TeraGrid VO Support and Plans for AAA Testbed Dane Skow, Deputy Director TeraGrid University of Chicago / Argonne National Laboratory Internet2 Member.

Presentation transcript:

TeraGrid VO Support and Plans for AAA Testbed
Dane Skow, Deputy Director, TeraGrid
University of Chicago / Argonne National Laboratory
Internet2 Member Meeting, December 6, 2006

What is a VO to TeraGrid?
A group of users and their infrastructure to manage their policies.
PI-led Projects
– Most commonly a faculty PI and her team of students
– Today TeraGrid has ~1000 of these projects (and ~4000 users)
Science Gateways
– A portal which provides tools useful to a community of users
– Today TeraGrid has ~25 of these gateways (serving communities of ~20,000+ users total)

What is Virtual about a VO?
A (Virtual) Organization has a set of members, a budget they administer, a set of policies, …
VOs don’t necessarily have
– Physical infrastructure or permanent presence
– Electronic infrastructure or permanent presence
– A need to do business as a (legal) entity

Project VOs
Characteristics
– Multiple people sharing work within the context of a single project
– Multiple roles and delegated authorities
– Natural to leverage the infrastructure of the project “home”
TeraGrid Support
– Membership tracked in TGCDB with PI control
– Project-based accounting
– Policies set using local system methods (uid based)
Questions
– How do Project VOs manage policy in an easy way?

Science Gateway VOs
Characteristics
– Bonding element is a research interest and/or a set of tools
– Frequently has access to multiple resources and wants to matchmake
– Acts as a broker and/or service provider
– Established “brand” above the (grid) infrastructure
TeraGrid Support
– Support for community accounts (to multiplex requests)
– Audit record for individual request “cost” (soon)
– Community-based accounting
– Common authentication infrastructure (post AAA)
Questions
– What level of individual action/privilege is needed/desired?

Personal VOs
Characteristics
– Tend to be full delegation of the identification secret
  Parallel to a tradesperson’s key to a house
  Policy enforced out of band
– One persistent authority controlling the token
– These VOs will always exist. The question is whether or not they go underground.
TeraGrid Support
– Caveat emptor and benign neglect
Questions
– Do shared workspaces with different identity tokens increase or decrease risk? For whom?

Team VOs
Characteristics
– Multiple people working together over a period of time
– Roles change within the context of different projects
TeraGrid Support
– None today
Questions
– What is the urgency of the need for such VOs?

Issues with Authentication Status Quo
IDs sometimes contain sensitive information (e.g. SSN)
ID sources do not typically have a direct, ongoing relationship with users
Many sources of authentication mean confusion, error and insecurity for all parties
Protection of online secrets is difficult and a point of attack
Scaling beyond ~100 sources of identity calls for an index and/or hierarchy
– 100+ in the MacOS X default set, etc.
– Currently 90+ CAs in the IGTF PMA set
– ~1500 institutions in EDUCAUSE

Authorization Status Quo
Currently solely ID based
– A user has only one mapping in the system; no capability for roles
Single group membership
Need prior knowledge of group membership
– Maintenance/synchronization problem
No differentiation between services for access levels
– Allocated users
– Authenticated users
– TG Community users
– Partner/Campus users
– Public
Scaling
– Workload scales by ID, not by group
– Adds new sources of authority to manage

Account Management Status Quo
A single account/authorization doesn’t map to a rich set of services
Persistent Execution Environments
– Pre-provisioning individual environments (accounts) has large overhead and vulnerabilities
– Shared environments
– Environment configuration for groups must be independently duplicated
Traceable actions
– Need to preserve the connection from actions (and costs) to the individual initiating the action, for troubleshooting

Workshop
Workshop on TeraGrid Authentication, Authorization, and Account Management, August 30-31, 2006, Argonne National Laboratory
– Organizers: Von Welch, Tony Rimovsky, Jim Marsteller, Carolyn Peters, Dane Skow
Attendees: 42 persons, representatives from all TeraGrid Resource Provider sites, OSG, Internet2, Globus
Whitepaper (Von Welch, Ian Foster, Tom Scavo, Frank Siebenlist, Charlie Catlett): http://gridshib.globus.org/tg-paper.html

The Proposal
Plan for a world where users can be authenticated via their home campus identity management system
Enable attribute-based authorization of users by the RP site
– Allow for user authentication with authorization by the community
Prototype the system in a testbed, with involvement of interested parties to work out issues
All usage still billed to an allocation
– Community or individual

Testbed

Testbed Components
Enhanced CTSSv3 stack
– Existing GT component extensions to enable attribute-based authorization
Identify testbed resources
– UChicago/ANL, NCSA Mercury, ORNL
– Use the OSG/TG VOMS test server
Handful of user communities
– Science Gateway, Educational, OSG, others TBD
Use of Shibboleth and related software
– myVocs, GridShib
– Leverage InQueue/TestShib, UT Fed

Testbed Timeline
Until year end 2006
– Refine Testbed plans and participants
Jan - Mar 2007
– Deploy first instances on the Testbed and first use cases
Mar - May 2007
– Refine use cases and double instances
June 2007
– Assess results and plan deployment
July - Sept 2007
– Retool, package, document, …
Sept - Dec 2007
– Deploy and pre-production test
Jan 2007
– Production deployment

Technical Plan
1. Enable logging of attributes through the system
– Improves traceability and prepares for attribute handling
2. Enable group membership decisions based on attributes
– Provides for community-based authorization
3. Enable attribute-based authorization/provisioning decisions
– Enables user mapping to different environments
– Enables specialized provisioning by attribute set
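The three steps of the Technical Plan, taken together with the access levels listed on the Authorization Status Quo slide, the per-request audit record the Science Gateway VOs slide asks for, and the rule from The Proposal that all usage is billed to an allocation, as an added Python sketch. This is example code written for this page, not code from the TeraGrid project or the presentation; the attribute names, issuer URNs, allocation ids, environment paths and the policy tables are constructed assumptions, and the ordering of the access levels is my reading of the slide's list.

```python
"""Attribute-based authorization with audit logging, in the shape the
"Technical Plan" slide describes.  Added example, not TeraGrid code; every
issuer URN, allocation id, path and policy table below is constructed."""
import json
import logging
from dataclasses import dataclass, field
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
AUDIT = logging.getLogger("tg.audit")
AUDIT_LOG: list[dict] = []   # in-memory copy of every logged record, for inspection

# Constructed policy tables (assumptions, not TeraGrid data).
TG_IDPS = {"urn:teragrid:ca"}                                  # TeraGrid-issued identities
PARTNER_IDPS = {"urn:mace:incommon:example-campus.edu"}       # federated campus IdPs
VO_ENVIRONMENTS = {"gateway-chem": "/shared/chem-gateway",     # shared environment per community
                   "osg-edu": "/shared/osg-edu"}
ALLOCATIONS = {"TG-XYZ789": "individual", "TG-ABC123": "community"}


@dataclass
class Assertion:
    """Attributes asserted about a requester by an IdP or attribute authority."""
    subject: str                              # persistent opaque id: never an SSN or similar
    idp: str                                  # issuer that authenticated the subject ("" = anonymous)
    vos: list = field(default_factory=list)   # community/VO memberships (VOMS-style attributes)
    allocation: Optional[str] = None          # allocation the usage is to be charged to
    gateway_user: Optional[str] = None        # end user behind a gateway community account


@dataclass
class Decision:
    allowed: bool
    level: str
    environment: str
    billed_to: Optional[str]
    record: dict


def classify(a: Assertion) -> str:
    """Step 2: derive the access level from attributes rather than a 1:1 uid mapping.
    Order follows the 'Authorization Status Quo' slide, most privileged first."""
    if ALLOCATIONS.get(a.allocation) == "individual":
        return "Allocated"
    if a.idp in TG_IDPS:
        return "Authenticated"
    if any(v in VO_ENVIRONMENTS for v in a.vos):
        return "TG Community"
    if a.idp in PARTNER_IDPS:
        return "Partner/Campus"
    return "Public"


def provision(a: Assertion, level: str) -> str:
    """Step 3: map the requester to an environment by attribute set instead of
    pre-provisioning a personal account for everyone."""
    if level == "Allocated":
        return f"/home/{a.subject}"
    if level == "TG Community":
        return next(VO_ENVIRONMENTS[v] for v in a.vos if v in VO_ENVIRONMENTS)
    return "/sandbox/readonly"


def authorize(a: Assertion, action: str) -> Decision:
    """Evaluate one request, log every attribute seen (step 1), and record which
    allocation pays so community usage stays traceable to the individual."""
    level = classify(a)
    billed_to = a.allocation if a.allocation in ALLOCATIONS else None
    environment = provision(a, level)
    if action == "compute":
        # All usage is billed to an allocation: no allocation, no compute.
        allowed = billed_to is not None and level in ("Allocated", "TG Community")
    else:
        allowed = action == "browse"   # public metadata only
    record = {
        "subject": a.subject, "idp": a.idp, "vos": a.vos,
        "gateway_user": a.gateway_user, "action": action,
        "level": level, "environment": environment,
        "billed_to": billed_to, "allowed": allowed,
    }
    AUDIT.info(json.dumps(record, sort_keys=True))
    AUDIT_LOG.append(record)
    return Decision(allowed, level, environment, billed_to, record)


if __name__ == "__main__":
    # Constructed requests: a PI with her own allocation, a gateway acting for a
    # student against a community allocation, and a campus user with no allocation.
    pi = Assertion("pi-42", "urn:teragrid:ca", allocation="TG-XYZ789")
    gw = Assertion("chem-gw", "urn:teragrid:gateway:chem", vos=["gateway-chem"],
                   allocation="TG-ABC123", gateway_user="student@example-campus.edu")
    campus = Assertion("alice", "urn:mace:incommon:example-campus.edu")
    for req in (pi, gw, campus):
        d = authorize(req, "compute")
        print(d.level, d.environment, d.billed_to, d.allowed)
```

The gateway request is the case the Science Gateway slide cares about: the community account multiplexes many users against one community allocation, so the audit record carries `gateway_user` alongside the community subject and the allocation charged, which is what lets a resource provider trace a cost or a problem back to a person. A campus identity with no allocation is recognised but can only browse, which is the slide's point that authentication alone does not decide what a user may do.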