Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE is a project funded by the European Union under contract IST-2003-508833 Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10.

Published byClaud Holt Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE is a project funded by the European Union under contract IST-2003-508833 Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10."— Presentation transcript:

1 EGEE is a project funded by the European Union under contract IST-2003-508833 Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10 th May, 2004 www.eu-egee.org

2 , - 2 Contents Messaging security Delegation Access control (lists) Policies Process space switching VOMS MyProxy Logging, auditing and incident detection Performance

3 , - 3

4 , - 4 Messaging Security Going with GSI transport layer security (TLS)  XML based security too slow currently  globus_gss_assist from globus for C/C++ in Linux  CoG >=1.1 for java in Linux and Windows  GSI C/C++ library windows native library situation unclear DM cluster is studying message level sec (signed messages)  Would replace delegation  Removes all the nasty security problems delegation poses  Decisions needed in conceptual level  Tools need to be found, CoG uses them, so they must exist

5 , - 5 Messaging security (2) SOAP implementation to use  Axis with CoG (GT3 core?) for java services and clients in Linux and windows  gSOAP version from EDG for C/C++ clients in Linux?  CGSI plugin? Are service proxies needed?  SSG to decide if really needed  Might affect SOAP implementation OCSP for credential status checking  Openssl supports it for C/C++ in linux  Java situation to be clarified  Windows situation to be clarified

6 , - 6 Delegation Going with GSI&httpg delegation mechanism for a start  Solutions exist gsi_gss_assist for C/C++ in Linux for non WS services No solution for WS C/C++ clients yet building blocks exist CoG for java in Linux and Windows GSI for Windows to be clarified? Aiming for delegation portType  Makes delegation orthogonal to the authentication  Will be defined by JRA3 & Andrew McNab  Prototypes should be easy to make Andrew McNab for C/C++ JRA3 (Joni, Mika, Olle?) for java?  Migration to this system later when it matures a bit

7 , - 7 Access control (lists) Several approaches used DM cluster going with POSIX ACLs stored in DB Info cluster going with hybrid DB view etc based access control Job submission, LCAS going with GACL with several additions (timeslots, ban lists...)

8 , - 8 Policies Need to combine multiple policy sources Move towards XACML  Subset of XACML relevant to us needs to be defined  Andrew has GACL->XACML->GACL translator, handles subset of XACML  XACML java tools are being tried out in NIKHEF (Yuri)  Commercial C/C++ library exists (no opensource solution found) How to combine policies  Handled in XACML spec already? Policy handling still needs a lot of thought  In conceptual, architechtural and implementation level  Name space issues need to be solved

9 , - 9 Process space switching Globus has an implementation (gss_assist_gridmap) GT3 has solution for java services using a set-uid programs EDG has one for pool accounts etc (NIKHEF) (LCMAPS) Andrew McNab proposed some work and collaboration in this area (Gridsite, su-exec cgi)

10 , - 10 VOMS Server maintained and developed by Italian cluster VOMS admin interface maintained by JRA3 for now  LCG will continue development  JRA3 involvement in development to be decided Light weight VOMS  Operation centers require it to host large number of VOs  Who would do it (VOMS developers? priority?) Java client needed (portals?) VOMS AC parsing needs to be added to java library How is VOMS java library to be used?  As authorizationManager filter/handler before application To keep the mechanism separate

11 , - 11 MyProxy Who maintains and develops it?  Clarify the situation of EDG MyProxy development Java client  Provided by java CoG

12 , - 12 Logging, auditing and incident det Need to have useful logs  Actions need to be auditable byt the admin down to the username who initiated them Is this information available in all the places?  Common log format What to do with all the external software  Throttleable logging Allow increasing logging level without restarting the service to allow closer inspection of possible ongoing incident Is this possible?

13 , - 13 Performance First hard performance requirements from DM cluster: 200ms per message  System definition should be added, otherwise meaningless Network Computer speeds, load Connection to background service happening  This should be split into DM and security portions  Hard to do with the full system of handshaking, OCSP and different levels of authorization services

Download ppt "EGEE is a project funded by the European Union under contract IST-2003-508833 Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10."

Similar presentations

Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.

Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.

INFSO-RI Enabling Grids for E-sciencE Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
WP4 Security Update For WP4: David Groep

WP4 Security Update For WP4: David Groep
Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.

Kate Keahey Argonne National Laboratory University of Chicago Globus Toolkit® 4: from common Grid protocols to virtualization.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
3 May 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

Similar presentations

Ads by Google