Download presentation
Presentation is loading. Please wait.
Published byAlberta Andrews Modified over 8 years ago
1
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Authorisation and Authentication Dr. Mike Mineter National e-Science Centre, Edinburgh / UK Dr. Rüdiger Berlich, Forschungszentrum Karlsruhe / Germany Brisbane, 2 February 2006 Slides contributed by EGEE Team
2
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 2 Acknowledgements This presentation includes slides taken from the following talks: –Roberto Barbera at ISSGC05, Vico Equense, July 2005 http://www.dma.unina.it/~murli/GridSummerSchool2005/index.htm http://www.dma.unina.it/~murli/GridSummerSchool2005/index.htm –Richard Sinnott at ISSGC05, Vico Equense, July 2005 –Carl Kesselman, at ISSGC04, Vico Equense, July 2004 http://www.dma.unina.it/~murli/GridSummerSchool2004/index.htm http://www.dma.unina.it/~murli/GridSummerSchool2004/index.htm –David Fergusson at EMBRACE/EGEE Tutorial, Clermont Ferrand, July 2005 http://agenda.cern.ch/fullAgenda.php?ida=a053765http://agenda.cern.ch/fullAgenda.php?ida=a053765 –Joachim Flammer at EMBRACE Tutorial, Clermont-Ferrand, July 2005 Also information from: –Globus Alliance: GT4 Security: Key concepts –http://www.globus.org/toolkit/docs/4.0/security/keyhttp://www.globus.org/toolkit/docs/4.0/security/key
3
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 3 Please download this file from the agendamaker page: Go to www.eu-egee.orgwww.eu-egee.org Follow link to technical site, NA3 (training activity) Choose “events and registration” from menu Select “jump to now” for latest events Select Brisbane event Select transparencies associated with this talk Download talk And return to explore these sites in future! ALL EGEE training talks are (or at least should be!) found here. Material can be re-used – please tell us. There is a searchable archive – from NA3 page (http://egee.nesc.ac.uk/) go to “training material”.http://egee.nesc.ac.uk/
4
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 4 Outline Delegation: building distributed systems dynamically Why Authorisation and Authentication (AA) are the basis of grids Authentication: “AuthN” –“Who are you? Are you who you claim to be?” Authorisation: “AuthZ” –“What are you allowed to do?” MyProxy: management of certificates
5
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 5 Requirements for AuthN and AuthZ Support multiple VOs across –Administrative domains –National borders –Via Internet Single sign-on –Multiple services –Delegation Scalability: –N,000 users –M,000 CPUs –Without M*N million usernames / passwords… Security INTERNET
6
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 6 Use Delegation to Establish Dynamic Distributed System Compute Center VO Service slide based on presentation given by Carl Kesselman at GGF Summer School 2004
7
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 7 Trust Grids by definition have no central control, and connect users to resources where neither has prior knowledge of the other Need to establish trust, so Resource can trust user User can trust the resource The basis: –CAs sign user and resource (site) certificates –Both users and sites trust Certificate Authorities –So users and providers trust each other …and for international collaboration: –CAs trust each other
8
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 8 Authentication and X.509 certificates
9
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 9 AA and Certificates X 509 Digital certificate is the basis of AA in EGEE Certification Authorities (CAs) –~one per country; each builds network of “Registration Authorities” who issue certificates CAs are mutually recognized – to enable international collaboration – International Grid Trust Federation http://www.gridpma.org/http://www.gridpma.org/ For Asia-Pacific region CAs: https://www.apgrid.org/CA/CertificateAuthorities.html https://www.apgrid.org/CA/CertificateAuthorities.html CA issues certificates to –Users: you get a Certificate and use it to access a grid –Sites providing resources Uses Public Key Infrastructure (PKI) –Private key – known only to you –Public key included in your certificate
10
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 10 Use of PKI - overview Basis for authentication, integrity, confidentiality, non-repudiation Certificate: held in two parts –Public key + principal information + CA signature –Private key: only the owner (should) use this Asymmetric encryption Digital signatures –A hash derived from the message and encrypted with the signer’s private key –Signature is checked by decrypting with the signer’s public key –Public key is trusted only because it is signed by a trusted third party (Certification Authority) A CA certifies that a key belongs to a given principal Encrypted text Private Key Public Key Clear text message
11
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 11 X.509 Certificates An X.509 Certificate contains: –owner’s public key; –identity of the owner; –info on the CA; –time of validity; –Serial number; –digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2005 GMT Serial number: 625 (0x271) CA Digital signature Structure of a X.509 certificate
12
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 12 Certificate Validity The public key from the CA certificate can then be used to verify the certificate. Name Issuer: CA Public Key Signature =? Name: CA Issuer: CA CA’s Public Key CA’s Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Decrypt CA
13
