
Grid Trust Fabric. TNC 2006, Catania, 16 May 2006. David Kelsey, CCLRC/RAL, UK


1 Grid Trust Fabric. TNC 2006, Catania, 16 May 2006. David Kelsey, CCLRC/RAL, UK, d.p.kelsey@rl.ac.uk

2 Outline (slide footer: 16-May-2006, David Kelsey, Grid Trust Fabric, TNC 2006)
- Brief introduction to the LCG and EGEE projects
- What is Grid Trust?
- What is a Grid Virtual Organisation (VO)?
- The Grid Security Model
- Authentication (AuthN)
  – The International Grid Trust Federation
- Authorization (AuthZ)
- Policy and Legal issues
- NRENs, Grids and Federations
- Future plans
- Final words

3 The LHC Computing Grid Project (LCG) & Enabling Grids for E-sciencE (EGEE)

4 High Energy Physics using a worldwide computing grid. Les Robertson, LCG Project Leader, CERN, December 2005

5 The LHC Accelerator (slides 5-8 from LCG, les robertson - cern-it; last update 04/09/2015 00:07)
- The accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments' detectors

6 LHC Data
- This is reduced by online computers that filter out a few hundred "good" events per second, which are recorded on disk and magnetic tape at 100-1,000 MegaBytes/sec
- ~15 PetaBytes per year for all four experiments

7 Resources for LHC Data Handling
- 15 PetaBytes of new data each year (CMS, LHCb, ATLAS, ALICE)
- 1 Petabyte (1 PB) = 1000 TB = 10 times the text content of the World Wide Web** (** Urs Hölzle, VP Operations at Google)
- 100,000 of today's fastest processors
- 150 times the total content of the Web each year

8 High Energy Physics: a global community
- 1800 physicists (including 400 students)
- 150 universities/laboratories
- 34 countries

9 LCG depends on two major science grid infrastructures (slide from HEPiX Rome, 05 Apr 06, LCG, les.robertson@cern.ch)
- EGEE - Enabling Grids for E-Science
- OSG - US Open Science Grid

10 LCG ... and an excellent Wide Area Network

11 A global, federated e-Infrastructure (Enabling Grids for E-sciencE, INFSO-RI-508833; slide from Ian Bird, SA1, EGEE Final Review, 23-24th May 2006)
- EGEE infrastructure: ~200 sites in 39 countries, ~20 000 CPUs, > 5 PB storage, > 20 000 concurrent jobs per day, > 60 Virtual Organisations
- Related grids: EUIndiaGrid, EUMedGrid, SEE-GRID, EELA, BalticGrid, EUChinaGrid, OSG, NAREGI

12 The EGEE project
- Objectives
  – consistent, robust and secure service grid infrastructure for many applications
  – improving and maintaining the middleware
  – attracting new resources and users
- Structure
  – 13 federations in 32 countries
  – leveraging national and regional grid activities worldwide
  – co-funded by the EU with ~32 M Euros for the first 2 years from 1st April 2004
  – EGEE-II started April 2006

13 EGEE Highlights - Applications
- Support applications from
  – Astrophysics
  – Computational Chemistry
  – Earth Sciences
  – Finance
  – Fusion
  – Geophysics
  – High Energy Physics
  – Life Sciences
  – Material Sciences
  – Multimedia
  – etc.
- See recent press release on search for drugs against Avian Flu: http://www.eu-egee.org/news/egee-grid-attacks-avian-flu/

14 What is Grid Trust?

15 Grid Trust
- Many components (in ascending scale of difficulty)
  – Technical: interoperable security, standards-based
  – Policy and Procedures: ensure participants act in a predictable way
  – Legal: international aspects particularly hard
  – Social
- Have spent the last 6 years building "trust"
  – Many face to face meetings
  – Last 2 years, working towards a federated approach
- Sites need to trust VOs (and vice versa)
  – To take care of Users, Data, Operations, …

16 What is a Grid Virtual Organisation (VO)?

17 Grid VOs
- Several different views!
- The original Globus definition included resources
  – A Virtual Organisation is a set of individuals and/or institutions that are defined according to a set of rules
- The EGEE view – just people
  – A grouping of individuals, often not bound to a single institution or enterprise, who, by reason of their common membership of the VO, and in sharing a common goal, are granted rights to use a set of resources on the Grid
- There are many Grids
  – Defined by shared services and common policy
  – Single Information System
  – Common operations (distributed)
  – Politics and/or Funding

18 The Grid/VO/Site Model

19 Grid/VO/Site Model
- Users have a single electronic identity
- They register once per VO (and renew)
  – Can/do belong to more than one VO
- Users do not register at sites or Grids
- VOs register with the Grid (again, once per Grid)
- Aim for a single instance of the VO membership database
  – To be used across multiple Grids
- Sites can/do provide resources to multiple Grids
- Sites decide which VOs to support
  – Distributed Grid Operations facilitates this: deployment, configuration etc.

20 Grid Security Model

21 The Grid Security Model
- Authentication – proof of identity
  – GSI: Globus Grid Security Infrastructure (interoperate)
  – Single sign-on via X.509 certificates (PKI), OpenSSL
  – Delegation (via short-lived proxy certs) to services
- Global Authorization – right to access resources
  – Virtual Organisation (VO) – e.g. a Biomed experiment
    Maintains list of registered users
    Allocates users to groups and roles
    Controls global policy and allocations
- Local Authorization – site access control
  – Via local (e.g. Unix) mechanisms, or
  – Callouts to local AuthZ enforcement (Grid developments)
  – Grid ACLs - global identity or VO AuthZ attributes
- Policy
  – Grids (e.g. EGEE, Open Science Grid) define security policy
  – Policies must be interoperable, e.g. common AUP
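The delegation step on this slide (single sign-on with an X.509 end-entity certificate, then a short-lived proxy handed to services) is the part a relying party most easily gets wrong: a proxy is signed by an ordinary user certificate rather than by a CA, so a standard chain builder rejects it and the service has to apply the proxy rules itself. The Go program below is an added example, not code from the talk, from Globus GSI or from gLite. It constructs a CA root, a 12-month user certificate (the "classic" lifetime quoted later in the deck) and a proxy signed with the user's own key, then performs the checks a site service should make before honouring the proxy: signature by the end-entity certificate (EEC), not a CA, inside its validity window, lifetime bounded by the EEC and by a site policy, subject equal to the EEC subject plus one CN, and the EEC chained to a trusted root. The 12-hour proxy limit, the "Example Grid" names and the simplified RFC 3820 rules are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"reflect"
	"time"
)

// Assumed site policy (not a figure from the talk): a delegated proxy may live at most 12 hours.
const maxProxyLife = 12 * time.Hour

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3} // X.520 commonName

// Chain is the constructed sample fabric: CA root, end-entity cert (EEC), proxy signed by the EEC.
type Chain struct{ CA, EEC, Proxy *x509.Certificate }

// newCert issues a certificate for subj; parent == nil makes it self-signed (the CA root).
func newCert(subj pkix.Name, from time.Time, life time.Duration, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)) // random positive serial
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subj, NotBefore: from, NotAfter: from.Add(life),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain mimics the fabric in the talk: CA -> 12-month EEC for user "Alice" -> proxy signed
// with Alice's own key and named as her DN plus one extra CN (RFC 3820 style). Names are constructed.
func BuildChain(now time.Time, proxyLife time.Duration) (*Chain, error) {
	org := []string{"Example Grid"}
	ca, caKey, err := newCert(pkix.Name{Organization: org, CommonName: "Example CA"},
		now.Add(-time.Hour), 10*365*24*time.Hour, true, nil, nil)
	if err != nil {
		return nil, err
	}
	eec, aliceKey, err := newCert(pkix.Name{Organization: org, CommonName: "Alice"},
		now.Add(-time.Hour), 365*24*time.Hour, false, ca, caKey)
	if err != nil {
		return nil, err
	}
	// ExtraNames replace the CommonName field, so both CNs go here, in order: CN=Alice, CN=proxy.
	proxyName := pkix.Name{Organization: org, ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidCN, Value: "Alice"}, {Type: oidCN, Value: "proxy"}}}
	proxy, _, err := newCert(proxyName, now.Add(-time.Minute), proxyLife, false, eec, aliceKey)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: ca, EEC: eec, Proxy: proxy}, nil
}

// ValidateDelegation applies the checks a site service makes before honouring a delegated proxy
// (simplified from RFC 3820): signed by the EEC key, not a CA, inside its validity window, not
// outliving the EEC or maxProxyLife, named as the EEC subject plus one CN, and the EEC itself
// chained to a trusted root (the IGTF-distributed CA certificates in the real fabric).
func ValidateDelegation(c *Chain, now time.Time) error {
	p, e := c.Proxy, c.EEC
	if err := e.CheckSignature(p.SignatureAlgorithm, p.RawTBSCertificate, p.Signature); err != nil {
		return fmt.Errorf("proxy not signed by the EEC key: %w", err)
	}
	if p.IsCA {
		return errors.New("proxy must not be a CA")
	}
	if now.Before(p.NotBefore) || now.After(p.NotAfter) {
		return errors.New("proxy outside its validity window")
	}
	if p.NotAfter.After(e.NotAfter) || p.NotAfter.Sub(p.NotBefore) > maxProxyLife {
		return errors.New("proxy lifetime exceeds policy")
	}
	ps, es := p.Subject.Names, e.Subject.Names // every attribute/value pair, in DN order
	if len(ps) != len(es)+1 || !reflect.DeepEqual(ps[:len(es)], es) || !ps[len(es)].Type.Equal(oidCN) {
		return errors.New("proxy subject is not the EEC subject plus one CN")
	}
	roots := x509.NewCertPool()
	roots.AddCert(c.CA)
	_, err := e.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	now := time.Now()
	for _, life := range []time.Duration{8 * time.Hour, 14 * 24 * time.Hour} {
		c, err := BuildChain(now, life)
		if err != nil {
			panic(err)
		}
		fmt.Printf("proxy with %v lifetime: %v\n", life, ValidateDelegation(c, now)) // <nil> means accepted
	}
}
```

Run as a plain `go run` program it accepts the 8-hour proxy and rejects the 14-day one. The order of checks is deliberate: the signature binds the proxy to the EEC before any field of the proxy is trusted, and the EEC is verified against the root last because that is the expensive step. A production validator would also consult the CA's CRL for the EEC and handle chains of proxies; both are left out here.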

22 Security Policy: policy comes from many stakeholders (graphics from Globus Alliance & GGF OGSA-WG)

23 Authentication

24 Authentication
- Keep Authentication and Authorization separate
  – Authentication best done at Institute level
  – Authorization best done at VO level
- Provide the User with one (Grid) electronic identity
  – For use in many Grids or VOs
  – For user convenience
- Have successfully built a global PKI (X.509)
  – Mutual Authentication of people and services
- What is the most appropriate scale?
  – One CA per country/region (ideally for all eScience)
- EU Grid PMA has coordinated the (global) CAs
  – "minimum requirements" for accredited CAs
- Now IGTF takes over the global coordination

25 IGTF
- International Grid Trust Federation
  – Formed in October 2005
  – Federate to solve scaling problems
- Coordinates the three regional Policy Management Authorities (PMA)
  – EU Grid PMA
  – Asia/Pacific Grid PMA
  – The Americas Grid PMA
- Each PMA
  – Accredits Identity Providers for Grid Authentication
  – Owns and maintains various authentication profiles
  – Coordinates the X.509 namespace
  – Distributes roots of trust (globally)
  – Members are the CAs and major relying parties

26 IGTF (2)
- Authentication Profiles
  – Classic PKI: long-lived (12 months) certificates held by the end entities; medium assurance level (photo-ID and face-to-face user RA); CRLs issued
  – SLCS (recent addition): short-lived certificate services; certificates automatically generated from local site authentication services (e.g. Kerberos); no CRLs
  – Experimental CAs
- Working towards an OCSP definition and service
  – With CAOPS-WG in GGF
- TACAR is an important independent source of roots of trust
  – TERENA Academic CA Repository

27 IGTF (3) (slide from David Groep)
- Common, global best practices for trust establishment
- Better manageability and response of the PMAs (EUGridPMA, TAGPMA, APGridPMA)

28 IGTF (4)
- More than 50 countries/regions worldwide are members
- Europe is well covered
- "Catch-all" CA for gaps

29 AuthZ Technology

30 Authorization & VO Management
- In EGEE gLite middleware
- Global AuthZ (VOMS)
  – Virtual Organization Membership Service: VO members, their groups and roles
  – Provides a digitally signed AuthZ attribute certificate
    Included in the grid proxy certificate
    A "PUSH" model (user can select roles and VOs)
- Local AuthZ
  – Local Centre Authorization Service (LCAS): a framework to handle local policy (e.g. banned users)
  – Local Credential Mapping (LCMAPS): provides local credentials (Kerberos/AFS, ldap nss, …)
- Local policy decisions (Compute and Storage Elements)
  – Can decide and enforce policy on VOMS attributes

31 VO Groups and Roles
- Each VO assigns its members to groups and roles
- Groups
  – Collections of individuals with something in common, e.g. a group of scientists working on a particular topic
  – Used for access control and quotas/priorities
- Roles
  – Capabilities/Privileges assigned to individuals or groups, e.g. production processing manager, DBA, …
- We started to explore common role names
  – Some agreement possible, but it's close to impossible! Too many VOs and differences
  – At the very least, names and semantics must be well understood within a VO context
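Slides 30 and 31 describe the push model end to end: the VO's VOMS server signs the member's groups and roles, the user carries them in the proxy (choosing which role goes first), and the site's LCAS/LCMAPS layer decides whether to admit the user and which local credential to map to. The Go program below is an added example, not VOMS, LCAS, LCMAPS or gLite code, that models that flow with a simplified signed assertion in place of the X.509 attribute certificate: it parses VOMS-style FQANs (`/VO/group/Role=role`), issues and verifies the VO signature together with expiry and holder binding, refuses banned users, and maps the primary FQAN to a local account. The Ed25519 signature, the JSON encoding, the "biomed" rules and account names and the banned DN are constructed for the example; VOMS also allows a `/Capability=` component, which is not handled here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// FQAN is a VOMS fully qualified attribute name: /VO[/group...][/Role=role].
// Group holds the full path, e.g. /biomed/analysis. (/Capability= is omitted in this example.)
type FQAN struct{ Group, Role string }

// ParseFQAN validates the string form: non-empty group components first, then at most one Role=.
func ParseFQAN(s string) (FQAN, error) {
	var f FQAN
	if !strings.HasPrefix(s, "/") {
		return f, fmt.Errorf("fqan %q must start with /", s)
	}
	for _, part := range strings.Split(s[1:], "/") {
		switch {
		case part == "":
			return f, fmt.Errorf("fqan %q has an empty component", s)
		case strings.HasPrefix(part, "Role="):
			if f.Role != "" {
				return f, fmt.Errorf("fqan %q has two roles", s)
			}
			f.Role = strings.TrimPrefix(part, "Role=")
		case f.Role != "":
			return f, fmt.Errorf("fqan %q has a group after Role=", s)
		default:
			f.Group += "/" + part
		}
	}
	if f.Group == "" {
		return f, fmt.Errorf("fqan %q names no VO", s)
	}
	return f, nil
}

// Assertion stands in for the VOMS attribute certificate: the VO's attribute server binds the
// holder's grid identity (subject DN) to an ordered FQAN list for a limited time. The holder
// chooses the order when requesting it (the "PUSH" model); the first FQAN is the primary one.
type Assertion struct {
	Holder   string    `json:"holder"`
	FQANs    []string  `json:"fqans"`
	NotAfter time.Time `json:"not_after"`
}

// Signed is the assertion as carried inside the proxy: payload bytes plus the VO's signature.
type Signed struct{ Payload, Sig []byte }

// Issue is the VO side: validate the FQANs and sign (Ed25519 here; real VOMS uses X.509 ACs).
func Issue(a Assertion, voKey ed25519.PrivateKey) (Signed, error) {
	for _, s := range a.FQANs {
		if _, err := ParseFQAN(s); err != nil {
			return Signed{}, err
		}
	}
	payload, err := json.Marshal(a)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(voKey, payload)}, nil
}

// Verify is the site side: check the VO signature and expiry, and that the attributes were
// issued to the identity presenting them, before any FQAN is trusted.
func Verify(s Signed, voPub ed25519.PublicKey, holder string, now time.Time) (Assertion, error) {
	var a Assertion
	if !ed25519.Verify(voPub, s.Payload, s.Sig) {
		return a, errors.New("attribute signature is not from the trusted VO")
	}
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return a, err
	}
	if now.After(a.NotAfter) {
		return a, errors.New("attributes expired")
	}
	if a.Holder != holder {
		return a, errors.New("attributes issued to a different identity")
	}
	return a, nil
}

// Rule maps an FQAN (exact match, or as a group prefix) to a local account. More specific
// rules must be listed first, because the first matching rule wins.
type Rule struct{ FQAN, Account string }

// SitePolicy is the local LCAS/LCMAPS-style policy: banned DNs, then FQAN -> account rules.
type SitePolicy struct {
	Banned map[string]bool
	Rules  []Rule
}

// MapLocal makes the site decision: refuse banned users (LCAS), then map the first FQAN, in the
// holder's chosen order, that matches a rule (LCMAPS). Members of unsupported VOs get no account.
func MapLocal(p SitePolicy, a Assertion) (string, error) {
	if p.Banned[a.Holder] {
		return "", errors.New("user is banned at this site")
	}
	for _, s := range a.FQANs {
		for _, r := range p.Rules {
			if s == r.FQAN || strings.HasPrefix(s, r.FQAN+"/") {
				return r.Account, nil
			}
		}
	}
	return "", errors.New("no presented VO attribute is supported at this site")
}

// SamplePolicy is constructed for the example: production managers get a dedicated account,
// other biomed members share a pool account, and one DN is banned.
func SamplePolicy() SitePolicy {
	return SitePolicy{
		Banned: map[string]bool{"/O=Example Grid/CN=Mallory": true},
		Rules:  []Rule{{"/biomed/Role=production", "biomedprd"}, {"/biomed", "biomed001"}},
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // the VO attribute server's key pair
	now := time.Now()
	a := Assertion{Holder: "/O=Example Grid/CN=Alice", NotAfter: now.Add(12 * time.Hour),
		FQANs: []string{"/biomed/Role=production", "/biomed"}}
	signed, _ := Issue(a, priv)
	got, err := Verify(signed, pub, a.Holder, now)
	if err != nil {
		panic(err)
	}
	fmt.Println(MapLocal(SamplePolicy(), got)) // biomedprd <nil>
}
```

Two points the code makes concrete: the site never reads an FQAN before the VO signature, expiry and holder binding have passed, which is what keeps "global AuthZ managed by the VO" from becoming "anyone can claim a role"; and the holder's ordering of FQANs changes the outcome (production account versus pool account), so a VO that documents its group and role names, as slide 31 asks, is also documenting what its members can push to a site.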

32 Policy and Legal issues

33 EGEE/LCG Security Policy (picture from Ian Neilson)
- Policy documents: Security & Availability Policy; Grid AUP; VO AUP; Certification Authorities; Audit Requirements; Incident Response; User Registration & VO Management; Application Development & Network Admin Guide
- http://cern.ch/proj-lcg-security/documents.html

34 Policy
- Acceptable Use Policy
  – One general/simple/short common Grid AUP for EGEE and Open Science Grid (USA), and EU national Grids
    For all registered VOs; binds the user to the VO AUP
  – Each VO defines its own aims and AUP; sites can then decide to support it or not
  – User accepts these during registration, and at regular renewal (every 12 months)
- Robust User Registration procedures are required
  – Sites have delegated user registration to VOs
- Agreed operational security procedures are important
  – Security incident response

35 Federation legal issues
- Sites/Resources require
  – Auditing at individual user level
  – Read access to User registration data in the VO
- VOs require
  – Accounting (usage) data from resources
  – At individual user level
- EU Privacy & Data Protection laws control sites publicly identifying individual users
  – Working on a solution for this
- VOs are not (in general) legal entities
  – Makes life interesting!

36 NRENs, Grids & Federations?

37 eIRG Roadmap
- e-IRG: e-Infrastructure Reflection Group
- Roadmap for i2010: commitment to the federated approach; vision of an integrated AA infrastructure for eEurope; towards an integrated AAI for academia in Europe and beyond
- "The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […]" (Dublin, 2004)
- "The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions." (The Hague, 2005)

38 NRENs, Grids & Federations?
- No desire to run network services if they can be provided by NRENs
- AuthN/Identity services
  – Many NRENs run Certification Authorities: ~10 for Grids today, and growing
  – AuthN best done by the home institute
  – NRENs/Grids should continue to work together here: Federated Identity services
- For large/long-lived VOs
  – Global AuthZ must be managed by the VO
  – Role/Group names must be defined by the VO and understood by Sites/Resources (across all Grids)
- The TERENA series of workshops on "NRENs and Grids" is one way of exchanging information & collaborating

39 Federations (2)
- Dynamic/Short-lived VOs
  – Small groups of collaborating scientists, "laymen rather than experts"
  – VO cannot register with the Grid Infrastructure
  – Interesting to explore possibilities for NRENs here
- With the move to short-lived certificates (SLCS)
  – Linked to a site authentication infrastructure
  – Scaling problems for IGTF accreditation
  – IGTF needs the country to present a single coordinated identity federation: a role for NRENs?

40 Some future plans
- Interoperability – ongoing work
  – GGF "Grid Interoperability Now" (GIN) project
  – AuthN and AuthZ recognised as very important
  – IGTF for AuthN
  – EGEE active in GIN AuthZ: running a VOMS service for GIN
- New developments on policy expression/evaluation
- We have a requirement from some VOs to be able to register and use only those services they trust
  – Mutual AuthZ
- EGEE-II working on Shibboleth/gLite

41 References
- LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
- EGEE Security: http://egee-jra3.web.cern.ch/
- Open Science Grid: http://www.opensciencegrid.org
- IGTF: http://www.gridpma.org/
- EU Grid PMA: http://www.eugridpma.org/
- TERENA TACAR: http://www.tacar.org/
- Grid AUP: https://edms.cern.ch/document/428036

42 Final Words
- International federated identity for Grids is working
  – Many CAs already run for us by NRENs
  – Must work towards integration of other federated IdPs
- AuthZ is more difficult – but making good progress
  – Attributes must be managed by the VO
- Standards are essential – for interoperability
  – GGF is an important body
  – Grid Security will implement new standards
- People/Social aspects even more important
  – Building international trust takes time
  – Between Grids, Sites and VOs
- NRENs and Grids have been tackling different aspects of the federation problem space
- We (Grids and NRENs) must collaborate and work towards common solutions wherever possible

