Presentation is loading. Please wait.

Presentation is loading. Please wait.

SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen.

Published byClarissa Mason Modified over 8 years ago

Similar presentations

Presentation on theme: "SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen."— Presentation transcript:

1 SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen

2 What is an SE Control interface – SRM via SOAP via HTTPG Information interface – GLUE via BDII GridFTP

3 Basics Using X.509 certificates for AuC GSI = Globus Security Infrastructure –HTTPG = HTTPS over GSI socket –GSI adds support for delegation –Delegation = of identity, proxy (cf RFC3820)

4 Basics – Data Transfer GridFTP – FTP with Grid extensions, uses GSI –Control channel always authenticated and encrypted –Data channel sometimes not authenticated –Data channel usually not encrypted

5 Basics – Data Transfer Local protocols –RFIO and DCAP have secure versions –DPM uses secure RFIO by default –dCache uses insecure DCAP by default –secure xroot…?

6 Head Node Architecture User (UI) Service Discovery SRM Information Publisher Disk pool data transfer pool to pool transfer (maybe) Secure Sometimes secure Not secure Database

7 Architecture AB User (UI)

8 Authorisation Typically, people are mapped to Unix accounts –Direct mapping DN  uid,gid –Pool account mapping DN  {uid},gid –Map by FQAN (sometimes) Need consistency – SRM, GridFTP, local protocols

9 Authorisation GridMap – you only map to 1st entry –New DN needed for second VO Unix mapping – coarse grained ACL –(Usually) Learn how to set ACLs correctly! (Friday)

10 Higher Security at Higher Level See EGEE biomed use cases –Goes waaaay back to EDG Storing keys in Hydra Encrypted data in SEs

11 Logging Use toolkit for DPM (see Friday’s talk) SSSCs –Storage Security Service Challenges –Get Mingchao to organise one

12 Availability Grid is sometimes not very resilient… DoS attacks possible –Most likely unintentional… –Cf. banning/unbanning user discussion –Cf. reporting who-used-all-our-space to VO

13 Accounting Less a security issue Until people start paying for their allocations… (cf Alice’s accounting system)

14 Firewalls Can’t inspect HTTPS (or G) packets –SOAPful firewalls proposed –Not necessarily a good idea…? PASV available for GridFTP

15 Performance Root CA eSc CA Host Root CA eSc CA User Proxy(ies) Server validates client’s id Client validates server’s “Easy” public exponents, eg 0x11 or 0x10001 2048 bits only make things slower… CA certs MUST be 2048 though

16 Performance For SRM, lots of ways to improve performance There can be (many) other bottlenecks The case for insecurity –RFIO or DCAP without GSI security –RFIO using UID for AuC (16 bit…)

17 Standards …are important! Certificates – X.509, PKIX, IGTF SSL/TLS  GSI –gLite delegation API Standard proxies (or not) – RFC 3820

18 What we don’t do (that others (sometimes) do (with storage)) Access control policies Fine grained access control SAML “Normal” user access, browser, password,

Download ppt "SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen."

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
J Jensen CCLRC RAL Data Management AUZN (mostly about SRM though) GGF 16, Athens J Jensen.

J Jensen CCLRC RAL Data Management AUZN (mostly about SRM though) GGF 16, Athens J Jensen.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
DPM Name Server (DPNS) Namespace Authorization Location of physical files DPM Server Requests queuing and processing Space Management SRM Servers v1.1,

DPM Name Server (DPNS) Namespace Authorization Location of physical files DPM Server Requests queuing and processing Space Management SRM Servers v1.1,
FP7-INFRA-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Academic Technology Services The UCLA Grid Portal - Campus Grids and the UC Grid Joan Slottow and Prakashan Korambath Research Computing Technologies UCLA.

Academic Technology Services The UCLA Grid Portal - Campus Grids and the UC Grid Joan Slottow and Prakashan Korambath Research Computing Technologies UCLA.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.

/ David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.
Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug 2009 1.

Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Similar presentations

Ads by Google