---

GGF Athens 13-16 February 2006

---

GGF/GRNET Opening Plenary: Welcome & EC Keynote

Some general welcomes, then...

Mark Linesch, chair, GGF

(gave the main introduction from GGF) More people here from industry than before (about 22% of participants).

Major theme this time is for production grids. Builders vs Architects.

Ulf Dahlsten - European Commission

• "The hype is over"

Production Grids Plenary

Fabrizio Gagliardi, EMEA Director for Technical Computing, Microsoft [previously CERN and ?EGEE?] Production Grids overview: EGEE, OSG, HellasGrid

EGEE Grid, 234 sites >24000 cpus

• Current situation (globally)
  • Many grids - very few maintained as a persistent infrastructure Need for public and open grids (OSG, EGEE, NAREGI and TERAGRID etc.) Persistence, support, sustainability are the major challenges.
  Major challenges:
  • Security Stable industrial standards (GGF and EGA converging) Easier learning curve for new starters.
  Where are we going?
  • Top 500 supercomputers - their trneds
    • Industry usage rising Clusters used over 50% Gigabit Ethernet usage is gaining
    Architecture smaller, costs have come down a lot (supercomputing has become personal) On the chip:
    • Coming to the limits, so many processors more attractive. However, the chips could be improved for SC And applications need to be written to benefit from parallel processing.
    Then a bit of an advert for Microsoft HPC new products along the way (not too much, though).

Dejan Milojicic - HP Laboratories

Enterprise IT (and grids)

• IT Imperatives
  • Need to simplify IT environment Need adaptive monitoring
    • Data missing, other imperfections etc.
  Virtual Desktop System with a compute cluster at the back How does this relate to grid. Talk generally went too fast to pick out much of interest.

Wayne Clark, Cisco: Networking Challenges in the support of Grid Computing

A few lists of different architectures of network control for the future.

Erwin Laure EGEE

Enabling Grids for E-sciencE (EGEE) project

• EGEE is clustered into federations (usually nationally run) Have to have secure and robust middleware. EGEE today

  • >170 sites in 39 countreies 17 000 CPUs, >5 PB of storage.

  (EGEE-II is to expand and be more truly worldwide (production grids).) 20 supported applications from 7 domains (high energy physics, biomedecine etc. etc.).
  • About 10,000 jobs per day
  Data sharing

Frank Wuerthwein, Open Science Grid

(US grid computing infrastructure)

• 23 active virtual organisations Mentioned something about reading roles from the users' certificates. Need to know more!

• Frank showed the activities of different disciplines. One he labelled as "Bio/Eng/Me" and this was "ragged". The users have peaks of activities and then go quiet. Other communities are a little more constant in processor demand.

  Check out the OSG AuthZ info at http://www.opensciencegrid.org/index.php?option=com_content&task=view&id=93&Itemid=82#Appendix_B_List_of_Known_Vomses

Nectarios Koziris: "Building a nation-wide production Grid infrastructure in Greece: The Hellasgrid project"

NTUA & Vice-Chairman, GRNET. Hellasgrid, part of EGEE.

Grid Primer - Pawel Plaszczak

I (MN) attended this for two purposes:

• to fill in a few gaps where I may not have the right grid background

• to see how "the Grid" is likely to be sold to managers

I found the session really useful. It was pitched just right for me (if I had have been a "manager" who did not know any background about the grid, I doubt if I'd have followed a huge amount, though). But I filled in quite a few gaps. I have the notes/slides if anyone wants to borrow them.

Ian Foster - Plenary on Tuesday morning (14th Feb 06)

Began by talking about the kinds of projects that he's been involved in recently.

• e.g. earthquake prediction
  • business intelligence applications (dynamic VO within a managed pool of shared resources).

• Vision: on demand access to computing Reality: much manual configuration Service oriented applications and service oriented grid infrastructure Security and policy:
  • Identify VO participants and roles (for people and services) Specify and control actions of members

    • empower members -> delegation enforce restrictions -> federate policy

    Restrict VO operations based on requestor characteristics Intra-VO Evolution of grid security and policy
    • began by GSI (grid security infrastructure) recently we have had utilities to simplify the operation al use

      • MyProxy, VOMS etc. etc.

