GRID middleware and security, the missing bits David Kelsey TAC, Malaga 8 Jun 2009
8 Jun 09Grids, TAC, Kelsey2 Outline EGEE and EGI – Introduction Federated Identity Management Virtual Organisations, Global Trust and Attribute Management Operational Security Disclaimers: My personal views –not the official views of any Grid project, IGTF etc. “Middleware” - just Authentication and Authorisation “Missing bits” – well at least some pointers to possibilities for future coordination Thanks to (for slides): Bob Jones and David Groep –With some modifications by me
Enabling Grids for E-sciencE EGEE-III INFSO-RI EGEE - Bob Jones - Research Connection, Prague, May EGEE-III Main Objectives –Expand/optimise existing EGEE infrastructure, include more resources and user communities –Prepare migration from a project- based model to a sustainable federated infrastructure based on National Grid Initiatives Flagship Grid infrastructure project co-funded by the European Commission Duration: 2 years Consortium: ~140 organisations across 33 countries EC co-funding: 32Million €
Enabling Grids for E-sciencE EGEE-III INFSO-RI EGEE - Bob Jones - Research Connection, Prague, May 2009 ~280 sites 45 countries >80,000 CPUs >20 PetaBytes >14,000 users >250,000 jobs/day
Enabling Grids for E-sciencE EGEE-III INFSO-RI EGEE - Bob Jones - Research Connection, Prague, May Applications >260 VOs from several scientific domains –Astronomy & Astrophysics –Civil Protection –Computational Chemistry –Comp. Fluid Dynamics –Computer Science/Tools –Condensed Matter Physics –Earth Sciences –Fusion –High Energy Physics –Life Sciences More applications and user communities every month
Enabling Grids for E-sciencE EGEE-III INFSO-RI EGEE - Bob Jones - Research Connection, Prague, May Collaborating e-Infrastructures
Goal: Long-term sustainability of grid infrastructures in Europe Approach: Establish a federated model bringing together National Grid Infrastructures (NGIs) to build the European Grid Infrastructure (EGI) EGI Organisation: Coordination and operation of a common multi-national, multi- disciplinary Grid infrastructure To enable and support international Grid-based collaboration To provide support and added value to NGIs To liaise with corresponding infrastructures outside Europe 7
EGI workshop, CataniaMarch 2nd, EGI and NGI Tasks EGI tasks NGI international tasks NGI local tasks EGI NGI
Federated Identity Management for Grids International Grid Trust Federation (IGTF) –3 geographical Policy Management Authorities Coordinates a Global PKI (X.509) –Used by many different Grids IGTF defines minimum requirements and best practices –Accredits CAs against –3 different authentication profiles 8 Jun 09Grids, TAC, Kelsey9
OGF25 IGTF Work shop– Mar David Groep – Geographical coverage of the EUGridPMA 25 of 27 EU member states (all except LU, MT) +AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID + CA, CERN (int), DoEGrids(US)* Pending or in progress BY, MD, SY, LV, ZA, SN
11 16th EUGridPMA Mtg, 11 May 09Vinod Rebello – TAGPMA Membership NRC – Canada ESnet (DOEGrids) – USA EELA – International Fermi National Accelerator Laboratory - USA HEBCA/USHER/Dartmouth College – USA IBDS (ANSP) - Brazil WLCG – International NCSA – USA NERSC – USA Open Science Grid – International Purdue University – USA REUNA – Chile San Diego Supercomputer Center – USA SENAMHI – Peru TACC – USA TeraGrid (PSC) – USA Texas High Energy Grid – USA University of Virginia – USA UFF – Brazil ULA – Venezuela UNAM – Mexico UNLP – Argentina IGTF Accredited CA Operators CA Accreditation in progress Interested in accreditation Relying Party
APGridPMA members AIST (JP) APAC (AU) ASGCC (TW) CNIC (CN) HKU (HK) IGCA (IN) IHEP (CN) KEK (JP) KISTI (KR) NAREGI (JP) NCHC (TW) NECTEC (TH) NGO/Netrust (SG) PRAGMA-UCSD (US) 8 Jun 09Grids, TAC, Kelsey12
