Results of PPDG Site Requirements on AAA Project

  • Slides: 23
Results of PPDG Site Requirements on AAA Project
Dane Skow, Robert Cowles
PPDG Site AAA Project
CHEP 03, March 25, 2003
PPDG Work Supported by the SciDAC Project of the US Dept. of Energy
12/13/2021 1

Summary
  • Site-AAA evaluated current GRID toolkits with respect to Resource Provider needs
  • Sites took on specific integration tasks as concrete tests of how well they could work with existing toolkits.
  • Project advanced both site understanding of GRID infrastructure and developers' understanding of Resource Providers' needs.
  • Significant follow-up work remains and should be included in the various Grid projects.

Tasks Evaluated

Community
  • Large HEP Labs represented
  • Integration efforts included working with "friendly" University groups.
  • GRID scale integration tests just now beginning
  • Clash of world views yet to be resolved
    • Site policies
    • Sponsor policies
    • Legal requirements

Operational Context
  • Testbed efforts with kludged solutions
  • Some eye to operational needs but mostly from reliability aspects, little analysis of efficiency measures.

From Development to Production
  • The GRID is protocols not implementations
  • Time to begin standardization
  • Integration work hampered by lack of documented standards for interfaces, protocols, libraries, etc.
  • de facto touchstone is interoperability with Globus Toolkit.

Reliability
  • Most components still finding bugs in serious testing.
    • CMS/D0 had many problems with GridFTP
    • Default accept in GridFTPd non-root
    • Weak encryption tending for grid-proxy-init
  • Need to focus effort (integrators, distributors and developers) to eliminate bugs at appropriate point. When?
  • We found proper bug reporting to be tedious

Exception Handling
  • Currently systems are operated assuming competence and goodwill (and that errors aren't costly).
  • Need some level of validation effort at appropriate time
  • The method for dealing with Exceptions needs to be specified as part of a Grid definition.
    • Incident Handling
    • Accreditation
    • Service Level Agreements

Outstanding Issues
  • Authentication for Long Running Jobs
    • Condor-G proposal looks promising (initial contender)
    • Relies on Proxy Generation Service
    • Standardize
      • MyProxy (NCSA product)
      • KCA (NMI product and FNAL project)
      • VSC (Virtual Smart Card) (SLAC project)
  • Authorization for Long Running Jobs
    • No agreement on whether or how this is done.

Federation of Identity
  • Who needs to know which PKI identities correspond to the same individual?
    • Resources that need to map different identities to same local account.
    • Virtual Organizations that need to map different identities to same member and/or roles.
    • Relying parties that want to correlate actions and/or block access to an individual.
    • Accounting system for chargeback mechanisms?
  • What are the privacy issues?
  • Who holds the federation?
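As an added illustration of the mapping questions on this slide (it is not part of the original slides and not PPDG or Globus code), the Python below keeps a small federation table in which several PKI subject names (DNs) belong to one person, resolves a DN to that person's local account on a resource, blocks every identity of an individual at once, and correlates audit records across identities so a relying party can attribute them to one person. The DNs, person ids, account names and audit lines are constructed sample values, and the table layout is an assumption rather than a PPDG format.

```python
"""Toy federation-of-identity table: several PKI subject names (DNs) that
belong to one person, mapped to one local account per resource.

Added illustration for the "Federation of Identity" slide; not PPDG code.
All DNs, person ids, account names and audit lines are constructed samples,
and the table layout is an assumption, not a PPDG or Globus format.
"""
from dataclasses import dataclass, field

# Constructed sample: two DNs issued by different CAs belong to "alice".
FEDERATION = {
    "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1234": "alice",
    "/C=US/O=FNAL/OU=People/CN=Alice Example": "alice",
    "/DC=org/DC=doegrids/OU=People/CN=Bob Example 5678": "bob",
}

# Constructed sample: the local account each person gets on this resource.
LOCAL_ACCOUNTS = {"alice": "aexample", "bob": "bexample"}


@dataclass
class Federation:
    dn_to_person: dict
    person_to_account: dict
    blocked: set = field(default_factory=set)

    def add_identity(self, dn, person):
        """Bind a DN to a person; refuse if the DN is already someone else's.

        A DN federated to two people would let one person act as another,
        so the conflict is rejected rather than silently overwritten.
        """
        existing = self.dn_to_person.get(dn)
        if existing is not None and existing != person:
            raise ValueError(f"{dn} already federated to {existing}")
        self.dn_to_person[dn] = person

    def resolve(self, dn):
        """Return the local account for a DN, or None if unknown or blocked."""
        person = self.dn_to_person.get(dn)
        if person is None or person in self.blocked:
            return None
        return self.person_to_account.get(person)

    def block(self, person):
        """Block an individual: every DN federated to them stops resolving."""
        self.blocked.add(person)

    def correlate(self, audit_lines):
        """Group audit entries of the form 'DN<TAB>action' by person.

        Actions performed under different identities are attributed to the
        single individual behind them; unknown DNs are kept separately.
        """
        by_person = {}
        for line in audit_lines:
            dn, action = line.split("\t", 1)
            person = self.dn_to_person.get(dn, "<unknown>")
            by_person.setdefault(person, []).append(action)
        return by_person


def demo():
    """Walk through the three uses named on the slide on the sample table."""
    fed = Federation(dict(FEDERATION), dict(LOCAL_ACCOUNTS))
    alice1, alice2, bob = list(FEDERATION)
    accounts_before = (fed.resolve(alice1), fed.resolve(alice2), fed.resolve(bob))
    # Constructed audit lines: the same person acting under two DNs.
    audit = [
        f"{alice1}\tsubmit job 17",
        f"{bob}\tsubmit job 18",
        f"{alice2}\tdelete /scratch/job17",
    ]
    grouped = fed.correlate(audit)
    fed.block("alice")
    accounts_after = (fed.resolve(alice1), fed.resolve(alice2), fed.resolve(bob))
    return accounts_before, grouped, accounts_after


if __name__ == "__main__":
    print(demo())
```

The `block` call is the "block access to an individual" case: because it acts on the person rather than on one DN, a second certificate from another CA does not bypass it, which is the property a relying party wants from a federation it does not hold itself.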

Incident Response
  • Real-time incident response expected through authorization control.
  • Investigation, resolution, and feedback channels unclear.
  • Who "owns" an investigation?

Migration to OGSA
  • Web Services is a new framework with richer communications.
  • Some current methods should be re-implemented in new framework.
  • Expect same level of integration testing/feedback will be needed.

Services
  • GRID Level Services provide:
    • Standards
      • GGF working hard to transform into an IETF for GRIDs.
      • Need to document specifications independent of a toolkit.
  • National Level Services provide:
    • Clarification of identity & privacy requirements.
    • Integration with National ID systems (is this planned?)

Grid Instance Level Services
  • Provide:
    • Standards
      • GGF standards allow for non-interoperable choices.
      • Minimum standards required for interoperability
      • de facto standard is Globus Toolkit
  • Need:
    • Software components (applications, libraries, etc.)

VO Level Services
  • Provides
    • VO membership and roles management
    • Registration Service (for Resource Providers)
    • Resource Brokering
  • Needs
    • Standard method of asserting authorizations
    • Standard interfaces with Resource Providers Registration
    • Standard Resource Descriptions (incl. Authorization requirements)

Resource Provider Services
  • Provides
    • Minimum standard policy requirements
    • Local Policy Enforcement
    • Point of Contact for Incident Response
  • Needs
    • Policy description schema
    • Local Policy Enforcement Callout
    • Points of contact for VOs and CAs
    • Authentication Method Description

GRID Resource Services
  • Provide
    • Fine-grained access control
    • Accounting information
    • Grid transaction support
  • Need
    • Attribute information
    • Authorization services

Transaction Services
  • Provide
    • Error handling
  • Need
    • Authorization Services

Expected Community
  • Growth of Current Communities
    • Current active PKI community is ~few 100s in HEP
    • Expect 10X demand within year
  • Interested Parties
    • LHC collaborations
    • Current Large Collaborations (BaBar, CDF, D0)
    • Current Distributed Collaborations (SDSS, LIGO, AUGER, ...)

Trust Relationships
  • Timescale
    • Negotiations contain a good deal of detailed discussion, terminology checks, and verification.
    • Start in pair-wise fashion and allow 6 months
  • Establishing Bona Fides
    • Peer review process has been very helpful in understanding community practices and consensus solutions
  • Maintenance
    • Agreements will tend to decay and periodic checks against "as built" implementations are required.
    • Method of establishing personal contacts

e-Commerce Parallels
  • e-Commerce relies on 2 key aspects:
    • Requestor provides identity that can be billed charges appropriate to the request.
    • Credit card company insures resource providers against loss.
  • What are possible losses in Grids?
    • Loss of Grid Resource consumables
    • Liability for misuse
    • Manpower for troubleshooting

Conclusions
  • Requirements exercise useful earlier in development
  • Integration testing useful about now in development
  • Written Specifications and Standards needed.
  • Most items needed for Production quality are also needed to handoff code to vendors.
  • Problems largely due to (anticipated) success.

What needs to be done next?
  • Authorization framework definitions
    • Push Globus/EDG/PRIMA/FNAL collab
  • Interface definitions
    • Globus and GGF drive
  • Virtual Organizations remain virtual
    • EDG and BNL projects
  • Authentication refresh (long running jobs)
    • Push Condor-G/MyProxy collab
  • Incident handling
    • What forum? Who drives?
  • Private Key management for the masses
    • KCA/VCS/MyProxy activities are interesting
  • Restricted execution environment