390 likes | 534 Views
Federating the Grid. David Kelsey TNC2010, Vilnius 2 Jun 2010. Introduction. “Real-life use cases in a cross-federated environment” What is happening in the production Grids in this area? Outline of talk The European Grid Infrastructure (EGI) The Grid Use Case(s)
E N D
Federating the Grid David Kelsey TNC2010, Vilnius2 Jun 2010
Introduction “Real-life use cases in a cross-federated environment” • What is happening in the production Grids in this area? Outline of talk • The European Grid Infrastructure (EGI) • The Grid Use Case(s) • Federated Identity Management for the Grid (IGTF) • Federated Security Policies (JSPG) • Future directions • not addressed here: operations, security incident response, support, … Disclaimers and thanks: • My personal views • not the official views of any Grid project, IGTF etc. • Thanks to (for slides): Steven Newhouse, Bob Jones, Sergio Bertolucci and David Groep • With modifications by me • Thanks to all my numerous colleagues in the Grids and IGTF – credit all due to them! Kelsey, TNC2010
The European Grid Infrastructure Kelsey, TNC2010
European e-Infrastructure • European Data Grid (EDG) • Explore concepts in a testbed • Enabling Grid for E-sciencE (EGEE) • Moving from prototype to production • Federation started in 2004 (with development since 2001) • European Grid Infrastructure (EGI) • Routine usage of a sustainable e-infrastructure 4 EGI-InSPIRE - EGEE UF5
EGI.eu A legal entity created in Feb 2010. Offices in Amsterdam. Operate a secure integrated production grid infrastructure that seamlessly federates resources from providers around Europe Coordinate the support of the research communities using the European infrastructure coordinated by EGI.eu Bob Jones - April 2010 5
The EGI-InSPIRE Project Funded Un-Funded Project Partners (48) EGI.eu, 37 NGIs, 2 EIROs, 8 AP Integrated Sustainable Pan-European Infrastructure for Researchers in Europe • A 4 year project with €25M EC contribution • Project cost €69M • Total Effort ~€330M • Staff ~ 170FTE EGI-InSPIRE - EGEE UF5 6
The Grid Use Case Kelsey, TNC2010
Security model • Many 100s Resource Providers (Sites) • Many 10s countries (National Grids) • Many 10,000s of Users (Global Grids) • In 100s of VOs (each using many Grids) • Keep AuthN and AuthZ separate • User gets an electronic ID (X.509 cert) • User registers once with the VO • And does not register with Sites Kelsey, TNC2010
Security model (2) • Single Sign-on per user session • Common AuthN and AuthZ middleware • Mutual authentication – client and server • Authorisation attributes per session from the VO (e.g. VOMS) • Groups, Roles and/or other attributes • Delegation is essential • Common security policies: AUP, Site & VO Kelsey, TNC2010
CERN Large Hadron Collider: An example of a Global Scientific Community Sergio Bertolucci CERN 5th EGEE User Forum Uppsala, 14th April 2010
Sergio Bertolucci, CERN 12 14th April 2010
The LHC Computing Challenge • Signal/Noise: 10-13 (10-9 offline) • Data volume • High rate * large number of channels * 4 experiments • 15 PetaBytes of new data each year • Compute power • Event complexity * Nb. events * thousands users • 200 k of (today's) fastest CPUs • 45 PB of disk storage • Worldwide analysis & funding • Computing funding locally in major regions & countries • Efficient analysis everywhere • GRID technology Sergio Bertolucci, CERN 13 14th April 2010
US-BNL WLCG Today Tier 0; 11 Tier 1s; 61 Tier 2 federations (121 Tier 2 sites) CERN Bologna/CNAF Ca-TRIUMF • Today we have 49 MoU signatories, representing 34 countries: • Australia, Austria, Belgium, Brazil, Canada, China, Czech Rep, Denmark, Estonia, Finland, France, Germany, Hungary, Italy, India, Israel, Japan, Rep. Korea, Netherlands, Norway, Pakistan, Poland, Portugal, Romania, Russia, Slovenia, Spain, Sweden, Switzerland, Taipei, Turkey, UK, Ukraine, USA. Taipei/ASGC NDGF US-FNAL UK-RAL Amsterdam/NIKHEF-SARA De-FZK 14th April 2010 Sergio Bertolucci, CERN Lyon/CCIN2P3 14 Barcelona/PIC
Running increasingly high workloads: Jobs in excess of 650k / day; Anticipate millions / day soon CPU equiv. ~100k cores Workloads are: Real data processing Simulations Analysis – more and more (new) users Data transfers at unprecedented rates Today WLCG is: e.g. CMS: no. users doing analysis Sergio Bertolucci, CERN 15
Federated Identity Management for Grids: The International Grid Trust Federation (IGTF) Kelsey, TNC2010
Grid Identity Management • International Grid Trust Federation (IGTF) • Formed in Oct 2005 • after 5 years of development in EU DataGrid, CrossGrid & EUGridPMA • 3 geographical Policy Management Authorities • EU (plus Middle East/Africa), The Americas, Asia Pacific • Coordinates a Global PKI (X.509) • Used by many different Grids • X.509 chosen because it was the best (only?) solution (in 2000) – we need delegation Kelsey, TNC2010
Identity Management (2) • Keep Authentication and Authorisation separate • Authentication best done by employing institute • Authorisation attributes assigned by the Virtual Organisation (VO) • IGTF defines minimum requirements and best practices • Accredits CAs against • 3 different authentication profiles Kelsey, TNC2010
Geographical coverage of the EUGridPMA • 25 of 27 EU member states (all except LU, MT) • + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID + CERN (int), DoEGrids(US)* Pending or in progress • SY, ZA, SN
