
The EU DataGrid security issues for testbeds and applications


Presentation Transcript


  1. The EU DataGrid security issues for testbeds and applications
     www.eu-datagrid.org
     Bob Jones (CERN), DataGrid Deputy Project Manager

  2. The EU DataGrid Project
     • 9.8 M Euros EU funding over 3 years
       • 90% for middleware and applications (Physics, Earth Observation, Biomedical)
       • 3 year phased developments & demos
     • Total of 21 partners
       • Research and Academic institutes as well as industrial companies
     • Extensions (time and funds) on the basis of first successful results:
       • DataTAG (2002-2003) www.datatag.org
       • CrossGrid (2002-2004) www.crossgrid.org
       • GridStart (2002-2004) www.gridstart.org
     • Project started on Jan. 2001
     • Testbed 0 (early 2001)
       • International test bed 0 infrastructure deployed
       • Globus 1 only - no EDG middleware
     • Testbed 1 (early 2002)
       • First release of EU DataGrid software to defined users within the project
     • Testbed 2 (end 2002)
       • Builds on Testbed 1 to extend facilities of DataGrid
       • Focus on stability
       • Passed 2nd annual EU review Feb. 2003
     • Testbed 3 (2003)
       • Advanced functionality & scalability
       • Currently being deployed
     • Project stops on Dec. 2003

  3. DataGrid in Numbers
     People
       • >350 registered users
       • 12 Virtual Organisations
       • 16 Certificate Authorities
       • >200 people trained
       • 278 man-years of effort
       • 100 years funded
     Testbeds
       • >15 regular sites
       • >40 sites using EDG sw
       • >10’000s jobs submitted
       • >1000 CPUs
       • >15 TeraBytes disk
       • 3 Mass Storage Systems
     Software
       • 50 use cases
       • 18 software releases
       • Current release 1.4
       • >300K lines of code
     Scientific applications
       • 5 Earth Obs institutes
       • 9 bio-informatics apps
       • 6 HEP experiments

  4. Security Issues in EDG release 1.4
     • Immaturity of grid middleware means there are still a number of important security risks
     • GSI based static mappings between users and accounts
     • LDAP servers used to manage VO membership are single points of failure and openly readable
     • Replica Catalog and information system (MDS & BDII) do not use the authorization scheme
     • Root-user access to proxies on trusted hosts
     • Resource Broker services require a host certificate and key readable from the account running the daemons
     • Possibility of replacement of binaries on Resource Broker hosts
     • Outward bound connectivity from worker nodes at certain sites could provide an opportunity for denial of service attacks
     • No enforced limits or quota on usage (disk space and job submission)
     • Black-hole sites – bad published information can cause the resource broker to send many jobs to an ill-configured site
     • Debugging and development mean some security restrictions are relaxed to simplify trouble-shooting
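The "black-hole site" item above describes a site that publishes bad information, attracts a flood of jobs from the resource broker, and then fails them. The following is an added example, not EDG code: a broker-side check that flags a site from job outcomes rather than from what the site advertises, and then excludes it from site selection. The site names, job records, published free-CPU figures and thresholds are all constructed for the illustration.

```python
"""Added example (not EU DataGrid / Resource Broker code): flag a
"black-hole" site from observed job outcomes and keep it out of
matchmaking, whatever capacity it publishes.

Idea: a black hole typically fails jobs almost immediately, so it shows
up as a site with a high failure rate AND a far shorter wall time than
the rest of the grid.  Both conditions are required so that a merely
unreliable but slow site is not confused with a black hole.
Thresholds are assumptions for the example, not EDG defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class JobRecord:
    site: str            # computing element the broker sent the job to
    status: str          # "done" or "failed"
    wall_seconds: float  # time between scheduling and termination


def find_black_holes(records, min_jobs=20, max_failure_rate=0.8, speed_factor=0.05):
    """Return the set of sites that look like black holes.

    A site is flagged when it has at least `min_jobs` records, more than
    `max_failure_rate` of them failed, and its median wall time is below
    `speed_factor` times the median wall time of jobs at all other sites.
    """
    by_site = defaultdict(list)
    for rec in records:
        by_site[rec.site].append(rec)

    flagged = set()
    for site, jobs in by_site.items():
        if len(jobs) < min_jobs:
            continue  # not enough evidence to judge this site
        failure_rate = sum(j.status == "failed" for j in jobs) / len(jobs)
        others = [r.wall_seconds for r in records if r.site != site]
        if not others:
            continue  # nothing to compare against
        site_median = median(j.wall_seconds for j in jobs)
        if failure_rate > max_failure_rate and site_median < speed_factor * median(others):
            flagged.add(site)
    return flagged


def choose_site(published_free_cpus, flagged):
    """Naive matchmaking: pick the site advertising the most free CPUs,
    skipping any site in `flagged`.  Returns None if nothing is eligible."""
    candidates = {s: n for s, n in published_free_cpus.items() if s not in flagged}
    if not candidates:
        return None
    return max(candidates, key=candidates.get)


# Constructed published information: the black hole claims a huge number
# of free CPUs, which is exactly what pulls jobs towards it.
PUBLISHED_FREE_CPUS = {
    "ce.site-a.example": 40,
    "ce.site-b.example": 120,
    "ce.black-hole.example": 5000,
}


def constructed_records():
    """Constructed job history: two healthy sites (site-b with an ordinary
    20% failure rate) and one site that fails every job within seconds."""
    recs = []
    for i in range(30):
        recs.append(JobRecord("ce.site-a.example", "done", 3600 + 40 * i))
    for i in range(30):
        status = "failed" if i % 5 == 0 else "done"
        recs.append(JobRecord("ce.site-b.example", status, 2400 + 30 * i))
    for i in range(60):
        recs.append(JobRecord("ce.black-hole.example", "failed", 2.0 + (i % 3)))
    return recs


if __name__ == "__main__":
    history = constructed_records()
    bad = find_black_holes(history)
    print("flagged:", bad)
    print("naive choice:    ", choose_site(PUBLISHED_FREE_CPUS, set()))
    print("filtered choice: ", choose_site(PUBLISHED_FREE_CPUS, bad))
```

Without the filter the broker follows the published numbers straight into the black hole; with it, the bogus advertisement is ignored until an operator clears the site. The failure-rate condition alone would also catch a genuinely broken but slow site, which is why the wall-time comparison is part of the rule.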

  5. Security Requirements in DataGrid
     • Based on experience gathered, a security requirements document (deliverable D7.5) lists more than 100 individual requirements
       • Authentication (17: certificates)
       • Authorization (33: Virtual Organisations, access to files)
       • Auditing (5: logging)
       • Non-repudiation (3: integrity of audit logging)
       • Delegation (8: restricting passing of permission)
       • Confidentiality (18: non-disclosure of information)
       • Integrity (4: unmodified information)
       • Network & Manageability (6)
       • Usability & Interoperability (13)
       • Scalability & Performance (6)
     http://edms.cern.ch/document/340234

  6. Security Design in DataGrid
     • A security framework has been designed taking into account the requirements (deliverable 7.6):
       • Authentication and Delegation
         • GSI/PKI/X509, CAs, etc.
       • Global Authorization
         • VO membership (VOMS)
       • Local Authorization
         • banned users, local policy (LCAS/LCMAPS) & Java security
       • Network Security
         • firewalls & ACLs, ports used by grid protocols
       • Accounting
         • economic model implemented using GSI authenticated messages between servers/clients
       • Confidentiality
         • don’t let sensitive info off-site & restrict access, use encryption
       • Data integrity
         • use of Transport Layer Security (TLS) for data transfer
     https://edms.cern.ch/document/344562
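The design above separates global authorization (VO membership asserted by VOMS) from local authorization (a site's banned list and local policy, LCAS/LCMAPS) and only then maps the user to a local account; slide 4 lists the static GSI user-to-account mapping that this replaces. The following is an added example, not VOMS, LCAS or LCMAPS code: a simplified version of that decision chain in the order the layers apply. The credential fields, policy structure, pool-account naming and all DNs are assumptions constructed for the illustration.

```python
"""Added example (not EDG/VOMS/LCAS/LCMAPS code): layered authorization.

Authentication is taken as already done (GSI/X.509 gives us the DN).
Global authorization is represented by the VO attributes a VOMS-style
credential carries; local authorization is the site's banned list and
its per-VO policy; account mapping happens last.  Everything here is a
constructed model of the slide's design, not the project's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    dn: str                 # certificate subject established by authentication
    vo: str                 # VO membership asserted by the VO membership service
    role: str = ""          # optional VO role (e.g. a software-manager role)


@dataclass(frozen=True)
class SitePolicy:
    banned_dns: frozenset   # DNs the site refuses regardless of VO
    pool_accounts: dict     # vo -> tuple of local pool accounts (constructed)
    dedicated_accounts: dict  # (vo, role) -> dedicated local account (constructed)


def authorize(cred, policy, leases):
    """Decide whether `cred` may use this site and which local account it gets.

    Returns (True, account) or (False, reason).  `leases` maps DN -> pool
    account already handed out, so a user keeps the same account (and the
    files it owns) across jobs instead of being mapped to an arbitrary one.

    Order matters: the site-level ban is checked before any VO attribute,
    so VO membership can never override a local ban, and an unsupported VO
    is refused before any account is allocated.
    """
    if cred.dn in policy.banned_dns:
        return False, f"{cred.dn}: banned at this site"
    if cred.vo not in policy.pool_accounts:
        return False, f"{cred.dn}: VO {cred.vo!r} not supported at this site"

    # Privileged roles map to a dedicated account rather than the pool.
    dedicated = policy.dedicated_accounts.get((cred.vo, cred.role))
    if dedicated is not None:
        return True, dedicated

    # Ordinary members get a pool account, leased once per DN.
    if cred.dn in leases:
        return True, leases[cred.dn]
    in_use = set(leases.values())
    for account in policy.pool_accounts[cred.vo]:
        if account not in in_use:
            leases[cred.dn] = account
            return True, account
    return False, f"{cred.dn}: no free pool account for VO {cred.vo!r}"


def constructed_policy():
    """Constructed site policy: one banned DN, two supported VOs, one
    dedicated account for a software-manager role in the 'atlas' VO."""
    return SitePolicy(
        banned_dns=frozenset({"/C=XX/O=Example/CN=Mallory"}),
        pool_accounts={"atlas": ("atlas001", "atlas002"), "biomed": ("biomed001",)},
        dedicated_accounts={("atlas", "sgm"): "atlassgm"},
    )


if __name__ == "__main__":
    policy = constructed_policy()
    leases = {}
    for cred in (
        Credential("/C=XX/O=Example/CN=Alice", "atlas"),
        Credential("/C=XX/O=Example/CN=Alice", "atlas"),      # same lease again
        Credential("/C=XX/O=Example/CN=Bob", "atlas"),
        Credential("/C=XX/O=Example/CN=Carol", "atlas", role="sgm"),
        Credential("/C=XX/O=Example/CN=Mallory", "atlas"),    # banned locally
        Credential("/C=XX/O=Example/CN=Dave", "cms"),         # VO not supported
    ):
        print(cred.dn, cred.vo, cred.role or "-", "->", authorize(cred, policy, leases))
```

Compared with a static per-user mapping file, the account follows from the VO attributes and the local policy, so adding a member to a VO does not require editing every site, while a site still keeps the last word through its banned list and its list of supported VOs.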

  7. Security Development
     • Security aspects need to be included in all layers of the middleware and integrated in all grid services
     • The current implementation does not cover all of the design but work is underway to integrate the framework into the following grid services
       • Resource Brokering
       • Data Management
       • Information Systems
       • Software Distribution and Installation
       • Fabric Management
       • Network features
         • VPNs, QoS, outward bound connectivity from worker nodes

  8. Plans for the Future
     • Further developments in 2003
       • Further iterative improvements to security driven by prioritised users’ needs
       • DataGrid will not address all identified security issues
       • Concentrating on Authorization
       • Participating in GGF Working Group
       • Prepare EDG software for future migration to Open Grid Services Architecture
     • Interaction with LHC Computing Grid (LCG)
       • LCG deploys LCG-1 service in summer 2003 on 20 sites
       • LCG-1 service uses many software components from EDG 2.0
     • New EU project
       • Security is an important aspect of the proposed EGEE project
       • Proposal for FP6 (www.cern.ch/egee)
       • EGEE – Enabling Grids for E-Science and industry in Europe
