1 / 27

Credentials for Global High Performance/Grid Computing Research Community Scott Rea

Credentials for Global High Performance/Grid Computing Research Community Scott Rea. iTrust Forum, NIH, Bethesda, MD Dec 10, 2009. Global Research Community.

gaston
Download Presentation

Credentials for Global High Performance/Grid Computing Research Community Scott Rea

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Credentials for Global High Performance/Grid Computing Research Community Scott Rea iTrust Forum, NIH, Bethesda, MD Dec 10, 2009

  2. Global Research Community • The international research community is deploying large scale distributed computing grids on a production scale, across organizations, countries, and even continents, for the advancement of science and engineering etc. E.g. • The Large Hadron Collider near Geneva • Pittsburgh Supercomputing Center • Lawrence Berkeley National Laboratory • TeraGrid • Open Science Grid • UK eScience Grid • … • In shaping this common grid infrastructure, many of these grids are relying on common practices, policies and procedures to reliably identify grid subscribers and resources. • The International Grid Trust Federation was established to address this issue of common identity & authentication practices Scott Rea – scott.rea@dartmouth.edu

  3. International Grid Trust Federation • IGTF founded in Oct, 2005 at GGF 15 • IGTF Purpose: • Manage authentication services for global computational grids via policy and procedures • IGTF goal: • harmonize and synchronize member PMAs policies to establish and maintain global trust relationships • IGTF members: • 3 regional Policy Management Authorities • EUgridPMA • APgridPMA • TAGPMA • ~100 CAs, 75,000+ credentials Scott Rea – scott.rea@dartmouth.edu

  4. IGTF – the International Grid Trust Federation • common, global best practices for trust establishment • better manageability and coordination of the PMAs The Americas Grid PMA European Grid PMA Asia Pacific Grid PMA Scott Rea – scott.rea@dartmouth.edu

  5. Grid characteristics Some things that may make current edu-grids a bit ‘special’ compared to other distributed (computing) efforts inherently federated (multiple organisations involved) collaboration of individualsfrom different organisations most of the scientific grid communities today consist of people literally ‘scattered’ over many home organisations … internationally delegation – programs and services acting on your behalf – are an integral part of the architecture unattended operation resource brokering integrating compute, data access, databases in the same task ... resulted in early design choice for end-user PKI ... Scott Rea – scott.rea@dartmouth.edu

  6. Virtual vs. Organic structure Virtual communities (“virtual organizations”) are many An individual will typically be part of many communities has different roles in different VOs (distinct from organizational role) all at the same time, at the same set of resources but will require single sign-on across all these communities graphic: OGSA Architecture 1.0, OGF GFD-I.030 Scott Rea – scott.rea@dartmouth.edu

  7. Trust relationships For the VO model to work, parties need a trust relationship the alternative: every user needs to register at every resource need to provide a ‘sign-on’ for the user that works across VOs Org. Certification FederatedCertificationAuthorities Org. Certification Authority Authority Policy Policy Authority Authority Sub-Domain B1 Sub-Domain A1 Domain A AuthZFederation Service Domain B Task Secure Connection Virtual Organization Domain Server X Server Y graphic from: Frank Siebenlist, Argonne Natl. Lab, Globus Alliance Scott Rea – scott.rea@dartmouth.edu

  8. Separating responsibilities Single Authentication token (“passport”) key issue: provide a persistent, trusted identifier issued by a party trusted by all, recognised by many resource providers, users, and VOs satisfy traceability and persistency requirement in itself does not grant any access, but provides a unique binding between an identifier and the subject Per-VO Authorisations (“visa”) granted to a person/service via a virtual organisation based on the identifier acknowledged by the resource owners today largely role-based access control but providers can also obtain lists of authorised users per VO, can still ban individual users most of the real liability and responsibility goes here Scott Rea – scott.rea@dartmouth.edu