TAGPMA Membership • ANSP - Brazil • NRC – Canada • ESnet (DOEGrids) – USA • EELA – International • Fermi National Accelerator Laboratory - USA • HEBCA/USHER/Dartmouth College – USA • IBDS (ANSP) - Brazil • WLCG – International • NCSA – USA • NCSA CILogon • NERSC – USA • NICS UT/ORNL– USA • NIH Dorian - USA • Open Science Grid – International • Purdue University – USA • REUNA – Chile • San Diego Supercomputer Center – USA • SENAMHI – Peru • TACC – USA • TeraGrid (PSC) – USA • Texas High Energy Grid– USA • University of Virginia – USA • UFF – Brazil • ULA – Venezuela • UNAM – Mexico • UNIANDES - Colombia • UNLP – Argentina IGTF Accredited CA Operators CA Accreditation in progress Interested in accreditation Relying Party
APGridPMA Members (15 + 1) • 15 Accredited CAs • AIST (JP) • APAC (AU) • ASGC (TW) • CNIC (CN), SDG • IGCA (IN) • IHEP (CN) • KEK (JP) • KISTI (KR) • NAREGI (JP) • NCHC (TW) • NECTEC (TH) • NGO/Netrust (SG) • PRAGMA-UCSD (US) • HKU (HK) • Mongolia - under accreditation • Coverage by RAs • Philippine, Vietnam, Malaysia, Indonesia, New Zealand & Sri Lanka (soon) CA: 9 Countries RA: + 6 Countries New: +1 Country
Relying Parties and IGTF • Relying Party: a consumer of the certificates • Important aspect of IGTF success • The PMAs allow for membership by Relying Parties • Important for input of end user requirements, e.g. naming, LoA, etc. Kelsey, TNC2010
Growth issues A few statistics: 86 trust anchors 3 operational authentication profiles 71 distinct authorities Mid-size CA: 500 active users Large CA: 5000- 20000 users Small CA: 1-10 users Research and educational community in a small country: ~ 1 000 000 people Number of end-users that understand PKI: << 1 % How can we maintain both trust and scalability? But not disenfranchise small communities And with a focus on end-to-end security risks
Federated CAs - To make use of other IdM systems Kelsey, TNC2010
Grid Certificates from other IdPs • Two IGTF profiles • Short Lived Credential Service (SLCS) • Certificate lifetime <1M seconds • Certificates linked to another authentication system – large site or federation • Member Integrated Credential Service (MICS) • Longer-lived certificates (<13 months) Kelsey, TNC2010
Grid & IGTF requirements on federations • LoA requirements on identity proofing • Persistent and unique naming • Used for Authorisation and traceability • Reasonable representation of names • Given name and surname • privacy issues • Revocation needs to be handled Kelsey, TNC2010
TERENA Certificate Service • A very important recent development • https://www.terena.org/activities/tcs/ • Use national AAI federations • And the already existing IdPs • Issue certificates quickly and easily to end users – eScience Personal TCS • Certs issued by a commercial CA • TCS also issues eScience Server certs Kelsey, TNC2010
Federated IGTF CAs elsewhere • USA - CIlogon • Leverage InCommon Silver for a SLCS certificate • http://www.cilogon.org/ • Australia - ARCS SLCS CA • National federation backed (AAF) • Shibboleth based • http://wiki.arcs.org.au/bin/view/Main/SLCS Kelsey, TNC2010
Federated Security Policies Kelsey, TNC2010
Policy Interoperability The Joint (EGEE/WLCG) Security Policy Group aimed to prepare simple and general policies applicable to the primary stakeholders, but also of use to other Grid infrastructures (NGI's etc) common policies eases the problems of interoperability (and scaling) Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO) Other participants then know that their actions are already bound by the policies No need for additional negotiation, registration or agreement Kelsey, TNC2010
JSPG Security Policies Security Incident Response Certification Authorities Traceability and Logging Site & VO Policies Security Policy Grid & VO AUPs Pilot Jobs and VO Portals Accounting DataPrivacy Kelsey, TNC2010
Security Policies: from EGEE to EGI Kelsey, TNC2010
EGI Security Policy Group • Primary stakeholders: NGIs, Sites, Application communities • Starting with the current set of JSPG policies • SPG will build on this to develop a policy framework • And produce template policies • And to address issues not yet fully covered • More formal responsibilities, privacy Kelsey, TNC2010
NRENs and Grids Advertise the upcoming “NRENs and Grids” workshop at EGI Technical Forum • Jointly organised by TERENA and EGI • 15 Sep 2010 - Amsterdam • http://www.terena.org/activities/nrens-n-grids/ • Indeed the whole Tech Forum (14-17 Sep) Kelsey, TNC2010
Future Directions • Production Grids already “federated” • AuthN scalability being actively addressed • Will be more use of AAI federations • Number of Grid-specific CAs will decrease • Privacy will become more of an issue • Will Grids start to use other AuthN middleware? • Control of Authorisation will grow in importance • Need to define best practice for VO attribute services • work has started in IGTF • Policy development will continue • e.g. Liabilities, responsibilities and data privacy Kelsey, TNC2010
Links • EGI http://www.egi.eu/ • IGTF http://www.igtf.net/ • EUGridPMA http://www.eugridpma.org/ • JSPG: http://www.jspg.org • EGEE http://www.eu-egee.org/ • WLCG http://lcg.web.cern.ch/LCG/ Kelsey, TNC2010
Questions? Kelsey, TNC2010