Presentation is loading. Please wait.

Presentation is loading. Please wait.

9-Jul-02D.P.Kelsey, DataGrid Security1 EU DataGrid Security 9 July 2002 UK Security Task Force Meeting #2 David Kelsey CLRC/RAL, UK

Published byDoreen Diana Barnett Modified over 8 years ago

Similar presentations

Presentation on theme: "9-Jul-02D.P.Kelsey, DataGrid Security1 EU DataGrid Security 9 July 2002 UK Security Task Force Meeting #2 David Kelsey CLRC/RAL, UK"— Presentation transcript:

1 9-Jul-02D.P.Kelsey, DataGrid Security1 EU DataGrid Security 9 July 2002 UK Security Task Force Meeting #2 David Kelsey CLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 9-Jul-02D.P.Kelsey, DataGrid Security2 Overview GridPP/DataGrid DataGrid Security - Introduction Authentication Authorisation Deployment Summary

3

4 9-Jul-02D.P.Kelsey, DataGrid Security4 GridPP Provide architecture and middleware Use the Grid with simulated data Use the Grid with real data Future LHC Experiments Running US Experiments £17M PPARC project to Build Grid for UK PP Sep 01 – Aug 04

5 9-Jul-02D.P.Kelsey, DataGrid Security5 Main Partners CERN – International (Switzerland/France) CNRS - France ESA/ESRIN – International (Italy) INFN - Italy NIKHEF – The Netherlands PPARC - UK

6 9-Jul-02D.P.Kelsey, DataGrid Security6 Research and Academic Institutes CESNET (Czech Republic) Commissariat à l'énergie atomique (CEA) – France Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI) Consiglio Nazionale delle Ricerche (Italy) Helsinki Institute of Physics – Finland Institut de Fisica d'Altes Energies (IFAE) - Spain Istituto Trentino di Cultura (IRST) – Italy Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany Royal Netherlands Meteorological Institute (KNMI) Ruprecht-Karls-Universität Heidelberg - Germany Stichting Academisch Rekencentrum Amsterdam (SARA) – Netherlands Swedish Research Council - Sweden Assistant Partners Industrial Partners Datamat (Italy) IBM-UK (UK) CS-SI (France)

7 9-Jul-02D.P.Kelsey, DataGrid Security7 Project Scope 9.8 M Euros EU funding over 3 years (Jan 01 – Dec 03) 90% for middleware and applications (HEP, EO and biology) Three year phased developments & demos (2001-2003) Possible extensions (time and funds) on the basis of first successful results: –DataTAG (2002-2003) –CrossGrid (2002-2004) –…

8 9-Jul-02D.P.Kelsey, DataGrid Security8 Programme of work Middleware –WP1 Grid Workload Management F. Prelz/INFN –WP2 Grid Data Management P. Kunszt/CERN –WP3 Grid Monitoring services S. Fisher/RAL –WP4 Fabric Management O. Barring/CERN –WP5 Mass Storage Management J. Gordon/RAL Testbed –WP6 Testbed Integration F. Etienne/CNRS –WP7 Network Services C. Michau/CNRS Scientific Applications –WP8 HEP Applications F. Carminati/CERN –WP9 Earth Observation ApplicationsL. Fusco/ESA-ESRIN –WP10 Biology Applications C. Michau/CNRS Dissemination WP11M. Lancia/CNR Project Management WP12F. Gagliardi/CERN

9 9-Jul-02D.P.Kelsey, DataGrid Security9 DataGrid Security Introduction No single Work Package (security is everywhere!) –3 sub-groups Authentication, Authorisation, & Co-ordination Based on Globus GSI –But adding our own extra functionality Security Requirements and first implementation –Document (D7.5) distributed to STF Security Design and 2 nd implementation (Jan 2003) Many topics not covered today!

