Grid Security: Present and Future

Supporting further and higher education. Grid Security: Present and Future. Alan Robiette, JISC Development Group


Post on 02-Jan-2016


Page 1: Grid Security: Present and Future

Supporting further and higher education

Grid Security: Present and Future

Alan Robiette, JISC Development Group



5 Dec 2002 Grid Security Workshop 2

Overview

• Existing Grid security model

• The Grid Security Infrastructure (GSI)

• Web services and security models for web services (WS-Security)

• Security architecture for the Open Grid Services Architecture (OGSA)

• References for further reading


The Grid today

• Globus Toolkit v2 – Grid Security Infrastructure (GSI)

• Two core concepts

  – X.509 digital certificates used as identity credentials

  – Short-lived “proxy certificates” used to delegate identity temporarily to other processes

• Standard tools (e.g. GridFTP) modified for authentication via certificates
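
The delegation idea on this slide, as an added example (not from the original slides or from Globus code): a simplified Python model of the name and lifetime checks a relying service applies to a chain of proxy certificates. The `/CN=proxy` naming suffix, the 12-hour lifetime limit and all certificate values are assumptions constructed for illustration; signature and CA trust checks are left out of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PROXY_CN = "/CN=proxy"                    # assumed proxy naming suffix
MAX_PROXY_LIFETIME = timedelta(hours=12)  # assumed local policy limit

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 certificate (no keys or signatures)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def delegated_identity(chain, now):
    """Return the user identity a chain [user cert, proxy, proxy, ...] speaks for.

    Raises ValueError if any link breaks the delegation rules. A real verifier
    must also check every signature and that chain[0] leads to a trusted CA.
    """
    if not chain:
        raise ValueError("empty chain")
    user = parent = chain[0]
    if not user.not_before <= now <= user.not_after:
        raise ValueError("identity certificate not valid at this time")
    for proxy in chain[1:]:
        if proxy.issuer != parent.subject:
            raise ValueError("proxy not issued by the previous certificate")
        if proxy.subject != parent.subject + PROXY_CN:
            raise ValueError("proxy subject does not extend its issuer's name")
        if not proxy.not_before <= now <= proxy.not_after:
            raise ValueError("proxy expired or not yet valid")
        if proxy.not_after > parent.not_after:
            raise ValueError("proxy outlives the certificate that issued it")
        if proxy.not_after - proxy.not_before > MAX_PROXY_LIFETIME:
            raise ValueError("proxy lifetime exceeds policy")
        parent = proxy
    return user.subject

# Constructed sample chain: a user, a login proxy, and a proxy delegated to a job.
T0 = datetime(2002, 12, 5, 9, 0)
USER = Cert("/O=Grid/OU=example/CN=Alice Example", "/O=Grid/CN=Example CA",
            T0 - timedelta(days=30), T0 + timedelta(days=335))
PROXY1 = Cert(USER.subject + PROXY_CN, USER.subject, T0, T0 + timedelta(hours=12))
PROXY2 = Cert(PROXY1.subject + PROXY_CN, PROXY1.subject,
              T0 + timedelta(hours=1), T0 + timedelta(hours=3))

if __name__ == "__main__":
    print(delegated_identity([USER, PROXY1, PROXY2], T0 + timedelta(hours=2)))
```
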


Authorisation

• Authentication (knowing who you are dealing with) is reasonably secure in Globus v2

• Authorisation (managing access to resources on the basis of an individual’s attributes or role) is a much more open question

• Available solutions are immature, or not well tested in practical circumstances


Web services

• The concept of web services is a hot topic in commercial circles

• Web services are self-describing services which can interact in a machine-to-machine mode, with little or no human intervention

• Intended to improve the efficiency of business-to-business processes

• Common verbs: publish, locate, bind


[Figure: Web services diagram]


Implementation

• Most commonly implemented using XML

• Service descriptions written in WSDL (Web Services Description Language)

• Services communicate via messages expressed in SOAP (Simple Object Access Protocol)

• All over http and Port 80 …

• Security for Web services is a question of securing SOAP message exchanges


WS-Security

• First roadmaps and draft specifications published April 2002 by IBM, Microsoft and Verisign

• Standardisation activity now transferred to the OASIS-Open consortium

• http://www.oasis-open.org/committees/wss/

• Very complex model (next slide)


[Figure: WS-Security model]


Open Grid services

• OGSA (Open Grid Services Architecture) is billed as the future of the Grid

• Builds on web services concept but extends it significantly

• E.g. Grid processes typically may need to invoke transient services

• Concept of “service factory”


OGSA security

• Correspondingly builds on web services security

• But requires significant extensions to cope with the virtual organisation problem

• Unlike the relatively homogenous approach of GSI, OGSA security envisages translation and mapping of security parameters (e.g. credentials) between different domains


[Figure: OGSA security services]


[Figure: Another view]


Conclusions

• Globus/GSI today is fairly stable, with authorisation the main outstanding problem

• WS-Security will get there in time

  – Though implementations may vary in how complete they are

• OGSA Security (Globus v3) is an ambitious target

• And there is a good way still to go!


References

• Globus version 2 and GSI

  – http://www.globus.org/security/

  – http://www.gridforum.org/2_SEC/GSI.htm

• Web services and WS-Security

  – http://www.w3.org/2002/ws/

  – http://www.oasis-open.org/committees/wss/

• OGSA security

  – http://www.globus.org/ogsa/security/

  – http://www.gridforum.org/2_SEC/ogsa-sec.htm


Questions?