Grid Trust Fabric, TNC 2006, Catania, 16 May 2006. David Kelsey, CCLRC/RAL, UK.

Page 1

Grid Trust Fabric
TNC 2006, Catania, 16 May 2006
David Kelsey, CCLRC/RAL, UK
d.p.kelsey@rl.ac.uk

Page 2

Outline

• Brief Introduction to the LCG and EGEE projects
• What is Grid Trust?
• What is a Grid Virtual Organisation (VO)?
• The Grid Security Model
• Authentication (AuthN)
  – The International Grid Trust Federation
• Authorization (AuthZ)
• Policy and Legal issues
• NRENs, Grids and Federations
• Future plans
• Final words

Page 3

The LHC Computing Grid Project (LCG) & Enabling Grids for E-sciencE (EGEE)

Page 4

Les Robertson, LCG Project Leader

High Energy Physics using a worldwide computing grid

CERN, December 2005

Page 5

LCG: The LHC Accelerator (slide from Les Robertson, CERN-IT)

The accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments’ detectors.

Page 6

LCG: LHC Data

This is reduced by online computers that filter out a few hundred “good” events per second, which are recorded on disk and magnetic tape at 100-1,000 MegaBytes/sec: ~15 PetaBytes per year for all four experiments.

Page 7

LCG: Resources for LHC Data Handling

15 PetaBytes of new data each year (ALICE, ATLAS, CMS, LHCb)

1 Petabyte (1 PB) = 1000 TB = 10 times the text content of the World Wide Web** (** Urs Hölzle, VP Operations at Google)

100,000 of today’s fastest processors

150 times the total content of the Web each year

Page 8

LCG: High Energy Physics, a global community

1800 physicists (including 400 students), 150 universities/laboratories, 34 countries.

Page 9

LCG depends on two major science grid infrastructures:
• EGEE - Enabling Grids for E-sciencE
• OSG - US Open Science Grid

(LCG slide, HEPiX Rome, 5 April 2006)

Page 10: Grid Trust Fabric TNC 2006, Catania 16 May 2006 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk

LCG

IN2P3

GridKa

TRIUMF

ASCC

Fermilab

Brookhaven

Nordic

CNAF

SARAPIC

RAL

T2

T2

T2

T2

T2

T2T2

T2

T2

T2

T2

T2s and T1s are inter-connectedby the general purpose research

networks

10 Gbit linksOptical Private Network

T2

Any Tier-2 mayaccess data atany Tier-1 T2

T2

T2

IN2P3

GridKa

TRIUMF

ASCC

Fermilab

Brookhaven

NordicNordic

CNAF

SARAPIC

RAL

T2

T2

T2T2

T2

T2

T2

T2

T2T2T2T2

T2T2

T2T2

T2

T2T2

T2s and T1s are inter-connectedby the general purpose research

networks

10 Gbit linksOptical Private Network

T2T2

Any Tier-2 mayaccess data atany Tier-1 T2T2T2

T2T2

T2T2

.. and an excellent Wide Area Network

Page 11

Enabling Grids for E-sciencE (INFSO-RI-508833)

A global, federated e-Infrastructure

EGEE infrastructure:
• ~200 sites in 39 countries
• ~20 000 CPUs
• > 5 PB storage
• > 20 000 concurrent jobs per day
• > 60 Virtual Organisations

Related infrastructures shown on the map: EUIndiaGrid, EUMedGrid, SEE-GRID, EELA, BalticGrid, EUChinaGrid, OSG, NAREGI

(slide from Ian Bird, SA1, EGEE Final Review, 23-24 May 2006)

Page 12

The EGEE project

• Objectives
  – consistent, robust and secure service grid infrastructure for many applications
  – improving and maintaining the middleware
  – attracting new resources and users
• Structure
  – 13 federations in 32 countries
  – leveraging national and regional grid activities worldwide
  – co-funded by the EU with ~32 M Euros for the first 2 years from 1 April 2004
  – EGEE-II started April 2006

Page 13

EGEE Highlights - Applications

• Support applications from
  – Astrophysics
  – Computational Chemistry
  – Earth Sciences
  – Finance
  – Fusion
  – Geophysics
  – High Energy Physics
  – Life Sciences
  – Material Sciences
  – Multimedia
  – etc.
• See the recent press release on the search for drugs against Avian Flu: http://www.eu-egee.org/news/egee-grid-attacks-avian-flu/

Page 14

What is Grid Trust?

Page 15

Grid Trust

• Many components (in ascending scale of difficulty)
  – Technical
    • Interoperable security, standards-based
  – Policy and Procedures
    • Ensure participants act in a predictable way
  – Legal
    • International aspects particularly hard
  – Social
    • Have spent the last 6 years building “trust”
    • Many face-to-face meetings
    • Last 2 years, working towards a federated approach
• Sites need to trust VOs (and vice versa)
  – To take care of Users, Data, Operations, …

Page 16

What is a Grid Virtual Organisation (VO)?

Page 17

Grid VOs

• Several different views!
• The original Globus definition included resources
  – A Virtual Organisation is a set of individuals and/or institutions that are defined according to a set of rules
• The EGEE view: just people
  – A grouping of individuals, often not bound to a single institution or enterprise, who, by reason of their common membership of the VO, and in sharing a common goal, are granted rights to use a set of resources on the Grid
• There are many Grids
  – Defined by shared services and common policy
  – Single Information System
  – Common operations (distributed)
  – Politics and/or Funding

Page 18

The Grid/VO/Site Model

Page 19

Grid/VO/Site Model

• Users have a single electronic identity
• They register once per VO (and renew)
  – Can/do belong to more than one VO
• Users do not register at sites or Grids
• VOs register with a Grid (again, once per Grid)
• Aim for a single instance of the VO membership database
  – To be used across multiple Grids
• Sites can/do provide resources to multiple Grids
• Sites decide which VOs to support
  – Distributed Grid Operations facilitates this
    • Deployment, configuration etc.

Page 20

Grid Security Model

Page 21

The Grid Security Model

• Authentication – proof of identity
  – GSI: Globus Grid Security Infrastructure (interoperate)
  – Single sign-on via X.509 certificates (PKI)
    • OpenSSL
  – Delegation (via short-lived proxy certs) to services
• Global Authorization – right to access resources
  – Virtual Organisation (VO) – e.g. a Biomed experiment
    • Maintains list of registered users
    • Allocates users to groups and roles
    • Controls global policy and allocations
• Local Authorization – site access control
  – Via local (e.g. Unix) mechanisms, or
  – Callouts to local AuthZ enforcement (Grid developments)
  – Grid ACLs: global identity or VO AuthZ attributes
• Policy
  – Grids (e.g. EGEE, Open Science Grid) define security policy
  – Policies must be interoperable, e.g. common AUP
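The delegation step on this slide, as an added example that is not part of the original talk and not GSI's own code: the openssl command line builds a throw-away CA standing in for an accredited CA, a long-lived user certificate, and a short-lived RFC 3820 proxy certificate signed with the user's own key, then checks the chain the way a relying party must: proxy validation explicitly switched on, and the rule that a proxy's subject is its issuer's subject plus exactly one extra CN enforced. The subject names, file names, extension profiles and the one-day proxy lifetime are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the slides, not GSI code): build a GSI-style
# credential chain with the openssl CLI and validate it under RFC 3820 rules.
#   CA (stands in for an IGTF-accredited CA) -> user certificate -> proxy
# All subject names, file names and lifetimes below are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: the CA is a CA; the user certificate is an end entity
# whose key may sign (needed to issue a proxy); the proxy carries the critical
# proxyCertInfo extension that marks it as a proxy rather than a CA-issued cert.
cat > ext.cnf <<'EOF'
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ user_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ proxy_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
proxyCertInfo = critical, language:id-ppl-inheritAll
EOF

# 1. Throw-away CA (assumed name).
openssl req -new -newkey rsa:2048 -nodes -subj "/C=XX/O=Example Grid/CN=Example Grid CA" \
    -keyout ca.key -out ca.csr >/dev/null 2>&1
openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
    -extfile ext.cnf -extensions root_ca -out ca.pem >/dev/null 2>&1

# 2. Long-lived user certificate (the "classic" profile's 12 months).
USER_DN="/C=XX/O=Example University/CN=Alice User"
openssl req -new -newkey rsa:2048 -nodes -subj "$USER_DN" \
    -keyout user.key -out user.csr >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 \
    -extfile ext.cnf -extensions user_cert -out user.pem >/dev/null 2>&1

# issue_proxy EXTRA_RDN NAME: fresh key pair, subject = user DN + EXTRA_RDN,
# signed by the *user's* key (not the CA's), short lifetime (1 day is the
# smallest unit `openssl x509 -days` takes; GSI proxies default to 12 hours).
issue_proxy() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$USER_DN$1" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA user.pem -CAkey user.key -CAcreateserial -days 1 \
        -extfile ext.cnf -extensions proxy_cert -out "$2.pem" >/dev/null 2>&1
}
issue_proxy "/CN=proxy" proxy      # RFC 3820: exactly one extra CN
issue_proxy "/OU=proxy" badproxy   # violates the naming rule: extra RDN is not a CN

# A relying party (e.g. a site's gatekeeper) checks the delegated credential:
# chain proxy -> user -> CA, with proxy validation explicitly enabled.
verify_proxy() {   # $1 = certificate file; prints accepted or rejected
    if openssl verify -allow_proxy_certs -CAfile ca.pem -untrusted user.pem "$1" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}
# A plain TLS-style verifier that does not opt in to proxies refuses them,
# which is why grid middleware had to carry its own certificate validation.
verify_plain() {
    if openssl verify -CAfile ca.pem -untrusted user.pem "$1" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

echo "proxy, -allow_proxy_certs:    $(verify_proxy proxy.pem)"      # accepted
echo "proxy, plain verifier:        $(verify_plain proxy.pem)"      # rejected
echo "badproxy, -allow_proxy_certs: $(verify_proxy badproxy.pem)"  # rejected
```

Two points the slide's one bullet hides: the user certificate is not a CA, so the proxy is only acceptable to a verifier that knows the RFC 3820 rules (the proxyCertInfo extension plus the subject-name check), and the proxy's private key is a new one, so compromise of a job's proxy exposes a credential that expires in hours rather than the user's 12-month key.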

Page 22

Authorization Policy Architecture (figure; graphics from the Globus Alliance & GGF OGSA-WG)

Elements shown: a User holding key material and a PKI/Kerberos identity delegates (under a Delegation Policy) to a Process acting on the user’s behalf; the request reaches a Policy Enforcement Point, which consults an Authorization Service/PDP that evaluates policy and attributes and returns Allow or Deny for the Resource. Inputs: User Attributes from the VO (group of unique names, organizational role), Resource Attributes from the Site, and Security Policy from the VO, the Site/Resource Owner and other stakeholders. A Local Site Kerberos Identity is converted into a PKI Identity by a Translation Service; delegation is marked as an area to standardize.

Policy comes from many stakeholders.

Page 23

Authentication

Page 24

Authentication

• Keep Authentication and Authorization separate
  – Authentication best done at Institute level
  – Authorization best done at VO level
• Provide the User with one (Grid) electronic identity
  – For use in many Grids or VOs
  – For user convenience
• Have successfully built a global PKI (X.509)
  – Mutual Authentication of people and services
• What is the most appropriate scale?
  – One CA per country/region (ideally for all eScience)
• EU Grid PMA has coordinated the (global) CAs
  – “minimum requirements” for accredited CAs
• Now IGTF takes over the global coordination

Page 25

IGTF

• International Grid Trust Federation
  – Formed in October 2005
  – Federate to solve scaling problems
• Coordinates the three regional Policy Management Authorities (PMAs)
  – EU Grid PMA
  – Asia/Pacific Grid PMA
  – The Americas Grid PMA
• Each PMA
  – Accredits Identity Providers for Grid Authentication
  – Owns and maintains various authentication profiles
  – Coordinates the X.509 namespace
  – Distributes roots of trust (globally)
  – Members are the CAs and major relying parties

Page 26

IGTF (2)

• Authentication Profiles
  – Classic PKI
    • long-lived (12 months) certificates held by the end entities
    • Medium assurance level
      – Photo-ID and face-to-face User <-> RA
    • CRLs issued
  – SLCS (recent addition)
    • short-lived certificate services
    • Certificates automatically generated from local site authentication services (e.g. Kerberos)
    • No CRLs
  – Experimental CAs
• Working towards an OCSP definition and service
  – With CAOPS-WG in GGF
• TACAR is an important independent source of roots of trust
  – TERENA Academic CA Repository

Page 27

IGTF (3)

• common, global best practices for trust establishment
• better manageability and response of the PMAs

(figure of the regional PMAs under the IGTF: TAGPMA, APGridPMA and the EUGridPMA; slide from David Groep)

Page 28

IGTF (4)

• More than 50 countries/regions worldwide are members
• Europe is well covered
• “Catch-all” CA for gaps

Page 29

AuthZ Technology

Page 30

Authorization & VO Management

• In EGEE gLite middleware
• Global AuthZ (VOMS)
  – Virtual Organization Membership Service
    • VO members, their groups and roles
    • Provides a digitally signed AuthZ attribute certificate
      – Included in the grid proxy certificate
    • A “PUSH” model (user can select roles and VOs)
• Local AuthZ
  – Local Centre Authorization Service (LCAS)
    • A framework to handle local policy (e.g. banned users)
  – Local Credential Mapping (LCMAPS)
    • Provides local credentials (Kerberos/AFS, ldap nss, …)
• Local policy decisions (Compute and Storage Elements)
  – Can decide and enforce policy on VOMS attributes

Page 31

VO Groups and Roles

• Each VO assigns its members to groups and roles
• Groups
  – Collections of individuals with something in common
    • E.g. a group of scientists working on a particular topic
    • Used for access control and quotas/priorities
• Roles
  – Capabilities/Privileges assigned to individuals or groups
    • e.g. production processing manager, DBA, …
• We started to explore common role names
  – Some agreement possible, but it is close to impossible!
    • Too many VOs and differences
  – At the very least, names and semantics must be well understood within a VO context
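The local AuthZ step described on the previous two slides (LCAS ban list, LCMAPS credential mapping on VOMS attributes, and role names that only mean something inside their VO), as an added example in POSIX sh that is not gLite's LCAS/LCMAPS code: the FQANs are taken in the order VOMS placed them in the proxy, checked against a constructed ban list, then mapped to a local account with a constructed first-match group map. FQANs are written in the VOMS form /<vo>/<group>…/Role=<role> (the trailing Capability field is omitted); the file names, DNs, accounts and map entries are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides, not gLite's LCAS/LCMAPS code): the local
# AuthZ step a site applies to a VOMS-enabled request, in POSIX sh.
#   LCAS step  : refuse DNs on the site's ban list
#   LCMAPS step: map the proxy's FQANs, in the order VOMS placed them, to a
#                local account using a first-match group map
# FQANs use the VOMS form /<vo>/<group>.../Role=<role> (Capability omitted).
# The ban list, the group map, the DNs and the accounts are constructed inputs.
set -e
WORK=$(mktemp -d)

# LCAS-style ban list: one certificate subject DN per line (constructed).
cat > "$WORK/ban_users.db" <<'EOF'
/C=XX/O=Example University/CN=Mallory Banned
EOF

# LCMAPS-style group map: "<FQAN glob> <local account>", first match wins
# (constructed).  The role name "production" is mapped per VO: role names only
# have meaning inside the VO that defined them.
cat > "$WORK/groupmapfile" <<'EOF'
/atlas/Role=production atlasprd
/atlas                 atlas
/atlas/*               atlas
/cms/Role=production   cmsprd
/cms                   cms
/cms/*                 cms
EOF

# lcas_check DN: returns 0 if the DN may proceed, 1 if it is banned.
lcas_check() {
    ! grep -Fxq -- "$1" "$WORK/ban_users.db"
}

# lcmaps_map FQAN...: prints the account for the first FQAN that matches a
# map entry; returns 1 if none matches.  Patterns are shell globs, so
# "/atlas/*" covers every sub-group and role below /atlas.
lcmaps_map() {
    for fqan in "$@"; do
        while read -r pattern account; do
            [ -n "$pattern" ] || continue
            case "$fqan" in
                $pattern) printf '%s\n' "$account"; return 0 ;;
            esac
        done < "$WORK/groupmapfile"
    done
    return 1
}

# authorize DN FQAN...: the site's policy enforcement point in one call.
# Prints "ALLOW: <dn> -> <account>" or a "DENY: ..." reason.
authorize() {
    dn=$1; shift
    if ! lcas_check "$dn"; then
        echo "DENY: $dn is banned at this site"; return 1
    fi
    if ! account=$(lcmaps_map "$@"); then
        echo "DENY: no local mapping for FQANs $*"; return 1
    fi
    echo "ALLOW: $dn -> $account"
}

ALICE="/C=XX/O=Example University/CN=Alice User"
# The PUSH model: the user chose which role to put first when creating the proxy.
authorize "$ALICE" /atlas/Role=production /atlas   # ALLOW ... -> atlasprd
authorize "$ALICE" /atlas /atlas/Role=production   # ALLOW ... -> atlas
authorize "/C=XX/O=Example University/CN=Bob User" /cms/Role=production  # ALLOW ... -> cmsprd
authorize "/C=XX/O=Example University/CN=Mallory Banned" /atlas || true   # DENY: banned
authorize "/C=XX/O=Example University/CN=Carol User" /biomed || true      # DENY: no mapping
```

The second and third calls are the point of the slides: the same user gets a privileged or an ordinary account depending on which FQAN they pushed first, and "Role=production" means atlasprd in one VO and cmsprd in another, so a site can only interpret a role name together with the VO that issued it.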

Page 32

Policy and Legal issues

Page 33

EGEE/LCG Security Policy (figure; picture from Ian Neilson)

Documents grouped around the Security & Availability Policy: Grid AUP, VO AUP, Certification Authorities, Audit Requirements, Incident Response, User Registration & VO Management, Application Development & Network Admin Guide.

http://cern.ch/proj-lcg-security/documents.html

Page 34

Policy

• Acceptable Use Policy
  – One general/simple/short common Grid AUP
    • for EGEE and Open Science Grid (USA)
    • and EU national Grids
    • for all registered VOs; binds the user to the VO AUP
  – Each VO defines its own aims and AUP
    • Sites can then decide to support it or not
  – User accepts these during registration
    • and at regular renewal (every 12 months)
• Robust User Registration procedures are required
  – Sites have delegated user registration to VOs
• Agreed operational security procedures are important
  – Security incident response

Page 35

Federation legal issues

• Sites/Resources require
  – Auditing at individual user level
  – Read access to User registration data in the VO
• VOs require
  – Accounting (usage) data from resources
  – At individual user level
• EU Privacy & Data Protection laws control sites publicly identifying individual users
  – Working on a solution for this
• VOs are not (in general) legal entities
  – Makes life interesting!

Page 36

NRENs, Grids & Federations?

Page 37

e-IRG Roadmap

e-IRG: e-Infrastructure Reflection Group Roadmap for i2010:
• commitment to the federated approach
• vision of an integrated AA infrastructure for eEurope

Towards an integrated AAI for academia in Europe and beyond

• The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […] (Dublin, 2004)
• The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions. (The Hague, 2005)

Page 38

NRENs, Grids & Federations?

• No desire to run network services if they can be provided by NRENs
• AuthN/Identity services
  – Many NRENs run Certification Authorities
    • ~10 for Grids today, and growing
  – AuthN best done by the home institute
  – NRENs/Grids should continue to work together here
    • Federated Identity services
• For large/long-lived VOs
  – Global AuthZ must be managed by the VO
  – Role/Group names must be defined by the VO and understood by Sites/Resources (across all Grids)
• The TERENA series of workshops on “NRENs and Grids” is one way of exchanging information & collaborating

Page 39

Federations (2)

• Dynamic/Short-lived VOs
  – Small groups of collaborating scientists
    • “Laymen rather than experts”
  – VO cannot register with Grid Infrastructure
  – Interesting to explore possibilities for NRENs here
• With the move to short-lived certificates (SLCS)
  – Linked to a site authentication infrastructure
  – Scaling problems for IGTF accreditation
  – IGTF needs the country to present a single coordinated identity federation
    • a role for NRENs?

Page 40

Some future plans

• Interoperability – ongoing work
  – GGF “Grid Interoperability Now” (GIN) project
  – AuthN and AuthZ recognised as very important
  – IGTF for AuthN
  – EGEE active in GIN AuthZ
    • Running a VOMS service for GIN
• New developments on policy expression/evaluation
• We have a requirement from some VOs to be able to register and use only those services they trust
  – Mutual AuthZ
• EGEE-II working on Shibboleth/gLite

Page 41

References

• LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
• EGEE Security: http://egee-jra3.web.cern.ch/
• Open Science Grid: http://www.opensciencegrid.org
• IGTF: http://www.gridpma.org/
• EU Grid PMA: http://www.eugridpma.org/
• TERENA TACAR: http://www.tacar.org/
• Grid AUP: https://edms.cern.ch/document/428036

Page 42

Final Words

• International federated identity for Grids is working
  – Many CAs already run for us by NRENs
  – Must work towards integration of other federated IdPs
• AuthZ is more difficult – but making good progress
  – attributes must be managed by the VO
• Standards are essential – for interoperability
  – GGF is an important body
  – Grid Security will implement new standards
• People/Social aspects even more important
  – Building international trust takes time
  – Between Grids, Sites and VOs
• NRENs and Grids have been tackling different aspects of the federation problem space
• We (Grids and NRENs) must collaborate and work towards common solutions wherever possible