EDG Access Control and User Management (ie Local Authorisation and Accounts)
Andrew McNab, University of Manchester - 4 Dec 2002

Presentation transcript:

Slide 1 (title): EDG Access Control and User Management (ie Local Authorisation and Accounts)
Andrew McNab, University of Manchester, mcnab@hep.man.ac.uk - EDG Access Control - 4 Dec 2002

Slide 2: Outline (GridPP / EDG / WP6)
- EDG Testbed overview
- Sysadmins' issues
- Existing VO vs CAS
- Pool accounts
- SlashGrid
- Grid ACLs
- XML Grid ACLs
- GACL library
- GGF Authorisation Working Group
- WP2 Java Security
- WP4 LCAS/LCMAPS site access control

Slide 3: Existing EDG Testbed
- Currently ~25 sites across Europe

Slide 4: Testbed site administrators' initial worries...
- How can Grid users gain access without me creating new accounts every day?
- How can I limit what they can do?
- How can I audit what they've done to me?
- How can I keep track of files they've created?
- Local access control and account management usually boils down to
  - mapping Grid identities into appropriate local Unix identities
  - while respecting the above.

Slide 5: Existing EDG LDAP VO
- EDG already has a type of VO authorisation server in use: centrally provided authorisation listings
  - published via LDAP (~300 users in ~10 VOs)
  - mkgridmap tool for building a local grid-mapfile with a local choice of VOs
  - GUI tools allow VO managers to manage VO membership
- Provides a list of DNs for a given group: eg an experiment, or a group within an experiment.
- Groups have to be defined by an admin of the VO
  - can't be defined on an ad-hoc basis by small groups of users
- The current system gives the functionality that running experiments like BaBar cope with today, so it is OK.
- However, there are scaling issues, since each site must frequently (daily?) fetch the listings for the VOs it accepts.

Slide 6: Joining an application VO
- Users first join the Acceptable Use Policy VO, with their web browser, using their certificate
  - this involves agreeing to the DataGrid-wide AUP, which sets out the obligations of sites and users
  - legal wording done in conjunction with CERN legal experts (who understandably have a lot of experience of international law)
- Users can then join the VO of their application (eg an LHC experiment)
  - the VO manager can choose whether to accept the user
- At each site, the AND of AUP VO membership and Application VO membership controls access

Slide 7: VOMS - VO Membership Service
- This is similar to the first CAS prototype, but retains the user's identity.
  - where CAS gave the user a VO-specific proxy to use, VOMS provides the user with an attribute certificate to include in their own proxy cert
- This means the proxy can be used with existing GSI-based services
  - but VOMS-aware services can see additional credentials, like VO or subgroup membership
  - this will remove the necessity to fetch membership lists every day
  - but for legacy services, a DN membership list can still be obtained to construct grid-mapfiles etc
- VOMS is administered in much the same way as the existing LDAP VO
- Users use the voms-proxy-init tool, which fetches a signed attribute certificate from VOMS and includes it in the proxy cert extensions
- This will be deployed during the current EDG 1.3/2.0beta development

Slide 8: Pool accounts
- The other half of removing the account creation burden from admins
  - pre-create pools of accounts and allocate these to users when they request access
- Widely used by EDG Testbed sites, but not obligatory
  - in practice, almost all have chosen to use it
- Auditing is possible since all DN=>UID mappings are recorded in log files.
- The same pool mappings can be shared across a farm by sharing the gridmapdir lock files via NFS.
- The existing system works OK for jobs that need only CPU and temporary files.
  - but it is not really appropriate if users create long-lived files at the site in question.
- The limitations arise because files are still owned by the Unix UID: the UID can't be recycled until all files it created have been removed.
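The leasing, auditing and recycling described on this slide, as an added example (not EDG or GridPP code). The slide only says that gridmapdir lock files are shared over NFS; the mechanism below is an assumption: one empty marker file per pool account, and a lease is a hard link from that file to a name derived from the user's DN, so the kernel link count (1 = free, 2 = leased) is the lock and os.link() provides the atomic claim that makes the directory safe to share between farm nodes. The account names, DNs, DN-encoding and the files_owned_by callback are all constructed for the example.

```python
"""Pool-account leasing in a gridmapdir style (added illustration; the
hard-link mechanism and the DN encoding are assumptions, not EDG's code)."""
import os
import tempfile
import urllib.parse
from datetime import datetime, timezone

POOL = ["edg001", "edg002", "edg003"]  # constructed pool account names


def init_gridmapdir(path, accounts=POOL):
    """Create one empty marker file per pool account (link count 1 = free)."""
    os.makedirs(path, exist_ok=True)
    for acct in accounts:
        open(os.path.join(path, acct), "a").close()


def dn_filename(dn):
    """Assumed encoding of the DN-named link: lower-cased and percent-encoded,
    so '/' and spaces in a DN cannot escape the directory."""
    return urllib.parse.quote(dn.lower(), safe="")


def current_mapping(gridmapdir, dn):
    """Return the pool account leased to dn (it shares the inode), or None."""
    try:
        dn_ino = os.stat(os.path.join(gridmapdir, dn_filename(dn))).st_ino
    except FileNotFoundError:
        return None
    for name in os.listdir(gridmapdir):
        if "%" in name:  # DN links always contain '%' because DNs start with '/'
            continue
        if os.stat(os.path.join(gridmapdir, name)).st_ino == dn_ino:
            return name
    return None


def lease(gridmapdir, dn, audit_log):
    """Map dn to a free pool account, or return its existing mapping.

    os.link() fails with FileExistsError if another node already mapped this
    DN; the link count is re-checked so two DNs racing for one account back off."""
    existing = current_mapping(gridmapdir, dn)
    if existing:
        return existing
    dn_path = os.path.join(gridmapdir, dn_filename(dn))
    for acct in sorted(os.listdir(gridmapdir)):
        acct_path = os.path.join(gridmapdir, acct)
        if "%" in acct or os.stat(acct_path).st_nlink != 1:
            continue
        try:
            os.link(acct_path, dn_path)
        except FileExistsError:
            return current_mapping(gridmapdir, dn)
        if os.stat(acct_path).st_nlink == 2:
            stamp = datetime.now(timezone.utc).isoformat()
            audit_log.append(f"{stamp} LEASE {dn} -> {acct}")
            return acct
        os.unlink(dn_path)  # lost the race for this account; try the next one
    raise RuntimeError("pool exhausted")


def release(gridmapdir, dn, files_owned_by, audit_log):
    """Recycle the account leased to dn, unless its UID still owns files.

    files_owned_by(account) -> list of paths (in production: walk the site's
    disks comparing st_uid). Refusing is the UID-ownership limitation the
    slide describes: the next holder of the UID would inherit those files."""
    acct = current_mapping(gridmapdir, dn)
    if acct is None:
        return False
    leftovers = files_owned_by(acct)
    if leftovers:
        raise RuntimeError(f"{acct} still owns {len(leftovers)} file(s)")
    os.unlink(os.path.join(gridmapdir, dn_filename(dn)))
    stamp = datetime.now(timezone.utc).isoformat()
    audit_log.append(f"{stamp} RELEASE {dn} <- {acct}")
    return True


def demo():
    """Run the whole life cycle in a throwaway gridmapdir and report it."""
    with tempfile.TemporaryDirectory() as d:
        init_gridmapdir(d)
        log = []
        andrew = lease(d, "/O=Grid/DN=Andrew", log)
        bob = lease(d, "/O=Grid/DN=Bob", log)
        again = lease(d, "/O=Grid/DN=Andrew", log)  # same DN, same account
        try:  # a constructed leftover file blocks recycling of the UID
            release(d, "/O=Grid/DN=Andrew", lambda acct: ["/data/higgs.root"], log)
            refused = False
        except RuntimeError:
            refused = True
        released = release(d, "/O=Grid/DN=Andrew", lambda acct: [], log)
        carol = lease(d, "/O=Grid/DN=Carol", log)  # gets the recycled account
        return {"andrew": andrew, "bob": bob, "again": again, "refused": refused,
                "released": released, "carol": carol, "log": log}
```

Running demo() shows the audit trail the slide relies on: every DN=>account change is logged with a timestamp, the same DN always resolves to the same account while leased, and an account is only handed to the next user once nothing on disk is still owned by it.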

Slide 9: SlashGrid / certfs / curlfs
- Prototype framework for creating "Grid-aware" filesystems
  - different types of filesystem provided by dynamically loaded (and potentially third-party) plugins.
  - Source, binaries and API notes: http://www.gridpp.ac.uk/authz/slashgrid/
- The certfs.so plugin provides local storage governed by Access Control Lists based on Grid DNs (and groups).
- Since new ACLs just have the creator's DN, this is equivalent to file ownership by DN rather than UID.
  - solves admin worries about long-lived files owned by pool accounts.
  - if pool accounts are prevented from writing to normal disks, there is no chance they will write something unpleasant somewhere unexpected.
- The HTTP/HTTPS plugin (curlfs) ultimately aims to provide NFS/AFS-like functionality, again governed by Grid ACLs.

Slide 10: Grid ACLs
- For simplicity, we want an ACL format we can use for local and remote files, and for other types of resources.
- The current SlashGrid prototype and GridSite use a per-directory ACL in .gacl
- As a file, this can be stored in directories, copied via unmodified https or gsiftp channels, and easily manipulated by scripts and applications.
- Implementing ACLs also solves some other issues that emerged during Testbed 1:
  - eg per-UID tape storage: can store all tape files under one UID but associate an ACL with each file and use that.
- Sysadmins want disk filesystem ACLs on the same physical disk as the files if possible.

Slide 11: Grid ACL vs VOMS (or fine-grained VO/CAS)
- VOMS provides the ACL-like feature of specifying what capability (eg write) is permissible on an object (eg higgs-wg-montecarlo).
  - (If using lots of subgroups within an LDAP VO, one could achieve much the same thing: eg define a group of people in higgs-wg-montecarlo-write)
- In some cases, this could be used to provide ACL functionality.
- However, it is too coarse-grained and too heavyweight for all contexts
  - eg if my job creates a temporary working directory in /grid/tmp, I don't want to have to set up a new entry on the central VOMS machine
- The two systems should be seen as complementary
  - when you create some Higgs Monte Carlo simulation, put it somewhere the ACL gives write access to people with the "higgs-wg-montecarlo" group.
  - when you just create a temporary directory, the ACL defaults to just the creator having admin access.

Slide 12: An example XML Grid ACL format...
(The XML markup of the example did not survive transcription; the values that remain are:)
- ldap://ldap.abc.ac.uk/ou=xyz,dc=abc,dc=ac,dc=uk
- /O=Grid/OU=abc.ac.uk/DN=AbcVOMS with the group name "Abc readers"
- /O=Grid/DN=Andrew

Slide 13: GACL library
- The XML ACL format is not finalised, but we have several products in use which need to use it: GridSite for www.gridpp.ac.uk; SlashGrid; fileGridSite; and the EDG Storage Element.
- The ACL may change again in the future; we may need to understand different (ugh!) ACLs from other Grid projects.
- Insulate ourselves from this by putting the ACL handling functions into a standalone library, and make this understand the current XML.
- Handles ACLs in a reasonably general way
  - packs C structs and linked lists with their contents
  - provides access functions to manipulate the structs as new types.
- Despite the current C implementation, the API is readily translatable to object-oriented languages
  - Java API and implementation being produced
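The ACL model of slides 11 to 13, as an added example that is not GridSite, GACL or EDG code: a per-directory XML ACL is parsed, a user's Grid credentials (their DN, plus VOMS group membership) are matched against each entry, and permissions are the union of the matching allows minus the union of the matching denies. The element names (gacl, entry, person/dn, dn-list/url, voms-group/server/name, any-user, allow, deny) are an assumption modelled on the GACL family, because the slide's own XML lost its tags in transcription; the sample document below reuses the three values that did survive, with "Abc readers" treated as a group defined by the AbcVOMS server. The LDAP lookup is supplied by the caller so the example runs offline. default_gacl() is the "creator gets admin" default of slide 11, and grant_voms_group() is the complementary case where an admin delegates write access on one directory to a VOMS-defined group.

```python
"""GACL-style per-directory ACL: parse, evaluate, default, grant (added
illustration; element names are an assumption, not the GACL spec)."""
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")

# Constructed .gacl with the three credential types from slide 12: an LDAP
# VO group by URL, a VOMS server plus group name, and one person.
SAMPLE_GACL = """<gacl version="0.0.1">
  <entry>
    <dn-list><url>ldap://ldap.abc.ac.uk/ou=xyz,dc=abc,dc=ac,dc=uk</url></dn-list>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <voms-group><server>/O=Grid/OU=abc.ac.uk/DN=AbcVOMS</server><name>Abc readers</name></voms-group>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <person><dn>/O=Grid/DN=Andrew</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
</gacl>"""


def parse_gacl(text):
    """Return [(credential_element, allow_set, deny_set)] per <entry>."""
    root = ET.fromstring(text)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    entries = []
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if len(creds) != 1:
            raise ValueError("each <entry> needs exactly one credential")
        allow = {p.tag for p in entry.findall("allow/*") if p.tag in PERMS}
        deny = {p.tag for p in entry.findall("deny/*") if p.tag in PERMS}
        entries.append((creds[0], allow, deny))
    return entries


def matches(cred, user, resolve_dn_list):
    """True if the user's credentials satisfy one ACL credential element.

    user = {"dn": str, "voms": {(server_dn, group_name), ...}};
    resolve_dn_list(url) -> set of DNs (normally fetched from the LDAP VO)."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "person":
        return cred.findtext("dn") == user["dn"]
    if cred.tag == "dn-list":
        return user["dn"] in resolve_dn_list(cred.findtext("url"))
    if cred.tag == "voms-group":  # group is bound to the issuing VOMS server
        key = (cred.findtext("server"), cred.findtext("name"))
        return key in user.get("voms", set())
    return False  # unknown credential types grant nothing


def permissions(text, user, resolve_dn_list):
    """Union of allows over matching entries minus union of their denies."""
    allowed, denied = set(), set()
    for cred, allow, deny in parse_gacl(text):
        if matches(cred, user, resolve_dn_list):
            allowed |= allow
            denied |= deny
    return frozenset(allowed - denied)


def default_gacl(creator_dn):
    """ACL for a fresh directory: only the creator, with every permission."""
    root = ET.Element("gacl", version="0.0.1")
    entry = ET.SubElement(root, "entry")
    ET.SubElement(ET.SubElement(entry, "person"), "dn").text = creator_dn
    allow = ET.SubElement(entry, "allow")
    for p in PERMS:
        ET.SubElement(allow, p)
    return ET.tostring(root, encoding="unicode")


def grant_voms_group(text, requester, resolve_dn_list, server, name, perms):
    """Add an <entry> for a VOMS group; the requester must already hold admin.

    The VOMS server defines who is in the group; this ACL decides what the
    group may do to this one directory (the complementary use of slide 11)."""
    bad = set(perms) - set(PERMS)
    if bad:
        raise ValueError(f"unknown permission(s): {sorted(bad)}")
    if "admin" not in permissions(text, requester, resolve_dn_list):
        raise PermissionError(f"{requester['dn']} lacks admin on this ACL")
    root = ET.fromstring(text)
    entry = ET.SubElement(root, "entry")
    group = ET.SubElement(entry, "voms-group")
    ET.SubElement(group, "server").text = server
    ET.SubElement(group, "name").text = name
    allow = ET.SubElement(entry, "allow")
    for p in perms:
        ET.SubElement(allow, p)
    return ET.tostring(root, encoding="unicode")
```

Two checks worth noting: a VOMS group only matches when both the server DN and the group name agree, so a group of the same name asserted by a different VOMS server grants nothing; and a deny from any matching entry wins over an allow from another, which is what lets a site add a blanket any-user deny without editing every existing entry.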

Slide 14: GGF Authorization Working Group (Authz)
- This had a BOF at GGF6 and is with the GFSG now
  - proposed chairs Markus Lorch (VT) and Andrew McNab (Manchester)
- Initial objectives are authorisation Glossary, Requirements and Systems Review documents.
- But the underlying aim is to get all the authorisation people talking to each other, and hopefully standardising.
- Areas we're hoping for convergence in are:
  - VOMS vs CAS vs IETF Attribute Certificates
  - GACL ACLs + other ACLs
  - Callouts/plugins for services to enforce locally defined policies
  - Fitting authorisation solutions emerging from Grids into the wider Web Services security world
- See http://zuni.cs.vt.edu/grid-authz for the Authz WG website

Slide 15: Other authorisation work
- EDG WP2 (Data Management) has built a set of Java security modules
  - this includes modules for verifying GSI proxies, and enforcing ACL and grid-mapfile access control
  - can provide security handling for other Grid services
  - filtering of both plain HTTP and SOAP requests, and queries from the service itself during processing
- EDG WP4 (Fabric Management) site access system
  - LCAS - provides site-specific callouts to check authorisation based on user identity, what is requested, quotas, free slots in the batch system etc
  - LCMAPS - manages the current mappings of Grid to local identities
  - some of this functionality will also be provided by the recent Globus proposal for authorisation callouts, but limited to yes/no on identity only

Slide 16: WP2 Authorization (slide from Joni Hahkala)

Slide 17: (no text transcribed)

Slide 18: Summary
- Most of the concerns of Testbed site admins are being addressed
- The current VO system is probably sufficient, but VOMS (or CAS) would be more flexible.
- Pool accounts are useful but limited by UID file ownership issues.
- SlashGrid / certfs provides a solution to this.
- The GACL library provides an API for handling XML Grid ACLs
- Standardisation of these efforts is starting with the GGF Authz WG
- Java Security tools are being written for Grid Services to use
- LCAS/LCMAPS allows flexible, locally configurable site policies
- See http://www.gridpp.ac.uk/authz/ for links to source code and details of all tools mentioned in this talk

