Edg-voms-admin European DataGrid Project Security Coordination Group

Slides:

Advertisements

Similar presentations

Introduction of Grid Security

Advertisements

Data Management Expert Panel - WP2. WP2 Overview.

JLab Lattice Portal – Data Grid Web Service Ying Chen, Chip Watson Thomas Jefferson National Accelerator Facility.

DataGrid is a project funded by the European Commission under contract IST WP2 – R2.1 Overview of WP2 middleware as present in EDG 2.1 release.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

Participation in the development of certification tests for LCG/GLITE Galaktionov V.V. The works presented in the report are executed in accordance to.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

Holding slide prior to starting show. Supporting Collaborative Working of Construction Industry Consortia via the Grid - P. Burnap, L. Joita, J.S. Pahwa,

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

Multiple Tiers in Action

Security Mechanisms The European DataGrid Project Team

APACHE SERVER By Innovationframes.com »

Session 5: Working with MySQL iNET Academy Open Source Web Development.

Xrootd Authentication & Authorization Andrew Hanushevsky Stanford Linear Accelerator Center 6-June-06.

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) VOMS Installation and configuration Bouchra

M1G Introduction to Database Development 6. Building Applications.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:

GEON meeting - May 22, 2006 GAMA 2.0 Features and Status Kurt Mueller SDSC.

5/17/2004VOMRS Technical Overview1 VOMRS Technical Overview John Weigand.

Mark Dixon 1 09 – Java Servlets. Mark Dixon 2 Session Aims & Objectives Aims –To cover a range of web-application design techniques Objectives, by end.

Browser User Certificate Mail Box VOMS-Admin Host Tomcat TR1) Users Trusts “VOMS-Admin” server identity. step1 TR2) User Trusts data (Data1, HTML response)

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

EDG Security European DataGrid Project Security Coordination Group

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks AMGA PHP API Claudio Cherubino INFN - Catania.

Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.

Ákos FROHNER – DataGrid Security n° 1 Security Group D7.6 Design Ideas

WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.

EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.

DATABASE CONNECTIVITY TO MYSQL. Introduction =>A real life application needs to manipulate data stored in a Database. =>A database is a collection of.

INFSO-RI Enabling Grids for E-sciencE Installing a gLite VOMS Server Giuseppe La Rocca INFN EGEE Tutorial Rome November 2005.

INFSO-RI Enabling Grids for E-sciencE

VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.

DGC Paris WP2 Summary of Discussions and Plans Peter Z. Kunszt And the WP2 team.

OSG AuthZ components Dane Skow Gabriele Carcassi.

INFSO-RI Enabling Grids for E-sciencE Installing a gLite VOMS server Joachim Flammer Integration Team, CERN EMBRACE Tutorial, Clermont-Ferrand.

Services Security A. Casajus R. Graciani. 12/12/ Overview DIRAC Security Infrastructure HSGE Transport Authentication Authorization DIRAC Authorization.

VO Membership Registration Workflow, Policies and VOMRS software (VOX Project) Tanya Levshina Fermilab.

DSpace System Architecture 11 July 2002 DSpace System Architecture.

Virtual Organization Membership Service eXtension (VOX) Ian Fisk On behalf of the VOX Project Fermilab.

CP476 Internet Computing Perl CGI and MySql 1 Relational Databases –A database is a collection of data organized to allow relatively easy access for retrievals,

INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.

WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service.

INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.

Ákos FROHNER – DataGrid Security n° 1 Security Group TODO

DGC Paris Spitfire A Relational DB Service for the Grid Leanne Guy Peter Z. Kunszt Gavin McCance William Bell European DataGrid Data Management.

VOX Project Tanya Levshina. 05/17/2004 VOX Project2 Presentation overview Introduction VOX Project VOMRS Concepts Roles Registration flow EDG VOMS Open.

Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()

15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.

EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.

1 Enabling Grids for E-sciencE Joachim Flammer Service Management Configuration, service instrumentation & service management Joachim Flammer on behalf.

Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.

CS320 Web and Internet Programming Database Access with JDBC Chengyu Sun California State University, Los Angeles.

VOX Project Status Report Tanya Levshina. 03/10/2004 VOX Project Status Report2 Presentation overview Introduction Stakeholders, team and collaborators.

Virtual Organization Management Registration Service (VOMRS) T. Levshina J. Weigand S. White Co-Authors: L. Bauerdick, G. Carcassi, I. Fisk, A. Heavey,

Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.

Jean-Philippe Baud, IT-GD, CERN November 2007

UVOS and VOMS differences

R-GMA Security Principles and Plans

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

Creating Novell Portal Services Gadgets: An Architectural Overview

Update on EDG Security (VOMS)

Presentation transcript:

edg-voms-admin European DataGrid Project Security Coordination Group

edg-voms-admin - n° 2 VOMS architecture  MySQL database – with history and audit records  core query service and client in C++  Java Web Service based administration interface n Perl client (batch processing) n Web browser client (generic administrative tasks)  replication is planned, but not implemented yet command line interface SOAP+SSL Perl Web interface HTTP+SSL web browser MySQL++ C++ Core Server voms-proxy-init SSL C++ Database MySQL JDBC Admin server VOMSAdmin VOMSHistory VOMSCompatibility Java / AXIS / Tomcat Web service VOMSRequest

edg-voms-admin - n° 3 VOMS internals  SOAP and HTTP access are sharing the implementation of the business logic  authentication: Trust Manager (edg-java-security)  authorization: ACL checking logic inside the implementation SOAP+SSL HTTP+SSL JDBC Admin server TrustManager Axis servlet web-ui servlet security context TrustManager VOMSAdmin VOMSHistory VOMSCompatibility VOMSRequest ACL checking DB* classes...

edg-voms-admin - n° 4 Proxy in Perl client package EDG::HTTPS; sub setEnv { # euid is not 0: this is a user with user cert or proxy if($>) { $proxy = $ENV{X509_USER_PROXY} || "/tmp/x509up_u". $>; splitProxy(); $ENV{HTTPS_CERT_FILE} = $proxy. ‘.proxy’; $ENV{HTTPS_KEY_FILE} = $proxy. ‘.key’; $ENV{HTTPS_CA_FILE} = $proxy. ‘.user’; { # fallback solution: the real user certificate $ENV{HTTPS_CERT_FILE} = $ENV{X509_USER_CERT} || $ENV{HOME}.'/.globus/usercert.pem'; $ENV{HTTPS_KEY_FILE} = $ENV{X509_USER_KEY} || $ENV{HOME}.'/.globus/userkey.pem'; } # euid is 0: this is a daemon, so we use the hostcert/key else { $ENV{HTTPS_CERT_FILE} = $ENV{X509_USER_CERT} || '/etc/grid-security/hostcert.pem'; $ENV{HTTPS_KEY_FILE} = $ENV{X509_USER_KEY} || '/etc/grid-security/hostkey.pem'; } $ENV{HTTPS_VERSION} = 3; $ENV{HTTPS_CA_DIR} = $ENV{X509_CERTDIR} || '/etc/grid-security/certificates'; }

edg-voms-admin - n° 5 SecurityContext package org.edg.security.voms.service; public class InitSecurityContext extends BasicHandler { public static void initSC (ServletRequest req) { SecurityContext sc = new SecurityContext(); SecurityContext.setCurrentContext(sc); sc.setClientCertChain((X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate")); // We use the old DN format in the database. if (sc.getClientName () != null) sc.setClientName (new DNConvert (sc.getClientName ()).removeProxySuffix (DNConvert.X500)); if (sc.getIssuerName () != null) sc.setIssuerName (new DNConvert (sc.getIssuerName ()).reformat (DNConvert.X500)); }

