Credentials for Global High Performance/Grid Computing Research Community
Scott Rea
iTrust Forum, NIH, Bethesda, MD, Dec 10, 2009
Global Research Community
• The international research community is deploying large-scale distributed computing grids on a production scale, across organizations, countries, and even continents, for the advancement of science and engineering. E.g.:
  • The Large Hadron Collider near Geneva
  • Pittsburgh Supercomputing Center
  • Lawrence Berkeley National Laboratory
  • TeraGrid
  • Open Science Grid
  • UK eScience Grid
  • …
• In shaping this common grid infrastructure, many of these grids rely on common practices, policies and procedures to reliably identify grid subscribers and resources.
• The International Grid Trust Federation was established to address this issue of common identity and authentication practices.
Scott Rea – scott.rea@dartmouth.edu
International Grid Trust Federation
• IGTF founded in Oct 2005 at GGF 15
• IGTF purpose:
  • Manage authentication services for global computational grids via policy and procedures
• IGTF goal:
  • Harmonize and synchronize member PMAs' policies to establish and maintain global trust relationships
• IGTF members:
  • 3 regional Policy Management Authorities
    • EUgridPMA
    • APgridPMA
    • TAGPMA
  • ~100 CAs, 75,000+ credentials
IGTF – the International Grid Trust Federation
• Common, global best practices for trust establishment
• Better manageability and coordination of the PMAs
[figure: the three regional PMAs – The Americas Grid PMA, European Grid PMA, Asia Pacific Grid PMA]
Grid characteristics
Some things that may make current edu-grids a bit ‘special’ compared to other distributed (computing) efforts:
• Inherently federated (multiple organisations involved)
  • Collaboration of individuals from different organisations
  • Most of the scientific grid communities today consist of people literally ‘scattered’ over many home organisations … internationally
• Delegation – programs and services acting on your behalf – is an integral part of the architecture
  • Unattended operation
  • Resource brokering
  • Integrating compute, data access, databases in the same task
• ... resulted in the early design choice for end-user PKI ...
Virtual vs. Organic structure
• Virtual communities (“virtual organizations”) are many
• An individual will typically be part of many communities
  • Has different roles in different VOs (distinct from organizational role)
  • All at the same time, at the same set of resources
  • But will require single sign-on across all these communities
[graphic: OGSA Architecture 1.0, OGF GFD-I.030]
Trust relationships
• For the VO model to work, parties need a trust relationship
  • The alternative: every user needs to register at every resource
• Need to provide a ‘sign-on’ for the user that works across VOs
[figure: federated certification authorities and policy authorities spanning Domain A (Sub-Domain A1) and Domain B (Sub-Domain B1); a task from a Virtual Organization opens a secure connection to Server X and Server Y via an AuthZ federation service; graphic from Frank Siebenlist, Argonne Natl. Lab, Globus Alliance]
Separating responsibilities
• Single authentication token (“passport”)
  • Key issue: provide a persistent, trusted identifier
  • Issued by a party trusted by all, recognised by many resource providers, users, and VOs
  • Satisfies the traceability and persistency requirement
  • In itself does not grant any access, but provides a unique binding between an identifier and the subject
• Per-VO authorisations (“visa”)
  • Granted to a person/service via a virtual organisation, based on the identifier
  • Acknowledged by the resource owners
  • Today largely role-based access control
  • But providers can also obtain lists of authorised users per VO, and can still ban individual users
  • Most of the real liability and responsibility goes here
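The passport/visa split above, as an added example that is not part of the original slides or of any grid middleware: the CA-issued identity only binds a persistent identifier (here the certificate subject DN) to a person, while the access decision comes from the per-VO authorisation, which the resource provider maps onto local role-based permissions and can override with its own per-VO ban list. All DNs, VO names and roles are constructed sample data.

```python
"""Added example (not from the slides): the passport/visa split.

The CA-issued identity (the "passport") only binds a persistent identifier,
here the certificate subject DN, to a person. Access is decided from the
per-VO authorisations (the "visa"): VO membership and roles, which resource
providers map onto local permissions and can override with a per-VO ban.
All VO names, roles and DNs below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Passport:
    """Identity token: only a trusted, persistent identifier, no rights."""
    subject_dn: str          # e.g. "/DC=org/DC=example/O=Users/CN=Alice"
    issuer_dn: str           # the accredited CA that issued it


@dataclass(frozen=True)
class Visa:
    """Per-VO authorisation bound to the passport's identifier."""
    subject_dn: str
    vo: str
    roles: frozenset


@dataclass
class ResourceProvider:
    """A site that trusts a set of CAs, acknowledges some VOs, and keeps its own bans."""
    trusted_issuers: set
    # VO -> role -> set of permitted actions (role-based access control)
    vo_policy: dict
    # VO -> set of subject DNs the provider refuses even if the VO authorises them
    banned: dict = field(default_factory=dict)

    def authorize(self, passport: Passport, visa: Visa, action: str) -> tuple:
        """Return (allowed, reason). Identity and authorisation are checked separately."""
        # 1. Authentication: the passport must come from a CA the provider trusts.
        if passport.issuer_dn not in self.trusted_issuers:
            return False, "issuer not trusted"
        # 2. The visa must be bound to the same persistent identifier.
        if visa.subject_dn != passport.subject_dn:
            return False, "visa not bound to this identity"
        # 3. The VO must be acknowledged by this resource owner.
        roles_policy = self.vo_policy.get(visa.vo)
        if roles_policy is None:
            return False, f"VO {visa.vo} not supported here"
        # 4. A provider-side ban overrides any VO authorisation.
        if passport.subject_dn in self.banned.get(visa.vo, set()):
            return False, f"subject banned for VO {visa.vo}"
        # 5. Role-based check: any held role that grants the action suffices.
        for role in visa.roles:
            if action in roles_policy.get(role, set()):
                return True, f"role {role} in VO {visa.vo} grants {action}"
        return False, "no role grants this action"


# Constructed sample data (hypothetical CA and users).
CA_DN = "/DC=org/DC=example/CN=Example Grid CA"
ALICE = Passport("/DC=org/DC=example/O=Users/CN=Alice", CA_DN)
BOB = Passport("/DC=org/DC=example/O=Users/CN=Bob", CA_DN)

SITE = ResourceProvider(
    trusted_issuers={CA_DN},
    vo_policy={
        "atlas": {"member": {"submit"}, "production": {"submit", "write-data"}},
        "cms": {"member": {"submit"}},
    },
    banned={"atlas": {BOB.subject_dn}},
)


def demo() -> dict:
    """Run a few decisions and return allow/deny keyed by description."""
    return {
        "alice atlas member submit": SITE.authorize(
            ALICE, Visa(ALICE.subject_dn, "atlas", frozenset({"member"})), "submit")[0],
        "alice atlas member write": SITE.authorize(
            ALICE, Visa(ALICE.subject_dn, "atlas", frozenset({"member"})), "write-data")[0],
        "alice cms production write": SITE.authorize(
            ALICE, Visa(ALICE.subject_dn, "cms", frozenset({"production"})), "write-data")[0],
        "bob atlas banned": SITE.authorize(
            BOB, Visa(BOB.subject_dn, "atlas", frozenset({"production"})), "submit")[0],
        "bob cms ok": SITE.authorize(
            BOB, Visa(BOB.subject_dn, "cms", frozenset({"member"})), "submit")[0],
        "visa of another subject": SITE.authorize(
            BOB, Visa(ALICE.subject_dn, "atlas", frozenset({"production"})), "submit")[0],
    }


if __name__ == "__main__":
    for description, allowed in demo().items():
        print(f"{description}: {'allow' if allowed else 'deny'}")
```

The point of the separation shows in the last three cases: Bob's ban applies only inside the ATLAS VO and leaves his CMS access intact, and a visa that names a different subject than the passport is refused before any role is consulted.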
Authentication model
Design and implementation choices made with the emergence of production-oriented grids in 2000: the urgent need and focus was on providing cross-national trust, initially in the context of the EU FP5 ‘DataGrid’ and ‘CrossGrid’ projects.
• National PKI
  • In general, uptake of 1999/93/EC and e-Identification is slow
  • Where available, a national PKI could be leveraged
• Various commercial providers
  • Main commercial drive: secure web servers based on PKI
  • Entrust, Global Sign, Thawte, Comodo, Verisign, SwissSign, QuoVadis, …
  • Primary market is server authentication, not end-user identities
  • Use of commercial CAs solves the ‘pop-up’ problem ... so for (web) servers a pop-up free service is actually needed!
• Grass-roots CAs
  • Usually project specific, and without any documented policies
  • Unsuitable for the ‘production’ infrastructure envisioned in 2000
A Federation Model for Grid Authentication
• A federation of many independent CAs
  • Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
  • Acceptable for major relying parties in grid infrastructures
• No strict hierarchy with a single top
  • Leverage of national efforts and subsidiarity
  • Allows incorporation of many pre-existing CAs
[figure: charter, guidelines and acceptance process binding CA 1 … CA n to relying party 1 … relying party n]
Building the CA federation
• Providers and relying parties together shaped the common minimum requirements
• Authorities compliant with minimum requirements (profile)
• Peer-review process within the federation to (re)evaluate members on entry and periodically
• Reduce effort on the relying parties
  • Single document to review and assess for all authorities
  • Collective acceptance of all accredited authorities
• Reduce cost on the authorities
  • But participation in the federation comes with a price …
• The ultimate decision always remains with the RP
‘Reasonable procedure … acceptable methods’
• Defined assurance level based on minimum requirements
• CP/CPS for “acceptable and trustworthy” Grid CAs

Minimum requirements for RA - Testbed 1
---------------------------------------
An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method. The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

Communication between RA and CA
-------------------------------
Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with a known person.

Minimum requirements for CA - Testbed 1
---------------------------------------
The issuing machine must be:
  • a dedicated machine
  • located in a secure environment
  • managed in an appropriately secure way by a trained person
  • the private key (and copies) should be locked in a safe or other secure place
  • the private key must be encrypted with a pass phrase having at least 15 characters
  • the pass phrase must only be known by the certificate issuer(s)
  • not connected to any network
Minimum length of user private keys must be 1024.
Minimum length of the CA private key must be 2048.
Requests for machine certificates must be signed by personal certificates or verified by other appropriate means.
...
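The two slides above describe how the federation works in practice: a CA's CP/CPS is reviewed against the common minimum requirements, and each relying party then decides for itself which accredited CAs to install, since the ultimate decision stays with the RP. The following is an added example, not code from the slides or from IGTF, of both steps: a checker for the Testbed-1 CA requirements quoted above, and an RP trust-anchor selection that layers local policy (accepted profiles, local exclusions, a stricter key-length floor) on top of federation accreditation. All CA names and values are constructed sample data; the `CaProfile` field names and the profile labels are hypothetical.

```python
"""Added example (not from the slides or from any IGTF tooling).

Two steps of the federation model: (1) check a CA's self-declared CP/CPS
facts against the Testbed-1 minimum requirements quoted on the slide, as a
peer reviewer would; (2) let a relying party build its own trust-anchor
set from the federation's accredited list, applying local policy on top,
since the ultimate decision stays with the RP. All CA names and values
are constructed sample data; the field names are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class CaProfile:
    name: str
    dedicated_machine: bool
    secure_environment: bool
    offline: bool                 # issuing machine not connected to any network
    key_in_safe: bool
    passphrase_len: int
    ca_key_bits: int
    min_user_key_bits: int        # smallest user key the CA will certify
    machine_requests_verified: bool
    accreditation: str = "classic"   # authentication profile label, e.g. classic/slcs/mics


def minimum_requirement_findings(ca: CaProfile) -> list:
    """Return the unmet Testbed-1 minimum requirements (empty list means compliant)."""
    checks = [
        (ca.dedicated_machine, "issuing machine must be dedicated"),
        (ca.secure_environment, "issuing machine must be in a secure environment"),
        (ca.offline, "issuing machine must not be connected to any network"),
        (ca.key_in_safe, "private key (and copies) must be locked in a safe"),
        (ca.passphrase_len >= 15, "pass phrase must have at least 15 characters"),
        (ca.ca_key_bits >= 2048, "CA private key must be at least 2048 bits"),
        (ca.min_user_key_bits >= 1024, "user private keys must be at least 1024 bits"),
        (ca.machine_requests_verified,
         "machine certificate requests must be signed by personal certificates or verified"),
    ]
    return [msg for ok, msg in checks if not ok]


@dataclass
class RelyingPartyPolicy:
    """Local policy layered on top of federation accreditation."""
    accepted_profiles: set                            # e.g. {"classic", "mics"}
    excluded_cas: set = field(default_factory=set)    # CAs this RP refuses regardless
    local_min_ca_key_bits: int = 2048                 # RP may demand more than the federation


def select_trust_anchors(distribution: list, policy: RelyingPartyPolicy) -> dict:
    """Map each CA in the federation distribution to 'trusted' or the reason it is not."""
    decision = {}
    for ca in distribution:
        findings = minimum_requirement_findings(ca)
        if findings:
            decision[ca.name] = "not accredited: " + "; ".join(findings)
        elif ca.name in policy.excluded_cas:
            decision[ca.name] = "excluded by local RP policy"
        elif ca.accreditation not in policy.accepted_profiles:
            decision[ca.name] = f"profile {ca.accreditation} not accepted by this RP"
        elif ca.ca_key_bits < policy.local_min_ca_key_bits:
            decision[ca.name] = "CA key shorter than local RP minimum"
        else:
            decision[ca.name] = "trusted"
    return decision


# Constructed sample distribution (hypothetical CAs).
DISTRIBUTION = [
    CaProfile("Sample Classic CA", True, True, True, True, 20, 4096, 1024, True, "classic"),
    CaProfile("Sample SLCS CA", True, True, True, True, 16, 2048, 1024, True, "slcs"),
    CaProfile("Weak Project CA", True, False, False, True, 8, 1024, 512, False, "classic"),
    CaProfile("Locally Refused CA", True, True, True, True, 15, 2048, 1024, True, "classic"),
]

RP_POLICY = RelyingPartyPolicy(
    accepted_profiles={"classic", "mics"},
    excluded_cas={"Locally Refused CA"},
    local_min_ca_key_bits=2048,
)


if __name__ == "__main__":
    for name, verdict in select_trust_anchors(DISTRIBUTION, RP_POLICY).items():
        print(f"{name}: {verdict}")
```

Keeping the federation check and the RP policy as separate functions mirrors the slide: the accreditation review is done once for everyone, while each site still applies its own exclusions and profile choices before installing an anchor.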
History – March 2003: The Tokyo Accord
• Coordination with similar efforts in the rest of the world … meet at GGF conferences … work on …
• Grid Policy Management Authority: GRIDPMA.org
  • Develop minimum requirements – based on EDG work
  • Develop a Grid Policy Management Authority charter
• [With] representatives from major Grid PMAs:
  • European Data Grid and Cross Grid PMA: 16 countries, 19 organizations
  • NCSA Alliance
  • Grid Canada
  • DOEGrids PMA
  • NASA Information Power Grid
  • TERENA
  • Asian Pacific PMA: AIST, Japan; SDSC, USA; KISTI, Korea; BII, Singapore; Kasetsart Univ., Thailand; CAS, China
New CAs: the Accreditation Process
• Accreditation Guidelines for IGTF PMAs
• Basic elements:
  • Codification of procedures in a CP(S) for each CA
    • De facto lots of copy/paste, except for the vetting sections
  • Peer-review process for evaluation
    • Comments welcomed from all PMA members
    • Two assigned referees
  • In-person appearance during a review meeting
  • Accreditation after remaining issues are addressed (by e-mail)
• Discussions remain important, as not all details are codified!
• Accreditation model for each PMA typically embedded in their charter …
• Periodic re-appearance and re-discussion are needed
Geographical coverage of the EUGridPMA
• 23 of 25 EU member states (all except LU, MT)
• + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID
• + CA, CERN (int), DoEGrids (US)*
• Pending or in progress: BY, MD, SY, LV, ZA, SN
TAGPMA
• Covers grid-based operations in North, Central, and South America
• Officers
  • Chair: Scott Rea (Dartmouth)
  • Vice Chair: Roger Impey (CANARIE)
  • Secretary: Doug Olson (OSG)
Current TAGPMA Membership
• 23 members from North, Central and South America
  • Covering Canada, US, Mexico, Venezuela, Chile, Peru, Argentina, Brazil, and Colombia. Two catch-all CAs cover the remaining countries.
• 15 IGTF accredited CAs
  • 9 Classic
    • TACC – US, UFF BrGrid & UFF LACGrid – Brazil, UNLPGrid – Argentina, REUNA – Chile, ULAGrid – Venezuela, GridCanada, UNAM – Mexico
    • NOTE: DOE Grid accredited by EUGridPMA
  • 4 SLCS (NCSA x 2, FermiLabs, and NERSC – US)
  • 2 MICS (NCSA and TACC – US)
• 2 CAs pending accreditation, 2 more proposed & active
  • 2 Classic pending (SENAMHI – Peru, UNIANDES – Colombia)
  • 1 Classic proposed (ANSP – Br), 1 MICS proposed (SDSC – US)
• 5 Relying Parties
  • (OSG, TeraGrid, THEgrid, LCG, Dartmouth/HEBCA)
• Associate Member (due to inactivity)
  • UVA (Jim Jokl)
Communication Infrastructure
• IGTF website: http://www.igtf.net
• TAGPMA website: http://www.tagpma.org
  • Hosts static, public information
  • Still undergoing updates
• TAGPMA twiki: http(s)://tagpma.es.net/wiki
  • Hosts TAGPMA documents, tutorials etc.
• Mailing list tagpma-general and other IGTF aliases managed by ESnet
• Email any issues direct to the Chair (Scott.Rea@Dartmouth.EDU)
Next TAGPMA F2F Meetings
• 11th TAGPMA F2F planned for Lima, Peru
  • 1st week of May, 2010
• 12th TAGPMA F2F planned for Lubbock, TX
  • 3–4 October, 2010
• Bi-weekly video conference calls (Wednesdays) to conduct business in the interim
Proposed Inter-federations
[figure: proposed cross-certification among bridges and federations – IGTF (CA-1 … CA-n), HEBCA (Dartmouth, Texas, Wisconsin, UVA, Univ-N), USHER, FBCA (with NIH), CertiPath, SAFE, C-4, HE BR, HE JP, AusCert / CAUDIT PKI, DST ACES and other bridges, linked by cross-certs]
Mapping Credentials
[figure: assurance-level mapping across credential schemes – E-Auth (Levels 1–4), FPKI (High, Medium Hardware, Medium, Basic, Rudimentary), HEBCA/USHER (High, Medium, Basic, Rudimentary), CBP (Medium Hardware, Medium Software), C-4 (Strong, Foundation) and IGTF (Classic, SLCS, MICS); the row alignment between schemes is not recoverable from the extracted text]
Questions?
• Thanks