Virtual Organisations in Grids TERENA TF-EMC2, Barcelona 8 September 2005 David Kelsey CCLRC/RAL, UK [email protected]


Page 1

Virtual Organisations in Grids
TERENA TF-EMC2, Barcelona, 8 September 2005
David Kelsey, CCLRC/RAL, UK
[email protected]

Page 2

8-Sep-05 David Kelsey, VOs/Grids, TF-EMC2 2

Introduction
• Who am I?
  – Head of Particle Physics Computing at Rutherford Appleton Laboratory
  – Member of 3 Grid projects
    • UK GridPP (Chair of Deployment Board)
    • EU EGEE (Chair of Joint Security Policy Group)
    • Global LCG (Chair of Security Group)
• Why am I here?
  – Pleasure to have been invited!
  – In Particle Physics, no desire to run networking services that can be provided by others
• Disclaimer
  – These are my personal views
  – Not official views of the projects or RAL

Page 3

Outline
• The LCG and EGEE projects
• What is a Grid VO?
• The Security Model
  – Authentication (AuthN)
  – Authorization (AuthZ)
• Policy issues
• AuthZ Technology
• Legal issues
• NRENs and Grid VOs
• Final words

Page 4

The LHC Computing Grid Project (LCG) & Enabling Grids for E-sciencE (EGEE)

Page 5

LHC Computing Grid Project – LCG
LCG Project Overview, June 2005
Les Robertson – CERN

Page 6

LHC Data
The LHC Accelerator – the largest superconducting installation in the world: 27 kilometres of magnets cooled to –300°C, colliding proton beams at an energy of 14 TeV.
The accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments’ detectors.
This is reduced by online computers that filter out a few hundred “good” events per sec, which are recorded on disk and magnetic tape at 100–1,000 MegaBytes/sec, ~15 PetaBytes per year.


Page 8

LCG sites (map slide)
Labels shown: July 2005: 140 Grid sites, 34 countries, 12,000 CPUs; Grid3 (25 Universities, 4 National Labs, 2800 CPUs); 30 sites, 3200 CPUs.
Inter-operation with EGEE, Open Science Grid in the US and NorduGrid: very early days for standards – still getting basic experience. Focus on baseline services to meet specific experiment requirements.

Page 9

Enabling Grids for E-sciencE (INFSO-RI-508833, www.eu-egee.org)

The EGEE Project Status
Ian Bird, EGEE Operations Manager, CERN, Geneva, Switzerland
ISGC, Taipei, 27th April 2005

Page 10

EGEE goals
• Goal of EGEE: develop a service grid infrastructure which is available to scientists 24 hours a day
• The project concentrates on:
  – building a consistent, robust and secure Grid network that will attract additional computing resources
  – continuously improving and maintaining the middleware in order to deliver a reliable service to users
  – attracting new users from industry as well as science and ensuring they receive the high standard of training and support they need

Page 11

EGEE
EGEE is the largest Grid infrastructure project in Europe:
• 70 leading institutions in 27 countries, federated in regional Grids
• Leveraging national and regional grid activities
• ~32 M Euros EU funding for initially 2 years starting 1st April 2004
• EU review, February 2005, successful
• Preparing 2nd phase of the project – proposal to EU Grid call September 2005
• Promoting scientific partnership outside EU

Page 12

Deployment of applications
• Pilot applications
  – High Energy Physics
  – Biomed applications: http://egee-na4.ct.infn.it/biomed/applications.html
• Generic applications – deployment under way
  – Computational Chemistry
  – Earth science research
  – EGEODE: first industrial application
  – Astrophysics
• With interest from
  – Hydrology
  – Seismology
  – Grid search engines
  – Stock market simulators
  – Digital video etc.
  – Industry (provider, user, supplier)
• Many users
  – broad range of needs
  – different communities with different background and internal organization

Page 13

What are Grid VOs?

Page 14

Grid VOs
• Several different views!
• The original Globus definition included resources
  – A Virtual Organisation is a set of individuals and/or institutions that are defined according to a set of rules
• The EGEE view – just people
  – A grouping of individuals, often not bound to a single institution or enterprise, who, by reason of their common membership of the VO, and in sharing a common goal, are granted rights to use a set of resources on the Grid
• There are many Grids
  – Defined by shared services and common policy
  – Single Information System
  – Common operations (distributed)
  – Politics and/or Funding

Page 15

Virtual vs. Organic structure (diagram)
Organic structure: Organization A and Organization B, with Compute Servers C1, C2 and C3, File server F1 (disks A and B), and Persons A (Faculty), B (Staff), C (Student), D (Staff), E (Faculty) and F (Faculty).
Virtual Community C: Person A (Principal Investigator), Person B (Administrator), Person D (Researcher), Person E (Researcher), Compute Server C1' and File server F1 (disk A).
Graphic by Frank Siebenlist, ANL & Globus Alliance

Page 16

The Security Model

Page 17

Security Model
• Users have single electronic identity
• They register once per VO (and renew)
  – Can belong to more than one VO
• Users do not register at sites/resources
• VOs register with Grid (again once per Grid)
• Aim for single instance of VO membership database
  – To be used across multiple Grids
• Sites/Resources decide which VOs to support
  – Grid Operations facilitates this support
    • Configuration etc

Page 18

The Security Model (2)
• Authentication – proof of identity
  – GSI: Globus Grid Security Infrastructure (interoperate)
  – Single sign-on via X.509 certificates (PKI)
  – Delegation (via short-lived proxy certs) to services
• Global Authorization – right to access resources
  – Virtual Organisation (VO) – e.g. a Biomed experiment
    • Maintains list of registered users
    • Allocates users to groups and/or roles
    • Controls global policy and allocations
• Local Authorization – site access control
  – Via local (e.g. Unix) mechanisms or
  – Callouts to local AuthZ enforcement (Grid developments)
  – Grid ACLs – global identity or VO AuthZ attributes
• Policy
  – Grids (e.g. EGEE, OSG) define security policy
  – Many stakeholders also contribute to “policy”

