DataGrid Security Wrapup, Linda Cornwall, 4th March 2004.

Presentation transcript:

DataGrid Security Wrapup, Linda Cornwall, 4th March 2004

DataGrid Security Co-ordination Group
No single work-package to tackle Grid security
–But WP2 has a security task and team
Security Coordination Group (SCG) was formed in late 2001
–Led by David Kelsey
Mandate of SCG (sub-group of WP7)
–To produce the Deliverables of WP7 on Security
–To help coordinate security activities in WPs 1 to 7
–To liaise with WP6 CA & Authorization groups (and others)
–To contribute to the architecture of the EU DataGrid (ATF)
SCG has larger scope than originally foreseen
–At least one representative per middleware WP
–Collaboration with DataTAG and national Grid projects

SCG Achievements - overview
Authentication: Certification Authorities (CAs) for EDG and others
–WP6 Certificate Authorities Coordination Group
DataGrid Security Requirements (D7.5, May 2002)
–112 requirements in many areas…
–Authentication, Authorization, Auditing, Non-repudiation, Delegation, Confidentiality, Integrity, Network, Manageability, Usability, Interoperability, Scalability, Performance, Robustness
–Priority attached – DataGrid Requirements, Aims within EDG, Long Term aims
Several joint meetings with WP8, 9 and 10 for VO use cases
Security Design (D7.6, March 2003) (Large UK contribution)
Final Security Report (D7.7, January 2004)
–includes comparison with initial requirements

Summary of the EDG Security design
Users are issued with a PKI certificate from their local (country) Certification Authority.
Users become a member of one or more 'Virtual Organisation' (VO)
Users are issued with authorization credentials by the VOs to which they belong
Authorization rules are enforced by the local sites or resources
–Various language-dependent tools have been developed

Overview of the EDG Security Components (D7.6)
[Architecture diagram; the labels that survive extraction are summarised here.]
Credential issuing: user obtains a certificate (dn, ca, Pkey) from the CA; VOMS adds a VOMS credential (VO, group(s), role(s)) to a short-lifetime proxy cert; MyProxy holds a long-lifetime delegation (cert+key) and answers renewal requests with short-lifetime delegations.
Common flow at every service: auth -> pre-process (parameters -> obj.id + req. op) -> authz (dn, attrs, acl, req. op -> yes/no) -> doit.
C / GSI path: LCAS (dn, attrs, acl, req. op -> yes/no) and LCMAPS (dn -> userid, krb ticket); coarse grained e.g. gatekeeper, fine grained e.g. SE, /grid; GACL maps obj.id -> acl.
Java / Web services path: TrustManager for authentication, Authz map (dn -> DB role); coarse grained e.g. Spitfire, fine grained e.g. RMC.
Web (mod_ssl) path: proxy cert checked by mod_ssl, GACL (obj.id -> acl) for fine-grained authorization, e.g. GridSite.

Achievements - Authentication
PKI based Certification Authorities (CAs) for EDG and other Grid Projects
–DataTAG, CrossGrid, LCG – including a global service for particle physics
–Same CAs used by many national projects
Tools to carry out Authentication in languages other than 'C' (GSI)
–Java (edg-java-security TrustManager)
–Apache web services (mod_ssl)

Authorization – Early on
VO LDAP server was developed to manage VO membership
–This produced a grid-mapfile
Tool for leasing Pool Accounts to users defined in the grid-mapfile obtained from the VO LDAP server
Combination of these allowed users access to resources without a specific account on that particular host.
This provides very coarse-grained authorization according to a VO based identity

Authorization – VOMS
Virtual Organisation Membership Service (VOMS) developed jointly between EDG and DataTAG projects.
Allows for the management of VO membership for both Users and Services and the issuing of Credentials proving
–VO membership, Groups, Roles and Capabilities
VOMS credentials are in the form of an extension to the GSI proxy
–VOMS proxy

'Local' Authorization
Various tools have been developed within EDG to allow access in the local environment.
LCAS and LCMAPS for authorization in C/C++ services
Java Authorization Manager
–Coarse grained authorization mapping
–Credential extraction and checking to allow fine grained authorization by the service
GridSite – Authorization in Web services environment
GACL 'Grid Access Control Language' for defining access control based on Grid Credentials
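The design summary, the D7.6 component overview, the early grid-mapfile authorization and the local authorization tools above describe one chain: map a certificate DN to a local identity, then decide (dn, attrs, acl, req. op) -> yes/no. The following is an added toy model of that chain, not EDG, LCMAPS or GACL code; the DNs, FQANs, grid-mapfile lines and ACL entries are constructed, and the ACL is a loose model of GACL entry types rather than its exact XML schema.

```python
# Added example (not EDG code): toy model of the D7.6 authorization chain.
# Step 1: coarse-grained grid-mapfile / LCMAPS style mapping of a DN to a local
# account. Step 2: fine-grained GACL-style check (dn, attrs, acl, req. op) -> yes/no.
# All DNs, FQANs, mapfile lines and ACL entries are constructed sample data; the
# ACL is a loose model of GACL entries, not its exact XML schema.
from dataclasses import dataclass

@dataclass
class Credential:
    dn: str
    fqans: tuple = ()  # VOMS attributes in the proxy, e.g. "/biomed/Role=admin"

# Constructed grid-mapfile: quoted DN then an account; a leading "." marks a pool.
GRID_MAPFILE = '''"/C=UK/O=eScience/OU=RAL/CN=alice" alice
"/C=UK/O=eScience/OU=RAL/CN=bob" .biomed
'''

def map_to_account(dn, mapfile=GRID_MAPFILE):
    """Step 1: a DN absent from the grid-mapfile gets no local identity at all."""
    for line in mapfile.splitlines():
        quoted_dn, sep, account = line.rpartition('" ')
        if sep and quoted_dn.lstrip('"') == dn:
            # Toy pool policy: lease the first slot of the named pool.
            return account[1:] + "001" if account.startswith(".") else account
    return None

# Constructed GACL-style ACL: (subject, allowed ops, denied ops) with subjects
# ("person", dn), ("voms", fqan) or ("any-user",), mirroring GACL entry types.
ACL = [
    (("person", "/C=UK/O=eScience/OU=RAL/CN=alice"), {"read", "write"}, set()),
    (("voms", "/biomed/Role=admin"), {"read", "write", "admin"}, set()),
    (("person", "/C=UK/O=eScience/OU=RAL/CN=mallory"), set(), {"read", "write"}),
    (("any-user",), {"read"}, set()),
]

def authorize(cred, acl, op):
    """Step 2: consult every matching entry; a deny overrides any allow (GACL rule)."""
    allowed = denied = False
    for (kind, *arg), allow, deny in acl:
        if (kind == "any-user"
                or (kind == "person" and arg[0] == cred.dn)
                or (kind == "voms" and arg[0] in cred.fqans)):
            allowed = allowed or op in allow
            denied = denied or op in deny
    return allowed and not denied

def handle_request(cred, op, acl=ACL):
    """Both steps in the order a service applies them: map the DN, then check the op."""
    account = map_to_account(cred.dn)
    return (account, authorize(cred, acl, op)) if account else (None, False)
```

A DN missing from the grid-mapfile is refused before the ACL is consulted, which is exactly the coarse-grained "no account on this host" check the early VO LDAP / pool-account tools provided; the VOMS role only matters once that step has passed.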

Requirements analysis (EDG 2.1)
Legend: FS = fully satisfied, PS = partially satisfied, NS = not satisfied (slide colouring: success / mostly satisfied / not satisfied). "Partially" means not all WPs and/or not all languages.

Area             No.   FS   PS   NS
Authentication
Authorization     23    8    9    6
Confidentiality
Non-Repudiation    3   (remaining figure on the slide: 3)
Usability          3   (remaining figure on the slide: 3)
Interoperability   3   (remaining figures on the slide: 2, 1)
Other areas       15    3    8    4
Total

Cells are left blank where the figures did not survive extraction; for the three rows marked, the slide text gives the figures but not which of the FS/PS/NS columns they belong to.

Summary of progress
Authentication – lots of success!
Large amount of progress in Authorization mechanisms
–Need to be fully integrated with other middleware
Confidentiality – area where we largely failed.
–Depended on Authorization integration being complete, and data being stored in encrypted form
–More of a problem for e.g. Bio Medical applications than particle physics
Interoperability – also largely successful.
–Based on GSI
–Worked closely with the international community, GGF
Some other areas need much more work – security largely turned off in EDG testbed 2.1
–Liable to denial of service attacks
Areas like non-repudiation need more attention.

Lessons learned
Be careful collecting requirements
–In hindsight, the D7.5 requirements were rather ambitious
–The expectations of the applications were documented but there was not sufficient analysis of the difficulty of integration
Security must be an integral part of all development
–from the start
Building and maintaining "trust" between projects and continents takes time
–Not just about middleware
Integration of security into existing systems is complex
–When designing middleware 'think security'
–Don't rely on adding it later
There must be a dedicated activity dealing with security
EGEE planning has already benefited from our experience

Exploitation
Authentication
–The CA infrastructure will continue
–EGEE will manage the EDG PKI in a new EU PMA
–LCG driving the requirements for global physics authentication
–Grid CAs to be registered in new TERENA CA repository (TACAR)
–eInfrastructure and eIRG meetings (Ireland) to consider this topic
A general EU Grid PKI infrastructure?
–DataGrid people will continue in EGEE and GGF
Security Policy issues
–DataGrid people already active in defining LCG policy and procedures
–Important input to EGEE and eIRG

Exploitation (2)
Authorization
–EDG components and people will continue in EGEE, LCG and other projects
–VOMS is part of LCG-2
The HEP applications need roles and groups
–Integration with SlashGrid, ACLs (GACL) and GridSite
Joint work with UK GridPP, using VOMS and working with PERMIS team
Greater exploitation of the various Authorization tools will be possible when they are fully integrated with other middleware
–Work in GGF security area groups will continue
EDG providing reference implementations in OGSA-AuthZ
–WS-security, VOMS, LCAS, GridSite, SlashGrid etc
–XML policy, XACML, VOMS Attribute Certificates, SAML
Will continue to drive and track standards
Publication of the work is ongoing