      General standards-based framework is coming now.
    Need:
    • Attribute Assertions AuthN and digital sinature Delegation Attribute mapping (across VOs and organisations) Policy management (including provenance)
    He calls attribute authorities (ATAs)
    • and authorization authorities (AZAs)
    He gave an example of ATAs and delegation of authority from user to user.
    • All this stuff actually exists - we've just got to put it together.
    Closing the loop with GT4 Security Toolkit
    • CAS, VOMS, SAML/X.509 attrib. certs etc.
  Forming and operating communities
  • Bootstrapping a VO by assembling services
    1. Integrate services from other sources
       • Virtualize external services as VO services
         • Community has application-specific content and activity. This stacks up on top of services and resources below this. We'd like to have service providers putting in the service and resource/capacity components. Negotiate SLAs Delegate and deploy services
    2. Co-ordination and composition
       • Data replication service
         • Pull "missing" files to a storage system
           • Lots of other bits, and the load is spread across many sites (a little like bitorrent)
    • Foster talked about deploying services dynamically (services like virtual machines GridFTP etc.) "Separation of Concerns and Roles"
      • (but I didn't quite pick up his point that followed this!)
      GT4 containers
      • Services register themselves, so resource/service discovery is not a big deal anymore.
  He finished off by again conceding that a lot of this is done manually at the moment. We need to move further towards a dynamic (and virtualised) situation.
  • Grid=dynamic behaviours and envoronments We have tools to realise dynamic scenarios We now need much experimentation (?implementations?) with the software.

Neil Geddes - Grid computing in the UK

Began in 2001 with e-Science (although e-Science not actually definitely grid).

• Talked about example grid activities that came from this

• LHC community gave rise to EGEE 2003 roadmap to try to get to an application-independent grid. NGS formed in 2003. NGS based on globus toolkit and part of EGEE. 11 partner sites. 4 core clusters. Range of parner contributions (more clusters, shared memory, portals etc.) Access is free at the point of use for lightweight on-demand computing. If you want more secure, longer-term resources, you have to find some funding.

Steven Newhouse OMII - General talk on OMII

OMII UK started in Jan 06, but a continuation of previous projects (MyGrid, OGSA-DAI, and some Southampton activities).

• MyGrid - biological stuff, based in Manchester OGSA-DAI - database stuff Southampton - mostly middleware

• Objectives of OMII-UK
  • To distribute well engineered, documented, interoperable middleware services, broadly accepted standards etc.
  User engagement Sourcing - UK and international service developers (outsourcing) Software engineering (as above) Grid engagement - tracking and engagement with the standards processes Sustainable business - blah blah Not a research activity, but many of the people involved are involved in research activities. OMII emerged from the e-Science users, PPARC, EPSRC etc.

  • There was a lot of ad hoc e-infrastructure -> rationalisation of these services to maintain and build upon

    • This is where OMII sits (main task)
    Also higher-level services and tools (e.g. Taverna) All of this sits (ideally) on top of the NGS with its infrastructure and services.
  Re. the higher-level services and tools
  • Divides into data and compute tools.
  Types of users:
  • System Administrators Middleware developers Service developers Application developers End users (with increasing diversity down that list)
  Gathering requirements
  • OMII will accept requiremnts and work with that to give a functional/technical spec.
  Managed Programme Funding
  • Not blue sky but development of prototypes into prime-time/production
  Current release OMII 2.3.3
  • Open source infrastructure
    • Tomcat http/https Axis WSS4J (WS-Security) GridSAM GRMOIRES UDDI registry and a bit more I missed...

Neil Chue Hong took over and talked about OGSA-DAI

Neil is Project Manager of OGSA-DAI

• Many challenges to get data used with grids
  • Scale
    • Many sites, large collections, many uses
    Longevity Diversity
    • No "one size fits all" solutions will work
    Many Data Resources You may therefore need to bring data in to your own data source
    • Copying it Federating it (across sites) Integrating it (with other data - maybe yours)
  Requirements
  • Need common data model Common Query Language(s) Standard access to
    • Data schema Physical data resource (for optimisation) Descriptive information for discovery
    Single security model Dynamic publication and discovery Multiple, efficient delivery methods Move computation towards data etc.
  OGSA-DAI in one slide
  • An engineered *extensible framework* for data access and integration Expose heterogeneous data resources through web services Interact with data resources
    • Queries/updates Data transformation/compression Data delivery
    Base for higher level services
  Distributed Query Processing
  • Allows you to split complex queries across a number of nodes.
  Future plans
  • New version of the OGSA-DAI engine Are XML and SOAP messages the *best* way of doing things?
  Question: data resources level - just labelled this with JDBC. But also expect some optimisation and surely the native queries/tools work better and faster? Have you written low level services that are specific to proprietary RDBMSs? (Didn't ask it though!)

