David Kelsey CCLRC/RAL, UK

1 LCG/GDB Security Update
Report from the Joint LCG/EGEE Security Group
David Kelsey, CCLRC/RAL, UK (d.p.kelsey@rl.ac.uk)
NIKHEF, 13 October 2004
13-Oct-04 D.P.Kelsey, LCG-GDB-Security

2 Overview
- Joint (LCG/EGEE) Security Group meetings: 18 Aug, 7 Sep, 6 Oct 2004
  - Next meetings: 2 Nov 2004 and 25 Nov 2004 (EGEE workshop, The Hague)
- Name and membership of the group
- Security concerns from ATLAS data management
- User Registration Task Force
- Operational security
- User Rules/AUP
- Site and VO registration procedures

3 Name & Membership
- Was "Joint Security Group"
  - Joint in the sense of LCG & EGEE (& OSG members)
  - Some in EGEE found this confusing: JRA3 (Ake Edlund) is the main activity
- Renamed to Joint Security Policy Group (JSPG)
  - Responsible for policy and procedures
  - Reports to LCG GDB
  - EGEE ROC Managers also need to agree policy
- New members
  - Miguel Cárdenas (Spain)
  - Bio-medical person (soon)

4 Security Activities in EGEE
[Diagram, not reproduced: boxes for CA Coordination, NA4, JRA1, JRA3, SA1, the Middleware Security Group and the Joint Security Policy Group, linked by requirements ("Req.") arrows into the two security groups and a "Solutions/Recommendations" arrow back out.]
- "Joint Security Policy Group" defines policy and procedures
  - For LCG/GDB and EGEE/SA1 (cross membership of OSG)

5 Security concerns: ATLAS data management
- Miguel Branco, CHEP talk (see JSPG agenda, 4 Oct)
  - Very interesting and honest! (useful as input to JRA3 etc.)
- Users don't like certificates (and are confused)
- Using user certificate for services (clients)
- Lots of clashes between 3 different ATLAS VOs: LCG, Grid3, NorduGrid
- MyProxy credential renewal (single point of failure)
- No security on LCG replica catalogue
- Using atlassgm (s/w manager) to run production jobs
  - We need VOMS, and LCAS/LCMAPS!
- Experiments need help to develop secure applications
- Security of DB-resident data

6 User Registration and VO Membership Management
- Requirements document (V2.7) approved by GDB in May 2004
- Task force created to propose the solution
- TF membership
  - Maria Dimou (LCG Registrar, DTeam VO manager)
  - Joni Hahkala (VOMS Admin development leader)
  - Tanya Levshina (VOX leader)
  - Ian Neilson (LCG Security Officer), Task Force leader
  - DPK
- Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, ...
- Recent meeting at CERN in September 2004

7 The Registration and VO Data/Databases
- ORGDB
  - No direct read access at all, except via link from AuthN/VODB
  - As maintained by CERN HR/User Office/Experiment Secretariats
  - User fields required here: Family Name, Given Name, Institute Name, Phone Number, address
  - And contract and experiment participation end dates
- Authentication part of VODB
  - Authorised read access possible (site admins)
  - Live link to record in ORGDB (via db key)
  - User's DN(s) from certificate and DN of signing CA
  - Registration and expiry dates
- Authorisation part of VODB
  - Used by AuthZ technology (attribute authority)
  - Groups, roles, attributes assigned by VO manager
  - Suspension status flag

8 Process (1)
- Every user (4 LHC experiments) must register in ORGDB first
  - Already true for the majority
  - Advantages of using existing procedures: no duplication of effort or personal data
- External users (e.g. people never coming to CERN) and short-term users (e.g. summer students)
  - Need a simple, speedy and robust procedure
- Non-VO people, e.g. testers/experiment-independent people, must register in ORGDB (e.g. via LCG/IT)
- Eventual aim is to use the experiment participation end-date in ORGDB to trigger immediate suspension from the VO

9 Process (2)
- VODB expiry date
  - Not exceeding 1 year from date of VO registration
  - Less if institute contract/ORGDB registration expires before then
  - Care to be taken with the transition, to avoid a large number of renewals at the same time
- Personal user data will only reside in ORGDB
- There is no automatic membership of VODB
  - User has to complete a form and the VO manager has to approve

10 Process (3)
- When the VODB expiry date is reached, the VO membership is immediately suspended
  - Advance warning will be sent to the user
- There will be other possible reasons for suspension
  - E.g. following security problems
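As an added illustration of slides 7 to 10 (this is example code written for this page, not the presentation's, VOMRS's or VOMS's code), the following Python models the three data sets and the membership rules they describe: personal data only in ORGDB, a VODB authentication record that carries the user's DN(s), the CA DN and dates plus a key into ORGDB, a VODB authorisation record with groups, roles and a suspension flag, an expiry of at most one year from VO registration (earlier if the contract or participation ends first), mandatory VO-manager approval, immediate suspension on expiry, and suspension for other reasons such as a security problem. The class and function names, the 30-day warning window and the sample records are assumptions.

```python
"""Constructed model of the ORGDB / VODB split described on the slides.
Names, the warning window and sample data are assumptions; this is not
LCG/EGEE, VOMRS or VOMS code."""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_MEMBERSHIP = timedelta(days=365)  # VODB expiry: not exceeding 1 year
WARNING_WINDOW = timedelta(days=30)   # advance-warning period (assumed value)


@dataclass
class OrgdbRecord:
    """Personal data lives only here (CERN HR / User Office / secretariats)."""
    key: int
    family_name: str
    given_name: str
    institute: str
    phone: str
    contract_end: date
    experiment_end: dict   # experiment/VO name -> participation end date


@dataclass
class VoAuthnRecord:
    """Authentication part of VODB: site admins may read it; no personal data."""
    orgdb_key: int         # live link into ORGDB
    user_dns: list         # subject DN(s) from the user's certificate(s)
    ca_dn: str             # DN of the signing CA
    registered: date
    expires: date


@dataclass
class VoAuthzRecord:
    """Authorisation part of VODB, consumed by the attribute authority."""
    orgdb_key: int
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    suspended: bool = False
    reason: str = ""


def vodb_expiry(registered: date, org: OrgdbRecord, vo: str) -> date:
    """At most one year after VO registration, earlier if the institute
    contract or the experiment participation recorded in ORGDB ends first."""
    candidates = [registered + MAX_MEMBERSHIP, org.contract_end]
    if vo in org.experiment_end:
        candidates.append(org.experiment_end[vo])
    return min(candidates)


def register(org: OrgdbRecord, vo: str, dns: list, ca_dn: str,
             on: date, vo_manager_approved: bool):
    """No automatic VO membership: the user's form needs VO-manager approval,
    and an ORGDB record must already exist (it is passed in, never created)."""
    if not vo_manager_approved:
        raise PermissionError("VO manager approval required")
    authn = VoAuthnRecord(org.key, list(dns), ca_dn, on, vodb_expiry(on, org, vo))
    return authn, VoAuthzRecord(org.key)


def sync(authn: VoAuthnRecord, authz: VoAuthzRecord, org: OrgdbRecord,
         vo: str, today: date) -> str:
    """Periodic check: suspend immediately when the VODB expiry date or the
    ORGDB participation end date is reached; 'warn' inside the warning window."""
    if authz.suspended:
        return "suspended"
    part_end = org.experiment_end.get(vo)
    if today >= authn.expires or (part_end is not None and today >= part_end):
        authz.suspended, authz.reason = True, "membership expired"
        return "suspended"
    if today >= authn.expires - WARNING_WINDOW:
        return "warn"
    return "ok"


def suspend_for_incident(authz: VoAuthzRecord, reason: str) -> None:
    """Other suspension reasons, e.g. following a security problem."""
    authz.suspended, authz.reason = True, reason


def site_admin_view(authn: VoAuthnRecord, orgdb: dict) -> dict:
    """What a site admin may read: the VODB record plus identity fields
    resolved through the ORGDB key; phone and contract data stay in ORGDB."""
    org = orgdb[authn.orgdb_key]
    return {"dns": authn.user_dns, "ca": authn.ca_dn, "expires": authn.expires,
            "name": f"{org.given_name} {org.family_name}", "institute": org.institute}


if __name__ == "__main__":
    # Constructed sample: the contract ends before the one-year VODB limit.
    org = OrgdbRecord(42, "Doe", "Jane", "Example Institute", "+00 0 000 0000",
                      date(2005, 3, 31), {"atlas": date(2005, 6, 30)})
    authn, authz = register(org, "atlas", ["/DC=example/O=Grid/CN=Jane Doe"],
                            "/DC=example/O=Grid/CN=Example CA",
                            date(2004, 10, 13), vo_manager_approved=True)
    print(authn.expires, sync(authn, authz, org, "atlas", date(2005, 3, 31)))
```

The point worth noticing is that `sync` reads the participation end date through the ORGDB key at check time rather than copying it into VODB, which is what lets an ORGDB change trigger suspension without a second registry to keep in step.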

11 Technical Solution agreed
- 15-17 Sep meeting decisions:
- The authentication part of VODB (registration database)
  - Will be the US CMS VOX VOMRS component
  - Subject to FNAL agreement
  - VOMRS needs development to meet the new requirements
  - CERN is working on the VOMRS interconnection to the Oracle DB (ORGDB)
- Non-LHC VOs may use the VOMS Admin component
- Time to implement not yet fixed
  - Aim for early next year

12 Operational Security
- Incident Response OSG document
  - A good document
  - We (LCG/EGEE) should base our incident response on this
  - JSPG to set policy, OSCT to define procedures
- EGEE OSCT: Operational Security Coordination Team
  - Presented to ROC Managers (by Ian Neilson) at ARM2, Bologna, 5th October
  - Each ROC to nominate a person
  - Adds to the existing CSIRT procedures (does not replace them)
  - Propose incident response procedures
  - And security service challenges

13 Acceptable Use Policy
- Current LCG User Rules
  - Very LCG specific (actually LCG-1 specific!)
  - Very much "draft" quality
  - Based on old EDG security policy
  - Has lots of site rules as well
  - We need a new version!
- EU eInfrastructure Reflection Group tackling AUP now
  - DPK to chair parallel session on this (18 Nov)
  - New draft zero already exists (too early to discuss)
  - Concentrating on defining Acceptable Use: what is allowed, what is not (e.g. personal use, for-profit use)
  - Work with OSG, NRENs, National Grids
  - Acceptable to all (keep it short and simple)
  - We are already bound by the network AUPs
  - To be accepted at registration in a VO
- May need a separate document on User Rules?

14 Site and VO registration
- Too many of both to handle informally
- Two documents being written
  - Define procedures to join the LCG/EGEE infrastructure
  - Forms (web) need to be filled: we need all the contact details
  - Approval required: Site by ROC, VO by EGEE NA4
- After registration
  - Sites need write access to CVS
  - Today this needs a CERN AFS account; CERN security not so happy (investigate alternatives)
  - Sites subsequently join the testzone and then the BDII

15 Summary
- Not asking for formal GDB approvals today
  - Hope to have various documents before the Dec 2004 meeting
  - But all feedback very welcome
- Important message
  - We need to deploy and use VOMS and LCAS/LCMAPS as soon as possible
  - We need to offer "roles"
  - Let's get a simple use-case working
  - Waiting for gLite is too late
