Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008



Page 2: AAAA Documents submitted

• DEISA: “DEISA AAA Policies”
• OSG: “OSG AAAA” and many linked policies
• TeraGrid: “TeraGrid Certificate Management and Authorization Policy” (TG5), “Policy Framework” (TG1) & “Core Services” (wiki)
• EGEE: “EGEE Security Policies” (summary document with all policies in appendix)
• NAREGI
  – Not yet in production
  – New task force to discuss technical/operational issues
  – No documents to share yet

15 Sep 08 IPG AAAA summary, Kelsey 2

Page 3: Authentication

• In common
  – All use X.509 PKI
  – All except TeraGrid rely on IGTF to define trusted CAs
• Differences
  – TeraGrid defines its own list of CAs (some are IGTF accredited)
  – TeraGrid policy document states general responsibilities
    • Similar to EGEE top-level security policy document
    • User must accept TeraGrid User Responsibility form prior to certificate issue
  – TeraGrid PI requests host/service certs for external resources
  – DEISA has policies which partners have to obey (and also local policy)
  – OSG and EGEE (will) have different policies for CA removal
  – TeraGrid has many detailed requirements for CAs
    • Important input for IGTF (not always compliant with IGTF profiles)
    • E.g. CRL must be issued every 24 hours
  – OSG and EGEE have defined high-level requirements on IGTF

Page 4: Authorisation

• In common
  – EGEE/OSG use VOMS and have similar approaches
    • Also working on VO registration and VO membership management policies
  – DEISA/TeraGrid have similar approaches
    • AuthZ relies on X.509 authentication and mapping into local databases
    • DEISA have additional user attributes in their LDAP database
• Differences (particularly in the security model)
  – EGEE/OSG delegate User Registration to VO
  – DEISA/TeraGrid: User Registration at Sites (& “Home”)
    • “Project PI” has similar role to “VO Manager”
  – Local (Site) versus Global (VO) Authorisation
  – EGEE/OSG have AuthZ policies related to operation of VOs

Page 5: Accounting

• In common
  – No policy documents but accounting is used!
  – OSG and EGEE sharing accounting data for WLCG VOs
  – DEISA/TeraGrid have standards based accounting
    • With access control
• Differences
  – OSG has a Data Privacy policy
  – JSPG working on Accounting Data policy
    • Data privacy concerns relate to User-level accounting (required by VOs)

Page 6: Auditing

• In common
  – No common auditing policies
  – But OSG/EGEE share a common Incident Response policy
  – TeraGrid has a well defined incident handling workflow (DEISA?)
• Differences
  – EGEE has policy on Traceability and Logging
    • Requires middleware to produce appropriate logs
    • Sites and Service providers must keep logs
      – In a site central server
      – For at least 90 days
    • Details defined by Operational Security Coord Team
      – Including some core logs which must be kept for 180 days

Page 7: AUP

• In common
  – Grid User AUP
    • EGEE and OSG identical wording
      – Accepted by user during registration with VO
    • DEISA uses slightly modified version
    • OGF GIN also uses slightly modified version
  – OSG/EGEE: VO AUP belongs to the VO
• Different
  – TeraGrid has an AUP per site (so does DEISA)
    • Accepted by user during registration

Page 8: Other Policies

• TeraGrid
  – Policy Framework (TG1)
    • Process for agreeing policy
• JSPG has a top-level Security Policy
• JSPG, EGEE, OSG
  – Site Registration, Site Operation
  – VO Registration, VO Operation, VO Membership
  – Pilot Jobs

Page 9: Policy precedence

• OSG defines an order of precedence
  – Site then VO then Workspace then OSG
• EGEE:
  – Each Site has its own local policies
  – EGEE policy augments local policies by setting out additional Grid-specific requirements
  – And has an exceptions handling process
• DEISA/TeraGrid?

Page 10: IGTF – new work

• EUGridPMA Authorisation WG
  – Tackling scaling problem:
    • Build trust between large number of both VOs and Grids
  – Working on document defining minimum requirements for running an Attribute Authority service (e.g. VOMS). Accreditation process TBD.
    • https://grid.ie/eugridpma/wiki/AA_Profile
• VO responsibilities defined in JSPG document: VO Membership Management Policy
  • http://www.jspg.org/wiki/VO_Membership_Management_Policy

Page 11: JSPG future work

• JSPG currently working on
  – VO registration, VO membership, Accounting Data, & Grid Portals
• Once that is all complete
  – Plan to revise and simplify all policies
• Working towards EGI and many NGIs
  – To produce simple and general policies
    • To augment the NGI local policies
    • Establish trust for international Grid interoperation

Page 12: Issues for discussion

• Standardise the Grid AUP?
• Agree on IGTF for AuthN?
  – With possibility to add other CAs if needed
• Can we use common language for manager of the User Database?
  – “VO” versus “Resource Provider/Site”?
• JSPG revision of all policies
  – It would be highly desirable to get IPG input
• Input also welcome to IGTF AuthZ WG

Page 13: Longer term issues

• Accounting
  – If we share VOs and/or users, accounting data exchange is very likely to be needed
    • We do need policy here, particularly for Privacy concerns
• Auditing
  – If we share users, we are likely to share security incidents (e.g. recent ssh attacks)
  – Audit logs important – need for common policy here?
    • Coordinated incident handling is highly desirable
    • OSG has a “peer Grid” contact list
    • OSG/TeraGrid/EGEE is discussing high-level communication
      – To avoid n*n communication paths