16-May-2006 David Kelsey, Grid Trust Fabric, TNC 2006
2
Outline
• Brief Introduction to the LCG and EGEE projects
• What is Grid Trust?
• What is a Grid Virtual Organisation (VO)?
• The Grid Security Model
• Authentication (AuthN)
  – The International Grid Trust Federation
• Authorization (AuthZ)
• Policy and Legal issues
• NRENs, Grids and Federations
• Future plans
• Final words
The LHC Computing Grid Project (LCG)
& Enabling Grids for EsciencE (EGEE)
Slides from Les Robertson, LCG Project Leader: High Energy Physics using a worldwide computing grid (CERN, December 2005)
The LHC Accelerator (LCG): the accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments’ detectors.
LHC Data (LCG): this is reduced by online computers that filter out a few hundred “good” events per sec, which are recorded on disk and magnetic tape at 100-1,000 MegaBytes/sec: ~15 PetaBytes per year for all four experiments.
Resources for LHC Data Handling (LCG; the four experiments are ALICE, ATLAS, CMS and LHCb):
• 15 PetaBytes of new data each year
• 150 times the total content of the Web each year
• 1 Petabyte (1PB) = 1000TB = 10 times the text content of the World Wide Web** (** Urs Hölzle, VP Operations at Google)
• 100,000 of today’s fastest processors
High Energy Physics: a global community (LCG; slide from HEPiX Rome, 05 Apr 06)
• 1800 physicists (including 400 students)
• 150 universities/laboratories
• 34 countries
LCG depends on two major science grid infrastructures: EGEE (Enabling Grids for E-Science) and OSG (US Open Science Grid).
[Figure: map of the LCG Tier-1 centres (IN2P3, GridKa, TRIUMF, ASCC, Fermilab, Brookhaven, Nordic, CNAF, SARA, PIC, RAL) and the many Tier-2 sites. T2s and T1s are inter-connected by the general purpose research networks; 10 Gbit links, Optical Private Network. Any Tier-2 may access data at any Tier-1.]
.. and an excellent Wide Area Network
Slides from Ian Bird, SA1, EGEE Final Review 23-24th May 2006 (Enabling Grids for E-sciencE, INFSO-RI-508833)
A global, federated e-Infrastructure
EGEE infrastructure:
• ~ 200 sites in 39 countries
• ~ 20 000 CPUs
• > 5 PB storage
• > 20 000 concurrent jobs per day
• > 60 Virtual Organisations
[Map: related infrastructures EUIndiaGrid, EUMedGrid, SEE-GRID, EELA, BalticGrid, EUChinaGrid, OSG, NAREGI]
The EGEE project
• Objectives
  – consistent, robust and secure service grid infrastructure for many applications
  – improving and maintaining the middleware
  – attracting new resources and users
• Structure
  – 13 federations in 32 countries
  – leveraging national and regional grid activities worldwide
  – Co-funded by the EU with ~32 M Euros for first 2 years from 1st April 2004
  – EGEE-II started April 2006
EGEE Highlights - Applications
• Support applications from
  – Astrophysics
  – Computational Chemistry
  – Earth Sciences
  – Finance
  – Fusion
  – Geophysics
  – High Energy Physics
  – Life Sciences
  – Material Sciences
  – Multimedia
  – etc.…
• See recent press release on search for drugs against Avian Flu: http://www.eu-egee.org/news/egee-grid-attacks-avian-flu/
What is Grid Trust?
Grid Trust
• Many components (in ascending scale of difficulty)
  – Technical
    • Interoperable security, standards-based
  – Policy and Procedures
    • Ensure participants act in a predictable way
  – Legal
    • International aspects particularly hard
  – Social
    • Have spent last 6 years building “trust”
    • Many face to face meetings
    • Last 2 years, working towards a federated approach
• Sites need to trust VO’s (and vice versa)
  – To take care of Users, Data, Operations, …
What is a Grid Virtual Organisation (VO)?
Grid VOs
• Several different views!
• The original Globus definition included resources
  – A Virtual Organisation is a set of individuals and/or institutions that are defined according to a set of rules
• The EGEE View – just people
  – A grouping of individuals, often not bound to a single institution or enterprise, who, by reason of their common membership of the VO, and in sharing a common goal, are granted rights to use a set of resources on the Grid
• There are many Grids
  – Defined by shared services and common policy
  – Single Information System
  – Common operations (distributed)
  – Politics and/or Funding
The Grid/VO/Site Model
Grid/VO/Site Model
• Users have a single electronic identity
• They register once per VO (and renew)
  – Can/do belong to more than one VO
• Users do not register at sites or Grids
• VOs register with Grid (again once per Grid)
• Aim for single instance of VO membership database
  – To be used across multiple Grids
• Sites can/do provide resources to multiple Grids
• Sites decide which VOs to support
  – Distributed Grid Operations facilitates this
    • Deployment, configuration etc
Grid Security Model
The Grid Security Model
• Authentication – proof of identity
  – GSI: Globus Grid Security Infrastructure (interoperate)
  – Single sign-on via X.509 certificates (PKI)
    • OpenSSL
  – Delegation (via short-lived proxy certs) to services
• Global Authorization – right to access resources
  – Virtual Organisation (VO) – e.g. a Biomed experiment
    • Maintains list of registered users
    • Allocates users to groups and roles
    • Controls global policy and allocations
• Local Authorization – site access control
  – Via local (e.g. Unix) mechanisms or
  – Callouts to local AuthZ enforcement (Grid developments)
  – Grid ACL’s - global identity or VO AuthZ attributes
• Policy
  – Grids (e.g. EGEE, Open Science Grid) define security policy
  – Policies must be interoperable, e.g. common AUP
Authorization Policy Architecture (graphics from Globus Alliance & GGF OGSA-WG)
[Figure: the User, holding a PKI identity (or a local-site Kerberos identity passed through a PKI/Kerberos identity translation service), delegates to a process acting on the user’s behalf under a delegation policy. User attributes (group of unique names, organizational role) come from the VO, resource attributes from the site, and policy from the VO, the site/resource owner and other stakeholders. The Authorization Service/PDP combines policy and attributes into an allow-or-deny decision for the Policy Enforcement Point in front of the resource/server. Other labels in the figure: Security Policy, Key Material, Delegation, Standardize.]
Policy comes from many stakeholders
Authentication
Authentication
• Keep Authentication and Authorization separate
  – Authentication best done at Institute level
  – Authorization best done at VO level
• Provide the User with one (Grid) electronic identity
  – For use in many Grids or VOs
  – For user convenience
• Have successfully built a global PKI (X.509)
  – Mutual Authentication of people and services
• What is the most appropriate scale?
  – One CA per country/region (ideally for all eScience)
• EU Grid PMA has coordinated the (global) CA’s
  – “minimum requirements” for accredited CA’s
• Now IGTF takes over the global coordination
IGTF
• International Grid Trust Federation
  – Formed in October 2005
  – Federate to solve scaling problems
• Coordinates the three regional Policy Management Authorities (PMA)
  – EU Grid PMA
  – Asia/Pacific Grid PMA
  – The Americas Grid PMA
• Each PMA
  – Accredits Identity Providers for Grid Authentication
  – Owns and maintains various authentication profiles
  – Coordinates the X.509 namespace
  – Distributes roots of trust (globally)
  – Members are the CAs and major relying parties
IGTF (2)
• Authentication Profiles
  – Classic PKI
    • long-lived (12 months) certificates
    • held by the end entities
    • Medium assurance level
      – Photo-ID and face-to-face User <-> RA
    • CRLs issued
  – SLCS (recent addition)
    • short-lived certificate services
    • Certificates automatically generated
    • From local site authentication services (e.g. Kerberos)
    • No CRLs
  – Experimental CAs
• Working towards an OCSP definition and service
  – With CAOPS-WG in GGF
• TACAR is an important independent source of roots of trust
  – TERENA Academic CA repository
IGTF (3)
• common, global best practices for trust establishment
• better manageability and response of the PMAs
[Map of the PMA regions, labelled TAGPMA and APGridPMA; slide from David Groep]
IGTF (4)
• More than 50 countries/regions worldwide are members
• Europe is well covered
• “Catch-all” CA for gaps
AuthZ Technology
Authorization & VO Management
• In EGEE gLite middleware
• Global AuthZ (VOMS)
  – Virtual Organization Membership Service
    • VO members, their groups and roles
    • Provides digitally signed AuthZ attribute certificate
  – Included in the grid proxy certificate
  – A “PUSH” model (user can select roles and VOs)
• Local AuthZ
  – Local Centre Authorization Service (LCAS)
    • A framework to handle local policy (e.g. banned users)
  – Local Credential Mapping (LCMAPS)
    • Provides local credentials (Kerberos/AFS, ldap nss…)
• Local policy decisions (Compute and Storage Elements)
  – Can decide and enforce policy on VOMS attributes
VO Groups and Roles
• Each VO assigns its members to groups and roles
• Groups
  – Collections of individuals with something in common
    • E.g. group of scientists working on a particular topic
    • Used for access control and quotas/priorities
• Roles
  – Capabilities/Privileges assigned to individuals or groups
    • e.g. production processing manager, DBA, …
• We started to explore common role names
  – Some agreement possible but it’s close to impossible!
    • Too many VO’s and differences
  – At very least, names and semantics must be well understood within a VO context
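As an added example (not code from the talk, nor from gLite, LCAS or LCMAPS), here is a constructed Python model of the site-side chain described in the "Authorization & VO Management" and "VO Groups and Roles" slides: VOMS attributes pushed in the user's proxy, the site's local policy checks (trusted VOMS server, banned users, which VOs the site supports) and a mapping of (VO, role) to a local pool account. The DNs, VO, roles and account names are assumed; the "/vo/group/Role=name" attribute form is VOMS's FQAN layout, reduced here to the VO and role parts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed model of the site-side chain the slides describe: VOMS attributes pushed
# in the user's proxy -> LCAS-style local policy (trusted VOMS server, banned users,
# supported VOs) -> LCMAPS-style mapping of (VO, role) to a local pool account.
# Every DN, VO name, role and account name below is made up for illustration.
@dataclass
class Proxy:
    user_dn: str          # subject DN of the user's long-lived certificate
    not_after: datetime   # expiry of the short-lived proxy carrying the attributes
    voms_issuer: str      # DN of the VOMS server that signed the attributes
    fqans: list           # attributes as "/vo/group/Role=name", in the user's chosen order

@dataclass
class SitePolicy:
    supported_vos: set    # the site chooses which VOs it serves
    trusted_voms: set     # VOMS servers whose signed attributes are accepted
    banned_dns: set       # local ban list
    account_map: dict     # (vo, role or None) -> local pool account

def parse_fqan(fqan):
    """Return (vo, role) from '/vo/group/Role=x'; role is None when absent or 'NULL'."""
    parts = [p for p in fqan.split("/") if p]
    roles = [p[len("Role="):] for p in parts[1:] if p.startswith("Role=")]
    role = roles[-1] if roles and roles[-1] not in ("", "NULL") else None
    return parts[0], role

def authorize(proxy, policy, now):
    """Return (allowed, reason, local_account); the first usable attribute wins."""
    if now >= proxy.not_after:
        return False, "proxy expired", None
    if proxy.user_dn in policy.banned_dns:
        return False, "user banned by site", None
    if proxy.voms_issuer not in policy.trusted_voms:
        return False, "attributes not from a trusted VOMS server", None
    for fqan in proxy.fqans:
        vo, role = parse_fqan(fqan)
        if vo not in policy.supported_vos:
            continue                                   # site does not serve this VO
        account = policy.account_map.get((vo, role)) or policy.account_map.get((vo, None))
        if account:
            return True, f"mapped via {fqan}", account
    return False, "no supported VO in proxy attributes", None

NOW = datetime(2006, 5, 16, 12, 0, tzinfo=timezone.utc)
SITE = SitePolicy({"biomed"}, {"/O=example/CN=voms.example.org"}, {"/O=example/CN=Mallory"},
                  {("biomed", "production"): "biomedprd", ("biomed", None): "biomed001"})
def sample_proxy(dn, hours, fqans, issuer="/O=example/CN=voms.example.org"):
    return Proxy(dn, NOW + timedelta(hours=hours), issuer, fqans)  # negative hours = expired
```

Because the attributes are pushed, the order of the FQANs in the proxy is the user's choice, so a role-specific mapping is only used when the user put that role first.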
Policy and Legal issues
EGEE/LCG Security Policy
[Figure (picture from Ian Neilson): the EGEE/LCG security policy document set: Security & Availability Policy; Grid AUP; VO AUP; Certification Authorities; Audit Requirements; Incident Response; User Registration & VO Management; Application Development & Network Admin Guide. Documents at http://cern.ch/proj-lcg-security/documents.html]
Policy
• Acceptable Use Policy
  – One general/simple/short common Grid AUP
    • for EGEE and Open Science Grid (USA)
    • And EU national Grids
    • For all registered VOs and binds user to VO AUP
  – Each VO defines its own aims and AUP
    • Sites can then decide to support or not
  – User accepts these during registration
    • And regular renewal (every 12 months)
• Robust User Registration procedures are required
  – Sites have delegated user registration to VOs
• Agreed operational security procedures important
  – Security incident response
Federation legal issues
• Sites/Resources require
  – Auditing at individual user level
  – Read access to User registration data in VO
• VOs require
  – Accounting (usage) data from resources
  – At individual user level
• EU Privacy & Data Protection laws control sites publicly identifying individual users
  – Working on a solution for this
• VOs are not (in general) legal entities
  – Makes life interesting!
NRENs, Grids & Federations?
eIRG Roadmap
e-IRG: e-Infrastructure Reflection Group Roadmap for i2010:
• commitment to the federated approach
• vision of an integrated AA infrastructure for eEurope
Towards an integrated AAI for academia in Europe and beyond
• The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […] (Dublin, 2004)
• The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions. (The Hague, 2005)
NRENs, Grids & Federations?
• No desire to run net services if can be provided by NRENs
• AuthN/Identity services
  – Many NRENs run Certification Authorities
    • ~ 10 for Grids today and growing
  – AuthN best done by home institute
  – NRENs/Grids should continue to work together here
    • Federated Identity services
• For large/long-lived VOs
  – Global AuthZ must be managed by the VO
  – Role/Group names must be defined by VO and understood by Sites/Resources (across all Grids)
• The TERENA series of workshops on “NRENs and Grids” is one way of exchanging information & collaborating
Federations (2)
• Dynamic/Short-lived VOs
  – Small groups of collaborating scientists
    • “Laymen rather than experts”
  – VO cannot register with Grid Infrastructure
  – Interesting to explore possibilities for NRENs here
• With move to short-lived certificates (SLCS)
  – Linked to a site authentication infrastructure
  – Scaling problems for IGTF accreditation
  – IGTF needs the country to present a single coordinated identity federation
    • a role for NRENs?
Some future plans
• Interoperability – ongoing work
  – GGF “Grid Interoperability Now” (GIN) project
  – AuthN and AuthZ recognised as very important
  – IGTF for AuthN
  – EGEE active in GIN AuthZ
    • Running VOMS service for GIN
• New developments on policy expression/evaluation
• We have a requirement from some VO’s to be able to register and use only those services they trust
  – Mutual AuthZ
• EGEE-II working on Shibboleth/gLite
References
• LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
• EGEE Security: http://egee-jra3.web.cern.ch/
• Open Science Grid: http://www.opensciencegrid.org
• IGTF: http://www.gridpma.org/
• EU Grid PMA: http://www.eugridpma.org/
• TERENA TACAR: http://www.tacar.org/
• Grid AUP: https://edms.cern.ch/document/428036
Final Words
• International federated identity for Grids is working
  – Many CA’s already run for us by NRENs
  – Must work towards integration of other federated IDPs
• AuthZ is more difficult – but making good progress
  – attributes must be managed by the VO
• Standards are essential – for interoperability
  – GGF is important body
  – Grid Security will implement new standards
• People/Social aspects even more important
  – Building international trust takes time
  – Between Grids, Sites and VOs
• NRENs and Grids have been tackling different aspects of the federation problem space
• We (Grids and NRENs) must collaborate and work towards common solutions wherever possible