- Number of slides: 39
Federating the Grid
David Kelsey
TNC 2010, Vilnius, 2 Jun 2010
Introduction
“Real-life use cases in a cross-federated environment”
• What is happening in the production Grids in this area?
Outline of talk
• The European Grid Infrastructure (EGI)
• The Grid Use Case(s)
• Federated Identity Management for the Grid (IGTF)
• Federated Security Policies (JSPG)
• Future directions
Not addressed here: operations, security incident response, support, …
Disclaimers and thanks:
• My personal views – not the official views of any Grid project, IGTF etc.
• Thanks to (for slides): Steven Newhouse, Bob Jones, Sergio Bertolucci and David Groep – with modifications by me
• Thanks to all my numerous colleagues in the Grids and IGTF – credit all due to them!
2 Jun 10 Kelsey, TNC 2010 2
The European Grid Infrastructure
European e-Infrastructure
• European Data Grid (EDG)
– Explore concepts in a testbed
• Enabling Grids for E-sciencE (EGEE)
– Moving from prototype to production
– Federation started in 2004 (with development since 2001)
• European Grid Infrastructure (EGI)
– Routine usage of a sustainable e-infrastructure
EGI-InSPIRE - EGEE UF 5
EGI.eu
• A legal entity created in Feb 2010. Offices in Amsterdam.
• Operate a secure integrated production grid infrastructure that seamlessly federates resources from providers around Europe
• Coordinate the support of the research communities using the European infrastructure coordinated by EGI.eu
Bob Jones - April 2010
The EGI-InSPIRE Project
Integrated Sustainable Pan-European Infrastructure for Researchers in Europe
• A 4 year project with €25 M EC contribution
– Project cost €69 M
– Total effort ~€330 M
– Staff ~170 FTE
(Chart: funded vs. un-funded effort)
Project Partners (48): EGI.eu, 37 NGIs, 2 EIROs, 8 AP
The Grid Use Case
Security model
• Many 100s of Resource Providers (Sites)
• Many 10s of countries (National Grids)
• Many 10,000s of Users (Global Grids)
– In 100s of VOs (each using many Grids)
• Keep AuthN and AuthZ separate
• User gets an electronic ID (X.509 cert)
• User registers once with the VO
– And does not register with Sites
Security model (2)
• Single Sign-on per user session
• Common AuthN and AuthZ middleware
– Mutual authentication – client and server
• Authorisation attributes per session from the VO (e.g. VOMS)
– Groups, Roles and/or other attributes
• Delegation is essential
• Common security policies: AUP, Site & VO
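The two slides above describe the model in words: the user's identity comes from an X.509 certificate, while groups and roles come from the VO (VOMS) and are what a Site actually authorises on. The following Python is an added example, not code from the talk or from any Grid project, showing that separation in practice: it parses VOMS-style fully qualified attribute names (FQANs, of the form /vo/group/Role=r/Capability=c) and maps a user to a local account from the VO attributes alone. The site policy table, the sample subject DN and the account names are constructed for illustration.

```python
# Added example (not from the talk or any Grid project): parse VOMS-style
# FQANs and make a site authorisation decision from the VO attributes only.
# The site policy and the sample identities are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FQAN:
    vo: str                      # VO name, the first group component
    group: str                   # full group path, e.g. "/atlas/production"
    role: Optional[str]          # None when absent or "NULL"
    capability: Optional[str]    # None when absent or "NULL"


def parse_fqan(fqan: str) -> FQAN:
    """Parse "/vo[/subgroup...][/Role=r][/Capability=c]".

    Group components come first; Role and Capability are optional and a value
    of "NULL" means "not set".  Anything else is rejected rather than guessed.
    """
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    groups: List[str] = []
    role = capability = None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif role is not None or capability is not None:
            raise ValueError("group component after Role/Capability: %r" % part)
        elif not part or "=" in part:
            raise ValueError("bad group component: %r" % part)
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN has no VO component")

    def unset(value: Optional[str]) -> Optional[str]:
        return None if value in (None, "NULL") else value

    return FQAN(vo=groups[0], group="/" + "/".join(groups),
                role=unset(role), capability=unset(capability))


# Constructed site policy: (group path, required role or None, local account).
# Rules are checked in order, so the more specific production rule comes first.
SITE_POLICY = [
    ("/atlas/production", "production", "atlasprd"),
    ("/atlas", None, "atlas"),
]


def in_group(fqan: FQAN, group: str) -> bool:
    """True when the FQAN's group is `group` itself or a subgroup of it."""
    return fqan.group == group or fqan.group.startswith(group + "/")


def authorise(subject_dn: str, fqans: List[FQAN],
              banned_dns=frozenset()) -> Optional[str]:
    """Map an authenticated user to a local account, or None to deny.

    Authentication is assumed to have happened already (the subject DN was
    verified during the TLS/GSI handshake against the installed trust
    anchors); this function only consults it for the site's ban list and
    otherwise decides on the VO-issued attributes, keeping AuthN and AuthZ
    separate as the talk's security model requires.
    """
    if subject_dn in banned_dns:
        return None
    for fqan in fqans:                 # VOMS convention: the first FQAN is primary
        for group, required_role, account in SITE_POLICY:
            if in_group(fqan, group) and (required_role is None
                                         or fqan.role == required_role):
                return account
    return None


if __name__ == "__main__":
    user = "/DC=org/DC=example/CN=Jane Doe"          # constructed sample DN
    attrs = [parse_fqan("/atlas/production/Role=production/Capability=NULL")]
    print(authorise(user, attrs))                    # atlasprd
```

Because a user in /atlas/production without the production role falls through to the generic /atlas rule, the ordering of the policy table is what enforces "role required for the privileged account"; a site that appended rules carelessly would silently widen access, which is why the table is checked in order and documented as such.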
CERN Large Hadron Collider: An example of a Global Scientific Community
Sergio Bertolucci, CERN
5th EGEE User Forum, Uppsala, 14th April 2010
The LHC Computing Challenge
• Signal/Noise: 10^-13 (10^-9 offline)
• Data volume: high rate * large number of channels * 4 experiments → 15 PetaBytes of new data each year
• Compute power: event complexity * number of events * thousands of users → 200k of (today's) fastest CPUs, 45 PB of disk storage
• Worldwide analysis & funding: computing funding locally in major regions & countries; efficient analysis everywhere → GRID technology
WLCG Today
Tier 0; 11 Tier 1s; 61 Tier 2 federations (121 Tier 2 sites)
(Map of the Tier 0 and Tier 1 sites: CERN; Ca-TRIUMF; US-BNL; US-FNAL; Amsterdam/NIKHEF-SARA; Bologna/CNAF; Taipei/ASGC; NDGF; De-FZK; Barcelona/PIC; Lyon/CCIN2P3; UK-RAL)
Today we have 49 MoU signatories, representing 34 countries: Australia, Austria, Belgium, Brazil, Canada, China, Czech Rep, Denmark, Estonia, Finland, France, Germany, Hungary, Italy, India, Israel, Japan, Rep. Korea, Netherlands, Norway, Pakistan, Poland, Portugal, Romania, Russia, Slovenia, Spain, Sweden, Switzerland, Taipei, Turkey, UK, Ukraine, USA.
Today WLCG is:
• Running increasingly high workloads:
– Jobs in excess of 650k / day; anticipate millions / day soon
– CPU equiv. ~100k cores
• Workloads are:
– Real data processing
– Simulations
– Analysis – more and more (new) users
• Data transfers at unprecedented rates
(Chart: e.g. CMS, number of users doing analysis)
Federated Identity Management for Grids: The International Grid Trust Federation (IGTF)
Grid Identity Management
• International Grid Trust Federation (IGTF)
– Formed in Oct 2005
  • after 5 years of development in EU DataGrid, CrossGrid & EUGridPMA
– 3 geographical Policy Management Authorities
  • EU (plus Middle East/Africa), The Americas, Asia Pacific
• Coordinates a Global PKI (X.509)
– Used by many different Grids
• X.509 chosen because it was the best (only?) solution (in 2000) – we need delegation
Identity Management (2)
• Keep Authentication and Authorisation separate
– Authentication best done by employing institute
– Authorisation attributes assigned by the Virtual Organisation (VO)
• IGTF defines minimum requirements and best practices
– Accredits CAs against 3 different authentication profiles
Geographical coverage of the EUGridPMA
· 25 of 27 EU member states (all except LU, MT)
· + AM, CH, HR, IL, IR, IS, MA, ME, MK, NO, PK, RO, RS, RU, TR, UA, SEE-GRID
· + CERN (int), DOEGrids (US)*
· Pending or in progress: SY, ZA, SN
David Groep – davidg@eugridpma.org, OGF 28 CAOPS/IGTF – Mar 2010
TAGPMA Membership
(Legend on the slide: IGTF Accredited CA Operators; CA Accreditation in progress; Interested in accreditation; Relying Party. The per-member status is colour-coded on the original slide.)
ANSP - Brazil; NRC – Canada; ESnet (DOEGrids) – USA; EELA – International; Fermi National Accelerator Laboratory - USA; HEBCA/USHER/Dartmouth College – USA; IBDS (ANSP) - Brazil; WLCG – International; NCSA – USA; NCSA CILogon; NERSC – USA; NICS UT/ORNL – USA; NIH Dorian - USA; Open Science Grid – International; Purdue University – USA; REUNA – Chile; San Diego Supercomputer Center – USA; SENAMHI – Peru; TACC – USA; TeraGrid (PSC) – USA; Texas High Energy Grid – USA; University of Virginia – USA; UFF – Brazil; ULA – Venezuela; UNAM – Mexico; UNIANDES - Colombia; UNLP – Argentina
APGridPMA Members (15 + 1)
15 Accredited CAs: AIST (JP), APAC (AU), ASGC (TW), CNIC (CN), SDG, IGCA (IN), IHEP (CN), KEK (JP), KISTI (KR), NAREGI (JP), NCHC (TW), NECTEC (TH), NGO/Netrust (SG), PRAGMA-UCSD (US), HKU (HK)
Mongolia - under accreditation
Coverage by RAs: Philippines, Vietnam, Malaysia, Indonesia, New Zealand & Sri Lanka (soon)
CA: 9 countries; RA: +6 countries; New: +1 country
Relying Parties and IGTF
• Relying Party: a consumer of the certificates
• Important aspect of IGTF success
• The PMAs allow for membership by Relying Parties
– Important for input of end user requirements, e.g. naming, LoA, etc.
Growth issues
· A few statistics:
  · 86 trust anchors
  · 3 operational authentication profiles
  · 71 distinct authorities
  · Mid-size CA: 500 active users
  · Large CA: 5000 - 20000 users
  · Small CA: 1 - 10 users
  · Research and educational community in a small country: ~1 000 people
  · Number of end-users that understand PKI: << 1 %
· How can we maintain both trust and scalability?
· But not disenfranchise small communities
· And with a focus on end-to-end security risks
David Groep – davidg@eugridpma.org, APGridPMA Plenary Meeting, March 2010
Federated CAs – To make use of other IdM systems
Grid Certificates from other IdPs
• Two IGTF profiles
– Short Lived Credential Service (SLCS)
  • Certificate lifetime < 1 M seconds
  • Certificates linked to another authentication system – large site or federation
– Member Integrated Credential Service (MICS)
  • Longer-lived certificates (< 13 months)
Grid & IGTF requirements on federations
• LoA requirements on identity proofing
• Persistent and unique naming
– Used for Authorisation and traceability
• Reasonable representation of names
– Given name and surname – privacy issues
• Revocation needs to be handled
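The two preceding slides give the relying party's side of federation-issued certificates: the SLCS profile (lifetime under 1 M seconds) and the MICS profile (under 13 months), plus the requirements that names are persistent and represent the person, and that revocation is handled. The Python below is an added example, not code from the talk, IGTF or any CA, of the acceptance check a relying party would run on an incoming user credential. It works on a constructed in-memory record rather than a real X.509 object, so the Cert record layout, the OpenSSL-style "/A=v/B=w" DN format, the calendar-month interpretation of "13 months", the CRL-like revoked set and every sample value are assumptions made here.

```python
# Added example (not from the talk or any Grid project): a relying party's
# acceptance check for a user certificate, on a constructed in-memory record
# rather than a real X.509 object.  It classifies the credential by the two
# IGTF federation-backed profiles from its lifetime (SLCS: under 1,000,000 s;
# MICS: under 13 months), checks the validity window, checks a CRL-style
# revocation set, and checks the subject name for a given name and surname.
# Record layout, DN format and all sample values are assumptions.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SLCS_MAX_SECONDS = 1_000_000   # SLCS: certificate lifetime < 1 M seconds
MICS_MAX_MONTHS = 13           # MICS: certificate lifetime < 13 months


@dataclass(frozen=True)
class Cert:
    subject_dn: str     # OpenSSL-style DN, e.g. "/DC=org/DC=example/CN=Jane Doe"
    issuer_dn: str
    serial: int
    not_before: datetime
    not_after: datetime


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day (31 Jan + 1 month = 28/29 Feb)."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def profile_for(cert: Cert) -> Optional[str]:
    """Return "SLCS", "MICS", or None when the lifetime fits neither profile."""
    lifetime = (cert.not_after - cert.not_before).total_seconds()
    if lifetime <= 0:
        raise ValueError("notAfter is not after notBefore")
    if lifetime < SLCS_MAX_SECONDS:
        return "SLCS"
    if cert.not_after < add_months(cert.not_before, MICS_MAX_MONTHS):
        return "MICS"
    return None


def rdn_value(dn: str, attr: str) -> Optional[str]:
    """First value of `attr` in a "/A=v/B=w" style DN (no escaping handled)."""
    for rdn in dn.split("/")[1:]:
        key, _, value = rdn.partition("=")
        if key == attr:
            return value
    return None


def accept(cert: Cert, now: datetime, trusted_issuers, revoked) -> Tuple[bool, str]:
    """Decide whether to accept `cert`; returns (accepted, profile or reason).

    `revoked` is a set of (issuer_dn, serial) pairs, the information a CRL
    carries; `trusted_issuers` stands in for the installed IGTF trust anchors.
    Uniqueness and persistence of the name are the accredited CA's job; the
    relying party can only check that the CN looks like a person's name.
    """
    if cert.issuer_dn not in trusted_issuers:
        return False, "issuer not in trust anchors"
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity window"
    if (cert.issuer_dn, cert.serial) in revoked:
        return False, "revoked"
    profile = profile_for(cert)
    if profile is None:
        return False, "lifetime exceeds 13 months"
    cn = rdn_value(cert.subject_dn, "CN")
    if not cn or len(cn.split()) < 2:
        return False, "CN lacks given name and surname"
    return True, profile


# Constructed sample data for a stand-alone run.
ISSUER = "/DC=org/DC=example/CN=Example SLCS CA"
T0 = datetime(2010, 6, 2, 12, 0, tzinfo=timezone.utc)


def sample_cert(seconds: int, serial: int = 1, cn: str = "Jane Doe") -> Cert:
    """Constructed certificate record issued at T0 with the given lifetime."""
    return Cert(subject_dn="/DC=org/DC=example/CN=" + cn, issuer_dn=ISSUER,
                serial=serial, not_before=T0,
                not_after=T0 + timedelta(seconds=seconds))


if __name__ == "__main__":
    now = T0 + timedelta(hours=1)
    print(accept(sample_cert(11 * 86400), now, {ISSUER}, set()))   # (True, 'SLCS')
```

The boundary cases are where such checks go wrong in practice: a lifetime of exactly 1,000,000 s is not "< 1 M seconds" and therefore falls into the MICS class, and "13 months" is computed on the calendar from notBefore rather than as a fixed number of days, so the same lifetime in seconds can pass or fail depending on the issue date. The revocation check is deliberately placed before profile classification: for a short-lived SLCS credential a CA may not publish CRLs at all, and a relying party that accepts only SLCS certificates can choose to skip the revocation lookup, but it must make that choice explicitly rather than by omission.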
Federation-based SLCS-only countries (map)
TERENA Certificate Service
• A very important recent development
• https://www.terena.org/activities/tcs/
• Use national AAI federations
– And the already existing IdPs
• Issue certificates quickly and easily to end users
– eScience Personal TCS
• Certs issued by a commercial CA
• TCS also issues eScience Server certs
TERENA eScience Personal eligible (map)
Federated IGTF CAs elsewhere
• USA - CILogon
– Leverage InCommon Silver for a SLCS certificate
– http://www.cilogon.org/
• Australia - ARCS SLCS CA
– National federation backed (AAF) – Shibboleth based
– http://wiki.arcs.org.au/bin/view/Main/SLCS
Federated Security Policies
Policy Interoperability
• The Joint (EGEE/WLCG) Security Policy Group aimed to
– prepare simple and general policies
– applicable to the primary stakeholders, but
– also of use to other Grid infrastructures (NGIs etc.)
• Common policies ease the problems of interoperability (and scaling)
• Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO)
• Other participants then know that their actions are already bound by the policies
– No need for additional negotiation, registration or agreement
JSPG Security Policies
(Diagram listing the policy documents:)
• Security Policy
• Certification Authorities
• Site & VO Policies
• Security Incident Response
• Grid & VO AUPs
• Pilot Jobs and VO Portals
• Accounting Data Privacy
• Traceability and Logging
Security Policies: from EGEE to EGI
EGI Security Policy Group
• Primary stakeholders: NGIs, Sites, Application communities
• Starting with the current set of JSPG policies
• SPG will build on this to develop a policy framework
– And produce template policies
• And to address issues not yet fully covered
– More formal responsibilities, privacy
NRENs and Grids
Advertise the upcoming “NRENs and Grids” workshop at the EGI Technical Forum
– Jointly organised by TERENA and EGI
• 15 Sep 2010 - Amsterdam
• http://www.terena.org/activities/nrens-n-grids/
• Indeed the whole Tech Forum (14-17 Sep)
director@egi.eu
Future Directions
• Production Grids already “federated”
• AuthN scalability being actively addressed
– Will be more use of AAI federations
– Number of Grid-specific CAs will decrease
– Privacy will become more of an issue
• Will Grids start to use other AuthN middleware?
• Control of Authorisation will grow in importance
– Need to define best practice for VO attribute services – work has started in IGTF
• Policy development will continue
– e.g. Liabilities, responsibilities and data privacy
Links
• EGI http://www.egi.eu/
• IGTF http://www.igtf.net/
• EUGridPMA http://www.eugridpma.org/
• JSPG http://www.jspg.org/
• EGEE http://www.eu-egee.org/
• WLCG http://lcg.web.cern.ch/LCG/
Questions?