Presentation is loading. Please wait.

Presentation is loading. Please wait.

WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service.

Published byVictor Miles Modified over 8 years ago

Similar presentations

Presentation on theme: "WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service."— Presentation transcript:

1 WP3 Security and R-GMA Linda Cornwall

2 WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service dn dn + attrs Fine-grained e.g. RepMeC WP2/WP3 Coarse-grained e.g. CE, Gatekeeper WP4 Fine-grained e.g. SE, /grid WP5 Java C authenticate acl

3 WP3 edg-java-security Provided by WP2 Trustmanager (but no delegation) Authorization service –Course grained – authorization on front of service (I.e. y/n can the person connect) –Fine grained – authorization within a service (Some development on this – no documentation)

4 WP3 Trustmanager and R-GMA Tried out using the trustmanager on a version of R-GMA prior to re-factoring –Hard-coded changes – rather than proper setup scripts –ServletConnectionTest worked –Tells me what I need to do.

5 WP3 How to integrate the trustmanager. Install a lot of the globus and edg security related stuff. Modify rgma-config, config-rgma-tomcat.. –To allow choice of http or https connections. –To include all the extra dependences. –To configure tomcat – using trustproperties Create trustproperties configuration files for user and service.

6 WP3 How to integrate the trustmanager - contd Modify ServletConnection to use trustmanager. (possibly different version for service connecting on and actual end client as each will need different trustproperties files.) –Maybe modify each service that connects on? C and C++ API’s will need modification too. We can (hopefully) find out how to do modify the C and C++ API’s from other WP’s or globus – I think this problem has already been addressed.

7 WP3 What we will have with the trustmanger The client will authenticate themselves with the service. Servlets with authenticate with one another. No delegation, therefore no authentication between user and service that one servlet connects on to. If a trusts b – a then has to trust everyone b trusts. If b trusts c, a has to trust everyone that b and c trust…….

8 WP3 Authorization for J+30 Plan to have user’s only seeing their own jobs. Only way to do this in the absence of delegation in the trustmanager is –extract the DN of the user when they connect –Pass this to the next servlet or refuse request if they are asking for info that does not match. –Or does user ALWAYS connect directly to Producer of the job info? Not secure – anyone with an acceptable certificate could get the info – but they would have to write their own code.

9 WP3 Sensor Code Producer API Application Code Consumer API Registry “Event Dictionary” Consumer Instance Registry API Registry API Producer Instance Schema API Schema If job info –does DN match? Have to trust the consumer to pass on DN

10 WP3 Rogue Consumer Rogue Consumer has acceptable Certificate. DN DN info matches Without Delegation it is possible to obtain info one is not authorized to see. But it requires a consumer to be hacked or written.

11 WP3 EDG Security issues For J and beyond, plan to authenticate services using a proxy of a service certificate.

12 WP3 Authorization beyond J+30 Need proper delegation – end producer needs to authenticate the client. The producer needs to do the authorization otherwise –Confidentiality can be breached. –Fine-grained won’t work. VOMS and edg-java-security tools being developed should give us VO, roles, DN etc. GACL (Grid Access Contol List) is a format for specifying access control. May be able to use this.

13 WP3 Beyond J+30 contd. If an info service is either available or not to a client – could use the WP2 Authorization service. –Imagine this will be true of some info services, especially canonical producers –Registry for VO won’t work – as separate Registries are virtual, not really separate services

14 WP3 Authenticated USER Course Grained RGMA Service Authorization decision ACL (DN, Vo, Role) DN, Vo, Role(s) Course grained R-GMA service In future there may be R-GMA services where authorization depends only on the entire service. E.g. a user may read all/none, write all/none, administrate the service. One ACL applies to whole service

15 WP3 Authenticated USER ACL (DN, Vo, Role) DN, Vo, Role(s) Fine grained R-GMA service In fine grained Authorization a decision must be made within the producer. Each table, even each row of a table will have it’s own ACL ACL (DN, Vo, Role) ACL (DN, Vo, Role)

Download ppt "WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service."

Similar presentations

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
WP2: Data Management Gavin McCance University of Glasgow.

WP2: Data Management Gavin McCance University of Glasgow.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
FP7-INFRA-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
GGF Toronto 19.02.02 Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.

Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Introduction to R-GMA: Relational Grid Monitoring Architecture.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Introduction to R-GMA: Relational Grid Monitoring Architecture.
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Andrew McNab - SlashGrid, HTTPS, fileGridSite SlashGrid, HTTPS and fileGridSite 30 October 2002 Andrew McNab, University of Manchester

Andrew McNab - SlashGrid, HTTPS, fileGridSite SlashGrid, HTTPS and fileGridSite 30 October 2002 Andrew McNab, University of Manchester
Introduction on R-GMA Shi Jingyan Computing Center IHEP.

Introduction on R-GMA Shi Jingyan Computing Center IHEP.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Similar presentations

Ads by Google