EDG Security European DataGrid Project Security Coordination Group

2004/Jan - EDG Security - GRIDSTART TWG VO Security

Slide 2: Overview
- How it works: EDG security through use cases
- VO Management Service
- Authentication and Authorization components

Slide 3: Registration
[Diagram: the user holds a long-lived user certificate issued by the CA (low-frequency interaction) and registers with the VO's VOMS server through a web tool (high-frequency interaction). Registration states: new, confirmed, accepted, done, denied.]
- VO membership request (user): creates the request in state "new"
- address confirmation (user): the requestor receives an address confirmation, the administrator a new-request notification
- allow / deny (VO admin): the requestor is told that the request is accepted or denied
- Tool support for the registration workflow(s) to ease the life of VO managers.

Slide 4: Multi-VO registration
[Diagram: one long-lived user certificate from the CA is used to register with several VO-VOMS servers.]
- VO administration operations
  - create/delete (sub)group/role/capability
  - add/remove member of group/role/capability
  - get/set ACLs for these operations
- VO registration tasks: user-requested administrative operations, e.g. user registration = add member
- Support for multi-VO registration and login using the same user certificate.

Slide 5: "Login"
[Diagram: from the long-lived user certificate, voms-proxy-init obtains a short-lived authorization credential from VO-VOMS and wraps it in a short-lived proxy certificate.]
- edg-voms-proxy-init -voms iteam
  - /tmp/x509_up (normal proxy location)
  - backward compatible proxy format
- The credential created in the "login" procedure is backward compatible: one can use it with the existing services, which are based on GSI.

Slide 6: Multi-VO "Login"
[Diagram: as on slide 5, but voms-proxy-init contacts several VO-VOMS servers and collects their short-lived credentials into one short-lived proxy certificate.]
- voms-proxy-init -voms iteam -voms wp6
  - a single proxy certificate is generated
  - each VO provides a separate VOMS credential; the first one is the default VO
  - each VOMS credential contains multiple group/role entries; the first one is the default group
- One can be a member of many VOs and use their resources at the same time. The VO-specific credentials are separate, but collected into the same proxy certificate.

Slide 7: Old-style Service
[Diagram: the service holds a long-lived host certificate from the CA and fetches CRL updates (low frequency); mkgridmap pulls the VO user list from VO-VOMS into the gridmap-file (high frequency); clients authenticate over GSI.]
- Old-style services still use the gridmap-file for authorization
  - gridftp
  - EDG 1.4.x services
  - EDG 2.x services in compatibility mode
  - no advantage, but everything works as before...
- Backward compatibility on the service side: one can generate gridmap-files from the VO user list for existing services based on GSI.
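As an added worked example (my code, not code from the EDG project or its mkgridmap tool): a small Python model of the gridmap-file path this slide describes. It builds a gridmap-file from VO member lists, parses it back using the `"DN" account` line format, strips the proxy CN components so that an old-style service matches the user's own DN rather than the proxy's, and makes the yes/no decision. The VO names, DNs and pool-account names are constructed sample values; the "first VO wins" rule for users in several VOs is my assumption.

```python
import re
from collections import OrderedDict

# Constructed VO membership lists (sample DNs, not real users).
VO_MEMBERS = {
    "iteam": ["/O=Grid/O=EDG/CN=Alice Example", "/O=Grid/O=EDG/CN=Bob Example"],
    "wp6":   ["/O=Grid/O=EDG/CN=Bob Example", "/O=Grid/O=EDG/CN=Carol Example"],
}

# Constructed local policy: which pool account a VO's members are mapped to.
# A leading dot marks a pool account, as in grid-mapfiles.
VO_ACCOUNT = {"iteam": ".iteam", "wp6": ".wp6"}


def build_gridmap(vo_members, vo_account, banned=()):
    """Return gridmap-file text: one '"DN" account' line per DN.

    A DN listed in several VOs gets the account of the first VO that
    names it (assumption for this example); banned DNs are left out.
    """
    entries = OrderedDict()
    for vo, dns in vo_members.items():
        for dn in dns:
            if dn in banned or dn in entries:
                continue
            entries[dn] = vo_account[vo]
    return "".join(f'"{dn}" {acct}\n' for dn, acct in entries.items())


# One gridmap-file line: a double-quoted DN, whitespace, an account name.
_LINE_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """Parse gridmap-file text into {DN: account}; rejects malformed lines."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed gridmap-file line {lineno}: {line!r}")
        dn, acct = m.groups()
        mapping.setdefault(dn, acct)  # first entry for a DN wins
    return mapping


# Proxy certificates extend the user's DN: legacy GSI proxies append
# "/CN=proxy" or "/CN=limited proxy", RFC 3820 proxies a numeric "/CN=<n>".
_PROXY_CN = re.compile(r"^CN=(proxy|limited proxy|\d+)$")


def subject_dn(proxy_dn):
    """Strip proxy CN components so the user's own DN can be looked up."""
    parts = proxy_dn.split("/")
    while len(parts) > 1 and _PROXY_CN.match(parts[-1]):
        parts.pop()
    return "/".join(parts)


def authorize(mapping, presented_dn):
    """Old-style decision: authorized iff the (de-proxied) DN is listed.

    Returns the account to map to, or None when access is refused.
    """
    return mapping.get(subject_dn(presented_dn))


if __name__ == "__main__":
    text = build_gridmap(VO_MEMBERS, VO_ACCOUNT)
    print(text, end="")
    table = parse_gridmap(text)
    print(authorize(table, "/O=Grid/O=EDG/CN=Alice Example/CN=proxy"))
    print(authorize(table, "/O=Grid/O=EDG/CN=Dave Example/CN=proxy"))
```

The decision is deliberately as coarse as the slide says: membership is the only thing a gridmap-file can express, so group or role information from VOMS is lost on this path.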

Slide 8: Replica Management
[Diagram: the user (user cert, proxy) and the Replica Manager service (host cert) exchange authentication and authorization information through edg-java-security, with the VO information system alongside. Steps: 1. VO affiliation; 2. service URI(s) for the VOs in the authorization credential, looked up in the VO information system; 3. calling the service (URI).]
- The VO credential on the client side is used to select the VO-specific service.
- The VO credential on the server side is used for authorization.

Slide 9: Job Submission
[Diagram: user (user cert, proxy), WMS, MyProxy server, VO information system and CE (host cert). Steps: 1. VO affiliation (AccessControlBase); 2. cert upload to the MyProxy server; 3. job submission to the WMS; 4. CEs for the VOs in the authorization credential, looked up in the VO information system.]
- The VO credential is used by the resource broker to pre-select available CEs.

Slide 10: Running a Job
[Diagram: the WMS downloads the delegated credential from the MyProxy server (1. cert download) and starts the job on the CE (2. job start); the CE (long-term host cert) hands the proxy and its VO authorization information to LCAS/LCMAPS; the user side still starts from voms-proxy-init.]
- LCAS: authorization based on (multiple) VO/group/role attributes
- LCMAPS: mapping to a user pool and to (multiple) groups
  - default VO = default UNIX group
  - other VO/group/role = other UNIX group(s)
- The VO credential is used for authorization and mapping on the CE.

Slide 11: Virtual Organization Management Service
- Issues credentials to prove group/role/VO membership
  - standard RFC 3281 Attribute Certificate format
  - single string attributes: FQAN
- Core service: standalone daemon for the "login"
  - single purpose, high performance
- Administrative service: web service with API, command line and web user interface
  - for administration and registration
- Migration tools for gridmap-files and VO-LDAP servers

Slide 12: VOMS FAQ
- No instant effect: the user has to "log in", using voms-proxy-init, to be notified of any VO change
- Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group admin); no user groups
- Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner not to override it
- VOMS is not used to implement fine-grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration)

Slide 13: VOMS migration plan
[Diagram: four phases; in each, the user creates a proxy and the service authorizes it.]
- phase 0, testing the VOMS server: VO-LDAP and VOMS run side by side (voms-ldap-sync); users run grid-proxy-init; services authorize with a gridmap-file built by edg-mkgridmap
- phase 1, user management on VOMS: VO-LDAP and VOMS (voms-ldap-sync); users run grid-proxy-init; services authorize with a gridmap-file built by edg-mkgridmap
- phase 2, compatibility mode, mixed services: VO-LDAP and VOMS (ldap-voms-sync); users run voms-proxy-init and get a proxy with VOMS credentials; services authorize with a gridmap-file built by edg-mkgridmap or with the VOMS credential
- phase 3, fully migrated, only VOMS-aware services: VOMS only; users run voms-proxy-init and get a proxy with VOMS credentials; gridmap-files, where still needed, come from VOMS

Slide 14: Auth/Authz in Services
- GSI based or compatible authentication
- grid-mapfile or VOMS based authorization (can be both)
- policy or ACL based access control
  - coarse- and fine-grained solutions
  - the access control description's syntax is not standard
- implemented alternatives:
  - edg-java-security for Java web services
  - GSI/LCAS/LCMAPS for native C/C++ services
  - mod_ssl/GACL for Apache based web services
  - Slashgrid for transparent filesystem ACLs and GridSite

Slide 15: Overview of the Components
[Diagram: credentials on the user side and the auth/authz/map/doit chain inside each kind of service.]
- User side
  - CA issues the certificate: dn, ca, Pkey
  - VOMS issues the VOMS cred.: VO, group(s), role(s)
  - proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime)
  - MyProxy: delegation of cert+key (long lifetime), re-newal request, delegation of cert+key (short lifetime)
- Java web services, coarse grained (e.g. Spitfire): TrustManager (auth), authz by map dn -> DB role, doit
- Java web services, fine grained (e.g. RepMec): TrustManager (auth), pre-process: parameters -> obj.id + req. op., obj.id -> acl, authz: dn, attrs, acl, req. op -> yes/no, doit
- C services, coarse grained (e.g. gatekeeper): GSI (auth), LCAS (authz: dn, attrs, acl, req. op -> yes/no), LCMAPS (map: dn -> userid, krb ticket), doit
- C services, fine grained (e.g. SE, /grid): GSI (auth), pre-process: parameters -> obj.id + req. op., GACL: obj.id -> acl, authz: dn, attrs, acl, req. op -> yes/no, doit
- web services, fine grained (e.g. GridSite): mod_ssl (auth), pre-process: parameters -> obj.id + req. op., GACL: obj.id -> acl, authz: dn, attrs, acl, req. op -> yes/no, doit

Slide 16: Local Site Authorization
- Local Centre Authorization Service (LCAS)
  - Handles authorization requests to the local fabric
    - authorization decisions based on proxy user certificate and job specification
    - supports the grid-mapfile mechanism
  - Plug-in framework (hooks for external authorization plug-ins)
    - allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db), GACL
    - plug-in for VOMS (to process authorization data)
- Local Credential Mapping Service (LCMAPS)
  - provides local credentials needed for jobs in the fabric
  - mapping based on user identity, VO affiliation, local site policy
  - plug-ins for local systems (Kerberos/AFS, LDAP nss)
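An added example, not part of the slides and not the LCAS/LCMAPS code base: a Python sketch of the decision and mapping described on slides 10 and 16, fed by the FQAN strings of slide 11. It parses FQANs, runs an LCAS-like chain (ban list, allowed users or accepted VOs, timeslot; every check must pass) and then an LCMAPS-like mapping in which the first FQAN, the default VO, gives the primary UNIX group and the pool account, and the remaining FQANs give secondary groups. The file names follow the slide, but their contents, the DNs, group names and pool accounts are constructed, and the matching rules (group plus role before plain group, pool accounts leased per DN) are my assumptions rather than the real plug-ins' semantics.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FQAN:
    """One VOMS Fully Qualified Attribute Name, e.g. /iteam/devel/Role=admin."""
    vo: str
    group: str                 # full group path, e.g. "/iteam/devel"
    role: Optional[str]
    capability: Optional[str]


# group path, then optional /Role=..., then optional /Capability=...
_FQAN_RE = re.compile(r"^(/[^/=]+(?:/[^/=]+)*)(?:/Role=([^/]+))?(?:/Capability=([^/]+))?$")


def parse_fqan(text: str) -> FQAN:
    """Split an FQAN string into VO, group, role and capability."""
    m = _FQAN_RE.match(text)
    if not m:
        raise ValueError(f"not an FQAN: {text!r}")
    group, role, cap = m.groups()
    # VOMS writes an absent role/capability as the literal string NULL.
    role = None if role in (None, "NULL") else role
    cap = None if cap in (None, "NULL") else cap
    return FQAN(vo=group.split("/")[1], group=group, role=role, capability=cap)


# Constructed site policy: file names as on the slide, contents invented.
SITE_POLICY = {
    "allowed_users": {"/O=Grid/O=EDG/CN=Local User"},    # allowed_users.db
    "ban_users": {"/O=Grid/O=EDG/CN=Mallory Example"},   # ban_users.db
    "allowed_vos": {"iteam", "wp6"},                     # VOMS plug-in: VOs this site serves
    "timeslot": (0, 24),                                 # timeslots.db: hours [start, end)
}


def lcas_decide(dn: str, fqans: List[FQAN], policy=SITE_POLICY,
                now: Optional[datetime] = None) -> Tuple[bool, str]:
    """LCAS-style plug-in chain: the first plug-in that says no ends it."""
    now = now or datetime.now()
    if dn in policy["ban_users"]:
        return False, "ban_users.db: DN is banned"
    if dn not in policy["allowed_users"] and not any(f.vo in policy["allowed_vos"] for f in fqans):
        return False, "not in allowed_users.db and no accepted VO attribute"
    start, end = policy["timeslot"]
    if not start <= now.hour < end:
        return False, "timeslots.db: outside allowed window"
    return True, "authorized"


# Constructed group map and pool accounts in the spirit of LCMAPS configuration.
GROUPMAP = {"/iteam": "iteam", "/iteam/Role=admin": "iteamadm", "/wp6": "wp6"}
POOL = {"iteam": ["iteam001", "iteam002"], "wp6": ["wp6001"]}


def _group_for(f: FQAN) -> Optional[str]:
    """Most specific entry wins: group+role before the plain group (assumption)."""
    candidates = [f"{f.group}/Role={f.role}"] if f.role else []
    candidates.append(f.group)
    for key in candidates:
        if key in GROUPMAP:
            return GROUPMAP[key]
    return None


def lcmaps_map(dn: str, fqans: List[FQAN], leases: Dict[str, str]) -> Dict[str, object]:
    """Slide 10's rule: first FQAN (default VO) -> primary group and pool account;
    the other FQANs -> secondary groups. `leases` maps pool account -> holding DN."""
    if not fqans:
        raise PermissionError("no VOMS attributes: nothing to map")
    default = fqans[0]
    primary = _group_for(default)
    if primary is None:
        raise PermissionError(f"default FQAN {default.group} not known to this site")
    secondary = []
    for f in fqans[1:]:
        g = _group_for(f)
        if g and g != primary and g not in secondary:
            secondary.append(g)
    # Reuse the DN's existing lease in this VO's pool, else take the first free account.
    account = next((a for a in POOL[default.vo] if leases.get(a) == dn), None)
    if account is None:
        account = next((a for a in POOL[default.vo] if a not in leases), None)
        if account is None:
            raise PermissionError(f"pool for VO {default.vo} exhausted")
        leases[account] = dn
    return {"account": account, "primary_group": primary, "secondary_groups": secondary}


if __name__ == "__main__":
    creds = [parse_fqan("/iteam/Role=admin/Capability=NULL"), parse_fqan("/wp6")]
    dn = "/O=Grid/O=EDG/CN=Alice Example"
    print(lcas_decide(dn, creds))
    print(lcmaps_map(dn, creds, leases={}))
```

Note that the order of the FQANs matters: swapping the two attributes in the example changes the primary group and the pool the account is taken from, which is exactly why slide 6 calls the first VO and the first group the defaults.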

Slide 17: edg-java-security
- Trust Manager
  - GSI compatible authentication (supporting proxy chains)
  - Adapters to HTTP and SOAP
  - Currently deployed for Tomcat 4
  - VOMS credential verification
- Authorization Manager
  - Authorization and mapping for Java services
  - Plug-in framework for maps: database, XML file and, for backward compatibility, gridmap-file
  - Handles VOMS attributes

Slide 18: More Information
- European DataGrid Project Security Coordination Group
- LCAS/LCMAPS homepage
- Java Security
- GridSite
- VOMS