Presentation is loading. Please wait.

Presentation is loading. Please wait.

2002-03-13Security in DataGrid1 Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF David Groep NIKHEF, Amsterdam based on a presentation by David Kelsey.

Published byAustin Lang Modified over 8 years ago

Similar presentations

Presentation on theme: "2002-03-13Security in DataGrid1 Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF David Groep NIKHEF, Amsterdam based on a presentation by David Kelsey."— Presentation transcript:

1 2002-03-13Security in DataGrid1 Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF David Groep NIKHEF, Amsterdam based on a presentation by David Kelsey CLRC/RAL, UK

2 2002-03-13Security in DataGrid2 The EU DataGrid DataGrid: generic Grid middleware and test bed for –High Energy Physics –Earth Observation and ozone modelling –Bio-informatics & bio-medicine Middleware components (on top of Globus): –scheduling and accounting –data replication and management –monitoring –data storage –fabric and farm management

3 2002-03-13Security in DataGrid3 No allocated effort, so groups distributed over WP’s: –CA Coordination (Test bed WP6) Started before the project (end 2000), well established –Ad-hoc Authorization (Test bed WP6) Interim solutions for distributing collaboration user lists and “virtual organization directories”. –Security Coordination (“Networking” WP7) Requirements gathering and design of a first “security architecture”. Definition of security guidelines for middleware development

4 2002-03-13Security in DataGrid4 Start with … Authentication

5 2002-03-13Security in DataGrid5 WP6 CACG 11 DataGrid Testbed1 CA’s –See WP6 web –Much effort to run these – growing number of cert requests –Several moving to OpenCA US DOE ScienceGrid CA –Operational since January 2002 –Approved as a DataGrid “trusted” CA (& vice-versa!) –First test of transatlantic authentication last month Karlsruhe CA (CrossGrid and HEP Germany) –To be incorporated later Seems to attract Grid CA issues that should have gone to GGF!

6 2002-03-13Security in DataGrid6 Authentication (2) One of the EDG CA’s (CNRS) acts as a “catch-all” CA –CP/CPS will get explicit statements about RA’s Matrix of Trust (work ongoing) – much work! –Feature matrix –Acceptance matrix (WP6 CA Mgrs check each other against min. requirements) BUT: Still another 7 CrossGrid countries with no CA And many other LHC countries Scaling problems! –Automate the feature checking –Continue to work with GGF in the GridCP group

7 2002-03-13Security in DataGrid7 Authentication (3) DataGrid CA Features matrix

8 2002-03-13Security in DataGrid8 CA Acceptance Matrix Detailed reports per CA Guidelines for “national” site admins To be done: – versioning of CP/CPS – invalidation after CP/CPS updates

9 2002-03-13Security in DataGrid9 And now … Authorisation

10 2002-03-13Security in DataGrid10 GSI – Grid map file Resource Authorization based on access lists Maps “Grid name” (cert subject DN) → local UID In effect after successful authentication triode:davidg:1002$ cat /etc/grid-security/grid-mapfile "/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg "/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn "/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon "/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/Email=Piergiorgio.Cerello@to.infn.it" aliprod

11 2002-03-13Security in DataGrid11 mkgridmap and VO’s Virtual Organizations (VOs) define user groups “ATLAS”, “LHCb”, “OzoneModelling”, … Directory with user lists maintained by VO admin Resource owners extract list from “allowed” VOs optional: AND with one other directory (AUP!) periodically generated (once per day)

12 2002-03-13Security in DataGrid12 grid-mapfile generation o=testbed, dc=eu-datagrid, dc=org CN=Franz Elmer ou=People CN=John Smith mkgridmap grid-mapfile VO Directory “Authorization Directory” CN=Mario Rossi o=xyz, dc=eu-datagrid, dc=org CN=Franz ElmerCN=John Smith Authentication Certificate ou=Peopleou=Testbed1ou=??? local usersban list

13 2002-03-13Security in DataGrid13 Entries in VO Directory VO Membership list dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: pkiUser sn: Barbera cn: Roberto Barbera mail: roberto.barbera@ct.infn.it labeledURI: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate (sub) groups dn: ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org objectClass: domain objectClass: organizationalUnit objectClass: groupofnames.. owner: cn=manager,o=lhcb,dc=eu-datagrid,dc=org VO administrators sub-group administrators

14 2002-03-13Security in DataGrid14 Authorisation WP6 Authorisation group (R. Cecchini – INFN) Future plans –Evaluation of CAS and PERMIS –Better VO Directory management; –Support of replicas of VO Directories; –Support for users’ attributes in the VO Directories: e.g. the AUP signing information (with expiration date...)

