Security in DataGrid
12 Mar 2002, TERENA GRID-AN BoF
David Groep, NIKHEF, Amsterdam
based on a presentation by David Kelsey, CLRC/RAL, UK
The EU DataGrid
• DataGrid: generic Grid middleware and test bed for
  – High Energy Physics
  – Earth Observation and ozone modelling
  – Bio-informatics & bio-medicine
• Middleware components (on top of Globus):
  – scheduling and accounting
  – data replication and management
  – monitoring
  – data storage
  – fabric and farm management
Security in DataGrid
• No allocated effort, so groups distributed over WP’s:
  – CA Coordination (Test bed WP6)
    Started before the project (end 2000), well established
  – Ad-hoc Authorization (Test bed WP6)
    Interim solutions for distributing collaboration user lists and “virtual organization directories”.
  – Security Coordination (“Networking” WP7)
    Requirements gathering and design of a first “security architecture”. Definition of security guidelines for middleware development.
Start with …
Authentication
WP6 CACG
• 11 DataGrid Testbed1 CA’s
  – See WP6 web
  – Much effort to run these – growing number of cert requests
  – Several moving to OpenCA
• US DOE ScienceGrid CA
  – Operational since January 2002
  – Approved as a DataGrid “trusted” CA (& vice-versa!)
  – First test of transatlantic authentication last month
• Karlsruhe CA (CrossGrid and HEP Germany)
  – To be incorporated later
• Seems to attract Grid CA issues that should have gone to GGF!
Authentication (2)
• One of the EDG CA’s (CNRS) acts as a “catch-all” CA
  – CP/CPS will get explicit statements about RA’s
• Matrix of Trust (work ongoing) – much work!
  – Feature matrix
  – Acceptance matrix (WP6 CA Mgrs check each other against min. requirements)
BUT:
• Still another 7 CrossGrid countries with no CA
• And many other LHC countries
• Scaling problems!
  – Automate the feature checking
  – Continue to work with GGF in the GridCP group
Authentication (3)
DataGrid CA Features matrix
CA Acceptance Matrix
• Detailed reports per CA
• Guidelines for “national” site admins
• To be done:
  – versioning of CP/CPS
  – invalidation after CP/CPS updates
And now …
Authorisation
GSI – Grid map file
• Resource Authorization based on access lists
• Maps “Grid name” (cert subject DN) → local UID
• In effect after successful authentication
triode:davidg:1002$ cat /etc/grid-security/grid-mapfile
"/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
"/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn
"/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj
"/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov
"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
"/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/[email protected]" aliprod
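An added example, not code from the slides or from Globus, of how a resource consumes this access list: parse the quoted-DN lines, then look the authenticated subject DN up with an exact match, where no entry means deny. The sample lines are constructed from the ones above; the comma-separated account list with the first entry as default follows the Globus grid-mapfile convention.

```python
import shlex

# Constructed sample in the format shown above: a double-quoted certificate
# subject DN followed by the local account. Globus also accepts a comma-separated
# account list after the DN; the first one is the default.
SAMPLE_GRID_MAPFILE = '''\
# comment lines and blank lines are ignored
"/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
"/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello" aliprod,alice
'''

def parse_grid_mapfile(text):
    """Return {subject DN: [local accounts]}; malformed lines raise ValueError."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            parts = shlex.split(line)   # shlex keeps the quoted DN (with spaces) together
        except ValueError as exc:
            raise ValueError(f'line {lineno}: {exc}') from exc
        if len(parts) != 2:
            raise ValueError(f'line {lineno}: expected "<DN>" <account[,account...]>')
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(',') if a]
    return mapping

def map_user(mapping, subject_dn, requested=None):
    """Access-list check after GSI authentication: the DN must match an entry
    exactly (no normalisation), and an absent DN means deny. Returns the local
    account to run as, or None."""
    accounts = mapping.get(subject_dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]               # default account
    return requested if requested in accounts else None
```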
mkgridmap and VO’s
• Virtual Organizations (VOs) define user groups: “ATLAS”, “LHCb”, “OzoneModelling”, …
• Directory with user lists maintained by VO admin
• Resource owners extract list from “allowed” VOs
• optional: AND with one other directory (AUP!)
• periodically generated (once per day)
grid-mapfile generation (diagram)
Left: Authentication Certificates for CN=Franz Elmer, CN=John Smith and CN=Mario Rossi.
Middle: VO Directories (o=testbed,dc=eu-datagrid,dc=org with ou=People and ou=Testbed1; o=xyz,dc=eu-datagrid,dc=org with ou=People) and an “Authorization Directory” (ou=???).
Right: mkgridmap reads the VO Directories, the Authorization Directory, the local users and the ban list, and writes the grid-mapfile.
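An added example, not the project's mkgridmap, of the generation step in the diagram: take the member DNs of the allowed VOs, AND them with the authorization (AUP) directory, drop anything on the local ban list, append the static local users and emit grid-mapfile lines. VO membership is represented by constructed sets of certificate subject DNs, which assumes the VO directory yields each member's subject DN; the account names and policy are constructed too.

```python
# Constructed inputs. VO directories are modelled as VO name -> set of member
# certificate subject DNs (assumption: the VO directory yields the subject DN).
VO_DIRECTORIES = {
    'alice': {'/C=IT/O=INFN/CN=Mario Rossi', '/O=dutchgrid/O=users/CN=John Smith'},
    'lhcb':  {'/O=dutchgrid/O=users/CN=Franz Elmer', '/O=dutchgrid/O=users/CN=John Smith'},
    'ozone': {'/O=dutchgrid/O=users/CN=Krista Joosten'},
}
# The resource owner's policy: which VOs are allowed here and their local account
ALLOWED_VOS = {'alice': 'aliprod', 'lhcb': 'lhcbprod'}
# Optional "Authorization Directory": DNs that have signed the AUP
AUP_SIGNED = {'/C=IT/O=INFN/CN=Mario Rossi', '/O=dutchgrid/O=users/CN=Franz Elmer',
              '/O=dutchgrid/O=users/CN=John Smith'}
# Local ban list: always wins, also over static local entries
LOCAL_BAN = {'/O=dutchgrid/O=users/CN=John Smith'}
# Static local users appended unchanged
LOCAL_USERS = {'/O=dutchgrid/O=users/O=nikhef/CN=David Groep': 'davidg'}

def build_grid_mapfile(vo_dirs, allowed, aup_signed=None, ban=frozenset(), local=None):
    """Return grid-mapfile text. A DN present in several allowed VOs gets the
    account of the first VO (in allowed order) as default and the others as
    alternatives; DNs outside allowed VOs, without a signed AUP, or banned are dropped."""
    entries = {}   # dn -> [accounts]
    for vo, account in allowed.items():
        for dn in sorted(vo_dirs.get(vo, ())):
            if aup_signed is not None and dn not in aup_signed:
                continue                     # AND with the authorization directory
            if dn in ban:
                continue                     # local ban list
            accounts = entries.setdefault(dn, [])
            if account not in accounts:
                accounts.append(account)
    for dn, account in (local or {}).items():
        if dn not in ban:
            entries.setdefault(dn, [account])
    lines = [f'"{dn}" {",".join(accs)}' for dn, accs in sorted(entries.items())]
    return '\n'.join(lines) + '\n'
```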
Entries in VO Directory
• VO Membership list
  dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: pkiUser
  sn: Barbera
  cn: Roberto Barbera
  mail: [email protected]: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate
• (sub) groups
  dn: ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org
  objectClass: domain
  objectClass: organizationalUnit
  objectClass: groupofnames
  . . . .
  owner: cn=manager,o=lhcb,dc=eu-datagrid,dc=org
• VO administrators
• sub-group administrators
Authorisation
WP6 Authorisation group (R. Cecchini – INFN)
• Future plans
  – Evaluation of CAS and PERMIS
  – Better VO Directory management
  – Support of replicas of VO Directories
  – Support for users’ attributes in the VO Directories:
    • e.g. the AUP signing information (with expiration date...)
Authorisation (2)
• Globus Community Authorisation Server (CAS)
  – Long awaited!
  – Hot news – alpha release by end of next week
• PERMIS (http://www.permis.org)
  – EU funded project
  – Univ of Salford (UK) – member of SecureGrid
  – Policy-based Role-based (XML) Access control
GridMapDir (WP6 - McNab)
• Account sharing mechanism for local UIDs
• Modified version of GSI allows mapping to ‘account pools’ (à la DHCP)
• nice when VO directories are large and not all users go to all sites
• difficult to recycle accounts (files!)
• successfully deployed in EDG TB1
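An added example, not the WP6 code, of the account-pool idea modelled on the gridmapdir hard-link scheme: a lease is a hard link from a file named after the URL-encoded DN to a pool account's file, a pool file with link count 1 is free, and os.link() makes the claim atomic, so a DN keeps the same account until its lease is released (which is the recycling problem the slide mentions). The pool name, prefix and DNs in the demo are constructed.

```python
import os, tempfile, urllib.parse

def setup_pool(gridmapdir, prefix, count):
    """Create the gridmapdir with one empty file per pool account (alice001, ...)."""
    os.makedirs(gridmapdir, exist_ok=True)
    for i in range(1, count + 1):
        open(os.path.join(gridmapdir, f'{prefix}{i:03d}'), 'a').close()

def _lease_path(gridmapdir, subject_dn):
    # A lease is a file named after the URL-encoded DN ('/' cannot appear in a name)
    return os.path.join(gridmapdir, urllib.parse.quote(subject_dn, safe=''))

def lease_account(gridmapdir, subject_dn, prefix):
    """DHCP-style mapping: reuse this DN's lease, else claim a free pool account.
    A lease is a hard link to the account's file, so link count 1 means free and
    os.link() makes the claim atomic. Returns None when the pool is exhausted."""
    lease = _lease_path(gridmapdir, subject_dn)
    pool = sorted(n for n in os.listdir(gridmapdir) if n.startswith(prefix))
    if os.path.exists(lease):                    # existing lease: same account again
        ino = os.stat(lease).st_ino
        return next(n for n in pool if os.stat(os.path.join(gridmapdir, n)).st_ino == ino)
    for name in pool:
        path = os.path.join(gridmapdir, name)
        if os.stat(path).st_nlink != 1:
            continue                             # leased to some other DN
        try:
            os.link(path, lease)
        except FileExistsError:                  # another mapper just leased this DN
            return lease_account(gridmapdir, subject_dn, prefix)
        if os.stat(path).st_nlink == 2:          # nobody else grabbed it meanwhile
            return name
        os.unlink(lease)                         # lost the race, try the next account
    return None

def release_account(gridmapdir, subject_dn):
    """Recycle: drop the lease. Files the previous user left under that UID stay."""
    lease = _lease_path(gridmapdir, subject_dn)
    if not os.path.exists(lease):
        return False
    os.unlink(lease)
    return True

def demo():
    # Two-account pool: lease, stable re-lease, exhaustion, recycling (constructed DNs)
    d = tempfile.mkdtemp()
    setup_pool(d, 'alice', 2)
    franz, john, mario = '/O=x/CN=Franz Elmer', '/O=x/CN=John Smith', '/O=x/CN=Mario Rossi'
    return (lease_account(d, franz, 'alice'), lease_account(d, franz, 'alice'),
            lease_account(d, john, 'alice'), lease_account(d, mario, 'alice'),
            release_account(d, franz), lease_account(d, mario, 'alice'))
```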
Authorisation issues
• We need more functionality
  – “Dynamic policy-based Access control”
  – Users with more than one allowed role
  – Move away from Unix uid based security (and grid mapfile)
  – Applicable to all Grid services (and callable from)
• Users may belong to multiple VO’s
  – Authorisation may need to be based on “joins”
• Global & Local authorisation mechanisms
  – need to negotiate policy – Global/VO/Local
• We should aim for a limited number of compatible authorisation mechanisms
  – Job for Architecture group and WP7 Security
• OGSA?
Future plans
• The EU review encouraged us to do more on security
  – It is already happening!
• WP6 CA group
  – continue Acceptance matrix and work with GGF
• WP6 Authorisation group
  – Test and evaluate CAS and PERMIS
• WP7Sec D7.6 (M25) “Security Design and TB2 report”
• Work going on in all middleware WP’s on security
• WP7Sec & Architecture group need to
  – Coordinate activities
  – Check that mechanisms are “secure”