Andrew McNab Security Middleware, GridPP8, 23 Sept 2003 Slide 1

Security Middleware

Andrew McNab

High Energy Physics
University of Manchester

Slide 2

Overview

• Security in EDG/GridPP-1
• Currently deployed (EDG 2.0)
• Being integrated (EDG 2.1)
• GridPP-2 requirements
• GridPP-2 proposal
• GGF Involvement
• Research Areas

Slide 3

Security in EDG / GridPP-1

• When proposals were written, Security mostly just seen as Authentication (CAs etc)
  – From Globus, we inherited the static, manually edited /etc/grid-security/grid-mapfile

• Better Authorization mechanisms were needed to make the Testbed actually work.

• In EDG, security effort split between WP7 (networking) and WP6 (“getting things to work”), but also components inside WP1-5.
  – In GridPP, security middleware effort from WP6.

Slide 4

Currently deployed middleware

• Pool accounts (from GridPP)
  – a short-term measure that’s become long term and ubiquitous.

• XML Grid Access Control Lists (from GridPP)
  – used by Storage Element, but grew out of GridPP GridSite work.

• Other components:
  – INFN’s VO-LDAP server (GridSite implementation of this used for GridPP+BaBar)
  – WP2 Java Security packages.
  – Specific security pieces inside each WP.

Slide 5

Middleware being integrated

• INFN-WP6/WP2 Virtual Organisation Membership Service is major component
  – (GACL support for VOMS attribute certs already present in EDG 1.x/2.0)

• GACL support in WP4 LCAS/EDG Gatekeeper
  – so can write XML site access policies, rather than use grid-mapfile

• VOMS, and new GSI + X509v3 support added to GridSite and mod_ssl-gridsite
  – HTTPS servers controlled by VOMS+GACL

• WP1 Logging and Bookkeeping using GACL
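Slides 3 to 5 contrast the static, hand-edited grid-mapfile inherited from Globus with XML access-control lists (GACL) evaluated against VOMS attributes. The following Python is an added example, not code from the talk, GridSite or EDG: it parses a constructed grid-mapfile (including a `.pool` prefix for pool accounts), then evaluates a constructed GACL-style site policy against a DN plus VOMS FQANs. The DNs, FQANs and policy text are all made up; the element names (`gacl`, `entry`, `person`/`dn`, `voms`/`fqan`, `allow`, `deny`) follow GridSite's GACL format as I understand it and the rule that `deny` overrides `allow` is an assumption, not a schema reference.

```python
# Added example (not from the slides): a static grid-mapfile lookup next to
# an attribute-based, GACL-style XML policy evaluated against a VOMS-style
# credential. All DNs, FQANs and policy text are constructed; GACL element
# names and the deny-overrides-allow rule are assumptions.
import shlex
import xml.etree.ElementTree as ET

# Constructed grid-mapfile: quoted DN, then the local account. A leading '.'
# marks a pool-account prefix, so a free account is leased from that pool.
GRID_MAPFILE = '''\
# site grid-mapfile (constructed sample)
"/C=UK/O=eScience/OU=Manchester/CN=alice example" alice
"/C=UK/O=eScience/OU=Manchester/CN=bob example" .dteam
'''

ALICE_DN = "/C=UK/O=eScience/OU=Manchester/CN=alice example"
BOB_DN = "/C=UK/O=eScience/OU=Manchester/CN=bob example"
CAROL_DN = "/C=UK/O=eScience/OU=Manchester/CN=carol example"
DAVE_DN = "/C=UK/O=eScience/OU=Manchester/CN=dave example"

# Constructed GACL-style policy: entries match a person's DN or a VOMS FQAN.
SITE_POLICY_XML = '''\
<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/CN=alice example</dn></person>
    <allow><read/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/dteam</fqan></voms>
    <allow><read/></allow>
  </entry>
  <entry>
    <voms><fqan>/dteam/Role=production</fqan></voms>
    <allow><write/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/CN=dave example</dn></person>
    <deny><read/><write/></deny>
  </entry>
</gacl>
'''


def parse_grid_mapfile(text):
    """Return {dn: local_account}; blank lines and '#' comments are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps the quoted DN (with spaces) intact
        if len(fields) != 2:
            raise ValueError("malformed grid-mapfile line: %r" % raw)
        dn, account = fields
        mapping[dn] = account
    return mapping


def grid_mapfile_authorize(mapping, dn):
    """Static model: the DN must appear verbatim, otherwise None (rejected)."""
    return mapping.get(dn)


def _entry_matches(entry, dn, fqans):
    """True if the entry names this DN or one of the credential's FQANs."""
    person_dn = entry.find("person/dn")
    if person_dn is not None and person_dn.text.strip() == dn:
        return True
    voms_fqan = entry.find("voms/fqan")
    if voms_fqan is not None and voms_fqan.text.strip() in fqans:
        return True
    return False


def gacl_permissions(policy_xml, dn, fqans=()):
    """Attribute model: union of <allow> over matching entries, minus <deny>."""
    root = ET.fromstring(policy_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not _entry_matches(entry, dn, fqans):
            continue
        allow = entry.find("allow")
        if allow is not None:
            allowed.update(child.tag for child in allow)
        deny = entry.find("deny")
        if deny is not None:
            denied.update(child.tag for child in deny)
    return allowed - denied


if __name__ == "__main__":
    mapping = parse_grid_mapfile(GRID_MAPFILE)
    # Carol is a dteam member with no grid-mapfile line: the static model rejects her.
    print("mapfile carol ->", grid_mapfile_authorize(mapping, CAROL_DN))
    # The attribute policy grants read via the VO group and write via the role.
    print("gacl carol ->", gacl_permissions(
        SITE_POLICY_XML, CAROL_DN, ("/dteam", "/dteam/Role=production")))
    # Dave is still in dteam, but a per-DN deny entry takes away everything.
    print("gacl dave ->", gacl_permissions(SITE_POLICY_XML, DAVE_DN, ("/dteam",)))
```

The point the slides make shows up in the two models' failure modes: with the grid-mapfile, a new VO member is rejected until someone edits the file on every site, whereas with the XML policy the VO's own attributes admit her and a single deny entry is enough to revoke one person without touching the group rules.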

Slide 6

GridPP2 Security Middleware

• GridPP2 focuses on practical requirements of production systems (LCG + EGEE)

• Many gaps in functionality of security systems
  – eg accounting / usage control

• Based on WP6 + WP8 + LCG requirements documents, identified 8 tasks
  – extend GridPP 1 work to address urgent gaps

• Research rather than implementation areas left out of this
  – aim to get funding for these elsewhere

Slide 7

GridPP2 Proposal

• GridPP2 Security Middleware Proposal
  – Java and C++ APIs for GACL library
  – Add Usage Control (quotas etc) handling
  – Improve/generalise GridSite user interface
  – VO access and usage management service(s)
  – Support for other systems: CAS, VOM etc
  – Auditing/Intrusion Detection
  – Porting to other Unix/Windows flavours

• This was estimated at 4 FTE, but with 2.5 FTE in GridPP2 proposal as submitted.

Slide 8

GGF Involvement

• Participating / influencing / following GGF standards clearly helps our work:
  – less effort supporting multiple protocols
  – our implementation attractive to more projects

• I’m co-chair of Authz WG and now the OGSA-Authz WG
  – aim to standardise policy language (cf GACL)
  – assertion protocol (eg SAML, LCAS callout)
  – attribute formats (eg VOMS)

• Also contacts with Accounting GGF groups, via Manchester Computing / eSNW.

Slide 9

Research areas

• PPARC-funded e-Science Studentship
  – Starting now, on Authorization/Accounting.
  – Aim to get involved in GGF WGs’ protocols and models work, and apply to HEP contexts.
  – This may feed into GridPP2 implementations.

• Other research proposals underway:
  – How to support ad-hoc, short term VOs
  – Using SlashGrid to create on-demand security contexts and sandboxes for native binaries
  – Medical Applications, including extensions of PPARC/MRC project at Manchester

Slide 10

Summary

• GridPP has made significant security middleware contributions to EDG
  – More will be deployed when EDG 2.1 released

• For GridPP-2, we identified key practical requirements
  – wait to see how many can be addressed

• Direct involvement in GGF standards process

• Other funding obtained (studentship) or being sought (EU and MRC/DoH) for further research rather than implementation