Results of PPDG Site Requirements on AAA Project

1
Results of PPDG Site Requirements on AAA Project

• Dane Skow
• Robert Cowles
• PPDG SiteAAA Project
• CHEP03
• March 25, 2003

PPDG Work Supported by the SciDAC Project of the
US Dept. of Energy
2
Summary

• Site-AAA evaluated current GRID toolkits with
  respect to Resource Provider needs
• Sites took on specific integration tasks as
  concrete tests of how well they could work with
  existing toolkits.
• Project advanced both site understanding of GRID
  infrastructure and developers understanding of
  Resource Providers needs.
• Significant follow-up work remains and should be
  included in the various Grid projects.

3
Tasks Evaluated
4
Community

• Large HEP Labs represented
• Integration efforts included working with
  friendly University groups.
• GRID scale integration tests just now beginning
• Clash of world views yet to be resolved
• Site policies
• Sponsor policies
• Legal requirements

5
Operational Context

• Testbed efforts with kludged solutions
• Some eye to operational needs but mostly from
  reliability aspects, little analysis of
  efficiency measures.

6
From Development to Production

• The GRID is protocols not implementations
• Time to begin standardization
• Integration work hampered by lack of documented
  standards for interfaces, protocols, libraries,
  etc.
• de facto touchstone is interoperability with
  Globus Toolkit.

7
Reliability

• Most components still finding bugs in serious
  testing.
• CMS/D0 had many problems with GridFTP
• Default accept in GridFTPd non-root
• Weak encryption tending for grid-proxy-init
• Need to focus effort (integrators, distributors
  and developers) to eliminate bugs at appropriate
  point. When?
• We found proper bug reporting to be tedious

8
Exception Handling

• Currently systems are operated assuming
  competence and goodwill (and that errors aren't
  costly).
• Need some level of validation effort at
  appropriate time
• The method for dealing with Exceptions needs to
  be specified as part of a Grid definition.
• Incident Handling
• Accreditation
• Service Level Agreements

9
Outstanding Issues

• Authentication for Long Running Jobs
• Condor-G proposal looks promising (initial
  contender)
• Relies on Proxy Generation Service
• Standardize
• MyProxy (NCSA product)
• KCA (NMI product and FNAL project)
• VSC (Virtual Smart Card) (SLAC project)
• Authorization for Long Running Jobs
• No agreement on whether or how this is done.

10
Federation of Identity

• Who needs to know which PKI identities correspond
  to the same individual ?
• Resources that need to map different identities
  to same local account.
• Virtual Organizations that need to map different
  identities to same member and/or roles.
• Relying parties that want to correlate actions
  and/or block access to an individual.
• Accounting system for chargeback mechanisms ?
• What are the privacy issues ?
• Who holds the federation ?

11
Incident Response

• Real-time incident response expected through
  authorization control.
• Investigation, resolution, and feedback channels
  unclear.
• Who owns an investigation ?

12
Migration to OGSA

• Web Services is a new framework with richer
  communications.
• Some current methods should be re-implemented in
  new framework.
• Expect same level of integration testing/feedback
  will be needed.

13
Services

• GRID Level Services provide
• Standards
• GGF working hard to transform into an IETF for
  GRIDs.
• Need to document specifications independent of a
  toolkit.
• National Level Services provide
• Clarification of identity privacy requirements.
• Integration with National ID systems ( is this
  planned ? )

14
Grid Instance Level Services

• Provide
• Standards
• GGF standards allow for non-interoperable
  choices.
• Minimum standards required for interoperability
• de facto standard is Globus Toolkit
• Need
• Software components (applications, libraries,
  etc.)

15
VO Level Services

• Provides
• VO membership and roles management
• Registration Service (for Resource Providers)
• Resource Brokering
• Needs
• Standard method of asserting authorizations
• Standard interfaces with Resource Providers
• Registration
• Standard Resource Descriptions (incl.
  Authorization requirements

16
Resource Provider Services

• Provides
• Minimum standard policy requirements
• Local Policy Enforcement
• Point of Contact for Incident Response
• Needs
• Policy description schema
• Local Policy Enforcement Callout
• Points of contact for VOs and CAs
• Authentication Method Description

17
GRID Resource Services

• Provide
• Fine-grained access control
• Accounting information
• Grid transaction support
• Need
• Attribute information
• Authorization services

18
Transaction Services

• Provide
• Error handling
• Need
• Authorization Services

19
Expected Community Growth

• Growth of Current Communities
• Current active PKI community is few 100s in HEP
• Expect 10X demand within year
• Interested Parties
• LHC collaborations
• Current Large Collaborations (BaBar, CDF, D0)
• Current Distributed Collaborations (SDSS, LIGO,
  AUGER,...)

20
Trust Relationships

• Timescale
• Negotiations contain a good deal of detailed
  discussion, terminology checks, and verification.
• Start in pair-wise fashion and allow 6 months
• Establishing Bona Fides
• Peer review process has been very helpful in
  understanding community practices and consensus
  solutions
• Maintenance
• Agreements will tend to decay and periodic checks
  against as built implementations are required.
• Method of establishing personal contacts

21
eCommerce Parallels

• eCommerce relies on 2 key aspects
• Requestor provides identity that can be billed
  charges appropriate to the request.
• Credit card company insures resource providers
  against loss.
• What are possible losses in Grids ?
• Loss of Grid Resource consumables
• Liability for misuse
• Manpower for troubleshooting

22
Conclusions

• Requirements exercise useful earlier in
  development
• Integration testing useful about now in
  development
• Written Specifications and Standards needed.
• Most items needed for Production quality are also
  needed to handoff code to vendors.
• Problems largely due to (anticipated) success.

23
What needs to be done next?

• Authorization framework definitions
• Push Globus/EDG/PRIMA/FNAL collab
• Interface definitions
• Globus and GGF drive
• Virtual Organizations remain virtual
• EDG and BNL projects
• Authentication refresh (long running jobs)
• Push Condor-G/MyProxy collab
• Incident handling
• What forum ? Who drives ?
• Private Key management for the masses
• KCA/VCS/MyProxy activities are interesting
• Restricted execution environment