Jan 07, 2016
EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks
Background information on authorization service
Christoph Witzig, SWITCH
TMB - Nov 29, 2008
TMB 19.11.2008 2
Quote
“There has never been a design of the authorization system”
J "prioritizing the fair scare" T
approx. Oct/Nov 2007
A bit of history
• Sept. 2007: C. Grandi assigns a comprehensive review of authZ mechanisms in gLite (-> milestone MJRA1.7)
  – Goal: a clear set of recommendations to TCG, which, upon acceptance by TCG, will be implemented within EGEE-III
• MJRA1.7 milestone document: https://edms.cern.ch/document/887174/1
• Previous discussions in TCG/TMB:
  – Jan. 16, 2008
  – Mar. 12, 2008
  – June 18, 2008
Key Features of new authZ Service
• MUST:
  – Basis for a long-term solution for uniform and consistent authorization and policy management in gLite
  – Standards based (XACML)
  – Initial focus on use-cases for job management
    Data management: see next slide
  – Be extendable for future development, e.g. SAML
  – Flexible deployment scenarios: multiple solutions must be possible; need to obtain feedback from SA1/3
  – No single point of failure
  – Integration into new kinds of execution environments
  – Support for multiple languages: initially Java and C, but other languages must be easily supported
  – Ease of use for system administrators
• Note: joint effort of several institutes active in Grid security; beneficial for long-term support and sustainability
What about Data Management?
• authZ study recommendation #12:
  – DPM model should be accepted by other storage solutions
  – Recommendation accepted by TCG
  – Up to now nobody has requested a change to this recommendation (AFAIK)
• authZ service is NOT designed to handle authorization requests on thousands of files (e.g. an ls-like command)
• However, authZ service can be used to authorize access to storage elements (e.g. at the command level)
  – Will clarify possible use-cases with DPM, FTS developers and others
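The two points above (a standards-based XACML decision service, and command-level rather than per-file authorization for storage) can be made concrete with a small model of a policy decision point (PDP) and the enforcement point (PEP) that calls it. This is an added illustration written for this page, not gLite or the EGEE authZ service's own code, and it does not use the XACML XML wire format: the attribute names, the three rules, the host names and the subject DNs are constructed for the example. It implements XACML's deny-overrides rule combining and a deny-by-default PEP, and then counts PDP decisions to show why an ls over thousands of entries is the wrong place to call such a service.

```python
"""Toy XACML-style PDP/PEP. Added example for this slide deck; not gLite code.
Attribute names, policy rules, host names and DNs below are all constructed."""
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    """Attributes a PEP would place in an XACML request context."""
    subject_dn: str
    fqans: tuple     # VOMS FQANs held by the subject, e.g. "/dteam/Role=production"
    resource: str    # protected resource id, e.g. "ce.example.org" or "se.example.org/dteam/f1"
    action: str      # e.g. "submit-job", "srm-put", "srm-ls"


@dataclass
class Rule:
    resources: frozenset                   # target: resource ids (prefix match on "id/...")
    actions: frozenset                     # target: action names
    effect: str                            # PERMIT or DENY
    any_fqan: frozenset = frozenset()      # condition: subject holds at least one of these
    banned_dns: frozenset = frozenset()    # condition: subject DN is one of these

    def evaluate(self, req):
        if not any(req.resource == r or req.resource.startswith(r + "/") for r in self.resources):
            return NOT_APPLICABLE
        if req.action not in self.actions:
            return NOT_APPLICABLE
        if self.any_fqan and not self.any_fqan & set(req.fqans):
            return NOT_APPLICABLE
        if self.banned_dns and req.subject_dn not in self.banned_dns:
            return NOT_APPLICABLE
        return self.effect


class PDP:
    """Evaluates every rule and combines with XACML deny-overrides."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.decisions = 0   # number of decision requests served

    def decide(self, req):
        self.decisions += 1
        results = {rule.evaluate(req) for rule in self.rules}
        if DENY in results:
            return DENY
        if PERMIT in results:
            return PERMIT
        return NOT_APPLICABLE


def pep_allows(pdp, req):
    """PEP: only an explicit Permit lets the call through (NotApplicable is a deny)."""
    return pdp.decide(req) == PERMIT


# Constructed policy for the example.
POLICY = [
    # dteam production-role members may submit jobs to the CE
    Rule(frozenset({"ce.example.org"}), frozenset({"submit-job"}), PERMIT,
         any_fqan=frozenset({"/dteam/Role=production"})),
    # any dteam member may write to or list the SE
    Rule(frozenset({"se.example.org"}), frozenset({"srm-put", "srm-ls"}), PERMIT,
         any_fqan=frozenset({"/dteam", "/dteam/Role=production"})),
    # a blacklisted DN is denied on both services whatever FQANs it holds (deny overrides)
    Rule(frozenset({"ce.example.org", "se.example.org"}),
         frozenset({"submit-job", "srm-put", "srm-ls"}), DENY,
         banned_dns=frozenset({"/DC=org/DC=example/CN=banned user"})),
]


def authorize_command(pdp, subject_dn, fqans, service, command):
    """Command-level check: one PDP decision per SE/CE command, however many files it touches."""
    return pep_allows(pdp, Request(subject_dn, fqans, service, command))


def authorize_per_file(pdp, subject_dn, fqans, service, command, paths):
    """Per-file check: one PDP decision per path. This is the pattern the slide
    says the service is not designed for (an ls over thousands of entries)."""
    return [pep_allows(pdp, Request(subject_dn, fqans, f"{service}/{p}", command))
            for p in paths]


if __name__ == "__main__":
    alice = ("/DC=org/DC=example/CN=alice", ("/dteam", "/dteam/Role=production"))
    pdp = PDP(POLICY)
    print(authorize_command(pdp, *alice, "ce.example.org", "submit-job"), pdp.decisions)
    pdp = PDP(POLICY)
    authorize_per_file(pdp, *alice, "se.example.org", "srm-ls", [f"f{i}" for i in range(5000)])
    print(pdp.decisions)
```

The command-level path costs one decision per operation and the per-file path costs one per entry, which is the difference between a remote PDP call being affordable and it being a scaling problem; the file-level access model stays with the storage element (the DPM model of recommendation #12), and the authZ service is consulted once per command.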
Last but not least …
• Consider today's presentation and discussion as an update on the progress of the authZ service
• And not as the final presentation on all the authZ issues