15 2002-03-13Security in DataGrid15 Authorisation (2) Globus Community Authorisation Server (CAS) –Long awaited! –Hot news – alpha release by end of next week PERMIS (http://www.permis.org) –EU funded project –Univ of Salford (UK) – member of SecureGrid –Policy-based Role-based (XML) Access control

16 2002-03-13Security in DataGrid16 Spitfire Security Mechanism Servlet Container SSLServletSocketFactory TrustManager Security Servlet Does user specify role? Map role to connection id Authorization Module HTTP + SSL Request + client certificate Yes Role Trusted CAs Is certificate signed by a trusted CA? No Has certificate been revoked? Revoked Certs repository Find default No Role repository Role ok? Connection mappings Translator Servlet RDBMS Request and connection ID Connection Pool

17 2002-03-13Security in DataGrid17 WP4 Subsystems and relationships (D4.2)

18 2002-03-13Security in DataGrid18 GridMapDir (WP6 - McNab) Account sharing mechanism for local UIDs Modifier version of GSI allows mapping to ‘account pools’ (à la DHCP) nice when VO directories are large and not all users go to all sites difficult to recycle accounts (files!) sucessfully deployed in EDG TB1

19 2002-03-13Security in DataGrid19 SlashGrid (WP6 - McNab) Framework for creating “Grid-aware” filesystems –different types of filesystem provided by dynamically loaded plugins. –Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/ certfs.so plugin provides local storage governed by Access Control Lists based on DN’s. Since most ACL’s would have just one entry, this is equivalent to file ownership by DN rather than UID. Also, a GridFTP plugin could provide secure replacement for NFS.

20 2002-03-13Security in DataGrid20 Authorisation issues We need more functionality –“Dynamic policy-based Access control” –Users with more than one allowed role –Move away from Unix uid based security (and grid mapfile) –Applicable to all Grid services (and callable from) Users may belong to multiple VO’s –Authorisation may need to be based on “joins” Global & Local authorisation mechanisms –need to negotiate policy – Global/VO/Local We should aim for a limited number of compatible authorisation mechanisms –Job for Architecture group and WP7 Security OGSA?

21 2002-03-13Security in DataGrid21 Security Architecture for EDG And now …

22 2002-03-13Security in DataGrid22 WP7 Security/D7.5 “Security Requirements and Testbed-1 Security Implementation” List of Requirements (now more than ~ 70) List of security functions Currently being discussed: –matching matrix requirements vs. function –see how much is already fulfilled in EDG TB1 –setting “realistic” goals for EDG (only 20 month to go!) Should be ready by mid April.

23 2002-03-13Security in DataGrid23 Future plans The EU review encouraged us to do more on security –It is already happening! WP6 CA group –continue Acceptance matrix and work with GGF WP6 Authorisation group –Test and evaluate CAS and PERMIS WP7Sec D7.6 (M25) “Security Design and TB2 report” Work going on in all middleware WP’s on security WP7Sec & Architecture group need to –Coordinate activities –Check that mechanisms are “secure”

Download ppt "2002-03-13Security in DataGrid1 Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF David Groep NIKHEF, Amsterdam based on a presentation by David Kelsey."

Similar presentations

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
Authorization Working Group Report WP6 Meeting 5 March 2002, Paris.

Authorization Working Group Report WP6 Meeting 5 March 2002, Paris.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
GGF Toronto 19.02.02 Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file www.gridpp.ac.uk grid “ping”

Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file grid “ping”
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

Similar presentations

Ads by Google