Security Policies and Middleware in OSG. Gabriele Garzoglio. June 18, 2007, JRA1 All Hands Meeting.

Presentation transcript:

Slide 1/26: Security Policies and Middleware in OSG
Gabriele Garzoglio, Computing Division, Fermilab. June 18, 2007, JRA1 All Hands Meeting.

Slide 2/26: Overview
- OSG Security (courtesy Don Petravick)
- Access Control and Privileges
- Auditing (courtesy Tanya Levshina)

Slide 3/26: OSG Security
OSG Proposal: "We propose to build a cyber-infrastructure that can grow to provide thousands of users effective access to 100,000 CPUs, 10s of PB of storage, located at hundreds of sites and interconnected by multiple 10Gb/s network links."
Technical Basis:
  – Service-based access to compute and storage services.
  – A software stack used by experiments to manage their users and their jobs.
  – The environment interoperates with other similar grid environments (LCG, TeraGrid, et al.).

Slide 4/26: OSG Capacity Targets
In 2008 we estimate: 53 MSI2K = 26,000 CPUs; 74 MSI2K = 37,000 CPUs.

Slide 5/26: Me, My Friends, the Grid (figure)

Slide 6/26: Grid Security
The goal of grid security is to establish trust that computing organized along these lines will have appropriate integrity, availability, and confidentiality.
OSG cannot bear the security responsibilities of sites or VOs. Therefore, initially, inter-entity security is conceptually a set of pair-wise agreements.
  – We have more than a few autonomous parties.
  – Not a small task.

Slide 7/26: Illustrative example (figure)

Slide 8/26: Operational Grid Security
Based on the NIST model: controls based on risk, rooted in policy.
  – Risk = f(vulnerability, threat)
  – Goal: achieve acceptable risk. Recall that the context is open science.
  – Means: controls
      Management (what did we decide?)
      Operational (we count on behaviors)
      Technical (stuff done in HW/SW)

Slide 9/26: Some Specifics
OSG security seeks to complement, not replace, site and VO security organizations.
  – Recall the Roadmap: O(10^4) parties. Now: O(10^3).
Make the security discussion scalable by standardizing the many elements of the discussion.
  – Foster a secure software stack for grid services.
  – Foster communications.
  – Know what's going on from the perspective of the whole grid.

Slide 10/26: Scaling
Make the discussion standard.
  – Think of the market in mortgages: many standard terms.
Model security policies:
  – JSPG: sites, VOs, users.
  – IGTF: identity providers.
  – TBD: service providers (likely JSPG), software providers.

Slide 11/26: Overview
- OSG Security (courtesy Don Petravick)
- Access Control and Privileges (this section)
- Auditing (courtesy Tanya Levshina)

Slide 12/26: VO Services Project Charter
The project provides an infrastructure to manage user registration and implement fine-grained authorization to access rights on computing and storage resources.
  – Authorization is linked to identities and extended attributes.
  – Mapping is dynamic and supports pool accounts.
  – Enforcement of access rights is implemented using UID/GID pairs.
  – The infrastructure aims at reducing administrative overhead: the authorization service is central at the site.
The project is responsible for the development and maintenance of the infrastructure and for assisting with the deployment and support on the OSG.

Slide 13/26: Stakeholders
- Stakeholders giving requirements: US CMS and US ATLAS.
- Joint project of Fermilab, BNL, PPDG, Virginia Tech, UCSD, OSG since 2003.
- Different institutions are responsible for the maintenance of different components.
- Core software distributed via VDT.

Slide 14/26: VO Services Architecture
- GUMS server maintains identity / attribute mapping for all the gateways at a site.
- gPlazma server enhances UID/GID mapping with service-specific parameters (e.g. root path for SE).
- SAZ checks black/white lists.
- Periodically, GUMS synchronizes with VOMS users/groups.
- User identity and attributes are maintained in VOMS through VOMRS.
- Users interact with VOMS to get attribute-enhanced credentials.
- Gateway software (CE and SE) performs
  – identity mapping call-out through the PRIMA module
  – access control call-out through the SAZ module
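The call-out sequence on this slide (SAZ black/white lists first, then a GUMS/PRIMA-style mapping of the VOMS FQAN to a UID/GID with the dynamic pool accounts the Phase II charter mentions), as an added Python example. This is not GUMS or SAZ code; the rule names, UIDs, VO names and DNs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
# Constructed example modelled on the GUMS/SAZ/PRIMA split described above.
# It is not GUMS code; rule names, UIDs and DNs are made up.

@dataclass
class MappingRule:
    """Maps a VOMS FQAN (VO group, optional Role) to a UID/GID at this site."""
    fqan_prefix: str                 # e.g. "/cms/Role=production"
    gid: int
    fixed_uid: Optional[int] = None  # static group account
    pool: List[int] = field(default_factory=list)  # pool account UIDs

    def matches(self, fqan: str) -> bool:
        # Match whole FQAN components, so "/cms" does not match "/cmsx".
        return fqan == self.fqan_prefix or fqan.startswith(self.fqan_prefix + "/")

@dataclass
class SitePDP:
    rules: List[MappingRule]                 # ordered; first match wins
    banned_dns: Set[str]                     # SAZ-style blacklist
    allowed_vos: Optional[Set[str]] = None   # SAZ-style whitelist (None = any VO)
    leases: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def authorize(self, dn: str, fqan: str) -> Optional[Tuple[int, int]]:
        """Return (uid, gid) for an attribute-enhanced credential, or None to deny."""
        # SAZ access-control call-out: black/white lists come before any mapping.
        if dn in self.banned_dns or not fqan.startswith("/"):
            return None
        vo = fqan.split("/")[1]              # FQAN starts with "/<vo>"
        if self.allowed_vos is not None and vo not in self.allowed_vos:
            return None
        # PRIMA identity-mapping call-out: the first matching rule decides.
        for rule in self.rules:
            if not rule.matches(fqan):
                continue
            if rule.fixed_uid is not None:
                return rule.fixed_uid, rule.gid
            key = (dn, fqan)             # pool lease is sticky per identity + attributes
            if key not in self.leases:
                in_use = set(self.leases.values())
                free = [u for u in rule.pool if u not in in_use]
                if not free:
                    return None          # pool exhausted: deny, never share a UID
                self.leases[key] = free[0]
            return self.leases[key], rule.gid
        return None                      # no rule for this VO/group: deny

def demo_pdp() -> SitePDP:
    """Constructed site configuration: CMS production gets a fixed account,
    other CMS members get pool accounts, all other VOs are refused."""
    return SitePDP(
        rules=[
            MappingRule("/cms/Role=production", gid=500, fixed_uid=5000),
            MappingRule("/cms", gid=501, pool=[5101, 5102, 5103]),
        ],
        banned_dns={"/DC=org/DC=example/CN=Mallory Revoked"},
        allowed_vos={"cms"},
    )
```

Denying when the pool is exhausted, rather than reusing a UID, is what keeps the UID/GID enforcement on the slide meaningful: two identities must never share an account at the same time.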

Slide 15/26: Deployment on OSG
The authorization system (GUMS) has been deployed at O(10) sites:
  – US CMS T2 centers and T1 at FNAL
  – US ATLAS T2 centers and T1 at BNL
  – FermiGrid (includes SAZ), et al.
US CMS, US ATLAS, and DZero have defined roles that are implemented using VOMS.
Sites configure GUMS (PDP) to implement local identity mapping.

Slide 16/26: Closing Project Phase II
Deliverables of Phase II are due in the time scale of the OSG V0.8.0 release (Aug 07):
- Document current use of credential attributes
- GUMS v1.2
- LIGO Authentication Requirements
- gLExec deployment for CDF/CMS
  – Being packaged in VDT.
- gPlazma
  – Deployment underway. Further development and maintenance are part of the dCache project.
  – Storage role/access requirements are part of Phase III.
- VOMRS 1.3. Part of the VDT release in May.
  – CERN (01/07), Fermilab (04/07), APAC (11/06)

Slide 17/26: Goals for Phase III? (1)
Interface/integrate/migrate OSG AuthZ components more into emerging standards.
  – Set the path for less effort in the future.
  – Prepare for use of new AuthN mechanisms (i.e. Shibboleth).
VOMRS
  – Interface to Shib; use a more standard workflow engine, persistency, UI technology.
Accounting integration: interface roles, GRAM auditing and Gratia.

Slide 18/26: Goals for Phase III? (2)
Support finer-grain access to Storage.
  – SRM/dCache does not manage privileges directly via X509 credential attributes. UID, GID, Root Path, ... mappings are required.
  – Stakeholders are interested in supporting combinations of read / write accesses to files / directories by VO, VO groups, and group roles.
Improve software stack validation and regression tests across releases.
Ongoing OSG - EGEE AuthZ interoperability. Already started:
  – Globus develops the common library (based on XACML2/SAML2): prototype version in collaboration w/ IBM on Apr 07.
  – Understanding and feeding back OSG and EGEE requirements: implementation of some key features estimated for July 07.
  – Holding regular meetings (Oct 06, Feb 07, Mar 07, Apr 07, Jun 07).

Slide 19/26: What about Policy?
Currently no mechanism to define VO authorization policies and apply them consistently across sites.
  – SBIR Phase I grant approved
  – GPBox?
More maintainable authentication management by implementing a site-centralized certificate validation service.

Slide 20/26: Overview
- OSG Security (courtesy Don Petravick)
- Access Control and Privileges
- Auditing (courtesy Tanya Levshina) (this section)

Slide 21/26: Project Motivations
The nature of Grid cyberspace security vulnerabilities motivates the creation of a centralized service for real-time automated security assessment and forensic analysis.
Usage patterns across the Grid may reveal adverse intentions, while similar behavior may seem legitimate to any particular grid site or VO-specific service.
Use Cases:
  – Should be able to determine if a specific credential, presumed to be stolen, has been used to access Grid sites or VO services.
  – Find out if there was an attempt to enter a site or service by scanning.
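The two use cases above, run over constructed syslog-ng-style lines as several sites might forward them to a central repository, as an added Python example that is not the OSG Auditing Service; the line format, site names, addresses and DNs are all made up. It also illustrates the slide's point about grid-wide visibility: the same threshold applied to one site's logs alone does not flag the scan.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
# Constructed example (not the OSG Auditing Service). Line format, sites,
# hosts, addresses and DNs below are invented for illustration.

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+) (\S+): (.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse 'timestamp site host service: k=v ...' into a record, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, site, host, service, rest = m.groups()
    rec = {"ts": ts, "site": site, "host": host, "service": service}
    for key, quoted, bare in KV_RE.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec

def credential_usage(records, dn: str) -> List[Tuple[str, str, str]]:
    """Use case 1: every (site, host, service) where the given DN was accepted."""
    return sorted({(r["site"], r["host"], r["service"])
                   for r in records if r.get("dn") == dn and r.get("result") == "accept"})

def detect_scanning(records, min_targets: int = 3) -> Dict[str, int]:
    """Use case 2: sources whose rejected requests touched >= min_targets distinct services."""
    targets = defaultdict(set)
    for r in records:
        if r.get("result") == "reject" and "src" in r:
            targets[r["src"]].add((r["site"], r["host"], r["service"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed log lines as they might arrive at the central repository.
SAMPLE_LOG = [
    'Jun 18 10:02:11 siteA ce01 gatekeeper: src=192.0.2.10 dn="/DC=org/DC=example/CN=Alice Smith" fqan=/cms/Role=production result=accept',
    'Jun 18 10:05:40 siteB se02 srm: src=192.0.2.10 dn="/DC=org/DC=example/CN=Alice Smith" fqan=/cms/Role=NULL result=accept',
    'Jun 18 10:06:02 siteA ce01 gatekeeper: src=192.0.2.10 dn="/DC=org/DC=example/CN=Alice Smith" fqan=/cms/Role=production result=accept',
    'Jun 18 10:07:15 siteA ce01 gatekeeper: src=203.0.113.7 result=reject reason=no-credential',
    'Jun 18 10:07:16 siteA se01 srm: src=203.0.113.7 result=reject reason=no-credential',
    'Jun 18 10:07:18 siteB ce02 gatekeeper: src=203.0.113.7 result=reject reason=no-credential',
    'Jun 18 10:07:19 siteB vo01 vo-service: src=203.0.113.7 result=reject reason=no-credential',
    'Jun 18 10:09:00 siteB ce02 gatekeeper: src=198.51.100.5 dn="/DC=org/DC=example/CN=Bob" fqan=/atlas/Role=NULL result=reject reason=unknown-vo',
    'this line is not in the expected format',
]

RECORDS = [r for r in map(parse_line, SAMPLE_LOG) if r is not None]
ALICE = "/DC=org/DC=example/CN=Alice Smith"

if __name__ == "__main__":
    print("credential used at:", credential_usage(RECORDS, ALICE))
    print("scanners (grid-wide):", detect_scanning(RECORDS))
    # Same threshold on a single site's logs: two probes per site stay below it.
    print("scanners (siteA only):", detect_scanning([r for r in RECORDS if r["site"] == "siteA"]))
```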

Slide 22/26: Project Goals
- Provide a global-level auditing service to the OSG Community. The global auditing service is necessary to assess the overall security condition of the OSG across OSG sites and VO-specific services.
- Offer real-time automated security assessment and forensic analysis tools that satisfy the security requirements of OSG staff, VOs, and sites participating in the OSG.
- Provide the flexible query interfaces needed for ad hoc security investigations at the grid level.
- Interface with the OSG Information Management Project in order to notify the appropriate officials in case of discovery of unusual or suspicious grid usage.
- Complement the existing site security processes and help drive further development of the auditing collection software used by Grid sites.
- Focus on integration and analysis of the, possibly diverse and multiple-format, information.

Slide 23/26: Auditing Project Architecture (diagram; only its labels survive)
Labels: Grid Site with Log Search Service; Grid Site without Log Search Service; VO Resource Site; OSG Central Facility; Security Officer; CE; SE; Grid application; VO-specific application; Syslog-ng; Log Search Service; Catch-All Log Search Service Host; Central Repository; Site Central Log Monitoring Host; VO Services Host; Auditing Service; Auditing Service Client; Gratia probes.
Legend: site, cluster, host, application, log repository, auditing data repository, flow of data request, flow of data storage.

Slide 24/26: Auditing Project Context Diagram (diagram; only its labels survive)
Labels: Auditing Service; Active Storage; Grid operation environment; Gratia's probes; Auditing probes; Globus Datagram; Auditing Data Management; MS; Grid Configuration; AAA Data; Log Storage; Query Executor; Automaton; Grid Security team; Incident respondent; Security assessor; Suspected vulnerability; Suspected incident; OSG Security Information Service.

Slide 25/26: Project Deliverables
- Provide a review of the auditing projects within OSG, EGEE, the CEDPS Troubleshooting project, and Globus Auditing (started).
- Provide an evaluation summary of the auditing tools currently in use and/or available through Open Source (started).
- Provide an evaluation summary of the usability of the raw data collected by Gratia's probes for auditing post-mortem analysis (started).
- Determine the information model for service log files; investigate log format transformations and log analysis capabilities.
- Achieve community consensus on the proposal and encourage community collaboration on this project.
- Provide a high-level design of the Auditing Service (started).

Slide 26/26: Conclusion
- Security work in OSG is currently tackling both Policy and Middleware.
- Policy work focuses on Management, Operational, and Technical controls to mitigate risk.
- Middleware projects address User Registration, Access Authorization, Accounting (Gratia), and Auditing.
- We want to collaborate with our European partners to achieve interoperation and share ideas.