This document discusses the current state and future requirements of security middleware within the GridPP framework, highlighting contributions made towards the European DataGrid (EDG) and GridPP-2 initiatives. It addresses the evolution of security measures from basic authentication to sophisticated authorization mechanisms, showcasing ongoing integration efforts and practical requirements identified for production systems. The proposal includes enhancements for virtual organization services, usage management, and collaboration with GGF standards to improve security protocols and system functionality.
Security Middleware
Andrew McNab
High Energy Physics, University of Manchester
Security Middleware, GridPP8, 23 Sept 2003
Overview
• Security in EDG/GridPP-1
• Currently deployed (EDG 2.0)
• Being integrated (EDG 2.1)
• GridPP-2 requirements
• GridPP-2 proposal
• GGF involvement
• Research areas
Security in EDG / GridPP-1
• When the proposals were written, security was mostly seen as just authentication (CAs etc.)
• From Globus, we inherited the static, manually edited /etc/grid-security/grid-mapfile
• Better authorization mechanisms were needed to make the Testbed actually work
• In EDG, security effort is split between WP7 (networking) and WP6 ("getting things to work"), with further components inside WP1-5
• In GridPP, security middleware effort comes from WP6
Currently deployed middleware
• Pool accounts (from GridPP)
  • a short-term measure that has become long term and ubiquitous
• XML Grid Access Control Lists (GACL, from GridPP)
  • used by the Storage Element; grew out of GridPP GridSite work
• Other components:
  • INFN's VO-LDAP server (the GridSite implementation of this is used for GridPP+BaBar)
  • WP2 Java security packages
  • specific security pieces inside each WP
Middleware being integrated
• INFN-WP6/WP2 Virtual Organisation Membership Service (VOMS) is the major component
  • GACL support for VOMS attribute certificates is already present in EDG 1.x/2.0
• GACL support in WP4 LCAS/EDG Gatekeeper
  • so sites can write XML access policies rather than use the grid-mapfile
• VOMS, plus new GSI and X509v3 support, added to GridSite and mod_ssl-gridsite
  • HTTPS servers controlled by VOMS+GACL
• WP1 Logging and Bookkeeping using GACL
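To make the two authorization mechanisms contrasted above concrete (the static grid-mapfile with pool accounts from the earlier slides, and an XML site policy with VOMS attributes replacing it here), the following is an added example written for this page; it is not GridPP, GridSite or EDG code. The grid-mapfile format it parses is the usual quoted-DN-plus-account form, with a leading "." marking a pool. The pool allocator is a simplified in-memory model of leasing, not the real gridmapdir mechanism. The policy uses GACL-style element names (entry, person/dn, voms/fqan, any-user, allow, deny, read/list/write/admin); the exact schema and the evaluation rule used here (union of allows over matching entries, any deny wins) are this example's assumptions, as are all DNs, FQANs and account names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample grid-mapfile (not a real site file). Each line is a quoted
# certificate DN followed by a local account; a leading '.' marks a pool
# account family rather than a fixed Unix user.
SAMPLE_GRID_MAPFILE = '''\
# site grid-mapfile (constructed sample)
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example" .dteam
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob example" bob
'''

_MAPFILE_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def parse_grid_mapfile(text):
    """Return {DN: account_spec}; blank and '#' lines skipped, bad lines raise."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        match = _MAPFILE_LINE.match(line)
        if match is None:
            raise ValueError('malformed grid-mapfile line: %r' % line)
        mapping[match.group(1)] = match.group(2)
    return mapping


class PoolAllocator:
    """Simplified in-memory model of pool-account leasing (an assumption of
    this example, not the gridmapdir implementation): a DN is bound to one
    free account from its pool on first use and keeps that binding; an
    exhausted pool is reported as an error rather than reusing an account."""

    def __init__(self, pools):
        self._free = {name: list(accounts) for name, accounts in pools.items()}
        self._leases = {}

    def local_account(self, dn, account_spec):
        if not account_spec.startswith('.'):
            return account_spec  # fixed account, nothing to lease
        pool = account_spec[1:]
        if (pool, dn) in self._leases:
            return self._leases[(pool, dn)]
        if not self._free.get(pool):
            raise LookupError('pool %r exhausted, cannot map %s' % (pool, dn))
        account = self._free[pool].pop(0)
        self._leases[(pool, dn)] = account
        return account


# Constructed GACL-style site policy (element names modelled on GACL; the
# schema details and all identifiers are assumptions for this example).
SAMPLE_POLICY = '''<gacl>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example</dn></person>
    <allow><read/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/dteam/Role=admin</fqan></voms>
    <allow><list/><admin/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=mallory example</dn></person>
    <deny><read/><list/><write/><admin/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>'''


def _credential_matches(entry, dn, fqans):
    """True if the entry's credential element matches the DN or any VOMS FQAN."""
    if entry.find('any-user') is not None:
        return True
    person_dn = entry.findtext('person/dn')
    if person_dn is not None and person_dn.strip() == dn:
        return True
    fqan = entry.findtext('voms/fqan')
    if fqan is not None and fqan.strip() in fqans:
        return True
    return False


def evaluate_policy(policy_xml, dn, fqans=()):
    """Permissions granted to (dn, fqans): union of allows from matching
    entries minus anything denied by a matching entry (deny wins)."""
    root = ET.fromstring(policy_xml)
    allowed, denied = set(), set()
    for entry in root.findall('entry'):
        if not _credential_matches(entry, dn, fqans):
            continue
        allowed.update(child.tag for child in entry.findall('allow/*'))
        denied.update(child.tag for child in entry.findall('deny/*'))
    return allowed - denied


if __name__ == '__main__':
    mapping = parse_grid_mapfile(SAMPLE_GRID_MAPFILE)
    pool = PoolAllocator({'dteam': ['dteam001', 'dteam002']})
    alice = '/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example'
    print('grid-mapfile maps alice to', pool.local_account(alice, mapping[alice]))
    print('policy grants alice with /dteam/Role=admin:',
          sorted(evaluate_policy(SAMPLE_POLICY, alice, ['/dteam/Role=admin'])))
```

The contrast the slides draw is visible in the two halves: the grid-mapfile can only answer "which local user", and an unlisted DN gets nothing, whereas the policy can grant per-operation rights to a DN, to anyone carrying a VOMS role, or to everyone, and can deny a named user even though the any-user entry would otherwise admit them.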
GridPP2 Security Middleware
• GridPP2 focuses on the practical requirements of production systems (LCG + EGEE)
• Many gaps in the functionality of security systems
  • e.g. accounting / usage control
• Based on the WP6, WP8 and LCG requirements documents, identified 8 tasks
  • extend GridPP 1 work to address urgent gaps
• Research rather than implementation areas left out of this
  • aim to get funding for these elsewhere
GridPP2 Proposal
• GridPP2 Security Middleware Proposal:
  • Java and C++ APIs for the GACL library
  • Add usage control (quotas etc.) handling
  • Improve/generalise the GridSite user interface
  • VO access and usage management service(s)
  • Support for other systems: CAS, VOM etc.
  • Grid-level auditing / intrusion detection
  • Porting to other Unix/Windows flavours
• This was estimated at 4 FTE, but only 2.5 FTE is in the GridPP2 proposal as submitted
GGF Involvement
• Participating in, influencing and following GGF standards clearly helps our work:
  • less effort supporting multiple protocols
  • our implementation is attractive to more projects
• I'm co-chair of the Authz WG and now the OGSA-Authz WG
  • aim to standardise the policy language (cf. GACL)
  • assertion protocol (e.g. SAML, LCAS callout)
  • attribute formats (e.g. VOMS)
• Also contacts with the GGF Accounting groups, via Manchester Computing / eSNW
Research areas
• PPARC-funded e-Science Studentship
  • starting now, on authorization/accounting
  • aim to get involved in GGF WGs' protocols and models work, and apply it to HEP contexts
  • this may feed into GridPP2 implementations
• Other research proposals underway:
  • how to support ad-hoc, short-term VOs
  • using SlashGrid to create on-demand security contexts and sandboxes for native binaries
  • medical applications, including extensions of the PPARC/MRC project at Manchester
Summary
• GridPP has made significant security middleware contributions to EDG
• More will be deployed when EDG 2.1 is released
• For GridPP-2, we identified key practical requirements
  • wait to see how many can be addressed
• Direct involvement in the GGF standards process
• Other funding obtained (studentship) or being sought (EU and MRC/DoH) for further research rather than implementation