Slide 1: LCG/GDB Security Update (Report from the LCG Security Group)
CERN, 13 January 2004
David Kelsey, CCLRC/RAL, UK, d.p.kelsey@rl.ac.uk
13-Jan-04 D.P.Kelsey, LCG-GDB-Security

Slide 2: Overview
- LCG Security Officer appointment
- User Registration / VO management / Authorization workshop
  - Very useful meeting, lots of information exchange, but...
  - No proposal on new procedures at this meeting
  - Expected at a later meeting (March?)
- Policy documents: status and plans

Slide 3: LCG Security Officer
- Proposal sent by Ian Bird to the GDB on 2nd December
- Issue came out of the LCG Reviews in November
- Need someone to advise the deployment team on the urgency of security patches
- Ian Neilson was proposed as "interim" security officer
- Subsequent discussion:
  - In general, strong support (also in the Security Group, 3rd Dec)
  - GOC phase 3 (June 2004) is the earliest time for them
  - Need to clarify the roles and responsibilities:
    - Grid services vs operating system
    - Threat to an individual service/site or to the Grid as a whole
  - The Security Policy document should describe the role

Slide 4: Security Officer, Proposed Role (not yet widely discussed)
- Act as point of contact within the Deployment Team for matters related to grid security
- Act as a point of ownership within the Deployment Team for security-related problems which impact on grid operation
  - DPK: Does "ownership" imply responsibility and power to act?
- Advise the Deployment Team over necessary actions regarding security incidents and required patches
- Active participation in the LCG Security Group
- Monitor security aspects of candidate future grid services
- Liaise with and take advice from others as appropriate

Slide 5: Workshop
- Workshop on "LCG User Registration, VO Management and Authorization", CERN, Dec 2003
- Agenda and presentations are on the web
- Attended by:
  - LCG Security Group
  - VO managers
  - US and EU experts and representatives of other projects
  - LCG deployment team

Slide 6: Agenda
- Session 1: User Registration and VO management; overviews of LCG, VOX, VOMS, GUMS
- Session 2: Discussion; VOMS and VOX details, roundtable
- Session 3: Authorization; overviews of EDG, US CMS, GT3, GGF, EGEE
- Session 4: Discussion on Authorization issues
- Session 5: Summaries and conclusions

Slide 7: User Registration
- Today in LCG: the user registers with LCG (accepts the user rules) and requests to join one VO
  - This was done in 2003 to distinguish EDG from LCG
  - Only the LHC experiments and the DTEAM VO are supported
  - Other experiments (e.g. BaBar) wish to use LCG s/w but can't sign the LCG rules
- Proposal (not yet fully discussed by the Security Group):
  - User registers with the VO rather than with LCG
  - User accepts the User Rules at this point
  - No need to check membership of the "guidelines" VO in AuthZ: trust the VO
  - We should produce a standard "HEP-user rules" template, or better still Grid-User rules, to ease negotiation between sites and VOs

Slide 8: User Registration (2)
- User Registration Database
  - Contains personal data about the user
  - One per VO, with controlled read access
  - Site managers should have read access (today we send new registrations by
  - Approved list of institutes per VO (scroll-down list)
  - Ability for the user to request addition of a missing institute
  - Verification of data and right to join by distributed VO RAs (defined by the VO manager)
    - One RA contact per institute (or whatever the VO decides)
  - Process must be documented and robust/auditable
- VO Authorization Database (VOMS)
  - Stores groups/roles of users for the AuthZ technology

Slide 9: User Registration Issues
- Many issues still to be solved; some noted here
- General agreement on the need to separate the Registration DB and the VO AuthZ DB (but not unanimous!)
- Sensitivity of the data held
- Security and performance concerns
  - Replication of the DB controlled
  - Sites subscribe to notification or have read access
- Need to cope with multiple certificates per user
- Technology choice for the Registration DB: VOX VOMRS vs VOMS for the User Registration DB?

Slide 10: Authorization
- Lots of useful information exchange between EU and US projects; must continue collaboration on these
- EU LCAS/LCMAPS, US SAZ/LRAS: ongoing development and support?
- GGF activities (XACML etc.)
- Need to work through some VO use cases, e.g. a production manager needs a special queue and a larger storage allocation
- How does a VO publish its policy to sites? Attribute list or configuration file?
- How to merge several policies per site? Translate the VO policy for use by the site?
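As an added worked example (not from the slides, and not LCAS/LCMAPS, SAZ or VOMS code), the following sketches one answer to the last three questions: each VO publishes an attribute list, the site translates and merges the lists under its own caps, and a user's VO-asserted group/role attributes are mapped to a queue, a storage allocation and a local account pool. The production-manager use case from the slide is the second sample decision. The text format of the attribute list, the VOMS-style FQAN strings, the queue names, the pool names and the site caps are all assumptions made for the example.

```python
# Hypothetical site-side mapping of VO-published attributes to local entitlements.
# Added example; not LCAS/LCMAPS, SAZ or VOMS code. The FQAN strings, the text
# format of the VO attribute list and the site caps are all assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    queue: str        # batch queue the attribute entitles the user to
    storage_gb: int   # storage allocation requested by the VO / granted by the site
    pool: str         # local account pool the user is mapped into


def parse_vo_policy(text):
    """Parse a VO-published attribute list (constructed format):
    one line per attribute: <FQAN> <queue> <storage_gb> <account pool>.
    Blank lines and '#' comments are ignored."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fqan, queue, storage, pool = line.split()
        if not fqan.startswith("/"):
            raise ValueError(f"bad FQAN: {fqan!r}")
        policy[fqan] = Grant(queue, int(storage), pool)
    return policy


def fqan_vo(fqan):
    """The VO name is the first path component of a VOMS-style FQAN."""
    return fqan.split("/")[1]


def merge_policies(vo_policies, site):
    """Translate several VO policies into one site table.
    The VO can only request; the site applies its own policy:
    unsupported VOs and unknown queues are dropped, storage is capped per VO."""
    merged = {}
    for policy in vo_policies:
        for fqan, g in policy.items():
            vo = fqan_vo(fqan)
            if vo not in site["supported_vos"] or g.queue not in site["queues"]:
                continue
            cap = site["max_storage_gb"][vo]
            merged[fqan] = Grant(g.queue, min(g.storage_gb, cap), g.pool)
    return merged


def authorize(fqans, merged):
    """Decide for one user presenting the list of FQANs the VO asserts for them.
    Returns the most privileged matching Grant (largest storage, first wins on
    ties) or None when no attribute is known to the site, i.e. access denied."""
    matches = [merged[f] for f in fqans if f in merged]
    if not matches:
        return None
    return max(matches, key=lambda g: g.storage_gb)


# Constructed sample input: three VOs publish policies; the site supports two.
ATLAS_POLICY_TEXT = """
# FQAN                    queue       storage_gb  pool
/atlas                    short       10          atlas
/atlas/Role=production    production  500         atlasprd
"""
BABAR_POLICY_TEXT = "/babar short 10 babar\n"
DTEAM_POLICY_TEXT = "/dteam short 1 dteam\n"

SITE = {
    "supported_vos": {"atlas", "dteam"},
    "queues": {"short", "production"},
    "max_storage_gb": {"atlas": 200, "dteam": 5},
}

MERGED = merge_policies(
    [parse_vo_policy(t) for t in (ATLAS_POLICY_TEXT, BABAR_POLICY_TEXT, DTEAM_POLICY_TEXT)],
    SITE,
)

if __name__ == "__main__":
    print(authorize(["/atlas"], MERGED))                            # ordinary member
    print(authorize(["/atlas", "/atlas/Role=production"], MERGED))  # production manager
    print(authorize(["/babar"], MERGED))                            # unsupported VO: None
```

The point of the split is that the VO's list only expresses what its groups and roles need (the production role asks for 500 GB), while the site keeps the last word (the atlas cap of 200 GB applies and an unsupported VO such as BaBar is never mapped at all); merging is then a translation of each VO list into the site's own terms rather than a negotiation of a single shared policy.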

Slide 11: Next steps
- More discussion in the LCG Security Group
- Write new User Rules (general "Grid User")
- Update the User Registration and VO management procedures
- In parallel with this, continue development of the AuthZ technology

Slide 12: Policy documents, status and plans
- Security and Availability: top-level policy
  - Approved by the GDB in October 2003
  - Needs formal approval by SC2 (or PEB?); not yet happened?
  - But two modifications first, perhaps?
    - Describe the role of the Security Officer
    - More precise statements on network connectivity policy
- Started work on missing guides and procedures: SLA Guide, Network Admins Guide, ...

Slide 13: Policy Documents (2)
- Many of the existing documents were aimed at LCG-1 and operation during 2003
- Need reviews and updates, e.g. CA approval, User Rules, User Registration...
- Propose:
  - Keep documents in EDMS to allow version control (this has already started)
  - Deadline for review of the 2003 documents is 1 year from GDB approval
  - The GDB states that policies are "valid until updated"
