WP4 Security and AA(A) issues For WP4: David Groep

1 WP4 Security and AA(A) issues
For WP4: David Groep
hep-proj-grid-fabric@cern.ch

2 David Groep – WP4 security and AAA issues – 2001.06.06
WP4 self-organization (1)
- Configuration management
  - What should a system look like, what is installed
- Systems installation
  - Bootstrapping and installing software packages on 10,000 nodes
- Resource management
  - Queuing system, task scheduling, quotas and budgets

3 WP4 self-organization (2)
- Monitoring
  - Performance and functional monitoring
- Fault tolerance & exception recovery
  - Detect exceptions from monitoring information and schedule recovery actions; make nodes self-healing
- Gridification
  - Job authorization, credential mapping, information abstraction and network accessibility

4 Internal and external AAA
- External AAA: interaction of a compute centre with the "global" grid, through WP1 (ComputeElement) and WP2 (StorageElement)
- Internal AAA:
  - recognizing trusted components and operators
  - authorization for jobs and files
  - access to information services
  - protecting jobs and files whilst in the fabric (uid issues)

5 A use case for job submission
- Accept a job from the ComputeElement (the Grid)
- Check authorization against extra local policies
- Assign the necessary local credentials
- Have the job run on the local fabric

6 Gridification of a Compute Centre
[Diagram. Externally visible: GridGATE protocol gateway, ComputeElmt, Grid Info Serv (WP3) / GriFIS. Local to the fabric: GridJob Mediating Serv, LCAS with AuthZ plugins (QuotaCheck, Policy list), Local Credential Mapping Serv, Fabric-local ID-service, User Rep., Job Rep., LRMS, Farms.]

7 Job life cycle in a fabric
- GjMS – Grid-job Mediating Service
  - Accepts jobs from the ComputeElement and passes them through the AAA chain
- LCAS – Local Community Authorization Service
  - Authorizes a job or store request to run on this fabric
  - Starting from the community-wide CAS (VOs), adds extra constraints such as budgets, ban lists and wall-clock limits
- LCMAPS – Local Credential Mapping Service
  - Obtains the 'usual' credentials for running (uid/gid)
  - Issues: additional credentials for AFS, K5, ...
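Slides 5 and 7 describe the chain a job passes through: LCAS plugins apply the site's extra constraints on top of the VO-level CAS decision, and LCMAPS then hands out a fabric-local uid/gid. The Go program below is an added illustration of that chain, not WP4 code; the plugin interface, the JobRequest fields, the per-VO uid pool and every DN, VO name, budget and uid in it are assumptions made for the example. It goes one step beyond the slide: LCMAPS leases a separate pool uid to each DN, so two users of the same VO never share a uid inside the fabric, which is the "uid issues" point of slide 4.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// JobRequest is what the GjMS hands to the AAA chain after the ComputeElement
// accepted the job. Field names are assumptions made for this example.
type JobRequest struct {
	UserDN    string        // subject DN of the user's grid certificate
	VO        string        // virtual organisation asserted by the CAS credential
	WallClock time.Duration // requested wall-clock time
	CPUHours  float64       // requested CPU budget
}

// AuthZPlugin is one LCAS decision point; every plugin in the list must accept.
type AuthZPlugin interface {
	Name() string
	Authorize(JobRequest) error
}

// BanList refuses DNs the site has blacklisted, whatever the VO says about them.
type BanList map[string]bool

func (b BanList) Name() string { return "banlist" }
func (b BanList) Authorize(j JobRequest) error {
	if b[j.UserDN] {
		return errors.New("DN is on the local ban list")
	}
	return nil
}

// WallClockLimit enforces the site maximum wall-clock time per job.
type WallClockLimit struct{ Max time.Duration }

func (w WallClockLimit) Name() string { return "wallclock" }
func (w WallClockLimit) Authorize(j JobRequest) error {
	if j.WallClock > w.Max {
		return fmt.Errorf("requested %v exceeds limit %v", j.WallClock, w.Max)
	}
	return nil
}

// QuotaCheck refuses jobs that would overrun the VO's remaining budget. It only
// checks; the accounting happens when the job actually runs.
type QuotaCheck struct{ Remaining map[string]float64 }

func (q QuotaCheck) Name() string { return "quota" }
func (q QuotaCheck) Authorize(j JobRequest) error {
	left, ok := q.Remaining[j.VO]
	if !ok {
		return fmt.Errorf("VO %q has no budget at this site", j.VO)
	}
	if j.CPUHours > left {
		return fmt.Errorf("VO %q has %.1f CPU-h left, job wants %.1f", j.VO, left, j.CPUHours)
	}
	return nil
}

// LCAS runs the plugins in order and denies on the first failure (fail closed).
func LCAS(plugins []AuthZPlugin, j JobRequest) error {
	for _, p := range plugins {
		if err := p.Authorize(j); err != nil {
			return fmt.Errorf("lcas: %s denied: %w", p.Name(), err)
		}
	}
	return nil
}

// LocalCredential is what LCMAPS hands to the LRMS: a fabric-local uid/gid.
type LocalCredential struct{ UID, GID int }

// LCMAPS leases one pool uid per DN from the VO's pool, so two grid users of the
// same VO never share a uid inside the fabric; the gid is the VO's local group.
type LCMAPS struct {
	free   map[string][]int // VO -> pool uids not yet handed out
	gid    map[string]int   // VO -> local group id
	leased map[string]int   // DN -> uid already assigned
}

func NewLCMAPS(free map[string][]int, gid map[string]int) *LCMAPS {
	return &LCMAPS{free: free, gid: gid, leased: map[string]int{}}
}

func (m *LCMAPS) Map(j JobRequest) (LocalCredential, error) {
	gid, ok := m.gid[j.VO]
	if !ok {
		return LocalCredential{}, fmt.Errorf("lcmaps: no local group for VO %q", j.VO)
	}
	if uid, ok := m.leased[j.UserDN]; ok {
		return LocalCredential{UID: uid, GID: gid}, nil
	}
	if len(m.free[j.VO]) == 0 {
		return LocalCredential{}, fmt.Errorf("lcmaps: uid pool for VO %q exhausted", j.VO)
	}
	uid := m.free[j.VO][0]
	m.free[j.VO] = m.free[j.VO][1:]
	m.leased[j.UserDN] = uid
	return LocalCredential{UID: uid, GID: gid}, nil
}

// RunChain is the GjMS step: authorize first, map credentials only on success.
func RunChain(plugins []AuthZPlugin, m *LCMAPS, j JobRequest) (LocalCredential, error) {
	if err := LCAS(plugins, j); err != nil {
		return LocalCredential{}, err
	}
	return m.Map(j)
}

func main() {
	// Constructed site policy and pool; nothing here comes from a real fabric.
	plugins := []AuthZPlugin{BanList{"/O=Grid/CN=mallory": true},
		WallClockLimit{Max: 24 * time.Hour}, QuotaCheck{Remaining: map[string]float64{"cms": 100}}}
	m := NewLCMAPS(map[string][]int{"cms": {40001, 40002}}, map[string]int{"cms": 4000})
	for _, dn := range []string{"/O=Grid/CN=alice", "/O=Grid/CN=mallory", "/O=Grid/CN=bob", "/O=Grid/CN=carol"} {
		cred, err := RunChain(plugins, m, JobRequest{UserDN: dn, VO: "cms", WallClock: 2 * time.Hour, CPUHours: 10})
		fmt.Printf("%-20s uid=%d gid=%d err=%v\n", dn, cred.UID, cred.GID, err)
	}
}
```

Order matters: LCAS runs before LCMAPS, so a denied job never consumes a pool uid, and the plugin list is evaluated fail-closed, the first denial ends the chain. The AFS and Kerberos credentials the slide lists as an open issue are out of scope here.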

8 Gridification of a Compute Centre (the diagram of slide 6, repeated)

9 FLIDS (Fabric-local ID service)
- Within a fabric only a local certifying entity will be sufficiently trusted
  - Signing authority for LCAS-accepted (job) requests
  - Identify trusted operators for installation of new systems
  - Identify and certify hosts within a fabric
- FLIDS is (a tree of) certification authorities
- Some of those are "automated" CAs
  - Sign certificates when the request is signed by a trusted operator

10 Information and configuration
- A configuration database exists containing the desired state of the local fabric
  - Contains sensitive information
  - Prevent unauthorized read access
  - Prevent snooping on information sent to other hosts
  - PM9 (and possibly beyond?): web server, XML over HTTPS
  - Write access limited to a special operator interface only

11 Another FLIDS application
- Adding a new host to a fabric
- Possibly in a 'hostile' environment
- We have a trusted operator with an install disk
- Need to get initial configuration information
- Which includes, e.g., an ssh host key
Next slide is for your reference only (don't be baffled by it)

12 New host to be installed
CFG (configuration database): secured http server, LCA root cert, CFG data, ACLs
Operator install disk: kernel and init; CFG https agent; signed cert of operator; protected private key of operator; LCA root certificate
FLIDS engine: LCA cert and private key; automated CA, will sign when the request is approved by an 'operator'
1: Operator boots the system
2: Agent makes an https request using the operator credentials
3: The https server checks the CFG data ACL (the operator has all rights) and can verify the identity of the operator using the LCA root cert
4: Sensitive config data is encrypted using the session key
5: The host generates a key pair (but without a passphrase protecting the private part)
6: Request sent to the FLIDS engine, signed by the operator key (in cleartext); the FLIDS hostname is known from the CFG data
7: FLIDS checks the signature of the operator and signs the request with the LCA key; the request DN namespace is limited
8: Signed host cert back to the host (in clear)
9: Host checks the signature on the cert using the LCA root cert on the boot disk
10: https requests to CFG are authenticated with the newly signed host certificate
11: The CFG web server can check the hostname in the cert against the requesting IP address and check the ACLs
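The enrollment flow of steps 5 to 11 above, written out as an added Go example; it is not WP4's FLIDS or any other code from the project. It plays the parties in one process (the operator, the new host, the FLIDS engine and the CFG server's hostname check) and leaves out the https transport of steps 2 to 4 and 10. Everything named in it is an assumption made for the example: ECDSA P-256 keys, the ".fabric.example" host namespace, the operator name, the host name node042.fabric.example, and the reverse-lookup map that stands in for DNS in step 11.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Name space FLIDS may certify hosts in (an assumption made for this example).
const hostSuffix = ".fabric.example"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// FLIDS is the automated CA: the LCA key, the root cert the install disk carries,
// and the public keys of the operators whose approval it accepts.
type FLIDS struct {
	lcaKey    *ecdsa.PrivateKey
	LCARoot   *x509.Certificate
	operators map[string]*ecdsa.PublicKey
	serial    int64
}

func NewFLIDS(operators map[string]*ecdsa.PublicKey) *FLIDS {
	f := &FLIDS{lcaKey: newKey(), operators: operators, serial: 2}
	now := time.Now().Add(-time.Hour)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Fabric LCA root"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, root, root, &f.lcaKey.PublicKey, f.lcaKey)
	must(err)
	f.LCARoot, err = x509.ParseCertificate(der)
	must(err)
	return f
}

// MakeEnrollRequest runs on the new host (steps 5-6): a key pair with no passphrase,
// since the host must use it unattended, and a CSR the operator's key signs. CSR and
// signature travel to FLIDS in clear; the operator's signature is the approval.
func MakeEnrollRequest(fqdn string, opKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, []byte, []byte) {
	hostKey := newKey()
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: fqdn}, DNSNames: []string{fqdn}}, hostKey)
	must(err)
	h := sha256.Sum256(csr)
	sig, err := ecdsa.SignASN1(rand.Reader, opKey, h[:])
	must(err)
	return hostKey, csr, sig
}

// Sign is step 7: check the operator's approval and the CSR's own signature,
// enforce the DN namespace, and build the cert from vetted fields only. Returns DER.
func (f *FLIDS) Sign(operator string, csr, opSig []byte) ([]byte, error) {
	h := sha256.Sum256(csr)
	if pub := f.operators[operator]; pub == nil || !ecdsa.VerifyASN1(pub, h[:], opSig) {
		return nil, errors.New("request not approved by a trusted operator")
	}
	req, err := x509.ParseCertificateRequest(csr)
	if err != nil {
		return nil, err
	}
	if err := req.CheckSignature(); err != nil { // proof of possession of the host key
		return nil, err
	}
	cn := req.Subject.CommonName
	if !strings.HasSuffix(cn, hostSuffix) || len(req.DNSNames) != 1 || req.DNSNames[0] != cn {
		return nil, fmt.Errorf("%q is outside the FLIDS host namespace", cn)
	}
	now := time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(f.serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	f.serial++
	return x509.CreateCertificate(rand.Reader, tmpl, f.LCARoot, req.PublicKey, f.lcaKey)
}

// HostVerify is step 9: the host checks the returned cert against the LCA root
// from its boot disk before trusting it.
func HostVerify(certDER []byte, lcaRoot *x509.Certificate) (*x509.Certificate, error) {
	c, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(lcaRoot)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	return c, nil
}

// CFGCheck is step 11: the CFG server matches the name in the host cert against
// the requesting address; reverse stands in for a DNS reverse lookup.
func CFGCheck(c *x509.Certificate, srcIP string, reverse map[string]string) error {
	if name, ok := reverse[srcIP]; ok {
		return c.VerifyHostname(name)
	}
	return fmt.Errorf("no host name known for %s", srcIP)
}

func main() {
	opKey := newKey() // the operator's key from the install disk (constructed here)
	f := NewFLIDS(map[string]*ecdsa.PublicKey{"operator1": &opKey.PublicKey})
	_, csr, sig := MakeEnrollRequest("node042.fabric.example", opKey)
	der, err := f.Sign("operator1", csr, sig)
	must(err)
	cert, err := HostVerify(der, f.LCARoot)
	must(err)
	fmt.Println(cert.Subject.CommonName, "issued by", cert.Issuer.CommonName, "cfg check:",
		CFGCheck(cert, "10.0.0.42", map[string]string{"10.0.0.42": "node042.fabric.example"}))
}
```

The checks FLIDS makes are the ones the slide lists, in order: the operator's signature over the CSR ("checks signature of operator"), the CSR's own signature as proof that the host holds the key generated in step 5, the DN namespace limit, and a certificate template built from vetted fields rather than copied from the request. Because the CSR and the signed certificate travel in clear (steps 6 and 8), nothing in them is secret and their integrity rests on the two signatures alone; the host's private key never leaves the host, and since it has no passphrase its only protection is the host's file system permissions.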

13 Issues not (yet) addressed
- Information services
  - Use whatever security framework WP3 chooses
  - Will likely not publish the list of authorized users
- Networking issues
  - WP4 does not envision using network-layer security
  - IPv6 is being studied, but only for address-space issues
  - GridGATE is not a VPN router and is not doing IPsec

14 Gridification of a Compute Centre (the diagram of slide 6, repeated)

