
Grid Security Research


Presentation Transcript


  1. Grid Security Research Olle Mulmo <mulmo@pdc.kth.se>

  2. No Cross-Domain Trust (diagram)
  • Domain A and Domain B each have their own Certification Authority and Policy Authority; Sub-Domain A1 holds Server X, Sub-Domain B1 holds Server Y
  • A Task spanning Server X and Server Y runs into a Trust Mismatch and a Cross-“Certification” Issue, since there is no cross-domain trust between the two sets of authorities

  3. Grid Solution: Virtual Organizations (diagram)
  • The same two domains, still with no cross-domain trust between their Certification and Policy Authorities
  • A Federation Service supplies a common mechanism; the Task on Server X and Server Y runs inside a Virtual Organization Domain that spans Domain A and Domain B

  4. VO management
  • VOs today = 100s of users
    • DOE Science Grid, European Data Grid
    • Centrally kept, highly secure repository
    • Databases, LDAP directories, additional software, …
  • Research groups today = 10s of users
    • Administration = pain
  • Current VO software is too heavy-weight
    • Mismatch between the two

  5. Different trust models for dynamic VOs
  • Look at peer-to-peer models
    • Sociological web-of-trust models
    • “Simple secret” based security model
    • Group creation based on invitation (one-time password)
  • Common problem: traceability
    • Who invited whom?
  • Can the models above be extended?
  • Grid & P2P is a “hot topic”
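The invitation-based model on this slide, with the traceability question answered, as an added example (not code from the talk): a group grows from one founder by one-time invitations; each invitation is an HMAC tag under the group's shared "simple secret" over (group, inviter, invitee, nonce), so it cannot be forged or re-targeted and is burned on first use, and every accepted invitation is recorded so "who invited whom?" is answered by walking the chain back to the founder. The group name, secret, member names and the `|`-separated token format are assumptions made for illustration.

```python
"""Invitation-based group creation with a traceable invite chain.

Added example, not code from the talk. A group starts from one founder. Any
member may mint a one-time invitation for a named newcomer: the invitation
carries an HMAC tag under the group's shared secret over (group, inviter,
invitee, nonce), so it cannot be forged or re-targeted, and the nonce is
burned on first use. Every accepted invitation is recorded, so "who invited
whom?" is answered by walking the chain back to the founder. The group name,
secret and member names below are constructed for illustration.
"""
import hashlib
import hmac
import secrets


class InviteError(Exception):
    pass


class InvitedGroup:
    SEP = "|"  # assumption of this toy token format: names never contain it

    def __init__(self, name: str, founder: str, secret: bytes):
        self.name = name
        self.founder = founder
        self._secret = secret            # the "simple secret" shared by the group
        self.members = {founder}
        self.invited_by = {}             # invitee -> inviter: the audit trail
        self._pending = {}               # nonce -> (inviter, invitee) for unused tokens

    def _tag(self, inviter: str, invitee: str, nonce: str) -> str:
        msg = self.SEP.join((self.name, inviter, invitee, nonce)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def invite(self, inviter: str, invitee: str) -> str:
        """Mint a one-time token; only current members may invite."""
        if inviter not in self.members:
            raise InviteError(f"{inviter} is not a member and cannot invite")
        if invitee in self.members:
            raise InviteError(f"{invitee} is already a member")
        if self.SEP in inviter or self.SEP in invitee:
            raise InviteError("names must not contain the token separator")
        nonce = secrets.token_hex(8)
        self._pending[nonce] = (inviter, invitee)
        return self.SEP.join((inviter, invitee, nonce, self._tag(inviter, invitee, nonce)))

    def join(self, token: str) -> str:
        """Redeem a token: verify the tag, burn the nonce, record the inviter."""
        parts = token.split(self.SEP)
        if len(parts) != 4:
            raise InviteError("malformed token")
        inviter, invitee, nonce, tag = parts
        if not hmac.compare_digest(tag, self._tag(inviter, invitee, nonce)):
            raise InviteError("forged or altered token")
        if self._pending.pop(nonce, None) != (inviter, invitee):
            raise InviteError("token already used or never issued")
        self.members.add(invitee)
        self.invited_by[invitee] = inviter
        return invitee

    def chain(self, member: str) -> list:
        """Answer 'who invited whom?': member, their inviter, ..., founder."""
        if member not in self.members:
            raise KeyError(f"{member} is not a member of {self.name}")
        out = [member]
        while out[-1] != self.founder:
            out.append(self.invited_by[out[-1]])
        return out
```

The token is a bearer secret: whoever presents it joins as the named invitee, which is why it is single-use and why the inviter is bound into the tag rather than trusted from the request. The weak spot this slide points at stays visible: the whole group shares one secret, so anyone holding it can mint invitations, and the recorded chain is only as trustworthy as that secret.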

  6. Account management
  • AAA: Accounting == accountability
    • Who did what, at what time?
  • Accounting == billing
    • Who consumed what resources, for how long, at what price?
  • Distributed quota problem
    • 6000 CPUh == 1*6000 CPUh or 6*1000 CPUh (same total, spent at one site or spread over six)
  • (Swegrid needs at least a short-term solution)

  7. Account management (cont.)
  • Mapping each individual into a unique user account…
    • Doesn’t scale
    • Need dynamics
    • Existing quotas and scheduler limits must apply
  • Other initiatives to watch/interact with
    • Slashgrid (UK E-Science)
    • Large-site AAA (GGF)
    • EGEE proposal
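The distributed quota problem from slide 6 and the "existing quotas and scheduler limits must apply" constraint from slide 7, as one added example (not code from the talk or from Swegrid): a VO-wide allocation of 6000 CPUh that may be spent at any member site, a per-site cap that is enforced before the VO-wide total, and a ledger recording who consumed what, where and when, which serves both the accountability and the billing reading of "accounting". The VO, site and user names, the caps and the jobs are constructed for illustration.

```python
"""A VO-wide CPU-hour quota spread over member sites, with a usage ledger.

Added example, not code from the talk or from Swegrid. The VO holds one
allocation (6000 CPUh below) that can be spent at any member site, but each
site keeps its own cap because local quotas and scheduler limits still
apply. Every charge is booked with who, where, when and how much, which is
the record both readings of "accounting" (accountability and billing) need.
VO, site and user names, caps and jobs are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


class QuotaExceeded(Exception):
    pass


@dataclass(frozen=True)
class UsageRecord:
    user: str
    site: str
    start: datetime
    end: datetime
    cpu_hours: float


class VOQuota:
    def __init__(self, vo: str, total_cpuh: float, site_caps: Dict[str, float]):
        self.vo = vo
        self.total = total_cpuh
        self.site_caps = dict(site_caps)          # local limits, enforced first
        self.ledger: List[UsageRecord] = []
        self.site_used = defaultdict(float)

    @property
    def used(self) -> float:
        return sum(r.cpu_hours for r in self.ledger)

    @property
    def remaining(self) -> float:
        return self.total - self.used

    def check(self, site: str, cpu_hours: float) -> Tuple[bool, str]:
        """Dry run: would this much work be accepted at this site?"""
        if site not in self.site_caps:
            return False, f"{site} is not a member site of {self.vo}"
        if self.site_used[site] + cpu_hours > self.site_caps[site]:
            return False, f"{site} cap of {self.site_caps[site]:g} CPUh would be exceeded"
        if self.used + cpu_hours > self.total:
            return False, f"{self.vo} quota of {self.total:g} CPUh would be exceeded"
        return True, "ok"

    def charge(self, user: str, site: str, start: datetime, end: datetime, cores: int = 1) -> float:
        """Book a finished job; raises QuotaExceeded instead of overdrawing."""
        if end <= start:
            raise ValueError("job must end after it starts")
        cpu_hours = cores * (end - start).total_seconds() / 3600
        ok, why = self.check(site, cpu_hours)
        if not ok:
            raise QuotaExceeded(why)
        self.site_used[site] += cpu_hours
        self.ledger.append(UsageRecord(user, site, start, end, cpu_hours))
        return cpu_hours

    def report(self) -> Dict[str, Dict[str, float]]:
        """Who consumed what, where: {user: {site: cpu_hours}}."""
        out = defaultdict(lambda: defaultdict(float))
        for r in self.ledger:
            out[r.user][r.site] += r.cpu_hours
        return {u: dict(s) for u, s in out.items()}


def demo_spread() -> VOQuota:
    """6 * 1000 CPUh: one 10-hour, 100-core job at each of six sites capped at 1000."""
    q = VOQuota("swegrid-demo", 6000.0, {f"site{i}": 1000.0 for i in range(1, 7)})
    t0 = datetime(2004, 1, 5, 9, 0)
    for i, site in enumerate(q.site_caps, start=1):
        q.charge(f"user{i}", site, t0, t0 + timedelta(hours=10), cores=100)
    return q


def demo_single_site() -> VOQuota:
    """1 * 6000 CPUh: the same allocation burnt by one job at a site whose cap allows it."""
    q = VOQuota("swegrid-demo", 6000.0, {"site1": 6000.0})
    t0 = datetime(2004, 1, 5, 9, 0)
    q.charge("user1", "site1", t0, t0 + timedelta(hours=60), cores=100)
    return q
```

The two demos exhaust the same 6000 CPUh, but a 6000 CPUh job submitted to a site whose local cap is 1000 is refused by the site check before the VO total is even consulted: the VO-wide number alone does not say whether a job fits, which is what makes the quota "distributed".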

  8. Authorization Policy
  • Tightly related to quota management
    • The “You have access” part of the “You have access to this piece of the pie” problem
  • Same software, different authority
  • Current implementations are based on group membership
    • Either you’re in, or you’re out
  • Support for expressiveness is missing
    • “access between 8am and 5pm”
    • “only if CPU load is less than 50%”
  • A large portion of a policy needs dynamic information from the runtime context

  9. Authorization Policy (cont.)
  • Another Grid and OGSA “hot topic”
    • But emphasis on integration of old software
  • Opportunity to ignore that and do real and relevant work
  • Does not need to start from scratch – may reuse an existing framework
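The expressiveness slide 8 asks for, as an added example (not the talk's or any grid middleware's code): two authorities publish rules in one common format, the VO rule covering the existing group-membership check and the site rule adding exactly the two dynamic conditions quoted on the slide, a time window and a CPU-load ceiling evaluated from the runtime context. A request is permitted only when every applicable rule permits it, and a condition whose input is missing from the context denies, so the policy fails closed. The rule names, group, thresholds and sample contexts are assumptions made for illustration.

```python
"""Authorization decisions that combine group membership with runtime context.

Added example, not the talk's or any grid middleware's code. Two authorities
publish rules in one common format: the VO rule says which groups may perform
an action, the resource site's rule adds the dynamic conditions the slide
asks for (a time window and a CPU-load ceiling). A request is permitted only
when every applicable rule permits it, and a condition whose input is missing
from the context denies (fail closed). Rule names, groups, thresholds and the
sample contexts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    authority: str                                   # who issued the rule
    action: str                                      # what it governs
    groups: FrozenSet[str] = frozenset()             # any of these; empty = no group test
    time_window: Optional[Tuple[time, time]] = None  # [start, end) local time
    max_cpu_load: Optional[float] = None             # permit only strictly below this


def evaluate_rule(rule: Rule, ctx: Dict) -> Tuple[bool, str]:
    """Static part (groups) first, then each dynamic condition in turn."""
    if rule.groups and not rule.groups.intersection(ctx.get("groups", ())):
        return False, f"{rule.authority}: subject is in none of {sorted(rule.groups)}"
    if rule.time_window is not None:
        now = ctx.get("time")
        if now is None:
            return False, f"{rule.authority}: no clock in context"
        start, end = rule.time_window
        if not start <= now < end:
            return False, f"{rule.authority}: {now} outside {start}-{end}"
    if rule.max_cpu_load is not None:
        load = ctx.get("cpu_load")
        if load is None:
            return False, f"{rule.authority}: no load measurement in context"
        if load >= rule.max_cpu_load:
            return False, f"{rule.authority}: load {load:.2f} not below {rule.max_cpu_load:.2f}"
    return True, f"{rule.authority}: permit"


def authorize(rules: List[Rule], action: str, ctx: Dict) -> Tuple[bool, List[str]]:
    """Every rule for the action must permit; no rule at all is a deny."""
    applicable = [r for r in rules if r.action == action]
    if not applicable:
        return False, [f"no rule governs {action}"]
    verdicts = [evaluate_rule(r, ctx) for r in applicable]
    return all(ok for ok, _ in verdicts), [why for _, why in verdicts]


# Constructed rules: the VO decides membership, the site decides when and under what load.
POLICY = [
    Rule(authority="vo:swegrid", action="submit-job", groups=frozenset({"swegrid/analysis"})),
    Rule(authority="site:pdc", action="submit-job",
         time_window=(time(8, 0), time(17, 0)), max_cpu_load=0.5),
]


def sample_context(hour: int, cpu_load: Optional[float], groups=("swegrid/analysis",)) -> Dict:
    """Constructed runtime context; cpu_load=None simulates a missing measurement."""
    ctx = {"groups": set(groups), "time": time(hour, 0)}
    if cpu_load is not None:
        ctx["cpu_load"] = cpu_load
    return ctx
```

Every verdict carries the issuing authority's name, so a denied request shows whether the VO or the site said no; that is the "same software, different authority" split in practice. The fail-closed branches matter most: a policy that reads CPU load from the runtime context must decide what happens when the measurement is absent or stale, and silently permitting is the wrong default.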

  10. Proposed VR-IT research
  • Authentication and distributed file system technologies
    • Credential translation / mapping
    • Privilege inflation
    • Prototype implementation (AFS)
  • Authorization, Accounting and Policy
    • Develop dynamic trust models
    • Develop scalable models for user account management
    • Develop expressiveness of authorization policy
