Presentation is loading. Please wait.

Presentation is loading. Please wait.

PDC Enabling Science Grid Security Research Olle Mulmo.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "PDC Enabling Science Grid Security Research Olle Mulmo."— Presentation transcript:

1 PDC Enabling Science Grid Security Research Olle Mulmo

2 PDC Enabling Science Trust Mismatch Cross “Certification” Issue Certification Authority Certification Authority Domain A Server X Server Y Policy Authority Policy Authority Task Domain B Sub-Domain A1 Sub-Domain B1 No Cross- Domain Trust

3 PDC Enabling Science Grid Solution: Virtual Organizations Certification Domain A common mechanism Certification Authority Sub-Domain B1 Authority Federation Service Virtual Organization Domain No Cross- Domain Trust

4 PDC Enabling Science VO management VOs today = 100s of users DOE Science Grid, European Data Grid Centrally kept, highly secure, repository Databases, LDAP directories, additional software, … Research groups today = 10s of users Administration = pain Current VO software too heavy-weight Mismatch

5 PDC Enabling Science Different trust models for dynamic VOs Look at peer-to-peer models Sociological web-of-trust models “Simple secret” based security model Group creation based on invitation (One-time passwd) Common problem: traceability Who invited whom? Can models above be extended? Grid & P2P is a “hot topic”

6 PDC Enabling Science Account management AAAccounting == accountability Who did what at what time? Accounting == billing Who consumed what resources, for how long, at what price? Distributed quota problem 6000 CPUh == 1*6000 CPUh or 6*1000 CPUh (Swegrid needs at least a short-term solution)

7 PDC Enabling Science Account management (cont.) Mapping each individual into unique user account… Doesn’t scale Need dynamics Existing quotas and scheduler limits must apply Other initiatives to watch/interact with Slashgrid (UK E-Science) Large-site AAA (GGF) EGEE proposal

8 PDC Enabling Science Authorization Policy Tightly related to quota management The “You have access” part of the “You have access to this piece of the pie” problem Same software, different authority Current implementations are based on group membership Either you’re in, or you’re out Support for expressiveness is missing “access between 8am and 5pm” “only if CPU load is less than 50%” Large portion of a policy needs dynamic information from runtime context

9 PDC Enabling Science Authorization Policy (cont.) Another Grid and OGSA “hot topic” But emphasis on integration of old software Opportunity to ignore and do real and relevant work Does not need to start from scratch – may reuse an existing framework

10 PDC Enabling Science Proposed VR-IT research Authentication and distributed file system technologies Credential translation / mapping Privilege inflation Prototype implementation (AFS) Authorization, Accounting and Policy Develop dynamic trust models Develop scalable models for user account mgmt Develop expressiveness of authorization policy

Download ppt "PDC Enabling Science Grid Security Research Olle Mulmo."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Grids for Complex Problem Solving, 29 January 2003 Grid based collaborative working in large distributed organisations

Grids for Complex Problem Solving, 29 January 2003 Grid based collaborative working in large distributed organisations
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Understanding Active Directory

Understanding Active Directory
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.

A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
PaN-data WP4 - Users Gordon Brown STFC-e-Science Alun Ashton DLS Bill Pulford DLS.

PaN-data WP4 - Users Gordon Brown STFC-e-Science Alun Ashton DLS Bill Pulford DLS.
Dr. Raimund Ege: Research Summary  Security in the Mobile Context Trust and Access control models Peer-to-peer delivery networks  Opportunities for student.

Dr. Raimund Ege: Research Summary  Security in the Mobile Context Trust and Access control models Peer-to-peer delivery networks  Opportunities for student.
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Similar presentations

Ads by Google