Presentation is loading. Please wait.

Presentation is loading. Please wait.

DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and."— Presentation transcript:

1 DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and LCMAPS David Groep, NIKHEF davidg@nikhef.nl EDG Security Coordination A. Frohner – CERN D. Kouril - CESNET F. Bonnassieux - CNRS R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, A. Gianoli, F. Spataro - INFN O. Mulmo – KDC D.L. Groep, M. Steenbakkers, W. Som de Cerff, O. Koeroo, G. Venekamp – NIKHEF L. Cornwall, D. Kelsey, J. Jensen – RAL A. McNab – University of Manchester P. Broadfoot, G. Lowe – University of Oxford http://hep-project-grid-scg.web.cern.ch/

2 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 2 Talk Outline u Introduction u Authorization requirements u VO Membership Service u Java Security for Hosted Environments u Native Mechanisms (LCAS, LCMAPS) u Conclusions

3 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 3 Authentication – only the first step u EDG security infrastructure based on X.509 certificates (PKI) u Authentication n Needs “trusted third parties”: 16 national certification authorities n Policies and procedures  mutual thrust n Users identified with “identity” certificates signed by a national CA See also next talk by Dave Kelsey… u Authorization n Several entities involved s Resource Providers (e.g. computer centres, storage providers, NRENs) s Virtual Organizations (e.g. LHC experiments collaborations) n Cannot decide Authorization for grid users only on local site basis

4 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 4 User’s Authorization in Globus user service grid-mapfile authentication info user cert (long life ) proxy cert (short life ) CA crl update low frequency high frequency host cert (long life ) grid-proxy-init

5 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 5 User’s Authorization in EDG 1.4.x VO-LDAP user service grid-mapfile authentication info user cert (long life ) proxy cert (short life ) VO-LDAP CA mkgridmap crl update low frequency high frequency host cert (long life ) registration grid-proxy-init

6 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 6 VOMS Overview u Provides info about the user’s relationship with his VO(’s) n groups, “compulsory” groups, roles (admin, student,...), capabilities (free form string), temporal bounds u Features n single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init); n expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself); n backward compatibility: the extra VO related information is in the user’s proxy certificate, which can be still used with non VOMS-aware services; n multiple VO’s: the user may authenticate himself with multiple VO’s and create an aggregate proxy certificate; n security: all client-server communications are secured and authenticated.

7 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 7 User’s Authorization in EDG 2.x VO-VOMS user service authentication & authorization info user cert (long life ) VO-VOMS CA low frequency high frequency host cert (long life ) authz cert (short life) proxy cert (short life) voms-proxy-init crl update registration service cert (short life) authz cert (short life) registration LCAS LCMAPS edg-java-security

8 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 8 Pseudo-Certificate Format /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it /C= IT/O=INFN/CN=INFN CA Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it /C=IT/O=INFN/OU=gatekeeper/L=PR /CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it /C=IT/O=INFN/CN=INFN CA VO: CMS URI: http://vomscms.cern.ch TIME1: 020710134823Z TIME2: 020711134822Z GROUP: montecarlo ROLE: administrator CAP: “100 GB disk” SIGNATURE:.........L...B]....3H.......=".h.r...;C'..S......o.g.=.n8S'x..\..A~.t5....90'Q.V.I..../.Z*V*{.e.RP.....X.r.......qEbb...A... u The pseudo-cert is inserted in a non- critical extension of the user’s proxy n 1.3.6.1.4.1.8005.100.100.1 u It will become an Attribute Certificate u One for each VOMS Server contacted user’s identity server identity user’s info

9 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 9 VOMS Architecture DB JDBC GSI https Tomcat & java-sec axis VOMS impl servlet vomsd Perl CLI Web interface voms-proxy-init mkgridmap Apache & mod_ssl voms-httpd DBI https VOMS server soap + SSL MySQL db – with history and audit records u User query server and client (C++) u Java Web Service based administration interface n Perl client (batch processing) n Web browser client (generic administrative tasks) u Web server interface for mkgridmap

10 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 10 Authorization User VOMSservice authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire service dn dn + attrs Fine-grained e.g. RepMeC Coarse-grained e.g. CE, Gatekeeper Fine-grained e.g. SE, /grid Java C authenticate ACL

11 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 11 Authorization for Web Services u Java TrustManager can secure both web sites and web services u Based on Apache Tomcat Catalina servlet container n SOAP client, as an extension of the Axis SocketFactoryFactory n HTTP client, as an API that creates HTTPS connections. u Authorization Mngr gives attributes based on userDN and VOMS extensions u For web services n Service uses proxy of host u For browser interaction n Must use long-lived host cert to be TLS compliant

12 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 12 Services secured by EDG-Java-Sec u Spitfire uniform access to SQL database services (MySQL, DB/2, Oracle) u Replica Location Service, RepMeC, Giggle – metadata and replica information services u VOMS server u R-GMA Relational Grid Monitoring Architecture – Information System u Basis for new OGSA/WebServices components

