PPDG for CHEP03 1
Results of PPDG Site Requirements on AAA Project
Dane Skow, Robert Cowles
PPDG Site AAA Project, CHEP03
March 25, 2003
PPDG Work Supported by the SciDAC Project of the US Dept. of Energy
Summary
Site-AAA evaluated current GRID toolkits with respect to Resource Provider needs
Sites took on specific integration tasks as concrete tests of how well they could work with existing toolkits.
Project advanced both site understanding of GRID infrastructure and developers’ understanding of Resource Providers’ needs.
Significant follow-up work remains and should be included in the various Grid projects.
Tasks Evaluated
Columns of the original table: Task | BNL | FNAL | JLAB | LBL/NERSC | SLAC | Issues Remain ?
(The per-site marks did not survive extraction; the "Y" marks below appear to come from the "Issues Remain ?" column.)
User Registration: Y
VO Membership: Y
Certificate Generation
User Authentication: Y
Private Key Hygiene: Y
Proxy Generation: Y
Authorization Credentials: Y
Identity Federation: Y
Authorization Protocol: Y
Policy Enforcement: Y
Data Transfer
Mass Storage Integration
Credential Translation: Y
Authorization Termination
Proxy Renewal: Y
Incident Handling: Y
Credential Revocation: Y
Accounting: Y
Auditing: Y
Maintenance: Y
Execution Environment: Y
Integration with Firewalls: Y
Community
Large HEP Labs represented
Integration efforts included working with “friendly” University groups.
GRID scale integration tests just now beginning
Clash of world views yet to be resolved
Site policies
Sponsor policies
Legal requirements
Operational Context
Testbed efforts with kludged solutions
Some eye to operational needs but mostly from reliability aspects, little analysis of efficiency measures.
From Development to Production
The GRID is protocols not implementations
Time to begin standardization
Integration work hampered by lack of documented standards for interfaces, protocols, libraries, etc.
de facto touchstone is interoperability with Globus Toolkit.
Reliability
Most components still finding bugs in serious testing.
CMS/D0 had many problems with GridFTP
Default accept in GridFTPd non-root
Weak encryption tending for grid-proxy-init
Need to focus effort (integrators, distributors and developers) to eliminate bugs at appropriate point. When?
We found proper bug reporting to be tedious
Exception Handling
Currently systems are operated assuming competence and goodwill (and that errors aren't costly).
Need some level of validation effort at appropriate time
The method for dealing with Exceptions needs to be specified as part of a Grid definition.
Incident Handling
Accreditation
Service Level Agreements
Outstanding Issues
Authentication for Long Running Jobs
Condor-G proposal looks promising (initial contender)
Relies on Proxy Generation Service
Standardize:
MyProxy (NCSA product)
KCA (NMI product and FNAL project)
VSC (Virtual Smart Card) (SLAC project)
Authorization for Long Running Jobs
No agreement on whether or how this is done.
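The slide above describes the pattern behind the Condor-G proposal: a job that outlives its proxy obtains fresh short-lived proxies from a proxy generation service, and the open question is whether authorization is re-checked when that happens. The following is an added illustration, not code from the PPDG project, MyProxy, KCA or Condor-G. It models X.509 proxy certificates with HMAC-signed tokens so it runs with the Python standard library only; the user names, lifetimes and VO roster are constructed, and the service re-checks VO membership at every renewal, which is one of the possible answers to the slide's open question rather than an agreed one.

```python
"""Credential refresh for long-running jobs, modelled with HMAC tokens.

Added illustration (not part of the PPDG slides, and not MyProxy or
Condor-G code). Short-lived "proxy" tokens stand in for X.509 proxy
certificates. A renewal service holds each user's long-lived secret
and issues proxies from it; the job only ever holds a proxy, and each
renewal re-checks authorization (VO membership) before issuing.
All names, lifetimes and the VO roster below are constructed.
"""
import hashlib
import hmac
import secrets

PROXY_LIFETIME = 12 * 3600   # seconds; constructed, deliberately short
RENEW_MARGIN = 2 * 3600      # renew once this much lifetime remains


class ProxyService:
    """Holds long-lived per-user secrets and issues short-lived proxies."""

    def __init__(self, vo_members):
        self._secrets = {}                 # user -> long-lived key, never leaves here
        self._vo_members = set(vo_members)

    def enroll(self, user):
        self._secrets[user] = secrets.token_bytes(32)

    def revoke_membership(self, user):
        self._vo_members.discard(user)

    def issue_proxy(self, user, now):
        """Return (user, expiry, mac), or None if the user is not authorized."""
        if user not in self._vo_members or user not in self._secrets:
            return None
        expiry = now + PROXY_LIFETIME
        return (user, expiry, self._mac(user, expiry))

    def _mac(self, user, expiry):
        msg = f"{user}|{expiry}".encode()
        return hmac.new(self._secrets[user], msg, hashlib.sha256).digest()

    def verify(self, proxy, now):
        """Resource-side check (stands in for chain validation): signed and unexpired."""
        user, expiry, mac = proxy
        if user not in self._secrets or now >= expiry:
            return False
        return hmac.compare_digest(mac, self._mac(user, expiry))


def run_job(service, user, start, duration, step=3600):
    """Simulate a job that must present a valid proxy at every step.

    Returns (completed, renewals, failure_time). A renewal is requested
    when the remaining lifetime drops to RENEW_MARGIN, so the job never
    runs on an expired credential; if the service refuses (for example
    because VO membership was revoked mid-job), the job stops there.
    """
    proxy = service.issue_proxy(user, start)
    if proxy is None:
        return (False, 0, start)
    renewals = 0
    now = start
    while now < start + duration:
        if not service.verify(proxy, now):
            return (False, renewals, now)
        if proxy[1] - now <= RENEW_MARGIN:
            fresh = service.issue_proxy(user, now)
            if fresh is None:
                return (False, renewals, now)
            proxy = fresh
            renewals += 1
        now += step
    return (True, renewals, None)


if __name__ == "__main__":
    svc = ProxyService(vo_members=["alice"])
    svc.enroll("alice")
    # A 48-hour job on 12-hour proxies renews every 10 hours: 4 renewals.
    print(run_job(svc, "alice", 0, 48 * 3600))
```

With a 12-hour proxy and a 2-hour margin the job renews every 10 hours, so a 48-hour job needs four renewals; the point of the margin is that renewal is requested while the old proxy is still valid, since a job that notices expiry only after the fact has already failed its next authorization check.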
Federation of Identity
Who needs to know which PKI identities correspond to the same individual ?
Resources that need to map different identities to same local account.
Virtual Organizations that need to map different identities to same member and/or roles.
Relying parties that want to correlate actions and/or block access to an individual.
Accounting system for chargeback mechanisms ?
What are the privacy issues ?
Who holds the federation ?
Incident Response
Real-time incident response expected through authorization control.
Investigation, resolution, and feedback channels unclear.
Who “owns” an investigation ?
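The Federation of Identity and Incident Response slides above raise the same mechanism from two sides: a resource provider has to map several PKI identities to one local account, and a relying party that blocks an individual in real time must block every identity that individual holds. The following is an added illustration, not PPDG or Globus code. It assumes a Globus-style grid-mapfile (a quoted X.509 subject DN followed by one or more comma-separated local account names, the first being the default); the DNs and account names are constructed sample data.

```python
"""Federated identity mapping and per-individual blocking.

Added illustration (not part of the PPDG slides). Parses a
Globus-style grid-mapfile (assumed format: quoted subject DN, then one
or more comma-separated local accounts) and answers two questions from
the slides: which DNs land on one local account, and which DNs must be
blocked together to block one person. All DNs and accounts are
constructed sample data.
"""
import re
from collections import defaultdict

# Constructed grid-mapfile: two CAs issued certificates to the same
# person (both map to "jdoe"), and one user has two accounts.
SAMPLE_GRIDMAP = '''
# comment lines and blank lines are ignored
"/C=US/O=Example Lab/OU=People/CN=Jane Doe 1234" jdoe
"/C=US/O=Example Univ/CN=Jane Doe" jdoe
"/C=US/O=Example Lab/OU=People/CN=Ravi Kumar 5678" rkumar,cmsprod
"/DC=org/DC=example/CN=Service Host/host1.example.org" hostsvc
'''

_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')


def parse_gridmap(text):
    """Return {dn: [accounts...]}; the first account is the default mapping."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        accounts = [a for a in m.group("accounts").split(",") if a]
        if not accounts:
            raise ValueError(f"no account on line: {raw!r}")
        mapping[m.group("dn")] = accounts
    return mapping


def federation_index(mapping):
    """Invert the map: default local account -> set of DNs that reach it.

    Whoever maintains the grid-mapfile implicitly 'holds the federation'
    for this resource, which is the slide's open question.
    """
    index = defaultdict(set)
    for dn, accounts in mapping.items():
        index[accounts[0]].add(dn)
    return dict(index)


def local_account(mapping, dn):
    """Default local account for a DN, or None if the DN is not mapped."""
    accounts = mapping.get(dn)
    return accounts[0] if accounts else None


def block_individual(mapping, dn):
    """Every DN sharing the default account of `dn`.

    Blocking only the DN seen in an incident leaves the person's other
    certificates usable; the federated set is what has to be blocked.
    """
    account = local_account(mapping, dn)
    if account is None:
        return set()
    return federation_index(mapping)[account]


def authorize(mapping, blocked_dns, dn):
    """Authorization decision: mapped and not blocked -> local account, else None."""
    if dn in blocked_dns:
        return None
    return local_account(mapping, dn)


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    blocked = block_individual(gm, "/C=US/O=Example Univ/CN=Jane Doe")
    print(sorted(blocked))
    print(authorize(gm, blocked, "/C=US/O=Example Lab/OU=People/CN=Jane Doe 1234"))
```

The inversion in federation_index is the piece the slide is asking about: the grid-mapfile only records DN to account, so correlating actions across a person's identities, or blocking all of them, is possible only for the party holding that file, and only if the mapping was kept consistent across CAs.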
Migration to OGSA
Web Services is a new framework with richer communications.
Some current methods should be re-implemented in new framework.
Expect same level of integration testing/feedback will be needed.
Services
GRID Level Services provide:
Standards
GGF working hard to transform into an IETF for GRIDs.
Need to document specifications independent of a toolkit.
National Level Services provide:
Clarification of identity & privacy requirements.
Integration with National ID systems ( is this planned ? )
Grid Instance Level Services
Provide:
Standards
GGF standards allow for non-interoperable choices.
Minimum standards required for interoperability
de facto standard is Globus Toolkit
Need:
Software components (applications, libraries, etc.)
VO Level Services
Provides
VO membership and roles management
Registration Service (for Resource Providers)
Resource Brokering
Needs
Standard method of asserting authorizations
Standard interfaces with Resource Providers
Registration
Standard Resource Descriptions (incl. Authorization requirements)
Resource Provider Services
Provides
Minimum standard policy requirements
Local Policy Enforcement
Point of Contact for Incident Response
Needs
Policy description schema
Local Policy Enforcement Callout
Points of contact for VOs and CAs
Authentication Method Description
GRID Resource Services
Provide
Fine-grained access control
Accounting information
Grid transaction support
Need
Attribute information
Authorization services
Expected Community Growth
Growth of Current Communities
Current active PKI community is ~few 100s in HEP
Expect 10X demand within year
Interested Parties
LHC collaborations
Current Large Collaborations (BaBar, CDF, D0)
Current Distributed Collaborations (SDSS, LIGO, AUGER,...)
Trust Relationships
Timescale: Negotiations contain a good deal of detailed discussion, terminology checks, and verification.
Start in pair-wise fashion and allow 6 months
Establishing Bona Fides: Peer review process has been very helpful in understanding community practices and consensus solutions
Maintenance: Agreements will tend to decay and periodic checks against “as built” implementations are required.
Method of establishing personal contacts
eCommerce Parallels
eCommerce relies on 2 key aspects:
Requestor provides identity that can be billed charges appropriate to the request.
Credit card company insures resource providers against loss.
What are possible losses in Grids ?
Loss of Grid Resource consumables
Liability for misuse
Manpower for troubleshooting
Conclusions
Requirements exercise useful earlier in development
Integration testing useful about now in development
Written Specifications and Standards needed.
Most items needed for Production quality are also needed to handoff code to vendors.
Problems largely due to (anticipated) success.
What needs to be done next?
Authorization framework definitions
Push Globus/EDG/PRIMA/FNAL collab
Interface definitions
Globus and GGF drive
Virtual Organizations remain virtual
EDG and BNL projects
Authentication refresh (long running jobs)
Push Condor-G/MyProxy collab
Incident handling
What forum ? Who drives ?
Private Key management for the masses
KCA/VSC/MyProxy activities are interesting
Restricted execution environment