Computing Services & the Grid
David Baker
Oz Parchment
Introduction
• Context
• Security
• Network Issues
• Accounting
• Personnel
• User Support
Computing Services at Southampton University
• Mission statement - To provide support and
manage computing, data communications and telephony
services within available resources so as to enable the
University to deliver excellence in teaching, learning and
research
• What do we do:
– Customer Base: ~30,000 Students & Staff
– E-Mails: 2,000,000+ emails per month
– Web-Serving: 6,000,000 page requests per month
– 1000+ Public workstations
– Computational services
– 700,000+ phone-calls per month
– Infrastructure for the above
Computing Services & the Grid
• Computing Services has taken on the
challenge of the Grid!
– The Grid facilitates collaborative opportunities in
research
– Host University Grid infrastructure
– Staff to manage & support Grid
Where do you fit into the picture?
• Centres who host Grid Services
• Grid Services hosted by academic departments
• Only client users at your institute
Security Issues
List of Issues
• User Authentication
• User Authorisation
• Security
• Firewalls
• Network Security
• Data Security
• Service Access Controls
User Authentication
• Assigning trustable digital identity to user
– Passport Agency!!!
• Certificate Authority (CA) – issue X.509 digital cert.
to e-Science programme participants
– e-Science CA at RAL
• Applicants validated by nominated rep. of project or
regional centre – Registration Authority (RA)
– Issues of Scalability
User Authorisation
• Managing access by authenticated users to grid
resources
• Revocation Policy
– Who and How?
• Account application form signed by local
authorisation agent
• Need to build trust relationships between agents?
– Users only need to make one application?
– Only sign one set of terms & conditions?
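Once a user is authenticated by their X.509 certificate, the site still has to decide whether that identity is allowed in and as which local account, and revocation must actually take effect. The following is an added example, not Globus code: it mirrors the Globus grid-mapfile convention (a quoted subject DN followed by one or more comma-separated local accounts) and adds a site-maintained list of revoked DNs, which is an assumption of this example rather than a Globus file. The mapfile contents and DNs are constructed.

```python
"""Map an authenticated certificate subject (DN) to a local account, the way a
Globus grid-mapfile does, and refuse revoked or unmapped users.

Added example, not Globus code. Assumptions: grid-mapfile lines of the form
  "/C=UK/O=eScience/OU=Southampton/CN=alice example" alice
(quoted DN, then comma-separated local accounts) and a plain-text list of
revoked DNs, one per line, kept by the local authorisation agent (hypothetical).
"""

import shlex

# Constructed sample grid-mapfile (not real users).
GRID_MAPFILE = '''
# grid-mapfile: "<subject DN>" <local account>[,<local account>...]
"/C=UK/O=eScience/OU=Southampton/CN=alice example" alice
"/C=UK/O=eScience/OU=Southampton/CN=bob example" bob,gridusers
"/C=UK/O=eScience/OU=Oxford/CN=carol example" gridusers
'''

# Constructed sample revocation list (one DN per line).
REVOKED_DNS = '''
/C=UK/O=eScience/OU=Southampton/CN=bob example
'''


def parse_grid_mapfile(text):
    """Return {dn: [local accounts]}; comments and blank lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the quoted DN (with spaces) as one token
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def parse_revocation_list(text):
    """Return the set of revoked DNs from one-DN-per-line text."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def authorise(dn, mapping, revoked):
    """Return (allowed, local_account_or_reason).

    Authentication (a valid certificate chaining to the e-Science CA) is
    assumed to have already happened; this is the separate authorisation step:
    is this DN allowed on this site, and as which local account?
    """
    if dn in revoked:
        return False, "revoked"
    accounts = mapping.get(dn)
    if not accounts:
        return False, "not in grid-mapfile"
    return True, accounts[0]  # first listed account is the default mapping


if __name__ == "__main__":
    mapping = parse_grid_mapfile(GRID_MAPFILE)
    revoked = parse_revocation_list(REVOKED_DNS)
    for dn in list(mapping) + ["/C=UK/O=eScience/OU=Nowhere/CN=mallory"]:
        print(dn, "->", authorise(dn, mapping, revoked))
```

The revocation check runs before the mapfile lookup, so removing a user means editing one list rather than hunting for every mapfile entry that names them; in practice the "who and how" of that edit is the policy question the slide asks.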
Site Security Policies
• Globus includes provisions for
– Secure communications (via SSL)
– Strict authentication (via certs.)
• Certificates on users' file-store?
– But what can the user run whilst on your machine?
• Must ensure Grid machines are secured against
non-Globus attacks
– Piggybacking
– Security by obscurity is no longer possible
Firewalls: Sysadmins' ONLY friend
• Internet firewalls considered a key component of network
security
• Network traffic generated by Globus
– Gatekeeper – 2119
– GRIS/GIIS – 2135
– GridFTP – 2811
– GSI-Enabled ssh – 22
• Globus uses a random non-privileged port range for data retrieval
– GLOBUS_TCP_PORT_RANGE
Firewalls (2)
• Individual ports not that difficult to manage
– Not much extra work
• Globus requires ~100+ non-privileged ports
– Maybe more required for a production grid?
• Access Control
– Limit access to services that run on your Grid
• GridFTP to certain sites; GASS to others
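The fixed service ports and the GLOBUS_TCP_PORT_RANGE ephemeral range above are what the firewall has to open, and the access-control point is that each can be opened to different sites. The following is an added example, not Globus or iptables code: it parses the port range the way Globus reads it ("min,max"), rejects a range that strays into privileged ports, and emits per-site iptables rule text for review. The site address blocks are RFC 5737 documentation addresses, chosen here as placeholders; the iptables syntax shown is assumed to match the site's firewall.

```python
"""Plan firewall rules for a Globus host: fixed service ports plus the
GLOBUS_TCP_PORT_RANGE ephemeral range, with per-site access control.

Added example, not Globus or iptables code; it only produces rule text.
Assumptions: GLOBUS_TCP_PORT_RANGE is read as 'min,max'; the iptables
command form shown; the (placeholder, RFC 5737) networks in ALLOWED_SITES.
"""

# Globus Toolkit 2 service ports, as listed in the deck.
GLOBUS_SERVICES = {
    "gatekeeper": 2119,
    "gris_giis": 2135,
    "gridftp": 2811,
    "gsi_ssh": 22,
}

# Constructed example policy: which remote networks may reach which service.
# (Documentation address blocks, not real sites.)
ALLOWED_SITES = {
    "gridftp": ["192.0.2.0/24"],
    "gatekeeper": ["192.0.2.0/24", "198.51.100.0/24"],
    "gsi_ssh": ["198.51.100.0/24"],
}


def parse_port_range(value):
    """Parse 'min,max' and check the range is usable and non-privileged."""
    try:
        lo, hi = (int(p) for p in value.split(","))
    except ValueError:
        raise ValueError(f"GLOBUS_TCP_PORT_RANGE must be 'min,max': {value!r}")
    if lo > hi or hi > 65535:
        raise ValueError(f"empty or out-of-range port range: {value!r}")
    if lo <= 1023:
        raise ValueError(f"range overlaps privileged ports (<= 1023): {value!r}")
    return lo, hi


def range_size(value):
    """Number of ports the range provides (the deck suggests ~100+)."""
    lo, hi = parse_port_range(value)
    return hi - lo + 1


def firewall_rules(port_range, services=GLOBUS_SERVICES, sites=ALLOWED_SITES):
    """Return iptables rule lines: allow each service only from its sites,
    allow the ephemeral range only from sites that reach some service,
    then drop everything else inbound on TCP."""
    lo, hi = parse_port_range(port_range)
    rules = []
    for name, port in services.items():
        for net in sites.get(name, []):
            rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    # Dynamically assigned listeners (data channels etc.) use the port range;
    # open it only to the networks already allowed to reach a service.
    nets = sorted({n for v in sites.values() for n in v})
    for net in nets:
        rules.append(f"iptables -A INPUT -p tcp -s {net} --dport {lo}:{hi} -j ACCEPT")
    rules.append("iptables -A INPUT -p tcp -j DROP")
    return rules


if __name__ == "__main__":
    print(f"# {range_size('40000,40099')} ephemeral ports")
    for rule in firewall_rules("40000,40099"):
        print(rule)
```

A service with no entry in ALLOWED_SITES (GRIS/GIIS above) gets no ACCEPT rule and so falls through to the DROP, which is the safe default when a site has not yet decided who may query it.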
Firewalls (3)
• Globus packaging techniques make security
management more interesting
– GridFTP
• Based on wu-ftpd; numerous CERT advisories
– GSI-SSH
• Based on OpenSSH; some CERT advisories
• Service termination policies
– How should a vulnerable service be terminated?
Data Security
• Globus does not prevent a user from running a
specific command.
• Can Grid users be confident that their data is secure
on your system?
• Can any user be confident their data is secure?
• System security
– Restricted paths?
– Restricted shells?
Access to non-grid systems & services
• Need to limit Grid users' access rights
• No access to non-grid machines/equipment?
• No access to non-grid services – e.g. email?
• Maybe:
– Take special measures re: account setup?
– Don’t supply account password?
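The questions on this slide and the previous one (restricted shells, special account setup, no password) come down to what the local account a grid user is mapped to can do outside Globus. The following is an added example, not part of Globus: it audits such accounts from /etc/passwd and /etc/shadow-format text, flagging any whose password is not locked or whose login shell is not in a site-chosen restricted set. The account lines are constructed, and the restricted-shell list is an assumption to be adjusted per site.

```python
"""Audit the local accounts grid users are mapped to: each should have a
locked password (no interactive password login) and a restricted shell, so
an authenticated grid user cannot simply ssh in and reach non-grid services
such as email with the same account.

Added example, not Globus code. Assumptions: standard 7-field /etc/passwd and
/etc/shadow layouts; 'locked' means the shadow hash field starts with '!'
(passwd -l / usermod -L) or '*' (no valid hash); RESTRICTED_SHELLS is a
site choice.
"""

# Constructed sample account data (not real users or hashes).
PASSWD_LINES = '''
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Grid user alice:/home/alice:/bin/rbash
bob:x:1002:1002:Grid user bob:/home/bob:/bin/bash
gridusers:x:1003:1003:Shared grid account:/home/gridusers:/usr/sbin/nologin
'''

SHADOW_LINES = '''
root:$6$example$notarealhash:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
bob:$6$example$notarealhash:19000:0:99999:7:::
gridusers:*:19000:0:99999:7:::
'''

# Assumed site policy for grid accounts.
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {account: login shell} from /etc/passwd-format text."""
    shells = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text):
    """Return {account: password hash field} from /etc/shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        hashes[fields[0]] = fields[1]
    return hashes


def password_locked(hash_field):
    """True if the account cannot authenticate with a password.

    An empty field is NOT treated as locked: depending on PAM configuration it
    can mean login with no password at all, which is the opposite of the goal.
    """
    return hash_field.startswith(("!", "*"))


def audit_grid_accounts(accounts, passwd_text, shadow_text):
    """Return {account: [problems]}; an empty list means the account passes."""
    shells = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = {}
    for name in accounts:
        problems = []
        if name not in shells:
            problems.append("no passwd entry")
        elif shells[name] not in RESTRICTED_SHELLS:
            problems.append(f"unrestricted shell {shells[name]}")
        if name not in hashes:
            problems.append("no shadow entry")
        elif not password_locked(hashes[name]):
            problems.append("password not locked")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for account, problems in audit_grid_accounts(
        ["alice", "bob", "gridusers"], PASSWD_LINES, SHADOW_LINES
    ).items():
        print(account, "OK" if not problems else "; ".join(problems))
```

Whether a non-interactive shell such as nologin still lets the Globus job manager run jobs as that account is something to test on the actual installation before adopting it as policy; a restricted shell like rbash is the more conservative starting point.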
Infrastructure Requirements
• Choice of middleware – currently GT 2.0
• Keep in step with other centres
– Upgrades to major system components need to be
synchronised across service providers
• Report resources to UK GIIS
• Protect licensed software
– Don’t invalidate site licenses
Network Issues
• Network Bandwidth
– Internally
– Externally
• Firewall throughput
• Web Caches
– Web Services through port 80
• Network QoS
– Real time data capture
– AccessGrid
Network Issues
• Network connectivity & bandwidth
• Where are the resources located:
– Between your institute and remote institutes
– Within your institute
[Diagram: link speeds between resources Ra, Rb, Rc and Rd and the wider network, ranging from 2 Mbps, 10 Mbps and <100 Mbps links through 155 Mbps and 1 Gbps to LeNSE at 2.4 Gbps; firewalls in the path will 'throttle' traffic]
Accounting
• Account for resource usage:
– Long term planning
– Accountability
– Recovering costs
• Fair sharing policies
– Are you getting what you’ve bought?
Personnel
There are manpower issues
• Depends on level of involvement:
– May need to recruit additional staff
– Additional training for existing staff
– At the very least someone needs to know
User Support
• Depends on centre’s involvement with grid.
– How deeply involved are you?
– How deeply involved do you want to get?
• Think about how information is disseminated
– Who needs to know?
• Internally
• Externally
– What do they need to know?
• Pass unresolved issues to Grid Support Centre
Service Level Agreement
What can grid users expect from your centre?
• Hardware availability
• Software availability
• Data Storage
• Backup policies
• Help desk priorities
Useful links
• The Globus Project
– www.globus.org
• UK Grid Support Centre
– www.grid-support.ac.uk
• Global Grid Forum
– www.gridforum.org
• National e-Science Centre
– www.nesc.ac.uk
Conclusion
• Many issues need to be resolved
• Your input is important
– Grid is still developing
– This meeting is only the beginning
• Great opportunities for researchers at your
Institutions