EGEE Workshop on Management of Rights in Production Grids

chaired by Erwin Laure and Ake Edlund
Monday, 19 June 2006 from to (Europe/Zurich)
at HPDC 15, Paris
Description
See also the Workshop Homepage
  • Monday, 19 June 2006
    • 09:00 - 11:00 Experiences from Major Production Grids
    • 11:00 - 11:45 Standards and Frameworks
      • 11:00 Standards and Frameworks 45'
        This talk will cover some of the common mechanisms and themes in the authentication and authorization frameworks used in today's middleware stacks, and describe their capabilities and limitations. Efforts currently underway in standards organizations such as OASIS and GGF will be discussed, as well as some of the "wild ideas" that lurk around the corner. The OSG privilege project will also be described.
        Speaker: Christos Kanellopoulos & Gabriele Garzoglio (GRNET, FNAL)
    • 11:45 - 15:45 Management of Rights in Data Management Tools
      • 11:45 Data management in LCG & EGEE 30'
        I will describe features of the software used in LCG & EGEE for data management, in the context of rights management. In particular I shall look at encrypted data storage and key management components as well as considering ACL support.
        Speaker: David Smith (CERN)
      • 12:15 Rights Management for Shared Collections 30'
        Data grids are becoming the standard data management infrastructure for organizing shared collections.  Data grids implement the data and trust virtualization mechanisms needed to support rights management on distributed data. The usual approach is to identify explicitly the persons who will have special privileges, such as the ability to change metadata or files.  Non-public access is through authentication and authorization mechanisms to assure the integrity of the shared collection. The approaches used in data grids and federations of data grids will be illustrated.
        Speaker: Reagan Moore (SDSC)
      • 12:45 Lunch 1h0'
      • 13:45 Rights Management in Globus Data Services 30'
        In this talk, we will discuss rights management requirements for data services in the Globus Toolkit, including GridFTP, the Reliable File Transfer Service,  Replica Location Services, and the Data Replication Service. We will discuss our initial work on utilizing the Globus Toolkit Version 4 authorization framework to support richer and more fine-grained authorization of data operations. We will also discuss future plans for providing rights management in Globus data services.
        Speaker: Ann Chervenak/Bill Allcock (ISI/ANL)
      • 14:15 Authorization Models for Data Services 30'
        This talk summarises different authorization models which can be applied to data services, with particular focus on efforts based on OGSA-DAI services from inteligrid, SIMDAT, and Wright State University. It examines potential authorization points within OGSA-DAI and requirements to support more detailed and dynamic authorization for database services in general.
        Speaker: Neil Chue Hong (EPCC)
      • 14:45 Distributed Data Access Control Mechanisms in the SRM 30'
        Controlling access to data that is replicated to several administrative domains is a nontrivial distributed problem. The current approaches, pros and cons are discussed and compared for supporting access control lists, as well as encryption of data, with special emphasis on the implementation and possible solutions in the Storage Resource Manager (SRM) Interface.
        Speaker: Peter Kunszt (CSCS)
      • 15:15 Coffee 30'
    • 15:45 - 18:15 Management of Rights in Job Management Tools
      • 15:45 Policy management and fair share in gLite 30'
        The talk is about policy management issues in grid computing and about the approach to those issues proposed within the EGEE project. A flexible approach to policy management will be of great importance to the real usability of the grid infrastructure. We describe the gpBox policy management system and the capabilities it delivers to VO administrators and site managers to define access policies. We then describe the usage of gpBox integrated with the DGAS accounting system to implement usage quota-based access policies and fair-share access to computing resources.
        Speaker: Andrea Guarise (INFN)
      • 16:15 Explicit Trust Delegation: Dynamic Security in Unicore 30'
        This talk addresses the issue of how to build dynamic grids without using the proxy extensions that cause concern within the security community.  This discussion is made in the context of the Unicore grid infrastructure. Unicore is known to have a strong, respected security model, but at the cost of not supporting some dynamic grid capabilities. The discussion shows how Unicore is enhanced using Explicit Trust Delegation to provide dynamic capabilities.
        Speaker: David Snelling (Fujitsu)
      • 16:45 Dynamic Accounts: Identity Management for site operations 30'
        This talk will discuss the requirements and design of a site-oriented identity management service to facilitate the use of dynamic accounts. We will describe a GT4-based service allowing authorized Grid clients to dynamically associate a Grid identity with a local site identity allocated from a pre-configured pool and manage this association. We will discuss both user and administrator views of the service as well as describe its implementation and performance.
        Speaker: Kate Keahey (ANL)
      • 17:15 Management of Rights in Heterogeneous Environment 30'
        As jobs traverse the different layers of the middleware stacks on their way from the submission point to the execution site and back, they assume different identities and interact with different rights management systems. Technologies developed by the Condor project have to deal with this diversity of systems as they are used at different layers of the stack. We will discuss the challenges of supporting and operating in such a heterogeneous environment and present possible approaches and solutions.
        Speaker: Miron Livny (Univ. of Wisconsin, Madison)
      • 17:45 Standards driven AAA for Job Management within the OMII-UK distribution 30'
        The OMII-UK distribution has to support Authenticated and Authorised access to a variety of different services within the same hosting environment, some of which may need to account for usage against a defined quota. Geographically dispersed hosting environments may be deployed as part of a virtual organisation which need to be managed through defined policies. This talk will describe the infrastructure used to manage access to the deployment of the GridSAM Job Submission and Monitoring Service, the available accounting support, and the use of standards within the OMII-UK container.
        Speaker: Steven Newhouse (OMII-UK)
    • 18:15 - 19:00 Discussions