10 9-Jul-02D.P.Kelsey, DataGrid Security10 Globus Security Grid Security Infrastructure (GSI) today PKI (X.509 certificates) Users, hosts and services are authenticated (both directions) Single sign-on –Delegation via Proxy credential (limited lifetime) Authorisation via “Grid Mapfile” –Maps certificate DN to local user (Unix, Kerberos) –Authorisation via local security mechanisms

11 9-Jul-02D.P.Kelsey, DataGrid Security11 Authentication 13 approved National Certificate Authorities –includes Registration Authorities – check identity CNRS (France) acts as “catch-all” CA –With appropriate RA mechanisms Matrix of “Trust” (work ongoing) – much work! –WP6 CA Mgrs check each other against agreed list of minimum requirements –Software being developed to aid this process (see next slide) Cross-Domain Authentication between Grid projects –USA (DOE) and CrossGrid are members of the CA group and Trust matrix

12 9-Jul-02D.P.Kelsey, DataGrid Security12 Authentication (2) DataGrid CA Features matrix

13 9-Jul-02D.P.Kelsey, DataGrid Security13 Authentication issues Don’t mix Authentication and Authorisation –But authentication often includes some implicit authorisation How to define list of “trusted” CA’s? –CP/CPS important –Audit of CA procedures – 3 rd party? (not done yet) –GGF GridCP and CA-Operations WG’s important here Scaling problems –How many CA’s can we cope with? (we will reach ~20) –Or should the VO’s issue Authentication certs? –Or use Kerberos at the site and generate certs online Authorisation is where the real identity checks need to be made –We should avoid (too) heavy-weight Authentication –Is MS.NET passport good enough?

14 9-Jul-02D.P.Kelsey, DataGrid Security14 Authorisation Testbed 0 (2000) –Based on Globus GSI and Grid Mapfile Maps certificate DN to one UNIX user account No groups or roles Unix UID/GID-based access control Testbed 1 (2001) –DataGrid “Virtual Organisation” (VO) support Tools to manage grid mapfile automation –> groups Leasing of dynamic user accounts –mods to Globus mapping code

15 9-Jul-02D.P.Kelsey, DataGrid Security15 EDG Authorisation grid-mapfile generation o=testbed, dc=eu-datagrid, dc=org CN=Franz Elmer ou=People CN=John Smith mkgridmap grid-mapfile VO Directory “Authorization Directory” CN=Mario Rossi o=xyz, dc=eu-datagrid, dc=org CN=Franz ElmerCN=John Smith Authentication Certificate ou=Peopleou=Testbed1ou=??? local usersban list

16 9-Jul-02D.P.Kelsey, DataGrid Security16 Authorisation (2) Original Globus CAS –Community certificate, signed by CAS Also contains authorisation capabilities –All access control centralised in CAS DataGrid model (for Testbed 2 – 2002) –Authenticate with personal certificate –Virtual Organisation Membership Service VOMS “adds” role(s) and group(s) –As requested by user New Globus CAS going this way (AC-like) –Grid ACL’s local to resource Continue to look at other technology (CAS, PERMIS, …)

17 9-Jul-02D.P.Kelsey, DataGrid Security17 SlashGrid & GACL (McNab – HEP Manchester) Framework for creating “Grid-aware” filesystems –different types of filesystem provided by dynamically loaded plugins –Uses CMU Coda kernel module –Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/ http://www.gridpp.ac.uk/slashgrid/ GACL –a C library for manipulating Grid Access Control Lists, written in XML-based Access Control Languages. –http://www.gridpp.ac.uk/gacl/http://www.gridpp.ac.uk/gacl/ n.b. also GridSite for certificate-base web authorisation

18 9-Jul-02D.P.Kelsey, DataGrid Security18 Authorisation issues Moving towards more functionality –Users with more than one allowed role –Move away from Unix uid based security –Applicable to all Grid services Users may belong to multiple VO’s –Authorisation may need to be based on “joins” Global vs Local authorisation mechanisms –need to negotiate policy – Global/VO/Local

19 9-Jul-02D.P.Kelsey, DataGrid Security19 Grid Deployment - issues Legal, political, site security policies, etc. –The user does not (need to) know where the jobs will run Cannot sign registration forms everywhere –Acceptable Use policies (Rules) What is needed for User Registration? –We have a solution for EDG Testbed But not yet for full production –What is acceptable to Site Security Officers? PPDG “Grid Site AA” project working on this –An extremely important area – could kill the Grid!