Carol Goble (Manchester) to talk about Taverna Workbench

• Problem: remote, third party external applications and services
  • Legacy accessibility Application service discovery
  Workflows
  • User-guided and user-guidance The researchers generally don't own the databases, and the DBs don't actually use good standards Workflows that bioinformatician would understand (but look quite complex to me!)
  Results management
  • Semantic metadata Provenance Reuse of workflows very important (part of the attraction of doing it in the first place).

  All the above was the MyGrid project and Taverna was one of the outputs. Middleware platform for data intensive in silico bioinformatics experiments. All very open

  • Open sources (LGPL) Open domain services and resources Open community Open application
    • - nothing absolutely specific to biology (necessarily)
    Open model and open data
    • No prescribed typing model layered information model
    Open architecture
    • Service Oriented Architecture Loosely coupled, web services based.
  Scufl - simple conceptual unified flow language
  • Developed inpartnership with the biologists (who did't like the way that the computer scientists did it originally)

Grid and Shib investigators meeting

• 10 minute sessions quick run through

Andrew Martin Oxford/CCLRC ShibGrid project

• "Integrating NGS into the academic framework".
  • Targets
    • collation and reporting of requirements
    • system to allow cert. holders to use NGS via Shib
    • allow non-cert holders
    • extension of NGS portal to use Shib
    • write good quality software
    Scenario 1
    • Only shibboleth-provided credentials Authenticates to online CA Therey gains proxy cert for NGS proxy cert is written out with DN derived from Shib attributes
    Scenario 1a
    • User already has cert, but above scenario is similar
    Scenario 2
    • (Authz at NGS is just list of DNs) User registers with NGS using web form, Shib handshake...
    Scnario 3
    • NGS portal via Shib.
    Steven Pickles asked a question. Why don't we just use Shib to miss out the RA step to get a real certificate?

Erik Vullings - MAMS

• A ship on the grid.
  • Lots of pre-projects, e.g. Shibbolizing gridsphere and SPs Attribute Release Policy
    • Based on business card concept. MAMS has written a nice GUI ARP application
    • N.B. Special attribute depending on you being a Wagga Wagga tribe member.
    Authenticated Federated Access
    • Shibbolized Authenticated Federation Search interface

    Shibbolizing MyProxy

    • Looking at 2 ways of doing it
    VOs via Attribute Authority
    • Special WAYF for VO members? Claim Transformation Service (CTS)

      -> Federation to Federation SSO!

David Chadwick GridShibPermis

• Plugged PERMIS into GT3, GT4, GridShib (latter held up because of a cryptography bug in Java). What's the benefit?

  • A common AuthZ infrastructure for grid and non-grid users
  [He went really fast - too fast to get good notes]

Mike Jones SHEBANGS and GridSite

• SHEBANGS: Shibboleth Enabled Bridge to Access the National Grid Service
  • NGS is a globus 2 based grid Users need heavyweight tools and network access SHEBANGS is targetting the people without credentials

    Client -> Portal -> Grid

    Client delegates "someting" to MyProxy server and that releases a proxy cert for use in the portal. (Client apparently does not need GSI credentials) Client talks to the Credential Translation Service which issues them with an identity credential. The system covers only authentication, so they (later) want the CTS to take on a VOMS server to do the authZ

    -> packages everything up and puts them into the myProxy server -> user gets cert. with authN and authZ attributes. Outcomes:

    • Online CA Shibbolized VOMS server

GridSite and Shibboleth Integration Project

GridSite was for managing and formatting the content of GridPP web sites.

• based on X.509 cert authN method.

• GridHTTP(S) file transfer service Proxy cert. delegation service Storage Resource Management web service.

