Authorisation Developments in Grids (particularly EGEE)


SLIDE 1

EGEE-III INFSO-RI-222667

Enabling Grids for E-sciencE

www.eu-egee.org

EGEE and gLite are registered trademarks

David Kelsey RAL/STFC, d.p.kelsey@rl.ac.uk TERENA NRENS & Grids meeting, Dublin, 1st September 2008

Authorisation Developments in Grids (particularly EGEE)

SLIDE 2

Overview

  • Introduction to EGEE(-III)
  • Grid security model

– Requirements and aims

  • Authorisation (AuthZ)

– Use of Attributes

  • Developments in Grid AuthZ

– Middleware
– VOMS
– IGTF and JSPG policy

  • Final thoughts

Disclaimer: Not officially “EGEE approved” – some personal opinions!


SLIDE 3

Who am I?

  • David Kelsey
  • STFC – Rutherford Appleton Laboratory, UK
  • Head of Particle Physics Computing
  • Work on GridPP, EGEE and LCG (CERN LHC Grid)
  • Main interest: Grid Security (from policy side)

– Authentication, Authorisation, Operational Security, Policy…

  • I lead the Joint (EGEE/WLCG) Security Policy Group

– JSPG

  • Not an expert in all matters related to Authorisation!

– Not involved in middleware development
– Christoph Witzig (EGEE Security Architect) is here


SLIDE 4

Thanks to

  • I used slides from several people (thanks!)
  • Bob Jones, EGEE Project Director
  • Erwin Laure, EGEE Technical Director
  • Vincenzo Ciaschini, VOMS lead developer (INFN)


SLIDE 5

  • Archeology
  • Astronomy
  • Astrophysics
  • Civil Protection
  • Comp. Chemistry
  • Earth Sciences
  • Finance
  • Fusion
  • Geophysics
  • High Energy Physics
  • Life Sciences
  • Multimedia
  • Material Sciences
  • >250 sites
  • 48 countries
  • >50,000 CPUs
  • >20 PetaBytes
  • >10,000 users
  • >150 VOs
  • >150,000 jobs/day


SLIDE 6

Collaborating e-Infrastructures


SLIDE 7

EGEE-III

  • EGEE-III

– Co-funded under European Commission call INFRA-2007-1.2.3
– 32M€ EC funds compared to ~37M€ for EGEE-II
– 9010 person months / 375 FTEs (~20% less than EGEE-II)
– 2 year period: 1 May 2008 to 30 April 2010

  • Key objectives

– Expand/optimise the existing EGEE infrastructure, include more resources and user communities
– Prepare migration from a project-based model to a sustainable federated infrastructure based on National Grid Initiatives

  • Consortium

– Structured on a national basis (National Grid Initiatives/Joint Research Units)

– From 91 partners in EGEE-II (+ further 48 JRU members) to 42 beneficiaries in EGEE-III (+ 100 JRU members)


SLIDE 8

The security model

  • AuthN: User obtains a long-lived X.509 certificate

– from their national CA, renewed annually
– or short-lived certificates from another IdP, e.g. a Shibboleth AAI
– IGTF, a global trust federation: one electronic identity valid everywhere

  • Grid sites devolve all user registration to the VOs
  • VO registers with each Grid infrastructure

– EGEE, OSG (USA), NorduGrid, national Grids, …

  • VO and User behaviour controlled by policy documents

– Common policies across all Grids

  • User registers once with a VO

– Accepts the Grid AUP during registration
– Renewed annually

  • AuthZ: VO manager confirms membership request

– And assigns the user his/her groups and/or roles

  • The VO Membership Service (VOMS)

– Issues the AuthZ attributes as an Attribute Certificate (AC) carried in the user's proxy

  • AuthZ attributes are used for access control, priorities, quotas, …

– Fine-grained control (but typically implemented by mapping to a UNIX uid/gid)


SLIDE 9

Requirements for managing users and VOs

  • User only registers once (per year) with the VO

– This gives access to EGEE resources (and indeed other Grids)

  • The Grid Sites have to trust the VO to

– Operate according to agreed procedures and policies
– Do proper checks during user registration
– Allocate user attributes (roles/groups) correctly
– Define a VO AUP describing the aims

Users accept a Grid AUP during registration

  • They will only perform work consistent with the VO AUP
  • Sites require full traceability and audit logs down to the individual user: who did what, when and where?

– Security incident response is very important

  • VOs require fine-grained authorisation and accounting at the individual user level (data privacy issues!)


SLIDE 10

Requirements(2)

  • All of the above makes the support of short-lived dynamic VOs rather difficult!
  • EGEE addresses this by trying to make the process for creating a VO easy (-ier!) and well supported

– But we still need to build trust between VO and Sites

  • Groups within a VO are more dynamic

– But trust is still built at the VO level

  • Scaling problems re VOs

– If a VO uses resources in many Sites (and even Grids)
– it will be impossible to build trust between the VO and every Site individually
– The Grid has to establish trust with the VO (on behalf of its Sites)


SLIDE 11

Requirements (3)

  • Interoperability is needed

– Several large VOs use resources from many Grids
– JSPG aims to achieve common policies
– i.e. not just a question of standards-based protocols/services

  • VO Naming: DNS-style name for a VO
  • Today we have little technical control (other than via written policies) over what work a user does

– Hence all the heavy needs for audit logs and incident response

  • We are working on policies for Grid portals

– In some cases the work submitted can then be more tightly controlled
– It may then be possible to relax some of the policy constraints

Identity is less important when actions are controlled


SLIDE 12

Authorization in EGEE

  • Gaining access to EGEE resources is governed by VO membership

  • EGEE does not own or manage resources

– Resource centers are independent and allow certain VOs to access their resources
– Resource centers govern the usage policy

Set quotas, priorities, shares etc. for VO members

– EGEE provides mechanisms for VOs and resource centers to negotiate usage (out of band)

  • Users are identified via X.509 proxies

– VO membership via VOMS
– VO information can be passed inside the proxy (as the VOMS AC), or is used implicitly when generating gridmap files
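As an added illustration of this slide and of slides 8 and 9 (the site checks the VOMS AC in the proxy, maps the FQANs to a UNIX uid/gid, and keeps an audit trail down to the individual user), the following Python is example code written for this page; it is not code from the slides, gLite, LCMAPS or VOMS. Everything in it is assumed: the DNs, hostnames, FQANs and mapping rules are constructed sample data, the LSC dictionary stands in for the vomsdir/<vo>/<host>.lsc trust list, VOMS_MAPFILE stands in for a voms-mapfile-style rule table, and the AC signature is not verified (a real site verifies it against the VOMS server certificate chain named in the .lsc file).

```python
# Added example, not code from the slides, gLite, LCMAPS or VOMS: a toy model of
# the site-side step the slides describe. The VOMS Attribute Certificate (AC) in a
# user's proxy is checked (holder binding, trusted issuer, validity) and its FQANs
# are mapped to a local uid/gid via a voms-mapfile-style table, producing the audit
# record a site needs. All DNs, hosts, FQANs, rules are constructed; no signature check.
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class AttributeCert:
    holder_dn: str      # end-entity DN the AC was issued to
    issuer_dn: str      # DN of the VOMS server certificate that signed it
    issuer_ca_dn: str   # CA that issued the VOMS server certificate
    vo: str
    host: str           # VOMS server the client contacted
    fqans: list         # first entry is the primary FQAN
    not_before: datetime
    not_after: datetime

@dataclass
class Proxy:
    identity_dn: str    # end-entity DN (proxy DN with "/CN=proxy" stripped)
    ac: object          # AttributeCert, or None if the proxy carries no AC

# Trusted VOMS servers, keyed like vomsdir/<vo>/<host>.lsc: (server DN, CA DN).
LSC = {("atlas", "voms.example.org"): ("/DC=org/DC=example/OU=Hosts/CN=voms.example.org",
                                       "/DC=org/DC=example/CN=Example Grid CA")}
# (FQAN pattern, local user, local group); first match wins; a leading '.' on
# the user means "hand out an account from the pool with this prefix".
VOMS_MAPFILE = [("/atlas/Role=production", "atlasprd", "atlas"),
                ("/atlas/Role=pilot", ".atlaspil", "atlas"),
                ("/atlas/*", ".atlas", "atlas"),
                ("/atlas", ".atlas", "atlas")]
POOL_SIZE = 3
_pool_leases = {}   # prefix -> {identity_dn: account}; sticky across requests

def normalize_fqan(fqan):
    """Drop the empty Role/Capability suffixes VOMS appends, so '/atlas' can match."""
    return fqan.replace("/Role=NULL", "").replace("/Capability=NULL", "")

def validate_ac(proxy, now):
    """Return the reasons to reject the AC; an empty list means it is acceptable."""
    ac, problems = proxy.ac, []
    if ac is None:
        return ["no VOMS AC in proxy"]
    if ac.holder_dn != proxy.identity_dn:
        problems.append("AC holder does not match proxy identity")
    if LSC.get((ac.vo, ac.host)) != (ac.issuer_dn, ac.issuer_ca_dn):
        problems.append("AC issuer is not a trusted VOMS server for this VO")
    if not ac.not_before <= now < ac.not_after:
        problems.append("AC outside its validity period")
    if not all(normalize_fqan(f).split("/")[1:2] == [ac.vo] for f in ac.fqans):
        problems.append("FQAN does not belong to the AC's VO")
    return problems

def lease_pool_account(prefix, identity_dn):
    """Sticky pool mapping: a DN keeps its account; None once the pool is exhausted."""
    leases = _pool_leases.setdefault(prefix, {})
    if identity_dn not in leases:
        if len(leases) >= POOL_SIZE:
            return None
        leases[identity_dn] = f"{prefix}{len(leases) + 1:03d}"
    return leases[identity_dn]

def map_fqans(identity_dn, fqans):
    """Try the primary FQAN first, then the rest; the first rule that matches wins."""
    for fqan in map(normalize_fqan, fqans):
        for pattern, user, group in VOMS_MAPFILE:
            if fnmatch.fnmatchcase(fqan, pattern):
                if user.startswith("."):
                    user = lease_pool_account(user[1:], identity_dn)
                return None if user is None else (fqan, user, group)
    return None

def authorize(proxy, now):
    """The site's decision plus its audit record: who, which FQAN, mapped to whom, when."""
    record = {"time": now.isoformat(), "dn": proxy.identity_dn, "decision": "deny"}
    problems = validate_ac(proxy, now)
    if problems:
        record["reason"] = "; ".join(problems)
        return record
    mapped = map_fqans(proxy.identity_dn, proxy.ac.fqans)
    if mapped is None:
        record["reason"] = "no local mapping for " + ",".join(proxy.ac.fqans)
        return record
    record.update(decision="allow", vo=proxy.ac.vo, fqan=mapped[0], user=mapped[1], group=mapped[2])
    return record

NOW = datetime(2008, 9, 1, 12, 0, tzinfo=timezone.utc)          # constructed
USER_DN = "/C=UK/O=eScience/OU=RAL/CN=example user"             # constructed
SERVER_DN, CA_DN = LSC[("atlas", "voms.example.org")]

def make_proxy(fqans, holder=USER_DN, issuer=SERVER_DN, ac_hours=12):
    """A constructed proxy carrying an AC with the given FQANs (the push model)."""
    ac = AttributeCert(holder, issuer, CA_DN, "atlas", "voms.example.org", fqans,
                       NOW - timedelta(minutes=5), NOW + timedelta(hours=ac_hours))
    return Proxy(USER_DN, ac)

if __name__ == "__main__":
    print(authorize(make_proxy(["/atlas/Role=production/Capability=NULL"]), NOW))
```

Run directly, it prints the allow record for a production-role proxy. Two points the slides leave implicit: the first FQAN in the AC is the primary one and is tried first, so the order of rules in VOMS_MAPFILE matters (a catch-all `/atlas/*` placed above `/atlas/Role=production` would quietly put production jobs into the pool accounts), and a pool-account mapping has to be sticky per DN, otherwise the uid in the batch system logs cannot be traced back to one user.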


SLIDE 13

Use of VO Attributes

  • Each VO defines and implements its attributes

– Groups
– Roles
– Generic attributes

  • Standardisation between VOs

– has been found to be impossible

  • Some other attributes are kept in the VO database

– Employing institute, email address, telephone number, …
– Not contained in the VOMS AC
– The Site has access to these data via the VO manager, e.g. to contact the user


SLIDE 14

Separation of Concerns

  • VOs manage their membership and associated information (groups, roles, etc.)
  • Resource Centers ensure fulfillment of their commitments to VOs using their own policies

– E.g. fair share, fixed quota etc.

  • Problem:

– VOs want to have ways to control how their allocation at a resource center is being shared among the VO members


SLIDE 15

AuthZ Developments

  • Technology

– gLite middleware
– VOMS developments

  • Policy

– JSPG: New policies for trust between VO, Grid and Sites

VO Registration
VO Membership Management
Grid Portals and Pilot Jobs

– IGTF: New minimum standards for running a VO Attribute Authority


SLIDE 16

AuthZ in gLite

  • EGEE is revising its authorization framework

– Requirements:

Uniform authorization and policy management in gLite
Compatible with the SAML and XACML standards
Built on the experience of previous systems (LCAS/LCMAPS, SCAS, G-PBox, gJAF)
Usable with different authentication mechanisms (X.509 proxies, uid/password, Shibboleth, Kerberos tokens, …)

– Preserve separation of concerns

But provide hooks in the policy decision point, together with flexible ways of specifying the execution environment (virtual machine, uid/gid, …)

  • Provide a generic VO scheduler framework with a reference scheduler?


SLIDE 17

What is VOMS? (in short)

  • VOMS is an X.509-compliant Attribute Authority

– See RFC 3281
– With special support for Grids and VOs

  • VOMS is a SAML Attribute Authority

– See the SAML V2.0 Deployment Profile for X.509 Subjects, and an OGF document

  • VOMS is a membership management tool
  • VOMS integrates with Shibboleth

– In the sense that VOMS makes Shibboleth attributes available to Grid services, or to X.509-based services in general


SLIDE 18

Usage of attributes

  • Attributes are useless if resources and applications cannot access them.

  • Both push and pull are supported:

– Pull:

Resources and applications can directly contact VOMS on behalf of users to obtain their attributes.

– Push:

A voms-proxy-init command is provided to contact VOMS and put the attributes in the user’s proxy, which is subsequently delegated to applications.

  • Grid software almost completely uses push.
  • The protocol to contact the server is proprietary but documented.

– No update will ever break forward and backward compatibility


SLIDE 19

VOMS Interaction


SLIDE 20

VOMS & SAML

  • Outside hardcore grid applications, many services rely on a SAML AttributeAssertion
  • VOMS can generate an AttributeAssertion containing the exact same data as the AC
  • VOMS exposes an interface compliant with the SAML Query/Request Profile and the SAML SOAP Binding

– Temporarily an independent package, from the same developers
– Integration into the main packages is ongoing


SLIDE 21

How SAML Credentials work


SLIDE 22

SLCS (Certificates from Shibboleth)


SLIDE 23

VASH

  • VOMS Attributes from Shibboleth (VASH)

– Collaboration between SWITCH and INFN


SLIDE 24

Evolution

(Figure; only its labels survived extraction: Testbeds, Utility Service, Routine Usage; National, Global, European e-Infrastructure.)

SLIDE 25

IGTF

  • International Grid Trust Federation

– Builds trust for global CAs (authentication)
– Has three regional PMAs (Europe, America, Asia-Pacific)

  • We have lots of policies and standards for operating a trustworthy Identity service for Grids

  • BUT … nothing equivalent exists for VOMS services!
  • In future EGI world:

– we will have ~40 Grids in Europe alone

  • Building trust between VOs and Grids is a challenge!


SLIDE 26

IGTF & JSPG Developments

  • IGTF is therefore investigating minimum standards and best practice for the operation of VO attribute authorities
  • The EGEE/LCG Joint Security Policy Group is working on standards for VO procedures

– VO Registration Policy
– VO Membership Management Policy

  • Assuming we can jointly agree an accreditation process that works

– VOs will be able to get IGTF accreditation
– To ease trust building (between VO and Sites)


SLIDE 27

Final Thoughts

  • My personal views – not official EGEE statements
  • Grids should use NREN services whenever possible
  • As we move forward to a sustainable European Grid infrastructure, we MUST scale to much larger and less expert user communities

– The only way to ensure sustainability

  • Collaboration on Identity federations must continue

– SWITCH is showing EGEE how this can be done (SLCS, VASH)

  • The VO must remain in control of its attributes

– Many VOs are global and span multiple countries, federations, Grids, …

  • I see an important role for a central Grid body

– to act as global broker between national Grids, Sites and VOs

  • The big challenge is how to merge attributes from multiple AAs

– In a way where the semantics is understood and attributes are trusted

  • In my view the technical side of this problem is the easiest

– But is of course very interesting and fun!

  • We need to continue working jointly on interoperable common policies and building international trust


SLIDE 28

Questions?
