
Gabriele Carcassi
Gabriele Carcassi has been writing software since he was 10 years old. Now a software engineer at Brookhaven National Laboratory, Carcassi works on the security aspects of grid computing for the ATLAS experiment and the experiments at BNL's Relativistic Heavy Ion Collider.
"One aspect of grid security is accountability," said Carcassi. "Previously, all jobs and file transfer work submitted to the grid ran on one local account, and there was only one account per virtual organization. We are working on ways to increase accountability; to tell who did what on which grid computing site."
Much of his work on grid security in the past year has focused on re-engineering the Grid User Management System for the ATLAS experiment, which will begin taking data at the Large Hadron Collider at CERN in 2008. Many sites that participate in U.S. ATLAS will have a central GUMS server that manages the mapping of grid credentials to different users' site accounts.
"Here's basically how things work if you're in ATLAS and want to run a job on the grid," explains Carcassi. "First, you log on to the computer where you usually do your work, either at your home institution or at a place like BNL. You would already have your own grid certificate installed on that computer. With your certificate, you generate a proxy, a temporary credential. You submit your job to run on a certain site, and the 'gatekeeper' at that site exchanges information with your proxy. If the gatekeeper determines that you're allowed to run your job, for example if your certificate is listed as part of the ATLAS virtual organization, it will map you to a local account that would allow you to execute the job."
"Although this might sound complicated," noted Carcassi, "it's based on concepts and tools that you use whenever you buy something securely over the Internet."
Carcassi also collaborates with scientists at the Fermi National Accelerator Laboratory on role-based authentication. In this system, you are assigned certain privileges and priorities based on the tasks you will be expected to perform—installing software, running applications—within a given virtual organization.
"It's a balancing act," said Carcassi. "Many users will be accessing the same computers to run different kinds of jobs. We need to make sure the most important tasks receive the highest priority, but that everyone gets their work done in a timely manner."
Learn more at the GUMS Web site.
—Katie Yurkewicz