Andrew McNab Security Middleware, GridPP8, 23 Sept 2003 Slide 1
Security Middleware
Andrew McNab
High Energy Physics, University of Manchester
Overview
• Security in EDG/GridPP-1
• Currently deployed (EDG 2.0)
• Being integrated (EDG 2.1)
• GridPP-2 requirements
• GridPP-2 proposal
• GGF Involvement
• Research Areas
Security in EDG / GridPP-1
• When proposals were written, Security mostly just seen as Authentication (CAs etc)
– From Globus, we inherited the static, manually edited /etc/grid-security/grid-mapfile
• Better Authorization mechanisms were needed to make the Testbed actually work.
• In EDG, security effort split between WP7 (networking) and WP6 (“getting things to work”), but also components inside WP1-5.
– In GridPP, security middleware effort from WP6.
Currently deployed middleware
• Pool accounts (from GridPP)
– a short-term measure that’s become long term and ubiquitous.
• XML Grid Access Control Lists (from GridPP)
– used by Storage Element, but grew out of GridPP GridSite work.
• Other components:
– INFN’s VO-LDAP server (GridSite implementation of this used for GridPP+BaBar)
– WP2 Java Security packages.
– Specific security pieces inside each WP.
Middleware being integrated
• INFN-WP6/WP2 Virtual Organisation Membership Service is major component
– (GACL support for VOMS attribute certs already present in EDG 1.x/2.0)
• GACL support in WP4 LCAS/EDG Gatekeeper
– so can write XML site access policies, rather than use grid-mapfile
• VOMS, and new GSI + X509v3 support added to GridSite and mod_ssl-gridsite
– HTTPS servers controlled by VOMS+GACL
• WP1 Logging and Bookkeeping using GACL
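As an added illustration of the contrast these slides draw between the static, hand-edited grid-mapfile inherited from Globus (slide 3), the pool-account convention (slide 4) and XML site access policies evaluated from VOMS attributes (this slide), the following Python is example code written for this page; it is not from the talk or from GridSite/EDG. It parses a constructed grid-mapfile, leases a pool-account slot, and evaluates a small GACL-style policy. The GACL element names and the "union of allows minus union of denies" evaluation rule follow my reading of the GridSite GACL format and are assumptions; every DN, FQAN and the Role=suspended value are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample grid-mapfile (not from the slides).  Each line is a quoted
# certificate DN followed by the local account it maps to; by the EDG/GridPP
# convention a leading '.' names a pool-account group rather than one account.
GRID_MAPFILE = '''\
# static mapping, edited by hand
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user one" exampleuser
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user two" .dteam
'''

# Constructed GACL-style site policy.  Element names (gacl, entry, person/dn,
# voms/fqan, any-user, allow/deny, read/list/write/admin) follow my reading of
# the GridSite GACL format and should be treated as an assumption.
SITE_POLICY = '''\
<gacl>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user one</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <voms><fqan>/dteam/Role=production</fqan></voms>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/dteam</fqan></voms>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <voms><fqan>/dteam/Role=suspended</fqan></voms>
    <deny><read/><list/><write/><admin/></deny>
  </entry>
</gacl>
'''

PERMISSIONS = ("read", "list", "write", "admin")


def parse_grid_mapfile(text):
    """Return {dn: account}; an account starting with '.' is a pool group."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('"'):
            continue                      # skip blank and comment lines
        end = line.index('"', 1)
        mapping[line[1:end]] = line[end + 1:].strip()
    return mapping


def map_dn(mapping, dn):
    """grid-mapfile authorisation: a DN is either listed or rejected (None)."""
    return mapping.get(dn)


def lease_pool_account(leases, group, dn, pool_size=3):
    """Give a DN a sticky slot from the pool (dteam -> dteam001..); None when full."""
    for slot, holder in leases.items():
        if holder == dn:
            return slot
    for i in range(1, pool_size + 1):
        slot = "%s%03d" % (group, i)
        if slot not in leases:
            leases[slot] = dn
            return slot
    return None                           # pool exhausted: fail closed


def credential_matches(cred, dn, fqans):
    """Match one GACL credential element against the caller's DN and VOMS FQANs."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "person":
        return (cred.findtext("dn") or "").strip() == dn
    if cred.tag == "voms":
        return (cred.findtext("fqan") or "").strip() in fqans
    return False                          # unknown credential type never matches


def evaluate_gacl(policy_xml, dn, fqans=()):
    """Permissions = union of <allow> from matching entries minus union of <deny>.

    An entry matches only if every credential element in it matches; the
    deny-overrides rule is my reading of GACL evaluation (assumption)."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(policy_xml).findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(credential_matches(c, dn, fqans) for c in creds):
            continue
        for block, target in (("allow", allowed), ("deny", denied)):
            for node in entry.findall(block):
                target.update(p.tag for p in node if p.tag in PERMISSIONS)
    return allowed - denied


if __name__ == "__main__":
    mapping = parse_grid_mapfile(GRID_MAPFILE)
    dn3 = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user three"
    print("grid-mapfile:", map_dn(mapping, dn3))          # None: DN not listed
    print("GACL via VOMS:", sorted(evaluate_gacl(SITE_POLICY, dn3, ("/dteam",))))
```

The point the comparison makes is the one on the slides: a DN absent from the grid-mapfile is simply rejected, and adding it means another manual edit, whereas the XML policy grants access from a VOMS attribute the site never had to list by hand. The pool-account helper also shows why pool accounts were a stop-gap: once the pool is exhausted, new users are refused rather than mapped.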
GridPP2 Security Middleware
• GridPP2 focuses on practical requirements of production systems (LCG + EGEE)
• Many gaps in functionality of security systems
– eg accounting / usage control
• Based on WP6 + WP8 + LCG requirements documents, identified 8 tasks
– extend GridPP 1 work to address urgent gaps
• Research rather than implementation areas left out of this
– aim to get funding for these elsewhere
GridPP2 Proposal
• GridPP2 Security Middleware Proposal
– Java and C++ APIs for GACL library
– Add Usage Control (quotas etc) handling
– Improve/generalise GridSite user interface
– VO access and usage management service(s)
– Support for other systems: CAS, VOM etc
– Auditing/Intrusion Detection
– Porting to other Unix/Windows flavours
• This was estimated at 4 FTE, but with 2.5 FTE in GridPP2 proposal as submitted.
GGF Involvement
• Participating / influencing / following GGF standards clearly helps our work:
– less effort supporting multiple protocols
– our implementation attractive to more projects
• I’m co-chair of Authz WG and now the OGSA-Authz WG
– aim to standardise policy language (cf GACL)
– assertion protocol (eg SAML, LCAS callout)
– attribute formats (eg VOMS)
• Also contacts with Accounting GGF groups, via Manchester Computing / eSNW.
Research areas
• PPARC-funded e-Science Studentship
– Starting now, on Authorization/Accounting.
– Aim to get involved in GGF WGs’ protocols and models work, and apply to HEP contexts.
– This may feed into GridPP2 implementations.
• Other research proposals underway:
– How to support ad-hoc, short term VOs
– Using SlashGrid to create on-demand security contexts and sandboxes for native binaries
– Medical Applications, including extensions of PPARC/MRC project at Manchester
Summary
• GridPP has made significant security middleware contributions to EDG
– More will be deployed when EDG 2.1 released
• For GridPP-2, we identified key practical requirements
– wait to see how many can be addressed
• Direct involvement in GGF standards process
• Other funding obtained (studentship) or being sought (EU and MRC/DoH) for further research rather than implementation