
Security Middleware and VOMS service status



Presentation Transcript


  1. Security Middleware and VOMS service status
     Andrew McNab, Grid Security Research Fellow, University of Manchester

  2. Outline
     • GridSiteWiki
     • Shibboleth
     • Delegation
     • GridHTTP
     • SiteCast
     • VOMS middleware
     • VOMS service
     11 January 2006 A.McNab – Grid Security

  3. GridSiteWiki
     • Uses software developed for the collaborative “Wikipedia” encyclopedia
     • Added support for certificates that grid users have for authentication
     • So no need to remember passwords
     • Raises the question of what other “legacy” web systems can be gridified
     • But there's Shibboleth going live soon too...

  4. Shibboleth
     • Shibboleth is being adopted by JISC to replace ATHENS for library / database services
     • For all UK University / NHS staff & students
     • As part of FAME-PERMIS, we've implemented a stopgap Shibboleth Identity Provider
     • Leverages X.509 Certs/DNs by allowing the user to choose a username / password to use
     • Adding support to GridSite for Shibboleth attributes, to turn GridSites into Service Providers

  5. Delegation
     • GSI proxy delegation was part of Globus 2 binary protocols
     • For Web Service / SOAP grids, need a new way to do this
     • We proposed a set of HTTP delegation methods during EDG
     • For EGEE, we wrote the WSDL / SOAP delegation portType now used by EGEE (Manchester-UK & KTH-SE) implementations, and by WLMS and Data Management
     • There are ongoing discussions with OSG and Globus about merging the EGEE portType with Globus's new delegation service
     • During January, we (Manchester-UK & KTH-SE) are producing C and Java for the revised EGEE portType

  6. GridHTTP
     • htcp and GridSite make it easy to use HTTP(S) for reading and writing files on remote servers
     • One advantage of GridFTP was support for 3rd party transfers between remote sites
     • GridSite now supports this using the WebDAV COPY method and one-time passcodes
     • Authentication / authorization / obtain passcode via HTTPS
     • File transfer via HTTP using one-time passcode
     • Currently adding multistream remote transfers
     • Managing passcodes remotely is the issue...

  7. SiteCast
     • Using HTTP(S) for file transfers has also been taken up by EGEE WLMS
     • We're now looking at how to locate local replicas of files on GridSite HTTP(S) servers
     • Have designed a simple replica location system for farms with many disks/hosts
     • Now implemented on the server side and in htcp
     • Uses UDP multicast to find lists of replicas of a given file: looks at the filesystem rather than a database
     • Intend to do test deployments on some of the Tier-2 equipment (pre-production farm first)

  8. VOMS middleware
     • GridSite parses VOMS attribute certificates from LCG / EGEE VOMS servers
     • As VOMS is deployed, scaling problems are emerging
     • Need to distribute the certificate of each VOMS to each host (WN?) which will check them
     • N(hosts) x N(VOs) ?!?!?
     • One solution is to include the VOMS cert along with the attribute certificate
     • Being implemented by INFN-IT (server), Manchester-UK (client C) and KTH-SE (client Java) this month

  9. GridPP VOMS
     • GridPP national VOMS to support:
     • Smaller VOs such as phenogrid, t2k
     • Local VOs
     • Agreement with NGS for mutual support
     • Common infrastructure to maintain the VOMS servers
     • Common VO support
     • Common distribution of information
     • Enable each other's VOs on each other's systems

  10. What is happening
     • ½ FTE for VO management support:
     • Sergey Dolgodobrov
     • Support part of the Tier2 infrastructure
     • 3 servers for GridPP: 1 Test, 1 production, 1 backup
     • 2 servers for NGS: 1 production, 1 backup
     • Sergey will be the VOMS administrator and will do VO support
     • The production VOMS server (voms.gridpp.ac.uk) has been installed and is ready to be used
     • 2 VOs have already been enabled
     • Gridpp for testing
     • T2k

  11. How to enable a VO
     • A formal request has to be made to the ROC
     • Ask Jeremy Coles
     • Information about the VO has to be supplied in the request
     • Name, description, VO manager, VO security contact
     • The request has to be approved by the PMB
     • PMB meets every week so it won’t take long
     • After approval the VO gets created on the VOMS
     • The VO manager will then be able to add users
     • The information to enable the VO at sites will then be downloadable from the GridPP web site
     • This might change in the future if the CIC portal is used instead
     • VOs will be responsible for keeping the information up to date
     • More details on the procedure can be found at http://www.gridpp.ac.uk/deployment/users/newvo.html

  12. Summary
     • Through JISC funding, we're doing some work on Shibboleth support
     • We continue to work with EGEE JRA3 to provide tools for other parts of EGEE / LCG
     • Delegation and VOMS support are currently being reworked
     • “GridHTTP” extended to support 3rd party transfers
     • SiteCast offers lightweight replica location
     • Joseph, Yibiao and Sergey are making a big contribution to all these ongoing subprojects
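
The two-step flow on the GridHTTP slide (obtain a passcode over HTTPS after authentication and authorization, then transfer the file over plain HTTP with that passcode) can be modelled as below. This is an added example, not GridSite code or part of the original slides; the class name, the 60-second lifetime, the binding of a passcode to one path and the hashed storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time


def _digest(code):
    # Store and look up only a hash, so the table never holds usable passcodes.
    return hashlib.sha256(code.encode()).hexdigest()


class PasscodeStore:
    """Source-server side of a one-time-passcode transfer (illustrative model)."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # sha256(passcode) -> (path, expiry)

    def issue(self, path, authorized):
        """Step 1, over HTTPS: only after certificate auth and authorization."""
        if not authorized:
            raise PermissionError("passcodes are issued only to authorized requests")
        code = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[_digest(code)] = (path, self._clock() + self._ttl)
        return code

    def redeem(self, path, presented):
        """Step 2, over HTTP: succeeds at most once per issued passcode."""
        # pop() removes the entry on first sight: the passcode has now crossed
        # an unencrypted link, so it must never be accepted a second time.
        entry = self._pending.pop(_digest(presented), None)
        if entry is None:
            return False                   # unknown or already used
        bound_path, expiry = entry
        if self._clock() > expiry:
            return False                   # too old
        return bound_path == path          # valid only for the file it was issued for


if __name__ == "__main__":
    store = PasscodeStore()
    code = store.issue("/data/run42.root", authorized=True)   # constructed path
    print("first use :", store.redeem("/data/run42.root", code))
    print("replay    :", store.redeem("/data/run42.root", code))
```

Because the passcode is single-use, short-lived and tied to one file, anyone who captures it on the HTTP leg gains nothing once the intended transfer has started.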
