1 Grid Security
M. Jouvin / C. Loomis (LAL-Orsay), jouvin@lal.in2p3.fr
Grid Administration Training, LAL, Orsay, 15-19 September 2008

2 Agenda
- Requirements and Constraints
- Different Components
  - Certificates
  - Virtual Organizations
  - Proxies
Grid Security - M. Jouvin 27/11/2018

3 Security Requirements
- The grid is a massively distributed system:
  - More than 5000 users belonging to many different communities
  - More than 250 sites around the world
- Bilateral relationships don't scale; trust relationships must exist between:
  - Sites and site administrators
  - Users (e.g. privacy)
  - Site administrators and users
- The security infrastructure must generate trust between all the actors for the grid to work

4 Main Features Required
- Authentication: who is the user?
- Authorization: check the right to perform an action
- Auditing: who did what, and when?
  - Traceability of actions is critical for trust in case of a problem
- Accounting: identify the resources used by a user

5 Constraints
- Must be flexible, scalable and able to evolve:
  - Nobody can know everybody else
  - Performance must be reasonable
- Must allow controlled access from any country
- Usage must be "simple": if not, nobody will use it
  - Trade-offs are required between security and simplicity
- Must allow delegation of rights (e.g. to a service)

6 Grid Security Infrastructure (GSI)
- De facto standard for grid middleware
  - Developed by the Globus project (U.S.A.)
  - Used by almost all production grids
- Based on a Public Key Infrastructure:
  - Every entity has both a public key and a private key
  - Only one key can match the other
  - Format: X.509v3
- Main features:
  - Single sign-on: the password protecting the private key is entered once for a certain period of time
  - Delegation: a person or a service may authorize another service to act on their behalf
    - Allows another entity to use one's authentication and authorization
  - Mutual authentication: originator and recipient both authenticate the other party

7 Certificate...
- A grid-compliant (X.509v3) certificate may be issued for:
  - A physical person (personal certificate)
  - A machine (host certificate)
  - An application (service certificate): not yet used
- Public key (certificate)
  - Signed by an authority after checking who the owner is
  - Publicly available, published on the network
- Private key
  - Stored on the user's machine
  - Encrypted; must be password protected
- A certificate is an identity card: it does not grant any specific right
  - Used by services to identify the owner of a right

8 ... Certificate
- Main information in a certificate:
  - Subject or DN: unique identifier of the certificate owner
    - Replaces the username in the grid world
  - Validity period of the certificate: generally 1 year
  - X.509v3 extensions: what the certificate can be used for
  - Owner's
- 2 different formats usable with the grid:
  - PKCS12: 1 file containing both the private key and the public key
  - PEM: 2 files, 1 for the private key, 1 for the public key
- All Globus and gLite tools can use PKCS12, but they use a different file name...!!!
  - usercert.p12 for gLite, usercred.p12 for Globus
  - The easiest is to symlink one to the other

9 Who Signs Certificates?
- Certification Authority (CA)
  - Responsible for checking an entity's identity before issuing a certificate
  - 1 per country, or sometimes per group of countries (~35)
  - Establishes trust relationships with other CAs
  - Coordinates security activities in its country
  - In France, only GRID-FR certificates are accepted on EGEE: load the CA ("AC") certificates, then request a personal certificate
- Policy Management Authority (PMA)
  - Defines the minimum rules a CA must adhere to in order to be valid on the grid
  - CA auditing and accreditation
  - International Grid Trust Federation, EUGridPMA

10 Virtual Organizations
- Virtual Organizations (VOs): a group of people with common goals
  - VO members are organized in groups and subgroups
  - A VO member may also have a role in their group/subgroup
- VO membership determines what resources can be used
  - Groups and roles may modify access rights to resources
- Several criteria for VO membership:
  - Experiment or discipline based: biomed, alice, atlas, esr, ...
  - Laboratory or institute: vo.lal.in2p3.fr, vo.u-psud.fr, vo.ucad.sn, ...
  - Projects: embrace, gridpp, auvergrid, ...
  - Others: dteam, ops, ...
- 1 user may belong to several VOs
- The CIC Portal allows listing all registered VOs:
  - A new VO must normally be registered...

11 Authorization Actors
- VO administrator:
  - Decides who may be a member of the VO
  - Organizes members in groups and sub-groups
  - Defines roles
  - A VO may have several administrators
- Site administrator:
  - Responsible for deciding which VOs can use the site resources
  - Defines resource access control based on VO requirements
- VOMS (VO Membership Service) allows VO administrators to manage their members
  - Grid services use VOMS to check groups and roles (FQANs) and decide access rights
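The site-administrator side of this slide, as an added example that is not part of the original presentation: a small shell policy that takes the VOMS FQANs a job presents and decides which local account (if any) they map to. The FQAN form `/vo[/group...][/Role=...][/Capability=...]` is the one VOMS uses; the policy file format, the account names and the sample FQANs are constructed for this example and are a simplified stand-in for a site's own mapping configuration, not gLite's.

```shell
#!/bin/sh
# Added example (not from the slides): decide whether a job's VOMS FQANs grant
# access at a site and which local account they map to. The policy format, the
# account names and the sample FQANs are constructed for this demo.
set -eu

# Site policy, one "<glob pattern> <local account>" pair per line, evaluated
# top to bottom with first match wins, so the role-specific line must come
# before the catch-all for the same VO.
POLICY='
/atlas/Role=production   atlasprd
/atlas                   atlas
/atlas/*                 atlas
/biomed                  biomed
/biomed/*                biomed
'

# VOMS writes "/Capability=NULL" (and "/Role=NULL") when nothing is set; drop
# them so the policy only has to name the parts that matter.
normalize_fqan() {
    printf '%s\n' "$1" | sed -e 's#/Capability=NULL$##' -e 's#/Role=NULL$##'
}

# authorize FQAN... -> prints the account for the first FQAN matching a policy
# line, or DENY when none of the caller's FQANs is accepted at this site.
authorize() {
    for raw in "$@"; do
        fqan=$(normalize_fqan "$raw")
        while read -r pattern account; do
            [ -n "$pattern" ] || continue          # skip blank lines
            case "$fqan" in
                $pattern) printf '%s\n' "$account"; return 0 ;;
            esac
        done <<EOF
$POLICY
EOF
    done
    echo DENY
}

# Stand-alone demonstration with constructed FQANs in the form voms-proxy-info -fqan prints them.
echo "production job:  $(authorize '/atlas/Role=production/Capability=NULL' '/atlas/Role=NULL/Capability=NULL')"
echo "plain member:    $(authorize '/atlas/Role=NULL/Capability=NULL')"
echo "subgroup member: $(authorize '/atlas/higgs/Role=NULL/Capability=NULL')"
echo "other VO:        $(authorize '/cms/Role=NULL/Capability=NULL')"
```

The ordering matters: a proxy with the `production` role also carries the plain `/atlas` FQAN, and because the caller's FQANs are tried in the order the proxy lists them and the policy is first-match, the role line must precede the VO-wide catch-all or every production job would land in the generic account.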

12 Delegation
- Users cannot authorize every transaction in the grid:
  - Too many jobs
  - Jobs are not necessarily local
  - 1 job may involve several services
- Requires delegating access rights to jobs and grid services
- The private key is too sensitive a piece of information, with too long a lifetime, to be transmitted to grid services and jobs
- A "proxy" is created from the certificate and transmitted to services

13 "Proxy"
- A new certificate derived from the user's certificate:
  - Signed by the user's certificate
    - Similar process to the user's certificate being signed by the issuing CA
  - Very short period of validity: by default, ~1/2 day
  - Includes all VOs, groups and roles (FQANs) the user has
  - Stored in a file sent with the job and to services
- Short-lived proxy (around 12 hours): voms-proxy-init (--voms), -info, -destroy
- Long-lived proxy: myproxy-init, -info, -destroy, -get-delegation
  - Requires a valid VOMS proxy (short-lived)
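Slides 7, 8 and 13 together describe the whole chain: a CA-signed user certificate with a password-protected private key, the PEM and PKCS12 storage formats with their two tool-specific file names, and a proxy that is a fresh short-lived certificate signed by the user's own key. The script below, an added example that is not part of the original presentation, builds exactly that with plain openssl so each property can be checked: a throw-away CA stands in for an accredited grid CA, and every DN, file name and the pass phrase are constructed. It does not add VOMS attributes (that is what voms-proxy-init does on top of this), and since `openssl x509 -req` counts validity in whole days the proxy lives one day rather than the ~12 hours of the slide.

```shell
#!/bin/sh
# Added example (not from the slides). A throw-away CA stands in for a real
# accredited grid CA; every DN, file name and the pass phrase are constructed.
set -eu
umask 077                               # key files are created unreadable to others
unset OPENSSL_ALLOW_PROXY_CERTS         # make the "proxies not allowed" case reproducible
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=demo-pass-phrase                   # constructed; protects the long-lived user key only
USER_DN="/C=FR/O=Example Grid CA/OU=LAL/CN=Jane Doe"

# 1. Throw-away CA (the role GRID-FR plays in the slides).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/C=FR/O=Example Grid CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. User certificate: encrypted private key (PEM) + CA-signed public certificate (PEM).
openssl req -new -newkey rsa:2048 -passout "pass:$PASS" -subj "$USER_DN" \
    -keyout "$WORK/userkey.pem" -out "$WORK/user.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$WORK/user.ext"
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -set_serial 1001 -days 365 -extfile "$WORK/user.ext" -out "$WORK/usercert.pem" 2>/dev/null
chmod 400 "$WORK/userkey.pem"           # what the grid tools expect for the private key

# 3. The same identity as one PKCS#12 file, under both tool-specific names.
openssl pkcs12 -export -in "$WORK/usercert.pem" -inkey "$WORK/userkey.pem" \
    -passin "pass:$PASS" -passout "pass:$PASS" -out "$WORK/usercert.p12"
ln -s usercert.p12 "$WORK/usercred.p12"  # gLite name -> Globus name
openssl pkcs12 -in "$WORK/usercred.p12" -passin "pass:$PASS" -nokeys -clcerts \
    -out "$WORK/cert-from-p12.pem" 2>/dev/null

# 4. Proxy: a new certificate signed by the USER key, subject = user DN plus one
#    extra CN, with an unencrypted key, hence the short lifetime.
openssl req -new -newkey rsa:2048 -nodes -subj "$USER_DN/CN=proxy" \
    -keyout "$WORK/proxykey.pem" -out "$WORK/proxy.csr" 2>/dev/null
printf 'proxyCertInfo=critical,language:id-ppl-inheritAll\n' >"$WORK/proxy.ext"
openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/usercert.pem" -CAkey "$WORK/userkey.pem" \
    -passin "pass:$PASS" -set_serial 1 -days 1 -extfile "$WORK/proxy.ext" \
    -out "$WORK/proxycert.pem" 2>/dev/null

# --- checks a service (or the reader) can run on the generated files ---------
userkey_encrypted() { grep -q ENCRYPTED "$WORK/userkey.pem" && echo yes || echo no; }
proxykey_encrypted() { grep -q ENCRYPTED "$WORK/proxykey.pem" && echo yes || echo no; }
userkey_mode() { stat -c %a "$WORK/userkey.pem"; }          # GNU/busybox stat
p12_roundtrip() {      # certificate recovered from the .p12 is the one in usercert.pem
    a=$(openssl x509 -in "$WORK/usercert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$WORK/cert-from-p12.pem" -noout -fingerprint -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ] && echo OK || echo FAIL
}
proxy_name_ok() {      # RFC 3820 rule: subject = issuer DN plus exactly one CN
    s=$(openssl x509 -in "$WORK/proxycert.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$WORK/proxycert.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$s" = "CN=proxy,$i" ] && echo OK || echo FAIL
}
proxy_verify() {       # chain proxy -> user cert -> CA; proxies must be explicitly enabled
    openssl verify -allow_proxy_certs -CAfile "$WORK/cacert.pem" \
        -untrusted "$WORK/usercert.pem" "$WORK/proxycert.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}
proxy_verify_default() {   # a service not configured for proxies rejects the same chain
    openssl verify -CAfile "$WORK/cacert.pem" \
        -untrusted "$WORK/usercert.pem" "$WORK/proxycert.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}
proxy_timeleft_ok() {  # like voms-proxy-info -timeleft: still valid in one hour?
    openssl x509 -in "$WORK/proxycert.pem" -noout -checkend 3600 >/dev/null && echo OK || echo FAIL
}

echo "user key encrypted: $(userkey_encrypted), mode $(userkey_mode); proxy key encrypted: $(proxykey_encrypted)"
echo "p12 round trip: $(p12_roundtrip); proxy name: $(proxy_name_ok); proxy chain: $(proxy_verify)"
echo "same chain without -allow_proxy_certs: $(proxy_verify_default); time left ok: $(proxy_timeleft_ok)"
```

Two things worth noticing when running it: the proxy's private key is deliberately stored unencrypted, which is why the slide insists on a very short validity, and a plain `openssl verify` rejects the chain until the verifier is told to accept proxy certificates, which is the explicit configuration step a grid service performs before trusting a delegated identity.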

14 Other Services
- Grid services log their actions to allow auditing
  - Understand who is doing what, where and when
  - Understand the global behaviour of the system
- Accounting: central database containing a per-VO view of used resources
  - No quota currently available in the middleware

15 Summary
- EGEE security is based on Globus GSI + VOMS
- Authentication
  - A network of CAs signs entities' certificates (person, host or service)
  - The certificate is a "grid passport" for the user
- Authorization
  - Based on virtual organizations (VOs)
  - Site administrators are responsible for configuring authorization, based on VO requirements
- "Proxies"
  - Contain information about the VO, groups and roles of a user at one point in time
  - Allow delegating access rights to grid services and jobs

16 Useful Links
- Man pages for the voms-proxy-xxx and myproxy-xxx commands
- GRIF gLite tutorial:
