WP4 Security and AAA issues - PowerPoint PPT Presentation

About This Presentation
Title:

WP4 Security and AAA issues

Description:

What should a system look like, what is installed. Systems Installation ... using the LCA root cert on the boot disk. 10: https requests to CFG. authenticated with new ... – PowerPoint PPT presentation

Slides: 14
Provided by: david2676

Transcript and Presenter's Notes

Title: WP4 Security and AAA issues


1
WP4 Security and AA(A) issues
  • For WP4 David Groep
  • hep-proj-grid-fabric_at_cern.ch

2
WP4 self-organization (1)
  • Configuration management
    • What should a system look like, what is installed
  • Systems Installation
    • Bootstrapping and installing software packages on
      10.000 nodes
  • Resource Management
    • Queuing system, task scheduling, quotas and budget

3
WP4 self-organization (2)
  • Monitoring
    • Performance and functional monitoring
  • Fault Tolerance and Exception Recovery
    • Detect exceptions using monitoring information
      and schedule recovery actions, make self-healing
      nodes
  • Gridification
    • Job authorization, credential mapping,
      information abstraction and network accessibility

4
Internal and external AAA
  • External AAA
    • Interaction of a compute centre with the global
      grid, through WP1 (ComputeElement) and WP2
      (StorageElement)
  • Internal AAA
    • Recognizing trusted components and operators
    • Authorization for jobs and files
    • Access to information services
    • Protecting jobs and files whilst in the fabric
      (uid issues)

5
A use case for job submission
  • Accept a job from ComputeElement (the Grid)
  • Check authorization w.r.t. extra local policies
  • Assign necessary local credentials
  • Have the job run on the local fabric

6
Gridification of a Compute Centre
(Architecture diagram; only its labels survive. Externally visible: Job Rep. Local to the fabric: Grid Job Mediating Serv)
7
Job life cycle in a fabric
  • GjMS: Grid-job Mediating Service
    • Accept jobs from the ComputeElement and shuffle them
      through the AAA chain
  • LCAS: Local Community Authorization Service
    • Authorize a job or store request to run on this
      fabric
    • Based on the community-wide CAS (VOs), add extra
      constraints like budgets, ban lists, wall clock
      limitations
  • LCMAPS: Local Credential Mapping Service
    • Obtain the usual credentials for running
      (uid/gid)
    • Issues additional credentials for AFS, K5, ...
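
The GjMS -> LCAS -> LCMAPS chain described on this slide, as an added Python example that is not WP4's own code: the plug-in names, the policy dictionary (ban list, per-VO budget, wall-clock limit) and the uid/gid mapping table are assumptions made for illustration. LCAS is deny-by-default here: every plug-in must accept before LCMAPS hands out local credentials.

```python
from dataclasses import dataclass
# Constructed illustration of the slide-7 chain: GjMS -> LCAS -> LCMAPS.
# Plug-in names, the policy dict and the mapping table are assumptions
# made for this example, not WP4's real plug-in interface.
@dataclass
class JobRequest:
    dn: str            # grid identity: the certificate subject
    vo: str            # community (VO) asserted by the grid-wide CAS
    wall_clock_s: int  # requested wall-clock time in seconds

# LCAS plug-ins: each returns None to accept or a reason string to refuse.
def ban_list_plugin(job, policy):
    return "identity is on the local ban list" if job.dn in policy["banned"] else None
def budget_plugin(job, policy):
    if policy["budget_s"].get(job.vo, 0) < job.wall_clock_s:
        return "VO has insufficient remaining budget"
    return None

def wall_clock_plugin(job, policy):
    if job.wall_clock_s > policy["max_wall_clock_s"]:
        return "requested wall-clock time exceeds fabric limit"
    return None

LCAS_PLUGINS = (ban_list_plugin, budget_plugin, wall_clock_plugin)

def lcas_authorize(job, policy):
    """Every plug-in must accept; the first refusal denies the job."""
    for plugin in LCAS_PLUGINS:
        reason = plugin(job, policy)
        if reason is not None:
            return False, reason
    return True, "authorized"

def lcmaps_map(job, mapping):
    """Map the job's community to the local (uid, gid) it will run under."""
    return mapping[job.vo]

def gjms_submit(job, policy, mapping):
    """GjMS: accept a job from the ComputeElement and push it through AAA."""
    ok, reason = lcas_authorize(job, policy)
    if not ok:
        return {"accepted": False, "reason": reason}
    uid, gid = lcmaps_map(job, mapping)
    policy["budget_s"][job.vo] -= job.wall_clock_s  # charge the VO budget
    return {"accepted": True, "uid": uid, "gid": gid}
# Constructed local policy and credential mapping table (sample values).
POLICY = {"banned": {"/O=Grid/CN=mallory"}, "max_wall_clock_s": 3600,
          "budget_s": {"atlas": 7200, "cms": 100}}
MAPPING = {"atlas": (40001, 4000), "cms": (40002, 4000)}
```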

8
Gridification of a Compute Centre
(Architecture diagram; only its labels survive. Externally visible: Grid Info Serv (WP3), GridGATE protocol gateway, ComputeElmt, GriFIS, Job Rep. Local to the fabric: Grid Job Mediating Serv, Fabric-local ID service, Local Credential Mapping Serv, LCAS, AuthZ plugins, Policy list, User Rep., QuotaCheck)
9
FLIDS (Fabric-local ID service)
  • Within a fabric only a local certifying entity
    will be sufficiently trusted
    • Signing authority for LCAS-accepted (job)
      requests
    • Identify trusted operators for installation of
      new systems
    • Identify and certify hosts within a fabric
  • FLIDS is (a tree of) certification authorities
    • Some of those are automated CAs
    • Sign certificates when the request is signed by a
      trusted operator

10
Information and Configuration
  • A configuration database exists containing the
    desired state of the local fabric
  • Contains sensitive information
    • Prevent unauthorized read access
    • Prevent snooping on information sent to other hosts
    • PM9 (and possibly beyond?): web server, XML over
      HTTPS
  • Write access limited to a special operator
    interface only

11
Another FLIDS application
  • Adding a new host to a fabric
    • Possibly in a hostile environment
    • We have a trusted operator with an install disk
    • Need to get initial configuration information
    • Which includes, e.g., an ssh host key

Next slide is for your reference only (don't be
baffled by it)
12
(No Transcript)
13
Issues not (yet) addressed
  • Information services
    • Use whatever security framework WP3 chooses
    • Will likely not publish list of authorized users
  • Networking issues
    • WP4 does not envision using network-layer
      security
    • IPv6 is being studied, but only for address space
      issues
    • GridGATE is not a VPN router and is not doing
      IPsec

14
Gridification of a Compute Centre
(Repeats the architecture diagram of slide 8; only its labels survive. Externally visible: Grid Info Serv (WP3), GridGATE protocol gateway, ComputeElmt, GriFIS, Job Rep. Local to the fabric: Grid Job Mediating Serv, Fabric-local ID service, Local Credential Mapping Serv, LCAS, AuthZ plugins, Policy list, User Rep., QuotaCheck)