Presentation is loading. Please wait.

Presentation is loading. Please wait.

WLCG security landscape in EGI and beyond Maarten Litmaath CERN v1

Published bySamantha Poole Modified over 5 years ago

Similar presentations

Presentation on theme: "WLCG security landscape in EGI and beyond Maarten Litmaath CERN v1"— Presentation transcript:

1 WLCG security landscape in EGI and beyond Maarten Litmaath CERN v1
WLCG security landscape in EGI and beyond Maarten Litmaath CERN v1.1 (updated Oct 3, 2017)

2 Outline How it all should work today Proxies Incoherence
Security model examples User suspension a.k.a. banning Argus Pilot jobs Data security Other services Cloud resources Federated identities Conclusions and outlook

3 How it all should work today (1)
Users and services have digital certificates signed by trusted certificate authorities (CAs) Certificate lifetime usually is 1 year (up to 400 days) Users are members of virtual organizations (VOs) WLCG: alice, atlas, cms, lhcb, dteam, ops Users need to re-sign AUP every year Sites decide which VOs to support at which QoS Services are rarely made members of a VO It would be desirable to some extent A service could prove that it is trusted by the VO Instead rely on static information system per experiment

4 How it all should work today (2)
Users create short-lived proxies for grid access Long-lived proxies are only found on MyProxy servers VOBOXes may have their own robot certificates Proxies are delegated to services as needed Some services can retrieve or renew proxies via MyProxy Services interpret proxies consistently There should be good reasons for different services to apply different criteria User jobs and data are protected as needed Services log security-related information consistently Users can easily be suspended as needed

5 Where we want to be

6 Where we were

7 Where we are

8 Proxies (1) Plain grid proxies VOMS proxies
ALICE users get tokens via plain proxies Otherwise rarely used in WLCG these days? VOMS proxies Plain grid proxies + sets of attributes signed by VOMS server Attributes: groups and/or roles Mapping can be based on attributes and/or the DN Attributes usually taken into account DNs in grid-mapfiles are harvested from those same VOMS servers Different subsets can be mapped differently

9 Proxies (2) Proxy lifetime should be “short”
Cf. AFS/Kerberos token lifetime Default 12 hours, 24 hours probably OK Current practice: LHC experiments use multi-day proxies to avoid potential problems with proxy renewal Long jobs need their proxy renewed before it expires A hassle that is “nicely” avoided today Long-lived proxies can be stored on a MyProxy server Trusted services can retrieve or renew short-lived proxies MyProxy server currently is a single point of failure RFE: upload proxies to multiple servers, try all of them for downloading proxies as needed – never got implemented

10 Incoherence Different services may treat proxies differently
Libraries Mapping VOMS attributes and/or DN Logging Suspension a.k.a. banning Used to be not possible on certain services – better now? Testing/debugging/forensics tools Wiki pages! In EMI  EGI this was supposed to be made more consistent through CANL – the Common AuthN Library Implemented by a number of services Argus, CREAM, dCache, VOMS, … Support situation depends on the language binding CANL-C: only used by GridSite; only critical fixes CANL-C++: only used by ARC CANL-Java: widest adoption; maintained outside our community We may need to provide our own pull requests

11 Security model examples
ARC CE, CREAM Support for DN and VOMS mappings LCMAPS, Argus, … Disk Pool Manager Virtual IDs are used internally VOMS mappings by default Legacy plain proxy mapping for other VOs dCache gPlazma – various plugins DN and VOMS mappings through vorolemap file StoRM LCMAPS, Argus ACLs on cluster file system for data access by jobs

12 User suspension a.k.a. banning
Services have different ways to support that ARC CE, CREAM, dCache, DPM, StoRM, … Argus was supposed to make this consistent and easy Also can import a grid-wide ban list Some services have support for it Many sites still do not run this service at all… Despite the “wish lists” of EGI and WLCG Experiments can easily suspend users in their computing frameworks Argus could also be used there

13 Argus (1) Argus was foreseen to give all secure site services in EGI a consistent authZ model It allows authZ decisions to be taken centrally per site A single place to pull the plug It can import remote policies from an Argus hierarchy Regional, national, project, … It can give priority to local/national/… users Banning of DNs, e.g. grid-wide Policies can affect DNs or VOMS attributes Argus can coexist with legacy services They can share a common gridmapdir

