Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

Published byAllen Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What."— Presentation transcript:

1 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What we want/need Immediate decisions Policies (XACML) and VOMS Limitation and Revocation Future

2 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 Stakeholders LCG Security Group (chair D. Kelsey) – Emphasis on written policies, AUPs etc EGEE Site Security Group – Details still being sorted EGEE JRA3 – Northern Europe (NL, FI, SE) INFN/CERN – VOMS GridPP – GACL / GridSite

3 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 JRA3 Middleware Core is provided by Northern Europe Cluster – Helsinki Institute of Physics, Foundation for Fundamental Research of Matter in Utrecht, University of Amsterdam, University of Bergen, Royal institute of Technology in Stockholm Also forming agreement with INFN for – continued support of VOMS service – (VOMS admin interface to be supported by JRA3) GridPP has undertaken to continue various pieces related to GridSite and GACL – Currently, GACL and GACL-in-XACML – Delegation (G-HTTPS becoming Delegation Service)

4 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 Architecture (incomplete) Intrusion Cred store Proxy cert AA service delegation VO policy Audit Site policy Access control Revo- cation Trust anchors process space “sudo” Diagrams from David Groep / Joni Hahkala / Olle Mulmo

5 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 What we have (Unix native) Intrusion Cred store Proxy cert AA service delegation VO policy Audit Site policy Access control Revo- cation Trust anchors MyProxyVOMS LCAS GACL Gsoap process space “sudo” snort(*) GRAM + LCMAPS (*) Almost there G-HTTPS httpg

6 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 What we have (Java) Intrusion Cred store Proxy cert AA service delegation VO policy Audit Site policy Access control Revo- cation Trust anchors MyProxy (client) CAS EDG AuthZ(*) Axis various SAML(*) XACML(*) (*) Almost there GT, EDG Java process space “sudo” GRAM

7 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 What we want (incomplete) Intrusion Cred store Proxy cert VOMS service delegation VO policy Audit Site policy Access control Revo- cation Trust anchors Policy based authZ ??? Audit Site policy Access control Revo- cation Trust anchors Provisioning

8 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 Immediate decisions Will start with Transport Layer Security – ie SOAP over GSI HTTPS for web services – that is HTTPS with GSI proxy certificates This is because XML Security is currently too slow For C/C++ can use globus_gss_assist() – (or GridSite library / mod_gridsite and gSOAP) For Java use Axis with CoG Will rapidly develop a WS delegation portType – We will do this in C/C++ (based on grst-proxy.cgi) – JRA3 will do this for Java (based on EDG java sec)

9 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 Policies Need to combine multiple policy sources Move towards XACML  Subset of XACML relevant to us needs to be defined  GridPP developing GACL XACML translator  XACML java tools are being tried out in NIKHEF  Policy combination to be defined Policy handling still needs a lot of thought  In conceptual, architechtural and implementation level  Name space issues need to be solved

10 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 VOMS Server maintained and developed by IT/CZ cluster VOMS admin interface maintained by JRA3 for now  LCG will continue development  JRA3 involvement in development to be decided Light weight VOMS  Operation centers required to host many VOs Java client needed (portals?) VOMS AC parsing needs to be added to java library

11 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 Limitation / Revocation Will carry on using MyProxy to extend ~12hr GSI proxies for long running jobs Will add support for Online Certifcate Status Protocol to check status of user/service certificates  Stop distributing Certificate Revocation Lists  OCSP service can allow revocation in ~minutes (One possibility, which isn't included, is using OCSP to allow users to revoke their own GSI proxies too  ie can kill a 12 hr proxy wherever it is on the Grid)

12 Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004 Future Iterate all this with Applications and Sites groups Implementation of access policies at site/resource level to be more integrated Move (almost) everything to Web Services protocols Mutual authorization, not just authentication – Resources certified by VO's? – Machine-readable operational policy statements, signed AUPs for users and services

Download ppt "EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What."

Similar presentations

Demonstrations at PRAGMA 13 10 demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.

Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
3 May 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.

Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
Grid Security work in 2006 Andrew McNab Grid Security Research Fellow University of Manchester.

Grid Security work in 2006 Andrew McNab Grid Security Research Fellow University of Manchester.
The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester.

The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester.

Similar presentations

Ads by Google