
GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC

GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC. David Kelsey CLRC/RAL, UK d.p.kelsey@rl.ac.uk. £17M PPARC project to Build Grid for UK PP Sep 01 – Aug 04. GridPP. Provide architecture and middleware. Future LHC Experiments. Running US Experiments.


Presentation Transcript


  1. GridPP Security
     UK Security Workshop, 5-6 Dec 2002, NeSC
     David Kelsey, CLRC/RAL, UK, d.p.kelsey@rl.ac.uk
     D.P.Kelsey, GridPP Security

  2. £17M PPARC project to Build Grid for UK PP, Sep 01 – Aug 04
     • GridPP
     • Provide architecture and middleware
     • Future LHC Experiments
     • Running US Experiments
     • Use the Grid with simulated data
     • Use the Grid with real data

  3. GridPP Security
     • Same as EU DataGrid (see tomorrow)
     • But also US PPDG, GriPhyN, iVDGL
     • CERN LHC Computing Grid
     • Based on Globus GSI
     • But adding our own developments and functionality

  4. Security Requirements
     • 112 documented in D7.5 document
     • 72 essential, 37 desirable aims, 3 long-term aims
     • Authentication (17), Authorisation (32), Auditing (5), Non-repudiation (3), Delegation (8), Confidentiality (18), Integrity (4), Networking (2), Manageability (4), Usability (8), Interoperability (5), Scalability (1), Performance (5)
     • Includes
     • Virtual Organisations (VOs) – Role based authorisation
     • Authorise resources as well as users
     • Local Authorisation
     • Decisions and keep ACLs local to data
     • Confidentiality
     • Encrypted medical data
     • Don't know who is in a VO
     • International Collaboration – must inter-operate!

  5. Authentication
     • More details tomorrow
     • International Collaboration very important
     • Building "Trust" between national CAs
     • EDG defines list of "trusted" CAs
     • Currently 13 national CAs
     • Will grow to ~20

  6. Security Developments
     • Security components developed (see EDG web)
     • CA Trust Matrix tools
     • VO/LDAP & VOMS – Authorisation
     • LCAS, LCMAPS – local authorisation and mapping
     • Gridmapdir – dynamic leased accounts
     • Gridsite – certificate-based web management
     • SlashGrid – DN-based grid home file system
     • GACL – Library to parse ACLs (XML)
     • edg-java-security (for Data Management)
     • More details in tomorrow's talk

  7. Grid Deployment – issues
     • Legal, political, site security policies, etc.
     • The user does not (need to) know where the jobs will run
     • Cannot sign registration forms everywhere
     • Acceptable Use policies (Rules)
     • What is needed for User Registration?
     • We have a solution for EDG testbed
     • But not yet for full production (LCG considering this)
     • What is acceptable to Site Security Officers?
     • GGF Site-AAA research group
     • An extremely important area – could kill the Grid!

  8. Issues – Deployment (2) Virtual Organisation Management
     • VOs need to manage their members and sites/resource providers negotiate with VOs
     • Only system which will scale
     • Sites cannot manage large number of Grid users
     • Not just a technical problem!
     • Must develop procedures to allow this to happen
     • VOs not used to managing resources
     • Will Computer Centres give up (full) control?

  9. Summary
     • Authentication
     • Cross-Domain Trust is the big problem
     • Will it continue to scale?
     • Authorisation
     • The most IMPORTANT area
     • This is where the identity and rights need to be checked
     • Technology is immature
     • Need VO management procedures/tools
     • Many operational, legal, deployment issues
     • To establish "Trust" between Sites/VOs/users
     • Do/will sites trust each other?
     • EDG has several solutions – see tomorrow's talk

  10. Web links
     • GridPP http://www.gridpp.ac.uk
     • DataGrid http://www.eu-datagrid.org
     • LCG http://lcg.web.cern.ch/LCG/
     • GGF Security Area http://www.globalgridforum.org/2_SEC/SEC.htm
     • DataGrid Security Requirements document http://hepwww.rl.ac.uk/kelsey/datagrid-d7.5.pdf