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 13 The Grid Security Infrastructure (GSI) every user/host/service has an X.509 certificate; certificates are signed by trusted (by the local sites) CA’s; every Grid transaction is mutually authenticated: 1. A sends his certificate; 2. B verifies signature in A’s certificate; 3. B sends to A a challenge string; 4. A encrypts the challenge string with his private key; 5. A sends encrypted challenge to B 6. B uses A’s public key to decrypt the challenge. 7. B compares the decrypted string with the original challenge 8. If they match, B verified A’s identity and A can not repudiate it. A B A’s certificate Verify CA signature Random phrase Encrypt with A’ s private key Encrypted phrase Decrypt with A’ s public key Compare with original phrase Based on X.509 PKI: VERY IMPORTANT Private keys Private keys must be stored only: protected in protected placesAND encrypted in encrypted form
14
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 14 The Grid Security Infrastructure (GSI) - continued Default: message integrity checking –Not private – a test for tampering. For private communication: –Encrypt all the message (not just hash) - Slower After A and B authenticated each other, for A to send a message to B: A B Generate hash from message Message + Encrypted hash Decrypt with A’ s public key Compare with decrypted hash Encrypt hash with A’ s private key Further encrypt hash with B’ s public key Decrypt with B’ s private key Generate hash from message
15
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 15 To use the EGEE grid Get an internationally recognised certificate –From a local RA – you will need to see them personally, bringing passport or other identification Contact the VO manager Accept the VO and the EGEE conditions of use to register with both EGEE and the VO Upload your certificate to a “User Interface” machine We are continuing the practical from this stage We have training certificates on the GILDA testbed
16
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 16 Using GILDA If you are new to Linux – or if you prefer – work in pairs Logon to glite-tutor.ct.infn.it –Username brisbaneXX where XX is 03-30 –Password GridBRIXX If you don’t yet have access work with someone who does until lunchtime.
17
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 17 The GILDA project (https://gilda.ct.infn.it)
18
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 18 The GILDA Test-bed (https://gilda.ct.infn.it/testbed.html) 15 sites in 3 continents ! GILDA is coordinated by Roberto Barbera and colleagues at the University of Catania and INFN.
19
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 19 Preliminary :.globus directory.globus directory contains your personal public / private keys Pay attention to permissions ! [ glite-tutor ] /home/giorgio > ls -l.globus total 8 -rw-r----- 1 giorgio users 1613 Oct 4 19:30 usercert.pem -r-------- 1 giorgio users 1914 Oct 4 19:30 userkey.pem
20
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 20 Verify your certificate openssl x509 -in.globus/usercert.pem –noout -text Certificate: Issuer: C=IT, O=GILDA, CN=GILDA Certification Authority Validity Not Before: Oct 11 14:54:35 2005 GMT Not After : Oct 31 14:54:35 2005 GMT Subject: C=IT, O=GILDA, OU=Personal Certificate, L=TENERIFFE, CN=TENERIFFE20/Email=kornmayer@iwr.fzk.de Subject Public Key Info:…. To get information on your certificate, run NOTICE THE ISSUER AND THE SUBJECT
21
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 21 Grid Security Infrastructure - proxies de facto standard for Grid middleware Based on PKI To support…. –Single sign-on: to a machine on which your certificate is held –Delegation: a service can act on behalf of a person –Mutual authentication: both sides must authenticate to the other ….GSI introduces proxy certificates –Short-lived certificates signed with the user’s certificate or a proxy –Reduces security risk, enables delegation
22
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 22 Authentication, Authorisation: pre- VOMS Authentication –User certificate signed by CA –Connects to UI by ssh –Downloads certificate –Invokes Proxy server –Single logon – to UI - then Grid Security Infrastructure identifies user to other machines Authorisation –User joins Virtual Organisation –VO negotiates access to Grid nodes and resources –Authorisation tested by CE –gridmapfile maps user to local account UI CA VO mgr Personal/ once VO database Gridmapfiles on CE GSI VO service Daily update LCG
23
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 23 “Compute element” “Worker nodes” Local resource management system: Condor / PBS / LSF master Globus gatekeeper Job request Info system Logging gridmapfile I.S. Logging
24
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 24 Building on AuthN Authorisation… What are you allowed to do? … and how is this controlled?? In EGEE the answer is VOMS Virtual Organisation Management System –“second generation” of VO management
25
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 25 Evolution of VO management Before VOMS User is authorised as a member of a single VO All VO members have same rights Gridmapfiles are updated by VO management software: map the user’s DN to a local account grid-proxy-init VOMS User can be in multiple VOs –Aggregate rights VO can have groups –Different rights for each Different groups of experimentalists … –Nested groups VO has roles –Assigned to specific purposes E,g. system admin When assume this role Proxy certificate carries the additional attributes voms-proxy-init VOMS – now in both the production (LCG) and pre-production (gLite) middleware
26
