
Federating the Grid

Federating the Grid. David Kelsey TNC2010, Vilnius 2 Jun 2010. Introduction. “Real-life use cases in a cross-federated environment” What is happening in the production Grids in this area? Outline of talk The European Grid Infrastructure (EGI) The Grid Use Case(s)





Presentation Transcript


  1. Federating the Grid. David Kelsey, TNC2010, Vilnius, 2 Jun 2010

  2. Introduction
     “Real-life use cases in a cross-federated environment”
     • What is happening in the production Grids in this area?
     Outline of talk
     • The European Grid Infrastructure (EGI)
     • The Grid Use Case(s)
     • Federated Identity Management for the Grid (IGTF)
     • Federated Security Policies (JSPG)
     • Future directions
     • Not addressed here: operations, security incident response, support, …
     Disclaimers and thanks:
     • My personal views – not the official views of any Grid project, IGTF etc.
     • Thanks to (for slides): Steven Newhouse, Bob Jones, Sergio Bertolucci and David Groep – with modifications by me
     • Thanks to all my numerous colleagues in the Grids and IGTF – credit all due to them!
     Kelsey, TNC2010

  3. The European Grid Infrastructure

  4. European e-Infrastructure
     • European Data Grid (EDG)
       • Explore concepts in a testbed
     • Enabling Grid for E-sciencE (EGEE)
       • Moving from prototype to production
       • Federation started in 2004 (with development since 2001)
     • European Grid Infrastructure (EGI)
       • Routine usage of a sustainable e-infrastructure
     EGI-InSPIRE - EGEE UF5

  5. EGI.eu
     A legal entity created in Feb 2010. Offices in Amsterdam.
     • Operate a secure integrated production grid infrastructure that seamlessly federates resources from providers around Europe
     • Coordinate the support of the research communities using the European infrastructure coordinated by EGI.eu
     Bob Jones - April 2010

  6. The EGI-InSPIRE Project
     Integrated Sustainable Pan-European Infrastructure for Researchers in Europe
     Project partners (48): EGI.eu, 37 NGIs, 2 EIROs, 8 AP (map legend: funded / un-funded)
     • A 4 year project with €25M EC contribution
     • Project cost €69M
     • Total Effort ~€330M
     • Staff ~170 FTE

  7. The Grid Use Case

  8. Security model
     • Many 100s Resource Providers (Sites)
     • Many 10s countries (National Grids)
     • Many 10,000s of Users (Global Grids)
     • In 100s of VOs (each using many Grids)
     • Keep AuthN and AuthZ separate
     • User gets an electronic ID (X.509 cert)
     • User registers once with the VO
       • And does not register with Sites

  9. Security model (2)
     • Single Sign-on per user session
     • Common AuthN and AuthZ middleware
     • Mutual authentication – client and server
     • Authorisation attributes per session from the VO (e.g. VOMS)
       • Groups, Roles and/or other attributes
     • Delegation is essential
     • Common security policies: AUP, Site & VO

  10. CERN Large Hadron Collider: An example of a Global Scientific Community. Sergio Bertolucci, CERN, 5th EGEE User Forum, Uppsala, 14th April 2010

  11. (figure slide, no text transcribed)

  12. The LHC Computing Challenge
     • Signal/Noise: 10^-13 (10^-9 offline)
     • Data volume
       • High rate * large number of channels * 4 experiments
       • 15 PetaBytes of new data each year
     • Compute power
       • Event complexity * Nb. events * thousands users
       • 200 k of (today's) fastest CPUs
       • 45 PB of disk storage
     • Worldwide analysis & funding
       • Computing funding locally in major regions & countries
       • Efficient analysis everywhere
     • ⇒ GRID technology

  13. WLCG Today
     Tier 0; 11 Tier 1s; 61 Tier 2 federations (121 Tier 2 sites)
     Sites shown on the map: CERN, Bologna/CNAF, Ca-TRIUMF, Taipei/ASGC, NDGF, US-FNAL, US-BNL, UK-RAL, Amsterdam/NIKHEF-SARA, De-FZK, Lyon/CCIN2P3, Barcelona/PIC
     • Today we have 49 MoU signatories, representing 34 countries:
       • Australia, Austria, Belgium, Brazil, Canada, China, Czech Rep, Denmark, Estonia, Finland, France, Germany, Hungary, Italy, India, Israel, Japan, Rep. Korea, Netherlands, Norway, Pakistan, Poland, Portugal, Romania, Russia, Slovenia, Spain, Sweden, Switzerland, Taipei, Turkey, UK, Ukraine, USA.

  14. Today WLCG is:
     • Running increasingly high workloads: jobs in excess of 650k / day; anticipate millions / day soon
     • CPU equiv. ~100k cores
     • Workloads are: real data processing, simulations, analysis – more and more (new) users
     • Data transfers at unprecedented rates
     (Chart: e.g. CMS: no. of users doing analysis)

  15. Federated Identity Management for Grids: The International Grid Trust Federation (IGTF)

  16. Grid Identity Management
     • International Grid Trust Federation (IGTF)
       • Formed in Oct 2005, after 5 years of development in EU DataGrid, CrossGrid & EUGridPMA
     • 3 geographical Policy Management Authorities
       • EU (plus Middle East/Africa), The Americas, Asia Pacific
     • Coordinates a Global PKI (X.509)
       • Used by many different Grids
     • X.509 chosen because it was the best (only?) solution (in 2000) – we need delegation

  17. Identity Management (2)
     • Keep Authentication and Authorisation separate
       • Authentication best done by employing institute
       • Authorisation attributes assigned by the Virtual Organisation (VO)
     • IGTF defines minimum requirements and best practices
       • Accredits CAs against 3 different authentication profiles

  18. Geographical coverage of the EUGridPMA
     • 25 of 27 EU member states (all except LU, MT)
     • + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID
     • + CERN (int), DoEGrids (US)*
     • Pending or in progress: SY, ZA, SN

  19. TAGPMA Membership
     Legend (colour-coded on the slide): IGTF Accredited CA Operators; CA Accreditation in progress; Interested in accreditation; Relying Party
     • ANSP - Brazil
     • NRC – Canada
     • ESnet (DOEGrids) – USA
     • EELA – International
     • Fermi National Accelerator Laboratory - USA
     • HEBCA/USHER/Dartmouth College – USA
     • IBDS (ANSP) - Brazil
     • WLCG – International
     • NCSA – USA
     • NCSA CILogon
     • NERSC – USA
     • NICS UT/ORNL – USA
     • NIH Dorian - USA
     • Open Science Grid – International
     • Purdue University – USA
     • REUNA – Chile
     • San Diego Supercomputer Center – USA
     • SENAMHI – Peru
     • TACC – USA
     • TeraGrid (PSC) – USA
     • Texas High Energy Grid – USA
     • University of Virginia – USA
     • UFF – Brazil
     • ULA – Venezuela
     • UNAM – Mexico
     • UNIANDES - Colombia
     • UNLP – Argentina

  20. APGridPMA Members (15 + 1)
     • 15 Accredited CAs
       • AIST (JP)
       • APAC (AU)
       • ASGC (TW)
       • CNIC (CN), SDG
       • IGCA (IN)
       • IHEP (CN)
       • KEK (JP)
       • KISTI (KR)
       • NAREGI (JP)
       • NCHC (TW)
       • NECTEC (TH)
       • NGO/Netrust (SG)
       • PRAGMA-UCSD (US)
       • HKU (HK)
     • Mongolia - under accreditation
     • Coverage by RAs
       • Philippines, Vietnam, Malaysia, Indonesia, New Zealand & Sri Lanka (soon)
     CA: 9 countries; RA: + 6 countries; New: +1 country

  21. Relying Parties and IGTF
     • Relying Party: a consumer of the certificates
     • Important aspect of IGTF success
     • The PMAs allow for membership by Relying Parties
     • Important for input of end user requirements, e.g. naming, LoA, etc.

  22. Growth issues
     A few statistics:
     • 86 trust anchors
     • 3 operational authentication profiles
     • 71 distinct authorities
     • Mid-size CA: 500 active users
     • Large CA: 5000 - 20000 users
     • Small CA: 1-10 users
     • Research and educational community in a small country: ~1 000 000 people
     • Number of end-users that understand PKI: << 1 %
     How can we maintain both trust and scalability? But not disenfranchise small communities, and with a focus on end-to-end security risks.

  23. Federated CAs - To make use of other IdM systems

  24. Grid Certificates from other IdPs
     • Two IGTF profiles
     • Short Lived Credential Service (SLCS)
       • Certificate lifetime <1M seconds
       • Certificates linked to another authentication system – large site or federation
     • Member Integrated Credential Service (MICS)
       • Longer-lived certificates (<13 months)

  25. Grid & IGTF requirements on federations
     • LoA requirements on identity proofing
     • Persistent and unique naming
       • Used for Authorisation and traceability
     • Reasonable representation of names
       • Given name and surname
       • Privacy issues
     • Revocation needs to be handled
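The following is an added example, not part of the talk: a small Python model of the security model on slides 8, 9, 24 and 25, with AuthN (trust anchor, profile lifetime, delegation chain, revocation) kept separate from AuthZ (VO attributes). Plain records stand in for X.509 certificates; the CA names, DNs and VO names are constructed, and the MICS "13 months" bound is approximated as 13 x 31 days.

```python
# Added example (not from the talk): a toy model of the Grid security model on
# slides 8, 9, 24 and 25. Records stand in for X.509 certs; all names are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLCS_MAX = timedelta(seconds=1_000_000)  # IGTF SLCS: lifetime < 1M seconds
MICS_MAX = timedelta(days=13 * 31)       # IGTF MICS: < 13 months (approximation)
@dataclass
class Cred:
    subject: str                       # persistent, unique DN (AuthZ + traceability)
    issuer: str
    not_before: datetime
    not_after: datetime
    serial: int
    proxy_of: Optional["Cred"] = None  # set on a delegated proxy credential
def profile_of(cred, trust_anchors):
    # Issuer must be an accredited trust anchor and the lifetime must fit
    # the profile (SLCS or MICS) that CA is accredited against.
    prof = trust_anchors.get(cred.issuer)
    if prof is None:
        raise ValueError("issuer not in the IGTF distribution")
    limit = SLCS_MAX if prof == "SLCS" else MICS_MAX
    if cred.not_after - cred.not_before >= limit:
        raise ValueError(f"lifetime exceeds the {prof} profile")
    return prof
def authenticate(cred, trust_anchors, revoked, now):
    # AuthN only: walk the delegation chain back to the end-entity cert. A proxy
    # must be issued by its parent, extend the parent's DN and not outlive it.
    chain, c = [], cred
    while c.proxy_of is not None:
        p = c.proxy_of
        if c.issuer != p.subject or not c.subject.startswith(p.subject + "/CN="):
            raise ValueError("malformed proxy")
        if c.not_before < p.not_before or c.not_after > p.not_after:
            raise ValueError("proxy validity outside its parent's")
        chain.append(c)
        c = p
    profile_of(c, trust_anchors)
    if (c.issuer, c.serial) in revoked:  # revocation must be handled
        raise ValueError("end-entity certificate revoked")
    for x in [c] + chain:
        if not (x.not_before <= now < x.not_after):
            raise ValueError("credential not valid at this time")
    return c.subject  # identity established; nothing has been authorised yet
def authorize(subject, vo_attrs, required):
    # AuthZ, kept separate: per-session groups/roles come from the VO (as VOMS
    # issues them); the Site never registers the user itself.
    return required in vo_attrs.get(subject, ())
```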

  26. Federation-based SLCS-only countries

  27. TERENA Certificate Service
     • A very important recent development
     • https://www.terena.org/activities/tcs/
     • Use national AAI federations, and the already existing IdPs
     • Issue certificates quickly and easily to end users – eScience Personal TCS
     • Certs issued by a commercial CA
     • TCS also issues eScience Server certs

  28. TERENA eScience Personal eligible

  29. Federated IGTF CAs elsewhere
     • USA - CILogon
       • Leverage InCommon Silver for a SLCS certificate
       • http://www.cilogon.org/
     • Australia - ARCS SLCS CA
       • National federation backed (AAF)
       • Shibboleth based
       • http://wiki.arcs.org.au/bin/view/Main/SLCS

  30. Federated Security Policies

  31. Policy Interoperability
     • The Joint (EGEE/WLCG) Security Policy Group aimed to prepare simple and general policies applicable to the primary stakeholders, but also of use to other Grid infrastructures (NGIs etc.)
     • Common policies ease the problems of interoperability (and scaling)
     • Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO)
     • Other participants then know that their actions are already bound by the policies
     • No need for additional negotiation, registration or agreement

  32. JSPG Security Policies
     • Security Policy (top-level)
     • Security Incident Response
     • Certification Authorities
     • Traceability and Logging
     • Site & VO Policies
     • Grid & VO AUPs
     • Pilot Jobs and VO Portals
     • Accounting Data Privacy

  33. Security Policies: from EGEE to EGI

  34. EGI Security Policy Group
     • Primary stakeholders: NGIs, Sites, Application communities
     • Starting with the current set of JSPG policies
     • SPG will build on this to develop a policy framework
       • And produce template policies
       • And to address issues not yet fully covered
         • More formal responsibilities, privacy

  35. NRENs and Grids
     Advertise the upcoming “NRENs and Grids” workshop at the EGI Technical Forum
     • Jointly organised by TERENA and EGI
     • 15 Sep 2010 - Amsterdam
     • http://www.terena.org/activities/nrens-n-grids/
     • Indeed the whole Tech Forum (14-17 Sep)

  36. director@egi.eu

  37. Future Directions
     • Production Grids already “federated”
     • AuthN scalability being actively addressed
       • Will be more use of AAI federations
       • Number of Grid-specific CAs will decrease
       • Privacy will become more of an issue
     • Will Grids start to use other AuthN middleware?
     • Control of Authorisation will grow in importance
       • Need to define best practice for VO attribute services
       • Work has started in IGTF
     • Policy development will continue
       • e.g. Liabilities, responsibilities and data privacy

  38. Links
     • EGI http://www.egi.eu/
     • IGTF http://www.igtf.net/
     • EUGridPMA http://www.eugridpma.org/
     • JSPG http://www.jspg.org
     • EGEE http://www.eu-egee.org/
     • WLCG http://lcg.web.cern.ch/LCG/

  39. Questions?
