1. Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester mcnab@hep.man.ac.uk

2. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 Why we need GSI u EDG Testbed has ~300 users at ~20 European sites u Jobs typically submitted from site A to broker at B which uses Replica Catalog at C and sends job to site D which replicates output to site E u So users need a “portable” testbed wide identity... u … and need to be able to delegate this identity from site to site

3. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 Authentification / CA management u Since GSI built on X509, somehow need to get CA certificates for every CA to each site u EDG software, including bug fixes, distributed as binary packages u Information about Certificate Authorities part of this process n eg RPM for Linux that installs into /etc/grid-security/certificates CA ’s own certificate n Policy file and optional cert request configuration n Location of CRL: automatically found and used by fetcher run from cron u For a CA to be distributed as part of EDG software, it’s CPS must be accepted by EDG CA group. n Sites can still add other CA’s if they trust them

4. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 Virtual Organisation membership u GSI provides a testbed-wide identity, but sites need lists of identities to accept u Manually, would have to email ~20 sites with new names every day u EDG currently uses VO authorisation servers: centrally maintained authorisation listings n published via LDAP (~300 users in ~10 VO ’s) n mkgridmap: automatically builds grid-mapfile with local choice of VO ’s. n GUI tools allow VO managers to manage VO membership u Users must also join Acceptable Use Policy VO by signing AUP n AUP defines relationship between all sites and all users in a single place

5. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 Mapping GSI identity to local Unix ID u Not only need a list of GSI ID’s, also mapping to local Unix ID u Manually, site admins would have to create new accounts every day u Instead, pre-create pools of accounts for VO’s and allocate these to users when they request access n eg atlas001, atlas002, atlas003, … n implemented as a patch to gridmap.c, used by Globus Gatekeeper, Grid FTP etc n lock files store mapping: multiple connections with same identity receive same pool account n auditing possible since all GSI ID=>UID mappings recorded in log files. u Ok for jobs that use CPU but don’t make long-lived files locally n Limitations are because files are still owned by Unix UID: can’t recycle UID until all files created have been removed.

6. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 GSI ID vs Unix ID file ownership u GSI gives testbed-wide identity, but local Unix ID still owns files u SlashGrid allows “Grid-aware” filesystems n different types of filesystem provided by plugins. u certfs.so plugin provides local storage governed by Access Control Lists based on GSI ID’s, VO groups, Globus CAS or VOMS. u Since new ACL’s just have creator’s GSI ID, this is equivalent to file ownership by GSI ID rather than UID. n solves admin worries about long lived files owned by pool accounts. u HTTP/HTTPS plugin (curlfs) ultimately aims to provide NFS/AFS- like functionality, again governed by Grid ACL’s.

7. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 GridSite - Grid/Web crossovers u Since have invested in GSI identities for users, also want to use in web security u GridSite manages access to websites and HTTP(S) fileservers n Users and admins load GSI cert + key into unmodified web browsers u Grid ACL’s control level of read and write access n Write access either by HTML forms (interactive) or HTTP PUT (programmatic) u Website admins can define groups of users with specific rights n Can delegate administration of that group to one or more members. n Group membership can also be published in EDG VO LDAP format. u GridSite used by EDG Testbed website, and GridPP and e-Science support websites in the UK.

8. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 Other EDG systems built on GSI u EDG WP2 (Data Management) has built a set of Java security modules n this includes modules for verifying GSI proxies, and enforcing ACL and grid-mapfile access control n can provide security handling for other Grid services n filtering of both plain HTTP and SOAP requests, and queries from service itself during processing u EDG WP4 (Fabric Management) site access system n LCAS - provides site-specific callouts to check authorisation based on user identity, what is requested, quotas, free-slots in batch system etc n LCMAPS - manages current mappings of Grid to local identities n similar to recent Globus proposal for authorisation callouts

9. Andrew McNab - EDG Access Control - 14 Jan 2003 GridPP / EDG / WP6 Summary u GSI is the security system that ties the EU DataGrid together u Implementing a grid using GSI requires mechanisms for: n distributing CA info to sites n distributing VO info to sites n managing GSI to local account mapping u EDG has demonstrated applying GSI security to filesystems and websites u GSI also provides the basis of Java information and LCAS site policy security systems u See http://www.gridpp.ac.uk/authz/ for links to source code and details of all tools mentioned in this talk