edg-voms-admin - n° 6 VOMSAdmin.getUser() package org.edg.security.voms.service.admin; public final class VOMSAdminSoapBindingImpl implements VOMSAdmin { synchronized public User getUser (String username, String userca) throws RemoteException { try { QueryWrapper c = QueryWrapper.get (); try { DBGroup vo = DBGroup.getVOGroup (c); vo.checkPermission (c, Operation.LIST); User result = DBUser.getInstance (c, username, DBCA.getInstance (c, userca)).getAsUser (c); log.info ("Returned detailed information about user \"" + result.getDN () + "\""); return result; } finally { c.release (); }

edg-voms-admin - n° 7 DBGroup.checkPermission() package org.edg.security.voms.database; final public class DBGroup implements DBContainer { public void checkPermission (Connection c, Operation o) { getACL (c).checkPermission (c, o); } public DBACL getACL (Connection c) { return DBACL.getInstance (c, aclId, this); } CREATE TABLE acl ( -- Access Control List for containers aid bigint unsigned NOT NULL, -- ACL identifier (common id for all entries in one list) adminid bigint NOT NULL,-- Administrator's identifier operation smallint NOT NULL,-- Operation on the container allow tinyint NOT NULL, -- 0 means deny, 1 means allow ) CREATE TABLE admins ( -- List of the administrator users adminid bigint NOT NULL, -- Administrator's identifier dn varchar(250) NOT NULL, -- the DN of the administrator ca smallint unsigned NOT NULL, -- Issuer certificate authority ) CREATE TABLE groups ( -- Holds all groups in a VO. gid bigint unsigned NOT NULL, -- Internal entity identifier. dn varchar(255) NOT NULL, -- Fully Qualified Group Name parent bigint unsigned NOT NULL, -- Parent group. -- Applied ACL (entries are in 'or' relation). aclid bigint unsigned NOT NULL, -- Default ACL for a group/role created under this group. defaultAclid bigint unsigned NOT NULL, )

edg-voms-admin - n° 8 Access Control Lists container.checkPermission (operation)  An ACL is a set of subject-operation-allow triplets bound to a container n The subject is (an attribute of) the client requesting the operation n If the allow flag is true the access is granted (positive match), if false access is denied (negative match)  Subject is matched against all known attributes of the client n Client’s DN+CA (direct match) n Authorization Manager attributes n VOMS attributes in the local database n VOMS attributes embedded in the client’s proxy cert  Access is granted iff there is a positive match and there is no negative match

edg-voms-admin - n° 9 Request handling (plans)  VOMSRequest interface for request processing outside the core VOMS database tables: n new user in the VO n member in an existing group n... and for the rest upon request  planned: extensible Producer/Consumer pattern as an implementation to satisfy complex use cases (e.g. US-CMS VOX project, multiple admins) newconfirmedaccepteddone newCreateUserRequest confirm Address allowRequest createUser to the requestor: address confirmation to the administrator: new request notification denied denyRequest to the requestor: request is accepted/denied

edg-voms-admin - n° 10 Installation  Install RPMs: edg-voms-admin, edg-voms-admin-interface, edg- voms-admin-config (, edg-voms-admin-client)  edg-voms-admin-configure install –-vo=fred –dbapwd=...  $EDG_LOCATION/etc/init.d/edg-voms-admin start  edg-voms-admin-local fred --add-admin  edg-voms-admin-local fred --add-host  CLI: edg-voms-admin –url= list-users  web:

edg-voms-admin - n° 11 VOMS migration VO-LDAPVOMS userservice proxy gridmap-file edg-mkgridmap voms-ldap-sync grid-proxy-init phase 0. VO-LDAPVOMS userservice proxy (voms) gridmap-file edg-mkgridmap ldap-voms-sync voms-proxy-init phase 2. VO-LDAPVOMS userservice proxy gridmap-file edg-mkgridmap voms-ldap-sync grid-proxy-init phase 1. VOMS userservice gridmap-file voms-proxy-init phase 3. proxy (voms) testing the VOMS serversuser management on VOMS compatibility mode: mixed servicesfully migrated: only VOMS aware services