Grid Security and VO Management Andrew McNab University of Manchester.


1 Grid Security and VO Management. Andrew McNab, University of Manchester

2 Outline (13 December 2005, Grid Security)
● Defining VOs
● VO Pull vs Push
● Pool Accounts
● VOMS
● GridSite components
● Web service support
● VO practicalities

3 Perspective
● GridPP is the UK's High Energy Physics grid project
  – 15 university sites + RAL
  – largest is a 2000 processor farm at Manchester
● Participates in deployment of LHC Computing Grid
  – ~160 sites worldwide, led by CERN
● Contributes to EGEE middleware development
  – info system, data management and security
● I co-ordinate the GridPP security middleware work
  – this is principally the GridSite system

4 LCG/EGEE Grid Sites: September 2005 (map of participating countries)
● EGEE/LCG-2 grid: 160 sites, 36 countries (35 sites in UK&Ireland cluster); >15,000 processors, ~5 PB storage
● Other national & regional grids: ~60 sites, ~6,000 processors
● Map legend: country providing resources; country anticipating joining LCG/EGEE

5 Virtual Organisations
● Within LCG/EGEE, VOs are essentially authorization domains:
  – access rights to resources and datasets owned by a group of people
● So the central “VO problem” becomes how to prove individuals are members of that VO, subgroup etc
● There are two classic ways of doing this:
  – Pull and Push

6 VO by Pull
● EU DataGrid developed a way of publishing lists of VO members
  – Authentication based on X.509 DNs: ie VO = “DN List”
  – LDAP(S) used, but can also be done by HTTPS
● Sites subscribe to VO lists and pull them periodically
  – daily or every few hours
● Advantage is that the user's software doesn't need to know
● Disadvantage is that hundreds of service machines need to pull lists of thousands of users several times a day

7 Pool accounts
● The other half of the EU DataGrid system was Pool Accounts, developed in Manchester
  – Unix accounts created and assigned to users as they submit jobs or access files on that site
  – Local copy of VO membership list decides whether a mapping can be created
  – May direct user to a special pool of accounts for their VO
● Now used by LCG and UK NGS
● Surprisingly successful for a “temporary” fix!
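The pull-model mapping described in slides 6 and 7, as an added illustration in Python (not GridSite's or EU DataGrid's own code): a site holds a pulled DN list and leases one local Unix account per DN from that VO's pool, refusing DNs it has no list entry for and failing closed when a pool is exhausted. DNs, VO names and account names are constructed sample values.

```python
from typing import Dict, List, Optional, Tuple

# Constructed VO membership list as a site would pull it under the "VO by Pull"
# model: X.509 DN -> VO that published it (sample values, not real DNs)
VO_LIST: Dict[str, str] = {
    "/C=UK/O=eScience/OU=Manchester/CN=alice": "dteam",
    "/C=UK/O=eScience/OU=Manchester/CN=bob": "atlas",
}

# Constructed per-VO pools of pre-created local Unix accounts
POOLS: Dict[str, List[str]] = {"dteam": ["dteam001", "dteam002"], "atlas": ["atlas001"]}


class PoolAccountMapper:
    """Lease pool accounts to grid identities; a DN keeps its account across requests."""

    def __init__(self, vo_list: Dict[str, str], pools: Dict[str, List[str]]) -> None:
        self.vo_list = dict(vo_list)
        self.pools = {vo: list(accts) for vo, accts in pools.items()}
        self.leases: Dict[str, Tuple[str, str]] = {}  # DN -> (VO, account leased)

    def map_dn(self, dn: str) -> Optional[str]:
        """Return the local account for dn, or None if no mapping may be created."""
        if dn in self.leases:  # stable: the same DN always gets the same account
            return self.leases[dn][1]
        vo = self.vo_list.get(dn)
        if vo is None:  # DN absent from every pulled VO list: refuse the mapping
            return None
        in_use = {acct for _, acct in self.leases.values()}
        free = [a for a in self.pools.get(vo, []) if a not in in_use]
        if not free:  # pool exhausted: fail closed rather than share an account
            return None
        self.leases[dn] = (vo, free[0])
        return free[0]

    def refresh(self, new_vo_list: Dict[str, str]) -> List[str]:
        """Re-pull the VO list; revoke leases whose DN left the VO. Returns revoked DNs."""
        self.vo_list = dict(new_vo_list)
        revoked = [dn for dn, (vo, _) in self.leases.items() if self.vo_list.get(dn) != vo]
        for dn in revoked:
            # a freed account must be cleaned (home dir, processes) before it is reused
            del self.leases[dn]
        return revoked
```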

8 VO by Push
● LCG and EGEE are now deploying VOMS
  – Users are given short-lived X.509 Attribute Certificates which prove their VO and group membership
● Users then present these ACs to services, currently in the form of extensions to GSI Proxy certificates
● Advantages: no need for sites to pull all VO lists; users can choose which group/role to use
● Disadvantages: clients need to be aware of VOMS; need to add X.509 AC support to services' SSL/TLS

9 Access Policies
● “DN Lists” (eg grid-mapfile) are the simplest access policies
● LCG/EGEE also uses references to VOMS groups, and XML policy files: both GridSite's GACL and XACML
● GridSite GACL/XACML policy files support:
  – multiple credential types: individual DN, DN List, VOMS AC and DNS domain
  – AND + OR of conditions
  – Read, List, Write, Exec, Admin permissions
● Allows “virtualisation” of access: not just tied to a (pool) Unix account, and easy to manage dynamically
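An added example in Python (not GridSite's libgridsite evaluator) of the policy semantics this slide lists: several credential types per entry, credentials inside one entry ANDed, permissions from all matching entries ORed, and an explicit deny overriding an allow. The element names, the DN, FQAN and host values, and the deny-overrides rule are assumptions made for illustration, not GridSite's exact GACL schema.

```python
import fnmatch
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "exec", "admin")

# Constructed policy in a simplified GACL-like form (assumed element names, not
# GridSite's exact schema): credentials inside one <entry> are ANDed, entries are ORed.
POLICY_XML = """<gacl>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/CN=alice</dn></person>
         <allow><read/><list/><write/></allow></entry>
  <entry><voms><fqan>/dteam/Role=admin</fqan></voms><dns>*.gridpp.ac.uk</dns>
         <allow><admin/></allow></entry>
  <entry><dns>*.untrusted.example</dns><deny><write/><admin/></deny></entry>
  <entry><any-user/><allow><read/></allow></entry>
</gacl>"""


def credential_matches(cred: ET.Element, client: dict) -> bool:
    """True if the client presents the credential this element asks for."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "person":  # individual X.509 DN
        return cred.findtext("dn") == client.get("dn")
    if cred.tag == "voms":  # VOMS attribute (FQAN) carried in the proxy's AC
        return cred.findtext("fqan") in client.get("fqans", ())
    if cred.tag == "dns":  # client host name against a wildcard pattern
        return fnmatch.fnmatch(str(client.get("host", "")), (cred.text or "").strip())
    return False  # unknown credential type: fail closed


def evaluate(policy_xml: str, client: dict) -> dict:
    """Return, per permission, whether the policy grants it to this client."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(policy_xml).findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not all(credential_matches(c, client) for c in creds):  # AND within an entry
            continue
        for block in entry.findall("allow"):  # OR across matching entries
            allowed.update(p.tag for p in block)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block)
    # an explicit deny in any matching entry overrides allows from other entries
    return {p: (p in allowed and p not in denied) for p in PERMISSIONS}
```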

10 GridSite components
● libgridsite C/C++ toolkit provides utility functions
  – based on OpenSSL, libxml2, gSOAP
  – parse GSI Proxies and VOMS X.509 attribute certs
  – evaluate GACL and XACML access policies
  – generate new GSI Proxies
● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XACML policies and Onetime Passcodes to Apache
● htcp, htls, htdelegate, ... provide command line tools

11 Module architecture (diagram of the Apache/GridSite request path; labels recovered from the figure)
● mod_ssl: plain HTTPS > env vars
● mod_gridsite: GSI / VOMS OpenSSL callback wrappers
● mod_gridsite: GACL access control + GACL > env vars
● mod_gridsite: PUT, MOVE and DELETE
● mod_gridsite: .html headers and footers
● Content handlers: .shtml, mod_perl CGI, PHP CGI, Web Services (gsexec)
● grst-admin.cgi: page editing, file upload, GACL editing etc.

12 Web Service support
● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the GridSite / EGEE Delegation portType
  – Java implementation by other members of EGEE
● mod_gridsite + delegation CGI used by EGEE WMS
  – Apache/FastCGI; GridSite (security); gSOAP (WS)
● Delegated credentials stored in the filesystem
● Allows sharing between different CGI languages

13 suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  – Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS
  – Either per-client: the cert in the client program determines which pool user
  – Or per-directory: all the CGIs in my directory run as the same pool user

14 suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  – Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  – X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” service hosting
  – Give a user or VO access to a privileged directory
  – They deploy their C/C++/Perl/Python services remotely

15 GRACE
● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
● This provides another way of deploying Web Services
  – “GRACE”: GRidsite - Apache - CGI - Executables
  – Allows services to be written in any language
  – Can be deployed remotely
  – Deployment rights controlled by GACL/XACML policies
  – Different VOs/individuals are sandboxed via Unix UIDs

16 Deployment Issues
● Panel question: “How can we deploy a Grid security infrastructure that is scalable, hierarchical, capable of dynamic VOs and easy to use?”
● I think that practical Grid infrastructures will follow most of the established patterns of practical Web infrastructures
  – Many lessons already learnt on the Web
  – Also, users/admins are already familiar with the Web
● Key lesson is to be as loosely-coupled as possible
  – Use clearly defined interfaces and avoid reinvention

17 Software Issues
● Most significant security issue for existing internet services is patching vulnerabilities
  – “Keeping up to date” has resulted in automated update services for major operating systems
  – The more you deviate from off-the-shelf software, the more of this you have to do yourself for your users
● So we want to reuse Apache, OpenSSL etc as much as possible, ideally without making our own versions, to benefit from OS updates

18 Authentication
● This is largely dealt with by the CAs, and the international CA co-ordination bodies (EUGridPMA and now the IGTF)
● However, users are very aware of authentication (“I forgot my password!” etc) and so it has a large impact on ease of use of the whole system
● Can already use X.509 certs in browsers as simple single sign-on to HTTPS websites (GridSite, GridSiteWiki etc)
● But X.509 handling is itself cumbersome for some users
  – May need to go to online CAs, merging CAs and university Shibboleth infrastructures etc

19 Authorization
● Creation of VOs, subgroups, roles etc
  – assigning users to these groups/roles
  – binding credentials to resources, dataset rights etc
● Scalability drives design decisions
  – Can't keep asking the VO if a local operation is permitted
● Pull and Push models already cover most use cases
  – Dynamic VOs are a natural extension of current systems
  – Static CA infrastructure means trust can be described by dynamic policies in terms of certificate identities

20 Local enforcement
● Can easily be the Cinderella of a grid security architecture
  – easy to implement shiny new authorization systems in purely Grid software that your project is creating
  – but what about file access, SQL database queries, execution of native binaries?
● Either use virtual machines (Java etc)
● Or map grid identity to local identity (Unix pool account, MySQL user etc) and then grant it rights derived from grid policies
● Getting this right has significant performance advantages

21 More information
● www.gridsite.org is the GridSite project website
  – Open Source, bug tracker, CVS, links to LCG/EGEE
● Includes the new GridSiteWiki
  – Derived from MediaWiki but uses X.509 instead of usernames / passwords
● www.gridpp.ac.uk is the largest site using GridSite
  – and includes its own Wiki, which is pulling in info
● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE, ... by searching for GridSite with Google!

22 Summary
● LCG/EGEE have deployed multiple VOs to 160+ sites using Pull, and are moving to Push via VOMS
● Pool accounts allow a simple way of using Unix accounts
● Access policies tie VOs & Authorization to resources
● GridSite provides the libgridsite Grid security toolkit for C/C++
● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
● We can now build secured Web Services for Grids as CGI programs

