Enabling Grids for E-sciencE
EGEE security "pitch"
Olle Mulmo, EGEE Chief Security Architect, KTH, Sweden
www.eu-egee.org
INFSO-RI-508833

Project PR

EGEE
EGEE is the largest Grid infrastructure project in the World?:
• 70 leading institutions in 27 countries, federated in regional Grids
• Leveraging national and regional grid activities
• ~32 M Euros EU funding for initially 2 years starting 1st April 2004
• EU review, February 2005 successful
• Preparing 2nd phase of the project – proposal to 3rd EU Grid call September 2005

EGEE Activities
• 48 % service activities (Grid Operations, Support and Management, Network Resource Provision)
• 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development)
• 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)
EGEE emphasis is on production grid operations and end-user support

gLite
• First major release of gLite announced on April 5
– Focus on providing users early access to prototype
– Reusing existing components
– Addressing current shortcomings
• Interoperability & co-existence with deployed infrastructure
• (Cautious) service oriented approach
– Follow WSRF standardisation
• Site autonomy
(Figure: release line LCG-1 → LCG-2 (Globus 2 based) → gLite-1 → gLite-2 (Web services based))

Deployment of applications
• Pilot applications
– High Energy Physics
– Biomed applications
• Generic applications – deployment under way
– Computational Chemistry
– Earth science research
– EGEODE: first industrial application
– Astrophysics
• With interest from
– Hydrology
– Seismology
– Grid search engines
– Stock market simulators
– Digital video
– etc.
– Industry (provider, user, supplier)

Pilot New Computing Resources – Feb. 2005
(Map: countries providing resources; countries anticipating joining EGEE/LCG)
In EGEE-0 (LCG-2): >100 sites, >10,000 CPUs, >5 PB storage

What I came here for
The EGEE view on Security – some philosophy and baseline assumptions

Baseline assumptions
• Be Modular and Agnostic
– Allow for new functionality to be included as an afterthought
– Don't settle on particular technologies needlessly
• Be Standard
– Interoperate
– Don't roll our own, to the extent possible
• Be Distributed and Scalable
– Avoid central services if possible
– Always retain local control

Baseline assumptions (cont.)
• VOs self-govern the resources made available to them
– Yet try to minimize VO management!
– Use AuthN to tie policy to individuals/resources
• An open-ended system
– No central point of control
– Can't tell where the Grid ends
We can't do anything too fancy

Paradigm Shift (SOA)
(Figure: requirements on functionality – Authentication, Access control, Credential mgmt, Delegation, Privacy, … – placed between other work already underway (LCG, OGSA, …) and existing capabilities: GridPMAs, WS-Security, MyProxy, Shibboleth, VOMS, Globus, …)

Architecture
Technologies and more details

Authentication
• IGF: Federation of PMAs
• Better revocation technologies
• Managed and Active credential storage
– i.e., where access policy can be enforced
– Smart cards, MyProxy, …
– Organizationally rooted trust (KCA, SIPS)
– User-held password-scrambled files should go away

Authorization
• Flexible framework to support multiple authorities and mechanisms
• VOMS, banlist, grid-mapfile, SAML, …
• Frank covered this in detail

Authorization model
• Decentralized
– Predominantly role-based push model
– Out-of-the-box support for VOMS
– Semantic-free role and group attributes
• Pros
– Scalability
– Site autonomy
– Multi-scenario support, VO self-governance
• Cons
– Fine-grained access control (?)
– VO management still heavyweight
– VOMS is proprietary

VO management
• VOMS for now – modularity keeps it open for others
• Allow for lightweight VO deployment
– Proposed solution: VO policy service
– Brainchild

"Anonymity"
• Pseudonymity as a selective additional step to the SSO process
(Figure, four numbered steps: Joe obtains Grid credentials from Credential Storage ("Obtain Grid creds for Joe"); the Pseudonymity Service maps "Joe → Zyx" and issues a credential with "User=Zyx, Issuer=Pseudo CA"; the Attribute Authority is asked to "Issue Joe's privileges to Zyx"; "The Grid" then sees only Zyx.)

Data "privacy"
• Data always encrypted except in RAM
• Simple solution that ignores all the hard problems
– (we have to, as the system is open-ended)

Accounting
• Several solutions – and none of them are deployed at an EGEE level…
• Increasingly important

Audit
• Not solved at a Grid level
– Scalability and information release issues
• Good tracking at the individual resource level for now

Integration and Development
• Middleware Security Group
– Cross-activity group
– Operations, Applications, Developers, OSG
– Mailing list, phone conferences, face-to-face meetings

Operational Management
• Joint Security Policy Group
– OSG, LCG participation
• EUGridPMA
• TERENA TF-CSIRT (incident response)
– NREN CERTs start to show interest

More information
• EGEE Website http://www.eu-egee.org
• DJRA3.1: Global Security Architecture (1st rev.)
– https://edms.cern.ch/document/487004/
• DJRA3.2: Site Access Control (1st rev.)
– https://edms.cern.ch/document/523948
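The following is an added example, not gLite, VOMS or LCMAPS code, illustrating two slides above: the site-local decision in the "role-based push model" of the Authorization model slide (banlist, grid-mapfile and client-pushed VOMS-style attributes, with no central service consulted), and the "Joe → Zyx" pseudonymity step from the "Anonymity" slide placed in front of it. The FQAN syntax, the one-entry-per-line grid-mapfile and banlist formats, the pseudonym table and all names and DNs are simplified assumptions made for this example. Beyond what the slides say, the run at the bottom shows a consequence worth knowing: a site banlist keyed on real DNs cannot see through a pseudonym, so bans must be applied where the real identity is known (the pseudonymity service or the attribute authority) or keyed on the pseudonym itself.

```python
"""Toy site-side authorization in a role-based push model (illustration only;
not gLite/VOMS/LCMAPS code).  Assumed, simplified formats:
  FQAN:           "/vo[/group...][/Role=r][/Capability=c]"  (pushed by the client)
  grid-mapfile:   "<DN or FQAN>" account        (quoted key, then a local account)
  banlist:        a set of DNs
  pseudonymity:   a fixed table real DN -> pseudonymous DN under "Pseudo CA"
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FQAN:
    group: str          # full group path, e.g. "/cms/higgs"
    role: str = "NULL"  # "NULL" when no role was requested

    def canonical(self) -> str:
        return f"{self.group}/Role={self.role}"


def parse_fqan(text: str) -> FQAN:
    """Parse a VOMS-style FQAN; the Capability part is accepted but ignored."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups, role = [], "NULL"
    for seg in text.split("/")[1:]:
        if seg.startswith("Role="):
            role = seg[len("Role="):] or "NULL"
        elif seg.startswith("Capability="):
            continue
        elif seg:
            groups.append(seg)
    if not groups:
        raise ValueError(f"FQAN has no VO/group part: {text!r}")
    return FQAN("/" + "/".join(groups), role)


def is_dn(key: str) -> bool:
    """A DN such as '/C=SE/O=KTH/CN=Joe' has attr=value in every segment."""
    segs = [s for s in key.split("/") if s]
    return bool(segs) and all("=" in s for s in segs)


def parse_gridmap(text: str) -> dict[str, str]:
    """Map quoted DN or FQAN keys to local accounts; FQAN keys are canonicalised."""
    mapping: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, account = line.rsplit(" ", 1)
        key = key.strip('"')
        if not is_dn(key):
            key = parse_fqan(key).canonical()
        mapping[key] = account
    return mapping


def authorize(subject_dn: str, fqans: list[FQAN],
              banlist: set[str], gridmap: dict[str, str]) -> str | None:
    """Site-local decision: banlist, then DN entry, then pushed attributes.
    Returns the local account, or None when access is denied."""
    if subject_dn in banlist:
        return None                         # a local ban beats any VO attribute
    if subject_dn in gridmap:
        return gridmap[subject_dn]
    for f in fqans:                         # order is chosen by the client: first match wins
        account = gridmap.get(f.canonical())
        if account is None and f.role != "NULL":
            account = gridmap.get(FQAN(f.group).canonical())  # fall back to the bare group
        if account is not None:
            return account
    return None


def pseudonymize(subject_dn: str, fqans: list[FQAN],
                 table: dict[str, str]) -> tuple[str, list[FQAN]]:
    """Pseudonymity step from the slide: 'Joe -> Zyx'; the attribute authority
    reissues Joe's privileges to Zyx, so the FQANs travel on unchanged."""
    return table[subject_dn], list(fqans)


# Constructed sample data (not a real site configuration).
JOE = "/C=SE/O=KTH/CN=Joe"
ZYX = "/O=Pseudo CA/CN=Zyx"
GRIDMAP = parse_gridmap('''
# constructed sample grid-mapfile
"/C=SE/O=KTH/CN=Alice" alice
"/cms/Role=admin" cmsadmin
"/cms" cmsuser
''')
BANLIST = {JOE}
PSEUDO_TABLE = {JOE: ZYX}


def demo() -> tuple[str | None, str | None]:
    """Joe is banned at the site; see what the same request yields via his pseudonym."""
    fqans = [parse_fqan("/cms/higgs/Role=NULL/Capability=NULL"),
             parse_fqan("/cms/Role=admin")]
    direct = authorize(JOE, fqans, BANLIST, GRIDMAP)        # None: banned by DN
    pdn, pfq = pseudonymize(JOE, fqans, PSEUDO_TABLE)
    via_pseudo = authorize(pdn, pfq, BANLIST, GRIDMAP)      # "cmsadmin": ban not visible
    return direct, via_pseudo


if __name__ == "__main__":
    print(demo())
```

The decision is deliberately local, in keeping with "always retain local control": the site never calls out to the VO, it only evaluates what the client pushed against files it owns. The flip side, visible in `demo()`, is that the site's view of identity is whatever the issuer in front of it chose to present.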