13 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 13 Authorization for Native Environments u All systems for running Grid jobs and storing files are UNIX based u Need for interface between Grid rights and local rights u Two-phase process n Authorization of users: LCAS n Acquiring and enforcing local ( UNIX -style) credentials: LCMAPS u Why the split? n Authorization decisions may be applied for more than single resources n Credential mapping may be time-consuming and “heavy” n Internal service security credential mapping needs root privileges, authorization can do without

14 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 14 LCAS: Local Centre AuthZ Service C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy VOMS pseudo- cert Gate Keeper exec=/bin/cat arguments=/etc/passwd Gate Keeper GridFTP Server LCAS Service Job Manager Node Authorization using: Authentication + VO data Job description Site policy other clusters Plug-in framework currently shipping modules Allowed-users list Banned-users list wall-clock limitations

15 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 15 LCMAPS – Local Credential MAPping u Provides local credentials needed for jobs within the fabric u Plug-in framework, driven by (site specific) policy u Mapping based n user identity n VO affiliation, groups and roles n site-local policy u Supports multiple credential types: n Traditional POSIX: in-process & LDAP, via fixed or PoolAccounts* n AFS tokens n true Kerberos5 C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy VOM S pseu do- cert Job Manager fork+exec args, submit script LCMAPS open, learn, &run: … and return legacy uid LCAS authZ call out GSI AuthN accept

16 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 16 LCMAPS – new functionality u Local UNIX groups based on VOMS group membership and roles u More than one VO and group/role per grid user u No pre-allocation of pool accounts to specific groups u New mechanisms: n groups-on-demand n support for central user directories (primarily LDAP ) u Why do we continue to need LCAS? n Centralized site decisions on authorized users for multiple fabrics n Coordinated access control across multiple CEs and SEs n (and save on ‘expensive’ account allocation mechanisms in LCMAPS)

17 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 17 Conclusions u EDG provides extensive Grid authorization infrastructure today n LCAS* and Java-security already deployed n VOMS and LCMAPS ready for deployment (confirmed for June ’03) n Updates for various services in October ’03 User Side u Support for large, fast-changing user community u Roles and groups within the experiment VOs u Multiple affiliations and roles per user Resource Side u Minimal effort on resource provider side u More smooth integration in Grid computing at large u Retains tracability and auditability at all levels

18 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 18 More Information EDG Security Coordination Group Web site http://hep-project-grid-scg.web.cern.ch/http://hep-project-grid-scg.web.cern.ch/ VOMS Web site http://grid-auth.infn.it/http://grid-auth.infn.it/ CVS site http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/ Developers’ mailing list sec-grid@infn.itsec-grid@infn.it PoolAccounts Web sitehttp://www.gridpp.ac.uk/authz/gridmapdir/ LCAS-LCMAPS Web site http://www.dutchgrid.nl/DataGrid/wp4/http://www.dutchgrid.nl/DataGrid/wp4/ CVS site http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/ http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/ Maillist hep-proj-grid-fabric-gridify@cern.chhep-proj-grid-fabric-gridify@cern.ch EDG Java Security Web site http://edg-wp2.web.cern.ch/edg-wp2/security/

19 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 19 Some Related Works u CAS (Globus Team) n Proxy generated by CAS server, not by user (no direct traceability) n Proxy not backward compatible n Attributes are permissions (resources access controlled by VO) u Permis (Salford Univ., England) n AC’s stored in a repository at the local site n Good policy engine n VOMS complementary (flexible VOMS AC + PERMIS pol. engine) u Akenti (US Gov.) n Target Web sites, not easy migration in a VO environment

20 HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 20 LCMAPS Site Policy and Preferences VOMS-group LocalAccount PoolAccount LDAP FALSE POSIX TRUE path = /opt/edg/lib/lcmaps/modules localaccount ="lcmaps_localaccount.mod \ -gridmapfile /etc/grid-security/grid-mapfile" poolaccount = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile" posix_enf = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32" voms = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates \ -certdir /etc/grid-security/certificates" standard: voms -> poolaccount | localaccount localaccount -> posix_enf poolaccount -> ldap ldap -> posix_enf

Download ppt "DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and."

Similar presentations

WP2: Data Management Gavin McCance University of Glasgow November 5, 2001.

WP2: Data Management Gavin McCance University of Glasgow November 5, 2001.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.

Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
NIKHEF grid meeting 1 December 2003 LCAS and LCMAPS David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp.

NIKHEF grid meeting 1 December 2003 LCAS and LCMAPS David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp.
DataGrid is a project funded by the European Union EDG Conference Barcelona 2003 – Title – n° 1 VOMS and LCMAPS on Global Permissions and Local Credentials.

DataGrid is a project funded by the European Union EDG Conference Barcelona 2003 – Title – n° 1 VOMS and LCMAPS on Global Permissions and Local Credentials.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
The VOMS System for Authorization Management inside Virtual Organizations Vincenzo Ciaschini INFN-CNAF GGF School Vico Equense, 22/7/2003.

The VOMS System for Authorization Management inside Virtual Organizations Vincenzo Ciaschini INFN-CNAF GGF School Vico Equense, 22/7/2003.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
GGF Toronto 19.02.02 Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues

Similar presentations

Ads by Google