Spoolers, pilots and Trust in the OSG.
======================================

D. Petravick, Open Science Grid Security Officer.

Slide one gives a schematic diagram of the systems USLHC VOs are deploying on the OSG. Experiments have one (or more) job spoolers. Experimenters submit to the spoolers. The spooler maintains the job content and the correspondence between the user and the job, and eventually submits to a site.

Slide 2) Sites wishing to know the identity of the end user must trust that the spooler software system performs its function. There are several components to this trust. However, at the highest level, we are trusting that the VO

- has built a spooling system that is appropriately attack-resistant.
- operates the system on a platform that is run well.
- operates the system faithfully.

It seems to the OSG that there are very similar trust elements in a pilot job. We have to trust that the VO has constructed pilot software that

- faithfully obtains the job from the spooler
- faithfully maintains the correspondence between the user and the job
- faithfully declares the identity of the end user to the site.

The qualitative level of trust a site invests in a VO with a pilot system is about the same as the level of trust a site invests in a VO that operates a job spooler. To put it simply, if you trust VO-run spoolers, then there are conditions where you ought to trust a pilot. It may very well be that if you never trust a pilot, you should never trust a VO to run a spooler.

Slide 3) In the US, we think of maintaining security by means of controls. Controls can be technical (e.g. an encryption algorithm), operational (counting on the behavior of individuals), or managerial (setting up an organization). It seems to us that security in grid systems flows from operational and managerial controls. In the scenario under discussion, for the case of a pilot and a spooler, sites need to trust the VO's provisioning of software and the VO's operation of software.
The main controls are that:

- the VOs stand behind the operation
- the VOs are trustworthy.

Notice that since spoolers and pilots are both likely open source software, it is quite possible for a user to run their own spooler. This is likely against the interest of the VO, since the VO may have implemented the spooler in an attempt to enforce a resource allocation policy. Any VO that is planning to have a system that degrades well given a shortage of resources is, presumably, interested in making sure that sites trade with users only in the context of VO-operated spoolers. One idea, not fully developed, is to insist that the credentials presented by the pilot to the site are from a person the VO has authorized to operate a spooler/pilot infrastructure.

What is the role of gLExec on the worker nodes? gLExec provides site services to a trusted pilot. It provides no security when trust of the pilot and trust of the spooler are absent.

In summary, when we examined the issue of pilots, we discovered a larger notion that subsumes pilots and extends back to any VO-provided software that handles jobs. The insight is that sites place a great amount of trust in these kinds of VOs, pilots or not.