

1. Authorisation Developments in Grids (particularly EGEE)
   Enabling Grids for E-sciencE
   David Kelsey, RAL/STFC, d.p.kelsey@rl.ac.uk
   TERENA NRENs & Grids meeting, Dublin, 1st September 2008
   www.eu-egee.org
   EGEE-III INFSO-RI-222667. EGEE and gLite are registered trademarks.

2. Overview
   • Introduction to EGEE(-III)
   • Grid security model
     – Requirements and aims
   • Authorisation (AuthZ)
     – Use of attributes
   • Developments in Grid AuthZ
     – Middleware
     – VOMS
     – IGTF and JSPG policy
   • Final thoughts
   Disclaimer: not officially “EGEE approved” – some personal opinions!
   Kelsey - AuthZ, EGEE-III INFSO-RI-222667

3. Who am I?
   • David Kelsey
   • STFC – Rutherford Appleton Laboratory, UK
   • Head of Particle Physics Computing
   • Work on GridPP, EGEE and LCG (CERN LHC Grid)
   • Main interest: Grid security (from the policy side)
     – Authentication, authorisation, operational security, policy…
   • I lead the Joint (EGEE/WLCG) Security Policy Group – JSPG
   • Not an expert in all matters related to authorisation!
     – Not involved in middleware development
     – Christoph Witzig (EGEE Security Architect) is here

4. Thanks to
   • I used slides from several people (thanks!)
   • Bob Jones, EGEE Project Director
   • Erwin Laure, EGEE Technical Director
   • Vincenzo Ciaschini, VOMS lead developer (INFN)

5.
   • Archeology • Astronomy • Astrophysics • Civil Protection • Comp. Chemistry • Earth Sciences • Finance • Fusion • Geophysics • High Energy Physics • Life Sciences • Multimedia • Material Sciences • …
   • >250 sites • 48 countries • >50,000 CPUs • >20 PetaBytes • >10,000 users • >150 VOs • >150,000 jobs/day

6. Collaborating e-Infrastructures

7. EGEE-III
   • EGEE-III
     – Co-funded under European Commission call INFRA-2007-1.2.3
     – 32 M€ EC funds compared to ~37 M€ for EGEE-II
     – 9010 person months / 375 FTEs (~20% less than EGEE-II)
     – 2-year period: 1 May 2008 to 30 April 2010
   • Key objectives
     – Expand/optimise the existing EGEE infrastructure; include more resources and user communities
     – Prepare migration from a project-based model to a sustainable federated infrastructure based on National Grid Initiatives
   • Consortium
     – Structured on a national basis (National Grid Initiatives / Joint Research Units)
     – From 91 partners in EGEE-II (+ a further 48 JRU members) to 42 beneficiaries in EGEE-III (+ 100 JRU members)

8. The security model
   • AuthN: user obtains a long-lived X.509 certificate
     – from their national CA
       ▪ renewed annually
     – or short-lived certificates from another IdP
       ▪ e.g. Shibboleth AAI
     – IGTF – a global trust federation – one electronic identity valid everywhere
   • Grid sites devolve all user registration to the VOs
   • VO registers with each Grid infrastructure
     – EGEE, OSG (USA), NorduGrid, national Grids, …
   • VO and user behaviour controlled by policy documents
     – Common policies across all Grids
   • User registers once with a VO
     – Accepts Grid AUP during registration
     – Renewed annually
   • AuthZ: VO manager confirms membership request
     – And assigns the user his/her groups and/or roles
   • The VO Membership Service (VOMS)
     – Issues AuthZ attributes
     – Attribute Certificate in proxy
   • AuthZ attributes are used for access control, priorities, quotas, …
     – Fine-grained control (but typically uses mapping to UNIX uid/gid)

9. Requirements for managing users and VOs
   • User only registers once (per year) with the VO
     – This gives access to EGEE resources (and indeed other Grids)
   • The Grid sites have to trust the VO to
     – Operate according to agreed procedures and policies
     – Do proper checks during user registration
     – Allocate user attributes (roles/groups) correctly
     – Define a VO AUP describing the aims
       ▪ Users accept a Grid AUP during registration
   • They will only perform work consistent with the VO AUP
   • Sites require full traceability and audit logs down to the individual user
     – who did what, when and where?
     – Security incident response is very important
   • VOs require fine-grained authorisation and accounting at the individual user level (data privacy issues!)

10. Requirements (2)
   • All of the above makes the support of short-lived dynamic VOs rather difficult!
   • EGEE addresses this by trying to make the process for creating a VO easy (-ier!) and well supported
     – But we still need to build trust between VO and sites
   • Groups within a VO are more dynamic
     – But trust is still built at the VO level
   • Scaling problems re VOs
     – If a VO uses resources in many sites (and even Grids)
     – It will be impossible to build trust between the VO and each site individually
     – The Grid has to establish trust with the VO (on behalf of sites)

11. Requirements (3)
   • Interoperability is needed
     – Several large VOs use resources from many Grids
     – JSPG aims to achieve common policies
     – i.e. not just a question of standards-based protocols/services
   • VO naming: DNS-style name for a VO
   • Today we have little technical control (other than via written policies) over what work a user does
     – Hence all the heavy needs for audit logs and incident response
   • We are working on policies for Grid portals
     – In some cases the work submitted can then be more tightly controlled
     – May be possible to relax some of the policy constraints
       ▪ Identity is less important when actions are controlled

12. Authorization in EGEE
   • Gaining access to EGEE resources is governed by VO membership
   • EGEE does not own or manage resources
     – Resource centers are independent and allow certain VOs to access their resources
     – Resource centers govern the usage policy
       ▪ Set quotas, priorities, shares etc. for VO members
     – EGEE provides mechanisms for VOs and resource centers to negotiate usage (out of band)
   • Users are identified via X.509 proxies
     – VO membership via VOMS
     – VO information can be passed inside the proxy or is used implicitly when generating gridmap files

13. Use of VO attributes
   • Each VO defines and implements its attributes
     – Groups
     – Roles
     – Generic attributes
   • Standardisation between VOs
     – has been found to be impossible
   • Some other attributes are kept in the VO database
     – Employing institute, email address, telephone number, …
     – Not contained in the VOMS AC
       ▪ Site has access to the data
         • via the VO manager
         • to contact the user
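Slides 8, 9, 12 and 13 describe the site-side step in one sentence each: VOMS attributes (groups and roles) arrive in the proxy, the site maps them to a local UNIX uid/gid under its own policy, and every decision must be traceable to an individual user. The following is an added example, not code from the slides or from the EGEE/gLite middleware, that walks through that step. Only the FQAN syntax (`/vo/group/Role=r/Capability=c`) is VOMS's own; the site policy table, the pool-account lease logic, the DN and the audit record format are constructed here for illustration.

```python
# Added example (not from the slides): VOMS group/role attributes -> site policy ->
# local account, with one audit record per decision. The FQAN syntax is VOMS's;
# everything else (policy rows, pool-account leasing, audit fields) is constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# VOMS Fully Qualified Attribute Name, e.g. "/atlas/uk/Role=production/Capability=NULL".
# Groups may not contain "=", so "/Role=..." and "/Capability=..." are never swallowed as groups.
FQAN_RE = re.compile(
    r"^/(?P<vo>[^/=]+)(?P<groups>(?:/[^/=]+)*)"
    r"(?:/Role=(?P<role>[^/]+))?(?:/Capability=(?P<cap>[^/]+))?$"
)


@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str            # full group path, e.g. "/atlas/uk"
    role: Optional[str]   # None when VOMS emits Role=NULL


def parse_fqan(text: str) -> Fqan:
    """Parse one FQAN; a malformed attribute is rejected rather than guessed at."""
    m = FQAN_RE.match(text)
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    role = m.group("role")
    return Fqan(m.group("vo"), "/" + m.group("vo") + m.group("groups"),
                None if role in (None, "NULL") else role)


# Constructed site policy, first match wins: (group, required role or None for any, account, gid).
# An account starting with "." is a pool-account prefix; the others are shared accounts.
SITE_POLICY: List[Tuple[str, Optional[str], str, int]] = [
    ("/atlas", "production", "atlasprd", 2001),
    ("/atlas/uk", None, ".atlasuk", 2002),
    ("/atlas", None, ".atlas", 2003),
]


@dataclass
class PoolState:
    """Sticky DN -> pool account leases, so the same person always gets the same uid."""
    leases: Dict[Tuple[str, str], str] = field(default_factory=dict)
    next_index: Dict[str, int] = field(default_factory=dict)

    def lease(self, prefix: str, dn: str) -> str:
        key = (prefix, dn)
        if key not in self.leases:
            n = self.next_index.get(prefix, 0) + 1
            self.next_index[prefix] = n
            self.leases[key] = f"{prefix}{n:03d}"
        return self.leases[key]


def authorise(dn: str, fqans: List[str], policy=SITE_POLICY,
              pool: Optional[PoolState] = None) -> dict:
    """Decide access for one request and return the audit record for it.

    Attributes are tried in the order VOMS lists them (primary FQAN first), so the
    user's primary group/role decides the mapping. Permit and deny outcomes alike
    are recorded with the subject DN and every attribute presented (who / what).
    """
    pool = pool or PoolState()
    record = {"subject": dn, "attributes": list(fqans), "decision": "deny",
              "account": None, "gid": None, "reason": None}
    try:
        parsed = [parse_fqan(f) for f in fqans]
    except ValueError as err:
        record["reason"] = str(err)
        return record
    for attr in parsed:
        for group, role, account, gid in policy:
            if attr.group == group and (role is None or attr.role == role):
                if account.startswith("."):
                    account = pool.lease(account[1:], dn)
                record.update(decision="permit", account=account, gid=gid,
                              reason=f"matched {group} role={role}")
                return record
    record["reason"] = "no site policy rule matches the presented attributes"
    return record


if __name__ == "__main__":
    # Constructed DN; a real one would come from the proxy's issuer chain.
    dn = "/C=UK/O=eScience/OU=Example/CN=constructed user"
    print(authorise(dn, ["/atlas/Role=production/Capability=NULL",
                         "/atlas/Role=NULL/Capability=NULL"]))
```

The first matching rule wins, so the site lists its most specific rows first; the pool-account lease is what makes the "fine-grained control via uid/gid" on slide 8 still answer slide 9's "who did what" question, because the lease table ties each pool uid back to a DN.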

14. Separation of concerns
   • VOs manage their membership and associated information (groups, roles, etc.)
   • Resource centers ensure fulfilment of their commitments to VOs using their own policies
     – e.g. fair share, fixed quota, etc.
   • Problem:
     – VOs want to have ways to control how their allocation at a resource center is shared among the VO members

15. AuthZ developments
   • Technology
     – gLite middleware
     – VOMS developments
   • Policy
     – JSPG: new policies for trust between VO, Grid and sites
       ▪ VO registration
       ▪ VO membership management
       ▪ Grid portals and pilot jobs
     – IGTF: new minimum standards for running a VO Attribute Authority

16. AuthZ in gLite
   • EGEE is revising its authorization framework
     – Requirements:
       ▪ Uniform authorization and policy management in gLite
       ▪ Compatible with SAML and XACML standards
       ▪ Built on the experience of previous systems
         • LCAS/LCMAPS, SCAS, G-PBox, gJAF
       ▪ Usable with different authentication mechanisms
         • X.509 proxies, uid/password, Shibboleth, Kerberos tokens, …
     – Preserve separation of concerns
       ▪ But provide hooks in the policy decision point together with flexible ways of specifying the execution environment (virtual machine, uid/gid, …)
   • Provide a generic VO scheduler framework with a reference scheduler?

17. What is VOMS? In short
   • VOMS is an X.509-compliant Attribute Authority
     – See RFC 3281
     – with special support for Grids and VOs
   • VOMS is a SAML Attribute Authority
     – See SAML V2.0 Deployment Profile for X.509 Subjects
       ▪ and an OGF document
   • VOMS is a membership management tool
   • VOMS integrates with Shibboleth
     – In the sense that VOMS makes Shibboleth attributes available to Grid services
       ▪ or to X.509-based services in general
