Presentation is loading. Please wait.

Presentation is loading. Please wait.

EDG Security European DataGrid Project Security Coordination Group

Published byBarbara Hodges Modified over 8 years ago

Similar presentations

Presentation on theme: "EDG Security European DataGrid Project Security Coordination Group"— Presentation transcript:

1 EDG Security European DataGrid Project Security Coordination Group http://cern.ch/hep-project-grid-scg

2 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 2 Overview  How it works – EDG security through use cases  VO Management Service  Authentication and Authorization components

3 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 3 Registration user user cert (long life ) VO-VOMS CA low frequency high frequency registration newconfirmedaccepteddone VO membership request (user) email address confirmation (user) allow create email to the requestor: email address confirmation email to the administrator: new request notification denied deny email to the requestor: request is accepted/denied (VO admin) web email Tool support for the registration workflow(s) to ease the life of VO managers.

4 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 4 Multi-VO registration VO-VOMS user user cert (long life ) VO-VOMS CA low frequency high frequency registration VO administration operations u create/delete (sub)group/role/capability u add/remove member of g/r/c u get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member Support for multi-VO registration and login using the same user certificate.

5 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 5 “Login” user user cert (long life ) VO-VOMS CA low frequency high frequency authz cert (short life) proxy cert (short life) voms-proxy-init edg-voms-proxy-init -voms iteam u /tmp/x509_up (normal proxy location) u backward compatible proxy format The credential created in the “login” procedure is backward compatible: one can use it with the existing services, which are based on GSI

6 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 6 Multi-VO “Login” VO-VOMS user user cert (long life ) VO-VOMS CA low frequency high frequency authz cert (short life) proxy cert (short life) voms-proxy-init voms-proxy-init -voms iteam -voms wp6 u single proxy certificate is generated u each VO provides a separate VOMS credential first one is the default VO u each VOMS credential contains multiple group/role entries first one is the default group One can be member of many VOs and use their resources at the same time. The VO specific credentials are separate, but collected into the same proxy certificate.

7 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 7 Old-style Service VO-VOMS service VO-VOMS CA low frequency high frequency host cert (long life ) crl update gridmap-file mkgridmap Old-style services still use the gridmap-file for authorization u gridftp u EDG 1.4.x services u EDG 2.x service in compatibility mode no advantage, but everything works as before... GSI Backward compatibility on the service side: one can generate gridmap- files from the VO userlist for existing services based on GSI.

8 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 8 Replica Management user RM authentication & authorization info user cert low frequency high frequency host cert proxy authz VO information system 1. VO affiliation edg-java- security 2. service URI(s) for VOs in authz? 3. calling the service (URI) VO credential on the client side is used to select the VO specific service. VO credential on the server side is used for authorization.

9 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 9 Job Submission user CE user cert low frequency high frequency host cert proxy authz VO information system 1. VO affiliation ( AccessControlBase) 4. CEs for VOs in authz? 3. job submission MyProxy server WMS 2. cert upload VO credential is used by the resource broker to pre-select available CEs.

10 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 10 MyProxy server Running a Job CE cert (long term) host cert proxy authz VO WMS 1. cert download LCAS/ LCMAPS authentication & authorization info 2. job start LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups u default VO = default UNIX group u other VO/group/role = other UNIX group(s) voms-proxy-init VO credential for authorization and mapping on the CE.

