Title: WP4 Security and AAA issues
1. WP4 Security and AA(A) issues
- For WP4: David Groep
- hep-proj-grid-fabric_at_cern.ch
2. WP4 self-organization (1)
- Configuration management
  - What should a system look like, what is installed
- Systems installation
  - Bootstrapping and installing software packages on 10,000 nodes
- Resource management
  - Queuing system, task scheduling, quotas and budget
3. WP4 self-organization (2)
- Monitoring
  - Performance and functional monitoring
- Fault tolerance and exception recovery
  - Detect exceptions using monitoring information and schedule recovery actions; make nodes self-healing
- Gridification
  - Job authorization, credential mapping, information abstraction and network accessibility
4. Internal and external AAA
- External AAA
  - Interaction of a compute centre with the global grid: through WP1 (ComputeElement) and WP2 (StorageElement)
- Internal AAA
  - Recognizing trusted components and operators
  - Authorization for jobs and files
  - Access to information services
  - Protecting jobs and files whilst in the fabric (uid issues)
5. A use case for job submission
- Accept a job from ComputeElement (the Grid)
- Check authorization w.r.t. extra local policies
- Assign necessary local credentials
- Have the job run on the local fabric
6. Gridification of a Compute Centre
[Diagram: externally visible: Job Rep.; local to the fabric: GridJobMediating Serv]
7. Job life cycle in a fabric
- GjMS: Grid-job Mediating Service
  - Accepts jobs from the ComputeElement and shuffles them through the AAA chain
- LCAS: Local Community Authorization Service
  - Authorizes a job or store request to run on this fabric
  - Based on the community-wide CAS (VOs), adds extra constraints like budgets, ban lists and wall clock limitations
- LCMAPS: Local Credential Mapping Service
  - Obtains the usual credentials for running (uid/gid)
  - Issues additional credentials for AFS, K5, ...
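The AAA chain on this slide (GjMS handing a job to LCAS plugins, then to LCMAPS) sketched in Python as an added example; this is not WP4's own code, and the job fields, policy values, plugin names and pool-account table are all constructed assumptions:

```python
from dataclasses import dataclass

@dataclass
class JobRequest:
    # Constructed job as it would arrive from the ComputeElement (fields assumed)
    dn: str            # grid identity (certificate subject)
    vo: str            # community asserted by the CAS-style credential
    wall_clock_s: int  # requested run time in seconds
    cost: int          # requested budget units

# Constructed local policy; a real LCAS would read these from its policy list
BAN_LIST = {"/O=Grid/CN=Revoked User"}
VO_BUDGET = {"atlas": 1000, "cms": 50}       # budget units per VO
MAX_WALL_CLOCK_S = 24 * 3600

def plugin_ban_list(job):
    return job.dn not in BAN_LIST, "DN is on the ban list"

def plugin_budget(job):
    if job.vo not in VO_BUDGET:
        return False, "unknown VO"
    return job.cost <= VO_BUDGET[job.vo], "budget exceeded"

def plugin_wall_clock(job):
    return job.wall_clock_s <= MAX_WALL_CLOCK_S, "wall clock limit exceeded"

LCAS_PLUGINS = [plugin_ban_list, plugin_budget, plugin_wall_clock]

def lcas_authorize(job):
    """Every plugin must accept (deny by default); returns (ok, reason)."""
    for plugin in LCAS_PLUGINS:
        ok, reason = plugin(job)
        if not ok:
            return False, f"{plugin.__name__}: {reason}"
    return True, "authorized"

# Constructed mapping table VO -> (pool account, uid, gid); a real LCMAPS would
# also issue the AFS / Kerberos credentials the slide mentions
VO_ACCOUNTS = {"atlas": ("atlas001", 5001, 500), "cms": ("cms001", 6001, 600)}

def lcmaps_map(job):
    """Map the grid identity onto local running credentials (uid/gid)."""
    user, uid, gid = VO_ACCOUNTS[job.vo]
    return {"user": user, "uid": uid, "gid": gid}

def gjms_handle(job):
    """GjMS: push the job through LCAS, then LCMAPS; mapping only after acceptance."""
    ok, reason = lcas_authorize(job)
    if not ok:
        return None, reason       # rejected: credential mapping is never reached
    return lcmaps_map(job), reason
```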
8. Gridification of a Compute Centre
[Diagram: externally visible: Grid Info Serv (WP3), GridGATE protocol gateway, ComputeElmt, GriFIS, Job Rep.; local to the fabric: GridJobMediating Serv, Fabric-local ID service, Local Credential Mapping Serv, LCAS with AuthZ plugins and Policy list, User Rep., QuotaCheck]
9. FLIDS (Fabric-local ID service)
- Within a fabric only a local certifying entity will be sufficiently trusted
  - Signing authority for LCAS-accepted (job) requests
  - Identify trusted operators for installation of new systems
  - Identify and certify hosts within a fabric
- FLIDS is (a tree of) certification authorities
  - Some of those are automated CAs
  - Sign certificates when the request is signed by a trusted operator
10. Information and Configuration
- A configuration database exists containing the desired state of the local fabric
- Contains sensitive information
  - Prevent unauthorized read access
  - Prevent snooping of information sent to other hosts
- PM9 (and possibly beyond?): web server, XML over HTTPS
- Write access limited to the special operator interface only
11. Another FLIDS application
- Adding a new host to a fabric
  - Possibly in a hostile environment
  - We have a trusted operator with an install disk
  - Need to get initial configuration information
  - Which includes, e.g., an ssh host key
Next slide is for your reference only (don't be baffled by it)
12. (No transcript)
13. Issues not (yet) addressed
- Information services
  - Use whatever security framework WP3 chooses
  - Will likely not publish the list of authorized users
- Networking issues
  - WP4 does not envision using network-layer security
  - IPv6 is being studied, but only for address space issues
  - GridGATE is not a VPN router and is not doing IPsec
14. Gridification of a Compute Centre
[Diagram: the same architecture figure as slide 8 (externally visible: Grid Info Serv (WP3), GridGATE protocol gateway, ComputeElmt, GriFIS, Job Rep.; local to the fabric: GridJobMediating Serv, Fabric-local ID service, Local Credential Mapping Serv, LCAS with AuthZ plugins and Policy list, User Rep., QuotaCheck)]