Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University.

Slides:



Advertisements
Similar presentations
30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
Advertisements

Security middleware Andrew McNab University of Manchester.
DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.
29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.
20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:
BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file grid “ping”
Andrew McNab - Manchester HEP - 29 January 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
Andrew McNab - SlashGrid, HTTPS, fileGridSite SlashGrid, HTTPS and fileGridSite 30 October 2002 Andrew McNab, University of Manchester
BaBar MC production BaBar MC production software VU (Amsterdam University) A lot of computers EDG testbed (NIKHEF) Jobs Results The simple question:
The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester.
Andrew McNab - Access Control - 28 May 2002 Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester.
Introduction to dCache Zhenping (Jane) Liu ATLAS Computing Facility, Physics Department Brookhaven National Lab 09/12 – 09/13, 2005 USATLAS Tier-1 & Tier-2.
EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,
Andrew McNabETF Firewall Meeting, NeSC, 5 Nov 2002Slide 1 Firewall issues for Globus 2 and EDG Andrew McNab High Energy Physics University of Manchester.
Author - Title- Date - n° 1 Partner Logo WP5 Summary Paris John Gordon WP5 6th March 2002.
Andrew McNab - GridSite/EDG/GGF - 29 Sept 2003 GridSite, EDG and GGF Andrew McNab, University of Manchester
First attempt for validating/testing Testbed 1 Globus and middleware services WP6 Meeting, December 2001 Flavia Donno, Marco Serra for IT and WPs.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
EDG Security European DataGrid Project Security Coordination Group
Security monitoring boxes Andrew McNab University of Manchester.
Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.
Andrew McNab - Security - 1 July 2003 Security: Authorization, Access Control and Usage Control Andrew McNab, University of Manchester
GridSite Web Servers for bulk file transfers & storage Andrew McNab Grid Security Research Fellow University of Manchester, UK.
Andrew McNab - Manchester HEP - 11 May 2001 Packaging / installation Ready to take globus from prerelease to release. Alex has prepared GSI openssh.
Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.
Stephen Burke – Data Management - 3/9/02 Partner Logo Data Management Stephen Burke, PPARC/RAL Jeff Templon, NIKHEF.
Andrew McNab - EDG Access Control - 4 Dec 2002 EDG Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of.
Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.
Andrew McNabGrid in 2002, Manchester HEP, 7 Jan 2003Slide 1 Grid Work in 2002 Andrew McNab High Energy Physics University of Manchester.
Andrew McNab - EDG Access Control - 17 Jun 2003 EU DataGrid and GridPP Authorization and Access Control Andrew McNab, University of Manchester
Security Middleware 3 June 2004 Security Middleware Current Status – GridSite deployments – Architecture GridPP2 – Web services.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
Andrew McNab - Security issues - 4 Mar 2002 Security issues for TB1+ (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University.
Andrew McNab - Globus Distribution for Testbed 1 Globus Distribution for Testbed 1 Andrew McNab, University of Manchester
Security Middleware Andrew McNab University of Manchester.
Data Management The European DataGrid Project Team
Author - Title- Date - n° 1 Partner Logo WP5 Status John Gordon Budapest September 2002.
Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester.
WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen.
LHCb Grid MeetingLiverpool, UK GRID Activities Glenn Patrick Not particularly knowledgeable-just based on attending 3 meetings.  UK-HEP.
Gridification progress report David Groep, Oscar Koeroo Wim Som de Cerff, Gerben Venekamp Martijn Steenbakkers.
Storage Element Security Jens G Jensen, WP5 Barcelona, May 2003.
Andrew McNabSlashGrid/GFS BOF, GGF9, 7 Oct 2003Slide 1 SlashGrid = “/grid” Andrew McNab High Energy Physics University of Manchester
GridSite status Andrew McNab University of Manchester.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
J Jensen / WP5 /RAL UCL 4/5 March 2004 GridPP / DataGrid wrap-up Mass Storage Management J Jensen
Classic Storage Element
DJRA3.1 issues Olle Mulmo.
John Gordon EDG Conference Barcelona, May 2003
Stephen Burke, PPARC/RAL Jeff Templon, NIKHEF
Presentation transcript:

Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University of Manchester

Andrew McNab - Security issues - 17 May 2002 Outline u Sysadmin hitlist u Existing VO vs CAS u Pool accounts u SlashGrid u “UID domains”: NFS, PBS etc. u Need for Grid ACLs u XML Grid ACL’s u GACL library u Certfs as native “container” hosting environment

Andrew McNab - Security issues - 17 May 2002 Sysadmin hitlist u Subjective list of things to eliminate, from my experience and admins I’ve talked to: n Administrative work creating / maintaining user accounts. n Files/processes left over/created in unwanted places by jobs - bad enough when local “students” do this: don’t want Student X from University of Z doing this to our kit via the Grid. n NFS - “No File Security” - difficult/impossible to secure unless physical components of the LAN are secure (ie in a locked room) - makes it easier to compromise more machines once have root on one. u I think we now either have foreseeable solutions to all of these...

Andrew McNab - Security issues - 17 May 2002 Existing VO vs CAS u Have already about VO authorisation servers in use: centrally provided authorisation listings. u Provides a list of DN ’s for a given group: eg an experiment, or a group within an experiment. u Groups have to be defined by an admin of the VO n so an experiment can define the Tau Working Group n but I can ’t define “my friends in the Tau Working Group” myself u However, current system gives the functionality running experiments like BaBar cope with, so ok. u Globus CAS would allow finer grained authorisation. n Do we also need a way for users to define new resources and associate authorisation groups with them? In CAS or locally?

Andrew McNab - Security issues - 17 May 2002 Pool accounts u The other half of removing account creation burden from admins u Widely used by TB1 sites. u Auditing possible since all DN=>UID mappings recorded in log files. u Same pool mappings can be shared across a farm by sharing gridmapdir with NFS (file ops are suitably atomic - but NFS still!) u Existing system works ok for CPU+tmpfile only jobs. u But not really appropriate if users creating long lived files at the site in question. u Limitations are because files are still owned by Unix UID: can’t recycle UID until all files created have been removed.

Andrew McNab - Security issues - 17 May 2002 SlashGrid / certfs u Framework for creating “Grid-aware” filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. n Source, binaries and API notes: u certfs.so plugin provides local storage governed by Access Control Lists based on DN’s. u Since most ACL’s would have just one entry, this is equivalent to file ownership by DN rather than UID. n solves admin worries about long lived files owned by pool accounts. n if pool accounts are prevented from writing to normal disks, then no chance they will write something unpleasant somewhere unexpected. u (Also, a GridFTP plugin could provide secure replacement for NFS.)

Andrew McNab - Security issues - 17 May 2002 “UID domains” u Each testbed site currently constitutes a “UID domain” in which DN=>UID mappings must be consistent on all machines. n Currently achieved by sharing grid-mapfile or gridmapdir by NFS (or replicating with LCFG) u This arises from two major components: n NFS sharing of disks. n Local batch (usually PBS) by default assumes same UID on front and backend machines. u Would simplify recycling of pool accounts on gatekeeper if didn’t need to maintain this consistency: n gatekeeper would just allocate a pool UID which had no processes already running n if use “gsiftpfs” instead of NFS, then DN=>UID mappings done dynamically on SE etc too n but, would need to configure / modify PBS etc to dynamically allocate a UID on backend node and copy proxy?

Andrew McNab - Security issues - 17 May 2002 Need for “Grid ACL’s” u Initial idea of SlashGrid/certfs was to replace ownership by UID to ownership by DN via an ACL. u For simplicity, would want to use same ACL format for gsiftpfs etc. u Current prototype is plain text, per-directory ACL in.grid-acl u As a file, this can be stored in directories, copied via unmodified http, gsiftp channels and easily manipulated by scripts and applications. u Implementing ACL’s could also solve some other issues to emerge with TB1: n eg per-UID tape storage: could store all tape files with one UID but associate ACL with the file and use that. u Sysadmins want disk filesystem ACL’s on same physical disk as files if possible.

