5-Dec-02 D.P.Kelsey, GridPP Security 1
GridPP Security
UK Security Workshop
5-6 Dec 2002, NeSC
David Kelsey, CLRC/RAL, UK
GridPP
Provide architecture and middleware
Use the Grid with simulated data
Use the Grid with real data
Future LHC Experiments
Running US Experiments
£17M PPARC project to build Grid for UK PP
Sep 01 – Aug 04
GridPP Security
• Same as EU DataGrid (see tomorrow)
  – But also US PPDG, GriPhyN, iVDGL
  – CERN LHC Computing Grid
• Based on Globus GSI
  – But adding our own developments and functionality
Security Requirements
• 112 documented in D7.5 document
  – 72 essential, 37 desirable aims, 3 long-term aims
  – Authentication (17), Authorisation (32), Auditing (5), Non-repudiation (3), Delegation (8), Confidentiality (18), Integrity (4), Networking (2), Manageability (4), Usability (8), Interoperability (5), Scalability (1), Performance (5)
• Includes
  – Virtual Organisations (VO’s)
  – Role based authorisation
    • Authorise resources as well as users
  – Local Authorisation
    • Decisions and keep ACL’s local to data
  – Confidentiality
    • Encrypted medical data
    • Don’t know who is in a VO
  – International Collaboration – must inter-operate!
Authentication
• More details tomorrow
• International Collaboration very important
• Building “Trust” between national CA’s
• EDG defines list of “trusted” CA’s
  – Currently 13 national CA’s
  – Will grow to ~20
Security Developments
• Security components developed (see EDG web)
  – CA Trust Matrix tools
  – VO/LDAP & VOMS – Authorisation
  – LCAS, LCMAPS – local authorisation and mapping
  – Gridmapdir – dynamic leased accounts
  – Gridsite – certificate-based web management
  – SlashGrid – DN-based grid home file system
  – GACL – library to parse ACL’s (XML)
  – edg-java-security (for Data Management)
• More details in tomorrow’s talk
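As an added illustration (not code from this talk, nor from EDG, LCAS, LCMAPS or VOMS), the Python below sketches the chain that the Security Requirements and Security Developments slides above describe: a trusted-CA check, a VO role lookup, an ACL kept at the site next to the data, and a gridmapdir-style lease of a local pool account. Every DN, VO name, role, path and account name in it is constructed.

```python
# Toy model of the authorisation chain sketched in the slides, written for
# this page (not EDG/LCAS/LCMAPS/VOMS code); every DN, VO, role and path is
# constructed. Steps: trusted-CA check, VO role lookup, local ACL check,
# gridmapdir-style lease of a local pool account.
from dataclasses import dataclass, field
TRUSTED_CAS = {"/C=UK/O=eScience/OU=Authority/CN=CA"}  # stands in for the EDG list
ALICE = ("/C=UK/O=eScience/CN=alice", "/C=UK/O=eScience/OU=Authority/CN=CA")
CAROL = ("/C=UK/O=eScience/CN=carol", "/C=UK/O=eScience/OU=Authority/CN=CA")
BOB = ("/C=UK/O=eScience/CN=bob", "/C=ZZ/O=Unknown/CN=CA")  # untrusted issuer

@dataclass
class Site:
    vo_roles: dict  # (vo, subject) -> roles: what the VO server would answer
    acls: dict      # resource -> {(vo, role): actions}: kept at the site, with the data
    pool: list      # free local pool accounts
    leases: dict = field(default_factory=dict)  # subject -> leased account

    def authenticate(self, cert):
        # Authentication: a (subject DN, issuer DN) pair is believed only if the CA is trusted.
        subject, issuer = cert
        if issuer not in TRUSTED_CAS:
            raise PermissionError("untrusted CA: " + issuer)
        return subject

    def authorise(self, subject, vo, resource, action):
        # Authorisation: the VO supplies the roles, the site's own ACL decides.
        roles = self.vo_roles.get((vo, subject), set())
        acl = self.acls.get(resource, {})
        return any(action in acl.get((vo, r), set()) for r in roles)

    def map_account(self, subject):
        # Mapping: lease a pool account on first use and reuse it afterwards.
        if subject not in self.leases:
            if not self.pool:
                raise RuntimeError("pool exhausted")
            self.leases[subject] = self.pool.pop(0)
        return self.leases[subject]

    def access(self, cert, vo, resource, action):
        subject = self.authenticate(cert)
        if not self.authorise(subject, vo, resource, action):
            raise PermissionError(f"{subject} may not {action} {resource}")
        return self.map_account(subject)

def make_site():
    # Constructed sample data: one VO with two roles, one dataset, two pool accounts.
    return Site(vo_roles={("exptA", ALICE[0]): {"analyst"}, ("exptA", CAROL[0]): {"production"}},
                acls={"/data/mc": {("exptA", "analyst"): {"read"},
                                   ("exptA", "production"): {"read", "write"}}},
                pool=["pool001", "pool002"])
```

Note that the VO data and the ACL live in different hands: the VO decides who holds which role, while the site keeps the decision about what each role may do to its data, which is the "local authorisation" point of the requirements.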
Grid Deployment - issues
• Legal, political, site security policies, etc.
  – The user does not (need to) know where the jobs will run
    • Cannot sign registration forms everywhere
  – Acceptable Use policies (Rules)
    • What is needed for User Registration?
  – We have a solution for EDG testbed
    • But not yet for full production (LCG considering this)
  – What is acceptable to Site Security Officers?
    • GGF Site-AAA research group
  – An extremely important area – could kill the Grid!
Issues – Deployment (2): Virtual Organisation Management
• VO’s need to manage their members and sites/resource providers negotiate with VO’s
  – Only system which will scale
• Sites cannot manage large number of Grid users
  – Not just a technical problem!
  – Must develop procedures to allow this to happen
  – VO’s not used to managing resources
  – Will Computer Centres give up (full) control?
Summary
• Authentication
  – Cross-Domain Trust is the big problem
    • Will it continue to scale?
• Authorisation
  – The most IMPORTANT area
    • This is where the identity and rights need to be checked
  – Technology is immature
  – Need VO management procedures/tools
• Many operational, legal, deployment issues
  – To establish “Trust” between Sites/VO’s/users
    • Do/will sites trust each other?
• EDG has several solutions – see tomorrow’s talk
Web links
• GridPP http://www.gridpp.ac.uk
• DataGrid http://www.eu-datagrid.org
• LCG http://lcg.web.cern.ch/LCG/
• GGF Security Area http://www.globalgridforum.org/2_SEC/SEC.htm
• DataGrid Security Requirements document http://hepwww.rl.ac.uk/kelsey/datagrid-d7.5.pdf