
PPDG for CHEP03 1

Results of PPDG Site Requirements on AAA Project

Dane Skow, Robert Cowles

PPDG SiteAAA Project, CHEP03

March 25, 2003

PPDG Work Supported by the SciDAC Project of the US Dept. of Energy

PPDG for CHEP03 2

Summary

Site-AAA evaluated current GRID toolkits with respect to Resource Provider needs

Sites took on specific integration tasks as concrete tests of how well they could work with existing toolkits.

Project advanced both site understanding of GRID infrastructure and developers’ understanding of Resource Providers’ needs.

Significant follow-up work remains and should be included in the various Grid projects.

PPDG for CHEP03 3

Tasks Evaluated

Columns: Task, BNL, FNAL, JLAB, LBL/NERSC, SLAC, Issues Remain?

User Registration Y
VO Membership Y
Certificate Generation
User Authentication Y
Private Key Hygiene Y
Proxy Generation Y
Authorization Credentials Y
Identity Federation Y
Authorization Protocol Y
Policy Enforcement Y
Data Transfer
Mass Storage Integration
Credential Translation Y
Authorization Termination
Proxy Renewal Y
Incident Handling Y
Credential Revocation Y
Accounting Y
Auditing Y
Maintenance Y
Execution Environment Y
Integration with Firewalls Y

PPDG for CHEP03 4

Community

Large HEP Labs represented

Integration efforts included working with “friendly” University groups.

GRID scale integration tests just now beginning

Clash of world views yet to be resolved

Site policies

Sponsor policies

Legal requirements

PPDG for CHEP03 5

Operational Context

Testbed efforts with kludged solutions

Some eye to operational needs but mostly from reliability aspects, little analysis of efficiency measures.

PPDG for CHEP03 6

From Development to Production

The GRID is protocols not implementations

Time to begin standardization

Integration work hampered by lack of documented standards for interfaces, protocols, libraries, etc.

de facto touchstone is interoperability with Globus Toolkit.

PPDG for CHEP03 7

Reliability

Most components still finding bugs in serious testing.

CMS/D0 had many problems with GridFTP

Default accept in GridFTPd non-root

Weak encryption tending for grid-proxy-init

Need to focus effort (integrators, distributors and developers) to eliminate bugs at appropriate point. When?

We found proper bug reporting to be tedious

PPDG for CHEP03 8

Exception Handling

Currently systems are operated assuming competence and goodwill (and that errors aren't costly).

Need some level of validation effort at appropriate time

The method for dealing with Exceptions needs to be specified as part of a Grid definition.

Incident Handling

Accreditation

Service Level Agreements

PPDG for CHEP03 9

Outstanding Issues

Authentication for Long Running Jobs

Condor-G proposal looks promising (initial contender)

Relies on Proxy Generation Service

Standardize:
● MyProxy (NCSA product)
● KCA (NMI product and FNAL project)
● VSC (Virtual Smart Card) (SLAC project)

Authorization for Long Running Jobs

No agreement on whether or how this is done.
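The renewal scheme the slide calls promising, modelled as an added example (not code from the PPDG slides, Condor-G or MyProxy): a job manager keeps refreshing a short-lived proxy from a proxy generation service that holds a longer-lived credential. Function names, the safety margin and the sample timings are assumptions.

```python
"""Added example, not from the PPDG slides or from Condor-G/MyProxy: model
of a job manager refreshing a short-lived proxy from a proxy generation
service that holds a longer-lived credential.  Names are assumptions."""
from datetime import datetime, timedelta, timezone

def effective_expiry(*not_after):
    """A proxy cannot outlive any certificate above it in its chain, so the
    usable expiry of a delegated proxy is the earliest notAfter among them."""
    return min(not_after)

def renewal_schedule(now, job_end, proxy_lifetime, stored_cred_expiry,
                     margin=timedelta(hours=1)):
    """Instants at which the job manager must fetch a fresh proxy so the job
    always holds one with at least `margin` validity left.  Raises when the
    credential stored in the proxy service would expire before the job ends,
    since no renewal could then cover the job."""
    if stored_cred_expiry - margin < job_end:
        raise ValueError("stored credential expires before the job ends")
    if proxy_lifetime <= margin:
        raise ValueError("proxy lifetime must exceed the safety margin")
    schedule = []
    # proxy delegated at submission, capped by the stored credential
    expiry = effective_expiry(now + proxy_lifetime, stored_cred_expiry)
    while expiry - margin < job_end:
        renew_at = expiry - margin          # refresh before the margin is used up
        schedule.append(renew_at)
        expiry = effective_expiry(renew_at + proxy_lifetime, stored_cred_expiry)
    return schedule

# constructed scenario: a 30-hour job submitted with 12-hour proxies
SUBMITTED = datetime(2003, 3, 25, 0, 0, tzinfo=timezone.utc)
JOB_END = SUBMITTED + timedelta(hours=30)

def demo():
    """Renewal instants for the constructed scenario."""
    return renewal_schedule(SUBMITTED, JOB_END, timedelta(hours=12),
                            SUBMITTED + timedelta(days=7))
```

The first check is the part a site cares about: if the credential behind the proxy service expires before the job ends, no amount of renewal helps, and the job should be refused at submission rather than fail mid-run.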

PPDG for CHEP03 10

Federation of Identity

Who needs to know which PKI identities correspond to the same individual?

Resources that need to map different identities to same local account.

Virtual Organizations that need to map different identities to same member and/or roles.

Relying parties that want to correlate actions and/or block access to an individual.

Accounting system for chargeback mechanisms?

What are the privacy issues?

Who holds the federation?
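An added example (not code from the PPDG slides or from Globus) of how a resource provider's grid-mapfile already federates identities implicitly, and of the caveat a relying party hits when using it to correlate actions. It assumes the Globus grid-mapfile layout (quoted subject DN followed by comma-separated local accounts); the DNs and accounts are constructed.

```python
"""Added example, not from the PPDG slides or from Globus: the identity
federation implied by a grid-mapfile.  Assumes the Globus layout: one entry
per line, the DN in double quotes, then one or more comma-separated accounts."""
import re
from collections import defaultdict

ENTRY = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')

def parse_gridmap(text):
    """Map each DN to the list of local accounts it may use."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed grid-mapfile entry")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping

def federation(mapping, pool_accounts=()):
    """Group DNs that share a personal local account.  Pool accounts (a VO
    production account used by many people) must be excluded, otherwise
    unrelated individuals are merged into one identity."""
    by_account = defaultdict(set)
    for dn, accounts in mapping.items():
        for acct in accounts:
            if acct not in pool_accounts:
                by_account[acct].add(dn)
    return dict(by_account)

def identities_of(mapping, dn, pool_accounts=()):
    """All DNs believed to belong to the same individual as `dn`: the set a
    relying party needs when correlating actions or suspending access."""
    fed = federation(mapping, pool_accounts)
    linked, frontier = {dn}, [dn]
    while frontier:                  # transitive closure over shared accounts
        cur = frontier.pop()
        for acct in mapping.get(cur, []):
            for other in fed.get(acct, ()):
                if other not in linked:
                    linked.add(other)
                    frontier.append(other)
    return linked

SAMPLE_GRIDMAP = """\
# constructed sample entries; DNs and accounts are fictional
"/DC=org/DC=examplegrid/OU=People/CN=Alice Example 123" alice
"/C=US/O=ExampleLab/OU=People/CN=Alice Example/UID=aexample" alice
"/DC=org/DC=examplegrid/OU=People/CN=Bob Sample 456" bob,cmsprod
"/C=US/O=OtherLab/CN=Carol Other" carol,cmsprod
"""
```

Run without naming `cmsprod` as a pool account, Bob and Carol are wrongly reported as one person; that mislabelling is exactly the privacy and attribution problem the slide raises.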

PPDG for CHEP03 11

Incident Response

Real-time incident response expected through authorization control.

Investigation, resolution, and feedback channels unclear.

Who “owns” an investigation?

PPDG for CHEP03 12

Migration to OGSA

Web Services is a new framework with richer communications.

Some current methods should be re-implemented in new framework.

Expect same level of integration testing/feedback will be needed.

PPDG for CHEP03 13

Services

GRID Level Services provide:

Standards

GGF working hard to transform into an IETF for GRIDs.

Need to document specifications independent of a toolkit.

National Level Services provide:

Clarification of identity & privacy requirements.

Integration with National ID systems (is this planned?)

PPDG for CHEP03 14

Grid Instance Level Services

Provide:

Standards

GGF standards allow for non-interoperable choices.

Minimum standards required for interoperability

de facto standard is Globus Toolkit

Need:

Software components (applications, libraries, etc.)

PPDG for CHEP03 15

VO Level Services

Provides

VO membership and roles management

Registration Service (for Resource Providers)

Resource Brokering

Needs

Standard method of asserting authorizations

Standard interfaces with Resource Providers

Registration

Standard Resource Descriptions (incl. Authorization requirements)

PPDG for CHEP03 16

Resource Provider Services

Provides

Minimum standard policy requirements

Local Policy Enforcement

Point of Contact for Incident Response

Needs

Policy description schema

Local Policy Enforcement Callout

Points of contact for VOs and CAs

Authentication Method Description

PPDG for CHEP03 17

GRID Resource Services

Provide

Fine-grained access control

Accounting information

Grid transaction support

Need

Attribute information

Authorization services

PPDG for CHEP03 18

Transaction Services

Provide

Error handling

Need

Authorization Services

PPDG for CHEP03 19

Expected Community Growth

Growth of Current Communities

Current active PKI community is ~few 100s in HEP

Expect 10X demand within year

Interested Parties

LHC collaborations

Current Large Collaborations (BaBar, CDF, D0)

Current Distributed Collaborations (SDSS, LIGO, AUGER,...)

PPDG for CHEP03 20

Trust Relationships

Timescale: Negotiations contain a good deal of detailed discussion, terminology checks, and verification.

Start in pair-wise fashion and allow 6 months

Establishing Bona Fides: Peer review process has been very helpful in understanding community practices and consensus solutions

Maintenance: Agreements will tend to decay and periodic checks against “as built” implementations are required.

Method of establishing personal contacts

PPDG for CHEP03 21

eCommerce Parallels

eCommerce relies on 2 key aspects:

Requestor provides an identity that can be billed charges appropriate to the request.

Credit card company insures resource providers against loss.

What are possible losses in Grids?

Loss of Grid Resource consumables

Liability for misuse

Manpower for troubleshooting

PPDG for CHEP03 22

Conclusions

Requirements exercise useful earlier in development

Integration testing useful about now in development

Written Specifications and Standards needed.

Most items needed for Production quality are also needed to handoff code to vendors.

Problems largely due to (anticipated) success.

PPDG for CHEP03 23

What needs to be done next?

Authorization framework definitions

Push Globus/EDG/PRIMA/FNAL collab

Interface definitions

Globus and GGF drive

Virtual Organizations remain virtual

EDG and BNL projects

Authentication refresh (long running jobs)

Push Condor-G/MyProxy collab

Incident handling

What forum? Who drives?

Private Key management for the masses

KCA/VSC/MyProxy activities are interesting

Restricted execution environment