
Managing Access to Resources on the Grid. Oxford University e-Science Centre, 4 December 2002 (presentation transcript).


1 Title slide: Managing Access to Resources on the Grid, 4 December 2002

2 Aims of the Workshop
To bring together:
  – Those building Grid environments
  – Those in the University IT community responsible for managing access to computing resources
Reviewing methods of:
  – authentication (am): the e-Science programme; three JISC funded projects
  – authorisation (pm): three systems offering authorisation; a working process for mapping Grid users into local accounts (EDG); user registration for Grid resources

3 Authentication – e-Science
Costs an institution about £1000 to create an RA
Current cost about £200 (£20) per certificate to the CA (RA)
Current capacity c. 1000 certificates (194 certificates so far)
  – Issuing 60 certificates/month
Renaissance Worldwide, “Choosing a PKI Vendor”
  – $400-800/certificate assuming 1000/year
Certificates must be renewed annually
A certificate must be cared for like a passport
Looking for approval of the EDG CA and Grid CAs outside Europe
Will update the CP/CPS (contract)
“This is a frighteningly high cost to protect computers”

4 Authentication – JISC Projects…
Digital Certificate Operation in a Complex Environment (M Dovey)
  – To provide a detailed evaluation and implementation of digital certificates at the University of Oxford
  – How do we expand the RA for e-Science to a general RA for the University?
  – Will explore development beyond the project
  – Why not just username and password?
Open Source Certificate Authority (E Carter, D Holdsworth)
  – Automated registration authority: user account generation/certificate issue
  – Online, scalable
  – Revocation is done best at authorisation

5 … continued
Technologies for Information Environment Security (A Ferguson/S Shaw)
  – Proof of concept for an authentication service for licensed resources (assets) of the JISC IE, accessed by standard browsers
  – Consider the wider use of digital certificates in HE
  – Is a two-tier policy required for institutions? Basic level assurance for the JISC IE; a higher level for additional services

6 Am Authentication Discussion
1. Strong view from the floor that the CP/CPS is ‘going over the top’ for general authentication use (at least 50%)
The CP/CPS requires that the user identifies himself/herself
  – Institutions will wish to use their existing registration to identify users, as a personal identification process has already happened, and combine it with the CA
  – Otherwise not scalable
Context is very important
  – If we wish to inter-work with institutions abroad, then we need to meet their requirements
Why not just use username and password?
  – There is now a trend for the server to define the format of the password
  – Exposing different requirements: certificates are needed for the Grid
Principal drivers for certificates are the Grid, medical schools (complexity of trust models) and high-assurance Government services
  – So we will have to learn to use certificates in higher numbers

7 EDG Account Management
Within the lifecycle of a job, each step requires authorisation
How can Grid users gain access without new accounts being created every day, yet be limited, be audited, and have their files tracked?
Local access control and account management:
EDG has an LDAP VO; the mkgridmap tool builds the local grid-mapfile from the VO server each day
  – Grid-mapfile: the users who can use the resource
Process:
  – Users first join the Acceptable Use Policy VO (using their certificate)
  – Users can then join the VO of their application
VOMS: similar to CAS, but retains user identity (such as VO or sub-group membership)
  – No longer need to fetch membership, as VO members will be accepted because they have the right
GGF Authorization Working Group (Authz)
  – Converge authorisation solutions and move from Grid to web services
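The slide describes the daily mkgridmap step: the site pulls VO membership from the VO server and writes a grid-mapfile that maps each permitted certificate DN to a local account, with membership of the Acceptable Use Policy VO as a precondition. The following Python is an added illustration of that mapping logic, not EDG's mkgridmap or any Oxford code; the VO contents, DNs and account names are constructed, and the in-memory VO_MEMBERS dict stands in for the LDAP VO server.

```python
"""Toy stand-in for the EDG mkgridmap step: build a grid-mapfile from VO membership.

Added illustration, not EDG's mkgridmap. VO_MEMBERS is a constructed dict standing
in for the LDAP VO server; DNs and local account names are made up.
"""
import shlex

# Constructed VO server contents: VO name -> set of member DNs.
# "aup" is the Acceptable Use Policy VO that every user must join first.
VO_MEMBERS = {
    "aup": {
        "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=alice example",
        "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=carol example",
        "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=dave example",
    },
    "biomed": {
        "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=alice example",
        "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=bob example",  # never joined the AUP VO
    },
    "cfd": {
        "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=carol example",
        "/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=alice example",
    },
}

# Constructed local site configuration: which application VOs this resource
# serves, and the local account each VO's members are mapped onto.
VO_TO_ACCOUNT = {"biomed": "biomed01", "cfd": "cfd01"}

AUP_VO = "aup"


def build_gridmap(vo_members, vo_to_account, aup_vo=AUP_VO):
    """Return {dn: local_account} for every DN allowed on this resource.

    A DN is mapped only if it belongs to an application VO the site serves AND
    to the AUP VO. A DN in several VOs gets the first VO in vo_to_account order,
    so the mapping is the same on every daily run.
    """
    aup_members = vo_members.get(aup_vo, set())
    entries = {}
    for vo, account in vo_to_account.items():
        for dn in sorted(vo_members.get(vo, set())):
            if dn not in aup_members:
                continue  # no accepted AUP: not mapped, whatever the application VO says
            entries.setdefault(dn, account)
    return entries


def format_gridmap(entries):
    """Render in the Globus grid-mapfile format: one '"DN" account' line per user."""
    lines = ['"%s" %s' % (dn, acct) for dn, acct in sorted(entries.items())]
    return "\n".join(lines) + "\n"


def parse_gridmap(text):
    """Parse a grid-mapfile back into {dn: account}; blank and '#' lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the quoted DN may contain spaces
        if len(parts) != 2:
            raise ValueError("malformed grid-mapfile line: %r" % raw)
        entries[parts[0]] = parts[1]
    return entries


def local_account_for(entries, dn):
    """Gatekeeper-side lookup: local account for an authenticated DN, or None."""
    return entries.get(dn)


if __name__ == "__main__":
    gridmap = build_gridmap(VO_MEMBERS, VO_TO_ACCOUNT)
    print(format_gridmap(gridmap), end="")
```

Running the script prints the three mapped users; bob is absent because he never joined the AUP VO, and dave is absent because he joined no application VO served by this site. Regenerating the file from the VO server each day is what makes revocation a matter of removing someone from the VO rather than editing accounts on every resource.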

8 CAS
GSI – X.509
  – Certificate on the base machine, then create a proxy with further information attached
  – Current policy is the grid-mapfile, but it is not scalable
  – CAS addresses this; CAS produces a proxy when a user is authorised
  – CAS investigation being reviewed using JISC funding
CAS-enabled gatekeeper
  – Policy Enforcement Point encapsulated into the certificate
Virtual Organisation Management Portal (VOM)
  – Certificate used in the portal browser to join a VO; the request then proceeds through the VO manager for approval and on to the resource manager

9 Akenti
(Complex) Access Management system from LBL
  – Assumes PKI
  – Allows each stakeholder to define access
Authentication: X.509
Authorisation: three types of signed certificates (not X.509)
  – Policy: one per resource
  – User attribute
  – Resource use-condition: supplied by stakeholders
These then make the access control decision
Interfaced to Globus, and in a web context the Apache model
Possible reservation: its own ‘certificates’ are not standards-based

10 PERMIS
Policy based authorisation system
  – Similar to XACML but simpler
  – Can push or pull
  – Not AAA, simply policy-based authorisation using XML
  – The target/resource is the root of trust
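Slides 9 and 10 describe the same decision shape from two systems: a per-resource policy is the root of trust, stakeholders supply signed use-conditions, trusted authorities assert user attributes, and the engine grants access only when every stakeholder's condition is met by a verified attribute, with attributes either pushed by the requester or pulled from a repository. The Python below is an added illustration of that combination, not Akenti's or PERMIS's code. It assumes a simplification: HMAC-SHA256 under a per-issuer secret key stands in for the public-key signatures the real systems use, so the example runs on the standard library alone; all issuer names, keys, DNs and the resource path are constructed.

```python
"""Toy Akenti/PERMIS-style authorisation decision.

Added illustration, not Akenti's or PERMIS's code. HMAC-SHA256 with per-issuer
secret keys stands in for public-key signatures; all names and keys are constructed.
"""
import hashlib
import hmac
import json

# Constructed per-issuer keys. The policy engine is assumed to hold the
# verification key of every issuer it might need to check.
KEYS = {
    "oxford-it": b"k-oxford-it",
    "project-pi": b"k-project-pi",
    "oxford-ra": b"k-oxford-ra",
    "unknown-ra": b"k-unknown-ra",  # key known, but not trusted by POLICY below
}

ALICE = "/C=UK/O=eScience/OU=Oxford/CN=alice example"
BOB = "/C=UK/O=eScience/OU=Oxford/CN=bob example"


def sign(issuer, body):
    """Return a 'certificate': the body plus the issuer's MAC over its canonical JSON."""
    msg = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[issuer], msg, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "sig": sig}


def verify(cert):
    """True iff the signature matches the body under the named issuer's key."""
    key = KEYS.get(cert["issuer"])
    if key is None:
        return False
    msg = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


# Policy certificate, one per resource: the root of trust for everything below.
POLICY = {
    "resource": "/cluster/queue1",
    "stakeholders": ["oxford-it", "project-pi"],  # may impose use-conditions
    "attribute_authorities": ["oxford-ra"],  # whose attribute assertions count
}

# Use-condition certificates: each stakeholder states one attribute it requires.
USE_CONDITIONS = [
    sign("oxford-it", {"resource": "/cluster/queue1", "attr": "affiliation", "value": "oxford"}),
    sign("project-pi", {"resource": "/cluster/queue1", "attr": "vo", "value": "cfd"}),
]

# Attribute certificates held in a repository (the "pull" source), per subject DN.
REPOSITORY = {
    ALICE: [
        sign("oxford-ra", {"subject": ALICE, "attr": "affiliation", "value": "oxford"}),
        sign("oxford-ra", {"subject": ALICE, "attr": "vo", "value": "cfd"}),
    ],
    BOB: [
        sign("oxford-ra", {"subject": BOB, "attr": "affiliation", "value": "oxford"}),
        sign("unknown-ra", {"subject": BOB, "attr": "vo", "value": "cfd"}),  # untrusted issuer
    ],
}


def trusted_attributes(policy, subject, certs):
    """(attr, value) pairs from certificates that verify, name this subject and
    come from an authority the resource policy trusts; everything else is dropped."""
    attrs = set()
    for c in certs:
        if (c["issuer"] in policy["attribute_authorities"] and verify(c)
                and c["body"]["subject"] == subject):
            attrs.add((c["body"]["attr"], c["body"]["value"]))
    return attrs


def decide(policy, use_conditions, subject, pushed=None, repository=None):
    """Return (allowed, reason). Fails closed: a stakeholder whose use-condition is
    missing, unverifiable or unmet denies access.

    Attribute certificates come from 'pushed' when the requester supplies them
    (push model) and are otherwise looked up in the repository (pull model).
    """
    certs = pushed if pushed is not None else (repository or {}).get(subject, [])
    attrs = trusted_attributes(policy, subject, certs)
    satisfied = set()
    for uc in use_conditions:
        issuer = uc["issuer"]
        if issuer not in policy["stakeholders"]:
            continue  # not a stakeholder of this resource: cannot add conditions
        if not verify(uc) or uc["body"]["resource"] != policy["resource"]:
            return False, "use-condition from %s failed verification" % issuer
        need = (uc["body"]["attr"], uc["body"]["value"])
        if need not in attrs:
            return False, "%s requires %s=%s" % (issuer, need[0], need[1])
        satisfied.add(issuer)
    missing = set(policy["stakeholders"]) - satisfied
    if missing:
        return False, "no use-condition from %s" % sorted(missing)
    return True, "all stakeholder use-conditions met"


if __name__ == "__main__":
    for dn in (ALICE, BOB):
        print(dn, decide(POLICY, USE_CONDITIONS, dn, repository=REPOSITORY))
```

Alice is admitted; Bob is refused because his VO attribute was asserted by an issuer the resource policy does not list, which is the point of making the target the root of trust: an attribute is only as good as the policy's opinion of who signed it. Treating an absent or unverifiable stakeholder use-condition as a denial is a design choice made here for fail-closed behaviour.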

11 Pm Authorisation Discussion
Any primary authorisation server/policy engine will attract hackers
How would system managers react to deploying the EDG Account Management?
  – Group accounts are potentially worrying
  – The file system approach is Linux specific (OpenAFS coming)
How close are VOM and VOMS?
  – Very similar apart from the backend
Revocation should be achieved through authorisation
  – Possibly need different levels of priority
At a sufficiently early stage not to know the details, in order to give feedback to developers
Need quick feedback from projects to see how they would, or would not, help

12 Common Acceptable Use Conditions
Can we have a single set of regulations for all institutions?
  – Answer: no
The UCISA statement is a good start for a “Grid CAU”, or the EDG or Akenti statements
  – Need a superset of conditions but with some irrelevant parts removed
  – There will need to be agreement that it will be enforced by the home institution when a user misbehaves
  – Then circulate the draft text
When will the ‘Grid regulations’ be “signed”?
  – At the time of registration through the RA?
How do we make this international?

