Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
Grid Security
M. Jouvin / C. Loomis (LAL-Orsay), jouvin@lal.in2p3.fr
Grid Administration Training, LAL, Orsay, 15-19 September 2008

Agenda
- Requirements and Constraints
- Different Components
  - Certificates
  - Virtual Organizations
  - Proxies
Grid Security - M. Jouvin, 27/11/2018

Security Requirements
- The grid is a massively distributed system:
  - More than 5000 users belonging to many different communities
  - More than 250 sites around the world
- Bilateral relationships don't scale; trust relationships must exist between:
  - Sites and site administrators
  - Users (e.g. privacy)
  - Site administrators and users
- The security infrastructure must generate trust between all the actors for the grid to work

Main Features Required
- Authentication: who is the user?
- Authorization: check the right to do an action
- Auditing: who did what and when?
  - Traceability of actions is critical for trust in case of a problem
- Accounting: identify the resources used by a user

Constraints
- Must be flexible, scalable and able to evolve:
  - Nobody can know everybody else
  - Performance must be reasonable
  - Must allow controlled access from any country
- Usage must be "simple": if not, nobody will use it
  - Tradeoffs required between security and simplicity
- Must allow delegation of rights (e.g. to a service)

Grid Security Infrastructure (GSI)
- De-facto standard for grid middleware
  - Developed by the Globus project (U.S.A.)
  - Used by almost all production grids
- Based on a "Public Key Infrastructure"
  - Every entity has both a public key and a private key
  - Only one key can match the other
  - Format: X509v3
- Main features:
  - Single sign-on: the password protecting the private key is entered once for a certain period of time
  - Delegation: a person or a service may authorize another service to act on their behalf
    - Allows another entity to use one's authentication and authorization
  - Mutual authentication: originator and recipient both authenticate the other party

Certificate...
- A grid-compliant (X509v3) certificate may be issued for:
  - A physical person (personal certificate)
  - A machine (host certificate)
  - An application (service certificate): not yet used
- Public key (certificate)
  - Signed by an authority after checking who the owner is
  - Publicly available, published on the network
- Private key
  - Stored on the user's machine
  - Encrypted, must be password protected
- A certificate is an identity card: it doesn't give any specific right
  - Used by services to identify the owner of a right

... Certificate
- Main information in a certificate:
  - Subject or DN: unique identifier of the certificate owner
    - Replaces the username in the grid world
  - Validity duration of the certificate: generally 1 year
  - X509v3 extensions
    - What the certificate can be used for
    - Owner's email
- 2 different formats usable with the grid:
  - PKCS12: 1 file containing both the private key and the public key
  - PEM: 2 files, 1 for the private key, 1 for the public key
- All Globus and gLite tools can use PKCS12, but they use a different file name...!!!
  - usercert.p12 for gLite, usercred.p12 for Globus
  - The easiest is to symlink one to the other

Who Signs Certificates?
- Certification Authority (CA)
  - Is responsible for checking the entity's identity before issuing a certificate
  - 1 per country, or sometimes per group of countries (~35)
  - Establishes trust relationships with other CAs
  - Coordinates security activities in its country
  - In France, only "GRID-FR" certificates are accepted on EGEE
    - http://igc.services.cnrs.fr/GRID-FR: load "AC Certificates", then request a personal certificate
- Policy Management Authority (PMA)
  - Defines the minimum rules a CA must adhere to to be valid on the grid
  - CA auditing and accreditation
  - International Grid Trust Federation (http://www.gridpma.org)
    - EUGridPMA (http://www.eugridpma.org/)
    - ...

Virtual Organizations
- Virtual Organizations (VOs)
  - Group of people with common goals
  - VO members are organized in groups and subgroups
  - A VO member may also have a role in its group/subgroup
  - VO membership determines what resources can be used
    - Groups and roles may modify access rights to resources
- Several criteria for VO membership:
  - Experiment- or discipline-based: biomed, alice, atlas, esr, ...
  - Laboratory or institute: vo.lal.in2p3.fr, vo.u-psud.fr, vo.ucad.sn, ...
  - Projects: embrace, gridpp, auvergrid, ...
  - Others: dteam, ops, ...
- 1 user may belong to several VOs
- The CIC Portal allows listing all registered VOs: http://cic.gridops.org/index.php?section=home&page=volist
  - A new VO must normally be registered...

Authorization Actors
- VO Administrator:
  - Decides who may be a member of the VO
  - Organizes members in groups and sub-groups
  - Defines roles
  - A VO may have several administrators
- Site administrator:
  - Responsible for deciding which VOs can use the site resources
  - Defines resource access control based on VO requirements
- The VOMS service (VO Membership Service) allows VO administrators to manage their members
  - Grid services use VOMS to check groups and roles (FQANs) and decide access rights

Delegation
- Users cannot authorize every transaction in the grid:
  - Too many jobs
  - Jobs are not necessarily local
  - 1 job may involve several services
- Requires delegating access rights to jobs and grid services
  - The private key is too sensitive, with too long a lifetime, to be transmitted to grid services and jobs
  - A "proxy" is created from the certificate and transmitted to services

"Proxy"
- New certificate derived from the user's certificate:
  - Signed by the user's certificate
    - Similar process to the user's certificate being signed by the issuing CA
  - Very short period of validity
    - By default, ~1/2 day
  - Includes all the VOs, groups and roles (FQANs) the user has
  - Stored in a file sent with jobs and to services
- Short-lived proxy (around 12 hours)
  - voms-proxy-init (--voms), -info, -destroy
- Long-lived proxy
  - myproxy-init, -info, -destroy, -get-delegation
  - Requires a valid VOMS proxy (short-lived)
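As an added example (not from the slides) of how a site turns the FQANs carried in a VOMS proxy into an access decision, as described on the Authorization Actors and Proxy slides: a simplified Python model in which the proxy's FQANs are matched, in order, against an ordered site policy, and a proxy that is already expired or that lives longer than the site allows is refused. The glob-pattern policy, the 24-hour cap, the sample DN and the local account names are assumptions of this example, not gLite or VOMS syntax.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
@dataclass
class Proxy:                 # minimal model of a VOMS proxy
    subject: str             # DN of the user certificate it derives from
    fqans: list              # FQANs carried, primary first, as voms-proxy-info prints them
    not_after: datetime      # proxy expiry (UTC)

# Hypothetical site policy, ordered: the first FQAN pattern that matches wins and
# gives the local account. Patterns are shell globs (a simplification, not VOMS syntax).
SITE_ACL = [
    ("/atlas/Role=production", "atlasprd"),
    ("/atlas/*", "atlas001"),
    ("/atlas", "atlas001"),
    ("/vo.lal.in2p3.fr*", "lal001"),
]
MAX_PROXY_LIFETIME = timedelta(hours=24)   # assumed site cap on remaining lifetime
def normalize(fqan):
    """Strip the '/Role=NULL/Capability=NULL' suffix VOMS adds to plain group FQANs."""
    for tail in ("/Capability=NULL", "/Role=NULL"):
        if fqan.endswith(tail):
            fqan = fqan[:-len(tail)]
    return fqan

def authorize(proxy, now, acl=SITE_ACL):
    """Return (account, reason); account is None when the site refuses access."""
    if proxy.not_after <= now:
        return None, "proxy expired"
    if proxy.not_after - now > MAX_PROXY_LIFETIME:
        return None, "proxy lifetime exceeds site maximum"
    for fqan in proxy.fqans:
        f = normalize(fqan)
        for pattern, account in acl:
            if fnmatchcase(f, pattern):
                return account, "%s matched %s" % (f, pattern)
    return None, "no FQAN accepted by site policy"
# Constructed sample proxies for a constructed user DN.
NOW = datetime(2008, 9, 15, 10, 0, tzinfo=timezone.utc)
DN = "/O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Example User"
SAMPLES = {
    "production": Proxy(DN, ["/atlas/Role=production/Capability=NULL",
                             "/atlas/Role=NULL/Capability=NULL"], NOW + timedelta(hours=12)),
    "member": Proxy(DN, ["/atlas/Role=NULL/Capability=NULL"], NOW + timedelta(hours=12)),
    "other_vo": Proxy(DN, ["/alice/Role=NULL/Capability=NULL"], NOW + timedelta(hours=12)),
    "expired": Proxy(DN, ["/atlas/Role=NULL/Capability=NULL"], NOW - timedelta(hours=1)),
    "too_long": Proxy(DN, ["/atlas/Role=NULL/Capability=NULL"], NOW + timedelta(days=7)),
}
def demo():   # map each sample to the account it would run under (None = refused)
    return {name: authorize(p, NOW)[0] for name, p in SAMPLES.items()}
```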

Other Services
- Auditing
  - Grid services log their actions to allow auditing
    - Understand who is doing what, where and when
    - Understand the global behaviour of the system
- Accounting
  - Central database containing a per-VO view of used resources
    - http://www3.egee.cesga.es/gridsite/accounting/CESGA/egee_view.html
  - No quota currently available in the middleware

Summary
- EGEE security is based on Globus GSI + VOMS
- Authentication
  - A network of CAs signs entities' certificates (person, host or service)
  - The certificate is a "grid passport" for the user
- Authorization
  - Based on virtual organizations (VOs)
  - Site administrators are responsible for configuring authorization, based on VO requirements
- "Proxies"
  - Contain information about the VO, groups and roles of a user at one point in time
  - Allow delegating access rights to grid services and jobs

Useful Links
- Man pages for the voms-proxy-xxx and myproxy-xxx commands
- GRIF gLite tutorial: https://trac.lal.in2p3.fr/GridSupport/wiki/Tutorial/Authorization