European Grid Policy Management Authority
EUGridPMA
and the e-IRG security roadmap
towards interoperable policies in identity management
GGF16 Production Grids Enterprise and Research
Workshop
David L. Groep, EUGridPMA, 2006-02-15
Outline
A few words on the Grid Security Model
Towards inter-working identity management
Policies for Authentication Federation
EUGridPMA
IGTF
e-IRG roadmap
Towards integrated Authentication and Authorization
David Groep – [email protected]
GGF16 Workshop on Production Grids– Feb 2006 - ‹#›
Essentials on Grid Security
Access to shared services
cross-domain authentication, authorization, accounting, billing
common generic protocols for collective services
Support multi-user collaboration
may contain individuals acting alone – their home organization administration need not necessarily know about all activities
organized in ‘Virtual Organisations’
Enable ‘easy’ single sign-on for the user
the best security is hidden from the user as much as possible
Virtual vs. Organic structure
Virtual communities (“virtual organisations”) are many
An individual will typically be part of many communities
but will require single sign-on across all these communities
[Figure: two organic organisations (Organization A and Organization B) with their people in organic roles (Faculty, Staff, Student), compute servers C1, C2, C3 and file server F1 with disks A and B; Virtual Community C is drawn across both, containing the same people in VO roles (Principal Investigator, Administrator, Researcher) and a subset of the resources. Graphic: GGF OGSA Working Group]
Stakeholders in Grid Security
Current grid security is largely user centric
different roles for the same person in the organic unit and in the VO
There is no a priori trust relationship between members or member organisations
Virtual Organisation lifetime can vary from hours to decades
VO not necessarily persistent (both long- and short-lived)
people and resources are members of many VOs
… but a relationship is required
as a basis for authorising access
for traceability and liability, incident handling, and
Separating Authentication and Authorization
Single Authentication token (“passport”)
issued by a party trusted by all (“CA”),
recognised by many resource providers, users, and VOs
satisfies the traceability and persistency requirements
in itself does not grant any access, but provides a unique binding between an identifier and the subject
Per-VO Authorisations (“visa”)
granted to a person/service via a virtual organisation, based on the ‘passport’ name
acknowledged by the resource owners
providers can obtain lists of authorised users per VO, but can still ban individual users
Authentication … academia, industry, and …
Possible sources of authentication and identity
National PKI
in general, uptake of 1999/93/EC and e-Identification is slow
where available, a national PKI can be leveraged
Several commercial providers
main commercial drive today: secure e-commerce based on SSL
thus the primary market is server authentication, not end-user identities
are implicitly trusted by many, because web browsers pre-install the roots of trust
WebTrust “seal of approval” scope is limited to a single Authority
Academic Grid PKI today
Provide end-user identities for secure mail and grid use
generally provided by the NREN or national e-science project
A Federation Model for Grid Authentication
[Diagram: CA 1, CA 2, CA 3 … CA n joined through a charter, guidelines and an acceptance process to relying party 1 … relying party n]
A Federation of many independent CAs
Policy coordination based on common minimum requirements (not ‘policy harmonisation’)
Acceptable for major relying parties in Grid Infrastructures
No strict hierarchy with a single top
spread liability and enable failure containment (better resilience)
maximum leverage of national efforts and subsidiarity
Building the federation
Providers and Relying Parties together shape the common minimum requirements
Several profiles for different identity management models
different technologies
Authorities testify to compliance with profile guidelines
Peer-review process within the federation to (re)evaluate members on entry & periodically
Reduce effort on the relying parties
single document to review and assess for all Authorities
collective acceptance of all accredited authorities
Reduce cost on the authorities
but participation in the federation comes with a price
… the ultimate decision always remains with the RP
EUGridPMA: the Federation in Europe
EUGridPMA founded April 2004, as a successor to the CACG
The European Policy Management Authority for Grid Authentication in e-Science (EUGridPMA) is a body
• to establish requirements and best practices for grid identity providers
• to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.
As its main activity the EUGridPMA
• coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware.
The EUGridPMA itself does not provide identity assertions, but instead asserts that – within the scope of this charter – the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.
EUGridPMA Membership
EUGridPMA membership for Authorities
a single Authority per country, large region or international treaty organization
‘serve the largest possible community with a small number of stable CAs’
‘operated as a long-term commitment’
Relying Parties: major e-Infrastructures or partner organisations
DEISA, EGEE, SEE-GRID, TERENA, …
Coverage of the EUGridPMA
Green: Countries with an accredited CA
The EU member states (except LU, MT)
+ AM, CH, IL, IS, NO, PK, RU, TR, “SEE-catch-all”
Other Accredited CAs:
DoEGrids (.us)
GridCanada (.ca)
CERN
ASGCC (.tw)*
IHEP (.cn)*
* Migrated to APGridPMA per Oct 5th, 2005
Growth of the EDG CACG and EUGridPMA
[Chart “History”: number of accredited CAs (y-axis 0 to 40, in steps of 10) over time, x-axis from Mar-01 to Sep-05 in half-year steps (Mar-01, Sep-01, Mar-02, Sep-02, Mar-03, Sep-03, Mar-04, Sep-04, Mar-05, Sep-05)]
Five years of growth
December 2000: First CA coordination meeting for the FP5 DataGrid project
March 2003: Tokyo Accord (GGF7)
April 2004: Foundation of the EUGridPMA
June 2004: Foundation of the APGridPMA
June 2005: Foundation of TAGPMA (GGF14)
5 October 2005: Establishment of the International Grid Trust Federation (IGTF)
…
2005: Extending Trust – the International Grid Trust Federation
common, global best practices for trust establishment
better manageability of the PMAs
[Diagram: the IGTF as the union of three regional PMAs: APGridPMA (Asia Pacific Grid PMA), EUGridPMA (European Grid PMA) and TAGPMA (The Americas Grid PMA)]
APGridPMA
13 members from the Asia-Pacific Region,
today 6 ‘production-quality’ authorities
• AIST (.jp)
• NPACI (.us)
• APAC (.au)
• Osaka U. (.jp)
• BMG (.sg)
• SDG (.cn)
• CMSD (.in)
• USM (.my)
• HKU CS SRG (.hk)
• IHEP Beijing (.cn)
• KISTI (.kr)
• ASGCC (.tw)
• NCHC (.tw)
Launched June 1st, 2004, chaired by Yoshio Tanaka
Minimum Requirements taken from EUGridPMA
First face-to-face meeting on Nov 29th, 2005
See subsequent presentation by Yoshio Tanaka (AIST and APGridPMA)
TAGPMA
To cover all of the Americas
8 members to date
• SDSC (.us)
• Canarie (.ca)
• FNAL (.us)
• OSG (.us)
• Dartmouth (.us)
• TERAGRID (.us)
• Texas H.E. Grid (.us)
• DOEGrids (.us)
Brazil (pending)
Launched June 28th, 2005, chaired by Darcy Quesnel, CANARIE
See subsequent presentation by Darcy Quesnel (TAGPMA and CANARIE)
IGTF Federation Common Policy
[Diagram: the IGTF Federation Document binds the three PMAs through mutual trust relations: APGridPMA (CA A1, …), EUGridPMA (CA E1, CA E2, …) and TAGPMA (CA T1, …). Shared elements: Common Authentication Profiles (Classic, owned by EUGridPMA; SLCS, owned by TAGPMA), Subject Namespace Assignment, Naming Conventions, and Distribution]
worldwide relying parties see a uniform IGTF “mesh”
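The ‘passport’/‘visa’ split from the Separating Authentication and Authorization slide, combined with the Subject Namespace Assignment of the IGTF federation document, worked through as an added Python example that is not part of this presentation: a relying party first checks that the certificate issuer is accredited and that the subject DN lies inside the namespace assigned to that issuer, then checks VO membership and its own local ban list. All CA names, DNs, the VO name and the lists are constructed sample data, not real IGTF entries.

```python
from typing import Optional

# Constructed sample data (not from the presentation): the relying party's copy of the
# trust-anchor distribution. Each accredited CA maps to the subject namespace(s) it may sign.
ACCREDITED_CAS = {
    "/DC=org/DC=examplegrid/CN=ExampleGrid CA": ("/DC=org/DC=examplegrid/O=users/",),
    "/DC=org/DC=otherlab/CN=OtherLab CA": ("/DC=org/DC=otherlab/O=staff/",),
}

# Per-VO authorised member lists (the 'visa'), keyed on the passport name (subject DN).
VO_MEMBERS = {
    "biomed": {
        "/DC=org/DC=examplegrid/O=users/CN=Alice Researcher",
        "/DC=org/DC=examplegrid/O=users/CN=Bob Banned",
    },
}

# The resource provider's own ban list: it accepts the VO list but still excludes individuals.
LOCAL_BANS = {"/DC=org/DC=examplegrid/O=users/CN=Bob Banned"}


def authenticate(issuer: str, subject: str) -> Optional[str]:
    """Passport check: the issuer must be accredited and the subject DN must fall within the
    namespace assigned to that issuer. Returns a rejection reason, or None when accepted."""
    namespaces = ACCREDITED_CAS.get(issuer)
    if namespaces is None:
        return "issuer not accredited"
    if not any(subject.startswith(ns) for ns in namespaces):
        # An accredited CA signing a name outside its assignment is rejected, so one
        # compromised or misconfigured CA cannot impersonate another CA's users.
        return "subject outside issuer's assigned namespace"
    return None


def authorize(subject: str, vo: str) -> Optional[str]:
    """Visa check: VO membership first, then the provider's local override."""
    if subject not in VO_MEMBERS.get(vo, set()):
        return f"not a member of VO {vo}"
    if subject in LOCAL_BANS:
        return "banned by this resource provider"
    return None


def decide(issuer: str, subject: str, vo: str) -> tuple[bool, str]:
    """Full access decision: authentication must pass before authorisation is consulted."""
    reason = authenticate(issuer, subject) or authorize(subject, vo)
    return (reason is None, reason or "access granted")


if __name__ == "__main__":
    ca = "/DC=org/DC=examplegrid/CN=ExampleGrid CA"
    for dn in sorted(VO_MEMBERS["biomed"]):
        print(dn, "->", decide(ca, dn, "biomed"))
```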
e-Infrastructure Reflection Group
e-IRG (www.e-irg.org)
Recommends best practices for European grid efforts
Policy coordination for the European Research Area
Resource sharing policies
Registry of resources (economy of scale advantages)
Synergies between Europe and other regions
e-Infrastructure Roadmap and FP7+
Support and encourage pan-European interoperability
such as EUGridPMA, TACAR
Along the e-IRG Roadmap
e-Infrastructure Reflection Group White Paper on Authentication and Authorization
commitment to the federated approach
vision of an integrated AA infrastructure for eEurope
Towards an integrated AAI for academia in Europe and beyond
The e-IRG notes the timely operation of the EUGridPMA in conjunction with the TACAR CA Repository and it expresses its satisfaction for a European initiative that serves e-Science Grid projects. […] The e-IRG strongly encourages the EUGridPMA / TACAR to continue their valuable work […]
(Dublin, 2004)
The e-IRG encourages work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.
(The Hague, 2005)
Grid Authorization today
Leverages authentication provided by the PKI
Identity management decoupled from access control
Creation of short-lived ‘tokens’ (‘proxy’ certificates) for single sign-on based on these identities
Status today
Variety of mechanisms
Variety of sources of authority
Integration and interoperability needs significant effort …
Convergence initiatives in AAI
from the PMA side
Extending PMA and the IGTF to more countries and regions,
and to more mechanisms and audiences
from TERENA
NRENs-GRID workshop series
TF-EMC2 / TF-Mobility
REFEDS – Research and Education Federations
broad AAI scope: IGTF, eduroam, A-Select, PAPI,
SWITCH-AAI, InCommon, HAKA, FEIDE/Moria
See http://www.terena.nl/tech/refeds/
in GGF
…
With the current technical and policy momentum,
a coordinated AAI is now both timely and within reach!
EUGridPMA – http://www.eugridpma.org/
IGTF – http://www.gridpma.org/
e-IRG – http://www.e-irg.org/