Virtual Organisations in Grids
TERENA TF-EMC2, Barcelona
8 September 2005
David Kelsey, CCLRC/RAL, UK
8-Sep-05 David Kelsey, VOs/Grids, TF-EMC2 2
Introduction
• Who am I?
  – Head of Particle Physics Computing at Rutherford Appleton Laboratory
  – Member of 3 Grid projects
    • UK GridPP (Chair of Deployment Board)
    • EU EGEE (Chair of Joint Security Policy Group)
    • Global LCG (Chair of Security Group)
• Why am I here?
  – Pleasure to have been invited!
  – In Particle Physics, no desire to run networking services that can be provided by others
• Disclaimer
  – These are my personal views
  – Not official views of the projects or RAL
Outline
• The LCG and EGEE projects
• What is a Grid VO?
• The Security Model
  – Authentication (AuthN)
  – Authorization (AuthZ)
• Policy issues
• AuthZ Technology
• Legal issues
• NRENs and Grid VOs
• Final words
The LHC Computing Grid Project (LCG) & Enabling Grids for E-sciencE (EGEE)
(The LCG slides that follow are taken from "LCG Project Overview", June 2005, Les Robertson, CERN)
LHC Data
• The LHC accelerator: the largest superconducting installation in the world, 27 kilometres of magnets cooled to −300°C, colliding proton beams at an energy of 14 TeV
• The accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments' detectors
• This is reduced by online computers that filter out a few hundred "good" events per second
• These are recorded on disk and magnetic tape at 100–1,000 MegaBytes/sec, ~15 PetaBytes per year
(Map of Grid deployments, 2005: Grid3, 25 Universities, 4 National Labs, 2800 CPUs; LCG, July 2005, 140 Grid sites, 34 countries, 12,000 CPUs; a further Grid of 30 sites, 3200 CPUs)
• Inter-operation: EGEE, Open Science Grid in the US and NorduGrid
  – Very early days for standards – still getting basic experience
  – Focus on baseline services to meet specific experiment requirements
(The EGEE slides that follow are taken from "The EGEE Project Status", Ian Bird, EGEE Operations Manager, CERN, Geneva, Switzerland, presented at ISGC, Taipei, 27 April 2005. Enabling Grids for E-sciencE, EU contract INFSO-RI-508833, www.eu-egee.org)
EGEE goals
• Goal of EGEE: develop a service grid infrastructure which is available to scientists 24 hours a day
• The project concentrates on:
  – building a consistent, robust and secure Grid network that will attract additional computing resources
  – continuously improving and maintaining the middleware in order to deliver a reliable service to users
  – attracting new users from industry as well as science and ensuring they receive the high standard of training and support they need
EGEE
EGEE is the largest Grid infrastructure project in Europe:
• 70 leading institutions in 27 countries, federated in regional Grids
• Leveraging national and regional grid activities
• ~32 M Euros EU funding for initially 2 years starting 1st April 2004
• EU review, February 2005, successful
• Preparing 2nd phase of the project – proposal to EU Grid call September 2005
• Promoting scientific partnership outside EU
Deployment of applications
• Pilot applications
  – High Energy Physics
  – Biomed applications: http://egee-na4.ct.infn.it/biomed/applications.html
• Generic applications – deployment under way
  – Computational Chemistry
  – Earth science research
  – EGEODE: first industrial application
  – Astrophysics
• With interest from
  – Hydrology
  – Seismology
  – Grid search engines
  – Stock market simulators
  – Digital video etc.
  – Industry (provider, user, supplier)
• Many users
  – broad range of needs
  – different communities with different background and internal organization
What are Grid VOs?
Grid VOs
• Several different views!
• The original Globus definition included resources
  – A Virtual Organisation is a set of individuals and/or institutions that are defined according to a set of rules
• The EGEE view – just people
  – A grouping of individuals, often not bound to a single institution or enterprise, who, by reason of their common membership of the VO, and in sharing a common goal, are granted rights to use a set of resources on the Grid
• There are many Grids
  – Defined by shared services and common policy
  – Single Information System
  – Common operations (distributed)
  – Politics and/or Funding
Virtual vs. Organic structure
(Diagram, graphic by Frank Siebenlist, ANL & Globus Alliance: Organization A and Organization B each own their own people (Faculty, Staff and Student: Persons A to F), Compute Servers C1, C2 and C3, and File server F1 with disks A and B. Virtual Community C cuts across both organizations: Person A as Principal Investigator, Person B as Administrator, Persons D and E as Researchers, Compute Server C1' and disk A of File server F1.)
The Security Model
Security Model
• Users have a single electronic identity
• They register once per VO (and renew)
  – Can belong to more than one VO
• Users do not register at sites/resources
• VOs register with the Grid (again, once per Grid)
• Aim for a single instance of the VO membership database
  – To be used across multiple Grids
• Sites/Resources decide which VOs to support
  – Grid Operations facilitates this support
• Configuration etc
The Security Model (2)
• Authentication – proof of identity
  – GSI: Globus Grid Security Infrastructure (interoperate)
  – Single sign-on via X.509 certificates (PKI)
  – Delegation (via short-lived proxy certs) to services
• Global Authorization – right to access resources
  – Virtual Organisation (VO) – e.g. a Biomed experiment
    • Maintains list of registered users
    • Allocates users to groups and/or roles
    • Controls global policy and allocations
• Local Authorization – site access control
  – Via local (e.g. Unix) mechanisms or
  – Callouts to local AuthZ enforcement (Grid developments)
  – Grid ACLs – global identity or VO AuthZ attributes
• Policy
  – Grids (e.g. EGEE, OSG) define security policy
  – Many stakeholders also contribute to "policy"
Security Policy: Authorization Policy Architecture
(Diagram, graphics from Globus Alliance & GGF OGSA-WG: a User, through a Process acting on the user's behalf (Delegation, governed by a Delegation Policy), presents a PKI or Kerberos identity; a Translation Service maps between the PKI identity and the Local Site Kerberos identity. The Site/Resource Owner's Policy Enforcement Point asks an Authorization Service/PDP, which evaluates Policy and attributes: User Attributes and VO Policy from the VO, Resource Attributes and Site Policy from the site, key material, groups of unique names and organizational roles, plus policy from Other Stakeholders. The outcome is Allow or Deny on the Resource.)
Policy comes from many stakeholders
Authentication
Authentication
• Keep Authentication and Authorization separate
  – Authentication best done at Institute level
  – Authorization best done at VO level
• Provide the User with one (Grid) electronic identity
  – For use in many Grids or VOs
  – For user convenience
• Have successfully built a global PKI (X.509)
  – Mutual Authentication of people and services
• What is the most appropriate scale?
  – One CA per country/region (ideally for all eScience)
• EU Grid PMA has coordinated the (global) CAs
  – "minimum requirements" for accredited CAs
• Now three worldwide PMAs for Authentication
  – Asia/Pacific, The Americas and EU
  – International Grid Trust Federation coordinates these
• Using TACAR for roots of trust
Policy issues
EGEE/LCG Security Policy
(Diagram of the policy document set, picture from Ian Neilson; documents at http://cern.ch/proj-lcg-security/documents.html)
• Security & Availability Policy
• User AUP
• VO AUP (under revision)
• Certification Authorities
• Audit Requirements
• Incident Response
• User Registration & VO Management
• Application Development & Network Admin Guide
Policy
• Acceptable Use Policy
  – One simple common User AUP
    • for EGEE and OSG
    • And other national Grids
    • Applies to all registered VOs
    • Binds user to VO AUP
  – Each VO defines its own aims and AUP
    • Sites can then decide to support or not
  – User accepts these during registration
    • And regular renewal (every 12 months)
• Robust User Registration procedures are required
  – Sites have delegated user registration to VOs
AuthZ Technology
Authorization & VO Management
• In EGEE gLite and LCG middleware
• Global AuthZ (VOMS)
  – Virtual Organization Membership Service
    • VO members, their groups and roles
    • Provides digitally signed AuthZ attribute certificate
  – Included in the grid proxy certificate
  – A "PUSH" model (user can select roles and VOs)
• Local AuthZ
  – Local Centre Authorization Service (LCAS)
    • A framework to handle local policy (e.g. banned users)
  – Local Credential Mapping (LCMAPS)
    • Provides local credentials (Kerberos/AFS, ldap nss…)
    • Local policy decisions (CE and SE)
  – Can decide and enforce policy on VOMS attributes
    • n.b. LCAS/LCMAPS is just one local AuthZ service
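The local AuthZ step described on this slide and under "The Security Model (2)", as an added example that is not code from the talk or from the gLite LCAS/LCMAPS implementation: a site-side decision that applies a banned-user list before looking at the VOMS attributes the user pushed in their proxy, then maps group and role to a local account. The FQAN syntax is VOMS's own; the policy tables, their format and the function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Fqan:
    vo: str              # e.g. "biomed"
    group: str           # full group path, e.g. "/biomed/analysis"
    role: Optional[str]  # None when the FQAN carries Role=NULL

def parse_fqan(fqan: str) -> Fqan:
    """Parse a VOMS FQAN '/vo[/group...]/Role=<r>/Capability=<c>'."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    groups, role = [], None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = None if part[5:] == "NULL" else part[5:]
        elif part.startswith("Capability="):
            continue             # capability is not used by this site policy
        elif part:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN names no VO")
    return Fqan(groups[0], "/" + "/".join(groups), role)

# Constructed site policy (assumption, not a real LCAS/LCMAPS config):
# VOs the site supports, a banned-DN list (LCAS-style), and an ordered
# FQAN -> local account map, most specific entry first (LCMAPS-style).
SUPPORTED_VOS = {"biomed", "atlas"}
BANNED_DNS = {"/C=XX/O=Example/CN=Banned User"}
ACCOUNT_MAP = [
    ("/biomed/analysis", "production", "biomedprd"),   # group + role
    ("/biomed", None, "biomed001"),                    # any biomed member
    ("/atlas", None, "atlas001"),
]

def authorize(user_dn: str, fqans: List[str]) -> Optional[str]:
    """Local AuthZ decision: local account to map to, or None to deny."""
    if user_dn in BANNED_DNS:
        return None                  # site-level ban overrides VO attributes
    for raw in fqans:                # PUSH model: the user chose this order
        f = parse_fqan(raw)
        if f.vo not in SUPPORTED_VOS:
            continue                 # the site does not support this VO
        for group, role, account in ACCOUNT_MAP:
            in_group = f.group == group or f.group.startswith(group + "/")
            if in_group and role in (None, f.role):
                return account
    return None                      # no supported VO attribute matched
```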
AuthZ – VOMS & LCAS (PUSH Model)
(Diagram: CAs issue long-lived user certs and host certs (low frequency) and publish CRL updates; the user registers with each VO's VO-VOMS server; voms-proxy-init obtains a short-lived authz cert from the VOMS server and embeds it in a short-lived proxy cert (high frequency); the user presents the proxy to the service, whose LCAS consults the authentication & authorization info; services themselves hold short-lived service certs.)
Legal issues
(some) Legal issues
• Sites/Resources require
  – Auditing at individual user level
  – Read access to User registration data in VO
• VOs require
  – Accounting (usage) data from resources
  – At individual user level
• Privacy & data protection laws forbid sites publicly identifying individual users
  – No solution to this conflict yet!
• VOs are not (in general) legal entities
  – Makes life interesting!
NRENs and Grids?
NRENs and Grids?
• No desire to run net services that can be provided by others
• AuthN/Identity services
  – Currently constrained to be X.509 PKI
  – Several NRENs run Certification Authorities
    • For Grids today, e.g. CESNET
  – AuthN best done by home institute
  – We should continue to work together here
• For large/long-lived VOs
  – Global AuthZ must be managed by the VO
  – Role/Group names must be defined by VO and understood by Sites/Resources (across all Grids)
• Dynamic/Short-lived VOs
  – Small groups of collaborating scientists
    • "Laymen rather than experts"
  – VO cannot register with Grid Infrastructure
  – Interesting to explore possibilities for NRENs here
References
• LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
• EGEE JRA3 (Security): http://egee-jra3.web.cern.ch/
• Open Science Grid Security: http://www.opensciencegrid.org/techgroups/security/
• EU DataGrid Security: http://hep-project-grid-scg.web.cern.ch/
• LCG Guide to Application, Middleware and Network Security: https://edms.cern.ch/document/452128
• EU Grid PMA (CA coordination): http://www.eugridpma.org/
• TERENA TACAR (CA repository): http://www.terena.nl/tech/task-forces/tf-aace/tacar/
Final Words
• Grids require robust AuthN
  – Government-issued photo-ID
• There are technology constraints
  – Today's Grid middleware (e.g. X.509)
• Standards are essential
  – For interoperability between Grids
  – GGF is an important body
  – Grid Security will implement new standards
    • WS-Security, SAML, XACML, etc
• People aspects even more important
  – Building International Trust takes time
  – Between Grids, Sites and VOs
• We (Grids and NRENs) must keep talking to each other