Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.

Presentation transcript:

9/24/2006 APAC 2006 VOMRS

Talk Outline
- Privilege Project
- Project Collaboration
- GUMS
- PRIMA/SAML
- gPlazma
- SAZ
- Future
- Contacts, etc.

Privilege Project
Goal: the Privilege Project provides fine-grained authorization for access to grid-enabled resources and services.
- Improves user account assignment and management at grid sites.
- Reduces the associated administrative overhead.
- Provides flexible and dynamic user-to-account mapping based not only on user identity (distinguished name) but also on VO-related attributes (FQAN), with least-privilege access.
- Limits the damage a malicious entity can cause when a user's credentials are compromised.
- Obtains different authorization for different activities.
The VO Privilege Project software relies on, interfaces to and further develops at least some of the following independent pieces of VO-implemented and site-implemented authorization software: VOMRS, VOMS, the gridmap callout interface, GUMS, gPlazma and SAZ. The project is responsible for the development and maintenance of this infrastructure and for assisting with deployment and support on the OSG.

Privilege Project Collaboration (slide from G. Garzoglio's presentation at the HPDC Workshop)
- Stakeholders giving requirements: US CMS and US ATLAS.
- Joint project of Fermilab, BNL, PPDG, Virginia Tech, UCSD and OSG.
- Different institutions are responsible for the maintenance of different components.
- Project started in 2003.
- Core software distributed via VDT.

Privilege Project Architecture (diagram; the slide's figure is not reproduced in this transcript)
Components shown: VO Management Services (VOMRS and VOMS; users register with VOMRS, which synchronizes with VOMS), and a Grid Site with Sitewide Services (SAZ, GUMS), a CE (Gatekeeper with Prima/SAML callouts in C and the Job Manager) and an SE (SRM with gPlazma and a Storage Auth Service using the Prima/SAML client in Java).
Flows shown: the user runs get-voms-proxy and submits a request with the voms-proxy; the gatekeeper asks "Is authorized?" with the DN and FQAN and receives Yes/No from SAZ and a user name from GUMS; gPlazma passes the DN and FQAN to the Storage Auth Service and receives the user name and storage privilege set.
Legend: Privilege Project Module.

GUMS
Goal: GUMS (Grid User Management System) maps users' grid credentials to site-specific identities in accordance with the site's grid resource usage policy.
- Replaces the Globus grid-mapfile.
- Retrieves membership information from a VO server such as LDAP or VOMS.
- Can be configured to generate static grid-mapfiles or to map users dynamically as each job is submitted.
  - If configured to generate a grid-mapfile, GUMS downloads the file to each gatekeeper as scheduled or as requested by an administrator via the GUMS client tools.
  - If configured to map users dynamically and individually, GUMS is called by the gatekeeper via PRIMA callouts upon each job submission.
- Uses a configuration file written in XML. It maps a particular group of users to either a pool account or an individual account.
- Stores the pool account and DN of a user in a database.
  - Does not reuse an assigned pool account.
  - Has ways to increase the pool range.
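The mapping behaviour described above (group-of-users rules, sticky non-reused pool accounts, an administrator extending the pool range, and static grid-mapfile generation from the same rules), as an added Python illustration that is not GUMS's own code. MappingRule is a simplified stand-in for the real XML configuration, the assignment "database" is an in-memory dict, and all DNs, FQANs and account names are constructed for the example.

```python
"""GUMS-style mapping of grid credentials (DN + FQAN) to site accounts.

Added illustration written for this page, not GUMS's own code. MappingRule is
a simplified stand-in for GUMS's XML configuration, the assignment "database"
is an in-memory dict, and the DNs and FQANs below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MappingRule:
    """One group of users, selected by VOMS FQAN, mapped to one kind of account."""
    fqan: str                          # group/role this rule matches, e.g. "/cms"
    individual: Optional[str] = None   # single shared account for the whole group
    pool_prefix: Optional[str] = None  # pool accounts <prefix>001, <prefix>002, ...
    pool_size: int = 0                 # current upper bound of the pool range

    def matches(self, fqan: str) -> bool:
        # exact FQAN, or any sub-group/role beneath it
        return fqan == self.fqan or fqan.startswith(self.fqan + "/")


@dataclass
class Gums:
    rules: List[MappingRule]           # evaluated in order: first match wins,
                                       # so put the more specific rules first
    # "database": (DN, pool prefix) -> pool account. An account assigned to a
    # DN is never handed to a different DN, so the site can always trace a
    # pool account back to the one person who ever used it.
    assignments: Dict[Tuple[str, str], str] = field(default_factory=dict)
    next_index: Dict[str, int] = field(default_factory=dict)

    def map_user(self, dn: str, fqan: str) -> Optional[str]:
        """Dynamic mapping as on a PRIMA callout; None means no account (deny)."""
        for rule in self.rules:
            if not rule.matches(fqan):
                continue
            if rule.individual:
                return rule.individual
            key = (dn, rule.pool_prefix)
            if key in self.assignments:
                return self.assignments[key]      # sticky: same DN, same account
            idx = self.next_index.get(rule.pool_prefix, 1)
            if idx > rule.pool_size:
                return None                       # pool exhausted: deny, never recycle
            account = f"{rule.pool_prefix}{idx:03d}"
            self.assignments[key] = account
            self.next_index[rule.pool_prefix] = idx + 1
            return account
        return None                               # no matching rule

    def extend_pool(self, pool_prefix: str, new_size: int) -> None:
        """Administrator action: raise the range of a pool that has run out."""
        for rule in self.rules:
            if rule.pool_prefix == pool_prefix:
                rule.pool_size = max(rule.pool_size, new_size)

    def grid_mapfile(self, members: List[Tuple[str, str]]) -> str:
        """Static grid-mapfile ('"DN" account' lines) for a list of (DN, FQAN)."""
        lines = []
        for dn, fqan in members:
            account = self.map_user(dn, fqan)
            if account is not None:
                lines.append(f'"{dn}" {account}')
        return "\n".join(lines) + "\n"


# Constructed site policy: the production role gets a shared account, everyone
# else in the VO gets a personal pool account out of a (deliberately tiny) range.
SITE_RULES = [
    MappingRule("/cms/Role=production", individual="cmsprod"),
    MappingRule("/cms", pool_prefix="cms", pool_size=2),
]

# Constructed VO membership as GUMS would pull it from VOMS: (DN, FQAN)
MEMBERS = [
    ("/DC=example/OU=People/CN=Alice", "/cms/Role=production"),
    ("/DC=example/OU=People/CN=Bob", "/cms/Role=NULL/Capability=NULL"),
    ("/DC=example/OU=People/CN=Carol", "/cms/Role=NULL/Capability=NULL"),
    ("/DC=example/OU=People/CN=Dave", "/atlas/Role=NULL/Capability=NULL"),
]


def demo() -> str:
    """Generate the static grid-mapfile for the constructed membership."""
    return Gums(SITE_RULES).grid_mapfile(MEMBERS)


if __name__ == "__main__":
    print(demo(), end="")
```

Dave, whose FQAN belongs to a VO with no rule, gets no line in the grid-mapfile and would be denied on a dynamic callout; when the pool is exhausted the mapper also denies rather than reusing an account, and only the explicit extend_pool step lets new users in.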

PRIMA/SAML
- PRIMA is an implementation of the Globus authorization callout.
- Allows message exchange between Globus and the Authorization Service using the SAML protocol.
- Extracts proxy information from the certificate.
- Retrieves mapping information from the Authorization Service.
PRIMA provides for the grid-layer management and delegation of privileges on a user-to-user and administrator-to-user basis. The holder of privileges can selectively provide individual privileges to grid resources when requesting access. This enables least-privilege access to resources and ensures that the user has fine-grained control over the resource usage of requested services. The user-supplied privileges are combined with the administrator-provided policies to render a dynamic authorization decision.

gPlazma
Goal: gPlazma (Grid-aware PLuggable AuthoriZation MAnagement) provides the authorization decision and the site-specific user information relevant to a user's credential when requested by storage cells (gridFtpdoor, SRM).
- Supports the use of plugins which implement various selectable authorization methods.
- One of the methods uses the PRIMA Java SAML libraries to form a SAML query and contacts the Storage Auth Service, which
  - retrieves the username from GUMS by providing the user's DN and FQAN
  - retrieves the storage-privilege set {uid, gid, permitted storage area, r/w permissions} from the Storage Meta Data Service
  - returns a User Authorization Record (in SAML response format) to gPlazma

SAZ
Goal: SAZ (Site Authorization Service) allows the security authorities of a grid site to impose sitewide policy and to control access to the site.
- Allows administrators to control user access to the site resources.
- Provides means to retrieve information about users and their access.
- Authorizes a user by checking
  - the user's certificate chain
  - the status of the VO FQAN provided in the extended certificate
  - the user's access status
- Provides centralized maintenance of Certificate Revocation Lists (CRLs).
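The three SAZ checks listed above (certificate chain, VO FQAN status, user access status) plus the CRL lookup, as an added Python illustration that is not SAZ's own code. The certificate records, the CRL set, the VO status table and the user access table are constructed in-memory stand-ins for the real X.509 chain, CRL files and SAZ database; the denial reasons are chosen for this example so that an operator can see which of the checks rejected a request.

```python
"""SAZ-style sitewide authorization decision.

Added illustration written for this page, not SAZ's own code. The certificate
chain, the CRL, the VO status table and the user access table are constructed
in-memory records standing in for the real X.509 chain, CRL files and the SAZ
database. The decision follows the slide: chain, VO FQAN status, user status.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_after: int      # expiry as seconds since the epoch


# Constructed site trust data (stand-ins for the CA bundle and SAZ database)
TRUSTED_CAS: Set[str] = {"/DC=example/CN=Example CA"}
# CRL entries maintained centrally by SAZ: (issuer, serial) of revoked certs
CRL: Set[Tuple[str, int]] = {("/DC=example/CN=Example CA", 42)}
# VO status as recorded by the site: only enabled VOs may use the site
VO_STATUS: Dict[str, str] = {"cms": "enabled", "atlas": "disabled"}
# Per-user access status set by the site security authorities
USER_STATUS: Dict[str, str] = {"/DC=example/OU=People/CN=Mallory": "banned"}


def vo_of(fqan: str) -> str:
    """The VO is the first FQAN component: '/cms/Role=production' -> 'cms'."""
    return fqan.strip("/").split("/")[0]


def check_chain(chain: List[Cert], now: int) -> str:
    """Return '' if the proxy chain is acceptable, else the reason it is not.

    chain[0] is the (VOMS) proxy and chain[-1] the user's end-entity
    certificate; CA certificates are not part of the chain, so the
    end-entity certificate must be issued directly by a trusted CA.
    """
    if len(chain) < 2:
        return "no proxy chain presented"
    for cert in chain:
        if cert.not_after <= now:
            return f"expired certificate: {cert.subject}"
        if (cert.issuer, cert.serial) in CRL:
            return f"revoked certificate: {cert.subject}"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:          # each cert signed by the next
            return f"broken chain at {child.subject}"
    if chain[-1].issuer not in TRUSTED_CAS:
        return f"untrusted CA: {chain[-1].issuer}"
    proxy, eec = chain[0], chain[-1]
    if not proxy.subject.startswith(eec.subject):   # proxy DN extends holder DN
        return "proxy subject does not extend the holder's DN"
    return ""


def saz_authorize(chain: List[Cert], fqan: str, now: int) -> Tuple[bool, str]:
    """The three SAZ checks, in order: chain, VO FQAN status, user access status."""
    reason = check_chain(chain, now)
    if reason:
        return False, reason
    vo = vo_of(fqan)
    if VO_STATUS.get(vo) != "enabled":
        return False, f"VO '{vo}' is not enabled at this site"
    holder = chain[-1].subject
    if USER_STATUS.get(holder, "ok") != "ok":
        return False, f"user access status is '{USER_STATUS[holder]}'"
    return True, "authorized"


CA = "/DC=example/CN=Example CA"
NOW = 1_700_000_000


def make_chain(cn: str, serial: int, expires: int = NOW + 3600) -> List[Cert]:
    """Constructed [proxy, end-entity] chain for a user signed by the example CA."""
    dn = f"/DC=example/OU=People/CN={cn}"
    eec = Cert(dn, CA, serial, expires)
    proxy = Cert(dn + "/CN=proxy", dn, 1, expires)
    return [proxy, eec]


def demo() -> List[Tuple[str, bool, str]]:
    """Run the decision over constructed requests; returns (label, allowed, reason)."""
    cms = "/cms/Role=NULL/Capability=NULL"
    cases = [
        ("Alice", make_chain("Alice", 7), cms),
        ("Mallory", make_chain("Mallory", 8), cms),
        ("Bob (revoked)", make_chain("Bob", 42), cms),
        ("Carol (atlas)", make_chain("Carol", 9), "/atlas/Role=NULL/Capability=NULL"),
        ("Dave (expired)", make_chain("Dave", 10, NOW - 1), cms),
    ]
    return [(name, *saz_authorize(chain, fqan, NOW)) for name, chain, fqan in cases]


if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{name:15s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The checks are ordered so that the cheapest and most decisive rejection comes first: a revoked or expired credential is refused before any VO or user table is consulted, and a valid credential from a banned user is still refused by the last check, which is what lets the site override a VO's membership decision.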

Future Directions (slide from G. Garzoglio's presentation at the HPDC Workshop)
- Publication of role-based privilege policies
- Simplify / aggregate architecture
  - Streamline gPlazma infrastructure (direct connection to GUMS)
  - Reorganization of PDP services (GUMS talking to SAZ)
  - Update communication protocols (from extended SAML v1.1 to SAML v2.0)
  - Improve PRIMA build process
- Extend privilege enforcing to network management
- Long-term directions
  - Investigate direct DN rights enforcement (no UID mapping)
  - Integrate Privilege Project with Policy Discovery Services
  - Extend privilege enforcing to include privacy
  - Executable integrity

Contacts, etc.
- Project leader: G. Garzoglio. On the web at:
- GUMS: developed by G. Carcassi (BNL), currently supported by J. Hover (BNL). On the web:
- PRIMA/SAML callouts: developed by M. Lorch, currently supported by I. Sfiligoi. On the web:
- gPlazma: developed by A. Rana, currently supported by T. Hesselroth. On the web:
- SAZ: developed by V. Sekhri, currently supported by V. Sergeev. On the web: (old)