Enabling Grids for E-sciencE
Authorisation Developments in Grids (particularly EGEE)
David Kelsey, RAL/STFC, d.p.kelsey@rl.ac.uk
TERENA NRENs & Grids meeting, Dublin, 1st September 2008
www.eu-egee.org
EGEE-III INFSO-RI-222667
EGEE and gLite are registered trademarks
Overview
• Introduction to EGEE(-III)
• Grid security model
  – Requirements and aims
• Authorisation (AuthZ)
  – Use of attributes
• Developments in Grid AuthZ
  – Middleware
  – VOMS
  – IGTF and JSPG policy
• Final thoughts
Disclaimer: Not officially “EGEE approved” – some personal opinions!
Kelsey - AuthZ
Who am I?
• David Kelsey
• STFC – Rutherford Appleton Laboratory, UK
• Head of Particle Physics Computing
• Work on GridPP, EGEE and LCG (CERN LHC Grid)
• Main interest: Grid security (from the policy side)
  – Authentication, authorisation, operational security, policy…
• I lead the Joint (EGEE/WLCG) Security Policy Group – JSPG
• Not an expert in all matters related to authorisation!
  – Not involved in middleware development
  – Christoph Witzig (EGEE Security Architect) is here
Thanks to
• I used slides from several people (thanks!)
• Bob Jones, EGEE Project Director
• Erwin Laure, EGEE Technical Director
• Vincenzo Ciaschini, VOMS lead developer (INFN)
Application domains:
• Archeology
• Astronomy
• Astrophysics
• Civil Protection
• Comp. Chemistry
• Earth Sciences
• Finance
• Fusion
• Geophysics
• High Energy Physics
• Life Sciences
• Multimedia
• Material Sciences
• …
Infrastructure figures:
• >250 sites
• 48 countries
• >50,000 CPUs
• >20 PetaBytes
• >10,000 users
• >150 VOs
• >150,000 jobs/day
Collaborating e-Infrastructures
(figure only; no text on this slide)
EGEE-III
• EGEE-III
  – Co-funded under European Commission call INFRA-2007-1.2.3
  – 32M€ EC funds, compared to ~37M€ for EGEE-II
  – 9010 person months / 375 FTEs (~20% less than EGEE-II)
  – 2 year period: 1 May 2008 to 30 April 2010
• Key objectives
  – Expand/optimise the existing EGEE infrastructure, include more resources and user communities
  – Prepare migration from a project-based model to a sustainable federated infrastructure based on National Grid Initiatives
• Consortium
  – Structured on a national basis (National Grid Initiatives / Joint Research Units)
  – From 91 partners in EGEE-II (+ a further 48 JRU members) to 42 beneficiaries in EGEE-III (+ 100 JRU members)
The security model
• AuthN: the user obtains a long-lived X.509 certificate
  – from their national CA
    · renewed annually
  – or short-lived certificates from another IdP
    · e.g. a Shibboleth AAI
  – IGTF – a global trust federation: one electronic identity valid everywhere
• Grid sites devolve all user registration to the VOs
• The VO registers with each Grid infrastructure
  – EGEE, OSG (USA), NorduGrid, national Grids, …
• VO and user behaviour is controlled by policy documents
  – Common policies across all Grids
• The user registers once with a VO
  – Accepts the Grid AUP during registration
  – Renewed annually
• AuthZ: the VO manager confirms the membership request
  – and assigns the user his/her groups and/or roles
• The VO Membership Service (VOMS)
  – Issues AuthZ attributes
  – as an Attribute Certificate embedded in the user's proxy certificate
• AuthZ attributes are used for access control, priorities, quotas, …
  – Fine-grained control is possible, but sites typically map the attributes to a local UNIX uid/gid
Requirements for managing users and VOs
• The user only registers once (per year) with the VO
  – This gives access to EGEE resources (and indeed other Grids)
• The Grid sites have to trust the VO to
  – Operate according to agreed procedures and policies
  – Do proper checks during user registration
  – Allocate user attributes (roles/groups) correctly
  – Define a VO AUP describing the VO's aims
    · Users accept a Grid AUP during registration
    · They will only perform work consistent with the VO AUP
• Sites require full traceability and audit logs down to the individual user
  – who did what, when and where?
  – Security incident response is very important
• VOs require fine-grained authorisation and accounting at the individual user level (data privacy issues!)
Requirements (2)
• All of the above makes the support of short-lived dynamic VOs rather difficult!
• EGEE addresses this by trying to make the process for creating a VO easy (easier!) and well supported
  – But we still need to build trust between the VO and the sites
• Groups within a VO are more dynamic
  – But trust is still built at the VO level
• Scaling problems with VOs
  – If a VO uses resources at many sites (and even many Grids)
  – it is impossible to build trust between the VO and each site individually
  – The Grid has to establish trust with the VO (on behalf of its sites)
Requirements (3)
• Interoperability is needed
  – Several large VOs use resources from many Grids
  – JSPG aims to achieve common policies
  – i.e. not just a question of standards-based protocols/services
• VO naming: a DNS-style name for each VO
• Today we have little technical control (other than via written policies) over what work a user does
  – Hence the heavy need for audit logs and incident response
• We are working on policies for Grid portals
  – In some cases the submitted work can then be more tightly controlled
  – It may be possible to relax some of the policy constraints
    · Identity is less important when actions are controlled
Authorization in EGEE
• Gaining access to EGEE resources is governed by VO membership
• EGEE does not own or manage resources
  – Resource centers are independent and allow certain VOs to access their resources
  – Resource centers govern the usage policy
    · Set quotas, priorities, shares etc. for VO members
  – EGEE provides mechanisms for VOs and resource centers to negotiate usage (out of band)
• Users are identified via X.509 proxies
  – VO membership via VOMS
  – VO information is either carried inside the proxy (as the VOMS attribute certificate) or used implicitly when generating grid-mapfiles
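The mapping step named on this slide and on the security model slide (VOMS attributes carried in the proxy, mapped at the site to a local UNIX account) together with the traceability requirement (audit logs down to the individual user), as an added example that is not EGEE or gLite code: it parses VOMS FQANs, matches the proxy's primary FQAN against a grid-mapfile-style rule set, leases pool accounts per DN, and emits the audit record a site would keep. The FQAN grammar, the mapfile syntax, the wildcard and first-match-wins semantics, and the sample DNs, VOs, accounts and mapfile are all assumptions of this example, not taken from the talk.

```python
"""Map a VOMS-enabled proxy to a local UNIX account (added example, not gLite
code).  Assumed conventions: FQANs read /VO[/group...][/Role=r][/Capability=c]
with NULL meaning "unset"; mapfile lines are  "<pattern>" <account>  where a
pattern ending in '/*' matches a group and all sub-groups whatever the role and
an account starting with '.' names a pool; the proxy's first FQAN is primary and
the first matching rule in file order wins (simplified LCMAPS-style model)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FQAN:
    vo: str
    groups: Tuple[str, ...]      # sub-groups below the VO, possibly empty
    role: Optional[str]
    capability: Optional[str]

    @property
    def group_path(self) -> str:
        return "/" + "/".join((self.vo,) + self.groups)


def parse_fqan(text: str) -> FQAN:
    """Parse and normalise an FQAN; malformed input is rejected, not guessed at."""
    if not text.startswith("/"):
        raise ValueError("FQAN must start with '/': %r" % text)
    groups: List[str] = []
    attrs: Dict[str, Optional[str]] = {}
    for part in text.split("/")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            if key not in ("Role", "Capability"):
                raise ValueError("unknown FQAN attribute %r in %r" % (key, text))
            attrs[key] = None if value == "NULL" else value
        elif attrs or not part or part == "*":
            raise ValueError("malformed group component in %r" % text)
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN names no VO: %r" % text)
    return FQAN(groups[0], tuple(groups[1:]),
                attrs.get("Role"), attrs.get("Capability"))


def rule_matches(pattern: str, fqan: FQAN) -> bool:
    """'/atlas/*' matches /atlas and everything below it; otherwise exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return fqan.group_path == prefix or fqan.group_path.startswith(prefix + "/")
    return parse_fqan(pattern) == fqan


def load_mapfile(text: str) -> List[Tuple[str, str]]:
    """Parse mapfile lines into (pattern, account) rules; bad rules fail at load."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw.split("#", 1)[0])
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError("mapfile line %d: expected pattern and account" % lineno)
        if not fields[0].endswith("/*"):
            parse_fqan(fields[0])
        rules.append((fields[0], fields[1]))
    return rules


class PoolAccounts:
    """Leases one account per (pool, DN) so a pool user stays traceable to a DN."""

    def __init__(self, pools: Dict[str, List[str]]):
        self.free = {name: list(accts) for name, accts in pools.items()}
        self.leases: Dict[Tuple[str, str], str] = {}

    def lease(self, pool: str, dn: str) -> str:
        if (pool, dn) not in self.leases:
            if not self.free.get(pool):
                raise RuntimeError("pool %r exhausted; refuse the job" % pool)
            self.leases[(pool, dn)] = self.free[pool].pop(0)
        return self.leases[(pool, dn)]


def map_user(dn: str, fqans: List[str], rules: List[Tuple[str, str]],
             pools: PoolAccounts) -> Optional[Tuple[str, str]]:
    """Return (account, audit_line) for the proxy's primary FQAN, or None to deny."""
    if not fqans:
        return None                      # no VOMS attributes: refuse, don't guess
    primary = parse_fqan(fqans[0])
    for pattern, account in rules:
        if rule_matches(pattern, primary):
            if account.startswith("."):
                account = pools.lease(account[1:], dn)
            # the record a site keeps to answer "who did what, when and where"
            return account, 'dn="%s" fqan="%s" rule="%s" account=%s' % (
                dn, fqans[0], pattern, account)
    return None


# Constructed sample mapfile, not a real site's configuration.
MAPFILE = '''
"/atlas/Role=production" atlasprd    # production role -> shared account
"/atlas/Role=lcgadmin"   atlassgm
"/atlas/*"               .atlas      # any other ATLAS member -> pool account
"/dteam"                 .dteam
'''
RULES = load_mapfile(MAPFILE)
```

Two points the code makes that the slide does not spell out: only the first (primary) FQAN decides the mapping, so a proxy holding `/atlas/Role=NULL` first and `/atlas/Role=production` second lands in the pool rather than in `atlasprd`; and `Role=NULL`/`Capability=NULL` are normalised away before comparison, so a rule written as `"/atlas"` matches the FQAN VOMS actually emits. A pool that runs out raises rather than silently reusing an account, because a shared account would break the per-user traceability the site policy requires.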
Use of VO attributes
• Each VO defines and implements its attributes
  – Groups
  – Roles
  – Generic attributes
• Standardisation between VOs
  – has been found to be impossible
• Some other attributes are kept in the VO database
  – Employing institute, email address, telephone number, …
  – Not contained in the VOMS AC
    · The site has access to the data
      – via the VO manager
      – to contact the user
Separation of concerns
• VOs manage their membership and associated information (groups, roles, etc.)
• Resource centers ensure fulfillment of their commitments to VOs using their own policies
  – E.g. fair share, fixed quota etc.
• Problem:
  – VOs want ways to control how their allocation at a resource center is shared among the VO members
AuthZ developments
• Technology
  – gLite middleware
  – VOMS developments
• Policy
  – JSPG: new policies for trust between VO, Grid and sites
    · VO Registration
    · VO Membership Management
    · Grid Portals and Pilot Jobs
  – IGTF: new minimum standards for running a VO Attribute Authority
AuthZ in gLite
• EGEE is revising its authorization framework
  – Requirements:
    · Uniform authorization and policy management in gLite
    · Compatible with the SAML and XACML standards
    · Built on the experience of previous systems
      – LCAS/LCMAPS, SCAS, G-PBox, gJAF
    · Usable with different authentication mechanisms
      – X.509 proxies, uid/password, Shibboleth, Kerberos tokens, …
  – Preserve separation of concerns
    · but provide hooks in the policy decision point together with flexible ways of specifying the execution environment (virtual machine, uid/gid, …)
• Provide a generic VO scheduler framework with a reference scheduler?
What is VOMS? In short
• VOMS is an X.509-compliant Attribute Authority
  – See RFC 3281
  – with special support for Grids and VOs
• VOMS is a SAML Attribute Authority
  – See the SAML V2.0 Deployment Profile for X.509 Subjects
    · and an OGF document
• VOMS is a membership management tool
• VOMS integrates with Shibboleth
  – in the sense that VOMS makes Shibboleth attributes available to Grid services
    · or to X.509-based services in general