Ákos FROHNER – DataGrid Security - 2002-11-18 - n° 1 Security Group TODO

Presentation transcript:

Ákos FROHNER – DataGrid Security n° 1 Security Group TODO

Ákos FROHNER – DataGrid Security n° 2 – 1. CAS/VOMS strategy – open issues
- grid-proxy-init --vo Alice --role admin: client application, PAM module?!
- Membership administration: admin interface
- VOMS: WP1/WP2/CAS implementation
- Encoding of the information: XML vs. ASN.1 (basically it is an attribute certificate)
- Format of attributes: group/role/VO, e.g. /O=Grid/O=Alice/Role=RM-admin
- Where to put the extra info: inside or beside the proxy cert?
- Libraries for the services (C/Java/?)

Ákos FROHNER – DataGrid Security n° 3 – 2. ACL syntax and semantics
- AND?: yes (multi-VO requirement from WP10), but have only allow xor deny
- XML, C, Java and database representation of ACLs
- ACL manipulation library API -> Andrew's GACL for C is the current nominee, but we probably need it in Java and Perl as well.
- Transport format: probably XML (write grammar!)
New:
- WP2's XML syntax for authorization
- fine-grained authz in VOMS and metadata catalog
- SAML specification
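The two semantic questions on this slide (entries that AND several VO attributes together, and entries that carry either an allow or a deny but never both) are easiest to pin down with a small evaluator. The following is an added example written for this transcript; it is not GACL, WP2's XML syntax or any EDG code, and the `<acl>`/`<entry>`/`<attribute>`/`<allow>`/`<deny>` grammar, the prefix rule for group attributes and the deny-overrides decision are all assumptions chosen for illustration. Attribute values follow the group/role/VO format from slide 2.

```python
"""Toy ACL evaluator over VOMS-style attributes (added example, not EDG/GACL code).

Assumed XML grammar (hypothetical, not GACL's or WP2's real syntax):

  <acl>
    <entry>
      <attribute>/O=Grid/O=Alice/Role=RM-admin</attribute>   one or more; all must hold (AND)
      <allow>read write</allow>  or  <deny>write</deny>     exactly one of the two
    </entry>
  </acl>
"""
import xml.etree.ElementTree as ET  # for untrusted XML use defusedxml instead

# Constructed sample ACL: a group entry, a role entry, a multi-VO (AND) entry, a deny entry.
ACL_XML = """
<acl>
  <entry><attribute>/O=Grid/O=Alice</attribute><allow>read</allow></entry>
  <entry><attribute>/O=Grid/O=Alice/Role=RM-admin</attribute><allow>read write delete</allow></entry>
  <entry>
    <attribute>/O=Grid/O=Alice</attribute>
    <attribute>/O=Grid/O=WP10</attribute>
    <allow>write</allow>
  </entry>
  <entry><attribute>/O=Grid/O=Alice/Role=guest</attribute><deny>write</deny></entry>
</acl>
"""


def fqan_matches(rule_attr, cred_attr):
    """Assumed rule: exact match, or the rule names a group that is a path prefix
    of the credential (so /O=Grid/O=Alice covers /O=Grid/O=Alice/Role=RM-admin)."""
    return cred_attr == rule_attr or cred_attr.startswith(rule_attr.rstrip("/") + "/")


def parse_acl(xml_text):
    """Parse the assumed grammar; reject entries that are not 'allow xor deny'."""
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.findall("entry"):
        attrs = [a.text.strip() for a in e.findall("attribute")]
        if not attrs:
            raise ValueError("entry without attributes")
        allow, deny = e.find("allow"), e.find("deny")
        if (allow is None) == (deny is None):
            raise ValueError("entry must carry exactly one of <allow> or <deny>")
        node = allow if allow is not None else deny
        entries.append({"attrs": attrs, "effect": node.tag, "ops": set(node.text.split())})
    return entries


def is_well_formed(xml_text):
    try:
        parse_acl(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def entry_applies(entry, credentials):
    """Every attribute listed in the entry must be satisfied by some credential (AND)."""
    return all(any(fqan_matches(r, c) for c in credentials) for r in entry["attrs"])


def is_allowed(acl, credentials, op):
    """Default deny; any applicable deny entry for the operation wins over allows."""
    allowed = False
    for e in acl:
        if op not in e["ops"] or not entry_applies(e, credentials):
            continue
        if e["effect"] == "deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    acl = parse_acl(ACL_XML)
    for creds in (["/O=Grid/O=Alice"], ["/O=Grid/O=Alice", "/O=Grid/O=WP10"],
                  ["/O=Grid/O=Alice/Role=guest", "/O=Grid/O=WP10"]):
        print(creds, "write ->", is_allowed(acl, creds, "write"))
```

The multi-VO entry shows why plain "allow xor deny" per entry is still enough once the decision rule is fixed: a user holding both the Alice and WP10 attributes gets write, while a guest who also holds WP10 is stopped by the deny entry because deny overrides. Whatever rule the group settles on, it has to be written down with the grammar, since a Java or Perl port that picks a different precedence will disagree with the C library on exactly these cases.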

Ákos FROHNER – DataGrid Security n° 4 – 3. SE/RM interaction
The interaction is as described earlier.
- Transport of ACL and metadata: needs a common format; prefixed to the data or a separate MIME part?
- Delegation: file transfers between SE nodes; they must act on behalf of the initiator of the transfer (see G-HTTPS later)
- (Checksum on files – signatures?)

Ákos FROHNER – DataGrid Security n° 5 – 4. SE/MSS interaction
Mixed access to files (local and grid)
- SE authz to replace and/or emulate existing authorization
- Conflict of ownership
- Semantic differences in access rights
No progress.

Ákos FROHNER – DataGrid Security n° 6 – 5. WP10 confidentiality issues
Protecting the owner's identity
- in access control lists (protected storage and evaluation)
- in log/audit records (different name for audit)
- key to read data (encrypted for the session)
See slides from the earlier meeting.
- Requirements along contracts – "implement" them as policies!

Ákos FROHNER – DataGrid Security n° 7 – 6. Accounting
User/group/VO level? Granularity of accounting and/or quotas
- User level: OK, based on the identity; "accounted user" field in file metadata
- VO level: OK; in a replica manager files of several VOs are mixed in an SE – "accounted VO" field?
- Group level: ? Group may change over time – "accounted group" field?
Extra fields
- Do we allow modifications?
- Who can modify them (ACL)?

Ákos FROHNER – DataGrid Security n° 8 – 7. Mutual authorization – client
The service can also obtain authorization information from a VOMS. The user may configure which "group of service" is acceptable.
- Do we need this?
- Semantics of client applications with multiple VOMS credentials – see later

Ákos FROHNER – DataGrid Security n° 9 – 8. CE/LCAS interaction with VOMS
VOMS provides group/role info
- Mapping identity to local credentials – OK
- Mapping group information to local groups?
- Enforcement of group-level access rights in a CE? See LCAS later

Ákos FROHNER – DataGrid Security n° – Multiple vs. single VO – closed
- See WP10 requirements -> multiple VOs

Ákos FROHNER – DataGrid Security n° – VO LDAP servers
VOMS vs. VO-LDAP servers
- VO membership information (VOMS, LDAP)
- User information (LDAP)
- Which is the primary data source?
- Updating of user information – site authorities
- Tracking of incidents -> plan a step-by-step transition

Ákos FROHNER – DataGrid Security n° – Auditing
Tracking changes for incidents and debugging
- Pool of assigned user accounts (who was using userid N at time T?)
- Membership information (was X a member of group Y at time T?)
- Software versions (what version of software W was running at time T?)
- Authorization decisions (why was user X allowed to access resource R at time T?)
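The first two questions on this slide are interval lookups over records that each have a start and (possibly open) end time, and the fourth is answered by chaining them: resolve the pool account to a DN at T, then check that DN's membership at T. The code below is an added example for this transcript, not an EDG audit tool; the record layouts, the sample assignments and memberships, and the half-open interval convention are all constructed here for illustration.

```python
"""Answer 'who used pool account N at T?' and 'was X in group Y at T?' from
start/end-stamped audit records (added example, not EDG code)."""
from datetime import datetime

# Constructed sample audit records. Times are ISO 8601; None means "still in effect".
POOL_ASSIGNMENTS = [
    # (local userid, grid DN, assigned from, released at)
    ("alice001", "/O=Grid/CN=Alice Smith", "2002-11-01T08:00", "2002-11-01T12:00"),
    ("alice001", "/O=Grid/CN=Bob Jones",   "2002-11-01T12:30", None),
    ("alice002", "/O=Grid/CN=Alice Smith", "2002-11-01T12:00", None),
]
MEMBERSHIP = [
    # (grid DN, group or role attribute, member from, member until)
    ("/O=Grid/CN=Alice Smith", "/O=Grid/O=Alice/Role=RM-admin", "2002-10-01T00:00", "2002-11-01T10:00"),
    ("/O=Grid/CN=Alice Smith", "/O=Grid/O=Alice",               "2002-10-01T00:00", None),
    ("/O=Grid/CN=Bob Jones",   "/O=Grid/O=Alice",               "2002-11-01T00:00", None),
]


def _ts(s):
    return datetime.fromisoformat(s)


def active_at(start, end, t):
    """Half-open interval [start, end): a record released at T is no longer active at T."""
    t = _ts(t)
    return _ts(start) <= t and (end is None or t < _ts(end))


def who_used(userid, t, assignments=POOL_ASSIGNMENTS):
    """Return the DN holding pool account `userid` at time t, or None if unassigned.
    Two overlapping assignments mean the audit log itself is inconsistent, which is
    worth surfacing rather than silently picking one."""
    hits = [dn for uid, dn, s, e in assignments if uid == userid and active_at(s, e, t)]
    if len(hits) > 1:
        raise ValueError(f"{userid} assigned to {len(hits)} identities at {t}: audit log inconsistent")
    return hits[0] if hits else None


def was_member(dn, group, t, membership=MEMBERSHIP):
    """True if `dn` held the `group` attribute at time t."""
    return any(d == dn and g == group and active_at(s, e, t) for d, g, s, e in membership)


def explain_access(userid, group, t):
    """Chain the two lookups: (DN behind the pool account at t, did that DN hold `group` at t)."""
    dn = who_used(userid, t)
    if dn is None:
        return (None, False)
    return (dn, was_member(dn, group, t))


if __name__ == "__main__":
    for t in ("2002-11-01T09:00", "2002-11-01T12:00", "2002-11-01T13:00"):
        print(t, explain_access("alice001", "/O=Grid/O=Alice/Role=RM-admin", t))
```

The interval convention matters for exactly the incident case the slide has in mind: at 12:00 the account alice001 has been released but not yet reassigned, so a job seen under that userid at 12:00 maps to nobody, and the investigator learns that the mapping log has a gap rather than being handed the wrong DN. Keeping both the pool-assignment and membership records with start and end stamps, instead of overwriting the current state, is what makes the "at time T" questions answerable at all.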

Ákos FROHNER – DataGrid Security n° – GGF presentation
- What shall be in the presentation?