  9. Authentication model Design and implementation choices made with the emergence of production-oriented grids in 2000:urgent need and focus was on providing cross-national trustinitially, in the context of the EU FP5 ‘DataGrid’ and ‘CrossGrid’ projects National PKI in general uptake of 1999/93/EC and e-Identification is slow where available a national PKI could be leveraged Various commercial providers Main commercial drive: secure web servers based on PKI Entrust, Global Sign, Thawte, Comodo, Verisign, SwissSign, QuoVadis, … primary market is server authentication, not end-user identities use of commercial CAs solves the ‘pop-up’ problem... so for (web) servers a pop-up free service is actually needed! Grass-roots CAs usually project specific, and without any documented policies unsuitable for the ‘production’ infrastructure envisioned in 2000 Scott Rea – scott.rea@dartmouth.edu

  10. A Federation Model for Grid Authentication A Federation of many independent CAs Policy coordination based on common minimum requirements(not ‘policy harmonisation’) Acceptable for major relying parties in Grid Infrastructures No strict hierarchy with a single top leverage of national efforts and subsidiarity Allow incorporation of many pre-existing CAs charter guidelines acceptance process CA 2 CA 1 relying party n CA n CA 3 relying party 1 Scott Rea – scott.rea@dartmouth.edu

  11. Building the CA federation Providers and Relying Parties together shapedthe common minimum requirements Authorities compliant with minimum requirements (profile) Peer-review process within the federation to (re) evaluate members on entry & periodically Reduce effort on the relying parties single document to review and assess for all Authorities collective acceptance of all accredited authorities Reduce cost on the authorities but participation in the federation comes with a price … the ultimate decision always remains with the RP Scott Rea – scott.rea@dartmouth.edu

  12. ‘Reasonable procedure … acceptable methods’ Defined assurance level based on minimum requirements CP/CPS for “acceptable and trustworthy” Grid CAs Minimum requirements for RA - Testbed 1 --------------------------------------- An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate e.g. by personal contact or some other rigorous method The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP. Communication between RA and CA ------------------------------- Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person Minimum requirements for CA - Testbed 1 --------------------------------------- The issuing machine must be: a dedicated machine located in a secure environment be managed in an appropriately secure way by a trained person the private key (and copies) should be locked in a safe or other secure place the private keu must be encrypted with a pass phrase having at least 15 characters the pass phrase must only be known by the Certificate issuer(s) not be connected to any network minimum length of user private keys must be 1024 min length of CA private key must be 2048 requests for machine certificates must be signed by personal certificates or verified by other appropriate means ... History Scott Rea – scott.rea@dartmouth.edu

  13. March 2003: The Tokyo Accord Coordination with similar efforts in the rest of the world … meet at GGF conferences. … … work on … Grid Policy Management Authority: GRIDPMA.org develop Minimum requirements – based on EDG work develop a Grid Policy Management Authority Charter [with] representatives from major Grid PMAs: European Data Grid and Cross Grid PMA: 16 countries, 19 organizations NCSA Alliance Grid Canada DOEGrids PMA NASA Information Power Grid TERENA Asian Pacific PMA:AIST, Japan; SDSC, USA; KISTI, Korea; Bll, Singapore; Kasetsart Univ., Thailand; CAS, China History Scott Rea – scott.rea@dartmouth.edu

  14. 2005 IGTF – the International Grid Trust Federation • common, global best practices for trust establishment • better manageability and coordination of the PMAs The Americas Grid PMA European Grid PMA Asia Pacific Grid PMA Scott Rea – scott.rea@dartmouth.edu

  15. New CAs: the Accreditation Process Accreditation Guidelines for IGTF PMAs Basic elements: Codification of procedures in a CP(S) for each CA de facto lots of copy/paste, except for vetting sections Peer-review process for evaluation comments welcomed from all PMA members two assigned referees In-person appearance during a review meeting Accreditation after remaining issues are addressed (by e-mail) Discussions remain important, as not all details are codified! Accreditation model for each PMA typically embedded in their charter … Periodic re-appearance and re-discussion are needed Scott Rea – scott.rea@dartmouth.edu