  User uses GridSite, talks HTTPS to a service, DN and password - gets attributes. User ends up with password and DN Handle

  Time limited password -> proxy password instead of proxy certificate. Attribute-based access control Looking at integrating it into VOMS.

Cristoph Witzig - SWITCH

• SWITCH Plans for Shibboleth and Grid
  • Swiss have SWITCHaai. Efforts started in 2002, went live last summer. Have about 10,000 users. So far SWITCH has not been active in grids SWITCH also operates the SWITCHpki Interoperability of Shibboleth and gLite (part of EGEE-2 proposal) Work will start in April and last for 2 years.
    • 3 phases:
      • 2 initial phases
        • Start small and Shib gLite w minimum amout of changes
        3rd phase
        • SAML support at the resource end Implementation Spring 2008
    Looking at using Shib to apply for certificates. Also looking at Shib-Grid symmetry (coming back the other way)
    • Grid user with a certificate, authN to a virtual home (VHO) which talks SAML to web based (Shibbed) SPs

Richard Sinnott

• Shib and Grid at the NeSC @ Glasgow DyVOSE - advanced authZ structure for teaching
  • Got students to use PERMIS policy editor to develop security policies for use in their assignment.
  BRIDGES
  • Use a host certificate on the BRIDGES portal to identify the jobs. Shibbed the front end of that.
  VOTES
  • Virtual Organisations for Trials and Epidemiological Studies
    • To get access to data sets, but presents privacy/anonymisation issues. AuthZ - get access to all data, anonymised data, some data etc.
  GLASS
  • Glasgow single sign on and Shib early adopter project.

Von Welch

• GridShib: integration of Shib and MyProxy

  • GridShib work to date

    • Using Shibboleth as an AA Globus can now query the IdP AA via Shibboleth (?in GT4.2)

    Recent MyProxy features

    • On-line CA functionality Long term certificate store Lots of authN mechanisms now supported (becuase of PAM module)
      • Kerberos, etc. etc.
    Future plans: Attribute Refinement
    • There isn't a WAYF for the grid
      • So they are putting a SAML authN assertion into certificates, so that the SP knows which IdP/AA to go to.
      Name binder service
      • Allows users to bind DNs to their Shib Ids (mapping at a local level)
      SSO
      • Users without existing X509 credentials

        • or credentials only in MyProxy

        Use Shib to log onto Grid
        • to get short-lived X509 credential from Shib authN
    Prototype SP-CA

    • Shib protected MyProxy on-line CA Issues short-lived credentials to anyone who can authenticate via InQueue Uses Java Web Start to get certificate to the desktop.

Nate Klingenstein - Internet2. Shibboleth 2.0 Update

• Separating the new releases into 2 batches Shib 2.0 and 2.1 SAML 2.0 lots of new features.
  • AuthN request - as to how they would like the user to be authenticated. (e.g. "use certificate", use "high level asurance" etc.) Single Logout NameID mapping and management

    • IdPs can inform SPs of name changes TargettedID into SAML assertion

    New metadata Enhanced Client of Proxy (ECP) Profile - to avoid the messy WAYF interface. Uses SOAP request. WAYF as a client application (good for grid users, but maybe bad for having to install things locally) Encryption - improve Attribute Push
  OpenSAML 2.0
  • nearly rewritten for cleaner interfaces backwards compatible
  Shib 2.0 features
  • This will be Shib 1.3 functionality but built on a SAML 2.0 base with just a few urgent enhancements Java SP Improved SP Clustering
    • backend ODBC timeout/attribute sharing
    Production ready WAYF
  Shib 2.1 features
  • Delegated AuthN

    Support for all SAML 2.0 assertions except AuthnQuery and AuthzDecisionQuery SAML NameID management requests account linking Attribute aggregation

    • At IdP At SP
    Enhanced client support
    • PAOS - WAYF solution
    Global Logout Improved targettedID implementation (SAML persistent identifier).
  OpenSAML 2.0
  • Beta in March
  Other cool stuff:
  • SHARPE Signet Grouper Nexus (but still Memphis-specific)

Grid and Shib investigators meeting (DAY 2)

• Von started off introducing the common areas of discussion from the previous day.
  • Internet2 - there's an April meeting for Grid and Shib developers, Arlington, Virginia (use as a deadline)
  Should we draft a requirements document for this April ?12th? meeting
  • Email list Shib/Grid portal architecture How to represent a VO with Shib? How to map Shib/Grid names IdP discovery N-tier delegation Specific attributes useful for grids

    • Which attributes are proper for IdPs/institutions to hold/manage and which are appropriate for VOs

    Authentication strength

    • SAMLauthenticationMethod can be used but probably not fine grained enough. Need some sort of level of assurance. However, web browsers are not really very secure!? (Passing cookies around).

