Managing Access to Resources on the Grid. Oxford University e-Science Centre, workshop summary slides, 4 December 2002.

Presentation transcript:

Slide 1: Managing Access to Resources on the Grid (title slide, 4 December 2002)

Slide 2: Aims of the Workshop

To bring together:
  – Those building Grid environments
  – Those in the University IT community responsible for managing access to computing resources
Reviewing methods of:
  – authentication (a.m.): the e-Science programme; three JISC-funded projects
  – authorisation (p.m.): three systems offering authorisation; a working process for mapping Grid users into local accounts (EDG); user registration for Grid resources

Slide 3: Authentication – e-Science

Costs an institution about £1000 to create an RA
Current cost about £200 per certificate to the CA (about £20 to the RA)
Current capacity c. … certificates (194 certificates issued so far)
  – Issuing 60 certificates/month
Renaissance Worldwide, "Choosing a PKI Vendor": $… per certificate, assuming 1000 certificates/year
Certificates must be renewed annually
A certificate must be cared for like a passport
Looking for approval of the EDG CA and of Grid CAs outside Europe
Will update the CP/CPS (the contract)
"This is a frighteningly high cost to protect computers"

Slide 4: Authentication – JISC Projects

Digital Certificate Operation in a Complex Environment (M Dovey)
  – To provide a detailed evaluation and implementation of digital certificates at the University of Oxford
  – How do we expand the e-Science RA into a general RA for the University?
  – Will explore development beyond the project
  – Why not just username and password?
Open Source Certificate Authority (E Carter, D Holdsworth)
  – Automated registration authority: user account generation and certificate issue
  – Online, scalable
  – Revocation is done best at authorisation

Slide 5: Authentication – JISC Projects (continued)

Technologies for Information Environment Security (A Ferguson/S Shaw)
  – Proof of concept for an authentication service for licensed resources (assets) of the JISC IE, accessed by standard browsers
  – Consider the wider use of digital certificates in HE
  – Is a two-tier policy required for institutions? Basic level of assurance for the JISC IE; higher level for additional services

Slide 6: AM Authentication Discussion

Strong view from the floor (at least 50%) that the CP/CPS is 'going over the top' for general authentication use
The CP/CPS requires that the user identifies himself/herself
  – Institutions will wish to use their existing registration processes, since personal identification has already happened there, and combine that with the CA
  – Otherwise not scalable
Context is very important
  – If we wish to inter-work with sites abroad, we need to meet their requirements
Why not just use username and password?
  – There is now a trend for the server to define the format of the password
  – Exposing different requirements: certificates are needed for the Grid
Principal drivers for certificates are the Grid, medical schools (complexity of trust models) and high-assurance Government services
  – So we will have to learn to use certificates in higher numbers

Slide 7: EDG Account Management

Within the lifecycle of a job, each step requires authorisation
How can Grid users gain access without new accounts being created every day, while being limited and audited and having their files tracked?
Local access control and account management:
  – EDG has an LDAP VO server
  – The mkgridmap tool builds the local grid-mapfile from the VO server each day
  – grid-mapfile: the list of users (by certificate subject) who can use the resource, and the local account each maps to
Process:
  – Users first join the Acceptable Use Policy VO (using their certificate)
  – Users can then join the VO of their application
VOMS: similar to CAS, but retains the user's identity (alongside VO or sub-group membership)
  – No longer need to fetch membership lists, as VO members will be accepted on the rights they present
GGF Authorization Working Group (Authz)
  – Converge authorisation solutions and move from Grid to web services
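The daily grid-mapfile build and the gatekeeper lookup it feeds, as an added example; this is not the EDG mkgridmap script or Globus gatekeeper code. It assumes the VO membership has already been pulled from the VO server and shows it as constructed inline data; the VO names, subjects, local account names and the local deny list are all made up for illustration. It also strips the trailing CN=proxy components that a legacy GSI proxy appends to its owner's subject before the lookup, and applies the local deny list so that, as the OSCA project slide puts it, revocation takes effect at authorisation without waiting for the CA.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# One grid-mapfile entry: a double-quoted certificate subject, whitespace,
# then one local account (or a comma-separated list of accounts).
_ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')

# Constructed stand-in for what mkgridmap pulls from the LDAP VO server:
# (certificate subject, VO name) pairs. All names are made up.
VO_MEMBERS: List[Tuple[str, str]] = [
    ("/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=alice smith", "aup"),
    ("/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=alice smith", "biogrid"),
    ("/C=UK/O=eScience/OU=Leeds/L=ISS/CN=bob jones", "aup"),
    ("/C=UK/O=eScience/OU=Leeds/L=ISS/CN=bob jones", "biogrid"),
    ("/C=UK/O=eScience/OU=RAL/L=CLRC/CN=carol white", "biogrid"),  # never joined the AUP VO
]

# Constructed local site policy: which VO maps to which local (group) account,
# and which subjects the site refuses regardless of what the VO says.
AUP_VO = "aup"
VO_TO_ACCOUNT: Dict[str, str] = {"biogrid": "biogrid001"}
LOCAL_DENY: Set[str] = {"/C=UK/O=eScience/OU=Leeds/L=ISS/CN=bob jones"}


def build_gridmap(members, vo_to_account, local_deny, aup_vo=AUP_VO) -> str:
    """Turn VO membership into grid-mapfile text (the daily mkgridmap step).

    A subject is mapped only if it has joined the AUP VO and at least one VO
    the site maps to an account, and is not on the local deny list. Dropping
    a subject here revokes its access at the next rebuild even though the
    certificate itself is still valid.
    """
    vos_by_dn: Dict[str, Set[str]] = {}
    for dn, vo in members:
        vos_by_dn.setdefault(dn, set()).add(vo)
    lines = []
    for dn in sorted(vos_by_dn):
        vos = vos_by_dn[dn]
        if dn in local_deny or aup_vo not in vos:
            continue
        accounts = sorted(vo_to_account[v] for v in vos if v in vo_to_account)
        if accounts:
            lines.append(f'"{dn}" {",".join(accounts)}')
    return "\n".join(lines) + "\n"


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {subject: [accounts]}; a malformed entry raises."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"grid-mapfile line {lineno} is malformed: {raw!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping


def strip_proxy(subject: str) -> str:
    """Drop the trailing components a legacy GSI proxy appends to its owner's subject."""
    parts = subject.split("/")
    while parts and parts[-1] in ("CN=proxy", "CN=limited proxy"):
        parts.pop()
    return "/".join(parts)


def authorise(mapping: Dict[str, List[str]], subject: str) -> Optional[str]:
    """Gatekeeper-style lookup: the presented subject (possibly a proxy) must match
    an entry exactly; the first listed account is used. Anything else is refused."""
    accounts = mapping.get(strip_proxy(subject))
    return accounts[0] if accounts else None


if __name__ == "__main__":
    text = build_gridmap(VO_MEMBERS, VO_TO_ACCOUNT, LOCAL_DENY)
    print(text, end="")
    table = parse_gridmap(text)
    for who in (VO_MEMBERS[0][0] + "/CN=proxy", VO_MEMBERS[2][0], VO_MEMBERS[4][0]):
        print(f"{who} -> {authorise(table, who)}")
```

The rebuild is where the "not scalable" complaint on the next slide bites: every site must re-pull every VO's membership daily, and a user revoked by the VO keeps access at any site whose cron job has not yet run. The local deny list is the site's own safeguard for that window.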

Slide 8: CAS

GSI – X.509
  – Certificate on the base machine, then create a proxy with further information attached
  – Current policy is the grid-mapfile, but that is not scalable
  – CAS addresses this; CAS produces a proxy when a user is authorised
  – CAS investigation being reviewed using JISC funding
CAS-enabled gatekeeper
  – Policy Enforcement Point encapsulated into the certificate
Virtual Organisation Management Portal (VOM)
  – Certificate used in the browser on the portal to join a VO; the request then goes to the VO manager for approval and on to the resource manager

Slide 9: Akenti

(Complex) access management system from LBL
  – Assumes PKI
  – Allows each stakeholder to define access
Authentication: X.509
Authorisation: three types of signed certificates (not X.509)
  – Policy: one per resource
  – User attribute
  – Resource use-condition: supplied by stakeholders
These together make the access control decision
Interfaced to Globus, and in a web context (Apache module)
Possible reservation: its own 'certificates' are not standards-based

Slide 10: PERMIS

Policy-based authorisation system
  – Similar to XACML but simpler
  – Can push or pull
  – Not AAA, simply policy-based authorisation using XML
  – The target/resource is the root of trust
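How the three Akenti inputs on the previous slide and the PERMIS "target is the root of trust" idea combine into a decision, as an added example that is neither Akenti nor PERMIS code. The resource's own policy names which stakeholders may set use-conditions and which attribute authorities may assert attributes; a use-condition or attribute signed by anyone else is ignored, and the outcome is deny unless every applicable use-condition is met by a verified, unexpired attribute from an issuer that use-condition accepts. HMAC-SHA256 over canonical JSON stands in for the issuers' public-key signatures so the example runs on the standard library alone; the keys, subjects, resource path and attribute names are constructed for illustration, and the "all applicable use-conditions must be met" rule is a simplification of Akenti's combining logic.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def _sign(key: bytes, body: dict) -> str:
    # Stand-in for an issuer's public-key signature: HMAC-SHA256 over canonical JSON.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue(kind: str, issuer: str, key: bytes, **fields) -> dict:
    """Issue a signed assertion: kind is 'use-condition' or 'attribute'."""
    body = {"kind": kind, "issuer": issuer, **fields}
    return {"body": body, "sig": _sign(key, body)}


def _verified(cert: dict, kind: str, trusted: Dict[str, bytes]) -> bool:
    """True only for the expected kind, an issuer the policy names, and a good signature."""
    body = cert["body"]
    key = trusted.get(body.get("issuer"))
    return (body.get("kind") == kind and key is not None
            and hmac.compare_digest(cert["sig"], _sign(key, body)))


def decide(policy: dict, use_conditions: List[dict], attributes: List[dict],
           subject: str, action: str, now: int) -> Tuple[bool, List[str]]:
    """Akenti-style decision with the resource policy as the root of trust.

    Every use-condition that verifies against a policy-named stakeholder and
    covers this resource and action must be met by an attribute that verifies
    against a policy-named authority, is unexpired, belongs to the subject and
    comes from an issuer the use-condition itself accepts. Default deny.
    """
    applicable = [uc["body"] for uc in use_conditions
                  if _verified(uc, "use-condition", policy["stakeholders"])
                  and uc["body"]["resource"] == policy["resource"]
                  and action in uc["body"]["actions"]]
    if not applicable:
        return False, ["no trusted use-condition covers this action"]
    held = [a["body"] for a in attributes
            if _verified(a, "attribute", policy["attribute_authorities"])
            and a["body"]["subject"] == subject
            and a["body"]["not_after"] > now]
    reasons = []
    for uc in applicable:
        met = any(h["name"] == uc["attr_name"] and h["value"] == uc["attr_value"]
                  and h["issuer"] in uc["accepted_issuers"] for h in held)
        reasons.append(f"{uc['issuer']} use-condition {'met' if met else 'not met'}")
        if not met:
            return False, reasons
    return True, reasons


# Constructed keys, names and subjects; real deployments use key pairs and X.509 subjects.
K_OESC = b"oesc-stakeholder-key"
K_VO = b"biogrid-vo-manager-key"
K_ROGUE = b"key-trusted-by-nobody"
ALICE = "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=alice smith"
BOB = "/C=UK/O=eScience/OU=Leeds/L=ISS/CN=bob jones"
NOW = 1038960000  # 2002-12-04T00:00:00Z

# The resource's own policy (cf. the Akenti policy certificate): the only root of trust.
POLICY = {"resource": "/cluster/biogrid/run",
          "stakeholders": {"OeSC-admin": K_OESC},
          "attribute_authorities": {"BioGrid-VO": K_VO}}

USE_CONDITIONS = [
    issue("use-condition", "OeSC-admin", K_OESC, resource="/cluster/biogrid/run",
          actions=["submit"], attr_name="role", attr_value="member",
          accepted_issuers=["BioGrid-VO"]),
    # Signed by a stakeholder the policy does not name: ignored, not honoured.
    issue("use-condition", "Rogue", K_ROGUE, resource="/cluster/biogrid/run",
          actions=["submit", "admin"], attr_name="role", attr_value="anyone",
          accepted_issuers=["Rogue"]),
]

ATTRIBUTES = [
    issue("attribute", "BioGrid-VO", K_VO, subject=ALICE, name="role", value="member",
          not_after=NOW + 86400),
    issue("attribute", "Rogue", K_ROGUE, subject=BOB, name="role", value="member",
          not_after=NOW + 86400),                       # untrusted issuer
    issue("attribute", "BioGrid-VO", K_VO, subject=BOB, name="role", value="member",
          not_after=NOW - 1),                           # expired
]

if __name__ == "__main__":
    for who, what in ((ALICE, "submit"), (BOB, "submit"), (ALICE, "admin")):
        print(who, what, decide(POLICY, USE_CONDITIONS, ATTRIBUTES, who, what, NOW))
```

Passing the attribute list into decide() models PERMIS push mode; in pull mode the decision point would fetch the subject's attributes from a repository itself, but the check against policy-named issuers is identical. Because the attributes carry their own expiry, an authority can withdraw a user's rights simply by not re-issuing, which is the "revocation through authorisation" route raised in the afternoon discussion.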

Slide 11: PM Authorisation Discussion

Any primary authorisation server/policy engine will attract hackers
How would system managers react to deploying the EDG Account Management?
  – Group accounts are potentially worrying
  – The file system approach is Linux-specific (OpenAFS coming)
How close are VOM and VOMS?
  – Very similar apart from the backend
Revocation should be achieved through authorisation
  – Possibly need different levels of priority
At a sufficiently early stage not to know details, in order to give feedback to developers
Need quick feedback from projects to see how they would, or would not, help

Slide 12: Common Acceptable Use Conditions

Can we have a single set of regulations for all institutions?
  – Answer: no
The UCISA statement is a good start for a "Grid CAU"; or the EDG or Akenti statements
  – Need a superset of conditions, but with some irrelevant parts removed
  – There will need to be agreement that it will be enforced by the home institution when a user misbehaves
  – Then circulate the draft text
When will the 'Grid regulations' be "signed"?
  – At the time of registration through the RA?
How do we make this international?