Security Middleware and VOMS service status
Andrew McNab, Grid Security Research Fellow
University of Manchester
11 January 2006 A.McNab – Grid Security
Outline
● GridSiteWiki
● Shibboleth
● Delegation
● GridHTTP
● SiteCast
● VOMS middleware
● VOMS service
GridSiteWiki
• Uses software developed for the collaborative “Wikipedia” encyclopedia
– Added support for the certificates that grid users have, for authentication
– So no need to remember passwords
• Raises the question of what other “legacy” web systems can be gridified
• But there's Shibboleth going live soon too...
Shibboleth
• Shibboleth is being adopted by JISC to replace ATHENS for library / database services
– For all UK University / NHS staff & students
• As part of FAME-PERMIS, we've implemented a stopgap Shibboleth Identity Provider
– Leverages X.509 Certs/DNs by allowing the user to choose a username / password to use
• Adding support to GridSite for Shibboleth attributes, to turn GridSites into Service Providers
Delegation
● GSI proxy delegation was part of the Globus 2 binary protocols
● For Web Service / SOAP grids, a new way to do this is needed
● We proposed a set of HTTP delegation methods during EDG
● For EGEE, we wrote the WSDL / SOAP delegation portType now used by the EGEE (Manchester-UK & KTH-SE) implementations, and by WLMS and Data Management
● There are ongoing discussions with OSG and Globus about merging the EGEE portType with Globus's new delegation service
– During January, we (Manchester-UK & KTH-SE) are producing C and Java for the revised EGEE portType
GridHTTP
● htcp and GridSite make it easy to use HTTP(S) for reading and writing files on remote servers
● One advantage of GridFTP was support for 3rd party transfers between remote sites
● GridSite now supports this using the WebDAV COPY method and onetime passcodes
– Authentication / authorization / obtaining the passcode via HTTPS
– File transfer via HTTP using the onetime passcode
● Currently adding multistream remote transfers
– managing passcodes remotely is the issue...
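As an added illustration (not GridSite's or htcp's own code), a minimal issuer for the kind of onetime passcode described above: the HTTPS step issues a passcode only after the client has been authenticated and authorized, and the plain-HTTP transfer step redeems it. The class name, paths and DNs are constructed for the example; the properties shown are the ones that make such a passcode safe to send over HTTP: single use, short expiry, and binding to one file and one method.

```python
import hashlib
import secrets
import time


class PasscodeIssuer:
    """Single-use passcodes for a two-step transfer: the caller authenticates
    and authorises the client over HTTPS, then obtains a passcode that the
    plain-HTTP transfer presents instead of a certificate.  Each passcode is
    bound to one file path and one method, expires, and can be redeemed once."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self._now = now          # injectable clock (real time by default)
        self._ttl = ttl_seconds
        self._live = {}          # sha256(passcode) -> (path, method, dn, expiry)

    @staticmethod
    def _key(code):
        # Store only a digest so a leaked table does not yield usable passcodes
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, path, method, client_dn):
        """HTTPS step: call only after the client has been authorised
        (client_dn is the identity taken from the TLS client certificate)."""
        code = secrets.token_urlsafe(24)
        self._live[self._key(code)] = (path, method, client_dn, self._now() + self._ttl)
        return code

    def redeem(self, code, path, method):
        """HTTP step: (True, client_dn) on success, (False, reason) otherwise.
        pop() makes every passcode single-use, whether or not it turns out valid."""
        entry = self._live.pop(self._key(code), None)
        if entry is None:
            return False, "unknown or already used"
        bound_path, bound_method, client_dn, expiry = entry
        if self._now() > expiry:
            return False, "expired"
        if bound_path != path or bound_method != method:
            return False, "bound to a different file or method"
        return True, client_dn

    def purge_expired(self):
        """Housekeeping so unredeemed passcodes do not accumulate."""
        now = self._now()
        stale = [k for k, v in self._live.items() if v[3] < now]
        for k in stale:
            del self._live[k]
        return len(stale)
```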
SiteCast
● Using HTTP(S) for file transfers has also been taken up by EGEE WLMS
● We're now looking at how to locate local replicas of files on GridSite HTTP(S) servers
● Have designed a simple replica location system for farms with many disks/hosts
– Now implemented in the server side and htcp
– Uses UDP multicast to find lists of replicas of a given file: looks at the filesystem rather than a database
● Intend to do test deployments on some of the Tier-2 equipment (pre-production farm first)
VOMS middleware
● GridSite parses VOMS attribute certificates from LCG / EGEE VOMS servers
● As VOMS is deployed, scaling problems are emerging
– Need to distribute the certificate of each VOMS server to each host (WN?) which will check them
– N(hosts) x N(VOs) ?!?!?
● One solution is to include the VOMS cert along with the attribute certificate
– Being implemented by INFN-IT (server), Manchester-UK (client C) and KTH-SE (client Java) this month
GridPP VOMS (slides from Alessandra Forti)
• GridPP national VOMS to support:
– Smaller VOs such as phenogrid, t2k
– Local VOs
• Agreement with NGS for mutual support
– Common infrastructure to maintain the VOMS servers
– Common VOs support
– Common distribution of information
– Enable each other's VOs on each other's systems
What is happening
• ½ FTE for VO management support:
– Sergey Dolgodobrov
• Support part of the Tier2 infrastructure
– 3 servers for GridPP: 1 test, 1 production, 1 backup
– 2 servers for NGS: 1 production, 1 backup
• Sergey will be the VOMS administrator and will do VO support
• The production VOMS server (voms.gridpp.ac.uk) has been installed and is ready to be used
• 2 VOs have already been enabled
– Gridpp for testing
– T2k
How to enable a VO
• A formal request has to be made to the ROC
– ask Jeremy Coles
• Information about the VO has to be supplied in the request
– Name, description, VO manager, VO security contact
• The request has to be approved by the PMB
– PMB meets every week so it won’t take long
• After approval the VO gets created on the VOMS
– The VO manager will then be able to add users
• The information to enable the VO at sites will then be downloadable from the GridPP web site
– This might change in the future if the CIC portal is used instead
– VOs will be responsible for keeping the information up to date
• More details on the procedure can be found at http://www.gridpp.ac.uk/deployment/users/newvo.html
Summary
● Through JISC funding, we're doing some work on Shibboleth support
● We continue to work with EGEE JRA3 to provide tools for other parts of EGEE / LCG
● Delegation and VOMS support are currently being reworked
● “GridHTTP” extended to support 3rd party transfers
● SiteCast offers lightweight replica location
● Joseph, Yibiao and Sergey are making a big contribution to all these ongoing subprojects