Title: Security for Group Collaborations
Argonne National Laboratory
PI: Steve Tuecke
Argonne National Laboratory
Mathematics and Computer Science Division
9700 SO. Cass Avenue – Building 221
Argonne, IL 60439
Tel: 630-252-3378, Email: Stevens@mcs.anl.gov
University of Southern California
PI: Carl Kesselman
USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Marina del Rey, CA 90292
Email: carl@isi.edu
University of Wisconsin
PI: Miron Livny
Department of Computer Science
University of Wisconsin
1210 W. Dayton Street
Madison, WI 53706-1685
Tel: 608-264-0856, Email: miron@cs.wisc.edu
Today, scientific advances are rarely the result of an individual toiling in isolation, but are typically the result of a collaborative, team effort. We can find many examples of such collaborative teams in areas of science of interest to the Department of Energy, including particle physics experiments (e.g. BABAR, CMS, ATLAS), global climate change, and fusion science.
Such examples exhibit four essential properties of collaborative work: 1) the participants, as well as the resources used to perform the work of the collaboration, are distributed both geographically and organizationally; 2) collaborations can scale in size from a few individuals to thousands of participants, and membership may change over the lifetime of the collaborative task; 3) collaborations may span areas of expertise, with members filling different roles within the collaboration; 4) the work of the team is enabled by providing team members with access to a variety of community resources, including computers, storage systems, datasets, applications, and tools.
While considerable work has been done on collaboration tools to assist in performing the work of a collaboration (e.g. electronic notebooks, mechanisms for annotating and cataloging information, interfaces to computing resources), little has been done on mechanisms for establishing and maintaining the structure of the collaboration. This structure includes means for identifying who is a member of the collaboration, what role they play, what types of activities they are entitled to perform, and what community resources are available to members of the collaboration. Yet these issues must be addressed in a comprehensive manner before collaborative environments can be used to solve problems of real consequence.
At the center of this problem of structure is determining the identity of both participants and resources in a collaboration and, based on this identity, determining the rights of the participant and resource. These operations fall under the general heading of security technologies: identity and role being implemented via authentication mechanisms, and rights by authorization mechanisms. Yet while many basic mechanisms for authentication and authorization have been defined, the issues of distribution, dynamics and scale discussed above complicate their application to collaborative environments, posing major research challenges that must be addressed.
In this project, we focus on this fundamental question of how to structure collaborations. Our goal is to develop scalable, secure, and usable methods and tools for defining and maintaining membership, rights, and roles in group collaborations. Our concern is not with any specific collaboration or collaboratory but rather with 1) understanding the basic mechanisms required to structure a collaboration, 2) developing infrastructure elements in the form of middleware services and tools that implement the mechanisms, and 3) demonstrating the validity of these methods within the context of a number of demonstration collaboration environments.
Specific work to be performed in the project includes the following. To greatly reduce the cost of adding new members to a collaboration, we are developing and evaluating new techniques for creating and managing credentials based on public key certificates, including support for online certificate generation, online certificate repositories, and multiple certificate authorities. To facilitate the integration of new resources into a collaboration, we are significantly improving the integration of local security environments. To make it easy to create and change the roles and associated privileges of both the resources and the participants of a collaboration, we are developing community-wide authorization services that provide distributed, scalable means for specifying policy. These services will make it possible to delegate capability from the community to a specific user, class of user, or resource. Finally, we will instantiate our research results in a framework that makes them usable by a wide range of collaborative tools. The widespread adoption of our Grid Security Infrastructure and Globus Toolkit technology provides a natural dissemination and technology transfer vehicle for our results.
Deliverables – by all three PIs combined
In the project activity details below we show year 1 tasks in some detail; activities for subsequent years will be detailed in the project planning tasks that will take place in Q4 of the previous year. Please note that this plan overview is preliminary and subject to changes in technical and deployment approach. Years indicated are from the initiation of the project. This high-level overview does not indicate task duration: many of the tasks, once started, are ongoing. Some may diminish in workload as the project proceeds, replaced by tasks that will be identified in Year 2-5 project planning efforts. The Lead column indicates the institution responsible for leading a particular task, though the other institutions will often participate in accomplishing these same tasks.
