Update on EDG Security (VOMS)

Slides:

Advertisements

Similar presentations

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

Advertisements

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Grid Security. Typical Grid Scenario Users Resources.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Security Mechanisms The European DataGrid Project Team

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues

1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

EDG Security European DataGrid Project Security Coordination Group

Association with the Gilda Virtual Organization Certificate,VO membership, and MyProxy Server usage.

Ákos FROHNER – DataGrid Security n° 1 Security Group D7.6 Design Ideas

3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK

Security Mechanisms The European DataGrid Project Team

WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK

Edg-voms-admin European DataGrid Project Security Coordination Group

User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.

OSG AuthZ components Dane Skow Gabriele Carcassi.

INFSO-RI Enabling Grids for E-sciencE Installing a gLite VOMS server Joachim Flammer Integration Team, CERN EMBRACE Tutorial, Clermont-Ferrand.

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania.

Last update 21/01/ :05 LCG 1Maria Dimou- cern-it-gd Current LCG User Registration, VO management and Authorisation Procedures VOMS workshop

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.

Ákos FROHNER – DataGrid Security n° 1 Security Group TODO

The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.

15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.

Gridification progress report David Groep, Oscar Koeroo Wim Som de Cerff, Gerben Venekamp Martijn Steenbakkers.

EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.

Enabling Grids for E-sciencE gLite security pratical tutorial Dario Russo INFN Catania Catania,

DataGrid Security Wrapup Linda Cornwall 4 th March 2004.

Gilda certificates. Certification Authority

Storage Element Security Jens G Jensen, WP5 Barcelona, May 2003.

OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.

Security Mechanisms The European DataGrid Project Team

The European DataGrid Project Team

AuthN and AuthZ in StoRM A short guide

Authentication, Authorisation and Security

Classic Storage Element

WP7: Security Coordination Group (SCG)

MyProxy Server Installation

Authorization and Authentication in gLite

Practicals on VOMS and MyProxy

R-GMA Security Principles and Plans

NAREGI-CA Development of NAREGI-CA NAREGI-CA Software CP/CPS Audit

ESRIN Grid Workshop Tutorial

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

Tweaking the Certificate Lifecycle for the UK eScience CA

Grid Security Jinny Chien Academia Sinica Grid Computing.

THE STEPS TO MANAGE THE GRID

The New Virtual Organization Membership Service (VOMS)

Grid Security M. Jouvin / C. Loomis (LAL-Orsay)

The EU DataGrid Security Services

The EU DataGrid Security Services

The GENIUS Security Services

Presentation transcript:

Update on EDG Security (VOMS) European DataGrid Project Security Coordination Group http://cern.ch/hep-project-grid-scg

Registration CA user VO-VOMS user cert (long life) registration low frequency high frequency user user cert (long life) VO-VOMS registration web denied deny VO membership request (user) email address confirmation (user) create user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. allow new confirmed accepted done (VO admin) email to the administrator: new request notification email to the requestor: email address confirmation email to the requestor: request is accepted/denied email

Multi-VO registration CA low frequency high frequency user user cert (long life) VO-VOMS registration VO administration operations create/delete (sub)group/role/capability add/remove member of g/r/c get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member VO-VOMS VO-VOMS user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO-VOMS

proxy cert (short life) authz cert (short life) “Login” CA low frequency high frequency user user cert (long life) VO-VOMS voms-proxy-init proxy cert (short life) user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. edg-voms-proxy-init -voms iteam /tmp/x509_up<UID> (normal proxy location) backward compatible proxy format authz cert (short life)

proxy cert (short life) authz cert (short life) Multi-VO “Login” CA low frequency high frequency voms-proxy-init -voms iteam -voms wp6 single proxy certificate is generated each VO provides a separate VOMS credential first one is the default VO each VOMS credential contains multiple group/role entries first one is the default group user user cert (long life) VO-VOMS VO-VOMS voms-proxy-init VO-VOMS proxy cert (short life) user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO-VOMS authz cert (short life)

Old-style Service CA service crl update mkgridmap GSI VO-VOMS VO-VOMS low frequency high frequency host cert (long life) service crl update VO-VOMS VO-VOMS Old-style services still use the gridmap-file for authorization gridftp EDG 1.4.x services EDG 2.x service in compatibility mode no advantage, but everything works as before... mkgridmap VO-VOMS user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. gridmap-file VO-VOMS GSI

Replica Management RM user authentication & authorization info low frequency high frequency host cert information system RM user 1. VO affiliation user cert 2. service URI(s) for VOs in authz? proxy user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO authz 3. calling the service (URI) edg-java- security authentication & authorization info

1. VO affiliation (AccessControlBase) Job Submission low frequency high frequency host cert information system CE user 1. VO affiliation (AccessControlBase) user cert 4. CEs for VOs in authz? WMS 3. job submission proxy user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO authz MyProxy server 2. cert upload

authentication & authorization info Running a Job LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups default VO = default UNIX group other VO/group/role = other UNIX group(s) host cert MyProxy server CE cert (long term) voms-proxy-init WMS proxy user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO 2. job start authz 1. cert download authentication & authorization info LCAS/ LCMAPS

VOMS FAQ No instant effect: the user has to “log-in”, using voms-proxy- init, to be notified of any VO change Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group-admin); no user groups Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner no to override it VOMS is not used to implement fine grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration)