Gateways security Aashish Sharma Security Engineer National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign.


1 Gateways security Aashish Sharma Security Engineer National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign

2 TeraGrid Security Working Group
– Security-WG
  – Members of Security Teams at TG sites
– What we do
  – Review/formulate TG wide security policies
  – Security related implementation issues: software, services, policy
– Security-WG guides
  – TG sites (Resource providers)
  – Users
– Contact information: Security-wg@teragrid.org

3 RPs and Gateways
– Account creation
  – http://www.teragrid.org/programs/sci_gateways/apply/
  – https://repo.teragrid.org/wg/Gateways
– Approval and setup
  – Done at each RP level

4 Portal AAA Requirements
– Portals may have a mix of community users and standard users (e.g. a LEAD portal may have LEAD community users and Kelvin)
– Must keep time-accurate audit logs of their users and be able to map actions back to specific identities
– Must have contact information for community users; at a minimum an email address
– Should provide a common interface to all TG resources and sites
– Must document how it authenticates portal users and how it maps portal users to TeraGrid usage
– https://repo.teragrid.org/wg/Gateways/aaa-requirements.html

5 Portal requirements
– Estimated maximum number of processors/nodes a job could use
– Estimated maximum run time a job could use
– Estimated short-term storage requirements per user per job
– Estimated long-term storage requirements per user (if non-dynamic)
– Logging of requester's IP, date stamp, and username on the portal
– Names and paths to each script on the RP cluster that can be run by IP of the portal machine, especially if portal is on TG network

6 RP requirements
– Restricted shell
– Chrooted environment
– Restrictions on account's job submissions (job size/run time)
– Securing Globus job submissions via GUMS/WSGRAM sudo
– Using OS tools such as PAM, access.conf, limits.conf, etc.
– Restricting trust of portal machine
– Restricting interactive portal logins on RP login machines

7 Security concerns prevailing
– Community accounts
  – Tracking users and job submissions
  – Auditing and accounting issues are addressed
– Process script & executions
– Storage
– Data confidentiality & integrity

8 Security practices
– Account registrations
– Data validations
– Passwords (setup/reset etc.)
– Lock down portals

9 Comm shell & gateways account lock down
– Shared accounts are a security problem
– Mitigate the potential for abuse by placing restrictions on what an account can execute
– Applications are restricted to a directory governed by a conf file
– Uses another administrative account to add/modify applications
– More details: http://security.ncsa.uiuc.edu/research/commaccts/docs/howto.php
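
The lock-down on slide 9, combined with the per-request logging asked for on slide 5, sketched as an added example; it is not part of the original slides and is not the NCSA comm shell's code or configuration format. The function names, the allowed-directory argument and the audit record fields are hypothetical, and the sample user, IP and path are constructed.

```python
import json
import os
import shlex
from datetime import datetime, timezone


def resolve_allowed(command_line, allowed_dir):
    """Return argv with the executable's real path if it is an installed
    application under allowed_dir; raise PermissionError otherwise."""
    argv = shlex.split(command_line)  # ValueError on unbalanced quotes
    if not argv:
        raise PermissionError("empty command")
    root = os.path.realpath(allowed_dir)
    # Names are resolved against the allowed directory only, never $PATH.
    # realpath collapses ".." and follows symlinks, so escapes show up here.
    candidate = os.path.realpath(os.path.join(root, argv[0]))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("outside allowed directory: " + argv[0])
    if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
        raise PermissionError("not an installed application: " + argv[0])
    # Only the executable is checked; arguments are passed through unchanged.
    return [candidate] + argv[1:]


def handle_request(portal_user, requester_ip, command_line, allowed_dir, log):
    """Decide on one gateway request and append an audit record either way."""
    try:
        argv, decision = resolve_allowed(command_line, allowed_dir), "allow"
    except (PermissionError, ValueError) as exc:
        argv, decision = None, "deny: " + str(exc)
    log.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),  # date stamp
        "portal_user": portal_user,      # individual behind the shared account
        "requester_ip": requester_ip,
        "command": command_line,
        "decision": decision,
    }, sort_keys=True))
    return argv  # caller would exec this list directly, without a shell


if __name__ == "__main__":
    audit = []  # constructed inputs; /srv/gateway/apps is a placeholder path
    handle_request("alice", "192.0.2.10", "../../bin/sh", "/srv/gateway/apps", audit)
    print(audit[0])
```

Denied requests are logged as well as allowed ones, so every action taken through the shared account can still be mapped back to a portal identity.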

10 Questions
References
– http://grid.racf.bnl.gov/GUMS/guide_introduction.html
– http://www.globus.org/toolkit/docs/4.0/execution/wsgram/admin-index.html#s-wsgram-admin-configsudo
– http://security.ncsa.uiuc.edu/research/commaccts/docs/howto.php
– http://www.teragrid.org/programs/sci_gateways/apply/
– https://repo.teragrid.org/wg/Gateways
– Aashish Sharma (aashish@ncsa.uiuc.edu)
– Security-wg (security-wg@ncsa.uiuc.edu)