20 9-Jul-02D.P.Kelsey, DataGrid Security20 US PPDG-SiteAA Particle Physics Data Grid –Using Globus GSI US DOE Science Grid CA now in operation “Grid Site AA” project - extension to PPDG http://www.ppdg.net/docs/PPDG-AAA-Proposal.pdf http://www.ppdg.net/pa/ppdg-pa/siteaa/ –Examine/evaluate the impact of GSI on local site security –Important area not yet tackled by DataGrid

21 9-Jul-02D.P.Kelsey, DataGrid Security21 Issues – Deployment (2) VO’s need to manage their members and sites/resource providers negotiate with VO’s –Only system which will scale Sites cannot manage large number of Grid users –Not just a technical problem! –Must develop procedures to allow this to happen –VO’s not used to managing resources –Will Computer Centres give up (full) control?

22 9-Jul-02D.P.Kelsey, DataGrid Security22 Deployment – a personal view Today –Computer centres register users (lots of rules and checks) but then allow them to do almost anything! In the (GRID) future –Computer centres will register VO’s VO’s manage their users –“Trust” established between VO’s and Sites –The applications could (will?) be tightly controlled Using e.g. Community restricted delegation and signed apps –The actual user does not matter (but must have audit trail) Control the “What” and not the “Who”

23 9-Jul-02D.P.Kelsey, DataGrid Security23 Summary – lessons learned Authentication –Cross-Domain Trust is the big problem How to scale? Authorisation –The IMPORTANT area This is where the identity and rights need to be checked –Technology is immature Many operational and legal deployment issues to be solved –To establish Trust between Sites/VO’s/users

24 9-Jul-02D.P.Kelsey, DataGrid Security24 Web links GridPPhttp://www.gridpp.ac.ukhttp://www.gridpp.ac.uk DataGridhttp://www.eu-datagrid.orghttp://www.eu-datagrid.org DataGrid Security Requirements document http://hepwww.rl.ac.uk/kelsey/datagrid- d7.5.pdf http://hepwww.rl.ac.uk/kelsey/datagrid- d7.5.pdf PPDGhttp://www.ppdg.nethttp://www.ppdg.net

Download ppt "9-Jul-02D.P.Kelsey, DataGrid Security1 EU DataGrid Security 9 July 2002 UK Security Task Force Meeting #2 David Kelsey CLRC/RAL, UK"

Similar presentations

CERN STAR TAP June 2001 Status of the EU DataGrid Project Fabrizio Gagliardi CERN EU-DataGrid Project Leader June 2001

CERN STAR TAP June 2001 Status of the EU DataGrid Project Fabrizio Gagliardi CERN EU-DataGrid Project Leader June 2001
An open source approach for grids Bob Jones CERN EU DataGrid Project Deputy Project Leader EU EGEE Designated Technical Director

An open source approach for grids Bob Jones CERN EU DataGrid Project Deputy Project Leader EU EGEE Designated Technical Director
24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
CERN The European DataGrid Project Technical status www.eu-datagrid.org Bob Jones (CERN) Deputy Project Leader.

CERN The European DataGrid Project Technical status Bob Jones (CERN) Deputy Project Leader.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
Grid Projects: EU DataGrid and LHC Computing Grid Oxana Smirnova Lund University October 29, 2003, Košice.

Grid Projects: EU DataGrid and LHC Computing Grid Oxana Smirnova Lund University October 29, 2003, Košice.
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

Similar presentations

Ads by Google