GGF12 Workshop on Operational Security for the Grid
Cross-site authentication and access control panel: Experiences in Asia Pacific

Yoshio Tanaka (yoshio.tanaka@aist.go.jp) Grid Technology Research Center, AIST, Japan


Presentation Transcript


  1. GGF12 Workshop on Operational Security for the Grid
     Cross-site authentication and access control panel: Experiences in Asia Pacific
     Yoshio Tanaka (yoshio.tanaka@aist.go.jp) Grid Technology Research Center, AIST, Japan

  2. Grids in Asia Pacific
     • Architecture, technology
       • Based on GT2
       • Allow multiple CAs
       • Build MDS Tree
     • Grid middleware/tools from Asia Pacific
       • Ninf-G (GridRPC programming)
       • Nimrod-G (parametric modeling system)
       • SCMSWeb (resource monitoring)
       • Grid Data Farm (Grid File System), etc.
     • Status
       • 22 organizations (10 countries)
       • 23 clusters (1688 CPUs)

  3. Grass-roots Approach (strategy)
     [Diagram: several sites, each running globus with its own CA, and the ApGrid GIIS]
     • Assumption
       • Each institution has installed GT2
     • Necessary steps
       • Gather and exchange trusted CA info. and trust each other
       • Configure MDS to build an ApGrid MDS tree
       • For application use
         • Install additional software on a project basis
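Trusting several CAs at once (slides 2 and 3) is only safe if each CA is confined to the name space it is allowed to certify; GT2 expresses that with a signing_policy file stored beside each trusted CA certificate. The check below is an added illustration, not part of the slides: it parses a constructed sample policy (placeholder DNs, not any real CA's) and tests whether a given issuer/subject pair is covered by it.

```python
import fnmatch
import shlex

# Constructed sample: a GT2-style signing_policy for one trusted CA.
# The DNs are placeholders, not a real CA's policy.
SAMPLE_POLICY = """
# Signing policy for the (hypothetical) Example Grid CA
access_id_CA  X509  '/C=JP/O=Example Grid/CN=Example Grid CA'
pos_rights    globus  CA:sign
cond_subjects globus  '"/C=JP/O=Example Grid/*" "/C=JP/O=Example Univ/*"'
"""


def parse_signing_policy(text):
    """Return (ca_dn, [allowed subject glob patterns]) from a signing_policy text."""
    ca_dn, patterns, can_sign = None, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # unwraps the single-quoted values
        key = fields[0]
        if key == "access_id_CA" and fields[1] == "X509":
            ca_dn = fields[2]
        elif key == "pos_rights" and fields[1:] == ["globus", "CA:sign"]:
            can_sign = True
        elif key == "cond_subjects" and fields[1] == "globus":
            # The value is a space-separated list of double-quoted patterns.
            patterns.extend(shlex.split(fields[2]))
    if ca_dn is None or not can_sign:
        raise ValueError("policy grants no CA:sign right")
    return ca_dn, patterns


def subject_permitted(policy, issuer_dn, subject_dn):
    """True only if issuer_dn is the CA named in the policy AND subject_dn
    lies inside one of that CA's cond_subjects name spaces."""
    ca_dn, patterns = parse_signing_policy(policy)
    if issuer_dn != ca_dn:
        return False  # a different CA must not be matched by this policy
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)
```

A subject outside every listed name space is rejected even when the issuer is the trusted CA, which is what stops one cooperating CA from certifying identities that belong to another site.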

  4. Status and problems
     • Most participating organizations have little interest in security
       • Many participants are application people
       • Not enough human resources working on security
       • Satisfied with using Globus Simple CA without providing a CP/CPS
         • This would be acceptable inside AP for experimental use.
     • Potential/ongoing collaboration with the US and EU, e.g.:
       • AIST/Japan – TeraGrid
       • KISTI/Korea – PPDG and iVDGL
       • ASCC/Taiwan – LCG
       • …
     • Need to launch production level CAs

  5. APGrid PMA: Asia Pacific Grid PMA
     • General Policy Management Authority in Asia Pacific
     • Launched on June 1st, 2004
     • Defines minimum CA requirements
     • APGrid PMA approved that we accept two levels of CA:
       • Experimental-level CA
         • Alternative to the Globus CA
         • Can be trusted within A-P communities
       • Production-level CA
         • Strict management is necessary
         • Expected to be trusted by international communities
     • KISTI GRID CA has been approved as a production level CA
     • AIST GRID CA and ASGC CA have their CP/CPS under review (expected to be approved shortly)
     • Will discuss interoperability issues between AP, EU and the US

  6. Identification and Authentication of VO membership
     • Work in Japanese NAREGI (National Research Grid Initiative) Project
     • A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains.
     • ISSUES:
       • How to identify and authenticate members inside a VO
       • Design PKI architecture, trust relationship between end entity and CA
       • Implementation issue of Globus and Unicore
     [Diagram: Organization A and Organization B (PKI Domain), each with users (user 1, user 2, user 3, user p, user q, user r) and services (service_a, service_b, service_c, service_x, service_y, service_z); a VO Domain with user 1 as VO Manager; services and users are exposed in a Virtual Organization through Contract A and Contract B]
     slide by courtesy of Ayako Komatsu (NEC)

  7. ID & AUTH of VO membership (cont'd)
     • Launch VO-CA that issues Public Key Certificates for end entities
       • EE has both home PKC and a PKC issued by
       • Compatible with Globus and Unicore
       • Need to consider relationship between VO-CA and home CA
         • Several implementation choices
           • parent CA, child CA, bridged-CA, etc.
     • Use attributes
       • Manage membership information as an attribute of EE
       • Authentication using a PKC issued by a home CA, then refer to membership information
       • Need to consider the scope of attributes
     slide by courtesy of Ayako Komatsu (NEC)

  8. NAREGI VO management architecture
     [Diagram: Authorization and Accounting on top of VO Management (PKI, Group Mgmt., Group Identity Federation, Attribute, Access Rights, Monitoring); Identifier / Authentication for Job, Resource and Human identities; UNICORE User Proxy and Globus above the Grid Computing layer]
     slide by courtesy of Ayako Komatsu (NEC)

  9. More Information
     • ApGrid: http://www.apgrid.org/
     • PRAGMA: http://www.pragma-grid.net/
     • APGrid PMA: http://www.apgridpma.org/
     • NAREGI: http://www.naregi.org/
     • GTRC/AIST: http://www.gtrc.aist.go.jp/
     • My email address: yoshio.tanaka@aist.go.jp
