Enabling Grids for E-sciencE
EGEE security “pitch”
Olle Mulmo, EGEE Chief Security Architect, KTH, Sweden
www.eu-egee.org
INFSO-RI-508833

Project PR

EGEE
EGEE is the largest Grid infrastructure project in the World?:
• 70 leading institutions in 27 countries, federated in regional Grids
• Leveraging national and regional grid activities
• ~32 M Euros EU funding for initially 2 years starting 1st April 2004
• EU review, February 2005 successful
• Preparing 2nd phase of the project – proposal to 3rd EU Grid call September 2005

EGEE Activities
• 48 % service activities (Grid Operations, Support and Management, Network Resource Provision)
• 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development)
• 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)
EGEE emphasis is on production grid operations and end-user support

gLite
• First major release of gLite announced on April 5
  – Focus on providing users early access to prototype
  – Reusing existing components
  – Addressing current shortcomings
• Interoperability & Co-existence with deployed infrastructure
• (Cautious) service oriented approach
  – Follow WSRF standardisation
• Site autonomy
[Diagram: release line LCG-1, LCG-2 (Globus 2 based) → gLite-1, gLite-2 (Web services based)]

Deployment of applications
• Pilot applications
  – High Energy Physics
  – Biomed applications
• Generic applications – Deployment under way
  – Computational Chemistry
  – Earth science research
  – EGEODE: first industrial application
  – Astrophysics
• With interest from
  – Hydrology
  – Seismology
  – Grid search engines
  – Stock market simulators
  – Digital video etc.
  – Industry (provider, user, supplier)

Pilot New Computing Resources – Feb. 2005
[Map: countries providing resources and countries anticipating joining EGEE/LCG]
In EGEE-0 (LCG-2):
• >100 sites
• >10,000 CPUs
• >5 PB storage

What I came here for
The EGEE view on Security - some philosophy and baseline assumptions

Baseline assumptions
• Be Modular and Agnostic
  – Allow for new functionality to be included as an afterthought
  – Don’t settle on particular technologies needlessly
• Be Standard
  – Interoperate
  – Don’t roll our own, to the extent possible
• Be Distributed and Scalable
  – Avoid central services if possible
  – Always retain local control

Baseline assumptions
• VOs self-govern the resources made available to them
  – Yet try to minimize VO management!
  – Use AuthN to tie policy to individuals/resources
• An open-ended system
  – No central point of control
  – Can’t tell where the Grid ends

We can’t do anything too fancy
[Diagram: Paradigm Shift (SOA); Requirements on functionality: Authentication, Access control, Credential mgmt, Delegation, Privacy, …; Other work already underway (LCG, OGSA, …); Existing capabilities: GridPMAs, WS-Security, MyProxy, Shibboleth, VOMS, Globus, …]

Architecture
Technologies and more details

Authentication
• IGF: Federation of PMAs
• Better revocation technologies
• Managed and Active credential storage
  – i.e., where access policy can be enforced
  – Smart cards, MyProxy, …
  – Organizationally rooted trust (KCA, SIPS)
  – User-held password-scrambled files should go away

Authorization
• Flexible framework to support multiple authorities and mechanisms
• VOMS, banlist, grid-mapfile, SAML, …
• Frank covered this in detail

Authorization model
• Decentralized
  – Predominantly role-based push model
  – Out-of-the-box support for VOMS
  – Semantic-free role and group attributes
• Pros
  – Scalability
  – Site autonomy
  – Multi-scenario support, VO self-governance
• Cons
  – Fine-grained access control (?)
  – VO management still heavyweight
  – VOMS is proprietary

VO management
• VOMS for now – modularity keeps it open for others
• Allow for lightweight VO deployment
  – Proposed solution: VO policy service
  – Brainchild

“Anonymity”
• Pseudonymity as a selective additional step to the SSO process
[Diagram, steps 1–4: Joe; Credential Storage (“Obtain Grid creds for Joe”); Pseudonymity Service (“Joe → Zyx”); Attribute Authority (“Issue Joe’s privileges to Zyx”); “The Grid”. Resulting credential: “User=Zyx Issuer=Pseudo CA”]

Data “privacy”
• Data always encrypted except in RAM
• Simple solution that ignores all the hard problems
  – (we have to as the system is open-ended)

Accounting
• Several solutions – and none of them are deployed at an EGEE level…
• Increasingly important

Audit
• Not solved at a Grid level
  – Scalability and information release issues
• Good tracking at the individual resource level for now

Integration and Development
• Middleware Security Group
  – Cross-activity group
  – Operations, Applications, Developers, OSG
  – Mailing list, phone conferences, face-to-face meetings

Operational Management
• Joint Security Policy Group
  – OSG, LCG participation
• EUGridPMA
• TERENA TF-CSIRT (incident response)
  – NREN CERTs start to show interest

More information
• EGEE Website http://www.eu-egee.org
• DJRA3.1: Global Security Architecture (1st rev.)
  – https://edms.cern.ch/document/487004/
• DJRA3.2: Site Access Control (1st rev.)
  – https://edms.cern.ch/document/523948
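The pseudonymity step sketched on the “Anonymity” slide above, as an added Python model that is not EGEE or gLite code: a pseudonymity service acting as “Pseudo CA” maps Joe to a fresh pseudonym, an attribute authority binds Joe’s VO roles to that pseudonym, and the resource authorises on the pseudonymous credential while logging only the pseudonym. The HMAC signatures, the role names, the VO membership table and the assumption that the attribute authority (but not the resource) learns the Joe→Zyx link are constructed for this example.

```python
import hashlib, hmac, json, secrets

def sign(key: bytes, payload: dict) -> dict:
    """Attach an HMAC tag; a stand-in for the X.509/SAML signature a real issuer would use."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {**payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key: bytes, token: dict) -> bool:
    body = json.dumps({k: v for k, v in token.items() if k != "sig"}, sort_keys=True).encode()
    return hmac.compare_digest(token.get("sig", ""), hmac.new(key, body, hashlib.sha256).hexdigest())

class PseudonymityService:
    """The 'Joe -> Zyx' step: acts as 'Pseudo CA' and keeps the only copy of the mapping."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # constructed Pseudo CA signing key
        self.mapping = {}                   # pseudonym -> real user, never leaves this service
    def issue(self, real_user: str) -> dict:
        pseudonym = "Zyx-" + secrets.token_hex(4)    # fresh, meaningless name per session
        self.mapping[pseudonym] = real_user
        return sign(self.key, {"User": pseudonym, "Issuer": "Pseudo CA"})
    def resolve(self, pseudonym: str) -> str:
        return self.mapping[pseudonym]              # audit path, available only here

class AttributeAuthority:
    """'Issue Joe's privileges to Zyx': looks up Joe's VO roles and binds them to the pseudonym."""
    def __init__(self, vo_roles: dict, pseudo_ca_key: bytes):
        self.key = secrets.token_bytes(32)          # constructed attribute-authority key
        self.vo_roles, self.pseudo_ca_key = vo_roles, pseudo_ca_key
    def issue(self, real_user: str, id_token: dict) -> dict:
        # The AA necessarily learns the link (assumption); it must only ever publish the pseudonym.
        if not verify(self.pseudo_ca_key, id_token) or id_token["Issuer"] != "Pseudo CA":
            raise ValueError("identity token not issued by Pseudo CA")
        roles = self.vo_roles.get(real_user, [])
        return sign(self.key, {"Subject": id_token["User"], "Roles": roles, "Issuer": "VO AA"})

def grid_decide(pseudo_ca_key, aa_key, id_token, attr_token, required_role) -> dict:
    """'The Grid' side: authorises on attributes bound to the pseudonym; logs only User=Zyx."""
    ok = (verify(pseudo_ca_key, id_token) and verify(aa_key, attr_token)
          and attr_token["Subject"] == id_token["User"]
          and required_role in attr_token["Roles"])
    return {"granted": ok, "log": f"user={id_token['User']} issuer={id_token['Issuer']} role={required_role}"}

def demo(real_user="Joe", required_role="biomed:analyst") -> dict:
    vo_roles = {"Joe": ["biomed:analyst"]}          # constructed VO membership data
    pseudo = PseudonymityService()
    aa = AttributeAuthority(vo_roles, pseudo.key)
    id_token = pseudo.issue(real_user)              # step: Joe -> Zyx
    attr_token = aa.issue(real_user, id_token)      # step: Joe's privileges -> Zyx
    decision = grid_decide(pseudo.key, aa.key, id_token, attr_token, required_role)
    return {**decision, "seen_by_grid": id_token["User"], "resolved": pseudo.resolve(id_token["User"])}
```

The resource log never contains “Joe”; de-pseudonymisation for incident follow-up is possible only through the pseudonymity service’s own mapping, which is the information-release trade-off the Audit slide refers to.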