This is a static archive of the previous Open Grid Forum GridForge content management system saved from host file /sf/wiki/do/viewPage/projects.ipg/wiki/OGF24 at Thu, 03 Nov 2022 15:23:41 GMT SourceForge : View Wiki Page: OGF24

wiki2173: OGF24

Date of Meeting: 15th September 2008

Minutes authors: Bob Jones, Erwin Laure


EGEE: Bob Jones (phone), Erwin Laure

DEISA: Stefan Heinzel, Andreas Schott

OSG: Miron Livny (phone), Ruth Pordes (phone)

TeraGrid: JP Navarro

NAREGI: Kento Aida

Invited: Dave Kelsey

Summary of AAAA Information

Each infrastructure (with the exception of NAREGI which stated that since they have not yet reached production status they do not have documented policies) provided a paper before the meeting outlining their policy for Authentication, Authorization, Accounting, and Auditing (AAAA).

Dave Kelsey had reviewed the material before the meeting and prepared slides comparing the similarities and differences of the policies between the infrastructures.

For Authentication, all infrastructures use X.509 PKI and, with the exception of TeraGrid, the set of Certificate Authorities (CAs) accredited by IGTF. TeraGrid has additional requirements on CAs which could represent useful input to the IGTF.

For Authorisation, EGEE and OSG use Virtual Organisation (VO) Membership Services (VOMS) and have similar approaches, while DEISA and TeraGrid rely on local LDAP databases. EGEE and OSG delegate user registration to VOs, while DEISA and TeraGrid count on user registration facilities at sites and hold the Principal Investigator (PI) as the responsible contact. In the discussion, similarities between the role of PIs and VO managers or contacts were highlighted.

For Accounting, there are no policy documents, but accounting is used in all infrastructures. EGEE and OSG share accounting data for the WLCG VOs. Similarly, there is no common auditing process, but OSG and EGEE share a common Incident Response policy and TeraGrid has a well-defined incident handling workflow.

Dave summarized a number of points for discussion:

  • Given the similarities, could the infrastructures standardize the Grid Acceptable Usage Policy?
  • Could the infrastructures agree on IGTF for Authentication with the possibility to add other CAs if needed?
  • Can we use a common language for the manager of the User Database (i.e. the PI, VO manager or contact)?
  • The Joint Security Policy Group as well as the IGTF Authorisation Working Group is revising all the relevant policy documents and input from this group would be highly desirable.

Dave also noted some longer-term issues that will need to be addressed:
  • If infrastructures shared VOs and/or users then it is likely that they will also have to exchange accounting data. Is a policy necessary here, in particular for privacy concerns?
  • If infrastructures share users, they are likely to share security incidents. Coordinated incident handling is highly desirable and a policy for audit logs would be very beneficial.

Interoperation Experiences

Ruth presented, with slides, the work to deploy on OSG the WISDOM drug discovery application coming from the EGEE BioMed VO. There were some technical issues which can be discussed at the GIN group, but two key policy points were highlighted:
  • Mutual trust between infrastructures;
  • Pairing of infrastructures or enabling VOs to use different infrastructures without explicit pairing.

In the discussion that followed, mutual trust was highlighted as a prerequisite for enabling VOs without explicit pairing. It was also noted that the concept of a VO is not the basis for Authentication and Authorisation in TeraGrid and DEISA, where it is performed on a per-user basis. TeraGrid has "community accounts" where identity is managed and is moving towards PIs being responsible for their users.

JP presented briefly the OSG/TeraGrid interactions and the issues identified. Authentication is basically solved via IGTF and the next step is Authorisation where allocation and accounting mechanisms are currently manual. In terms of resource allocation, TeraGrid gives allocations to PIs and Ruth reported that there is no official OSG allocation on TeraGrid yet, rather a first interoperability test. They are currently experimenting with a gateway between FermiGrid and NCSA.

The role of community portals as a way of providing gateways was discussed. An advantage of both is seen to be that they provide a focus point for the community and, in certain cases, permit pseudonymity as requested by various user communities. Two types of community portals were noted: those that allow the user to select an application for execution from a pre-defined set, and those that allow the user to upload their own application. The first, more restrictive type of portal makes it easier for infrastructures such as TeraGrid and DEISA to allocate resources since there is better control over the access. Ruth questioned whether, in the move to pair infrastructures, we are not making it more difficult for ad-hoc groups to form transient VOs. Erwin noted that in EGEE, long-term “discipline” VOs such as BioMed and CompChem act as a framework for such agile scientific collaboration.


Based on the discussions, the following actions were agreed:
  • Dave Kelsey will prepare a template for AAAA policies which can be used by the infrastructures as a consistent means of providing public documentation in a table format – deadline 31st October 2008.
  • Each infrastructure will circulate its Resource Allocation Policy and Procedure – deadline 12th January 2009.
  • Dave Kelsey will interact with the JSPG to review AUPs and related policies and see whether they can be made to converge. Dave will report on progress at the next meeting.
  • Each infrastructure will circulate its relevant material concerning portal policies in preparation for a discussion at the next meeting – deadline 12th January 2009.

Next Meeting

It was agreed that the next meeting of this group will be held at the joint OGF25 and EGEE User Forum, 2-5 March 2009 in Catania, Italy.