Andrew McNab - Security issues - 17 May 2002 Grid ACL vs CAS (or fine-grained VO) u CAS provides ACL-like feature of specifying what action (eg write) is permissible on an object (eg tau-wg-montecarlo). u (If using lots of subgroups within a VO, could achieve much the same thing: eg define a group of people in tau-wg-montecarlo-write) u In some cases, this could be used to provide ACL functionality. u However, it is too coarse grained and too heavyweight for all contexts n eg if my job creates a temporary, working directory in /grid/tmp, I don’t want to setup a new entry on the central CAS machine to control this. u The two systems should be seen as complementary n when you create some tau Monte Carlo, put it somewhere the ACL gives write access for people with “tau-wg-montecarlo write.”) n when you just create a temporary directory, the ACL defaults to just the creator having admin access.

Andrew McNab - Security issues - 17 May 2002 XML Grid ACL? u Several variations of XML Grid Access Control Lists have been suggested. u XML-based format an obvious choice, since: n (a) have XML parsers around already for other things n (b) many protocols and metadata formats going to XML so could easily include a Grid ACL n (c) XML is extensible so we don’t need to predict the future so much. u For files, most seem to be based on about 4 levels: read, list, write and admin (cf AFS.) u Then associate these with combinations of personal DN’s, CAS objects and LDAP VO groups.

Andrew McNab - Security issues - 17 May 2002 Just one example XML Grid ACL format... ldap://ldap.abc.ac.uk/ ou=xyz,dc=abc,dc=ac,dc=uk /O=Grid/OU=abc.ac.uk/DN=AbcCAS Can-read- /O=Grid/DN=Andrew

Andrew McNab - Security issues - 17 May 2002 GACL library u XML ACL format not decided but want to write code that needs it now (GridSite in production for GridPP; SlashGrid to be in EDG 1.3.) u ACL may change again in the future; may need to understand different (ugh!) ACL’s from other Grid projects. u Insulate G-S and S-G from this by moving existing ACL handling functions into a standalone library, and make this understand XML. u Handles ACL’s in a reasonably general way, packs C structs with their contents and provides access functions to manipulate the structs as new types: n GACLlevel - read, list, write, admin... n GACLcred - a DN, VO group or CAS object. n GACLentry - several credentials, plus Allow and Deny for Levels. n GACLacl - several entries.

Andrew McNab - Security issues - 17 May 2002 GACL library (2) u Currently uses libxml to do basic XML parsing n can read from files or from strings in memory. u Functions like GACLnewCred(int type, char *issuer, char *name) provided to build up new ACL’s in memory, and manipulate or evaluate existing ones. u Working version of GridSite using GACL exists; SlashGrid next. u Intend to provide file and directory utility functions: n “read in the ACL for file /dir1/dir2/xyz” looks in /dir1/dir2/.gacl-xyz for a file ACL, then /dir1/dir2/.gacl, /dir1/.gacl … n but don’t limit functionality to files (ACL’s on metadata? queues? RB’s?) u Currently, implements XML format from earlier slide. u See for source and API description of version.

Andrew McNab - Security issues - 17 May 2002 Certfs as container hosting environment u Some of the OGSA discussions make distinction between simple (eg native Linux) and container (eg Java or.NET) hosting environments. u The original motivation for “in a box” environments is security. u OGSA interest is in creating new services dynamically: this is easier if services are “in a box” to start with. u Certfs is motivated by desire to keep users from making long lived UID-owned files. u However, it is also a step towards the kind of dynamic environments OGSA talks about. u Is the answer to our concerns about security and our desire for flexible, dynamic services, to make Unix UID’s as transitory as Process Group ID’s?

Andrew McNab - Security issues - 17 May 2002 Summary u Most of the concerns of admins are being addressed to some extent. u Current VO system is probably sufficient, but CAS would be more flexible. u Pool accounts are useful but limited by UID file ownership issues. u SlashGrid / certfs intended to provide solution to this. u Defining a Grid ACL format deals with other issues too. u Do this in XML: what format? u GACL library provides API for handling whatever is decided. u How far can we go towards make UID’s purely transitory?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.