Presentation is loading. Please wait.

Presentation is loading. Please wait.

30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK

Published byJean Atkins Modified over 9 years ago

Similar presentations

Presentation on theme: "30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK"— Presentation transcript:

1 30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk d.p.kelsey@rl.ac.uk

2 30-Sep-03D.P.Kelsey, SCG Summary2 Overview Security in EDG 2.1 SCG/Applications joint session (Saturday) VO naming, ACL syntax (input to GGF) D7.7 plans Summary

3 30-Sep-03D.P.Kelsey, SCG Summary3 Comments This is the first time I have not had to request a slot in the summary plenary (at final project conference!) SCG has come of age Quote: –EDG realised it had forgotten security (1st conference) Fabrizio Gagliardi (26 Sep 2003) So….no security requirements All requirements fully satisfied!

4 30-Sep-03D.P.Kelsey, SCG Summary4 Security in EDG 2.1

5 30-Sep-03D.P.Kelsey, SCG Summary5 VOMS VOMS is deployed Big improvement in Authorization (AuthZ) functionality –Fine-grained access control –Groups, sub-groups, roles, capabilities –Support for multiple VO’s Unfortunately little time for services to use the VOMS attributes EDG PTB (26 August) decided that job submission integrated with VOMS together with LCAS/LCMAPS was the highest priority for the EDG 2.1 Application TB –WP1/WP4/SCG efforts

6 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 6 Job Submission user CE user cert low frequency high frequency host cert proxy authz VO information system 1. VO affiliation ( AccessControlBase) 4. CEs for VOs in authz? 3. job submission MyProxy server WMS 2. cert upload

7 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 7 MyProxy server Running a Job CE cert (long term) host cert proxy authz VO WMS 1. cert download LCAS/ LCMAPS authentication & authorization info 2. job start LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups u default VO = default UNIX group u other VO/group/role = other UNIX group(s) voms-proxy-init

8 30-Sep-03D.P.Kelsey, SCG Summary8 VOMS status VOMS server deployed (19 th Sep) –INFN, RAL and CERN running servers –ITeam and WP6 VO’s tested VOMS client –Included in UI –Configured at CERN on dev testbed Need to run VOMS servers for other VO’s –NIKHEF offer to do this (WP6) VO managers need training

9 30-Sep-03D.P.Kelsey, SCG Summary9 WP1 Security WP1 –Proxy renewal service (26 Sep) Support for VOMS Renew proxy with same VOMS info as in old proxy –Logging and Bookkeeping service (26 Sep) Access control implemented –Job-owners can specify an ACL to allow others access –Uses GACL library –ACLs stored in LB database –New LB API (and command line) to add/remove ACL entries VOMS support (AuthZ info extracted for use in ACL) –WMS Uses VO info from CE Info provider for job matchmaking –If job comes with VOMS proxy (VO name only)

10 30-Sep-03D.P.Kelsey, SCG Summary10 WP2 and WP3 security WP2 –edg-java-security deployed (24 th Sep) –Authentication works –Authorization not enabled –C++ client now working but not deployed WP3 –Authentication in R-GMA deployed Well tested, but currently turned off –No delegation –No Authorization –C++ client as well will be turned on with Java security –R-GMA browser (requires host certificates as in WP2)

11 30-Sep-03D.P.Kelsey, SCG Summary11 WP4 Security WP4 –LCAS, LCMAPS deployed (12 th Sep) Full fine-grained VOMS support Sys admins have to enable this on clusters –Only for central LDAP-based user database If not then coarse-grained VO-based AuthZ –Or local group-based AuthZ – defined by sys admin –GACL-based access control: LCAS plug-in –Translation tool for local credentials to GACL –CE Info Provider can give static list of VO’s For use in WP1 WMS

12 30-Sep-03D.P.Kelsey, SCG Summary12 WP5 Security WP5 –Secure mode (edg-java-security) deployed –Insecure mode supported in parallel always mapped to WP6 VO –Plan to switch off insecure mode Needs testing Needs WP2 to call secure mode –ACLs supported (GACL) but not deployed Therefore no fine-grained access control –Testing restricted write access (from VOMS) May be possible on EDG 2.1 –No delegation (web services)

13 30-Sep-03D.P.Kelsey, SCG Summary13 SCG/Applications

14 30-Sep-03D.P.Kelsey, SCG Summary14 Joint SCG/WP8-9-10 session To consider use cases for VOMS and priorities –Groups –Roles –Access Control etc Papers written by each WP during the summer Useful discussions Also highlighted many other missing or incomplete features –Accounting, monitoring, quotas, …

15 30-Sep-03D.P.Kelsey, SCG Summary15 Cartoonist View of the World Actually it’s 2 years and 10 months…

16 30-Sep-03D.P.Kelsey, SCG Summary16 Conclusion For deployment beyond EDG 2.1 –If resources available and bug-fixing allows… Implement fine-grained access control to files (WP2/5) –Using WP9/GOMES as an example –Possible demo for EU Review (Feb 2004) Really would have liked to tackle Bio-medical encryption –Very doubtful that we will find time

17 30-Sep-03D.P.Kelsey, SCG Summary17 VO naming, ACL syntax

18 30-Sep-03D.P.Kelsey, SCG Summary18 Names and syntax Offering EDG AuthZ as input examples to GGF –VOMS, LCAS/LCMAPS, Java Security, GACL, GridSite, etc GGF OGSA-AuthZ working group –Co-chaired by EDG member (Andrew McNab) –AuthZ/Access Control with SAML and XACML We need globally unique names for VO’s –Also need to establish the root of trust –Propose using registered DNS names e.g. vo-atlas.cern.ch Or even lhcb.org Strings in ACL entries – defined format –/VO[/Group/[Sub-group(s)]][/Role=r][/Capability=c]

19 30-Sep-03D.P.Kelsey, SCG Summary19 Deliverable D7.7

20 30-Sep-03D.P.Kelsey, SCG Summary20 Plans for D7.7 D7.7 (PM36) –Final Report on Security Discussed at SCG meeting on Monday Linda Cornwall (RAL) – editor Will concentrate on –Successful deployment of new AuthZ technology Design described in D7.6 –Show the requirements that have now been met As specified in D7.5 –Describe areas for work in future projects Security evaluations also in other deliverables (e.g. D6.8)

21 30-Sep-03D.P.Kelsey, SCG Summary21 Summary Much progress has been made –Delays in EDG 2.0 delayed the security implementation Nevertheless –We will demonstrate AuthZ in WMS On application testbed (EDG 2.1) –Some simple access control may be possible on files Even on EDG 2.1 –Working on full demo for EU review A big thank you to all my colleagues in SCG –The architects, designers and developers

Download ppt "30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK"

Similar presentations

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
VOMS Alessandra Forti HEP Sysman meeting 27-28 April 2005.

VOMS Alessandra Forti HEP Sysman meeting April 2005.

Similar presentations

Ads by Google