Grid Security for Site Authorization in EDG VOMS, Java Security and LCMAPS


Page 1: Grid Security for Site Authorization in EDG: VOMS, Java Security and LCMAPS

DataGrid is a project funded by the European Union. HEPiX Conference, Amsterdam 2003

David Groep, NIKHEF, [email protected]

EDG Security Coordination
A. Frohner – CERN
D. Kouril – CESNET
F. Bonnassieux – CNRS
R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, A. Gianoli, F. Spataro – INFN
O. Mulmo – KDC
D.L. Groep, M. Steenbakkers, W. Som de Cerff, O. Koeroo, G. Venekamp – NIKHEF
L. Cornwall, D. Kelsey, J. Jensen – RAL
A. McNab – University of Manchester
P. Broadfoot, G. Lowe – University of Oxford

http://hep-project-grid-scg.web.cern.ch/

HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG

Page 2: Talk Outline

Introduction

Authorization requirements

VO Membership Service

Java Security for Hosted Environments

Native Mechanisms (LCAS, LCMAPS)

Conclusions  

Page 3: Authentication – only the first step

EDG security infrastructure based on X.509 certificates (PKI)

Authentication needs “trusted third parties”: 16 national certification authorities

Policies and procedures for mutual trust

Users identified with “identity” certificates signed by a national CA

See also next talk by Dave Kelsey…

Authorization: several entities involved

Resource Providers (e.g. computer centres, storage providers, NRENs)

Virtual Organizations (e.g. LHC experiment collaborations)

Authorization for grid users cannot be decided on a local-site basis alone

Page 4: User’s Authorization in Globus

[Diagram] The user holds a long-lived user cert issued by one of the CAs and creates a short-lived proxy cert with grid-proxy-init. The service holds a long-lived host cert. Authentication info flows from user to service at high frequency, and the service authorizes the DN against its local grid-mapfile. CRL updates from the CAs reach the service at low frequency.

Page 5: User’s Authorization in EDG 1.4.x

[Diagram] As in Globus, but the user also registers with one or more VO-LDAP servers (registration, low frequency), and mkgridmap periodically builds the service's grid-mapfile from the VO-LDAP membership lists. CRL updates from the CAs continue at low frequency. The long-lived user cert still yields a short-lived proxy cert via grid-proxy-init, authentication info flows to the service at high frequency, and the service holds a long-lived host cert.
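The mkgridmap step drawn on this slide, as an added example that is not EDG's edg-mkgridmap and not code from the talk: per-VO member DN lists (VO-LDAP results in the original, constructed lists here so nothing is fetched) are merged into a grid-mapfile, each VO gets a fixed local account or a pool-account prefix, and a site-local deny list overrides the VOs. The DNs, VO names, account names and the "source, account" pairing (modelled on the `group` lines of edg-mkgridmap.conf) are this example's assumptions.

```python
"""Build a grid-mapfile from VO membership lists, mkgridmap style (EDG 1.4.x).

Added example, not EDG's edg-mkgridmap. Output uses the Globus grid-mapfile
syntax: a quoted DN followed by one or more comma-separated local accounts.
"""

# Constructed membership lists standing in for VO-LDAP query results.
VO_MEMBERS = {
    "cms": ["/C=IT/O=INFN/L=CNAF/CN=Pinco Palla",
            "/O=dutchgrid/O=users/O=nikhef/CN=Jane Tester"],
    "atlas": ["/O=dutchgrid/O=users/O=nikhef/CN=Jane Tester",
              "/O=example/CN=Mallory"],
}
# Local account per VO (assumed values): a leading '.' is a pool-account prefix,
# resolved to a free cmsNNN account by the gridmapdir/PoolAccounts mechanism
# (slide 18); anything else is a fixed local account.
VO_ACCOUNT = {"cms": ".cms", "atlas": "atlas001"}
# Site deny list: a DN listed here is never written, whatever the VOs say.
LOCAL_DENY = {"/O=example/CN=Mallory"}

def build_gridmap(members, accounts, deny, vo_order):
    """Return grid-mapfile lines. A DN in several VOs gets all of their accounts,
    in vo_order, so the first listed VO supplies the default mapping."""
    entries = {}
    for vo in vo_order:
        for dn in members.get(vo, []):
            if dn in deny:
                continue
            entries.setdefault(dn, [])
            if accounts[vo] not in entries[dn]:
                entries[dn].append(accounts[vo])
    return [f'"{dn}" {",".join(accts)}' for dn, accts in entries.items()]

def parse_gridmap(lines):
    """Parse grid-mapfile lines back into {DN: [accounts]}; blank and '#' lines are ignored."""
    mapping = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        end = line.index('"', 1)
        mapping[line[1:end]] = line[end + 1:].strip().split(",")
    return mapping

def lookup(mapping, subject):
    """Account list for an authenticated subject, or None. Proxy components
    ('/CN=proxy', repeated for proxy chains) are stripped because the
    grid-mapfile lists end-entity DNs, not proxy subjects."""
    parts = subject.split("/")
    while parts and parts[-1] in ("CN=proxy", "CN=limited proxy"):
        parts.pop()
    return mapping.get("/".join(parts))

if __name__ == "__main__":
    print("\n".join(build_gridmap(VO_MEMBERS, VO_ACCOUNT, LOCAL_DENY, ["cms", "atlas"])))
```

The deny list is applied before any VO is consulted, so a site ban survives a user re-registering with another VO; this is the same "site decision wins" property that LCAS later provides at job time.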

Page 6: VOMS Overview

Provides info about the user’s relationship with his VO(s):

groups, “compulsory” groups, roles (admin, student, ...), capabilities (free-form string), temporal bounds

Features:

single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init);

expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself);

backward compatibility: the extra VO-related information is in the user’s proxy certificate, which can still be used with non-VOMS-aware services;

multiple VOs: the user may authenticate himself with multiple VOs and create an aggregate proxy certificate;

security: all client-server communications are secured and authenticated.

Page 7: User’s Authorization in EDG 2.x

[Diagram] The user registers with one or more VO-VOMS servers (registration, low frequency). voms-proxy-init turns the long-lived user cert into a short-lived proxy cert carrying a short-lived authz cert from each VOMS server, so authentication & authorization info reaches the service together (high frequency). The service holds a long-lived host cert and may itself hold a short-lived service cert with its own authz cert. On the service side LCAS/LCMAPS (native services) or edg-java-security (Java services) consume the attributes; CRL updates from the CAs continue at low frequency.

Page 8: Pseudo-Certificate Format

user’s identity:
/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/[email protected]
/C=IT/O=INFN/CN=INFN CA

server identity:
/C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/[email protected]
/C=IT/O=INFN/CN=INFN CA

user’s info:
VO: CMS  URI: http://vomscms.cern.ch
TIME1: 020710134823Z
TIME2: 020711134822Z
GROUP: montecarlo
ROLE: administrator
CAP: “100 GB disk”

SIGNATURE: (binary signature by the VOMS server; not reproducible as text)

The pseudo-cert is inserted in a non-critical extension of the user’s proxy, OID 1.3.6.1.4.1.8005.100.100.1

It will become an Attribute Certificate

One for each VOMS Server contacted
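Added example, not VOMS code from the project: the checks a VOMS-aware service should make on the pseudo-cert fields above before honouring GROUP/ROLE/CAP, namely that the signature verified, that the issuing server is one the site trusts for that VO, that the current time lies inside [TIME1, TIME2], and that the pseudo-cert was issued to the identity that actually authenticated (the proxy subject minus its /CN=proxy components). The textual field layout with USER/USERCA/SERVER/SERVERCA labels, the trusted-server table and the name Pinco Palla are this example's assumptions; the RSA signature itself is verified by the GSI layer against the server's certificate, and only its outcome is passed in.

```python
"""Validate the attributes carried in a VOMS pseudo-certificate (slide 8).

Added example, not VOMS code. The signature over the pseudo-cert is checked
by the GSI layer with the VOMS server's certificate; `signature_valid` is
that outcome. Field labels and trust configuration are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed pseudo-cert text, one "KEY: value" per line; values follow slide 8.
SAMPLE_PSEUDO_CERT = """\
USER: /C=IT/O=INFN/L=CNAF/CN=Pinco Palla
USERCA: /C=IT/O=INFN/CN=INFN CA
SERVER: /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it
SERVERCA: /C=IT/O=INFN/CN=INFN CA
VO: CMS
URI: http://vomscms.cern.ch
TIME1: 020710134823Z
TIME2: 020711134822Z
GROUP: montecarlo
ROLE: administrator
CAP: 100 GB disk
"""

# Assumed site configuration: which VOMS server DNs are trusted for each VO.
TRUSTED_VOMS_SERVERS = {
    "CMS": {"/C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it"},
}

@dataclass
class Decision:
    accepted: bool
    reason: str
    attributes: list = field(default_factory=list)

def parse_utctime(s):
    """X.509 UTCTime 'YYMMDDhhmmssZ'; two-digit years >= 50 mean 19xx (RFC 5280 rule)."""
    if len(s) != 13 or s[-1] != "Z":
        raise ValueError(f"bad UTCTime: {s!r}")
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)

def parse_pseudo_cert(text):
    """Return (fields, attributes): single-valued fields in a dict, and the ordered
    GROUP/ROLE/CAP triplets as dicts (ROLE and CAP attach to the most recent GROUP)."""
    fields, attrs = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"\u201c\u201d')
        if key == "GROUP":
            attrs.append({"group": value, "role": None, "capability": None})
        elif key in ("ROLE", "CAP"):
            if not attrs:
                raise ValueError(f"{key} before any GROUP")
            attrs[-1]["role" if key == "ROLE" else "capability"] = value
        else:
            fields[key] = value
    return fields, attrs

def end_entity_dn(subject):
    """Strip proxy components ('/CN=proxy', repeated for proxy chains) from a proxy subject."""
    parts = subject.split("/")
    while parts and parts[-1] in ("CN=proxy", "CN=limited proxy"):
        parts.pop()
    return "/".join(parts)

def validate(text, authenticated_subject, trusted_servers, now, signature_valid):
    """Policy checks after signature verification; returns a Decision with the reason for refusal."""
    if not signature_valid:
        return Decision(False, "signature invalid")
    fields, attrs = parse_pseudo_cert(text)
    try:
        not_before, not_after = parse_utctime(fields["TIME1"]), parse_utctime(fields["TIME2"])
    except (KeyError, ValueError) as exc:
        return Decision(False, f"bad validity: {exc}")
    if not (not_before <= now <= not_after):
        return Decision(False, "outside validity period")
    vo = fields.get("VO", "")
    if fields.get("SERVER") not in trusted_servers.get(vo, set()):
        return Decision(False, f"server not trusted for VO {vo}")
    if fields.get("USER") != end_entity_dn(authenticated_subject):
        return Decision(False, "identity mismatch")
    for a in attrs:
        a["vo"] = vo
    return Decision(True, "ok", attrs)
```

The identity check matters because the pseudo-cert travels inside the user's own proxy: without comparing USER against the authenticated DN, a pseudo-cert copied from someone else's proxy would grant that person's groups and roles.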

Page 9: VOMS Architecture

[Diagram] Clients and server components: voms-proxy-init talks GSI to vomsd; the Perl CLI and the web interface use soap + SSL / https to the administration web service (Tomcat & java-sec, axis servlet, VOMSimpl); mkgridmap fetches over https from voms-httpd (Apache & mod_ssl). All components reach the DB through JDBC (Java) or DBI (Perl).

MySQL db – with history and audit records

User query server and client (C++)

Java Web Service based administration interface

Perl client (batch processing)

Web browser client (generic administrative tasks)

Web server interface for mkgridmap

Page 10: Authorization

[Diagram] The user's request reaches a service with VOMS-issued credentials, either as a bare dn or as dn + attrs. Java services (edg-java-security) authenticate, pre-process and authorize in-process: coarse-grained, e.g. Spitfire, or fine-grained against ACLs, e.g. RepMeC. C services call out to LCAS for the authorization decision (coarse-grained, e.g. CE, Gatekeeper) and to LCMAPS for the mapping; fine-grained decisions against ACLs are taken at e.g. the SE or /grid.

Page 11: Authorization for Web Services

Java TrustManager can secure both web sites and web services

Based on Apache Tomcat Catalina servlet container

SOAP client, as an extension of the Axis SocketFactoryFactory

HTTP client, as an API that creates HTTPS connections

Authorization Manager gives attributes based on user DN and VOMS extensions

For web services: service uses proxy of host

For browser interaction: must use long-lived host cert to be TLS compliant

Page 12: Services secured by EDG-Java-Sec

Spitfire – uniform access to SQL database services (MySQL, DB/2, Oracle)

Replica Location Service, RepMeC, Giggle – metadata and replica information services

VOMS server

R-GMA – Relational Grid Monitoring Architecture – Information System

Basis for new OGSA/Web Services components

Page 13: Authorization for Native Environments

All systems for running Grid jobs and storing files are UNIX based

Need for an interface between Grid rights and local rights

Two-phase process:

Authorization of users: LCAS

Acquiring and enforcing local (UNIX-style) credentials: LCMAPS

Why the split?

Authorization decisions may apply to more than single resources

Credential mapping may be time-consuming and “heavy”

Internal service security: credential mapping needs root privileges, authorization can do without

Page 14: LCAS: Local Centre AuthZ Service

[Diagram] A job request from C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy, carrying a VOMS pseudo-cert and the job description exec=/bin/cat arguments=/etc/passwd, reaches a GateKeeper (or a GridFTP server). The GateKeeper calls out to the LCAS Service, and only an accepted job is passed to the Job Manager and on to the nodes; other clusters at the site call the same LCAS Service.

Authorization using:

• Authentication + VO data

• Job description

• Site policy

Plug-in framework, currently shipping modules:

• Allowed-users list

• Banned-users list

• wall-clock limitations

Page 15: LCMAPS – Local Credential MAPping

Provides local credentials needed for jobs within the fabric

Plug-in framework, driven by (site-specific) policy

Mapping based on:

user identity

VO affiliation, groups and roles

site-local policy

Supports multiple credential types:

Traditional POSIX: in-process & LDAP, via fixed or PoolAccounts*

AFS tokens

true Kerberos5

[Diagram] A request from C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy with its VOMS pseudo-cert passes GSI AuthN, then the LCAS authZ call-out; on accept, the Job Manager asks LCMAPS to open, learn & run the mapping plug-ins … and return a legacy uid, after which the Job Manager does fork+exec with the job args or submits the script.

Page 16: LCMAPS – new functionality

Local UNIX groups based on VOMS group membership and roles

More than one VO and group/role per grid user

No pre-allocation of pool accounts to specific groups

New mechanisms: groups-on-demand

Support for central user directories (primarily LDAP)

Why do we continue to need LCAS?

Centralized site decisions on authorized users for multiple fabrics

Coordinated access control across multiple CEs and SEs

(and save on ‘expensive’ account allocation mechanisms in LCMAPS)
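Slides 13 to 16 describe site authorization as a two-phase process. The following is an added example, not the EDG lcas/lcmaps code, that plays the sequence through in Python: an unprivileged LCAS phase runs a chain of plugins (allowed-users list, banned-users list, wall-clock limitation) over the DN, the VOMS attributes, the job description and site policy, and only if every plugin accepts does the LCMAPS phase lease a pool account for the DN and derive local UNIX groups from the VOMS groups and roles, creating groups on demand. The plugin set, the policy values, the "HH:MM" timeslot format, the dict standing in for gridmapdir leases and the local group naming are this example's assumptions.

```python
"""Two-phase site authorization in the style of LCAS and LCMAPS (slides 13-16).

Added example, not the EDG lcas/lcmaps code. LCAS decides and needs no
privileges; LCMAPS runs only after acceptance and does the privileged
account and group work. All policy values are constructed.
"""
from dataclasses import dataclass

@dataclass
class Request:
    dn: str            # end-entity DN of the authenticated user (proxy components stripped)
    attributes: list   # (vo, group, role) triplets taken from the VOMS pseudo-cert
    job: dict          # parsed job description, e.g. {"executable": "/bin/cat"}
    now: str           # gatekeeper wall-clock time as zero-padded "HH:MM"

# --- site policy (constructed values) -----------------------------------
ALLOWED_DNS = {"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"}   # allowed-users list
ALLOWED_VOS = {"cms", "atlas"}                          # VOs whose members are allowed
BANNED_DNS = {"/O=example/CN=Mallory"}                  # banned-users list, wins over everything
TIMESLOTS = [("00:00", "08:00"), ("18:00", "23:59")]    # wall-clock windows in which jobs are accepted

def lcas_banned(req):
    return req.dn not in BANNED_DNS

def lcas_allowed(req):
    return req.dn in ALLOWED_DNS or any(vo.lower() in ALLOWED_VOS for vo, _, _ in req.attributes)

def lcas_timeslots(req):
    return any(start <= req.now <= end for start, end in TIMESLOTS)

LCAS_PLUGINS = [lcas_banned, lcas_allowed, lcas_timeslots]

def lcas(req):
    """Authorization decision: (True, None), or (False, name of the refusing plugin)."""
    for plugin in LCAS_PLUGINS:
        if not plugin(req):
            return False, plugin.__name__
    return True, None

# --- credential mapping --------------------------------------------------
@dataclass
class LocalCredentials:
    account: str
    uid: int
    gid: int              # primary group, from the first VOMS attribute
    secondary_gids: list  # from the remaining attributes

class SiteAccounts:
    """Simulated account database: pool accounts per VO and a group table that grows on demand."""
    def __init__(self):
        self.pools = {"cms": ["cms001", "cms002"], "atlas": ["atlas001"]}
        self.uids = {"cms001": 40001, "cms002": 40002, "atlas001": 41001}
        self.leases = {}        # DN -> account; gridmapdir records this lease as a hard link
        self.groups = {"cms": 4000, "atlas": 4100}
        self._next_gid = 5000

    def lease_account(self, dn, vo):
        """Reuse the lease held by this DN, else take the first free account of the VO's pool."""
        if dn in self.leases:
            return self.leases[dn]
        for acct in self.pools.get(vo, []):
            if acct not in self.leases.values():
                self.leases[dn] = acct
                return acct
        raise RuntimeError(f"pool for VO {vo} exhausted")

    def group_on_demand(self, name):
        if name not in self.groups:
            self.groups[name] = self._next_gid
            self._next_gid += 1
        return self.groups[name]

def local_group_name(vo, group, role):
    """Local group for a VOMS attribute: vo[_group][_role], lower-cased (assumed convention)."""
    return "_".join(p.lower() for p in (vo, group, role) if p)

def lcmaps(req, accounts):
    """Map the request to local credentials. Called only after LCAS accepted."""
    if not req.attributes:
        raise PermissionError("no VO attributes: refusing to map")
    vo, group, role = req.attributes[0]
    account = accounts.lease_account(req.dn, vo.lower())
    primary = accounts.group_on_demand(local_group_name(vo, group, role))
    secondary = sorted({accounts.group_on_demand(local_group_name(v, g, r))
                        for v, g, r in req.attributes[1:]} - {primary})
    return LocalCredentials(account, accounts.uids[account], primary, secondary)

def authorize_and_map(req, accounts):
    """Gatekeeper sequence: LCAS first (a denial never reaches LCMAPS), then LCMAPS."""
    ok, refused_by = lcas(req)
    if not ok:
        raise PermissionError(f"LCAS denied by {refused_by}")
    return lcmaps(req, accounts)

if __name__ == "__main__":
    db = SiteAccounts()
    req = Request("/C=IT/O=INFN/L=CNAF/CN=Pinco Palla",
                  [("CMS", "montecarlo", "administrator"), ("ATLAS", "production", None)],
                  {"executable": "/bin/cat", "arguments": "/etc/passwd"}, "20:15")
    print(authorize_and_map(req, db))
```

Two properties worth noting: the banned-users plugin runs first, so a site ban holds no matter which VO vouches for the user, and a DN keeps the same leased pool account across jobs, which is what keeps local accounting traceable back to a grid identity.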

Page 17: Conclusions

EDG provides an extensive Grid authorization infrastructure today

LCAS* and Java-security already deployed

VOMS and LCMAPS ready for deployment (confirmed for June ’03)

Updates for various services in October ’03

User Side

Support for a large, fast-changing user community

Roles and groups within the experiment VOs

Multiple affiliations and roles per user

Resource Side

Minimal effort on resource provider side

Smoother integration in Grid computing at large

Retains traceability and auditability at all levels

Page 18: More Information

EDG Security Coordination Group
Web site http://hep-project-grid-scg.web.cern.ch/

VOMS
Web site http://grid-auth.infn.it/
CVS site http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/
Developers’ mailing list [email protected]

PoolAccounts
Web site http://www.gridpp.ac.uk/authz/gridmapdir/

LCAS-LCMAPS
Web site http://www.dutchgrid.nl/DataGrid/wp4/
CVS site http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/
http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
Maillist [email protected]

EDG Java Security
Web site http://edg-wp2.web.cern.ch/edg-wp2/security/