GRID middleware and security, the missing bits David Kelsey TAC, Malaga 8 Jun 2009.

Page 1:

GRID middleware and security, the missing bits

David Kelsey, TAC, Malaga, 8 Jun 2009

Page 2:

8 Jun 09 Grids, TAC, Kelsey 2

Outline
• EGEE and EGI – Introduction
• Federated Identity Management
• Virtual Organisations, Global Trust and Attribute Management
• Operational Security

• Disclaimers:
– My personal views – not the official views of any Grid project, IGTF etc.
– “Middleware” – just Authentication and Authorisation
– “Missing bits” – well, at least some pointers to possibilities for future coordination
• Thanks to (for slides): Bob Jones and David Groep – with some modifications by me

Page 3:

Enabling Grids for E-sciencE

EGEE-III INFSO-RI-222667 EGEE - Bob Jones - Research Connection, Prague, May 2009 3

EGEE-III

Main Objectives
– Expand/optimise existing EGEE infrastructure, include more resources and user communities
– Prepare migration from a project-based model to a sustainable federated infrastructure based on National Grid Initiatives

Flagship Grid infrastructure project co-funded by the European Commission
Duration: 2 years
Consortium: ~140 organisations across 33 countries
EC co-funding: 32 Million €

Page 4:

~280 sites
45 countries
>80,000 CPUs
>20 PetaBytes
>14,000 users
>250,000 jobs/day

Page 5:

Applications

• >260 VOs from several scientific domains
– Astronomy & Astrophysics
– Civil Protection
– Computational Chemistry
– Comp. Fluid Dynamics
– Computer Science/Tools
– Condensed Matter Physics
– Earth Sciences
– Fusion
– High Energy Physics
– Life Sciences

• More applications and user communities every month

Page 6:

Collaborating e-Infrastructures

Page 7:

Goal: Long-term sustainability of grid infrastructures in Europe

Approach: Establish a federated model bringing together National Grid Infrastructures (NGIs) to build the European Grid Infrastructure (EGI)

EGI Organisation: Coordination and operation of a common multi-national, multi-disciplinary Grid infrastructure

To enable and support international Grid-based collaboration
To provide support and added value to NGIs
To liaise with corresponding infrastructures outside Europe

Page 8:

EGI workshop, Catania

March 2nd, 2009

EGI and NGI Tasks

[Diagram: EGI tasks, NGI international tasks and NGI local tasks, laid out across EGI and several NGIs]

Page 9:

Federated Identity Management for Grids

• International Grid Trust Federation (IGTF)
– 3 geographical Policy Management Authorities (EUGridPMA, TAGPMA, APGridPMA)
• Coordinates a Global PKI (X.509)
– Used by many different Grids
• IGTF defines minimum requirements and best practices
– Accredits CAs against 3 different authentication profiles (Classic, MICS and SLCS)

Page 10:

OGF25 IGTF Workshop – Mar 2009 – David Groep – [email protected]

Geographical coverage of the EUGridPMA

25 of 27 EU member states (all except LU, MT) + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID + CA, CERN (int), DoEGrids (US)*

Pending or in progress: BY, MD, SY, LV, ZA, SN

Page 11:

16th EUGridPMA Mtg, 11 May 09 – Vinod Rebello – [email protected]

TAGPMA Membership

NRC – Canada
ESnet (DOEGrids) – USA
EELA – International
Fermi National Accelerator Laboratory – USA
HEBCA/USHER/Dartmouth College – USA
IBDS (ANSP) – Brazil
WLCG – International
NCSA – USA
NERSC – USA
Open Science Grid – International
Purdue University – USA
REUNA – Chile
San Diego Supercomputer Center – USA
SENAMHI – Peru
TACC – USA
TeraGrid (PSC) – USA
Texas High Energy Grid – USA
University of Virginia – USA
UFF – Brazil
ULA – Venezuela
UNAM – Mexico
UNLP – Argentina

Legend (colour-coded on the original slide, mapping not preserved in this transcript): IGTF Accredited CA Operators / CA Accreditation in progress / Interested in accreditation / Relying Party

Page 12:

APGridPMA members
• AIST (JP)
• APAC (AU)
• ASGCC (TW)
• CNIC (CN)
• HKU (HK)
• IGCA (IN)
• IHEP (CN)
• KEK (JP)
• KISTI (KR)
• NAREGI (JP)
• NCHC (TW)
• NECTEC (TH)
• NGO/Netrust (SG)
• PRAGMA-UCSD (US)

Page 13:

Interfederation Grids-NRENs

• A growing number of CAs are now run by NRENs (or NGIs)
• Future challenges for Grid IdM
– Scaling
– Ease of use
• -> Interfederation: IGTF and R&E AAIs
– Started with SWITCH

Page 14:

A Federated Grid CA

Use your federation ID ... to authenticate to a service ... that issues a certificate ... recognised by the Grid today

Graphic from: Jan Meijer, UNINETT

Page 15:

Matching the Grid requirements

Persistent and unique naming
– IdPs historically tended to recycle login names
– even eduPersonPrincipalName is often recycled
– only eduPersonTargetedID is immune to this, but it is not supported everywhere (and is usually opaque)
– this adds a requirement to the federation or to the IdPs

Reasonable representation of names
– Given name, surname and nickname are usually considered privacy sensitive
– user-approved release of these appears doable
– requires evaluation of the legal framework
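The two requirements on this slide translate into concrete checks at the point where a federated CA (the SLCS/MICS pattern of the previous slides) turns a federation login into a certificate subject. The following is an added example written for this page; it is not the code of the SWITCH or TERENA services. It assumes the attribute names from the eduPerson schema named on the slide, a hypothetical CA base DN, and a made-up scheme (display name plus a short hash of IdP entityID and eduPersonTargetedID) for keeping the CN both readable and unique; the sample attribute releases are constructed.

```python
"""
Subject naming for a federated Grid CA: persistent, unique and human-readable.

Added example for this page, not SWITCH/TERENA code. The base DN and the
hash-suffix scheme are assumptions; a real CA's namespace is fixed by its IGTF
accreditation.
"""
import hashlib
import re
from typing import Dict

EPPN = "eduPersonPrincipalName"   # human-readable, but an IdP may reassign it to someone else
EPTID = "eduPersonTargetedID"     # opaque, persistent, not reassigned; scoped to one (IdP, SP) pair

CA_BASE_DN = "/DC=org/DC=example/DC=federated-ca"   # hypothetical namespace


class UnsuitableIdentity(ValueError):
    """The released attributes cannot yield a persistent, unique, human-readable subject."""


def _clean_name(name: str) -> str:
    # Keep the CN in printable ASCII and drop '/' and '=', which are structural
    # characters in the OpenSSL-style "/C=.../CN=..." notation Grid tools use.
    cleaned = re.sub(r"[^A-Za-z0-9 .'\-]", "", name)
    cleaned = " ".join(cleaned.split())
    if not cleaned:
        raise UnsuitableIdentity("display name has no usable characters")
    return cleaned


def derive_subject(attrs: Dict[str, str], idp_entity_id: str) -> str:
    """Return the subject DN to certify for this federated login, or raise."""
    eptid = attrs.get(EPTID)
    if not eptid:
        # Deliberately no fallback to ePPN: a DN keyed on a recyclable login name could
        # later be issued to a different person, which breaks every Grid ACL built on it.
        raise UnsuitableIdentity("no eduPersonTargetedID released; refusing to key on ePPN")

    display = attrs.get("displayName") or " ".join(
        part for part in (attrs.get("givenName"), attrs.get("sn")) if part
    )
    if not display:
        raise UnsuitableIdentity("no display name released (privacy setting at the IdP?)")

    # ePTID is unique only within the (IdP, SP) pair that produced it, so bind the IdP's
    # entityID into the digest; the truncated hash keeps the CN readable yet unique.
    digest = hashlib.sha256(f"{idp_entity_id}!{eptid}".encode("utf-8")).hexdigest()[:8]
    return f"{CA_BASE_DN}/CN={_clean_name(display)} {digest}"


def accepts(attrs: Dict[str, str], idp_entity_id: str) -> bool:
    """True if the CA would issue for this release; useful for checking an IdP's attribute policy."""
    try:
        derive_subject(attrs, idp_entity_id)
        return True
    except UnsuitableIdentity:
        return False


# Constructed sample attribute releases (not real users or IdPs).
IDP = "https://idp.example.edu/idp/shibboleth"
GOOD_RELEASE = {
    EPPN: "jdoe@example.edu",
    EPTID: "ZxQ7Lw5kP8tO2aRfVn1cJ3yB",
    "displayName": "Jane Doe",
}
EPPN_ONLY_RELEASE = {EPPN: "jdoe@example.edu", "displayName": "Jane Doe"}

if __name__ == "__main__":
    print(derive_subject(GOOD_RELEASE, IDP))
    print("ePPN-only release accepted:", accepts(EPPN_ONLY_RELEASE, IDP))
```

The refusal to fall back to eduPersonPrincipalName is the security-relevant choice: an IdP that only releases ePPN looks usable, but the resulting DN is exactly the recyclable name the slide warns about. Binding the IdP entityID into the digest matters because the same ePTID value is meaningless outside the IdP that minted it.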

Page 16:

New: TERENA Grid CA Service

Initial partners: FEIDE, SURFfederatie, HAKA, WAYF, Swamid, TERENA (replaces DutchGrid and NorduGrid CAs)

Trans-national, cross-federation service, but not (yet) confederated

How many SLCS/MICS CAs does Europe need? Consolidate operational PKI skills in one place: better sustainability, in line with the European trend

Page 17:

Federated CAs in Europe

SWITCH: May 2007
TERENA: Summer 2009
Others interested (CESNET, …)

Page 18:

Some issues

• LoA
– Grids demand stricter identity vetting than some other applications
• Data Privacy
– Grids require release of display names

Page 19:

Virtual Organisations and Global Trust

• Security/Trust model
– User registers once with VO
• Sites delegate this to the VO
– VO builds trust with a Grid
– Interoperable common simple policy documents essential to regulate behaviour
• User, Site, VO AUP & security policies

Page 20:

Grid Authorisation: Attribute Management

• VO Membership Service (VOMS)
– RBAC
– Attribute Certificate (signed by VO) extension in proxy cert
• Contains groups, roles, and generalised attributes
• VO is SOA (source of authority) for these attributes
– Needs to stay in control
• Aggregation of attributes (VO and Institute IdP)
– some work already started in EGEE (SWITCH) VASH
• Should we (can we?) standardise some attributes?
– SCHAC schema
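What a site actually does with the VOMS attributes once they have been extracted from the attribute certificate is the part this slide leaves implicit: it parses the FQANs (Fully Qualified Attribute Names) carrying the groups and roles, and applies a local rule table to them. The block below is an added example written for this page, not VOMS or gLite code. The FQAN syntax /VO[/group...][/Role=r][/Capability=c] is the real VOMS one; the rule-table syntax, the "/*" wildcard, first-match-wins ordering and the use of the primary (first) FQAN for account mapping are this example's own conventions, chosen to follow common site practice. The FQAN list and rules are constructed.

```python
"""
VOMS-style attribute-based authorisation at a site.

Added example for this page (not EGEE/VOMS project code). Rule syntax, "/*"
wildcard, first-match-wins and primary-FQAN mapping are the example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# /atlas/production/Role=production/Capability=NULL -> group path, optional role, optional capability
_FQAN_RE = re.compile(r"^((?:/[^/=]+)+)(?:/Role=([^/=]+))?(?:/Capability=([^/=]+))?$")


@dataclass(frozen=True)
class FQAN:
    group: str             # e.g. "/atlas/production"; the VO is the first component
    role: Optional[str]    # None when the role is absent or the literal "NULL"

    @property
    def vo(self) -> str:
        return self.group.split("/")[1]


def parse_fqan(text: str) -> FQAN:
    """Parse one FQAN string; reject anything not well formed rather than guessing."""
    m = _FQAN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    group, role, _capability = m.groups()   # VOMS always emits Capability=NULL; it carries no rights
    if role == "NULL":
        role = None
    return FQAN(group=group, role=role)


@dataclass(frozen=True)
class Rule:
    group: str
    role: Optional[str]    # None = any role
    subgroups: bool        # True for a "/group/*" pattern: the group and everything below it
    account: str           # local account (or pool) the site maps the user to


def parse_rule(pattern: str, account: str) -> Rule:
    subgroups = pattern.endswith("/*")
    f = parse_fqan(pattern[:-2] if subgroups else pattern)
    return Rule(f.group, f.role, subgroups, account)


def rule_matches(rule: Rule, fqan: FQAN) -> bool:
    if rule.subgroups:
        if not (fqan.group == rule.group or fqan.group.startswith(rule.group + "/")):
            return False
    elif fqan.group != rule.group:
        return False
    return rule.role is None or rule.role == fqan.role


def map_account(fqans: List[FQAN], rules: List[Rule]) -> Optional[Tuple[str, FQAN]]:
    """
    Decide the local mapping from the *primary* FQAN only (the first one in the AC, the
    one the user selected when creating the proxy). The site adds no attributes of its
    own: the VO-signed list is the sole source of authority. Returns None (deny) when no
    rule matches; rules are tried in order, so list the most specific ones first.
    """
    if not fqans:
        return None
    primary = fqans[0]
    for rule in rules:
        if rule_matches(rule, primary):
            return rule.account, primary
    return None


def has_role(fqans: List[FQAN], group: str, role: Optional[str]) -> bool:
    """Service-level check: does *any* FQAN in the AC grant exactly this group and role?"""
    return any(f.group == group and f.role == role for f in fqans)


# Constructed sample data. The FQAN list stands for the attributes extracted from a proxy's
# VOMS AC *after* its signature has been verified against the VO's trusted VOMS server
# certificate; an unverified AC must never reach this stage.
SAMPLE_FQANS = [
    "/atlas/production/Role=production/Capability=NULL",   # primary: what the user asked for
    "/atlas/Role=NULL/Capability=NULL",
    "/atlas/production/Role=NULL/Capability=NULL",
]

RULES = [
    parse_rule("/atlas/production/Role=production", "atlasprd"),  # most specific first
    parse_rule("/atlas/Role=lcgadmin", "atlassgm"),
    parse_rule("/atlas/*", "atlas"),                               # any other ATLAS member
]

if __name__ == "__main__":
    fqans = [parse_fqan(s) for s in SAMPLE_FQANS]
    print("mapping:", map_account(fqans, RULES))
    print("may write production data:", has_role(fqans, "/atlas/production", "production"))
```

Two points the code makes explicit: the decision is deny-by-default (no matching rule, no account), and the same user gets a different mapping depending on which FQAN they put first when creating the proxy, which is why the ordering in the AC matters and why the site keeps the VO, not the user, as the source of the attributes themselves.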

Page 21:

Trustworthy AuthZ AA services

• IGTF working on minimum requirements and best practice for operation of a Grid Attribute Authority
• A possible scalable accreditation process
– NGIs (or NRENs) could do it
– according to IGTF standards

Page 22:

Grid Security Operations
• EGEE Operational Security Coordination Team (OSCT)
– Regional structure (11 centres)
• Incident Response, Monitoring, Training
• Coordination already being explored with TF-CSIRT (and TRANSITS training)
– mutual benefits
• GRID-SEC being established to enable incident communication between Grids, and between Grids and NRENs

Page 23:

More details – further work

• Romain Wartel – talk at 17:00 today
– “NRENs and Grid security teams: a critical cooperation”
• Supporting virtual technologies track
• And a BOF on Tuesday evening (19:00)

Page 24:

NRENs and Grids

• What about network operations?
• Advertise the upcoming NRENs and Grids workshop at EGEE'09
– Jointly organised by TERENA and EGEE-SA2
• http://www.terena.org/activities/nrens-n-grids/

Page 25:

Uniting our strengths to realise a sustainable European grid

Page 26:

Links
• EGEE http://www.eu-egee.org/
• EGI http://www.eu-egi.eu/
• IGTF http://www.igtf.net/
• JSPG http://www.jspg.org
• EGEE OSCT http://osct.web.cern.ch/osct/
• GRID-SEC http://grid-sec.web.cern.ch/grid-sec/Site/GRID-SEC.html

Page 27:

NRENs & Grids
• Identity Management
– Inter-federation already happening, but room for growth
– Room to work together, e.g. on LoA
• Attribute Management (AuthZ)
– How to build a scalable trust fabric
– Attributes defined in SCHAC?
• Operational Security
– not replacing national CSIRTs, but adding value
– encourage collaboration

Page 28:

Discussion
