Security Area in GridPP2
• "Proforma-2 posts" overview
• Deliverables
  • Local Access
  • Local Usage
  • VO Tools
  • Security co-ordination
  • Tier 2 VO and Security posts
• Future LCG/EGEE Security Work
• Dissemination

GridPP 2 Posts
• 1.0 FTE for Local Access Control (Manchester)
  • GACL and GridSite library extensions
• 1.0 FTE for Local Usage Control (Manchester)
  • For sites to control disk use etc.
• 0.5 FTE for VO Tools (Manchester)
  • GridSite
• 1.0 FTE for Security co-ordination (RAL)
  • Mostly LCG follow-on from the EDG Security Group
• 0.5 FTE for Tier-2 VO Operations (Manchester)
• 1.0 FTE for Tier-2 Security Officer (RAL)

Deliverables: Task 1
• Task 1 Local Access Control (1.0 FTE)
  • Month 6: Hardening of GridSite and SlashGrid for bulk file handling
  • Month 12: Profile for use of the XACML policy language
  • Month 18: XACML and C/C++/Java support via the GACL API
  • Month 24: Updates integrated into SlashGrid and GridSite releases
  • Month 30: Further performance and robustness requirements/improvements
  • Month 36: Final release of standards-based GridSite/GACL library

Deliverables: Task 2
• Task 2 Local Usage Control (1.0 FTE)
  • Month 6: Requirements gathering for Usage Control
  • Month 12: Prototype application of Usage Control to services
  • Month 18: Prototype XML representation of Usage Control
  • Month 24: SlashGrid and GridSite releases with support for Usage Control
  • Month 30: Co-ordination of standards with GGF etc. accounting groups
  • Month 36: Final release, including reporting usage to the Virtual Organization

Deliverables: Task 3
• Task 3 Virtual Organization Tools (0.5 FTE)
  • Month 6: Integration of VOMS interface to GridSite lightweight groups
  • Month 12: Improvements to the GridSite user interface after a user survey
  • Month 18: Ad-hoc group creation and user tools
  • Month 24: Prototype usage control/reporting in GridSite
  • Month 30: Implementation of further requirements after initial deployment
  • Month 36: Final release of standards-based VO usage administration
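Tasks 1 and 3 both turn on the same mechanism: a GridSite access-control list (GACL) that grants read/list/write/admin on a resource to a caller identified by an X.509 DN or by VOMS group membership. The slides do not show how such a list is evaluated, so here is a small model of it. This is an added example written for this page, in Python rather than GridSite's own C; it is not GridSite's code. The document shape (a `<gacl>` of `<entry>` elements, each holding `<any-user/>`, `<person><dn>`, `<voms><fqan>` or `<dn-list>` credentials plus `<allow>`/`<deny>` permission blocks) follows the GACL format, but the exact rules applied here (every credential in an entry must match, any deny overrides any allow, a trailing `/*` on an FQAN covers the subtree, `<dn-list>` fails closed because it is not fetched offline) are this example's own choices and should be checked against the GridSite documentation before being relied on. The sample ACL, DNs and FQANs are constructed.

```python
"""Evaluate a GACL-style XML access-control list for one client.

Added example, not GridSite's own code: a Python model of how an entry-based
ACL decides read/list/write/admin for a client identified by an X.509 DN
and/or VOMS FQANs. Evaluation rules are this example's assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

PERMISSIONS = ("read", "list", "write", "admin")


@dataclass(frozen=True)
class Client:
    dn: Optional[str] = None       # certificate subject, None if unauthenticated
    fqans: Tuple[str, ...] = ()    # VOMS FQANs from the proxy's attribute certificate


def _credential_matches(cred: ET.Element, client: Client) -> bool:
    """True if one <person>/<voms>/<any-user>/<dn-list> credential describes client."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "person":
        return client.dn is not None and client.dn == cred.findtext("dn", "").strip()
    if cred.tag == "voms":
        pattern = cred.findtext("fqan", "").strip()
        if pattern.endswith("/*"):
            # Assumption of this example: "/vo/grp/*" covers the whole subtree.
            # The slash stays in the prefix so "/atlas/uk/*" cannot match "/atlas/ukx/...".
            prefix = pattern[:-1]
            return any(f.startswith(prefix) for f in client.fqans)
        return pattern in client.fqans
    if cred.tag == "dn-list":
        # Would need a fetch of the listed URL; this offline model fails closed instead.
        return False
    raise ValueError(f"unknown credential element <{cred.tag}>")


def _entry_matches(entry: ET.Element, client: Client) -> bool:
    """All credentials in an entry must match; an entry with none grants nothing."""
    creds = [child for child in entry if child.tag not in ("allow", "deny")]
    return bool(creds) and all(_credential_matches(c, client) for c in creds)


def evaluate(gacl_xml: str, client: Client) -> FrozenSet[str]:
    """Permissions the client ends up with: union of allows minus union of denies."""
    if "<!DOCTYPE" in gacl_xml:
        raise ValueError("DTDs are not accepted in ACL documents")  # no entity expansion
    root = ET.fromstring(gacl_xml)
    if root.tag != "gacl":
        raise ValueError("not a <gacl> document")
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not _entry_matches(entry, client):
            continue
        for block_name, target in (("allow", allowed), ("deny", denied)):
            for block in entry.findall(block_name):
                for perm in block:
                    if perm.tag not in PERMISSIONS:
                        raise ValueError(f"unknown permission <{perm.tag}>")
                    target.add(perm.tag)
    return frozenset(allowed - denied)


# Constructed sample ACL; DNs and VO names are invented for this example.
SAMPLE_GACL = """<gacl version="0.0.1">
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry><voms><fqan>/atlas/uk/*</fqan></voms><allow><write/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/CN=site admin</dn></person>
         <allow><write/><admin/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/CN=revoked user</dn></person>
         <deny><read/><list/><write/><admin/></deny></entry>
</gacl>"""

ANON = Client()
ATLAS_UK = Client("/C=UK/O=eScience/OU=Glasgow/CN=some physicist",
                  ("/atlas/Role=NULL/Capability=NULL", "/atlas/uk/Role=NULL/Capability=NULL"))
LOOKALIKE = Client("/C=UK/O=eScience/OU=Glasgow/CN=another physicist",
                   ("/atlas/ukx/Role=NULL/Capability=NULL",))
ADMIN = Client("/C=UK/O=eScience/OU=Manchester/CN=site admin")
REVOKED = Client("/C=UK/O=eScience/OU=Manchester/CN=revoked user",
                 ("/atlas/uk/Role=NULL/Capability=NULL",))

if __name__ == "__main__":
    for name, who in [("anonymous", ANON), ("atlas/uk member", ATLAS_UK),
                      ("atlas/ukx member", LOOKALIKE), ("site admin", ADMIN),
                      ("revoked user", REVOKED)]:
        print(f"{name:18} -> {sorted(evaluate(SAMPLE_GACL, who))}")
```

The revoked-user case is the one worth checking in any real deployment: the user still matches the `<any-user/>` and `/atlas/uk/*` entries, so an evaluator that stopped at the first matching allow would let them write. Deny-overrides-allow makes the ACL safe to extend by appending entries, which is what the lightweight-group tooling in Task 3 will be doing on users' behalf.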
Deliverables: Task 4
• Task 4 Security co-ordination, policies, quality assurance and documentation (1.0 FTE)
  • M6: Define the relationship of LCG security co-ordination to the JRA3 and SA1 activities in EGEE
  • M6: Define and agree QA procedures with Tasks 1 to 3
  • M9: Contribute to the security co-ordination and policy issues for the LCG TDR
  • M12: Complete evaluation of the security middleware documentation; propose and implement improvements
  • M24: Produce a Quality Assurance report on all security middleware developments
  • M30: Co-ordinate the implementation of LCG security policy and procedures for LCG Phase-2

Deliverables: VO Operations
• 0.5 FTE
• Quarterly reports to GridPP
  • Status of services, account of support undertaken and plans for the next quarter
• Three annual reports
  • At M12, M24 and M36
  • Assessing the virtual organization middleware deployed
  • Feedback to developers within GridPP and other projects, in light of operational experience

Deliverables: Security Officer
• 1.0 FTE
• M3: Produce and negotiate an Incident Response Procedure
• M6: Perform a Security Risk Analysis in collaboration with the Tier 2s
• M6: Produce and negotiate a GridPP Security Policy and other rules
• M9: Produce an agreed firewall guide for GridPP
• M12: Prepare the annual summary of security incidents, issues and policy
• M15: Investigate the feasibility of a Grid intrusion monitoring and detection service and implement it if appropriate
• M18: Organise a GridPP security operations workshop
• M24: Prepare the second annual summary of GridPP security incidents, issues and policy
• M36: Prepare the final summary of GridPP security incidents, issues and policy

Future LCG/EGEE work (1) (slides from David Kelsey)
• Authentication
  • Continue and expand the EDG PKI
  • Secure credential management: online services, smart cards
  • Faster and more robust certificate revocation, e.g. OCSP
  • Restricted delegation
• Confidentiality
  • Integrate and deploy the proposed solution for the old WP10's applications

Future LCG/EGEE work (2)
• Authorization
  • Fuller use of VOMS AuthZ credentials
  • Mutual AuthZ: VOs should approve resources and services
  • Convergence with GGF standards (XACML, SAML, ...)
• Build on the DataGrid design and components for industrial strength
  • PKI/SSL authentication, standards-based authorization, WS-Security, ...

GridPP Security dissemination
• GridSite and the security middleware are readily applicable to other projects
  • All projects need a website
  • All projects need security (write access control if nothing else)
• We're talking to other projects which are interested in using GridPP security middleware
  • In particular, MRC projects (HIC, CLEF, PsyGrid)
• We intend to submit GridSite to the OMII repository
• Other possibilities in the pipeline...

"gridsite.org"
• Shorthand for making GridSite an Open Source project, with external involvement
• We noticed that most users installed the software without first asking for help/support
• We're trying to encourage this:
  • Source and binary distributions
  • User, Admin and Install guides, man pages etc.
  • Publicly available CVS + bug tracker (thanks to EDG and now LCG Savannah)
  • Public announcement and discussion mailing lists
  • Pointers to free/cheap/lightweight X.509 CAs

Summary
• Middleware concentrates on local access/usage control
• Some work also on lightweight VO support
• Migrating to standards (e.g. XACML)
• Funding to support continued [EDG|LCG] Security Group leadership by David Kelsey
• Tier-2 VO and Security Officer posts involved in the programme as on-site "customers"
• But we need to make more links to other LCG, EGEE, ARDA etc. middleware projects