Page 1:

Security in DataGrid
12 Mar 2002
TERENA GRID-AN BoF
David Groep, NIKHEF, Amsterdam
based on a presentation by David Kelsey, CLRC/RAL, UK

Page 2:

The EU DataGrid

• DataGrid: generic Grid middleware and test bed for
  – High Energy Physics
  – Earth Observation and ozone modelling
  – Bio-informatics & bio-medicine

• Middleware components (on top of Globus):
  – scheduling and accounting
  – data replication and management
  – monitoring
  – data storage
  – fabric and farm management

Page 3:

Security in DataGrid

• No allocated effort, so groups distributed over WP’s:
  – CA Coordination (Test bed WP6)
    Started before the project (end 2000), well established
  – Ad-hoc Authorization (Test bed WP6)
    Interim solutions for distributing collaboration user lists and “virtual organization directories”.
  – Security Coordination (“Networking” WP7)
    Requirements gathering and design of a first “security architecture”. Definition of security guidelines for middleware development.

Page 4:

Start with …

Authentication

Page 5:

WP6 CACG

• 11 DataGrid Testbed1 CA’s
  – See WP6 web
  – Much effort to run these – growing number of cert requests
  – Several moving to OpenCA

• US DOE ScienceGrid CA
  – Operational since January 2002
  – Approved as a DataGrid “trusted” CA (& vice-versa!)
  – First test of transatlantic authentication last month

• Karlsruhe CA (CrossGrid and HEP Germany)
  – To be incorporated later

• Seems to attract Grid CA issues that should have gone to GGF!

Page 6:

Authentication (2)

• One of the EDG CA’s (CNRS) acts as a “catch-all” CA
  – CP/CPS will get explicit statements about RA’s

• Matrix of Trust (work ongoing) – much work!
  – Feature matrix
  – Acceptance matrix
    (WP6 CA Mgrs check each other against min. requirements)

BUT:
• Still another 7 CrossGrid countries with no CA
• And many other LHC countries
• Scaling problems!
  – Automate the feature checking
  – Continue to work with GGF in the GridCP group

Page 7:

Authentication (3)

DataGrid CA Features matrix (table shown on the slide; not reproduced in this transcript)

Page 8:

CA Acceptance Matrix

• Detailed reports per CA

• Guidelines for “national” site admins

• To be done:
  – versioning of CP/CPS
  – invalidation after CP/CPS updates

Page 9:

And now …

Authorisation

Page 10:

GSI – Grid map file

• Resource Authorization based on access lists
• Maps “Grid name” (cert subject DN) → local UID
• In effect after successful authentication

triode:davidg:1002$ cat /etc/grid-security/grid-mapfile
"/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
"/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn
"/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj
"/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov
"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
"/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/[email protected]" aliprod

Page 11:

mkgridmap and VO’s

• Virtual Organizations (VOs) define user groups: “ATLAS”, “LHCb”, “OzoneModelling”, …

• Directory with user lists maintained by VO admin

• Resource owners extract list from “allowed” VOs
  • optional: AND with one other directory (AUP!)
  • periodically generated (once per day)

Page 12:

grid-mapfile generation

(Diagram on the slide, not reproduced: two VO Directories, o=testbed,dc=eu-datagrid,dc=org and o=xyz,dc=eu-datagrid,dc=org, with branches ou=People and ou=Testbed1, holding user entries such as CN=Franz Elmer, CN=John Smith and CN=Mario Rossi, each backed by an Authentication Certificate; an “Authorization Directory” (ou=???); and a local users ban list. mkgridmap combines these inputs into the grid-mapfile.)
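The mkgridmap flow of slides 10 to 12, as an added example that is not DataGrid's own mkgridmap: members of the site's allowed VOs are ANDed with an authorization (AUP) directory, the local ban list is subtracted, and the result is written and read back in grid-mapfile notation. The VO names, DNs, account names and the in-memory stand-ins for the LDAP directories are all constructed for this example.

```python
import re

# Constructed stand-ins (not real DataGrid data) for the VO Directories, the
# "Authorization Directory" (who signed the AUP) and the local ban list.
VO_MEMBERS = {
    "testbed": ["/O=example/O=users/CN=Franz Elmer", "/O=example/O=users/CN=John Smith"],
    "xyz": ["/O=example/O=users/CN=Mario Rossi", "/O=example/O=users/CN=John Smith"],
}
AUP_SIGNED = {"/O=example/O=users/CN=Franz Elmer", "/O=example/O=users/CN=John Smith",
              "/O=example/O=users/CN=Mario Rossi"}
BAN_LIST = {"/O=example/O=users/CN=Franz Elmer"}
VO_ACCOUNT = {"testbed": "tbuser", "xyz": "xyzuser"}  # site's local account per VO

def mkgridmap(vo_members, allowed_vos, vo_account, aup_signed=None, ban=()):
    """Members of the allowed VOs, ANDed with the AUP directory when one is
    given, minus the ban list, as grid-mapfile lines. The first allowed VO
    listing a DN decides its account, so VO order is the site's preference."""
    entries = {}
    for vo in allowed_vos:
        for dn in vo_members.get(vo, []):
            if aup_signed is not None and dn not in aup_signed:
                continue  # AND with the authorization directory
            if dn in ban:
                continue  # local ban list overrides VO membership
            entries.setdefault(dn, vo_account[vo])
    return ['"%s" %s' % (dn, acct) for dn, acct in sorted(entries.items())]

_MAPLINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')

def parse_gridmap(text):
    """grid-mapfile text -> {cert subject DN: default local account}, the
    lookup GSI performs after authentication. The account field may be a
    comma-separated list; the first entry is the default account."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _MAPLINE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        mapping[m.group(1)] = m.group(2).split(",")[0]
    return mapping

def build_example():
    """The daily run for a site allowing VOs testbed and xyz, AUP required."""
    return mkgridmap(VO_MEMBERS, ["testbed", "xyz"], VO_ACCOUNT, AUP_SIGNED, BAN_LIST)
```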

Page 13:

Entries in VO Directory

• VO Membership list

dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: pkiUser
sn: Barbera
cn: Roberto Barbera
mail: [email protected]: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate

• (sub) groups

dn: ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org
objectClass: domain
objectClass: organizationalUnit
objectClass: groupofnames
. . . .
owner: cn=manager,o=lhcb,dc=eu-datagrid,dc=org

• VO administrators
• sub-group administrators

Page 14:

Authorisation

WP6 Authorisation group (R. Cecchini – INFN)

• Future plans
  – Evaluation of CAS and PERMIS
  – Better VO Directory management
  – Support of replicas of VO Directories
  – Support for users’ attributes in the VO Directories:
    • e.g. the AUP signing information (with expiration date...)

Page 15:

Authorisation (2)

• Globus Community Authorisation Server (CAS)
  – Long awaited!
  – Hot news – alpha release by end of next week

• PERMIS (http://www.permis.org)
  – EU funded project
  – Univ of Salford (UK) – member of SecureGrid
  – Policy-based Role-based (XML) Access control

Page 16 (slide 18):

GridMapDir (WP6 - McNab)

• Account sharing mechanism for local UIDs
• Modified version of GSI allows mapping to ‘account pools’ (à la DHCP)
• nice when VO directories are large and not all users go to all sites
• difficult to recycle accounts (files!)
• successfully deployed in EDG TB1
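The account-pool leasing idea of this slide, as an added example that is not the WP6 GridMapDir code: pool accounts are leased to DNs on first use, a DN keeps its account on later visits, and releasing a lease frees the account while leaving behind whatever files the UID created. The hard-link layout, the class and the pool account names are this example's own assumptions.

```python
import os, tempfile, urllib.parse

class GridMapDir:
    """Constructed model (not the WP6 code) of a gridmapdir-style pool.
    Every pool account is an empty file; a lease ties a DN to an account by
    hard-linking that file under the URL-encoded DN. An account is free while
    its link count is 1; os.link() never overwrites an existing lease."""

    def __init__(self, path, pool):
        self.path, self.pool = path, list(pool)
        for acct in self.pool:
            open(os.path.join(path, acct), "a").close()

    def _lease(self, dn):
        return os.path.join(self.path, urllib.parse.quote(dn, safe=""))

    def lookup(self, dn):
        """Account currently leased to dn, or None."""
        if not os.path.exists(self._lease(dn)):
            return None
        for acct in self.pool:
            if os.path.samefile(self._lease(dn), os.path.join(self.path, acct)):
                return acct
        return None

    def map_dn(self, dn):
        """Existing lease if any, else the first free account; None if none."""
        acct = self.lookup(dn)
        if acct is not None:
            return acct
        for acct in self.pool:
            acct_file = os.path.join(self.path, acct)
            if os.stat(acct_file).st_nlink == 1:  # no DN linked to it yet
                try:
                    os.link(acct_file, self._lease(dn))
                except FileExistsError:  # lost a race; the other mapper won
                    return self.lookup(dn)
                return acct
        return None

    def release(self, dn):
        """Drop the lease; files the UID left on disk stay behind (slide's caveat)."""
        try:
            os.unlink(self._lease(dn))
            return True
        except FileNotFoundError:
            return False

def fresh_pool(pool=("tb001", "tb002")):
    """A GridMapDir in a scratch directory with constructed pool account names."""
    return GridMapDir(tempfile.mkdtemp(), pool)
```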

Page 17 (slide 20):

Authorisation issues

• We need more functionality
  – “Dynamic policy-based Access control”
  – Users with more than one allowed role
  – Move away from Unix uid based security (and grid mapfile)
  – Applicable to all Grid services (and callable from)

• Users may belong to multiple VO’s
  – Authorisation may need to be based on “joins”

• Global & Local authorisation mechanisms
  – need to negotiate policy – Global/VO/Local

• We should aim for a limited number of compatible authorisation mechanisms
  – Job for Architecture group and WP7 Security

• OGSA?

Page 18 (slide 23):

Future plans

• The EU review encouraged us to do more on security
  – It is already happening!

• WP6 CA group
  – continue Acceptance matrix and work with GGF

• WP6 Authorisation group
  – Test and evaluate CAS and PERMIS

• WP7Sec D7.6 (M25) “Security Design and TB2 report”
• Work going on in all middleware WP’s on security
• WP7Sec & Architecture group need to
  – Coordinate activities
  – Check that mechanisms are “secure”