Presentation is loading. Please wait.

Presentation is loading. Please wait.

2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define."— Presentation transcript:

1 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define security services/components for M9 How to handle security in the future Listen to what is happening elsewhere

2 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop2 Issues for WP1 Use GSI –job submission to LRMS –between community scheduler and Condor-G –Between user and scheduler (but may also be a web portal based on `plain’ PKI) Credentials should be valid for long time (days or weeks) –For re-submission and while waiting for a cluster –Might use MyProxy service (operates like `quasi CA’) Information needed (from WP4) –Which clusters may be used (M9: publishing grid-mapfiles in GIS?) –(aggregate or approx.) accounting needed for scheduling policy (possible not needed for M9, later definite `yes’)

3 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop3 Issues for WP2 Will co-exist with existing uid/gid mechanisms Replica Manager will get you the files locally and use uid/gid's from there The Replica Mngr needs more permissions, but there are only few Will need access control on Replica Catalogue Replica Manager DataMover Storage Elements Problem with all objects in one file (Objectivity)

4 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop4 Issues for WP3 Some of the information is personal → legal requirement to protect: –Accounting information –Grid map file

5 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop5 Issues for WP4 See presentation of Lionel for details Some key points: Host certs for nodes (secure logging/auditing/configure) makes for O (10 5 ) host certificates Mapping of grid to local credentials maybe automatically generated but persistent uid’s? Should cert- or authorization revocation kill job? User ban lists, propagated through DataGrid? Site regulations: who is liable for a break-in? NAT and process access to the outside world

6 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop6 Issues for WP5 WAN access to storage only via Replica Manager No remote user access from programs this triggered Ingo who wants jobs to access object databases and remote CEs and SEs from within a job and not specify anything in the JDL! Will use uid/gid in local fabric (again) Can use grid map file but will not manage it (maybe except for Replica Manager entries)

7 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop7 Issues for Applications Want single sign-on and authentication once Authorization, accounting and quota per role –Via experiment secretariat for HEP –people migrate, also physically Want to apply policies (per role): –e.g. data not to be copied to other side for privacy (bio) Encryption of job submission (biologists are paranoid) Encryption of data optional Marking data read-only QoS commitments and trust (also in face of local changes) Light-weight access for O (10 5 ) biologists

8 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop8 Application status of LHCb MC Currently 19 different accounts for production Need manual intervention to get access to resrcs Special for current situation: Web server and servlets to do job submission need write access to local storage web server should be accessible Log job info to htdocs directory in central place Long-lived credentials (>72hrs)

9 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop9 Plans for M9 Authentication –1 cert per user issues by national CA –Host certs also from national CA –No more Globus certs –Policy checks by CA group –Tools for automatic CA configuration (incl. CRLs) –No support for K5/K4/AFS –Renewal of credentials needed (MyProxy?) –Light-weight access for BioMed

10 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop10 Plans for M9 Authorization –GSI more or less OK –Via Grid map file –No group accounts –Groups and roles are required in some way Globus CAS will not be ready –Access and accounts: via WP management and WP6 Auditing –Auditing must be there –Write to syslog –Need to keep audit trail

11 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop11 Plans for M9 Incident monitoring –WP6 will (should?) provide the DataGrid CSIRT Accounting –Shared task of WP4 and WP1 Information services –Secure MDS from Globus (not critical) –List of allowed clusters needed for scheduling expose map file??

12 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop12 Plans for M9 Storage –WAN access to files only by Replica Manager –Experiments (LHCb) want AFS like access, but mean a exp. software install on worker nodes –HEP applications was to update remote DBs from within a job Firewalls and NAT –Ports should preferably be static

13 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop13 Authorization tools INFN LDAP grid map management –User and group info in directory, used by local admins to generate the grid map file –User DNs associated with groups and domains –OU manager access still problem (standardization!) gridmapdir patch to Globus –Works like DHCP leases from account pools –Supports multiple pools or groups –Expiry of leases is challenging! –http://www.hep.grid.ac.uk/gridmapdir

14 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop14 Agreed Long Term Statements Local control should always be retained Authorization and its revocation is key problem A policy language is needed –Including conditional authorization, e.g. from 9am-5pm Accounting and auditing infrastructure needed Aware of firewalls & NAT and of attack risks

15 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop15 Aaaarch Research Task Force Next Generation AAA Architecture based on mesh of interconnected AAA servers RFCs 2903 – 2906 & drafts Provide nice overview of different architectures: –Agents query service to allow user access –Service pulls info from UHO AAA server –UHO AAA pushes tokens for user to access service Working on policy language http://www.aaaarch.org/

16 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop16 Some Open Issues Need all channels encryption or integrity? Does the scheduler need authentication itself (does the scheduler have more rights than its end-user?) Authorization service universal problem –Who managers authorization information –Revocation of authorization –How often do you check this Scalability –Access permissions on user or group level (which group)

17 2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop17 More Open Issues Files vs. Objects (all data in Objectivity owner by one uid) DataGrid will not bring more security to insecure solutions Are jobs to use other services than `Grid’ services? Or: how to prevent this! Attacks, cracking, DDoS, … How to secure the security infrastructure

Download ppt "2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
WP2: Data Management Gavin McCance University of Glasgow November 5, 2001.

WP2: Data Management Gavin McCance University of Glasgow November 5, 2001.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
FP7-INFRA-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
A Computation Management Agent for Multi-Institutional Grids

A Computation Management Agent for Multi-Institutional Grids
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4 for Gridification Task: David Groep

WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4 for Gridification Task: David Groep
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
Workload Management Workpackage Massimo Sgaravatto INFN Padova.

Workload Management Workpackage Massimo Sgaravatto INFN Padova.
GGF Toronto 19.02.02 Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

Similar presentations

Ads by Google