EU DataGrid (EDG) & GridPP Authorization and Access Control

GridPP Security Poster (GridPPSecurityPoster29Aug03.ppt)
University of Manchester: A. McNab, S. Kaushal
CCLRC/Rutherford Appleton Lab: L. Cornwall, J. Jensen, D. Kelsey
http://www.gridpp.ac.uk/gridsite/
http://cern.ch/hep-project-grid-scg/

Overview figure: certificate and credential flow
1. The user sends a certificate request to the CA.
2. The CA issues the certificate (dn, ca, key); this is done once a year.
3. The user receives the certificate.
4. VOMS issues the VOMS credential (VO, groups, roles, capabilities).
5.a to 5.e. The user creates a proxy certificate carrying the VOMS credential (typically once a day) and presents it to each service. Every service first authenticates (valid certificate + valid VOMS credential) and then authorizes in one of two styles:
–Fine-grained, e.g. RepMeC (EDG WP2/WP3; Java, via TrustManager), GridSite (GridPP; Web, mod_ssl) and Storage Element/SlashGrid (EDG WP5 & GridPP; Globus Security Infrastructure, GACL): a service-specific pre-processing step decides on the requested operation and the object identifier/ACL.
–Coarse-grained, e.g. Spitfire (EDG WP2; Java) and Compute Element/Gatekeeper (EDG WP4; Globus Security Infrastructure, LCAS): the dn and attributes are mapped to a (local) id or local user.

Authentication
EDG Certificate Authorities (CA) Working Group
–~20 national certification authorities (including EU CrossGrid, USA, Canada and Taiwan CAs)
–policies & procedures → mutual trust
–All CAs trusted by EDG and GridPP sites
–users identified by certificates signed by their national Certificate Authority
–including the UK eScience CA for GridPP users

EDG Virtual Organization Membership Service (VOMS)
Provides information on the user's relationship with his Virtual Organization: allowed groups, roles and capabilities.
–single sign-on: voms-proxy-init (formerly grid-proxy-init) is run only at the beginning of the session
–expiration time: authorization is granted for a limited time interval, which may differ from the proxy certificate lifetime
–backward compatibility: the extra VO-related information is carried in the user's proxy certificate, which can still be used with non-VOMS-aware services
–multiple VOs: the user may "log in" to multiple VOs and create an aggregate proxy certificate that gives access to resources in any of them
–scalable authorization: authorization does not have to depend on individual identities
The service is basically a simple account database which serves the information in a special format (the VOMS credential). The VO manager can administer it remotely using command-line tools or a web interface.

Virtual Organizations: ALICE, ATLAS, CMS, BaBar, LHCb, Earth Observation, Biomedical, GridPP Testbed, Tutorial

EDG Java Security
EDG TrustManager is a pure-Java solution for GSI-style X.509 certificate path checking with Certificate Revocation Lists. Using standard CA certificates, certificate revocation lists (CRLs) and server credentials (certificates), it authenticates the server to the user and the user to the server. It can be used, for example, in Tomcat to secure any web service without changes to the code. It includes changes to X.509 certificate path checking to support Globus proxy certificates (GSI).

EDG Authorization Manager: enforcing policies in Java services
The AuthorizationManager operates with one or several policies. Each policy has a defined AttributeRepository, which is used to deduce whether a subject can be associated with a given attribute (or role). The AuthorizationManager also has an optional translation phase: after deducing that a subject is indeed authorized (i.e. can be associated with the attribute in question), the attribute name can be translated into another name that the local application understands.
Thus one can give the AuthorizationManager the triplet (subject=John, attribute=DataGridMember, policy=localDbAccess) and get the answer "ReadAccessOnTableX" back, an answer that the local database application knows how to handle.

Interworking & Collaboration
We need to inter-work with many other Grid projects, including CrossGrid, DataTAG, LCG, PPDG, GriPhyN, iVDGL and GridStart. We achieve this via direct collaboration and active participation in many GGF Security groups. GGF defines standards and best practices.

GridPP SlashGrid: a framework for Grid-aware file systems
The dynamic account scheme is a reasonable solution for carrying out processing when there is no need to store data after the processing is complete, but any files created by the pool userid will need to be cleaned up before the account can be re-allocated. It is no good for long-term storage, as there is no guarantee that the association between the userid and the Grid DN (distinguished name) will be kept in the long term. The obvious solution is a file system, under /grid, where file ownership depends on Grid DNs rather than temporary userids. The problem was solved by putting a file system into the kernel and letting the kernel enforce the access control restrictions; this construction is potentially as fast as normal disk access. The file system uses a user-space daemon for complex operations, such as parsing the proxies and doing remote I/O. SlashGrid uses GACL for access control.
Figure (SlashGrid architecture): a user process calls open(), read() and stat() on /grid/...; the in-kernel SlashGrid file system serves them, backed by a real (ext2) disk via /dev/cfs0 and the ordinary cache directory /var/spool/slashgrid/fcache, and passes open(), read(), write() and stat() for complex cases to the user-space daemon.
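SlashGrid and GridSite both decide access from GACL entries of the kind listed in the next section. The evaluator below is an added example written for this page, not GridSite's or SlashGrid's own GACL library: it parses an ACL in the XML layout of GridSite .gacl files (entry elements holding person/dn, voms/fqan, auth-user and any-user credentials plus allow and deny permission blocks) and returns the read/list/write/admin permissions a caller holds. The sample ACL, its DNs and its FQANs are constructed for the example; that an entry applies only when every credential it lists is held, and that a deny overrides an allow, are assumptions about the evaluation model rather than statements from the poster.

```python
"""Evaluate a GACL-style access control list.

Illustrative code written for this page; not GridSite's or SlashGrid's GACL library.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Set, Tuple

PERMISSIONS = ("read", "list", "write", "admin")

# Constructed identities for the sample ACL (invented DNs, not real people).
ALICE_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example"
MALLORY_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=mallory example"
PRODUCTION_FQAN = "/babar/Role=production"

# Constructed sample ACL. Element names follow the layout of GridSite .gacl files;
# the entries themselves are invented for this example.
SAMPLE_GACL = """<gacl version="0.0.1">
  <entry>
    <person><dn>%s</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <voms><fqan>%s</fqan></voms>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <auth-user/>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <any-user/>
    <allow><list/></allow>
  </entry>
  <entry>
    <person><dn>%s</dn></person>
    <deny><write/><admin/></deny>
  </entry>
</gacl>""" % (ALICE_DN, PRODUCTION_FQAN, MALLORY_DN)


@dataclass(frozen=True)
class Credential:
    """What the connection presented: a client DN (None if unauthenticated) and VOMS FQANs."""
    dn: Optional[str] = None
    fqans: Tuple[str, ...] = ()


def _credential_matches(elem: ET.Element, cred: Credential) -> bool:
    """True if one credential element of an entry is satisfied by cred."""
    if elem.tag == "any-user":
        return True
    if elem.tag == "auth-user":
        return cred.dn is not None
    if elem.tag == "person":
        return cred.dn is not None and elem.findtext("dn") == cred.dn
    if elem.tag == "voms":
        return elem.findtext("fqan") in cred.fqans
    return False  # unknown credential element: fail closed


def permissions(gacl_xml: str, cred: Credential) -> Set[str]:
    """Return the permissions cred holds under the ACL (deny overrides allow; assumption)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        conditions = [c for c in entry if c.tag not in ("allow", "deny")]
        # An entry applies only if every credential it lists is held (assumption);
        # an entry with no credential never applies.
        if not conditions or not all(_credential_matches(c, cred) for c in conditions):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMISSIONS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMISSIONS)
    return allowed - denied


def is_allowed(gacl_xml: str, cred: Credential, permission: str) -> bool:
    """Single-permission check, e.g. is_allowed(acl, cred, "write")."""
    return permission in permissions(gacl_xml, cred)


if __name__ == "__main__":
    for label, cred in (
        ("alice (named DN)", Credential(dn=ALICE_DN)),
        ("production role", Credential(dn="/C=UK/O=eScience/OU=RAL/CN=bob example",
                                       fqans=(PRODUCTION_FQAN,))),
        ("unauthenticated", Credential()),
        ("mallory with role", Credential(dn=MALLORY_DN, fqans=(PRODUCTION_FQAN,))),
    ):
        print(label, sorted(permissions(SAMPLE_GACL, cred)))
```

A request with no client certificate (dn=None) matches only any-user, so the evaluator fails closed for unauthenticated callers, and the mallory entry shows the deny block removing write and admin even though the VOMS role entry would grant write.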
GridPP GACL: Grid Access Control List library
–Fine-grained access control to files and file-like resources
–Authorization based on Grid certificate names (DN) and/or VOMS credentials
–Each ACL has one or more entries (XML); an entry grants one or more of:
  admin: can modify the ACL
  write: can write/create files
  list: can get a directory listing
  read: can read a named file
–The ACL is written as lines of XML entries; besides named DNs and VOMS credentials, entries may also refer to authuser (any authenticated user) and anyuser (anyone)
–SlashGrid uses the same format of ACLs as the GridSite website management system
–To be extended to support additional AuthZ credential formats and languages recommended by GGF
GridPP GridSite: a web and file server
Most websites today implement access control via cumbersome mechanisms, e.g. a simple username and/or password. X.509 certificates are widely used in HTTPS for authentication of web servers to users, and all Grid users have a certificate, so use these to control access to web servers!
–GridSite is a website management tool, flexible for easy use by other projects
–Uses GACL for access control
–Loadable module for dynamic linking into the Apache web server
–All technologies supported by the web server are available (static and dynamic content)
–A GridSite server can simultaneously operate as an efficient file server, web server and Grid Services host

EDG VO LDAP (before VOMS)
Each VO maintains its AuthZ information in an LDAP server. The mkgridmap tool extracts lists of users from the VO databases and creates grid-mapfiles: a static mapping.

GridPP dynamic pool accounts (gridmapdir)
A pool of UNIX accounts is created at each site per VO, e.g. babar001, babar002, babar003, … We use a patched version of the Globus gatekeeper and the GridFTP server to associate users with a leased Unix userid from the pool. Locking retains the one-to-one mapping.
EDG LCAS: enforcing local policies at every site
To ensure the autonomy of the resources that compose the DataGrid, each site can use an authorization hook to enforce local policies. LCAS, which stands for Local Centre Authorization System, is a site-local service that ensures local policies are respected.

EDG LCMAPS: integrating Grid users in an existing infrastructure
Operating systems to date have no specific knowledge of "Grid users", so the idea of a Grid user has to be translated into that of a local user. Since there are many different implementations of local users, even within the same site, a flexible credential mapping service is needed: LCMAPS, the Local Credential MAPping Service. Credentials supported are:
–UNIX user and group IDs
–pool accounts from the gridmapdir system
–individual accounts
–AFS and Kerberos

Contacts: mcnab@hep.man.ac.uk, d.p.kelsey@rl.ac.uk
EU funding for DataGrid under contract IST-2000-25182 is gratefully acknowledged.
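The gridmapdir lease described under dynamic pool accounts above (and consumed by LCMAPS as one of its credential types), as an added example written for this page rather than the GridPP gatekeeper/GridFTP patch itself: each pool account is an empty file in the gridmapdir, and a lease is recorded by creating a second hard link to that file named after the DN, so the link count distinguishes a free account (1) from a leased one (2), the inode ties a DN back to its account, and the atomic link() call provides the locking that keeps the mapping one-to-one. The hard-link scheme, the percent-encoding of the DN into a filename and the new_pool/lease/release function names are assumptions made for the example; the directory and the DNs are constructed.

```python
"""Lease pool accounts from a gridmapdir-style directory using hard links.

Illustrative code written for this page, not the GridPP gridmapdir patch. The hard-link
lease and the DN-to-filename encoding are assumptions for the example.
"""
import os
import tempfile
from typing import List, Optional
from urllib.parse import quote


def dn_filename(dn: str) -> str:
    """Encode a DN as a filename: '/' and spaces are percent-encoded (assumed encoding)."""
    return quote(dn, safe="")


def new_pool(vo: str, size: int) -> str:
    """Create a temporary gridmapdir holding `size` empty pool-account files, e.g. babar001..."""
    gridmapdir = tempfile.mkdtemp(prefix="gridmapdir-")
    for i in range(1, size + 1):
        open(os.path.join(gridmapdir, f"{vo}{i:03d}"), "a").close()
    return gridmapdir


def pool_accounts(gridmapdir: str, vo: str) -> List[str]:
    """Pool-account files for a VO (DN links never start with the VO prefix)."""
    return sorted(n for n in os.listdir(gridmapdir)
                  if n.startswith(vo) and n[len(vo):].isdigit())


def current_account(gridmapdir: str, dn: str, vo: str) -> Optional[str]:
    """Account already leased to dn: the pool file sharing the DN link's inode."""
    link = os.path.join(gridmapdir, dn_filename(dn))
    try:
        ino = os.stat(link).st_ino
    except FileNotFoundError:
        return None
    for acct in pool_accounts(gridmapdir, vo):
        if os.stat(os.path.join(gridmapdir, acct)).st_ino == ino:
            return acct
    return None


def lease(gridmapdir: str, dn: str, vo: str) -> Optional[str]:
    """Return dn's pool account, leasing a free one if needed; None if the pool is exhausted."""
    existing = current_account(gridmapdir, dn, vo)
    if existing is not None:
        return existing                     # a DN keeps the same userid while leased
    link = os.path.join(gridmapdir, dn_filename(dn))
    for acct in pool_accounts(gridmapdir, vo):
        path = os.path.join(gridmapdir, acct)
        if os.stat(path).st_nlink != 1:
            continue                        # link count 2: already leased to another DN
        try:
            os.link(path, link)             # atomic: the DN link can be created only once
        except FileExistsError:
            return current_account(gridmapdir, dn, vo)  # leased for this DN concurrently
        if os.stat(path).st_nlink == 2:     # exactly one DN link: the lease is ours
            return acct
        os.unlink(link)                     # another DN linked the same account first; retry
    return None


def release(gridmapdir: str, dn: str) -> bool:
    """Drop the lease. Files the pool userid created must be cleaned up before re-use."""
    try:
        os.unlink(os.path.join(gridmapdir, dn_filename(dn)))
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    g = new_pool("babar", 2)
    dn = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example"  # constructed DN
    print(lease(g, dn, "babar"), lease(g, dn, "babar"))
    print(lease(g, "/C=UK/O=eScience/OU=RAL/CN=bob example", "babar"))
    print(lease(g, "/C=UK/O=eScience/OU=RAL/CN=carol example", "babar"))  # pool exhausted
```

Because the directory must support hard links, the gridmapdir has to live on a local filesystem; the release() step only frees the slot, which is exactly the point the SlashGrid section makes about pool userids being unsuitable for long-term file ownership.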