WP3 Security and R-GMA
Linda Cornwall

WP3 [Diagram: EDG authorization architecture. A User holding a VOMS credential connects to a service; the dn (or dn + attrs) is authenticated (Java or C paths), goes through authr / map / pre-proc (LCAS, LCMAPS) and is then checked against an acl. Coarse-grained services: e.g. Spitfire (WP2 service), CE / Gatekeeper (WP4). Fine-grained services: e.g. RepMeC (WP2/WP3), SE and /grid (WP5).]

edg-java-security
Provided by WP2.
Trustmanager (but no delegation).
Authorization service:
– Coarse grained – authorization on the front of a service (i.e. y/n: can the person connect?)
– Fine grained – authorization within a service (some development on this – no documentation).

Trustmanager and R-GMA
Tried out using the trustmanager on a version of R-GMA prior to re-factoring:
– Hard-coded changes, rather than proper setup scripts.
– ServletConnectionTest worked.
– Tells me what I need to do.

How to integrate the trustmanager
Install a lot of the globus and edg security related stuff.
Modify rgma-config, config-rgma-tomcat, ...
– To allow a choice of http or https connections.
– To include all the extra dependencies.
– To configure tomcat, using trustproperties.
Create trustproperties configuration files for user and service.

How to integrate the trustmanager (contd)
Modify ServletConnection to use the trustmanager (possibly a different version for a service connecting on and for the actual end client, as each will need a different trustproperties file).
– Maybe modify each service that connects on?
C and C++ APIs will need modification too. We can (hopefully) find out how to modify the C and C++ APIs from other WPs or globus – I think this problem has already been addressed.

What we will have with the trustmanager
The client will authenticate themselves with the service.
Servlets will authenticate with one another.
No delegation, therefore no authentication between the user and a service that one servlet connects on to.
If a trusts b, a then has to trust everyone b trusts. If b trusts c, a has to trust everyone that b and c trust ...

Authorization for J+30
Plan to have users only seeing their own jobs.
The only way to do this in the absence of delegation in the trustmanager is:
– extract the DN of the user when they connect;
– pass this to the next servlet, or refuse the request if they are asking for info that does not match;
– or does the user ALWAYS connect directly to the Producer of the job info?
Not secure – anyone with an acceptable certificate could get the info – but they would have to write their own code.

[Diagram: R-GMA components. Sensor Code uses the Producer API to drive a Producer Instance; Application Code uses the Consumer API to drive a Consumer Instance; both reach the Registry ("Event Dictionary") through the Registry API and the Schema through the Schema API. Annotation on the consumer-to-producer path: if job info – does the DN match? Have to trust the consumer to pass on the DN.]

Rogue Consumer
[Diagram: a Rogue Consumer with an acceptable certificate passes a DN of its choosing to the producer; the DN matches, so the info is returned.]
Without delegation it is possible to obtain info one is not authorized to see. But it requires a consumer to be hacked or written.
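The three slides above (transitive trust between servlets, DN passing for J+30, and the rogue consumer) describe one failure mode: without delegation the producer can only authenticate the consumer servlet, so it has to take the DN the consumer asserts at face value. The model below is an added example, not R-GMA or edg-java-security code. It stands in for X.509/GSI with a Lamport one-time signature scheme built on hashlib so it runs offline; the CA name, the DNs, the job table and the "/CN=proxy" naming rule are constructed for the example. It shows the honest and rogue consumer in the trustmanager-only case, and then the same rogue failing once the producer verifies a delegated credential chain itself.

```python
"""Toy model: producer trusting an asserted DN (no delegation) vs. producer
verifying a delegated credential chain.  Added example, not EDG code; the
signature scheme (Lamport, hashlib-based), CA, DNs and job table are constructed."""
import hashlib
import json
import os

H = lambda b: hashlib.sha256(b).digest()

def keygen():
    """Lamport key pair: 256 pairs of random secrets; public key = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a).hex(), H(b).hex()) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1].hex() for i in range(256)]

def verify(pk, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(
        H(bytes.fromhex(sig[i])).hex() == pk[i][(d >> (255 - i)) & 1] for i in range(256))

def tbs(subject, issuer, pk):
    """Canonical to-be-signed bytes of a toy certificate."""
    return json.dumps({"subject": subject, "issuer": issuer, "pk": pk}, sort_keys=True).encode()

def issue(issuer_sk, issuer_dn, subject, subject_pk):
    return {"subject": subject, "issuer": issuer_dn, "pk": subject_pk,
            "sig": sign(issuer_sk, tbs(subject, issuer_dn, subject_pk))}

def verify_chain(chain, trust_store):
    """chain[0] is the presented cert, chain[-1] must be issued by a CA in trust_store.
    Returns the end-entity DN (proxies only narrow it), or None if any link fails."""
    for cert, parent in zip(chain, chain[1:] + [None]):
        issuer_pk = parent["pk"] if parent else trust_store.get(cert["issuer"])
        if issuer_pk is None or not verify(
                issuer_pk, tbs(cert["subject"], cert["issuer"], cert["pk"]), cert["sig"]):
            return None
        # a proxy may only extend its issuer's DN, never claim a different identity
        if parent and (cert["issuer"] != parent["subject"]
                       or not cert["subject"].startswith(parent["subject"] + "/")):
            return None
    return chain[-1]["subject"]

JOBS = {"job-001": "/O=Grid/CN=alice", "job-002": "/O=Grid/CN=bob"}  # constructed: job -> owner DN

def producer_no_delegation(consumer_cert, asserted_dn, job_id, trust_store):
    """J+30 case: producer authenticates the consumer servlet and must believe the DN it passes on."""
    if verify_chain([consumer_cert], trust_store) is None:
        return "denied: consumer not authenticated"
    return "ok" if JOBS[job_id] == asserted_dn else "denied: DN does not match"

def producer_with_delegation(proxy_chain, job_id, trust_store):
    """Beyond J+30: producer authenticates the end user's delegated credential itself."""
    dn = verify_chain(proxy_chain, trust_store)
    if dn is None:
        return "denied: bad credential"
    return "ok" if JOBS[job_id] == dn else "denied: DN does not match"

def scenario():
    CA, ALICE, ROGUE = "/O=Grid/CN=EDG Toy CA", "/O=Grid/CN=alice", "/O=Grid/CN=rogue.example.org"
    ca_sk, ca_pk = keygen()
    trust = {CA: ca_pk}
    alice_sk, alice_pk = keygen()
    alice_cert = consumer_cert = issue(ca_sk, CA, ALICE, alice_pk)
    consumer_sk, consumer_pk = keygen()
    consumer_cert = issue(ca_sk, CA, "/O=Grid/CN=consumer.example.org", consumer_pk)
    rogue_sk, rogue_pk = keygen()
    rogue_cert = issue(ca_sk, CA, ROGUE, rogue_pk)  # any "acceptable certificate" will do
    r = {}
    # no delegation: the honest consumer passes Alice's DN on ...
    r["honest_no_deleg"] = producer_no_delegation(consumer_cert, ALICE, "job-001", trust)
    # ... and the rogue consumer simply asserts Alice's DN: confidentiality breached
    r["rogue_no_deleg"] = producer_no_delegation(rogue_cert, ALICE, "job-001", trust)
    # delegation: Alice signs a proxy with her own key; the consumer forwards the chain
    proxy_sk, proxy_pk = keygen()
    alice_proxy = issue(alice_sk, ALICE, ALICE + "/CN=proxy", proxy_pk)
    r["honest_deleg"] = producer_with_delegation([alice_proxy, alice_cert], "job-001", trust)
    r["alice_other_job"] = producer_with_delegation([alice_proxy, alice_cert], "job-002", trust)
    # the rogue lacks Alice's key: its "proxy" does not verify under her public key ...
    forged = issue(rogue_sk, ALICE, ALICE + "/CN=proxy", proxy_pk)
    r["rogue_forged_proxy"] = producer_with_delegation([forged, alice_cert], "job-001", trust)
    # ... and a proxy under its own CA-signed cert cannot carry her DN
    own = issue(rogue_sk, ROGUE, ALICE + "/CN=proxy", proxy_pk)
    r["rogue_own_chain"] = producer_with_delegation([own, rogue_cert], "job-001", trust)
    return r

if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:20s} {result}")
```

The two producer functions differ only in what they verify: the first checks a certificate that merely proves "some trusted party is calling" and then reads the DN out of the request, which is exactly the "a has to trust everyone b trusts" problem; the second verifies the whole chain back to the CA and derives the DN from it, so a consumer with a perfectly good certificate of its own still cannot read another user's jobs.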

EDG Security issues
For J and beyond, plan to authenticate services using a proxy of a service certificate.

Authorization beyond J+30
Need proper delegation – the end producer needs to authenticate the client.
The producer needs to do the authorization, otherwise:
– confidentiality can be breached;
– fine-grained won't work.
VOMS and the edg-java-security tools being developed should give us VO, roles, DN etc.
GACL (Grid Access Control List) is a format for specifying access control. May be able to use this.

Beyond J+30 (contd)
If an info service is either available or not to a client, could use the WP2 Authorization service.
– Imagine this will be true of some info services, especially canonical producers.
– Registry for VO won't work, as separate Registries are virtual, not really separate services.

Coarse grained R-GMA service
[Diagram: Authenticated USER (DN, VO, Role(s)) -> coarse grained R-GMA service -> authorization decision against a single ACL (DN, VO, Role).]
In future there may be R-GMA services where authorization depends only on the entire service. E.g. a user may read all/none, write all/none, administrate the service. One ACL applies to the whole service.

Fine grained R-GMA service
[Diagram: Authenticated USER (DN, VO, Role(s)) -> fine grained R-GMA service; inside the producer each table, and each row, carries its own ACL (DN, VO, Role).]
In fine grained authorization a decision must be made within the producer. Each table, even each row of a table, will have its own ACL.
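The last two slides contrast one ACL per service (read all or nothing) with an ACL per table and per row evaluated inside the producer. The code below is an added example, not R-GMA code and not the GACL schema: it is a minimal evaluator over (DN, VO, Role) selectors, applied once at the front of a coarse grained service and then per table and per row in a fine grained producer. The VO names, DNs, role name, job rows and the deny-overrides rule are constructed for the example; it also shows why a coarse grained service cannot deliver "users only see their own jobs".

```python
"""Coarse- vs fine-grained ACL evaluation over (DN, VO, Role).  Added example;
the ACL structure is a plain Python stand-in, not GACL, and all data is constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    """What authentication hands to authorization: the DN plus VOMS-style VO and roles."""
    dn: str
    vo: Optional[str] = None
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Entry:
    """One ACL entry.  Every selector that is set must match (AND); an unset selector is a wildcard."""
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()
    dn: Optional[str] = None
    vo: Optional[str] = None
    role: Optional[str] = None

    def matches(self, p: Principal) -> bool:
        return ((self.dn is None or self.dn == p.dn)
                and (self.vo is None or self.vo == p.vo)
                and (self.role is None or self.role in p.roles))

def permissions(acl, p: Principal) -> frozenset:
    """Union of allows from matching entries minus union of denies: a deny in any matching entry wins."""
    allowed, denied = set(), set()
    for e in acl:
        if e.matches(p):
            allowed |= e.allow
            denied |= e.deny
    return frozenset(allowed - denied)

class CoarseGrainedService:
    """One ACL for the whole service: a reader gets every row or nothing."""
    def __init__(self, acl, rows):
        self.acl, self.rows = acl, rows
    def read(self, p: Principal):
        if "read" not in permissions(self.acl, p):
            raise PermissionError(f"{p.dn} may not read this service")
        return list(self.rows)

class FineGrainedProducer:
    """The table ACL decides who may query at all; each row then carries its own ACL."""
    def __init__(self, table_acl, rows):
        self.table_acl, self.rows = table_acl, rows  # rows: list of (row_acl, row)
    def read(self, p: Principal):
        if "read" not in permissions(self.table_acl, p):
            raise PermissionError(f"{p.dn} may not read this table")
        return [row for row_acl, row in self.rows if "read" in permissions(row_acl, p)]

READ = frozenset({"read"})

def job_row_acl(owner_dn):
    """Constructed policy for a job row: readable by its owner and by VO admins."""
    return (Entry(allow=READ, dn=owner_dn), Entry(allow=READ, vo="atlas", role="admin"))

# constructed table ACL: the atlas VO may read, one member is explicitly blocked
TABLE_ACL = (Entry(allow=READ, vo="atlas"), Entry(deny=READ, dn="/O=Grid/CN=mallory"))
JOB_ROWS = [(job_row_acl(owner), {"job": jid, "owner": owner}) for jid, owner in
            [("job-001", "/O=Grid/CN=alice"), ("job-002", "/O=Grid/CN=bob"), ("job-003", "/O=Grid/CN=alice")]]

def demo():
    """Run every constructed principal against both service styles; returns {(who, style): jobs | 'denied'}."""
    people = {"alice": Principal("/O=Grid/CN=alice", "atlas"),
              "bob": Principal("/O=Grid/CN=bob", "atlas", frozenset({"admin"})),
              "carol": Principal("/O=Grid/CN=carol", "cms"),
              "mallory": Principal("/O=Grid/CN=mallory", "atlas")}
    services = {"coarse": CoarseGrainedService(TABLE_ACL, [row for _, row in JOB_ROWS]),
                "fine": FineGrainedProducer(TABLE_ACL, JOB_ROWS)}
    out = {}
    for who, p in people.items():
        for style, svc in services.items():
            try:
                out[(who, style)] = [r["job"] for r in svc.read(p)]
            except PermissionError:
                out[(who, style)] = "denied"
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Alice, an ordinary atlas member, sees all three jobs through the coarse grained service but only her own two through the fine grained producer; Bob's admin role gives him every row in both; Carol (another VO) and Mallory (denied by DN, which overrides the VO allow) are refused at the table before any row is consulted. The table-level check is the same yes/no decision the coarse grained service makes, so the fine grained producer is a superset of it rather than a replacement.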