| Lead | Type | Activity or Milestone |
|---|---|---|
| YEAR 1 Q1-2 | | |
| ANL | Coordinate | Develop project plan for Project Year 1 |
| ISI | Specification | Develop CAS server, client, and protocol specifications |
| ISI | Development | Implement CAS server & client, with ACL-based policy language |
| ANL | Research | Prototype storage, compute, and bandwidth broker resource services that accept CAS capabilities |
| ISI | Research | Prototype policy evaluation API & SDK |
| ISI | Research | Prototype simple ACL policy evaluator |
| | Milestone | Demonstrate CAS in small testbed with multiple resource types |
| ANL | Research | Prototype compute, storage, & bandwidth broker resource servers that support CAS |
| ANL | Standards | Propose standards for X.509 Impersonation Certificates, Restricted ICs, Delegation Tracing, TLS Delegation Protocol, and GSS-API Extensions |
| ISI | Research | Prototype Extended ACL policy evaluator |
| UW | Research | Prototype ClassAd policy evaluator |
| YEAR 1 Q3-4 | | |
| ANL | Development | Implement and track all proposed standards |
| ANL | Development | Implement restricted delegation extensions, with simple attr/value restrictions |
| | Deliverable | Deliver GSS-API, which tracks standards, and has restricted delegation |
| ISI | Development | Incorporate restricted delegation into CAS |
| ISI | Development | Incorporate proposed standards into CAS |
| | Milestone | Demonstrate CAS, with restricted delegation, in testbed with real application |
| ANL | Development | Improve error reporting and logging |
| ANL | Development | Implement storage and compute resource services that support CAS |
| UW | Development | Implement CAS support in Condor-G compute resource service |
| | Deliverable | Deliver CAS version 1, and supporting storage & compute services |
| UW | Research | Evaluate CAS and policy languages |
| ISI | Research | Review and explore utility of more powerful policy languages |
| ANL | Coordinate | Develop project plan for Project Year 2 |
| YEAR 2 | | |
| ANL | Standards | Finalize all standards |
| ANL | Development | Implement all final standards |
| | Deliverable | Deliver GSS-API with final standards |
| ISI | Specification | Re-evaluate CAS specifications, based on year 1 experience |
| ISI | Development | Implement changes to CAS, based on revised specifications |
| | Milestone | Deploy CAS into real collaboration |
| ANL | Research | Evaluate policy languages for CAS, restricted delegation, and resource discovery |
| UW | Research | Evaluate ClassAds against other policy languages |
| ISI | Development | Implement policy evaluation API & SDK |
| ISI | Research | Prototype use of languages & API for extended CAS & restricted delegation policies |
| ISI | Development | Add accounting GUID to CAS capabilities, and use it for resource usage logs |
| | Deliverable | Deliver CAS version 2, and support storage & compute services |
| ANL | Specification | Develop Online CA specification |
| ANL | Development | Implement Online CA |
| UW | Research | Evaluate Online CA use with Condor-G |
| | Milestone | Demonstrate Online CA in friendly collaboration |
| ANL | Specification | Develop Online Credential Repository specification |
| ANL | Development | Implement Online Credential Repository |
| UW | Research | Evaluate Online Credential Repository use with Condor-G |
| | Milestone | Demonstrate Online Credential Repository in friendly collaboration |
| ANL | Development | Implement support for subordinate CAs for domains |
| ANL | Coordinate | Develop project plan for Project Year 3 |
| YEAR 3 | | |
| ANL | Development | Re-evaluate and implement changes to Online CA |
| | Deliverable | Deliver Online CA version 1 |
| | Milestone | Deploy Online CA into real collaborations |
| ANL | Development | Re-evaluate and implement changes to Online Credential Repository |
| | Deliverable | Deliver Online Credential Repository version 1 |
| | Milestone | Deploy Online Credential Repository into real collaborations |
| UW | Development | Implement Online CA and/or Credential Repository in Condor-G |
| ISI | Research | Choose policy language(s) |
| ISI | Development | Implement policy evaluation for language(s) |
| ISI | Development | Implement policy language(s) into CAS and restricted delegation |
| UW | Development | Implement policy language(s) into Condor-G |
| | Deliverable | Deliver CAS version 3 |
| | Milestone | Deploy CAS with improved policy language support into real collaboration |
| ANL | Development | Improve integration with Kerberos and AFS |
| ISI | Development | Implement tools and protocol for distributing accounting information |
| | Deliverable | Deliver GSS-API, and miscellaneous supporting tools |
| ANL | Development | Add simple multiple credential handling to client and Online Credential Repository |
| ISI | Standards | Propose standards for policy languages, and policy evaluation API |
| ANL | Coordinate | Develop project plan for Project Year 4 |
| YEAR 4 | | |
| ANL | Development | Implement tools for aggregating and analyzing community accounting information |
| | Deliverable | Deliver community accounting tools |
| ISI | Research | Extend policy language to support resource consumption policies |
| ISI | Development | Extend CAS and resources to support resource consumption policies |
| ISI | Research | Prototype CAS distribution and replication |
| | Milestone | Deploy CAS with consumption policies |
| UW | Research | Prototype policy based resource discovery and selection |
| ANL | Development | Add multiple credential discovery |
| | Milestone | Deploy Online Cred Repository with multiple credential handling & discovery |
| | Deliverable | Deliver updated CAS, Online CA, Online Credential Repository |
| ANL | Research | Prototype multi-factor authentication |
| ISI | Standards | Propose standards for distributed accounting and resource consumption policies |
| ANL | Research | Prototype Independent Data Unit support |
| ANL | Coordinate | Develop project plan for Project Year 5 |
| YEAR 5 | | |
| ISI | Development | Implement CAS distribution and replication |
| | Milestone | Deploy CAS with distribution and replication |
| UW | Development | Implement policy based resource discovery and selection |
| ANL | Development | Add multiple credential delegation |
| ANL | Development | Implement and deploy multi-factor authentication |
| ANL | Development | Implement and deploy Independent Data Unit support |
| ISI | Development | Implement tools to assist in flexible application of message protection |
| | Deliverable | Deliver updated CAS, Online CA, Online Credential Repository |
| | Deliverable | Deliver GSI with IDU support, multi-factor authentication, supporting tools |