Recent Activities on International Grid Trust Federation
Yoshio Tanaka (yoshio.tanaka@aist.go.jp)
APGrid PMA, Chair
Grid Technology Research Center, AIST, Japan
National Institute of Advanced Industrial Science and Technology

Contents
- Introduction of Grid
- Grid Security
  - Status and problems
- How to implement trust federation
  - Policy Management Authority
  - International Grid Trust Federation
- Summary

What is Grid?
- Flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources
  - resources include not only computers but various kinds of resources such as databases, networks, sensors, etc.
[Figure labels: User, Secure, Computer, Software, Broadband Network, Sensor Net, Experts, Visualization, Storage, Coordinated]

What does Grid make possible?
- Online Access to Remote Instruments
- Petabyte-scale Data Analysis
[Figures: Detector for LHCb experiment; Detector for ALICE experiment]

What does Grid make possible? (cont'd)
- Large-scale Distributed Computing
- Large-scale Metacomputing

What does Grid make possible? (cont'd)
- High Throughput Computing
- Integration of Human Resources

The Grid: A Brief History
- Early 90s
  - Gigabit testbeds, metacomputing
- Mid to late 90s
  - Early experiments, academic software projects, application experiments
- Now
  - Dozens of application communities & projects in scientific and technical computing
  - Major infrastructure deployments
  - De facto standard technology: Globus Toolkit(TM)
  - Growing industrial interest
  - Global Grid Forum: ~1000 people, 30+ countries
- Status
  - Grid is moving into a production phase
  - High-speed network + High-performance computers
  - Grid middleware is becoming mature

Large-scale QM/MD simulation on AIST-TeraGrid @ SC2004
[Figure labels: QM simulation; P32 (512 CPU); MD Simulation; based on DFT; TCS (512 CPU) @ PSC; P32 (512 CPU); F32 (256 CPU)]
Run the simulation for more than 10 hours on 1793 CPUs on AIST Super Cluster and TeraGrid

Grid Security
- GSI is based on X.509 certificates and PKI.
  - Most organizations are launching their own Certificate Authorities (CA) for issuing end-entity certificates for users, hosts, services.
  - Proxy Certificates (RFC3820) for single sign on and delegation
- A Virtual Organization (VO) is implemented by federations of multiple security domains.

Grid Security (cont'd)
- The most popular multi-domain PKI architecture (in Grid) is cross-recognition
  - Independent CAs would somehow be licensed or audited by a mutually recognized trusted authority.
  - e.g.
    - AIST trusts KISTI CA operated by KISTI, Korea.
    - KISTI trusts AIST GRID CA operated by AIST.
[Figure: diagram of multiple CAs, labelled "CA" and "globus CA"]

Grids in Asia Pacific
- Architecture, technology
  - Based on GT2
  - Allow multiple CAs
  - Build MDS Tree
- Grid middleware/tools from Asia Pacific
  - Ninf-G (GridRPC programming)
  - Nimrod-G (parametric modeling system)
  - SCMSWeb (resource monitoring)
  - Grid Data Farm (Grid File System), etc.
- Status
  - 22 organizations (10 countries)
  - 23 clusters (1688 CPUs)

Problems
- Problems of authentication federations
  - All CAs should keep the same level of operation.
    - How is the CA securely operated? Use HSM? Dedicated CA room? …
  - All CAs should have no conflict in policy.
    - How does the CA identify end entities? Use face-to-face meeting? Telephone? etc. …
- Policy Management Authority (PMA) is a coordination body of CA policies and operations.

APGrid PMA: Asia Pacific Grid PMA
- General Policy Management Authority in Asia Pacific
  - Not specific to ApGrid, not specific to PRAGMA…
- Launched on June 1st, 2004
- Defines minimum CA requirements
- APGrid PMA approved that we accept two levels of CA:
  - Experimental-level CA
    - Alternative to the Globus CA
    - Can be trusted within A-P communities
  - Production-level CA
    - Strict management is necessary
    - Expected to be trusted by international communities

APGridPMA: Status (Members and CAs)

| Affiliation | Name | Production CA | Experimental CA |
|---|---|---|---|
| AIST / Japan | Yoshio Tanaka | in operation | will close |
| ASCC / Taiwan | Eric Yen | in operation | none |
| KISTI / Korea | Jae-Hyuck Kwak | in operation | in operation |
| CAS / China | Kai Nan | in operation | in operation |
| IHEP / China | Gonxing Sun | in operation | none |
| VPAC / Australia | Damon Smith | planning | in operation |
| NAREGI / Japan | Shinji Shimojo | planning | in operation |
| NCHC / Taiwan | Julian Yu-Chung Chen | planning | in operation |
| Osaka U / Japan | Susumu Date | planning | in operation |
| SDSC / USA | Mason Katz | no plan | planning |
| HKU / Hong Kong | Chen Lin, Elaine | no plan | in operation |
| U of Hyd / India | Arun Agarwal | no plan | in operation |
| USM / Malaysia | Boon Yaik | no plan | in operation |
| BII / Singapore | Kishore Sakharkar | no plan | in operation |

APGridPMA: Status
- 7 ex officio members, 7 general members
- Regular (monthly) VTC.
- (physical) face-to-face meeting once per year.
- We have started mutual audit
  - NAREGI PKI WG has subjectively selected criteria for auditing Grid CAs, based on
    - AICPA/CICA WebTrust(SM/TM) Program for Certification Authority
    - minimum CA requirements of APGrid PMA and EUGrid PMA
  - AIST CA has audited Academia Sinica CA (Taiwan)
  - All APGrid PMA Production-level CAs will be audited by external auditors in a year.
  - Audit checklist and experiences will be documented at the GGF CAOPs WG.

Status of PMAs
- Currently, there are three regional PMAs
  - EUGrid PMA (established May 2004)
    - Former: EUDG WP6 CA Coordination Group (started in 2002)
  - TAG PMA (going to be established)
    - Former: DOEGrid PMA (started in 2002)
  - APGrid PMA (established June 2004)
    - Unofficially started in 2003
- Each regional PMA is responsible for
  - coordination of CA policy within the region
  - coordination of CA policy with the other regional PMAs
- Three PMAs are the founders of the International Grid Trust Federation (IGTF)

Role of PMAs (examples)
- Can EGEE trust your CA?
  - What is the procedure for reviewing/accrediting your CA?
  - Does your CA need to be reviewed by individual organizations in EGEE?
  - If another CA in Asia wishes to be trusted by EGEE, is a separate review necessary?
  - APGridPMA will accredit your CA. EGEE does not need to review/accredit your CA.
- Can your organization trust CAs in EGEE?
  - What is the procedure for reviewing?
  - Do you need to review all CAs in EGEE?
  - EUGridPMA will accredit CAs. Neither you nor APGridPMA needs to review/accredit CAs in EGEE.
- If you launch a new CA that is expected to be trusted by organizations in EGEE, how should you design the policy and practices of your CA?
  - APGrid PMA provides minimum CA requirements.

History of IGTF activities
- GGF7@Tokyo, March 2003
  - First meeting with EU, DOE, and AP members
  - Agreed to work on forming the Grid PMA.
    - develop minimum requirements
    - develop GridPMA charter
- Continuous discussions between AP, EU, and TAG PMA for International Grid Trust Federation.
  - GGF12 and EUGrid PMA meeting@Brussels, September 2004
  - GGF13@Seoul, March 2005
  - EUGridPMA meeting@Tallinn, May 2005
  - GGF14@Chicago, June 2005
  - GGF15@Boston, Oct. 2005