1
PDC Enabling Science
Grid Security Research
Olle Mulmo
2
Trust Mismatch
[Diagram: Cross "Certification" Issue. Labels: Certification Authority (one per domain), Policy Authority (one per domain), Domain A, Sub-Domain A1, Domain B, Sub-Domain B1, Server X, Server Y, Task. Conclusion: No Cross-Domain Trust.]
3
Grid Solution: Virtual Organizations
[Diagram: Labels: Certification Authority, Domain A, Sub-Domain B1, Federation Service, Virtual Organization Domain, "common mechanism". Starting point: No Cross-Domain Trust.]
4
VO management
VOs today = 100s of users (DOE Science Grid, European Data Grid)
Centrally kept, highly secure repository (databases, LDAP directories, additional software, …)
Research groups today = 10s of users
Administration = pain
Current VO software is too heavy-weight: mismatch
5
Different trust models for dynamic VOs
Look at peer-to-peer models: sociological web-of-trust models; "simple secret" based security model; group creation based on invitation (one-time password)
Common problem: traceability (who invited whom?)
Can the models above be extended?
Grid & P2P is a "hot topic"
6
Account management
AAA accounting == accountability: who did what, at what time?
Accounting == billing: who consumed what resources, for how long, at what price?
Distributed quota problem: is 6000 CPUh == 1*6000 CPUh or 6*1000 CPUh? (Swegrid needs at least a short-term solution)
7
Account management (cont.)
Mapping each individual into a unique user account doesn't scale; need dynamics
Existing quotas and scheduler limits must apply
Other initiatives to watch/interact with: Slashgrid (UK e-Science), Large-site AAA (GGF), EGEE proposal
8
Authorization policy
Tightly related to quota management: the "you have access" part of the "you have access to this piece of the pie" problem
Same software, different authority
Current implementations are based on group membership: either you're in, or you're out
Support for expressiveness is missing: "access between 8am and 5pm", "only if CPU load is less than 50%"
A large portion of a policy needs dynamic information from the runtime context
9
Authorization policy (cont.)
Another Grid and OGSA "hot topic", but with emphasis on integration of old software
Opportunity to ignore that and do real and relevant work
Does not need to start from scratch; may reuse an existing framework
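To make the expressiveness gap on the previous slides concrete, here is an added toy policy evaluator (not code from the talk or from PDC): it evaluates the flat group-membership rule that current implementations support next to a rule carrying the slide's own examples of dynamic constraints (a time window and a CPU-load ceiling), and reports why a request was denied. User names, groups, the resource name and the thresholds are constructed.

```python
# Added toy policy evaluator: static group membership plus runtime-context
# constraints. Users, groups, resources and thresholds are all constructed.
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Context:
    user: str
    groups: FrozenSet[str]
    now: datetime
    cpu_load: float  # fraction of capacity in use, 0.0 .. 1.0

@dataclass(frozen=True)
class Rule:  # members of `group` may use `resource`, subject to the options
    group: str
    resource: str
    start: Optional[time] = None          # window [start, end), if set
    end: Optional[time] = None
    max_cpu_load: Optional[float] = None  # grant only while load is below this

def rule_reason(rule: Rule, ctx: Context, resource: str) -> Optional[str]:
    """None if the rule grants access, otherwise a short reason for denial."""
    if rule.resource != resource:
        return "rule covers a different resource"
    if rule.group not in ctx.groups:
        return f"{ctx.user} is not in group {rule.group}"
    if rule.start is not None and not (rule.start <= ctx.now.time() < rule.end):
        return f"outside window {rule.start}-{rule.end}"
    if rule.max_cpu_load is not None and ctx.cpu_load >= rule.max_cpu_load:
        return f"CPU load {ctx.cpu_load:.0%} is not below {rule.max_cpu_load:.0%}"
    return None

def evaluate(rules: List[Rule], ctx: Context, resource: str) -> Tuple[bool, List[str]]:
    """Permit on the first granting rule; otherwise return every denial reason."""
    reasons = []
    for rule in rules:
        why = rule_reason(rule, ctx, resource)
        if why is None:
            return True, [f"granted by rule for group {rule.group}"]
        reasons.append(why)
    return False, reasons

# Constructed policy: a flat "in or out" group rule beside a context-dependent one.
POLICY = [Rule("swegrid-users", "cluster-a"),
          Rule("course-students", "cluster-a", time(8), time(17), 0.5)]

def decide(user, groups, hour, cpu_load, resource="cluster-a"):
    """Evaluate POLICY at a constructed point in time (hour of 2003-06-02)."""
    ctx = Context(user, frozenset(groups), datetime(2003, 6, 2, hour), cpu_load)
    return evaluate(POLICY, ctx, resource)
```

The denial reasons are the audit trail the "who did what at what time" slide asks for; a real engine would also log them.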
10
Proposed VR-IT research
Authentication and distributed file system technologies: credential translation / mapping; privilege inflation; prototype implementation (AFS)
Authorization, accounting and policy: develop dynamic trust models; develop scalable models for user account management; develop expressiveness of authorization policy