Page 19

Security Policy – Authorization Policy Architecture (diagram)
Labels shown: User with PKI/Kerberos Identity and Key Material (Group of unique names, Organizational role); Process acting on user’s behalf, via Delegation and a Delegation Policy; Identity Translation Service between PKI Identity and Local Site Kerberos Identity; VO User Attributes and VO Policy; Site Resource Attributes and Site Policy; Policy from Other Stakeholders; Site/Resource Owner; Authorization Service/PDP taking Policy and attributes; Policy Enforcement Point in front of the Resource, giving Allow or Deny; Server; Standardize.
Graphics from Globus Alliance & GGF OGSA-WG
Policy comes from many stakeholders

Page 20

Authentication

Page 21

Authentication
• Keep Authentication and Authorization separate
  – Authentication best done at Institute level
  – Authorization best done at VO level
• Provide the User with one (Grid) electronic identity
  – For use in many Grids or VOs
  – For user convenience
• Have successfully built a global PKI (X.509)
  – Mutual Authentication of people and services
• What is the most appropriate scale?
  – One CA per country/region (ideally for all eScience)
• EU Grid PMA has coordinated the (global) CAs
  – “minimum requirements” for accredited CAs
• Now three worldwide PMAs for Authentication
  – Asia/Pacific, The Americas and EU
  – International Grid Trust Federation coordinates these
• Using TACAR for roots of trust

Page 22

Policy issues

Page 23

EGEE/LCG Security Policy (document-tree diagram)
Documents shown: Security & Availability Policy; User AUP; VO AUP; Certification Authorities; Audit Requirements; Incident Response; User Registration & VO Management; Application Development & Network Admin Guide. One document is marked “Under Revision”.
http://cern.ch/proj-lcg-security/documents.html
Picture from Ian Neilson

Page 24

Policy
• Acceptable Use Policy
  – One simple common User AUP
    • for EGEE and OSG
    • And other national Grids
    • Applies to all registered VOs
    • Binds user to VO AUP
  – Each VO defines its own aims and AUP
    • Sites can then decide to support or not
  – User accepts these during registration
    • And regular renewal (every 12 months)
• Robust User Registration procedures are required
  – Sites have delegated user registration to VOs

Page 25

AuthZ Technology

Page 26

Authorization & VO Management
• In EGEE gLite and LCG middleware
• Global AuthZ (VOMS)
  – Virtual Organization Membership Service
    • VO members, their groups and roles
    • Provides digitally signed AuthZ attribute certificate
  – Included in the grid proxy certificate
  – A “PUSH” model (user can select roles and VOs)
• Local AuthZ
  – Local Centre Authorization Service (LCAS)
    • A framework to handle local policy (e.g. banned users)
  – Local Credential Mapping (LCMAPS)
    • Provides local credentials (Kerberos/AFS, ldap nss…)
    • Local policy decisions (CE and SE)
  – Can decide and enforce policy on VOMS attributes
    • n.b. LCAS/LCMAPS is just one local AuthZ service

Page 27

AuthZ – VOMS & LCAS (diagram, PUSH Model)
Labels shown: CA (several), VO-VOMS (several), user, service, LCAS; user cert (long life), host cert (long life), proxy cert (short life), authz cert (short life), service cert (short life); registration, crl update, voms-proxy-init, authentication & authorization info; low frequency, high frequency.

Page 28

Legal issues

Page 29

(some) Legal issues
• Sites/Resources require
  – Auditing at individual user level
  – Read access to User registration data in VO
• VOs require
  – Accounting (usage) data from resources
  – At individual user level
• Privacy & data protection laws forbid sites publicly identifying individual users
  – No solution to this conflict yet!
• VOs are not (in general) legal entities
  – Makes life interesting!

Page 30

NRENs and Grids?

Page 31

NRENs and Grids?
• No desire to run net services that can be provided by others
• AuthN/Identity services
  – Currently constrained to be X.509 PKI
  – Several NRENs run Certification Authorities
    • For Grids today, e.g. CESNET
  – AuthN best done by home institute
  – We should continue to work together here
• For large/long-lived VOs
  – Global AuthZ must be managed by the VO
  – Role/Group names must be defined by VO and understood by Sites/Resources (across all Grids)
• Dynamic/Short-lived VOs
  – Small groups of collaborating scientists
    • “Laymen rather than experts”
  – VO cannot register with Grid Infrastructure
  – Interesting to explore possibilities for NRENs here

Page 32

References
• LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
• EGEE JRA3 (Security): http://egee-jra3.web.cern.ch/
• Open Science Grid Security: http://www.opensciencegrid.org/techgroups/security/
• EU DataGrid Security: http://hep-project-grid-scg.web.cern.ch/
• LCG Guide to Application, Middleware and Network Security: https://edms.cern.ch/document/452128
• EU Grid PMA (CA coordination): http://www.eugridpma.org/
• TERENA TACAR (CA repository): http://www.terena.nl/tech/task-forces/tf-aace/tacar/

Page 33

Final Words
• Grids require robust AuthN
  – Government issued photo-ID
• There are technology constraints
  – Today’s Grid middleware (e.g. X.509)
• Standards are essential
  – For interoperability between Grids
  – GGF is an important body
  – Grid Security will implement new standards
    • WS-Security, SAML, XACML, etc
• People aspects even more important
  – Building International Trust takes time
  – Between Grids, Sites and VOs
• We (Grids and NRENs) must keep talking to each other