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 26 Introduction to VOMS VOMS Features –Single login using (proxy-init) only at the beginning of a session Attaches VOMS attributes to user proxy –Expiration time The authorization information is only valid for a limited period of the time as the proxy certificate itself –Multiple VO User may log-in into multiple VOs and create an aggregate proxy certificate, which enables him/her to access resources in any one of them –Backward compatibility The extra VO related information is in the user’s proxy certificate User’s proxy certificate can be still used with non VOMS-aware service –Security All client-server communications are secured and authenticated
27
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 27 Groups The number of users of a VO can be very high: –E.g. the experiment ATLAS has 2000 members Make VO manageable by organizing users in groups: –VO BIOMED-FRANCE Group Paris Sorbonne University oGroup Prof. de Gaulle Central University Group Lyon Group Marseille Groups can have a hierarchical structure Group membership is added automatically to your proxy when doing a voms-proxy-init
28
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 28 Groups rights Assign rights to certain members of the groups –using Access Control Lists (ACL) like in a file system Allow / Deny Create user Delete user Get ACL Set ACL List user Remove ACL –Specifying unit for entry: The local database administrator A specific user (not necessarily a member of this VO) Anyone who has a specific VOMS attribute FQAN Anyone who presents a certificate issued by a known CA (Including host and service certificates) Absolutely anyone, even unauthenticated clients
29
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 29 Roles Roles are specific roles a user has and that distinguishes him from others in his group: –Software manager –Administrator –Manager Difference between roles and groups: –Roles have no hierarchical structure – there is no sub-role –Roles are not used in ‘normal operation’ They are not added to the proxy by default when running voms-proxy-init But they can be added to the proxy for special purposes when running voms-proxy-init Example: –User Yannick has the following membership VO=BIOMED-FRANCE, Group=Paris, Role=SoftwareManager –During normal operation the role is not taken into account, e.g. Yannick can work as a normal user –For special things he can obtain the role “Software Manager”
30
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 30 gLite VOMS Authz DB is a RDBMS (both MySQL and Oracle are currently supported).
31
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 31 Try to use the grid without a proxy! hostname.jdl is a simple job description file. –It will be explained this afternoon To see which CEs can run this job we would use the command: glite-job-list-match hostname.jdl Please try this command!!
32
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 32 VOMS proxy creation voms-proxy-init --voms gilda Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it Enter GRID pass phrase for this identity: [insert your certificate passphrase] Creating temporary proxy..... PEM PASSPHRASE : BRISBANE Ignore “directory/file missing..vomses” message You could set this up to simplify aggregation of VO rights, for example.
33
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 33 Try to use the grid with a proxy Retry: glite-job-list-match hostname.jdl The result is a list of the CEs (batch queues) where this job can be run… more later! Creating a proxy certificate is your logon to the grid
34
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 34 Whats in your proxy?? voms-proxy-info Principal options : --all prints all proxy options --file specifies a different location of proxy file voms-proxy-info --all Compare the proxy’s issuer to that which you saw in your certificate. What’s different?? (The first issuer is that of the proxy. Subsequent issuers are associated with VOMS attributes)
35
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 35 Verify obtained credentials [giorgio@glite-tutor:~]$ voms-proxy-info --all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it type : proxy strength : 512 bits path : /tmp/x509up_u513 timeleft : 20:59:53 VO : gildav subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=cert-voms- 01.cnaf.infn.it attribute : /gildav/Role=NULL/Capability=NULL timeleft : 20:58:28
36
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 36 voms-proxy-init : options Main options -voms command syntax is :/ /group for group specify (default none) command syntax is :/ /Role= for Role choice (default none) Multiple –voms can be set to aggregate rights -valid x:y, create a proxy valid for x hours and y minutes -vomslife x, create a proxy with AC valid for x hours (max 24 h) voms-proxy-init –-voms gildav:/gildav/Role=VO-Admin voms-proxy-init --voms gildav:/gildav/tutors
37
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 37 The main commands Create a VOMS proxy: voms-proxy-init Display information: voms-proxy-info Destroy the proxy: voms-proxy-destroy And note: voms-proxy-… -help
38
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 38 “MyProxy” You may need: –To interact with a grid from many machines And you realise that you must NOT, EVER leave your certificate where anyone can find and use it…. Its on a USB drive only. –To use a portal, and delegate to the portal the right to act on your behalf (by logging in to an account that can make a proxy certificate for you) –To run jobs that might last longer than the lifetime of a short-lived proxy Solution: you can store a long-lived proxy in a “MyProxy repository” and derive a proxy certificate when needed.