  16. Geographical coverage of the EUGridPMA • 23 of 25 EU member states (all except LU, MT) • + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID + CA, CERN (int), DoEGrids(US)* Pending or in progress • BY, MD, SY, LV, ZA, SN Scott Rea – scott.rea@dartmouth.edu

  17. History Scott Rea – scott.rea@dartmouth.edu

  18. Scott Rea – scott.rea@dartmouth.edu

  19. TAGPMA • Covers Grid based operations in North, Central, and South America • Officers • Chair: Scott Rea (Dartmouth) • Vice Chair: Roger Impey (CANARIE) • Secretary: Doug Olson (OSG) Scott Rea – scott.rea@dartmouth.edu

  20. Current TAGPMA Membership Scott Rea – scott.rea@dartmouth.edu

  21. Current TAGPMA Membership • 23 Members from North, Central and South America • Covering Canada, US, Mexico, Venezuela, Chile, Peru Argentina, Brazil, and Colombia. Two Catchall CAs cover the remaining countries. • 15 IGTF Accredited CAs • 9 Classic • TACC - US, UFF BrGrid & UFF LACGrid - Brazil, UNLPGrid - Argentina, REUNA – Chile, ULAGrid – Venezuela, GridCanada, UNAM - Mexico. • NOTE: DOE Grid accredited by EUGridPMA • 4 SLCS (NCSA x 2, FermiLabs, and NERSC - US) • 2 MICS (NCSA and TACC - US) • 2 CAs pending accreditation, 2 more proposed & active • 2 Classic pending (SENAMHI – Peru, UNIANDES - Colombia) • 1 Classic proposed (ANSP – Br), 1 MICS proposed (SDSC – US) • 5 Relying Parties • (OSG, TeraGrid, THEgrid, LCG, Dartmouth/HEBCA) • Associate Member (due to inactivity) • UVA (Jim Jokl) Scott Rea – scott.rea@dartmouth.edu

  22. Communication Infrastructure • IGTF Website http://www.igtf.net • TAGPMA Website http://www.tagpma.org • Hosts static, public information • Still undergoing updates • TAGPMA twiki http(s)://tagpma.es.net/wiki • hosts TAGPMA documents, tutorials etc. • Mailing list tagpma-general and other IGTF aliases managed by ESnet. • Email any issues direct to the Chair (Scott.Rea@Dartmouth.EDU) Scott Rea – scott.rea@dartmouth.edu

  23. Next TAGPMA F2F Meetings • 11th TAGPMA F2F planned for Lima, Peru • 1st week, May, 2010 • 12th TAGPMA F2F planned for Lubbock, TX • 3-4 October, 2010 • Bi-weekly video conference calls (Wednesdays) to conduct business in the interim Scott Rea – scott.rea@dartmouth.edu

  24. 2005 IGTF – the International Grid Trust Federation • common, global best practices for trust establishment • better manageability and coordination of the PMAs The Americas Grid PMA European Grid PMA Asia Pacific Grid PMA Scott Rea – scott.rea@dartmouth.edu

  25. Proposed Inter-federations CA-2 CA-1 CA-2 CA-3 HE BR CA-1 AusCert CAUDIT PKI CA-n NIH HE JP FBCA Cross-cert Cross-certs C-4 DST ACES Texas Dartmouth HEBCA Cross-certs IGTF Wisconsin UVA Univ-N USHER CertiPath SAFE CA-4 Other Bridges CA-1 CA-2 CA-3 Scott Rea – scott.rea@dartmouth.edu

  26. Mapping Credentials E-AUTH FPKI E-Auth Level 4 High HEBCA/USHER High Medium Hardware CBP Medium E-Auth Level 3 Medium Software CBP Classic Strong Basic Basic Rudimentary Rudimentary E-Auth Level 2 C-4 IGTF Classic Ca Foundation E-Auth Level 1 SLCS MICS Scott Rea – scott.rea@dartmouth.edu

  27. Questions? • Thanks Scott Rea – scott.rea@dartmouth.edu

More Related