Interfederation Grids-NRENs A growing number of CAs are now run by NRENs (or NGIs) Future challenges for Grid IdM –Scaling –Ease of use -> Interfederation: IGTF and R&E AAIs –Started with SWITCH 8 Jun 09Grids, TAC, Kelsey13
OGF25 IGTF Work shop– Mar David Groep – A Federated Grid CA Use your federation ID ... to authenticate to a service ... that issues a certificate ... recognised by the Grid today Graphic from: Jan Meijer, UNINETT
OGF25 IGTF Work shop– Mar David Groep – Matching the Grid requirements Persistent and unique naming IdPs historically tended to recycle login names even eduPersonPrincipalName is often recyled only eduPersonTargetedID is immune to thus, but not supported everywhere (and is usually opaque) this adds a requirement to the federation or to the IdPs Reasonable representation of names Given name, surname and nickname are usually considered privacy sensitive user-approved release of these appears doable requires evaluation of legal framework
OGF25 IGTF Work shop– Mar David Groep – New: TERENA Grid CA Service Initial partners: FEIDE, SURFfederatie, HAKA, WAYF, Swamid, TERENA (replaces DutchGrid and NorduGrid CAs) Trans-national, cross-federation service But not (yet) confederated How many SLCS/MICS CAs does Europe need ? Consolidate operational PKI skills in one place Better sustainability, in line with the European trend
OGF25 IGTF Work shop– Mar David Groep – Federated CAs in Europe SWITCH: May 2007 TERENA: Summer 2009 Others interested (CESNET, …)
Some issues LoA –Grids demand stricter identity vetting than some other applications Data Privacy –Grids require release of display names 8 Jun 09Grids, TAC, Kelsey18
Virtual Organisations and Global Trust Security/Trust model –User registers once with VO Sites delegate this to the VO –VO builds trust with a Grid –Interoperable common simple policy documents essential to regulate behaviour User, Site, VO AUP & security policies 8 Jun 09Grids, TAC, Kelsey19
Grid Authorisation: Attribute Management VO Membership Service (VOMS) –RBAC –Attribute Certificate (signed by VO) extension in proxy cert Contains groups, roles, and generalised attributes VO is SOA for these attributes –Needs to stay in control Aggregation of attributes (VO and Institute IdP) –some work already started in EGEE (SWITCH) VASH Should we (can we?) standardise some attributes? –SCHAC schema 8 Jun 09Grids, TAC, Kelsey20
Trustworthy AuthZ AA services IGTF working on min requirements and best practice for operation of a Grid Attribute Authority A possible scalable accreditation process NGIs (or NRENs) could do it according to IGTF standards 8 Jun 09Grids, TAC, Kelsey21
Grid Security Operations EGEE Operational Security Coordination Team (OSCT) –Regional structure (11 centres) Incident Response, Monitoring, Training Coordination already being explored with TF-CSIRTS (and TRANSITS training) –mutual benefits GRID-SEC being established to enable incident communication between GRIDs and GRIDs and NRENs 8 Jun 09Grids, TAC, Kelsey22
More details – further work Romain Wartel – talk at 17:00 today –“NRENs and Grid security teams: a critical cooperation” Supporting virtual technologies track And a BOF on Tuesday evening (19:00) 8 Jun 09Grids, TAC, Kelsey23
NRENs and Grids What about network operations? advertise the upcoming NRENs and Grids workshop at EGEE'09 –Jointly organised by TERENA and EGEE- SA2 8 Jun 09Grids, TAC, Kelsey24
Uniting our strengths to realise a sustainable European grid
Links EGEE EGI IGTF JSPG: EGEE OSCThttp://osct.web.cern.ch/osct/ GRID-SEC sec/Site/GRID-SEC.htmlhttp://grid-sec.web.cern.ch/grid- sec/Site/GRID-SEC.html 8 Jun 09Grids, TAC, Kelsey26
NRENS & Grids Identity Management –Inter-federation already happening, but room for growth –Room to work together, e.g. on LoA Attribute Management (AuthZ) –How to build a scalable trust fabric –Attributes defined in SCHAC? Operational Security –not replacing national CSIRTS, but adding value –encourage collaboration 8 Jun 09Grids, TAC, Kelsey27
Discussion 8 Jun 09Grids, TAC, Kelsey28