11 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 11 Virtual Organization Management Service  Issues credentials to prove group/role/VO membership n standard RFC 3281 Attribute Certificate format n single string attributes – FQAN  Core service: standalone daemon for the “login” n single purpose – high performance  Administrative service: web service with API, command line and web user interface n for administration and registration  Migration tools for gridmap-files and VO-LDAP servers

12 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 12 VOMS FAQ  No instant effect: the user has to “log-in”, using voms-proxy- init, to be notified of any VO change  Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group-admin); no user groups  Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner no to override it  VOMS is not used to implement fine grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration)

13 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 13 VOMS migration plan VO-LDAPVOMS userservice proxy gridmap-file edg-mkgridmap voms-ldap-sync grid-proxy-init phase 0. VO-LDAPVOMS userservice proxy (voms) gridmap-file edg-mkgridmap ldap-voms-sync voms-proxy-init phase 2. VO-LDAPVOMS userservice proxy gridmap-file edg-mkgridmap voms-ldap-sync grid-proxy-init phase 1. VOMS userservice gridmap-file voms-proxy-init phase 3. proxy (voms) testing the VOMS serversuser management on VOMS compatibility mode: mixed servicesfully migrated: only VOMS aware services

14 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 14 Auth/Authz in Services  GSI based or compatible authentication  grid-mapfile or VOMS based authorization (can be both)  policy or ACL based access control n coarse and fine grained solutions n access control description’s syntax is not standard  implemented alternatives: n edg-java-security for Java web services n GSI/LCAS/LCMAPS for native C/C++ services n mod_ssl/GACL for Apache based web services n Slashgrid for transparent filesystem ACLs and GridSite

15 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 15 Overview of the Components MyProxy user CA certificate: dn, ca, Pkey proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime) TrustManager doit pre-process: parameters-> obj.id + req. op. obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth WebServices Authz dn,attrs,acl, req.op ->yes/no doit auth authz map dn -> DB role TrustManager LCMAPS dn -> userid, krb ticket GSI LCAS dn,attrs,acl, req.op ->yes/no doit auth authz map GSI doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth coarse grained (e.g. Spitfire) coarse grained (e.g. gatekeeper) fine grained (e.g. RepMec) fine grained (e.g. SE, /grid) Java proxy cert mod_ssl doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth C web fine grained (e.g. GridSite) proxy cert VOMS VOMS cred: VO, group(s), role(s) certificate proxy cert delegation: cert+key (long lifetime) delegation: cert+key (short lifetime) re-newal request

16 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 16  Local Centre Authorization Service (LCAS) n Handles authorization requests to local fabric s authorization decisions based on proxy user certificate and job specification; s supports grid-mapfile mechanism. n Plug-in framework (hooks for external authorization plugins) s allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db), GACL s plugin for VOMS (to process authorization data)  Local Credential Mapping Service (LCMAPS) n provides local credentials needed for jobs in fabric n mapping based on user identity, VO affiliation, local site policy n plug-ins for local systems (Kerberos/AFS, LDAP nss) Local Site Authorization

17 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 17 edg-java-security  Trust manager n GSI compatible authentication (supporting proxy chain) n Adapters to HTTP and SOAP n Currently deployed for Tomcat4 n VOMS credential verification  Authorization Manager n Authorization and mapping for Java services n Plug-in framework for maps: database, XML file and for backward compatibility: gridmap-file n Handles VOMS attributes

18 2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 18 More Information  European DataGrid Project Security Coordination Group http://cern.ch/hep-project-grid-scghttp://cern.ch/hep-project-grid-scg  LCAS/LCMAPS homepage http://www.dutchgrid.nl/DataGrid/wp4/lcas/ http://www.dutchgrid.nl/DataGrid/wp4/lcas/  Java Security http://cern.ch/grid-data-management/security/ http://cern.ch/grid-data-management/security/  GridSite http://www.gridpp.ac.uk/gridsite/ http://www.gridpp.ac.uk/gridsite/  VOMS http://grid-auth.infn.it/ http://cern.ch/edg-wp2/security/voms http://grid-auth.infn.it/ http://cern.ch/edg-wp2/security/voms  Akos.Frohner@cern.ch Akos.Frohner@cern.ch

Download ppt "EDG Security European DataGrid Project Security Coordination Group"

Similar presentations

Demonstrations at PRAGMA 13 10 demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.

Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and.

DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Similar presentations

Ads by Google