Presentation transcript: GridPP Security
UK Security Workshop, 5-6 Dec 2002, NeSC
David Kelsey, CLRC/RAL, UK
Slide footer: 5-Dec-02, D.P.Kelsey, GridPP Security (slide 1)
GridPP (slide 3)
£17M PPARC project to build a Grid for UK PP, Sep 01 – Aug 04
Provide architecture and middleware
Use the Grid with simulated data
Use the Grid with real data
Future LHC experiments
Running US experiments
GridPP Security (slide 4)
Same as EU DataGrid (see tomorrow)
– But also US PPDG, GriPhyN, iVDGL
– CERN LHC Computing Grid
Based on Globus GSI
– But adding our own developments and functionality
Security Requirements (slide 5)
112 documented in the D7.5 document
– 72 essential, 37 desirable aims, 3 long-term aims
– Authentication (17), Authorisation (32), Auditing (5), Non-repudiation (3), Delegation (8), Confidentiality (18), Integrity (4), Networking (2), Manageability (4), Usability (8), Interoperability (5), Scalability (1), Performance (5)
Includes
– Virtual Organisations (VOs) – role-based authorisation; authorise resources as well as users
– Local authorisation decisions, and keep ACLs local to the data
– Confidentiality: encrypted medical data; don't know who is in a VO
– International collaboration – must inter-operate!
Authentication (slide 6)
More details tomorrow
International collaboration very important
Building trust between national CAs
EDG defines a list of trusted CAs
– Currently 13 national CAs
– Will grow to ~20
Security Developments (slide 7)
Security components developed (see EDG web)
– CA Trust Matrix tools
– VO/LDAP & VOMS – authorisation
– LCAS, LCMAPS – local authorisation and mapping
– Gridmapdir – dynamic leased accounts
– GridSite – certificate-based web management
– SlashGrid – DN-based grid home file system
– GACL – library to parse ACLs (XML)
– edg-java-security (for Data Management)
More details in tomorrow's talk
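Slides 5 and 7 name the pieces of the authorisation chain (VOMS attributes, LCAS/LCMAPS local decisions and mapping, gridmapdir leased accounts, ACLs kept local to the data) without showing how they fit together. The following is an added illustration in Python, not EDG code: a simplified model in which the site's local ACL (including a site-local ban list) decides first, and only then is the user's DN leased a pool account; the VO name, DNs and account names are constructed sample values.

```python
"""Simplified model (constructed for illustration, not EDG code) of the chain:
VOMS-style attributes -> local authorisation decision against an ACL kept
with the data (LCAS-like) -> mapping to a leased pool account (gridmapdir-like)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    dn: str                 # subject DN from the user's X.509 certificate
    vo: str                 # VO asserted by the VOMS attribute certificate
    role: str = "member"    # VOMS role within that VO


@dataclass
class LocalAcl:
    """ACL stored next to the data it protects: the site decides, not the VO."""
    allow: dict = field(default_factory=dict)      # (vo, role) -> set of operations
    banned_dns: set = field(default_factory=set)   # site ban list overrides VO membership

    def decide(self, cred: Credential, op: str) -> bool:
        if cred.dn in self.banned_dns:
            return False
        return op in self.allow.get((cred.vo, cred.role), set())


class PoolAccounts:
    """Leased local accounts: a DN keeps the same account while its lease lives."""
    def __init__(self, accounts):
        self.free = list(accounts)
        self.leases = {}            # dn -> local account name

    def map_dn(self, dn: str):
        if dn in self.leases:
            return self.leases[dn]
        if not self.free:
            return None             # pool exhausted: refuse rather than share an account
        acct = self.free.pop(0)
        self.leases[dn] = acct
        return acct


def authorise_and_map(acl: LocalAcl, pool: PoolAccounts, cred: Credential, op: str):
    """Return the local account to run as, or None if the request is refused."""
    if not acl.decide(cred, op):
        return None
    return pool.map_dn(cred.dn)
```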
Grid Deployment – issues (slide 8)
Legal, political, site security policies, etc.
– The user does not (need to) know where the jobs will run
  Cannot sign registration forms everywhere
– Acceptable Use policies (rules)
What is needed for user registration?
– We have a solution for the EDG testbed
  But not yet for full production (LCG considering this)
– What is acceptable to Site Security Officers?
GGF Site-AAA research group
– An extremely important area – could kill the Grid!
Issues – Deployment (2) (slide 9)
Virtual Organisation Management
VOs need to manage their members, and sites/resource providers negotiate with VOs
– Only system which will scale
  Sites cannot manage a large number of Grid users
– Not just a technical problem!
– Must develop procedures to allow this to happen
– VOs not used to managing resources
– Will Computer Centres give up (full) control?
Summary (slide 10)
Authentication
– Cross-domain trust is the big problem: will it continue to scale?
Authorisation
– The most IMPORTANT area: this is where the identity and rights need to be checked
– Technology is immature
– Need VO management procedures/tools
Many operational, legal, deployment issues
– To establish trust between sites/VOs/users: do/will sites trust each other?
EDG has several solutions – see tomorrow's talk
Web links (slide 11)
GridPP: http://www.gridpp.ac.uk
DataGrid: http://www.eu-datagrid.org
LCG: http://lcg.web.cern.ch/LCG/
GGF Security Area
DataGrid Security Requirements document: d7.5.pdf