Published by Mariah Tucker. Modified over 9 years ago.
Slide 1
GRID middleware and security, the missing bits
David Kelsey
TAC, Malaga, 8 Jun 2009
Slide 2
Outline
EGEE and EGI – Introduction
Federated Identity Management
Virtual Organisations, Global Trust and Attribute Management
Operational Security
Disclaimers:
–My personal views – not the official views of any Grid project, IGTF etc.
–“Middleware” – just Authentication and Authorisation
–“Missing bits” – well, at least some pointers to possibilities for future coordination
Thanks to (for slides): Bob Jones and David Groep
–With some modifications by me
8 Jun 09, Grids, TAC, Kelsey
Slide 3
Enabling Grids for E-sciencE, EGEE-III INFSO-RI-222667 (EGEE – Bob Jones – Research Connection, Prague, May 2009)
EGEE-III Main Objectives
–Expand/optimise existing EGEE infrastructure, include more resources and user communities
–Prepare migration from a project-based model to a sustainable federated infrastructure based on National Grid Initiatives
Flagship Grid infrastructure project co-funded by the European Commission
Duration: 2 years
Consortium: ~140 organisations across 33 countries
EC co-funding: 32 Million €
Slide 4
~280 sites
45 countries
>80,000 CPUs
>20 PetaBytes
>14,000 users
>250,000 jobs/day
Slide 5
Applications
>260 VOs from several scientific domains
–Astronomy & Astrophysics
–Civil Protection
–Computational Chemistry
–Comp. Fluid Dynamics
–Computer Science/Tools
–Condensed Matter Physics
–Earth Sciences
–Fusion
–High Energy Physics
–Life Sciences
More applications and user communities every month
Slide 6
Collaborating e-Infrastructures
Slide 7
Goal: Long-term sustainability of grid infrastructures in Europe
Approach: Establish a federated model bringing together National Grid Infrastructures (NGIs) to build the European Grid Infrastructure (EGI)
EGI Organisation: Coordination and operation of a common multi-national, multi-disciplinary Grid infrastructure
–To enable and support international Grid-based collaboration
–To provide support and added value to NGIs
–To liaise with corresponding infrastructures outside Europe
Slide 8
EGI and NGI Tasks (EGI workshop, Catania, March 2nd, 2009)
Figure: EGI tasks, NGI international tasks, NGI local tasks, split between EGI and NGI
Slide 9
Federated Identity Management for Grids
International Grid Trust Federation (IGTF)
–3 geographical Policy Management Authorities
Coordinates a Global PKI (X.509)
–Used by many different Grids
IGTF defines minimum requirements and best practices
–Accredits CAs against 3 different authentication profiles
Slide 10
OGF25 IGTF Workshop, Mar 2009, David Groep – davidg@eugridpma.org
Geographical coverage of the EUGridPMA
25 of 27 EU member states (all except LU, MT)
+AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID
+CA, CERN (int), DoEGrids (US)*
Pending or in progress: BY, MD, SY, LV, ZA, SN
Slide 11
TAGPMA Membership (16th EUGridPMA Mtg, 11 May 09, Vinod Rebello – vinod@ic.uff.br)
NRC – Canada; ESnet (DOEGrids) – USA; EELA – International; Fermi National Accelerator Laboratory – USA; HEBCA/USHER/Dartmouth College – USA; IBDS (ANSP) – Brazil; WLCG – International; NCSA – USA; NERSC – USA; Open Science Grid – International; Purdue University – USA; REUNA – Chile; San Diego Supercomputer Center – USA; SENAMHI – Peru; TACC – USA; TeraGrid (PSC) – USA; Texas High Energy Grid – USA; University of Virginia – USA; UFF – Brazil; ULA – Venezuela; UNAM – Mexico; UNLP – Argentina
Legend: IGTF Accredited CA Operators; CA Accreditation in progress; Interested in accreditation; Relying Party
Slide 12
APGridPMA members
AIST (JP); APAC (AU); ASGCC (TW); CNIC (CN); HKU (HK); IGCA (IN); IHEP (CN); KEK (JP); KISTI (KR); NAREGI (JP); NCHC (TW); NECTEC (TH); NGO/Netrust (SG); PRAGMA-UCSD (US)
Slide 13
Interfederation Grids–NRENs
A growing number of CAs are now run by NRENs (or NGIs)
Future challenges for Grid IdM
–Scaling
–Ease of use
-> Interfederation: IGTF and R&E AAIs
–Started with SWITCH
Slide 14
A Federated Grid CA
Use your federation ID ... to authenticate to a service ... that issues a certificate ... recognised by the Grid today
Graphic from: Jan Meijer, UNINETT
Slide 15
Matching the Grid requirements
Persistent and unique naming
–IdPs historically tended to recycle login names
–even eduPersonPrincipalName is often recycled
–only eduPersonTargetedID is immune to this, but not supported everywhere (and is usually opaque)
–this adds a requirement to the federation or to the IdPs
Reasonable representation of names
–Given name, surname and nickname are usually considered privacy sensitive
–user-approved release of these appears doable
–requires evaluation of legal framework
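Added illustration, not from the slides or from any Grid CA's code: a toy SLCS-style registry that mints a Grid subject DN from a federation assertion, keyed either on eduPersonPrincipalName or on eduPersonTargetedID, to show why a recycled login name silently hands a new person the previous holder's Grid identity. The Assertion fields, the registry class and the DN layout are assumptions; only the eduPerson attribute names are real.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Assertion:
    """Constructed stand-in for a federation (SAML) assertion, reduced to the
    eduPerson attributes a federated Grid CA would consume."""
    idp: str
    eduPersonPrincipalName: str
    eduPersonTargetedID: str   # opaque, pairwise, persistent
    displayName: str           # user-approved release, needed for a readable CN

@dataclass
class SlcsRegistry:
    """Hypothetical short-lived-credential-service registry: remembers which
    subject DN was issued for which federation identifier, so that a returning
    user keeps the same Grid identity (and therefore the same VO memberships)."""
    key_attr: str
    issued: dict = field(default_factory=dict)

    def subject_dn(self, a: Assertion) -> str:
        ident = getattr(a, self.key_attr)
        key = (a.idp, ident)
        if key not in self.issued:
            # Hash the identifier so the DN is stable yet does not leak an
            # opaque targeted ID; include displayName for a human-readable CN.
            token = hashlib.sha256(f"{a.idp}|{ident}".encode()).hexdigest()[:16]
            self.issued[key] = (f"/DC=org/DC=example-federation/O={a.idp}"
                                f"/CN={a.displayName} {token}")
        return self.issued[key]

def recycling_demo() -> dict:
    """Two different people at the same IdP; the IdP has reused the login name."""
    jane = Assertion("uni-a.example", "jsmith@uni-a.example", "tid-7f3a", "Jane Smith")
    john = Assertion("uni-a.example", "jsmith@uni-a.example", "tid-91c0", "John Smith")
    by_eppn = SlcsRegistry("eduPersonPrincipalName")
    by_tid = SlcsRegistry("eduPersonTargetedID")
    return {
        # John inherits Jane's DN, and with it every VO right bound to it
        "eppn_collides": by_eppn.subject_dn(jane) == by_eppn.subject_dn(john),
        # Distinct targeted IDs give distinct DNs
        "tid_collides": by_tid.subject_dn(jane) == by_tid.subject_dn(john),
        # The same person returning keeps the same DN
        "tid_stable": by_tid.subject_dn(jane) == by_tid.subject_dn(jane),
    }
```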
Slide 16
New: TERENA Grid CA Service
Initial partners: FEIDE, SURFfederatie, HAKA, WAYF, Swamid, TERENA (replaces DutchGrid and NorduGrid CAs)
Trans-national, cross-federation service
–But not (yet) confederated
How many SLCS/MICS CAs does Europe need?
–Consolidate operational PKI skills in one place
–Better sustainability, in line with the European trend
Slide 17
Federated CAs in Europe
SWITCH: May 2007
TERENA: Summer 2009
Others interested (CESNET, …)
Slide 18
Some issues
LoA
–Grids demand stricter identity vetting than some other applications
Data Privacy
–Grids require release of display names
Slide 19
Virtual Organisations and Global Trust
Security/Trust model
–User registers once with VO; Sites delegate this to the VO
–VO builds trust with a Grid
–Interoperable common simple policy documents essential to regulate behaviour: User, Site, VO AUP & security policies
Slide 20
Grid Authorisation: Attribute Management
VO Membership Service (VOMS)
–RBAC
–Attribute Certificate (signed by VO) extension in proxy cert; contains groups, roles, and generalised attributes
VO is SOA (source of authority) for these attributes
–Needs to stay in control
Aggregation of attributes (VO and Institute IdP)
–some work already started in EGEE (SWITCH): VASH
Should we (can we?) standardise some attributes?
–SCHAC schema
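Added example, not VOMS code and not from the talk: a parser for VOMS FQAN strings (the form in which the groups and roles from the VO-signed Attribute Certificate reach a site) and a simplified site-side RBAC mapping from FQANs to local accounts. The site policy, account names and first-match semantics are assumptions; the FQAN grammar and the NULL convention are VOMS's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple
# VOMS FQAN syntax: /vo[/subgroup...][/Role=<role>][/Capability=<cap>];
# VOMS writes NULL for an absent role or capability.
_FQAN_RE = re.compile(
    r"^(/[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*)"   # group path
    r"(?:/Role=([A-Za-z0-9._-]+))?"
    r"(?:/Capability=([A-Za-z0-9._-]+))?$"
)
@dataclass(frozen=True)
class Fqan:
    group: str
    role: Optional[str]
    capability: Optional[str]

def parse_fqan(raw: str) -> Fqan:
    """Parse one FQAN, rejecting anything outside the grammar before it reaches policy."""
    m = _FQAN_RE.match(raw)
    if not m:
        raise ValueError(f"malformed FQAN: {raw!r}")
    group, role, cap = m.groups()
    return Fqan(group, None if role in (None, "NULL") else role,
                None if cap in (None, "NULL") else cap)

def group_matches(pattern: str, group: str) -> bool:
    """'/vo/grp/*' covers that group and its subgroups (component-wise, so
    '/atlas/*' does not cover '/atlasx'); any other pattern is an exact match."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return group == base or group.startswith(base + "/")
    return group == pattern

# Site rule: (group pattern, required role or None for any role, local account).
# Constructed policy: production role gets a dedicated account, the rest of the
# VO tree a pool account; VOs with no rule are not trusted at this site.
SITE_POLICY: Sequence[Tuple[str, Optional[str], str]] = [
    ("/atlas", "production", "atlasprd"),
    ("/atlas/*", None, "atlas-pool"),
    ("/cms/*", None, "cms-pool"),
]

def map_account(fqans: Sequence[str], policy=SITE_POLICY) -> Optional[str]:
    """Simplified site-side RBAC: FQANs are taken in the order the VO signed them
    (primary first); the first FQAN that any rule accepts decides the account."""
    for raw in fqans:
        f = parse_fqan(raw)
        for pattern, role, account in policy:
            if group_matches(pattern, f.group) and (role is None or role == f.role):
                return account
    return None  # no VO attribute this site trusts: deny
```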
Slide 21
Trustworthy AuthZ AA services
IGTF working on min requirements and best practice for operation of a Grid Attribute Authority
A possible scalable accreditation process
–NGIs (or NRENs) could do it according to IGTF standards
Slide 22
Grid Security Operations
EGEE Operational Security Coordination Team (OSCT)
–Regional structure (11 centres)
–Incident Response, Monitoring, Training
Coordination already being explored with TF-CSIRT (and TRANSITS training)
–mutual benefits
GRID-SEC being established to enable incident communication between Grids, and between Grids and NRENs
Slide 23
More details – further work
Romain Wartel – talk at 17:00 today
–“NRENs and Grid security teams: a critical cooperation”
–Supporting virtual technologies track
And a BOF on Tuesday evening (19:00)
Slide 24
NRENs and Grids
What about network operations?
Advertise the upcoming NRENs and Grids workshop at EGEE'09
–Jointly organised by TERENA and EGEE-SA2
http://www.terena.org/activities/nrens-n-grids/
Slide 25
Uniting our strengths to realise a sustainable European grid
Slide 26
Links
EGEE: http://www.eu-egee.org/
EGI: http://www.eu-egi.eu/
IGTF: http://www.igtf.net/
JSPG: http://www.jspg.org
EGEE OSCT: http://osct.web.cern.ch/osct/
GRID-SEC: http://grid-sec.web.cern.ch/grid-sec/Site/GRID-SEC.html
Slide 27
NRENs & Grids
Identity Management
–Inter-federation already happening, but room for growth
–Room to work together, e.g. on LoA
Attribute Management (AuthZ)
–How to build a scalable trust fabric
–Attributes defined in SCHAC?
Operational Security
–not replacing national CSIRTs, but adding value
–encourage collaboration
Slide 28
Discussion