Presentation is loading. Please wait.

Presentation is loading. Please wait.

Update on EDG Security (VOMS)

Published byStefanie Baert Modified over 5 years ago

Similar presentations

Presentation on theme: "Update on EDG Security (VOMS)"— Presentation transcript:

1 Update on EDG Security (VOMS)
European DataGrid Project Security Coordination Group

2 Registration CA user VO-VOMS user cert (long life) registration
low frequency high frequency user user cert (long life) VO-VOMS registration web denied deny VO membership request (user) address confirmation (user) create user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. allow new confirmed accepted done (VO admin) to the administrator: new request notification to the requestor: address confirmation to the requestor: request is accepted/denied

3 Multi-VO registration
CA low frequency high frequency user user cert (long life) VO-VOMS registration VO administration operations create/delete (sub)group/role/capability add/remove member of g/r/c get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member VO-VOMS VO-VOMS user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO-VOMS

4 proxy cert (short life) authz cert (short life)
“Login” CA low frequency high frequency user user cert (long life) VO-VOMS voms-proxy-init proxy cert (short life) user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. edg-voms-proxy-init -voms iteam /tmp/x509_up<UID> (normal proxy location) backward compatible proxy format authz cert (short life)

5 proxy cert (short life) authz cert (short life)
Multi-VO “Login” CA low frequency high frequency voms-proxy-init -voms iteam -voms wp6 single proxy certificate is generated each VO provides a separate VOMS credential first one is the default VO each VOMS credential contains multiple group/role entries first one is the default group user user cert (long life) VO-VOMS VO-VOMS voms-proxy-init VO-VOMS proxy cert (short life) user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO-VOMS authz cert (short life)

6 Old-style Service CA service crl update mkgridmap GSI VO-VOMS VO-VOMS
low frequency high frequency host cert (long life) service crl update VO-VOMS VO-VOMS Old-style services still use the gridmap-file for authorization gridftp EDG 1.4.x services EDG 2.x service in compatibility mode no advantage, but everything works as before... mkgridmap VO-VOMS user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. gridmap-file VO-VOMS GSI

7 Replica Management RM user authentication & authorization info
low frequency high frequency host cert information system RM user 1. VO affiliation user cert 2. service URI(s) for VOs in authz? proxy user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO authz 3. calling the service (URI) edg-java- security authentication & authorization info

8 1. VO affiliation (AccessControlBase)
Job Submission low frequency high frequency host cert information system CE user 1. VO affiliation (AccessControlBase) user cert 4. CEs for VOs in authz? WMS 3. job submission proxy user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO authz MyProxy server 2. cert upload

9 authentication & authorization info
Running a Job LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups default VO = default UNIX group other VO/group/role = other UNIX group(s) host cert MyProxy server CE cert (long term) voms-proxy-init WMS proxy user requests a certificate (once in every two-three years) user sends the requests to the CA, which sends back the signed certificate conversion to browser digestable PKCS12 format registration in the EDG LDAP-VO (once for the lifetime of the VO – you may change the certificate keys!) generats a proxy certificate (24 hours lifetime) host/service requests a certificate host/service sends the requests to the CA, which sends back the signed certificate retrival of the trusted CA certificates and their CRLs (automatically updated every night/week) generating a gridmap file from the LDAP database for authorization and mapping (automatically updated every night/week) user contacts a service: they exchange their certificates to authenticate each other; the service bases its authorization decision on the gridmap file (... currently) Real life example: The traveller goes to the destination country and shows up his passport at the border. The officer checks its validity by comparing it to the example passport from the issuing country. He also looks at the list of revoked passports (coming from the originating country) and the visa, which allows the traveller to enter the country. The traveller may also ask the officer to identify itself, so the authentication is also symmetric in the real life. VO 2. job start authz 1. cert download authentication & authorization info LCAS/ LCMAPS

10 VOMS FAQ No instant effect: the user has to “log-in”, using voms-proxy- init, to be notified of any VO change Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group-admin); no user groups Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner no to override it VOMS is not used to implement fine grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration)

Download ppt "Update on EDG Security (VOMS)"

Similar presentations

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.

1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,

EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,
23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK
EDG Security European DataGrid Project Security Coordination Group

EDG Security European DataGrid Project Security Coordination Group
Association with the Gilda Virtual Organization Certificate,VO membership, and MyProxy Server usage.

Association with the Gilda Virtual Organization Certificate,VO membership, and MyProxy Server usage.
Ákos FROHNER – DataGrid Security - 2002-05-17 - n° 1 Security Group D7.6 Design Ideas

Ákos FROHNER – DataGrid Security n° 1 Security Group D7.6 Design Ideas
3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK

3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

Similar presentations

Ads by Google