Post on 04-Jan-2016
2002-03-13 Security in DataGrid 1
Security in DataGrid
12 Mar 2002
TERENA GRID-AN BoF
David Groep, NIKHEF, Amsterdam
based on a presentation by David Kelsey, CLRC/RAL, UK
The EU DataGrid
• DataGrid: generic Grid middleware and test bed for
  – High Energy Physics
  – Earth Observation and ozone modelling
  – Bio-informatics & bio-medicine
• Middleware components (on top of Globus):
  – scheduling and accounting
  – data replication and management
  – monitoring
  – data storage
  – fabric and farm management
Security in DataGrid
• No allocated effort, so groups distributed over WPs:
  – CA Coordination (Test bed WP6)
    Started before the project (end 2000), well established
  – Ad-hoc Authorization (Test bed WP6)
    Interim solutions for distributing collaboration user lists and “virtual organization directories”.
  – Security Coordination (“Networking” WP7)
    Requirements gathering and design of a first “security architecture”. Definition of security guidelines for middleware development.
Start with …
Authentication
WP6 CACG
• 11 DataGrid Testbed1 CAs
  – See WP6 web
  – Much effort to run these – growing number of cert requests
  – Several moving to OpenCA
• US DOE ScienceGrid CA
  – Operational since January 2002
  – Approved as a DataGrid “trusted” CA (& vice-versa!)
  – First test of transatlantic authentication last month
• Karlsruhe CA (CrossGrid and HEP Germany)
  – To be incorporated later
• Seems to attract Grid CA issues that should have gone to GGF!
Authentication (2)
• One of the EDG CAs (CNRS) acts as a “catch-all” CA
  – CP/CPS will get explicit statements about RAs
• Matrix of Trust (work ongoing) – much work!
  – Feature matrix
  – Acceptance matrix (WP6 CA managers check each other against minimum requirements)
BUT:
• Still another 7 CrossGrid countries with no CA
• And many other LHC countries
• Scaling problems!
  – Automate the feature checking
  – Continue to work with GGF in the GridCP group
Authentication (3)
DataGrid CA Features matrix
CA Acceptance Matrix
• Detailed reports per CA
• Guidelines for “national” site admins
• To be done:
  – versioning of CP/CPS
  – invalidation after CP/CPS updates
And now …
Authorisation
GSI – Grid map file
• Resource Authorization based on access lists
• Maps “Grid name” (cert subject DN) → local UID
• In effect after successful authentication
triode:davidg:1002$ cat /etc/grid-security/grid-mapfile
"/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
"/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn
"/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj
"/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov
"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
"/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/Email=Piergiorgio.Cerello@to.infn.it" aliprod
mkgridmap and VOs
• Virtual Organizations (VOs) define user groups: “ATLAS”, “LHCb”, “OzoneModelling”, …
• Directory with user lists maintained by VO admin
• Resource owners extract list from “allowed” VOs
• optional: AND with one other directory (AUP!)
• periodically generated (once per day)
grid-mapfile generation
(Figure: the VO Directories o=testbed,dc=eu-datagrid,dc=org and o=xyz,dc=eu-datagrid,dc=org, each holding user entries under ou=People / ou=Testbed1 / ou=??? such as CN=Franz Elmer, CN=John Smith and CN=Mario Rossi, together with an “Authorization Directory” and a local users ban list, are read by mkgridmap, which writes the grid-mapfile; each user holds an Authentication Certificate.)
Entries in VO Directory
• VO Membership list
dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: pkiUser
sn: Barbera
cn: Roberto Barbera
mail: roberto.barbera@ct.infn.it
labeledURI: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate
• (sub)groups
dn: ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org
objectClass: domain
objectClass: organizationalUnit
objectClass: groupofnames
. . . .
owner: cn=manager,o=lhcb,dc=eu-datagrid,dc=org
• VO administrators
• sub-group administrators
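An added illustration of the mkgridmap flow from the two slides above (VO membership lists ANDed with the Authorization Directory, minus a local ban list, written out as grid-mapfile lines). This is example code written for this page, not EDG's own mkgridmap; the directories are constructed in-memory, and the `description: subject=...` attribute carrying each member's certificate DN is an assumed convention.

```python
# Constructed sample directories in LDIF-style text. The "description: subject=..."
# attribute carrying each member's certificate DN is an assumed convention here.
ALICE_VO = """dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org
objectClass: person
cn: Roberto Barbera
description: subject=/C=IT/O=INFN/CN=Roberto Barbera

dn: cn=Mario Rossi,ou=People,o=alice,dc=eu-datagrid,dc=org
objectClass: person
cn: Mario Rossi
description: subject=/C=IT/O=INFN/CN=Mario Rossi
"""
AUP_DIR = """dn: cn=Roberto Barbera,ou=People,o=testbed,dc=eu-datagrid,dc=org
description: subject=/C=IT/O=INFN/CN=Roberto Barbera

dn: cn=John Smith,ou=People,o=testbed,dc=eu-datagrid,dc=org
description: subject=/O=dutchgrid/O=users/CN=John Smith
"""

def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' lines, a blank line ends an entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def subject_dns(ldif):
    """Certificate subject DNs recorded in a directory dump."""
    return {v[len("subject="):] for e in parse_ldif(ldif)
            for v in e.get("description", []) if v.startswith("subject=")}

def mkgridmap(vo_dirs, aup_dir, ban, local_users):
    """grid-mapfile lines: (VO members AND AUP signers) minus the ban list."""
    signed = subject_dns(aup_dir)          # the optional "AND with one other directory"
    lines, done = [], set()
    for vo, ldif in vo_dirs.items():       # only the VOs this site allows
        for dn in sorted(subject_dns(ldif)):
            if dn in ban or dn not in signed or dn in done:
                continue                   # banned, no AUP on file, or already mapped
            done.add(dn)
            # dedicated local user if the site has one, else the VO's shared account
            lines.append(f'"{dn}" {local_users.get(dn, vo)}')
    return lines
```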
Authorisation
WP6 Authorisation group (R. Cecchini – INFN)
• Future plans
  – Evaluation of CAS and PERMIS
  – Better VO Directory management
  – Support of replicas of VO Directories
  – Support for users’ attributes in the VO Directories:
    • e.g. the AUP signing information (with expiration date...)
Authorisation (2)
• Globus Community Authorisation Server (CAS)
  – Long awaited!
  – Hot news – alpha release by end of next week
• PERMIS (http://www.permis.org)
  – EU funded project
  – Univ of Salford (UK) – member of SecureGrid
  – Policy-based, role-based (XML) access control
GridMapDir (WP6 - McNab)
• Account sharing mechanism for local UIDs
• Modified version of GSI allows mapping to ‘account pools’ (à la DHCP)
• nice when VO directories are large and not all users go to all sites
• difficult to recycle accounts (files!)
• successfully deployed in EDG TB1
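An added example modelled on the GridMapDir lease idea on this slide (example code written for this page, not McNab's implementation): each pool UID is an empty file and a lease is a hard link named after the URL-encoded DN, so a link count of 1 marks a free UID and the shared inode identifies the owner. Account and DN values are constructed; the demo also shows pool exhaustion and why a released lease does not clean up the UID's files.

```python
import os
import tempfile
from urllib.parse import quote

def make_pool(gridmapdir, account, size):
    """Create one empty file per pool UID (alice001, alice002, ...)."""
    for i in range(1, size + 1):
        open(os.path.join(gridmapdir, f"{account}{i:03d}"), "w").close()

def _pool_files(gridmapdir, account):
    for name in sorted(os.listdir(gridmapdir)):
        if name.startswith(account):
            yield name, os.stat(os.path.join(gridmapdir, name))

def pool_account(gridmapdir, account, dn):
    """Lease a pool UID to a DN: a hard link named after the URL-encoded DN points
    at the UID's file, so link count 1 means 'free' and the inode identifies the owner."""
    lease = os.path.join(gridmapdir, quote(dn, safe=""))
    if not os.path.exists(lease):
        free = [n for n, st in _pool_files(gridmapdir, account) if st.st_nlink == 1]
        if not free:
            return None          # pool exhausted: no spare "address" to lease
        os.link(os.path.join(gridmapdir, free[0]), lease)
    ino = os.stat(lease).st_ino
    return next(n for n, st in _pool_files(gridmapdir, account) if st.st_ino == ino)

def release(gridmapdir, dn):
    """Drop a lease; the UID is free again, but files it created on the site remain,
    which is what makes recycling pool accounts hard in practice."""
    os.unlink(os.path.join(gridmapdir, quote(dn, safe="")))

def demo():
    """Two-UID pool, three constructed DNs: reuse, exhaustion, then recycling."""
    d = tempfile.mkdtemp()
    make_pool(d, "alice", 2)
    u1 = "/C=IT/O=INFN/CN=Roberto Barbera"
    u2 = "/C=IT/O=INFN/CN=Mario Rossi"
    u3 = "/O=dutchgrid/O=users/CN=John Smith"
    out = [pool_account(d, "alice", u1), pool_account(d, "alice", u2),
           pool_account(d, "alice", u1), pool_account(d, "alice", u3)]
    release(d, u2)                      # Rossi's lease expires
    out.append(pool_account(d, "alice", u3))
    return out                          # ['alice001', 'alice002', 'alice001', None, 'alice002']
```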
Authorisation issues
• We need more functionality
  – “Dynamic policy-based Access control”
  – Users with more than one allowed role
  – Move away from Unix uid based security (and grid mapfile)
  – Applicable to all Grid services (and callable from them)
• Users may belong to multiple VOs
  – Authorisation may need to be based on “joins”
• Global & Local authorisation mechanisms
  – need to negotiate policy – Global/VO/Local
• We should aim for a limited number of compatible authorisation mechanisms
  – Job for Architecture group and WP7 Security
• OGSA?
Future plans
• The EU review encouraged us to do more on security
  – It is already happening!
• WP6 CA group
  – continue Acceptance matrix and work with GGF
• WP6 Authorisation group
  – Test and evaluate CAS and PERMIS
• WP7Sec D7.6 (M25) “Security Design and TB2 report”
• Work going on in all middleware WPs on security
• WP7Sec & Architecture group need to
  – Coordinate activities
  – Check that mechanisms are “secure”