Grid Security: Present and Future
Alan Robiette, JISC Development Group <a.robiette@jisc.ac.uk>
Grid Security Workshop

Overview
• Existing Grid security model
• The Grid Security Infrastructure (GSI)
• Web services and security models for web services (WS-Security)
• Security architecture for the Open Grid Services Architecture (OGSA)
• References for further reading

The Grid today
• Globus Toolkit v2 – Grid Security Infrastructure (GSI)
• Two core concepts
• X.509 digital certificates used as identity credentials
• Short-lived “proxy certificates” used to delegate identity temporarily to other processes
• Standard tools (e.g. GridFTP) modified for authentication via certificates

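The two core concepts above, as an added example (not from the original slides or from Globus code): a Python model of the checks a relying party applies to a delegation chain made of an identity certificate plus short-lived proxies. Signature verification is omitted, and the `Cert` class, `make_proxy`, `effective_identity`, the 12-hour limit and all names and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PROXY_LIFETIME = timedelta(hours=12)  # assumed local policy, not a GSI constant

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_proxy: bool = False

def make_proxy(parent, start, hours):
    """Model delegation: the parent credential issues a proxy named under its own subject."""
    return Cert(parent.subject + "/CN=proxy", parent.subject,
                start, start + timedelta(hours=hours), is_proxy=True)

def effective_identity(chain, now):
    """chain[0] is the long-lived identity certificate, followed by zero or more proxies.
    Returns the identity the chain delegates, or raises ValueError."""
    if not chain or chain[0].is_proxy:
        raise ValueError("chain must start with an identity certificate")
    parent = chain[0]
    if not parent.not_before <= now <= parent.not_after:
        raise ValueError("identity certificate not valid now")
    for proxy in chain[1:]:
        if not proxy.is_proxy or proxy.issuer != parent.subject:
            raise ValueError("proxy was not issued by the preceding credential")
        if not proxy.subject.startswith(parent.subject + "/CN="):
            raise ValueError("proxy subject is not under its issuer's name")
        if not proxy.not_before <= now <= proxy.not_after:
            raise ValueError("proxy expired or not yet valid")
        if proxy.not_after > parent.not_after:
            raise ValueError("proxy outlives the credential that issued it")
        if proxy.not_after - proxy.not_before > MAX_PROXY_LIFETIME:
            raise ValueError("proxy lifetime exceeds policy")
        parent = proxy
    return chain[0].subject

# Constructed sample data: a user certificate and two levels of delegation.
NOW = datetime(2003, 1, 15, 12, 0, tzinfo=timezone.utc)
USER = Cert("/O=Grid/OU=Example/CN=Test User", "/O=Grid/CN=Example CA",
            NOW - timedelta(days=30), NOW + timedelta(days=335))
LOGIN_PROXY = make_proxy(USER, NOW - timedelta(hours=1), 12)
JOB_PROXY = make_proxy(LOGIN_PROXY, NOW, 2)

if __name__ == "__main__":
    print(effective_identity([USER, LOGIN_PROXY, JOB_PROXY], NOW))
```

The chain resolves to the user's own subject however many proxies sit below it, which is why a stolen proxy is bounded by its lifetime rather than by the identity certificate's.
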
Authorisation
• Authentication (knowing who you are dealing with) is reasonably secure in Globus v2
• Authorisation (managing access to resources on the basis of an individual’s attributes or role) is a much more open question
• Available solutions are immature, or not well tested in practical circumstances

Web services
• The concept of web services is a hot topic in commercial circles
• Web services are self-describing services which can interact in a machine-to-machine mode, with little or no human intervention
• Intended to improve the efficiency of business-to-business processes
• Common verbs: publish, locate, bind

Web services diagram

Implementation
• Most commonly implemented using XML
• Service descriptions written in WSDL (Web Services Description Language)
• Services communicate via messages expressed in SOAP (Simple Object Access Protocol)
• All over HTTP and port 80 …
• Security for Web services is a question of securing SOAP message exchanges

WS-Security
• First roadmaps and draft specifications published April 2002 by IBM, Microsoft and Verisign
• Standardisation activity now transferred to the OASIS-Open consortium
• http://www.oasis-open.org/committees/wss/
• Very complex model (next slide)

WS-Security model

Open Grid services
• OGSA (Open Grid Services Architecture) is billed as the future of the Grid
• Builds on web services concept but extends it significantly
• E.g. Grid processes typically may need to invoke transient services
• Concept of “service factory”

OGSA security
• Correspondingly builds on web services security
• But requires significant extensions to cope with the virtual organisation problem
• Unlike the relatively homogeneous approach of GSI, OGSA security envisages translation and mapping of security parameters (e.g. credentials) between different domains

OGSA security services

Another view

Conclusions
• Globus/GSI today is fairly stable, with authorisation the main outstanding problem
• WS-Security will get there in time
• Though implementations may vary in how complete they are
• OGSA Security (Globus v3) is an ambitious target
• And there is a good way still to go!

References
• Globus version 2 and GSI
• http://www.globus.org/security/
• http://www.gridforum.org/2_SEC/GSI.htm
• Web services and WS-Security
• http://www.w3.org/2002/ws/
• http://www.oasis-open.org/committees/wss/
• OGSA security
• http://www.globus.org/ogsa/security/
• http://www.gridforum.org/2_SEC/ogsa-sec.htm