
The Community Authorisation Service – CAS


Presentation Transcript


  1. The Community Authorisation Service – CAS
     Dr Steven Newhouse, Technical Director, London e-Science Centre, Department of Computing, Imperial College London

  2. The Grid
     • Administrative Issues
       • Security
       • Multiple Organisations
       • Coordinated Problem Solving
     • Diverse Resources
       • Dynamic
       • Unreliable
       • Shared

  3. A Quick Refresher
     • Grid Security Infrastructure (GSI) =
       X.509 (PKI certificate format)*
       + proxy certificates (single sign-on & delegation)
       + TLS/SSL (authentication & msg protection)*
       + delegation protocol (remote delegation)
     • * = Existing IETF standards; others are GGF & IETF drafts

  4. How to define access to these resources?
     • Current policy is through the ‘GridMap’ file:
       “/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=steven newhouse” sjn5
       “/C=US/O=Globus/CN=ian foster” ifoster
     • Advantages:
       • Resource owner has clear policy control
     • Disadvantages:
       • Scalability: M users on N resources need co-ordination
       • Expressibility: Policy is implemented locally

  5. Solutions to scalability
     • Group Accounts
       • Adopted by EUDG
       • X.509 DN is mapped to a set of local accounts
     • Policy Server
       • Central server that issues ‘policy tokens’
       • Tokens define access to resources

  6. Example Collective Service: Community Authorization (diagram; text recovered from the figure)
     Parties: User; CAS (holds user/group membership and collective policy information); Resource (holds local policy information)
     1. CAS request, with resource names and operations
        – CAS asks: does the collective policy authorize this request for this user?
     2. CAS reply, with capability and resource CA info
     3. Resource request, authenticated with capability
        – Resource asks: is this request authorized by the capability?
        – Resource asks: is this request authorized for the CAS?
     4. Resource reply
     Credit: Laura Pearlman, Steve Tuecke, Von Welch, others

  7. CAS Testbed
     • Funded JISC Project (Due to start Jan ‘03)
     • Evaluate and contribute to CAS
     • Investigators
       • Steven Newhouse (LeSC)
       • David Colling (IC-HEP)
       • Rob Allan (GSC-DL)
       • Stephen Pickles (MC)

  8. Project Goals
     • Deploy and evaluate current CAS release
       • CAS server at IC
       • CAS enabled gatekeepers & GridFTP servers
     • CAS enabled web server
       • Integrate CAS policy with web access control
     • CAS management portal
       • Secure web-based interface to CAS
       • Definition of CAS policy language

  9. CAS enabled GridFTP
     • Provides community access to data retrieval
     • Specify access to files & directories
       • read
       • lookup
       • write
       • create
       • chdir
     • Apply actions to a user or a group of users
     • Extend (& restrict) model to web server
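The four-step exchange of slide 6 combined with the per-user/per-group file actions of slide 9, as an added toy model (not Globus CAS code). The DNs, group, resource URLs and policy tables are constructed; the resource's "local policy" is modelled as the set of actions it grants to a given CAS identity.

```python
from dataclasses import dataclass

# Constructed data: the five GridFTP actions from slide 9
ACTIONS = frozenset({"read", "lookup", "write", "create", "chdir"})
CAS_DN = "/C=UK/O=eScience/CN=cas-server"          # assumed CAS identity
ALICE = "/C=UK/O=eScience/CN=alice"                  # assumed community member

# CAS-side state: group membership and the collective policy, keyed by
# ("user", dn) or ("group", name) -> {resource prefix: allowed actions}
MEMBERS = {ALICE: {"hep-users"}}
POLICY = {
    ("group", "hep-users"): {"gsiftp://data.example/hep/": {"read", "lookup"}},
    ("user", ALICE): {"gsiftp://data.example/hep/alice/": ACTIONS},
}

@dataclass(frozen=True)
class Capability:
    """What the CAS embeds in the user's restricted proxy (step 2)."""
    issuer: str
    subject: str
    resource: str
    actions: frozenset

def cas_request(user_dn, resource, actions):
    """Steps 1-2: does the collective policy authorize this request for this user?
    Returns a Capability covering exactly the requested actions, or None."""
    wanted = set(actions)
    granted = set()
    subjects = [("user", user_dn)] + [("group", g) for g in MEMBERS.get(user_dn, ())]
    for subj in subjects:
        for prefix, allowed in POLICY.get(subj, {}).items():
            if resource.startswith(prefix):
                granted |= allowed & wanted
    if granted != wanted:
        return None                      # CAS refuses rather than issuing a partial grant
    return Capability(CAS_DN, user_dn, resource, frozenset(granted))

def resource_check(trusted_cas, local_policy, cap, resource, action):
    """Steps 3-4: the resource checks the capability, then its own local policy.
    local_policy maps a CAS identity to the actions this resource grants that CAS."""
    if cap is None or cap.issuer not in trusted_cas:
        return False                     # not issued by a CAS this resource trusts
    if not resource.startswith(cap.resource) or action not in cap.actions:
        return False                     # is this request authorized by the capability?
    return action in local_policy.get(cap.issuer, set())   # ... and for the CAS?
```

Both checks on the resource side are independent: a valid capability for an action the resource never delegated to the CAS is still refused.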

  10. CAS enabled Gatekeeper
     • Prototyped within US Fusion Collaboratory project
     • Introduction of ‘Policy Enforcement Points’
       • Has the user permission to submit to this queue?
       • Can they request 128 processors?
     • Focus on RSL restrictions during job initiation
     • Rights embedded in the user’s restricted proxy issued by CAS

  11. CAS enabled Job Control
     • Once a job is running we might want to:
       • Halt/restart the job
       • Raise/lower job priority
     • Provide policy driven job control
       • Supervisor/PI may have rights over user’s job
       • Project/user may have higher priority
     • Define usage scenarios & requirements

  12. Virtual Organisation Management Portal (VOM)
     • Tackle the VO Authorisation problem
       • Use role based authorisation model
       • Management of distributed ‘gridmap’ files
       • Web based for distributed management
     • Part of Centre’s OSCAR-G project
       • Use GSC’s X.509 certificates for identification
       • GSI enabled web services

  13. VO Portal: Enrollment

  14. VO Portal: Management
     • As VO Manager:
       • Approve pending user requests
       • Assign users to roles (and therefore resources)
     • As Resource Manager:
       • Define mapping between VO user and local UNIX account
       • Download and combine gridmap files from multiple VOM portals

  15. GridMap Client
     • Resource Manager defines configuration file
       • Identity for GSI operations
       • VOM portals to retrieve data
       • Local gridmap entries
     • Gridmap Client invoked from cron job
       • Use GSI enabled web service to validate client identity
       • Iff all lookups successful write out new gridmap file
       • Iff new non-zero length file replace existing gridmap file
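The combine-and-replace logic of slides 14 and 15, as an added example that is not the LeSC GridMap Client. The portal lookups are represented by already-fetched text (or None for a failed lookup); the gridmap format assumed is one quoted DN and one local account per line, and the two "iff" rules from the slide decide whether anything is written.

```python
import os
import re
import tempfile

# Assumed gridmap line shape:  "<DN>" <local account>   (comments start with #)
GRIDMAP_LINE = re.compile(r'^"(?P<dn>/[^"]+)"\s+(?P<account>[a-z_][a-z0-9_-]*)$')

def parse_gridmap(text):
    """Parse gridmap text into {dn: account}; any malformed line aborts the run."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed gridmap line: {line!r}")
        entries[m["dn"]] = m["account"]
    return entries

def combine(local_entries, portal_results):
    """Merge the resource manager's local entries with every VOM portal's data.
    portal_results maps portal URL -> gridmap text, or None if that lookup failed.
    Returns None unless all lookups succeeded (the slide's first 'iff')."""
    merged = dict(local_entries)
    for url, text in portal_results.items():
        if text is None:
            return None                      # one failed lookup: keep the old file
        for dn, account in parse_gridmap(text).items():
            if merged.get(dn, account) != account:
                raise ValueError(f"{dn} mapped to both {merged[dn]} and {account} ({url})")
            merged[dn] = account
    return merged

def write_gridmap(path, entries):
    """Replace path atomically, and only with a non-empty file (second 'iff')."""
    if not entries:
        return False
    body = "".join(f'"{dn}" {acct}\n' for dn, acct in sorted(entries.items()))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(tmp, 0o644)                     # mkstemp creates it 0600
    os.replace(tmp, path)                    # atomic rename; readers never see a partial file
    return True
```

A conflicting mapping for the same DN across portals is treated as an error rather than silently letting the last portal win, since the local account decides what the DN can do on this resource.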

  16. Accounting
     • Use a wrapper script around job execution:
       • Extract DN from environment
       • Log start & end events
       • Attempt immediate update to database
         • Need to map DN to VO but a DN may be in several VO’s (!!!)
       • If update fails dump to local file for later action
     • Usage info can be browsed at a later date.
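The wrapper logic of slide 16 as an added example (not the project's script): start and end events are recorded, the database update is attempted first and a failure falls back to a local spool file. The environment variable name GRID_USER_DN, the spool path and the membership table are assumptions; because a DN may sit in several VOs, every candidate VO is recorded instead of guessing one.

```python
import json
import time

def job_record(event, env, memberships, now=None):
    """Build one accounting event from the job environment.
    memberships maps DN -> set of VO names (assumed to come from the VOM data)."""
    dn = env.get("GRID_USER_DN")             # assumed variable name
    if not dn:
        raise ValueError("no DN in environment; refusing to account anonymously")
    return {
        "event": event,
        "dn": dn,
        "vos": sorted(memberships.get(dn, ())),   # may be several; resolved later
        "time": now if now is not None else time.time(),
    }

def publish(record, update_db, spool_path):
    """Try the database first; on any failure append the record to the spool."""
    try:
        update_db(record)
        return "db"
    except Exception:
        with open(spool_path, "a") as f:
            f.write(json.dumps(record) + "\n")  # one JSON object per line
        return "spooled"

def run_job(run, env, memberships, update_db, spool_path):
    """Wrap a job: log start, run it, log end with its exit status.
    run is a zero-argument callable that executes the job and returns its status."""
    outcomes = [publish(job_record("start", env, memberships), update_db, spool_path)]
    status = run()
    end = dict(job_record("end", env, memberships), status=status)
    outcomes.append(publish(end, update_db, spool_path))
    return status, outcomes
```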

  17. Summary
     • CAS project will provide UK/US engagement
       • Deployment experience
       • Feedback to Globus team
     • Look at policy specification for e-science resources
       • Definition through VOM
       • Implementation within CAS
     • Contribute experience to Grid building efforts
       • UK Level 2 Grid
       • Global Grid Forum
