Posted 15-Jan-2016 (Category: Documents)
Transcript of INFSO-RI-508833 Enabling Grids for E-sciencE JRA3 2nd EU Review Input David Groep NIKHEF.
INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
JRA3 2nd EU Review Input
David Groep
NIKHEF
JRA3 EU Review Input DavidG December 7th 2005 2
Enabling Grids for E-sciencE
INFSO-RI-508833
EUGridPMA Authentication Federation
• Federation consists of many independent CAs
– Common minimum requirements
– Defined and ‘strong’ acceptance process
– “reasonable” trust level, as required by relying parties
– no ‘hierarchical top’ to make formal guarantees
• Membership
– 34 Identity providers (national and regional CAs)
– 6 Relying parties (large projects like EGEE, DEISA, SEE-GRID, OSG, LCG) and TERENA
[Diagram: federation of independent CAs (CA 1, CA 2, CA 3 … CA n) bound by a charter, guidelines and an acceptance process, trusted by relying party 1 … relying party n]
The EUGridPMA
• Virtually complete coverage of Europe, accreditation for EGEE, DEISA, SEE-GRID, LCG, OSG, ..
• Actively fostered and supported by JRA3
Green: countries and regions covered by a national CA in the EUGridPMA
Policy Evaluation Framework
• Policy evaluation based on Authentication Profiles
– Authorities demonstrate compliance with these guidelines
– Peer-review process within the federation to (re-)evaluate members both on entry and periodically
– Codified in the Accreditation Guidelines policy since 2004
– Demonstrated in practice in ~10 new accreditations since
• Benefits
– Reduces effort on the relying parties: a single document to review and assess, applicable to all providers
– Reduces cost on the identity providers: no audit statement needed from certified accountants, but participation in the federation does come with a price
• Ultimate decision always remains with the administrative owners (relying parties)
Authentication Profiles
Three main Authentication Profiles (the requirement sets), common not only for Europe but also for the Asia Pacific & Americas
• Certification authorities with secured infrastructure
– Highly trusted by all current grid projects
– Leverages national structures effectively
• Short-lived credential services
– Leverage existing local site mechanisms
– New profile to be pioneered in the Americas, but far from stable and not yet exposed to many relying parties
• Experimental Service
– Jumpstart new national and regional CAs via a pilot service
– Successful model in the Asia Pacific region
Extending Trust: the IGTF
• common, global best practices for trust establishment
• better manageability and response of the PMAs
[Figure: TAGPMA, APGridPMA]
IGTF Structure
• Each PMA can accredit authorities according to any of the valid authentication profiles (classic secured PKI, short-lived credential services, experimental)
• Common standards
• Coordinated naming (every name within the IGTF is unique)
• Common accreditation process
• Three chairs collectively represent the IGTF (formal IGTF chair rotates yearly)
• First IGTF Chair is from Europe …
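The relying-party side of the model described under "Policy Evaluation Framework" and "IGTF Structure" (authorities accredited under a profile, the relying party keeping the ultimate decision, and coordinated naming so that every name in the federation is unique), as an added Python example; it is not part of the slides or of any EUGridPMA/IGTF software. The CA names, namespaces and the short profile labels `classic`/`slcs`/`experimental` are constructed for illustration; modelling coordinated naming as a per-CA subject-name prefix that must not overlap with any other CA's prefix is an assumption, as is that the certificate chain has already been cryptographically verified before this policy-layer check runs.

```python
from dataclasses import dataclass

# Short labels for the three authentication profiles named on the slides
# (classic secured PKI, short-lived credential services, experimental);
# the labels themselves are this example's own choice.
CLASSIC, SLCS, EXPERIMENTAL = "classic", "slcs", "experimental"


@dataclass(frozen=True)
class AccreditedCA:
    issuer_dn: str   # distinguished name of the CA certificate
    profile: str     # authentication profile the PMA accredited it under
    namespace: str   # subject-DN prefix this CA may sign (assumed mechanism)


# Constructed federation distribution; all names are illustrative only.
FEDERATION = (
    AccreditedCA("/C=NL/O=Example CA 1", CLASSIC, "/C=NL/O=ExampleOrg"),
    AccreditedCA("/C=DE/O=Example CA 2", CLASSIC, "/C=DE/O=ExampleOrg"),
    AccreditedCA("/C=XX/O=Example SLCS", SLCS, "/C=XX/O=Campus"),
    AccreditedCA("/C=YY/O=Example Pilot", EXPERIMENTAL, "/C=YY/O=Pilot"),
)


def dn_components(dn):
    """Split an OpenSSL-style '/C=../O=..' DN into its RDN components."""
    return [c for c in dn.split("/") if c]


def in_namespace(subject_dn, namespace):
    """True if subject_dn lies strictly below the namespace prefix."""
    subj, ns = dn_components(subject_dn), dn_components(namespace)
    return len(subj) > len(ns) and subj[: len(ns)] == ns


def namespace_conflicts(cas):
    """Coordinated-naming check: return issuer pairs whose namespaces overlap.

    Two namespaces overlap when one is a component-wise prefix of the other,
    which would let two independent CAs issue the same subject name.
    """
    conflicts = []
    for i, a in enumerate(cas):
        for b in cas[i + 1:]:
            na, nb = dn_components(a.namespace), dn_components(b.namespace)
            n = min(len(na), len(nb))
            if na[:n] == nb[:n]:
                conflicts.append((a.issuer_dn, b.issuer_dn))
    return conflicts


@dataclass(frozen=True)
class RelyingPartyPolicy:
    accepted_profiles: frozenset               # profiles this site/project trusts
    excluded_issuers: frozenset = frozenset()  # local overrides of the federation list


def decide(policy, cas, issuer_dn, subject_dn):
    """Policy-layer decision for an already chain-verified certificate.

    Returns (accepted, reason). Signature, revocation and validity-period
    checks are assumed to have been done before this call.
    """
    ca = next((c for c in cas if c.issuer_dn == issuer_dn), None)
    if ca is None:
        return False, "issuer not accredited in the federation"
    if ca.issuer_dn in policy.excluded_issuers:
        return False, "issuer excluded by local relying-party policy"
    if ca.profile not in policy.accepted_profiles:
        return False, f"profile '{ca.profile}' not accepted by relying party"
    if not in_namespace(subject_dn, ca.namespace):
        return False, "subject outside the namespace assigned to this issuer"
    return True, "accepted"


if __name__ == "__main__":
    # A site that trusts classic and short-lived credential CAs but not pilots.
    site = RelyingPartyPolicy(frozenset({CLASSIC, SLCS}))
    print("naming conflicts:", namespace_conflicts(FEDERATION))
    for issuer, subject in [
        ("/C=NL/O=Example CA 1", "/C=NL/O=ExampleOrg/CN=Alice"),
        ("/C=YY/O=Example Pilot", "/C=YY/O=Pilot/CN=Bob"),
        ("/C=NL/O=Example CA 1", "/C=DE/O=ExampleOrg/CN=Mallory"),
    ]:
        print(subject, "->", decide(site, FEDERATION, issuer, subject))
```

The federation distribution is the same for every relying party; what differs per site is the `RelyingPartyPolicy`, which is where the slides' point that the ultimate decision stays with the administrative owners lives. The namespace check is what makes "every name unique" operational: an issuer that is accredited but signs outside its assigned prefix is rejected even though its signature would verify.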
IGTF, GGF and TACAR
• The IGTF, GGF (the CAOPS-WG) and TERENA work together to establish the global trust fabric
Towards common AAI in Europe
A Common Authentication and Authorization Infrastructure
• described in the e-IRG Authorization Roadmap section
• collaboration with developments like eduroam™ via TERENA fora
• the single sign-on vision
• the authentication bridges, the authorization framework, on-demand user attribute discovery, all work towards this goal
On a wireless mobile network while visiting abroad, you decide to look up the data from the latest experiment your colleague in your Virtual Organization did, and run a simulation to look at alternate scenarios, all that using your credentials (password, smartcard) only once!
SAC slides to follow
Site Access Control ingredients
[Diagram: Site Access Control ingredients. Labels: global issues; service business logic; site access control; Identities & Certificates; Site policy actions & policy decisions; virtualization & system accounts; connectivity provisioning; logging/auditing. Items: user policies, VO policies, establishing Trusted Third Parties, key storage, MyProxy, system account creation, worker node to head node communications, access control to individual files, router port filtering, DDoS protection]
Virtualization and System Accounts
• JRA3 ingredients: LCAS, LCMAPS, glexec
• Aim is the fully interoperable job submission chain: GT4, CondorC/BLAHP, GT Work Space Service
• Components part of the gLite 1.5 release