14 Argus (2) Argus is a generic policy engine
Not tied to X509 Can be used with new AAI paradigms 1.7.x releases have thus been developed under the aegis of INDIGO-DataCloud 1.7.0 – major updates of dependencies, plus bug fixes and enhancements for scalability 1.7.1 – support added for LoA profiles “Lower-quality” CAs can be allowed for communities with strong processes for user vetting (like WLCG)

15 Pilot jobs Production managers run VO workload for most/all users through pilot jobs Typically using a special VOMS role (e.g. “pilot”) gLExec or Singularity may then be used for sandboxing the user payload If the payload does not use its own proxy, the pilot will essentially own all the user data The payload then might be able to tamper with data of other users in the VO Users may be able to run their own jobs E.g. to get priority at their institute, in their project, or in their country

16 Data security (1) Production managers are responsible for the vast majority of a VO’s data volume (99%) Only they have write access to specific resources used in managing production data Reserved sub-trees in the catalog name space Reserved disk pools and access to tape They may also own all user data on SEs If user jobs run with the pilot proxy If the pilot handles output data upload itself All the remaining resources may effectively be group-writable Depends on the experiment, site configuration and/or storage technology Different groups can be shielded from each other

17 Data security (2) Fine-grained permissions per user are possible
At least in the experiment catalog May be awkward or expensive on an SE ALICE achieve such functionality through access envelopes (cf. bearer tokens) Presented instead of X509 proxy to Xrootd service Lists which file(s) can be accessed how until when Signed by central services based on catalog info ALICE SEs have the corresponding public key

18 Other services Information system Monitoring Accounting Insecure LDAP
Anyone can search for vulnerable hosts No integrity validation beyond schema compliance Any site can claim it supports any VO Experiments mainly use their own, static information systems Monitoring If secure, often viewable for any DN from a trusted CA Coming under more scrutiny because of increasing EU privacy regulations Accounting Secure Privacy OK

19 Cloud resources An increasing number of EGI sites participate in the EGI Federated Cloud Set up in particular for other communities Some sites also support 1 or more LHC experiments Typically seen as opportunistic computing resources Security works differently compared to the grid VOMS(-Admin) still used to determine who has what kind(s) of access to resources at such sites Users run their own services … and may get hacked … and may get the hosting site in trouble

20 Federated identities New AAI service: EGI CheckIn
Developed in collaboration with AARC Get X509 through RCAuth.eu online CA Mainly for other communities Currently supported by GGUS and GOCDB

21 Conclusions and outlook
Security aspects of WLCG clients and services on EGI and beyond used to imply a jungle of libraries, configurations and features Things have improved over the years through increased use of CANL and Argus MW coverage could still grow Argus deployment should still grow! Key areas for development New AAI paradigms Data protection? Privacy regulations!

Download ppt "WLCG security landscape in EGI and beyond Maarten Litmaath CERN v1"

Similar presentations

The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK

The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.

New VOMS servers campaign GDB, 8 th Oct 2014 Maarten Litmaath IT/SDC.
EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,

EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
EDG Security European DataGrid Project Security Coordination Group

EDG Security European DataGrid Project Security Coordination Group
June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.

June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.
Placeholder ES 1 CERN IT Experiment Support group Authentication and Authorization (AAI) issues concerning Storage Systems and Data Access Pre-GDB, 2013-02-12.

Placeholder ES 1 CERN IT Experiment Support group Authentication and Authorization (AAI) issues concerning Storage Systems and Data Access Pre-GDB,
WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.

WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
EMI INFSO-RI-261611 Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)

VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
EMI INFSO-RI-261611 Argus The EMI Authorization Service Valery Tschopp (SWITCH) Argus Product Team.

EMI INFSO-RI Argus The EMI Authorization Service Valery Tschopp (SWITCH) Argus Product Team.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
Security aspects of the WLCG infrastructure: clients and services Maarten Litmaath CERN.

Security aspects of the WLCG infrastructure: clients and services Maarten Litmaath CERN.

Similar presentations

Ads by Google