Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005."— Presentation transcript:

1 Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005

2 Outline Issues (20 mins) Ideas (10 mins) Discussion (15-20 mins) I am not a security person, but I recognize it is essential for large scale grid computing of which I have some experience trying to “do”. Please interject, disagree, question anything I say.

3 Pieces of the Puzzle People Physicists Sys Admins VO managers Software developers Hardware Individual computers Computing centres Networks Software Operating system/host specific Site specific VO specific Communal grid s/w Services service class service instance User software parallel/cooperating jobs

4 Authorization Domains 3 Authz domains: Site specific (which we know well) VO/grid (which we’re working on) User configurable All need to give the “thumbs up” for data access service access execution

5 Usage Control and Costing Utilisation/Usage tracking Charging Fair share/dynamic access control Paradigms Turn a tap Release funds to an account

6 Privacy Data access Information leakage through meta-data through “recipe” to create data Access to entity identity/authentication tokens “unavoidable” through delegation/service access? Not such a big issue for particle physicists

7 Correctness Who generated this file data result Is it correct? Do I trust the source? What version(s) of software was used? What was the workflow?

8 Virtual Organisations Entities need to exist in security domains which span physical domains Virtual Organisations VOs are dynamic constantly changing membership must be easy to setup/destroy/propagate VOs are themselves (internally) hierarchical VO managers, even “per-role” managers Need automation Issuing of “rights” and membership Policies Services Sites want to make “block” arrangements with VOs and not negotiate terms with every user

9 Roles Current “user security” infrastructure has one focus: “I am Ian Stokes-Rees” because I know a password because I have a certificate signed by a trusted CA which has been told by a trusted RA that they should sign that certificate and give it to me Sites say: Ian Stokes-Rees can access this system submit batch jobs read/write data VO says: Ian Stokes-Rees is part of our VO (But at the moment only one VO can say this...) This isn’t very exciting, or a very big step but a journey of a thousand miles starts with one step

10 Roles II Authorization by sites or services is then per- entity Or “We trust this VO and will import/mirror their entire user list” Need to be able to say: “I am a Physics Working Group Coordinator” “I am an LHCb Data Curation Manager” “I trust CERN software services” So we need roles And of course services and hosts have roles And each entity may have multiple roles

11 Tickets Tickets imply time limited/windowed specific rights may be entity-bound or may be transferable Need a “Ticket Server” Or more likely a network of ticket servers Need some way to manage a ticket collection and probably to decide which tickets to use I am still trying to decide if tickets and roles are different

12 Decoupled There needs to be points of commonality understood data formats But there needs to be freedom of implementation different protocols different usages Need to identify fundamental requirements and representation leave implementation and handling open to different approaches

13 Scenario Users Software Services Site Administrators Grid Computing

14 Users Construct an “identity” time based permissions specify a set of roles collect and bind together a set of tickets meta-permissions (identity-bound policy?) can the identity delegate who can communicate with the identity Specify which identity to use for which operations Bind identity to data implications of identity “expiring” Use sets of identities is this different to roles or credential wallet? yes, if they are mutually exclusive identities no, if they are complimentary

15 Software Services Software needs to have its own security profile: identity token credentials (roles, access tickets) But also needs to accept delegated responsibility from other users, to perform operations on their behalf from other services (or maybe not?) Operates in a larger security domain (site, host and VO) this will imply “inherited” policy

16 System Administrators Need (and in many ways have) ultimate control over who accesses their systems, executes programs, reads and writes data Will have dynamic policies based on night, day, weekend, load level, maintenance Need it to be simple

17 Grid Computing specific example of Users and Software Services coming together many different tokens may be required to access grid resources run on a specific site collect data from different sources write data to different sources access remote services (e.g. database) draw “funds” from different accounts

18 Ideas PKI based infrastructure Credential wallet Timed credentials Tickets and Roles are equivalent Roles are just “long lived” tickets Two classes: transferable credentials identity locked credentials Also “receiver locked” credentials/identity (PK encrypted) Tickets, Grid Bucks, Reservation, and Resource Management somehow related

19 Questions Are roles and tickets different? Is PKI the only obvious way to do this right now? How good is PKI support for roles and/or tickets? What standards exist to support this? What libraries exist to make it happen? Where are we with Grid Economies?

Download ppt "Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
Slides for Grid Computing: Techniques and Applications by Barry Wilkinson, Chapman & Hall/CRC press, © 2009. Chapter 1, pp 19-28. For educational use only.

Slides for Grid Computing: Techniques and Applications by Barry Wilkinson, Chapman & Hall/CRC press, © Chapter 1, pp For educational use only.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Globus Computing Infrustructure Software Globus Toolkit 11-2.

Globus Computing Infrustructure Software Globus Toolkit 11-2.

Similar presentations

Ads by Google