  We then had a bit of a discussion around eduPersonTargettedID aka ?SAMLPersistentIdentifier? VO-VO federation

  • After we discussed this it was kind of concluded that this might be an issue of naming problem VOs being groups of resources or being groups of users
  Von plans to establish a GGF WG for this area and to use the new email list to get a list of ideas to agree/discuss at that time.

Security Area session - Wednesday afternoon

• Olle Mulmo doing introduction
  • Trusted Computing Research Group - they have a use case document to which they are hoping for comments. Firewall Issues RG - Ad Hoc and recent stuff:
    • GIN - Grid Interoperation Now - work continuing. 10 grids using a VOMS server to interoperate. Focus group on Shibboleth - Von Welch made a brief summary of our meeting. Authorisation workshop on Thursday (which I'll miss).
    OGSA security architecture document of a few years ago. GFD.32 Site AAA requirements doc.
    • These documents need replacing or updating.
    Spoke of lots of activities showing requirements for a list of security-related things. Useful looking table. There is now a use case repository in gridforge. Urgent stuff:
    • Service specification for performing delegation with profiles for X.509 and SAML assertions. Provisioning/lifecycle management issues Black-list/white-list service (may also be used as a panic-mode button service Logging: minimal requirements and operational recommendations Simple, initial set of capabilities allowing for constrained delegation.

Blair Dillaway, Microsoft gave a talk about Microsoft R&D Distributed System Security

• Motivations:
  • Key technology trends
    • increasing underutilised resource (as processors get faster etc. not really used enough)
    Some customer requirements
    • cross organisation interactions de-centralised control outsourcing of services elimination of productivity barriers due to physical location
    "Strong correlation with Grid community interests" Talked a lot about idle (at night machines). e.g. Microsoft have about 10,000 desktop machines. Key Challenges
    • Security decisions about multiple principals Fine-grained trust Simple and scalable AuthN
      • (Seamless cross-domain AuthN - SSO) (Flexible revocation approaches)
      Uniform and flexible authZ Seamless communications security
      • Efficient discovery/negotiation of security requirements Flexible security for both control- and data-plane
      Automatic and safe code deployment
      • Code identity manifests with policy-controlled actions Securely deliver code and provisioning info.
      Distributed resource management
      • Policy controlled resource disclosure AuthZ for job scheduling, monitoring, cancellations...
      Constrained delegation
      • Delegated access rights
        • Explicit authZ to delegate all, or part, or a principal's rights Consistent with other credential types
        Includes job management, policy authoring rights Delegated authZ decisions
      Uniform auditing approach to support forensics
      • Plan this from the start Integrated with authZ policy - common semantic

Life Sciences session 5.30pm Wednesday

• Life Sciences Grids (falsely advertised as Security and Privacy Needs of Health Grids) Main presenter not here (Dave Angulo) so presented by ??Abbas Farazdel?? Life Sciences Work Group (and lots of sub-groups listed

  • from architecture, workflows, requirements etc.
  Then a list of open positions (from secretary to Requirements Doc, Discovery, Medical Imaging etc. etc.) The LSG
  • Explores issues related to the integration of information Technology with Life Sciences on a grid infrastructure Throughout 05-06 LSG has been exploring privacy and security needs of the health care industry
  Names: Allen Luniewski and Dave Berry, Andrew Simpson (Oxford), Peter Kunszt As a result, there will be a Grid Authz Interoperability "Here and Now" workshop (tomorrow) Thurs 16 at this GGF The meeting kind of ground to a halt as it became clear that most people in the room (of about 25) were 'tourists' like me. I was there as I was interested in the security aspects (privacy, confidentiality etc.) and I wanted to hear a good discussion. At least one other person said he was there for the same reason. There wasn't enough people actually involved in the LSG it seems

That was the end of things for me. Apart from the final session on Weds, it was a very useful meeting!