Virtual Organisations in Grids TERENA TF-EMC2, Barcelona 8 September 2005
Virtual Organisations in Grids
TERENA TF-EMC2, Barcelona
8 September 2005
David Kelsey, CCLRC/RAL, UK
8-Sep-05 David Kelsey, VOs/Grids, TF-EMC2 2
Introduction
• Who am I?
  – Head of Particle Physics Computing at Rutherford Appleton Laboratory
  – Member of 3 Grid projects
    • UK GridPP (Chair of Deployment Board)
    • EU EGEE (Chair of Joint Security Policy Group)
    • Global LCG (Chair of Security Group)
• Why am I here?
  – Pleasure to have been invited!
  – In Particle Physics, no desire to run networking services that can be provided by others
• Disclaimer
  – These are my personal views
  – Not official views of the projects or RAL
Outline
• The LCG and EGEE projects
• What is a Grid VO?
• The Security Model
  – Authentication (AuthN)
  – Authorization (AuthZ)
• Policy issues
• AuthZ Technology
• Legal issues
• NRENs and Grid VOs
• Final words
The LHC Computing Grid Project (LCG) & Enabling Grids for E-sciencE (EGEE)
LHC Computing Grid Project – LCG
LCG Project Overview, June 2005
Les Robertson – CERN
les robertson - cern-it-6last update 22/04/23 08:49
LHC DATA
The LHC accelerator – the largest superconducting installation in the world: 27 kilometres of magnets cooled to –300 °C, colliding proton beams at an energy of 14 TeV
The accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments’ detectors
This is reduced by online computers that filter out a few hundred “good” events per sec, which are recorded on disk and magnetic tape at 100-1,000 MegaBytes/sec, ~15 PetaBytes per year
[Map of Grid sites, July 2005: 140 Grid sites in 34 countries, 12,000 CPUs; Grid3: 25 Universities, 4 National Labs, 2800 CPUs; a further grid of 30 sites, 3200 CPUs]
Inter-operation: EGEE, Open Science Grid in the US and NorduGrid
• Very early days for standards – still getting basic experience
• Focus on baseline services to meet specific experiment requirements
Enabling Grids for E-sciencE (INFSO-RI-508833, www.eu-egee.org)
The EGEE Project Status
Ian Bird, EGEE Operations Manager, CERN, Geneva, Switzerland
ISGC, Taipei, 27th April 2005
EGEE goals
• Goal of EGEE: develop a service grid infrastructure which is available to scientists 24 hours-a-day
• The project concentrates on:
  – building a consistent, robust and secure Grid network that will attract additional computing resources
  – continuously improving and maintaining the middleware in order to deliver a reliable service to users
  – attracting new users from industry as well as science and ensuring they receive the high standard of training and support they need
EGEE
EGEE is the largest Grid infrastructure project in Europe:
• 70 leading institutions in 27 countries, federated in regional Grids
• Leveraging national and regional grid activities
• ~32 M Euros EU funding for initially 2 years starting 1st April 2004
• EU review, February 2005 successful
• Preparing 2nd phase of the project – proposal to EU Grid call September 2005
• Promoting scientific partnership outside EU
Deployment of applications
• Pilot applications
  – High Energy Physics
  – Biomed applications: http://egee-na4.ct.infn.it/biomed/applications.html
• Generic applications – deployment under way
  – Computational Chemistry
  – Earth science research
  – EGEODE: first industrial application
  – Astrophysics
• With interest from
  – Hydrology
  – Seismology
  – Grid search engines
  – Stock market simulators
  – Digital video etc.
  – Industry (provider, user, supplier)
• Many users
  – broad range of needs
  – different communities with different background and internal organization
What are Grid VOs?
Grid VOs
• Several different views!
• The original Globus definition included resources
  – A Virtual Organisation is a set of individuals and/or institutions that are defined according to a set of rules
• The EGEE View – just people
  – A grouping of individuals, often not bound to a single institution or enterprise, who, by reason of their common membership of the VO, and in sharing a common goal, are granted rights to use a set of resources on the Grid
• There are many Grids
  – Defined by shared services and common policy
  – Single Information System
  – Common operations (distributed)
  – Politics and/or Funding
Virtual vs. Organic structure
[Diagram: two organizations, A and B, with members Person A (Faculty), Person B (Staff), Person C (Student), Person D (Staff), Person E (Faculty) and Person F (Faculty), and resources Compute Servers C1, C2 and C3 and File server F1 (disks A and B); Virtual Community C spans both organizations, taking Person A (Principal Investigator), Person B (Administrator), Person D (Researcher), Person E (Researcher), Compute Server C1' and File server F1 (disk A)]
Graphic by Frank Siebenlist, ANL & Globus Alliance
The Security Model
Security Model
• Users have single electronic identity
• They register once per VO (and renew)
  – Can belong to more than one VO
• Users do not register at sites/resources
• VOs register with Grid (again once per Grid)
• Aim for single instance of VO membership database
  – To be used across multiple Grids
• Sites/Resource decide which VOs to support
  – Grid Operations facilitates this support
    • Configuration etc
The Security Model (2)
• Authentication – proof of identity
  – GSI: Globus Grid Security Infrastructure (interoperate)
  – Single sign-on via X.509 certificates (PKI)
  – Delegation (via short-lived proxy certs) to services
• Global Authorization – right to access resources
  – Virtual Organisation (VO) – e.g. a Biomed experiment
    • Maintains list of registered users
    • Allocates users to groups and/or roles
    • Controls global policy and allocations
• Local Authorization – site access control
  – Via local (e.g. Unix) mechanisms or
  – Callouts to local AuthZ enforcement (Grid developments)
  – Grid ACLs – global identity or VO AuthZ attributes
• Policy
  – Grids (e.g. EGEE, OSG) define security policy
  – Many stakeholders also contribute to “policy”
Security Policy
[Diagram: Authorization Policy Architecture, graphics from Globus Alliance & GGF OGSA-WG. Labelled elements: User; PKI Identity; PKI/Kerberos Identity Translation Service; Local Site Kerberos Identity; Delegation and Delegation Policy; Process acting on user’s behalf; VO (User Attributes: key material, group of unique names, organizational role; VO Policy); Site/Resource Owner (Resource Attributes; Site Policy); Other Stakeholders (Policy); Authorization Service/PDP (policy and attributes; Allow or Deny); Policy Enforcement Point; Resource; Server; Standardize]
Policy comes from many stakeholders
Authentication
Authentication
• Keep Authentication and Authorization separate
  – Authentication best done at Institute level
  – Authorization best done at VO level
• Provide the User with one (Grid) electronic identity
  – For use in many Grids or VOs
  – For user convenience
• Have successfully built a global PKI (X.509)
  – Mutual Authentication of people and services
• What is the most appropriate scale?
  – One CA per country/region (ideally for all eScience)
• EU Grid PMA has coordinated the (global) CAs
  – “minimum requirements” for accredited CAs
• Now three worldwide PMAs for Authentication
  – Asia/Pacific, The Americas and EU
  – International Grid Trust Federation coordinates these
• Using TACAR for roots of trust
Policy issues
EGEE/LCG Security Policy
[Diagram (picture from Ian Neilson): the policy document set, with the Security & Availability Policy at the top and beneath it the User AUP, VO AUP, Certification Authorities, Audit Requirements, Incident Response, User Registration & VO Management, and Application Development & Network Admin Guide; some documents marked Under Revision]
http://cern.ch/proj-lcg-security/documents.html
Policy
• Acceptable Use Policy
  – One simple common User AUP
    • for EGEE and OSG
    • And other national Grids
    • Applies to all registered VOs
    • Binds user to VO AUP
  – Each VO defines its own aims and AUP
    • Sites can then decide to support or not
  – User accepts these during registration
    • And regular renewal (every 12 months)
• Robust User Registration procedures are required
  – Sites have delegated user registration to VOs
AuthZ Technology
Authorization & VO Management
• In EGEE gLite and LCG middleware
• Global AuthZ (VOMS)
  – Virtual Organization Membership Service
    • VO members, their groups and roles
    • Provides digitally signed AuthZ attribute certificate
  – Included in the grid proxy certificate
  – A “PUSH” model (user can select roles and VOs)
• Local AuthZ
  – Local Centre Authorization Service (LCAS)
    • A framework to handle local policy (e.g. banned users)
  – Local Credential Mapping (LCMAPS)
    • Provides local credentials (Kerberos/AFS, ldap nss…)
    • Local policy decisions (CE and SE)
  – Can decide and enforce policy on VOMS attributes
    • n.b. LCAS/LCMAPS is just one local AuthZ service
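The VOMS/LCAS/LCMAPS chain on this slide and the AuthN/AuthZ split of The Security Model (2), modelled in Python as an added example (not code from the talk or from gLite/LCG): the VO's VOMS signs the groups/roles (FQANs) the user selects (the PUSH model), and the site independently decides whether to trust that VO, applies its local ban list, and maps the presented role to a local account. HMAC with a shared demo key stands in for the signature on the VOMS attribute certificate, and the DNs, VO name, FQANs and accounts are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class VomsServer:
    """VO Membership Service: the VO's member list with their groups and roles."""
    vo: str
    key: bytes     # VO signing key (demo stand-in for the VOMS server's private key)
    members: dict  # user DN -> FQANs granted by the VO, e.g. "/biomed/Role=admin"

    def issue(self, dn, requested=None):
        """voms-proxy-init step (PUSH model): sign only the granted FQANs the user selects."""
        held = self.members.get(dn, [])
        fqans = [f for f in (requested or held) if f in held]
        payload = "|".join([dn, self.vo, *fqans]).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"dn": dn, "vo": self.vo, "fqans": fqans, "sig": sig}

@dataclass
class Site:
    """Resource provider: decides which VOs to support and applies local policy."""
    vo_keys: dict  # supported VO -> key that verifies that VO's attributes
    banned: set    # LCAS-style ban list of user DNs
    mapping: dict  # LCMAPS-style map: FQAN -> local account

    def lcas(self, ac):
        """Local Centre Authorization Service: allow or deny, no credential mapping."""
        key = self.vo_keys.get(ac["vo"])
        if key is None:
            return False, "VO not supported at this site"
        payload = "|".join([ac["dn"], ac["vo"], *ac["fqans"]]).encode()
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), ac["sig"]):
            return False, "VOMS attribute signature invalid"
        if ac["dn"] in self.banned:
            return False, "user banned by local policy"
        return True, "ok"

    def authorize(self, ac):
        """LCAS decision, then LCMAPS-style mapping: first presented FQAN with a mapping wins."""
        ok, reason = self.lcas(ac)
        if not ok:
            return False, reason
        account = next((self.mapping[f] for f in ac["fqans"] if f in self.mapping), None)
        return (True, account) if account else (False, "no local mapping")

# Constructed sample data (not real DNs or keys); the key is shared only for this demo.
KEY = b"constructed-demo-key"
ALICE, MALLORY = "/C=UK/O=eScience/CN=alice", "/C=UK/O=eScience/CN=mallory"
VOMS = VomsServer("biomed", KEY, {ALICE: ["/biomed", "/biomed/Role=admin"], MALLORY: ["/biomed"]})
SITE = Site({"biomed": KEY}, {MALLORY}, {"/biomed/Role=admin": "biomedadm", "/biomed": "biomed001"})

def demo():
    """Alice pushes only her admin role; Mallory is a VO member but banned locally."""
    return SITE.authorize(VOMS.issue(ALICE, ["/biomed/Role=admin"])), SITE.authorize(VOMS.issue(MALLORY))
```

Note that the site never consults the VO at decision time: everything it needs is pushed in the signed attributes, which is why a tampered FQAN list or an unsupported VO fails at LCAS before any mapping happens.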
AuthZ – VOMS & LCAS
[Diagram of the PUSH model: CAs issue the long-lived user cert and host cert and publish crl updates (low frequency); the user registers with one or more VO-VOMS servers; voms-proxy-init obtains a short-lived authz cert from VOMS and builds a short-lived proxy cert carrying it (high frequency); the service holds a short-lived service cert, and the user's authentication & authorization info is passed to LCAS at the service]
Legal issues
(some) Legal issues
• Sites/Resources require
  – Auditing at individual user level
  – Read access to User registration data in VO
• VOs require
  – Accounting (usage) data from resources
  – At individual user level
• Privacy & data protection laws forbid sites publicly identifying individual users
  – No solution to this conflict yet!
• VOs are not (in general) legal entities
  – Makes life interesting!
NRENs and Grids?
NRENs and Grids?
• No desire to run net services that can be provided by others
• AuthN/Identity services
  – Currently constrained to be X.509 PKI
  – Several NRENs run Certification Authorities
    • For Grids today, e.g. CESNET
  – AuthN best done by home institute
  – We should continue to work together here
• For large/long-lived VOs
  – Global AuthZ must be managed by the VO
  – Role/Group names must be defined by VO and understood by Sites/Resources (across all Grids)
• Dynamic/Short-lived VOs
  – Small groups of collaborating scientists
    • “Laymen rather than experts”
  – VO cannot register with Grid Infrastructure
  – Interesting to explore possibilities for NRENs here
References
• LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
• EGEE JRA3 (Security): http://egee-jra3.web.cern.ch/
• Open Science Grid Security: http://www.opensciencegrid.org/techgroups/security/
• EU DataGrid Security: http://hep-project-grid-scg.web.cern.ch/
• LCG Guide to Application, Middleware and Network Security: https://edms.cern.ch/document/452128
• EU Grid PMA (CA coordination): http://www.eugridpma.org/
• TERENA TACAR (CA repository): http://www.terena.nl/tech/task-forces/tf-aace/tacar/
Final Words
• Grids require robust AuthN
  – Government issued photo-ID
• There are technology constraints
  – Today’s Grid middleware (e.g. X.509)
• Standards are essential
  – For interoperability between Grids
  – GGF is important body
  – Grid Security will implement new standards
    • WS-Security, SAML, XACML, etc
• People aspects even more important
  – Building International Trust takes time
  – Between Grids, Sites and VOs
• We (Grids and NRENs) must keep talking to each other