Grid Trust Fabric TNC 2006, Catania 16 May 2006 David Kelsey CCLRC/RAL, UK

Presentation transcript:


16-May-2006 David Kelsey, Grid Trust Fabric, TNC

Outline
- Brief Introduction to the LCG and EGEE projects
- What is Grid Trust?
- What is a Grid Virtual Organisation (VO)?
- The Grid Security Model
- Authentication (AuthN)
  – The International Grid Trust Federation
- Authorization (AuthZ)
- Policy and Legal issues
- NRENs, Grids and Federations
- Future plans
- Final words

The LHC Computing Grid Project (LCG) & Enabling Grids for E-sciencE (EGEE)

High Energy Physics using a worldwide computing grid (slides from Les Robertson, LCG Project Leader, CERN, December 2005)

The LHC Accelerator
- The accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments' detectors

LHC Data
- This is reduced by online computers that filter out a few hundred "good" events per second
- These are recorded on disk and magnetic tape at 100-1,000 MegaBytes/sec
- ~15 PetaBytes per year for all four experiments

Resources for LHC Data Handling
- 15 PetaBytes of new data each year (ALICE, ATLAS, CMS, LHCb)
- 1 Petabyte (1 PB) = 1000 TB = 10 times the text content of the World Wide Web (figure from Urs Hölzle, VP Operations at Google)
- 100,000 of today's fastest processors
- 150 times the total content of the Web each year

High Energy Physics: a global community
- 1800 physicists (including 400 students)
- 150 universities/laboratories
- 34 countries

LCG depends on two major science grid infrastructures (slide from HEPiX, Rome, 5 April 2006)
- EGEE - Enabling Grids for E-sciencE
- OSG - US Open Science Grid

... and an excellent Wide Area Network

A global, federated e-Infrastructure (slide from Ian Bird, SA1, EGEE Final Review)
- EGEE infrastructure
  – ~ 200 sites in 39 countries
  – ~ CPUs
  – > 5 PB storage
  – > concurrent jobs per day
  – > 60 Virtual Organisations
- Related infrastructures: EUIndiaGrid, EUMedGrid, SEE-GRID, EELA, BalticGrid, EUChinaGrid, OSG, NAREGI

The EGEE project
- Objectives
  – consistent, robust and secure service grid infrastructure for many applications
  – improving and maintaining the middleware
  – attracting new resources and users
- Structure
  – 13 federations in 32 countries
  – leveraging national and regional grid activities worldwide
  – Co-funded by the EU with ~32 M Euros for the first 2 years from 1st April 2004
  – EGEE-II started April 2006

EGEE Highlights - Applications
- Support applications from
  – Astrophysics
  – Computational Chemistry
  – Earth Sciences
  – Finance
  – Fusion
  – Geophysics
  – High Energy Physics
  – Life Sciences
  – Material Sciences
  – Multimedia
  – etc.
- See the recent press release on the search for drugs against Avian Flu

What is Grid Trust?

Grid Trust
- Many components (in ascending scale of difficulty)
  – Technical: interoperable security, standards-based
  – Policy and Procedures: ensure participants act in a predictable way
  – Legal: international aspects particularly hard
  – Social
- Have spent the last 6 years building "trust"
  – Many face-to-face meetings
- Last 2 years, working towards a federated approach
- Sites need to trust VOs (and vice versa)
  – To take care of Users, Data, Operations, ...

What is a Grid Virtual Organisation (VO)?

Grid VOs
- Several different views!
- The original Globus definition included resources
  – A Virtual Organisation is a set of individuals and/or institutions that are defined according to a set of rules
- The EGEE view: just people
  – A grouping of individuals, often not bound to a single institution or enterprise, who, by reason of their common membership of the VO, and in sharing a common goal, are granted rights to use a set of resources on the Grid
- There are many Grids
  – Defined by shared services and common policy
  – Single Information System
  – Common operations (distributed)
  – Politics and/or Funding

The Grid/VO/Site Model

Grid/VO/Site Model
- Users have a single electronic identity
- They register once per VO (and renew)
  – Can/do belong to more than one VO
- Users do not register at sites or Grids
- VOs register with the Grid (again once per Grid)
- Aim for a single instance of the VO membership database
  – To be used across multiple Grids
- Sites can/do provide resources to multiple Grids
- Sites decide which VOs to support
  – Distributed Grid Operations facilitates this: deployment, configuration etc.

Grid Security Model

The Grid Security Model
- Authentication: proof of identity
  – GSI: Globus Grid Security Infrastructure (interoperate)
  – Single sign-on via X.509 certificates (PKI), OpenSSL
  – Delegation (via short-lived proxy certs) to services
- Global Authorization: right to access resources
  – Virtual Organisation (VO), e.g. a Biomed experiment
    - Maintains list of registered users
    - Allocates users to groups and roles
    - Controls global policy and allocations
- Local Authorization: site access control
  – Via local (e.g. Unix) mechanisms, or
  – Callouts to local AuthZ enforcement (Grid developments)
  – Grid ACLs: global identity or VO AuthZ attributes
- Policy
  – Grids (e.g. EGEE, Open Science Grid) define security policy
  – Policies must be interoperable, e.g. common AUP

Security Policy
- Policy comes from many stakeholders
[Figure: graphics from Globus Alliance & GGF OGSA-WG]

Authentication

Authentication
- Keep Authentication and Authorization separate
  – Authentication best done at Institute level
  – Authorization best done at VO level
- Provide the User with one (Grid) electronic identity
  – For use in many Grids or VOs
  – For user convenience
- Have successfully built a global PKI (X.509)
  – Mutual Authentication of people and services
- What is the most appropriate scale?
  – One CA per country/region (ideally for all eScience)
- EU Grid PMA has coordinated the (global) CAs
  – "minimum requirements" for accredited CAs
- Now IGTF takes over the global coordination

IGTF
- International Grid Trust Federation
  – Formed in October 2005
  – Federate to solve scaling problems
- Coordinates the three regional Policy Management Authorities (PMAs)
  – EU Grid PMA
  – Asia/Pacific Grid PMA
  – The Americas Grid PMA
- Each PMA
  – Accredits Identity Providers for Grid Authentication
  – Owns and maintains various authentication profiles
  – Coordinates the X.509 namespace
  – Distributes roots of trust (globally)
  – Members are the CAs and major relying parties

IGTF (2)
- Authentication Profiles
  – Classic PKI
    - long-lived (12 months) certificates held by the end entities
    - Medium assurance level: photo-ID and face-to-face user RA
    - CRLs issued
  – SLCS (recent addition): short-lived certificate services
    - Certificates automatically generated from local site authentication services (e.g. Kerberos)
    - No CRLs
  – Experimental CAs
- Working towards an OCSP definition and service
  – With CAOPS-WG in GGF
- TACAR is an important independent source of roots of trust
  – TERENA Academic CA Repository

IGTF (3) (slide from David Groep)
- common, global best practices for trust establishment
- better manageability and response of the PMAs
[Figure: the regional PMAs, TAGPMA and APGridPMA]

IGTF (4)
- More than 50 countries/regions worldwide are members
- Europe is well covered
- "Catch-all" CA for gaps

AuthZ Technology

Authorization & VO Management
- In EGEE gLite middleware
- Global AuthZ (VOMS)
  – Virtual Organization Membership Service
    - VO members, their groups and roles
    - Provides a digitally signed AuthZ attribute certificate
  – Included in the grid proxy certificate
  – A "PUSH" model (user can select roles and VOs)
- Local AuthZ
  – Local Centre Authorization Service (LCAS)
    - A framework to handle local policy (e.g. banned users)
  – Local Credential Mapping (LCMAPS)
    - Provides local credentials (Kerberos/AFS, ldap nss, ...)
- Local policy decisions (Compute and Storage Elements)
  – Can decide and enforce policy on VOMS attributes

VO Groups and Roles
- Each VO assigns its members to groups and roles
- Groups
  – Collections of individuals with something in common, e.g. a group of scientists working on a particular topic
  – Used for access control and quotas/priorities
- Roles
  – Capabilities/privileges assigned to individuals or groups, e.g. production processing manager, DBA, ...
- We started to explore common role names
  – Some agreement possible, but it's close to impossible! Too many VOs and differences
  – At the very least, names and semantics must be well understood within a VO context
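The VOMS/LCAS/LCMAPS chain and the VO groups and roles described on the two slides above, as an added example in Python that is not code from the presentation or from gLite: it parses VOMS FQANs as carried in the proxy, applies an LCAS-style policy check (ban list, supported VOs) and an LCMAPS-style mapping of the primary FQAN to a local account. All DNs, VO names, FQANs and mapping rules are constructed samples.

```python
# Added example (not code from the presentation or from gLite): a model of the
# site-side AuthZ chain on the slides. All DNs, VOs, FQANs and rules are samples.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# VOMS FQAN syntax: /vo[/subgroup...][/Role=name][/Capability=name]
FQAN_RE = re.compile(r"^(?P<group>/[^/=\s]+(?:/[^/=\s]+)*)"
                     r"(?:/Role=(?P<role>[^/=\s]+))?(?:/Capability=[^/=\s]+)?$")

@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str
    role: Optional[str]  # None when absent or the VOMS placeholder "NULL"

def parse_fqan(text: str) -> Fqan:
    m = FQAN_RE.match(text)
    if not m:
        raise ValueError("malformed FQAN: %r" % text)
    group, role = m.group("group"), m.group("role")
    return Fqan(group.split("/")[1], group, None if role in (None, "NULL") else role)

@dataclass
class SitePolicy:
    supported_vos: Set[str]
    banned_dns: Set[str]
    # (group, role or None for any role, local account); evaluated in order and
    # the first match wins, so a site lists its most specific rules first.
    mappings: List[Tuple[str, Optional[str], str]] = field(default_factory=list)

def rule_matches(rule_group: str, rule_role: Optional[str], f: Fqan) -> bool:
    in_group = f.group == rule_group or f.group.startswith(rule_group + "/")
    return in_group and rule_role in (None, f.role)

def authorize(dn: str, fqans: List[str], policy: SitePolicy) -> Tuple[bool, str]:
    """Return (True, local account) or (False, reason for rejection)."""
    # LCAS-like policy: the ban list first, then "is any asserted VO supported?"
    if dn in policy.banned_dns:
        return False, "banned user"
    parsed = [parse_fqan(f) for f in fqans]
    if not any(f.vo in policy.supported_vos for f in parsed):
        return False, "VO not supported at this site"
    # LCMAPS-like mapping: FQANs are tried in proxy order, so the primary FQAN
    # (the one the user selected when creating the proxy, PUSH model) decides.
    for f in parsed:
        if f.vo in policy.supported_vos:
            for rule_group, rule_role, account in policy.mappings:
                if rule_matches(rule_group, rule_role, f):
                    return True, account
    return False, "no local credential mapping for the asserted attributes"

# Constructed sample site policy: two supported VOs and one banned DN.
SAMPLE_POLICY = SitePolicy(
    supported_vos={"atlas", "biomed"},
    banned_dns={"/C=XX/O=Example Org/CN=Banned User"},
    mappings=[
        ("/atlas", "production", "atlasprd"),  # production role anywhere in atlas
        ("/atlas/uk", None, "atlasuk"),         # uk subgroup, any role
        ("/atlas", None, "atlas"),              # catch-all for the VO
        ("/biomed", None, "biomed"),
    ],
)

if __name__ == "__main__":
    print(authorize("/C=XX/O=Example Org/CN=Alice", ["/atlas/uk/Role=production"], SAMPLE_POLICY))
```

Note the ordering trap the slides' "names and semantics must be well understood" point warns about: because the user chooses the primary FQAN (PUSH model), a site that supports several VOs must key its mapping on that first attribute, and a rule listed too late ("/atlas" before "/atlas/uk") silently shadows the more specific one.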

Policy and Legal issues

EGEE/LCG Security Policy (picture from Ian Neilson)
- Security & Availability Policy
- Grid AUP
- VO AUP
- Certification Authorities
- Audit Requirements
- Incident Response
- User Registration & VO Management
- Application Development & Network Admin Guide

Policy
- Acceptable Use Policy
  – One general/simple/short common Grid AUP for EGEE and Open Science Grid (USA), and EU national Grids
    - For all registered VOs; binds the user to the VO AUP
  – Each VO defines its own aims and AUP
    - Sites can then decide to support it or not
  – User accepts these during registration and regular renewal (every 12 months)
- Robust User Registration procedures are required
  – Sites have delegated user registration to VOs
- Agreed operational security procedures are important
  – Security incident response

Federation legal issues
- Sites/Resources require
  – Auditing at individual user level
  – Read access to User registration data in the VO
- VOs require
  – Accounting (usage) data from resources
  – At individual user level
- EU Privacy & Data Protection laws control sites publicly identifying individual users
  – Working on a solution for this
- VOs are not (in general) legal entities
  – Makes life interesting!

NRENs, Grids & Federations?

eIRG Roadmap
- e-IRG: e-Infrastructure Reflection Group
- Roadmap for i2010: commitment to the federated approach; vision of an integrated AA infrastructure for eEurope
- Towards an integrated AAI for academia in Europe and beyond
- "The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […]" (Dublin, 2004)
- "The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions." (The Hague, 2005)

NRENs, Grids & Federations?
- No desire to run network services if they can be provided by NRENs
- AuthN/Identity services
  – Many NRENs run Certification Authorities: ~10 for Grids today and growing
  – AuthN best done by home institute
  – NRENs/Grids should continue to work together here
- Federated Identity services
- For large/long-lived VOs
  – Global AuthZ must be managed by the VO
  – Role/Group names must be defined by the VO and understood by Sites/Resources (across all Grids)
- The TERENA series of workshops on "NRENs and Grids" is one way of exchanging information & collaborating

Federations (2)
- Dynamic/Short-lived VOs
  – Small groups of collaborating scientists, "laymen rather than experts"
  – VO cannot register with Grid Infrastructure
  – Interesting to explore possibilities for NRENs here
- With the move to short-lived certificates (SLCS)
  – Linked to a site authentication infrastructure
  – Scaling problems for IGTF accreditation
  – IGTF needs the country to present a single coordinated identity federation: a role for NRENs?

Some future plans
- Interoperability: ongoing work
  – GGF "Grid Interoperability Now" (GIN) project
  – AuthN and AuthZ recognised as very important
  – IGTF for AuthN
  – EGEE active in GIN AuthZ: running a VOMS service for GIN
- New developments on policy expression/evaluation
- We have a requirement from some VOs to be able to register and use only those services they trust
  – Mutual AuthZ
- EGEE-II working on Shibboleth/gLite

References
- LCG/EGEE Joint Security Policy Group
- EGEE Security
- Open Science Grid
- IGTF
- EU Grid PMA
- TERENA TACAR
- Grid AUP

Final Words
- International federated identity for Grids is working
  – Many CAs already run for us by NRENs
  – Must work towards integration of other federated IdPs
- AuthZ is more difficult, but making good progress
  – Attributes must be managed by the VO
- Standards are essential for interoperability
  – GGF is an important body
  – Grid Security will implement new standards
- People/Social aspects even more important
  – Building international trust takes time
  – Between Grids, Sites and VOs
- NRENs and Grids have been tackling different aspects of the federation problem space
- We (Grids and NRENs) must collaborate and work towards common solutions wherever possible