
1 DataGrid is a project funded by the European Union. EDG Conference Barcelona 2003 – Title – n° 1
VOMS and LCMAPS on Global Permissions and Local Credentials
David Groep & Gridification Team, partly based on the CHEP2003 talk by Luca dell'Agnello et al. (SCG, WP4, WP6)
davidg@nikhef.nl
http://hep-project-grid-scg.web.cern.ch/

2 WP4 meeting EDG Barcelona 2003 – VOMS and LCMAPS – n° 2
Talk Outline
- Introduction
- Authorization requirements
- VO Membership Service
- Spitfire TrustManager
- Local site enforcement mechanisms (LCAS, LCMAPS)
  - LCMAPS architecture
  - Evolution Manager and the Policy Language
  - Credential Enforcement Gotchas
- Conclusions

3 Introduction (1)
- EDG security infrastructure based on X.509 certificates (PKI)
- Authentication
  - 16 national certification authorities
  - Policies and procedures -> mutual trust
  - Users identified by certificates signed by their national CA
- Authorization
  - Cannot decide authorization for grid users on a local-site basis only
  - At least 2 entities involved
    - Resource Providers (e.g. Tiers in the LCG framework)
    - Virtual Organizations (e.g. LHC experiment collaborations)

4 Introduction (2)
- Authorization (cont.)
  - Resource granting established by agreements between VOs and RPs
    - VOs administer user membership, roles and capabilities
    - RPs evaluate the authorization granted by a VO to a user and map it into local credentials to access resources
  - Trust/Authorization Manager for Java (e.g. Spitfire)
  - LCAS/LCMAPS for farms
  - SlashGrid for storage (Andrew's talk)
  - Need a tool to manage membership for large VOs (10000 users)
    - Globus mechanism (grid-mapfile) not scalable
  - VO Membership Service (VOMS)
    - Extends the existing grid security infrastructure with embedded VO affiliation assertions
    - Permits authorization control on grid services for job submission, file and database access

5 Authorization requirements
- Architecture
  - centralized and scalable (for a VO-based authorization policy)
- Attribute support
  - group membership (subgroups, multiple inheritance, ...)
  - roles (admin, student, ...), capabilities (free-form string), ...
  - temporal bounds
- Resource Provider
  - keeps full control over access rights
  - traceability at user level (not VO level)
- Security issues
  - the authorization server must not be a single point of failure
  - authorization communications must be trusted, secured and reserved

6 Globus Authorization Mechanism
- grid-mapfile
  - maps grid credentials (the user's certificate subject) to local credentials (a Unix account)
  - "Boolean" authorization: a subject is either listed or it is not
  - information provided via VO-LDAP servers
  - managed "manually" by the resource admin (via mkgridmap)
- No centralization
- No scalability
- Lack of flexibility

Example grid-mapfile entries:
  "/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/Email=roberto.alfieri@pr.infn.it" alfieri
  "/C=IT/O=INFN/L=Parma/CN=Fabio Spataro/Email=fabio.spataro@pr.infn.it" spataro

7 VO-LDAP Architecture (diagram)
Labels recoverable from the figure: VO Directory (o=xyz, dc=eu-datagrid, dc=org with ou=People, ou=Testbed1, ou=???; entries such as CN=Mario Rossi, CN=Franz Elmer, CN=John Smith); mkgridmap; grid-mapfile; local users; ban list; Authentication Certificate.
Adopted by DataGrid Testbed0 (2001/02), DataGrid Testbed1 (2003), DataTAG Testbed (2003)

8 The Virtual Organization Membership Service
- The Virtual Organization Membership Service (VOMS)
  - Developed by the European DataGrid and DataTAG collaborations to solve the limitations of the current LDAP VO servers
  - Grants authorization data to users at VO level
    - Each VO has its own VOMS
    - Support for group membership (subgroups, multiple inheritance, ...), "forced" groups (i.e. for negative permissions), roles (admin, student, ...) and capabilities (free-form string)
  - Essentially a front-end to an RDBMS
    - user client: queries the server for authorization info
    - user server: returns authorization info to the client
    - administration client: used by VO administrators for management
    - administration server: executes client update operations on the DB
    - transition tool: interface to mkgridmap++ (see below)
  - All client-server communications are secured and authenticated
  - Authorization info is processed by the gatekeeper
    - full functionality of VOMS achieved via LCAS/LCMAPS plug-ins (see below)

9 VOMS overview (diagram)
Labels recoverable from the figure: clients voms-proxy-init, mkgridmap, Perl CLI, Java GUI and browser; transports GSI, https, http and soap; servers vomsd, voms-httpd (Apache & mod_ssl) and the VOMS impl servlet (Tomcat & java-sec, axis); database access via DBI and JDBC to the DB.

10 DB Structure (simplified)
Tables:
  users:        uid, dn, ca, ...
  groups:       gid, dn, aclid
  roles:        rid, dn
  capabilities: cid, dn
  CA:           caid, dn
  acl:          aclid, principal, operation, allow/deny
  m (many-to-many membership): user, group, role, capability

11 VOMS Operations
(diagram labels: Query, Authentication, Request, Auth DB; the client's proxy C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy carrying the VOMS pseudo-cert)
1. Mutual authentication client-server
   - secure communication channel via the standard Globus API
2. Client sends request to the server
3. Server checks correctness of the request
4. Server sends back the required info (signed by itself) in a "Pseudo-Certificate"
5. Client checks the validity of the info received
6. Client repeats the process for other VOMS servers
7. Client creates a proxy certificate containing all the info received in a (non-critical) extension
8. Client may add user-supplied authorization info (Kerberos tickets, etc.)

12 Pseudo-Certificate Format
  /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it   (user's identity)
  /C=IT/O=INFN/CN=INFN CA                                                             (user's CA)
  /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it       (server identity)
  /C=IT/O=INFN/CN=INFN CA                                                             (server's CA)
  VO: CMS                                                                             (user's info)
  URI: http://vomscms.cern.ch
  TIME1: 020710134823Z
  TIME2: 020711134822Z
  GROUP: montecarlo
  ROLE: administrator
  CAP: "100 GB disk"
  SIGNATURE: ......... (binary, rendered as garbage on the slide)
- The pseudo-cert is inserted in a non-critical extension of the user's proxy
  - OID 1.3.6.1.4.1.8005.100.100.1
- It will become an Attribute Certificate
- One for each VOMS server contacted
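
The following is an added example, not VOMS or EDG code: a Python parser for a pseudo-certificate laid out as on the slide, followed by the checks a site should make before acting on the attributes. The holder check (first DN equal to the proxy's end-entity subject, after stripping the /CN=proxy components) stops attributes from one user's pseudo-cert being replayed inside another user's proxy; the issuer check requires the server DN and CA to be the pair the site trusts for that VO (what a site keeps in its vomsdir); the TIME1/TIME2 check applies the validity window. The text layout, the YYMMDDHHMMSSZ time format and the constructed SIGNATURE placeholder are assumptions taken from the slide, and the signature itself is not verified here because that needs the VOMS server's certificate.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample in the layout of slide 12; the SIGNATURE value is a
# placeholder, not real signature bytes.
SAMPLE_PSEUDO_CERT = """
/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it
/C=IT/O=INFN/CN=INFN CA
/C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it
/C=IT/O=INFN/CN=INFN CA
VO: CMS
URI: http://vomscms.cern.ch
TIME1: 020710134823Z
TIME2: 020711134822Z
GROUP: montecarlo
ROLE: administrator
CAP: "100 GB disk"
SIGNATURE: <placeholder>
"""


@dataclass
class PseudoCert:
    user_dn: str          # holder; must equal the proxy's end-entity subject
    user_ca: str
    server_dn: str        # issuing VOMS server; must be trusted for this VO
    server_ca: str
    vo: str
    uri: str
    not_before: datetime
    not_after: datetime
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    caps: list = field(default_factory=list)
    signature: str = ""


def parse_voms_time(s):
    """TIME1/TIME2 as on the slide: YYMMDDHHMMSSZ, UTC (assumed format)."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_pseudo_cert(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 4 or not all(l.startswith("/") for l in lines[:4]):
        raise ValueError("expected four DN lines: user, user CA, server, server CA")
    single, multi = {}, {"GROUP": [], "ROLE": [], "CAP": []}
    for line in lines[4:]:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        key, value = key.strip(), value.strip()
        if key in multi:                      # repeatable attributes
            multi[key].append(value.strip('"'))
        else:
            single[key] = value
    missing = [k for k in ("VO", "URI", "TIME1", "TIME2", "SIGNATURE") if k not in single]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return PseudoCert(*lines[:4], single["VO"], single["URI"],
                      parse_voms_time(single["TIME1"]), parse_voms_time(single["TIME2"]),
                      multi["GROUP"], multi["ROLE"], multi["CAP"], single["SIGNATURE"])


_PROXY_CN = re.compile(r"/CN=(?:proxy|limited proxy)$")


def end_entity_dn(proxy_subject):
    """Strip the trailing /CN=proxy components GSI appends per delegation level."""
    while _PROXY_CN.search(proxy_subject):
        proxy_subject = _PROXY_CN.sub("", proxy_subject)
    return proxy_subject


def check_pseudo_cert(pc, proxy_subject, trusted_servers, now):
    """Site-side checks before the attributes are used for any mapping.

    trusted_servers maps a VO name to the (server DN, server CA DN) the site
    trusts for it.  Returns the list of problems found; an empty list means
    the attributes may be used.  The signature is not verified here.
    """
    problems = []
    if end_entity_dn(proxy_subject) != pc.user_dn:
        problems.append("holder mismatch: pseudo-cert was issued to a different DN")
    if trusted_servers.get(pc.vo) != (pc.server_dn, pc.server_ca):
        problems.append(f"VOMS server {pc.server_dn} is not trusted for VO {pc.vo}")
    if pc.not_before > pc.not_after:
        problems.append("validity window is inverted")
    elif not pc.not_before <= now <= pc.not_after:
        problems.append("pseudo-cert is outside its validity window")
    return problems
```

A gatekeeper would run these checks once per pseudo-cert found in the proxy chain (one per VOMS server contacted, as the slide says) and discard the whole proxy if any of them fails, rather than using the attributes that happen to pass.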

13 Authorization (diagram)
Labels recoverable from the figure: User; VOMS service; authenticate; dn; dn + attrs; authr, map, pre-proc, ACL; LCAS, LCMAPS.
Java side: coarse-grained, e.g. Spitfire service; fine-grained, e.g. RepMeC.
C side: coarse-grained, e.g. CE, Gatekeeper (LCAS and LCMAPS); fine-grained, e.g. SE, /grid.

14 Spitfire
- Provides uniform access to various implementations of database back ends via a grid-enabled front end
  - SOAP interface
  - JDBC interface to the RDBMS
- TrustManager: certificate validator for Java services
  - permits (mutual) secure client-server authentication
  - supports X.509 certificates and CRLs
- Support for connections via HTTP(S) using the GSI certificate for authentication
- Role-based authorization
  - support for authorization info provided by VOMS

15 Local Site Authorization Services
- Local Centre Authorization Service (LCAS)
  - Handles authorization requests to the local fabric
    - authorization decisions based on the user's proxy certificate and the job specification
    - supports the grid-mapfile mechanism
  - Plug-in framework (hooks for external authorization plug-ins)
    - allowed users (grid-mapfile or allowed_users.db)
    - banned users (ban_users.db)
    - available timeslots (timeslots.db)
    - plug-in for VOMS (to process authorization data)
- Local Credential Mapping Service (LCMAPS)
  - Provides the local credentials needed for jobs in the fabric
  - Plug-in framework, driven by a comprehensive policy language
  - Mapping based on user identity, VO affiliation, site-local policy
  - Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5
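
As an added example (not LCAS code), the following Python runs an LCAS-style plug-in chain over constructed site data: an allowed list in grid-mapfile syntax (quoted subject, whitespace, local account; as on slide 6), a ban list, and a timeslot table. Every plug-in must succeed for the request to be authorized, and the first one that fails names the reason. The grid-mapfile parsing follows the format shown on slide 6; the one-quoted-subject-per-line ban list and the "Mon-Fri 08:00-20:00" timeslot syntax are assumptions made for this example, not the syntax of ban_users.db or timeslots.db.

```python
import shlex
from datetime import datetime

# Constructed site tables.  A leading "." on the account names a pool.
ALLOWED_USERS = '''
"/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/Email=roberto.alfieri@pr.infn.it" alfieri
"/C=IT/O=INFN/L=Parma/CN=Fabio Spataro/Email=fabio.spataro@pr.infn.it" spataro
"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla" .cms
'''
BANNED_USERS = '''
# one quoted subject per line (assumed format)
"/C=IT/O=INFN/L=Parma/CN=Fabio Spataro/Email=fabio.spataro@pr.infn.it"
'''
# Assumed format: <weekday or weekday range> <HH:MM>-<HH:MM>, bounds inclusive.
TIMESLOTS = '''
Mon-Fri 08:00-20:00
Sat 00:00-23:59
'''
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_gridmap(text):
    """grid-mapfile lines: a quoted subject, whitespace, a local account name."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)         # shlex keeps the quoted subject together
        if len(parts) < 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        table[parts[0]] = parts[1]
    return table


def parse_banlist(text):
    return {shlex.split(l)[0] for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def parse_timeslots(text):
    slots = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        days, window = line.split()
        first, _, last = days.partition("-")
        start, end = window.split("-")
        slots.append((DAYS.index(first), DAYS.index(last or first),
                      _minutes(start), _minutes(end)))
    return slots


def in_timeslot(slots, when):
    wd, minute = when.weekday(), when.hour * 60 + when.minute
    for d0, d1, start, end in slots:
        day_ok = d0 <= wd <= d1 if d0 <= d1 else (wd >= d0 or wd <= d1)  # wrap, e.g. Fri-Mon
        if day_ok and start <= minute <= end:
            return True
    return False


def lcas_authorize(subject, when, allowed, banned, slots):
    """Run the plug-ins in order; all must succeed, the first failure is the reason."""
    plugins = [
        ("allowed_users", lambda: subject in allowed),
        ("ban_users", lambda: subject not in banned),
        ("timeslots", lambda: in_timeslot(slots, when)),
    ]
    for name, check in plugins:
        if not check():
            return False, f"denied by {name}"
    return True, "authorized"


def decide(subject, when_iso):
    """Convenience wrapper over the constructed tables; when_iso like '2003-03-12T10:00'."""
    return lcas_authorize(subject, datetime.fromisoformat(when_iso),
                          parse_gridmap(ALLOWED_USERS), parse_banlist(BANNED_USERS),
                          parse_timeslots(TIMESLOTS))
```

The ban check runs after the allowed check on purpose: a subject that is both listed and banned must still be refused, which is what a site wants when a user is temporarily blocked without touching the grid-mapfile.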

16 EDG Gatekeeper (release 2.1) (diagram)
Labels recoverable from the figure: "Ye Olde Gatekeeper" with GSI AuthN (accept TLS auth), assist_gridmap and Jobmanager-*; the EDG Gatekeeper adds an LCAS authZ call-out (allowed, timeslot, banned, policy) fed with the user's proxy (C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) and its VOMS pseudo-cert, and LCMAPS ("open, learn, & run: ... and return legacy uid"), before the Job Manager is started (fork+exec with args, submit script).

17 LCMAPS – requirements
- Backward compatible with existing systems (grid-mapfile, k5cert)
- Support for multiple VOs per user (and thus multiple UNIX groups)
- Minimum system administration
  - pool accounts
  - pool "groups"
  - understandable configuration
- Extensible
- Boundary conditions
  - has to run in privileged mode
  - has to run in the process space of the incoming connection (for fork jobs)

18 LCMAPS – control flow
- User authenticates using a (VOMS) proxy
- LCMAPS library invoked
  - acquire all relevant credentials
  - enforce "external" credentials
  - enforce credentials on the current process tree at the end
- Run job manager
  - fork will be OK by default
  - batch systems may need the primary group explicitly
  - batch systems will need updated (distributed) UNIX account info
- Order and function: policy-based
(diagram labels: GK, LCMAPS Credential Acquisition & Enforcement, CREDs, Job Mngr)

19 LCMAPS – plugin introspection
- The framework is tolerant of new module functionality, and vice versa
- Invocation and argument list for modules are discovered via the "introspection API"
- Different modules can support different interfaces
- Modules from multiple generations can be "mixed"
- An "old" framework will work with "bleeding-edge" modules
- See apidoc for more details...

20 LCMAPS – modules
- Modules represent atomic functionality: (A) = credential acquisition, (E) = credential enforcement
- VOMS: from role info and a local mapfile, assign a gid (A)
- PoolAccounts: from a username, assign a unique uid (A)
- PoolGroups: from a (VOMS) group name, assign a unique gid (A)
- LocalAccount: from a username, assign a locally existing unique uid (A)
- AFS/Krb5: get a token based on the user's DN info (A)
- POSIX: process setuid() and setegid() (E)
- POSIX LDAP: update the distributed user database (E)
- Krb5: run the job via k5cert (E)
- ...

21 LCMAPS – policy evaluation
- State machine approach (a superset of boolean expressions)
- (diagram: evaluation graph with nodes VOMS-group, LocalAccount, PoolAccount, LDAP, POSIX and the outcomes TRUE / FALSE)
- Policy description file: each rule "a -> b | c" runs module a and continues with b if it succeeds and with c if it fails; a rule without "| c" fails the policy when a fails
    path = /opt/edg/lib/lcmaps/modules
    localaccount = "lcmaps_localaccount.mod \
                    -gridmapfile /etc/grid-security/grid-mapfile"
    poolaccount = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
    posix_enf = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
    voms = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates \
            -certdir /etc/grid-security/certificates"

    standard:
    voms -> poolaccount | localaccount
    localaccount -> posix_enf
    poolaccount -> posix_enf
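
The following is an added example, not LCMAPS code: a Python evaluator for the policy file above, with stand-in modules for the four plug-ins it names. The evaluator assumes the rule semantics stated on the slide ("a -> b | c": continue with b on success, with c on failure; no failure branch means the policy fails; a module without a rule is terminal and its result is the policy result) and that evaluation starts at the first rule of the named policy. The modules operate on a shared credential context instead of the real process: the voms module maps (VO, group) pairs to gids, the poolaccount module leases an account from a pool and keeps the lease sticky per subject (as a gridmapdir would), the localaccount module consults a static grid-mapfile table, and the posix module checks the -maxuid/-maxsgid limits and records the uid/gids it would enforce. The grid-mapfile table, the pools, the gid table and the "path" entry being ignored are all constructed assumptions.

```python
import shlex

# The policy file from the slide, used verbatim as parser input (the slide's
# backslash line continuations are joined here).
LCMAPS_DB = '''
path = /opt/edg/lib/lcmaps/modules
localaccount = "lcmaps_localaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
poolaccount = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
posix_enf = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
voms = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates -certdir /etc/grid-security/certificates"

standard:
voms -> poolaccount | localaccount
localaccount -> posix_enf
poolaccount -> posix_enf
'''

# Constructed site state standing in for the grid-mapfile, passwd and the
# gridmapdir that records pool-account leases.  A leading "." marks a pool.
GRIDMAP = {"/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri": "alfieri",
           "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla": ".cms"}
LOCAL_ACCOUNTS = {"alfieri": (1001, 100)}                        # name -> (uid, gid)
POOLS = {".cms": [("cms001", 7001, 7000), ("cms002", 7002, 7000)]}
VOMS_GROUP_GIDS = {("CMS", "montecarlo"): 5001}                  # (VO, group) -> gid
LEASES = {}                                                      # subject -> pool entry

def parse_lcmaps_db(text):
    """Return (modules {name: argv}, policies {name: [(module, on_ok, on_fail)]})."""
    modules, policies, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):                       # start of a named policy
            current = line[:-1]
            policies[current] = []
        elif "->" in line:                           # a -> b | c
            if current is None:
                raise ValueError(f"rule outside a policy: {line!r}")
            lhs, rhs = (s.strip() for s in line.split("->", 1))
            ok, _, fail = (s.strip() for s in rhs.partition("|"))
            policies[current].append((lhs, ok, fail or None))
        else:                                        # name = "module.mod args..."
            name, _, value = (s.strip() for s in line.partition("="))
            modules[name] = shlex.split(value.strip('"'))
    return modules, policies

def opt(args, flag, default):
    """Value following '-flag' in a plug-in's argument list."""
    return args[args.index(flag) + 1] if flag in args else default

# Stand-ins for the .mod plug-ins: acquisition modules add uids/gids to the
# context, the enforcement module applies them (here: records them).
def mod_voms(args, ctx):
    attrs = ctx.get("voms_attrs")
    if not attrs:
        return False
    keys = [(attrs["vo"], g) for g in attrs["groups"]]
    gids = [VOMS_GROUP_GIDS[k] for k in keys if k in VOMS_GROUP_GIDS]
    if not gids:
        return False
    ctx.setdefault("gids", []).extend(gids)
    return True

def mod_localaccount(args, ctx):
    name = GRIDMAP.get(ctx["dn"])
    if name is None or name.startswith(".") or name not in LOCAL_ACCOUNTS:
        return False
    uid, gid = LOCAL_ACCOUNTS[name]
    ctx.setdefault("uids", []).append(uid)
    ctx.setdefault("gids", []).append(gid)
    return True

def mod_poolaccount(args, ctx):
    pool = GRIDMAP.get(ctx["dn"])
    if pool is None or not pool.startswith("."):
        return False
    lease = LEASES.get(ctx["dn"])                    # same subject keeps its account
    if lease is None:
        taken = {entry[0] for entry in LEASES.values()}
        free = [e for e in POOLS.get(pool, []) if e[0] not in taken]
        if not free:
            return False
        lease = LEASES[ctx["dn"]] = free[0]
    ctx["account"], uid, gid = lease
    ctx.setdefault("uids", []).append(uid)
    ctx.setdefault("gids", []).append(gid)
    return True

def mod_posix(args, ctx):
    uids, gids = ctx.get("uids", []), ctx.get("gids", [])
    if not uids or not gids or len(uids) > int(opt(args, "-maxuid", 1)):
        return False
    ctx["enforced"] = {"uid": uids[0], "pgid": gids[0],
                       "sgids": gids[1:1 + int(opt(args, "-maxsgid", 32))]}
    return True

REGISTRY = {"lcmaps_voms.mod": mod_voms, "lcmaps_localaccount.mod": mod_localaccount,
            "lcmaps_poolaccount.mod": mod_poolaccount, "lcmaps_posix.mod": mod_posix}

def run_policy(db_text, policy, dn, voms_attrs=None):
    """Evaluate one policy: returns (success, trace of (module, result), context)."""
    modules, policies = parse_lcmaps_db(db_text)
    rules = {m: (ok, fail) for m, ok, fail in policies[policy]}
    ctx, trace = {"dn": dn, "voms_attrs": voms_attrs}, []
    current = policies[policy][0][0]                 # evaluation starts at the first rule
    for _ in range(len(modules) + 1):                # more steps than modules means a cycle
        argv = modules[current]
        result = REGISTRY[argv[0]](argv[1:], ctx)
        trace.append((current, result))
        nxt = rules.get(current, (None, None))[0 if result else 1]
        if nxt is None:                              # terminal: the module's result decides
            return result, trace, ctx
        current = nxt
    raise RuntimeError(f"policy {policy} does not terminate")
```

With the slide's policy, a subject whose grid-mapfile entry is a pool is only mapped when its VOMS attributes are present and recognised: without them the voms module fails, the failure branch runs localaccount, and localaccount refuses pool entries, so the policy ends in failure rather than handing out an account from the pool.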

22 LCMAPS – invocation and running
TBD

23 LCMAPS – enabling new functionality
- Local UNIX groups based on VOMS group membership and roles
- More than one VO/group per grid user
- No pre-allocation of pool accounts to specific groups
- New mechanisms:
  - groups-on-demand
  - central user directories (nss_LDAP, pam-ldap)
- Why do we (still) need LCAS:
  - centralized decisions on authorized users (like at FNAL)
  - coordinated access control across multiple CEs
  - (and it saves on expensive account allocation mechanisms in LCMAPS)

24 Status and Future Works
- LCAS was in release 1.4.x and is currently used
- VOMS release delayed till after 2.0.0
- Unit deployment of VOMS (client/server, admin, mkgridmap++) in Feb. '03
- LCMAPS release foreseen for $DATE (see status talk)
Work in progress
- VOMS
  - pseudo-certificates will be substituted by true Attribute Certificates (RFC 3281)
  - support for time-cyclic/time-bound permissions and roles
  - database replication
- LCAS/LCMAPS
  - framework ready, evolution manager ready, doc & apidoc available
  - completed plug-ins: localaccount, poolaccount, POSIX
  - in development (various stages): VOMS, AFS/Krb5, PoolGroups, LDAP

25 mkgridmap++
- Need for a tool for the transition to the LCAS/LCMAPS mechanism
- VOMS and VO-LDAP can and MUST coexist
  - VOMS can also be used for grid-mapfile generation
  - new directive in the config file
- New feature
  - authenticated access to VOMS (not LDAP) servers over https, to restrict the clients allowed to download the list of VO members
(diagram labels: mkgridmap++ with "group ldap://…" entries from VO-LDAP and "group https://…" entries from VOMS (restricted access), producing the grid-mapfile for the CE)

26 More Information
EDG Security Coordination Group
  Web site: http://hep-project-gris-scg.web.cern.ch/
VOMS
  Web site: http://grid-auth.infn.it/
  CVS site: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/
  Developers' mailing list: sec-grid@infn.it
LCAS-LCMAPS
  Web site: http://www.dutchgrid.nl/DataGrid/wp4/
  CVS sites: http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/
             http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
  Mailing list: hep-proj-grid-fabric-gridify@cern.ch
Spitfire
  Web site: http://spitfire.web.cern.ch/Spitfire/

27 Related Works
- CAS (Globus Team)
  - proxy generated by the CAS server, not by the user (difficult traceability)
  - proxy not backward compatible
  - attributes are permissions (resource access controlled by the VO)
- PERMIS (Salford Univ., England)
  - ACs stored in a repository at the local site
  - good policy engine
  - VOMS complementary (flexible VOMS AC + PERMIS policy engine)
- Akenti (US Gov.)
  - targets web sites, not an easy migration to a VO environment