39
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 39 Grid authentication with MyProxy UI Local WS MyProxy Server GENIUS Server (UI) voms-proxy-init myproxy-init any grid service myproxy-get-delegation output the Grid execution WEB Browser
40
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 40 Upload a proxy to MyProxy Server myproxy-init -s grid001.ct.infn.it -s specifies the MyProxy server Use “BRISBANE” as your myproxy pass phrase… Usually it should be different from your passphrase but we’ve already got a lot to remember today!
41
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 41 GENIUS portal – a quick practical In a browser go to https://grid-tutor.ct.infn.it/https://grid-tutor.ct.infn.it/ (When asked: Accept for this session only) Enter your brisbaneXX username and the MyProxy pass phrase (BRISBANE) Select “Set VO/VOMS” and confirm you are acting in the GILDA VO by “set” Choose job service- job submission –single job Enter /home/brisbane01/hostname.jdl Allow the resource broker to choose Submit the job
42
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 42 GENIUS Can be tailored to suit a particular VO and its applications Allows Grid jobs to be run from any browser MyProxy enables this by issuing the portal server with a proxy on your behalf Many VOs are not physicists who like to code! –Need to be provided with an easy interface Provided by the University of Catania and NICE
43
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 43 Has your job run? Choose “single job” then “job queue” If it has completed, retrieve the output file. You can return to this later. After the tutorial you have access to “grid-demo”: https://grid-demo.ct.infn.it/
44
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 44 MyProxy Consists of a server and a set of client tools that can be used to delegate and retrieve credentials to and from a server. MyProxy Client commands: myproxy-init myproxy-info // myproxy-info -s -d myproxy-destroy myproxy-get-delegation // myproxy-get-delegation -s -d –t -o -a myproxy-change-pass-phrase The myproxy-init command allows you to create and send a delegated proxy to a MyProxy server for later retrieval; in order to launch it you have to assure you’re able to execute the voms-proxy-init command. myproxy-init -s -t -d –n The myproxy-init command stores a user proxy in the repository specified by (the –s option). Default lifetime of proxies retrieved from the repository will be set to (see -t) and no password authorization is permitted when fetching the proxy from the repository (the -n option). The proxy is stored under the same user-name as is your subject in your certificate (-d).
45
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 45 Summary The EGEE multi-VO grid is built on –Authentication based on X.509 digital certificates Issued by CAs that are internationally recognised (enabling international collaboration) With proxies –Authorisation provided by VOMS VOMS supports multiple groups, roles within a VO Aggregation of rights by a user who is a member of several VOs MyProxy –Secure storage of long-lived proxy certificates –Delegation so services can create and use a proxy on your behalf
46
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 46 User Responsibilities Keep your private key secure. Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a proxy for longer than your current task needs. If your certificate or proxy is used by someone other than you, it cannot be proven that it was not you.
47
Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication, Brisbane, January 2006 47 References VOMS on EGEE: User Guide available at http://glite.web.cern.ch/glite/documentation/default.asp http://glite.web.cern.ch/glite/documentation/default.asp VOMS Available at http://infnforge.cnaf.infn.it/voms/http://infnforge.cnaf.infn.it/voms/ Alfieri, Cecchini, Ciaschini, Spataro, dell'Agnello, Fronher, Lorentey, From gridmap-file to VOMS: managing Authorization in a Grid environment Vincenzo Ciaschini, A VOMS Attribute Certificate Profile for Authorization GSI Available at www.globus.orgwww.globus.org A Security Architecture for Computational Grids. I. Foster, C. Kesselman, G. Tsudik, S. Tuecke. Proc. 5th ACM Conference on Computer and Communications Security Conference, pp. 83-92, 1998. A National-Scale Authentication Infrastructure. R. Butler, D. Engert, I. Foster, C. Kesselman, S. Tuecke, J. Volmer, V. Welch. IEEE Computer, 33(12):60-66, 2000. RFC S.Farrell, R.Housley, An internet Attribute Certificate Profile for Authorization, RFC 3281
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.