Military Technical Academy Bucharest, 2004

Transcript of "GETTING ACCESS TO THE GRID: Authentication, Authorization and Delegation"

Page 1:

GETTING ACCESS TO THE GRID

Authentication, Authorization and Delegation

ADINA RIPOSAN
Applied Information Technology
Department of Computer Engineering

Page 2:

Authentication and Authorization

Delegation mechanism

Page 3:

Authentication and Authorization

Page 4:

Authentication & Authorization

In Grid environments, your host will become a client in some cases, and a server in other cases.

=> Therefore, your host might be required:
• to authenticate another host and
• be authenticated by the host at the same time.

The mutual Authentication function of GSI:
• It proceeds with the Authentication steps, and changes the direction of hosts and redoes the procedure.

Briefly speaking:
• Authentication is the process of sharing public keys securely with each other
• Authorization is the process that MAPS your DN to a local user/group of a remote host.

Page 5:

Mutual Authentication procedure

Page 6:

Delegation mechanism

Page 7:

Delegation mechanism

Remote delegation: where a user creates a proxy certificate at a REMOTE machine

Local delegation: where a user creates a proxy certificate at the LOCAL machine

Page 8:

REMOTE DELEGATION

When you make a proxy to a remote machine, the proxy's private key is on the remote machine
=> The super-user of that machine can access your proxy's private key and conduct business under your name.

• This delegated credential can be vulnerable to attacks.
• In order to avoid this impersonation, it is recommended that the proxy attain restricted policies from its owner, as in the case with GRAM, for example.

(The standardization of this proxy restriction is now going on under the GSI Working Group of Grid Forum Security)

To distribute jobs to remote grid machines, and let them distribute their child jobs to other machines under your security policy:
=> The DELEGATION function of GSI can be used.

Page 9:

Delegation procedure of user's proxy

Page 10:

If you are on the side of host A,
=> you can create your proxy at host B
=> to delegate your authority

This proxy acts as yourself, and submits a request to host C on your behalf.

The next steps:
• the procedure to create your proxy (proxy creation) at a remote machine, and
• the procedure to submit a request to the other remote host on your behalf (proxy action)

Page 11:

Proxy creation

1. A trusted communication is created between host A and host B.
2. You request host B to create a proxy that delegates your authority.
3. Host B creates the request for your proxy certificate, and sends it back to host A.
4. Host A signs the request to create your proxy certificate using your private key and sends it back to host B.
5. Host A sends your certificate to host B.

Page 12:

Proxy action

1. Your proxy sends your certificate and the certificate of your proxy to host C.
2. Host C gets your proxy's public key through the path validation procedure:
   a. Host C gets your subject and your public key from your certificate using the CA's public key.
   b. Host C gets the proxy's subject and your proxy's public key from your proxy's certificate using your public key.
   c. The subject is a Distinguished Name similar to "O=Grid/O=Globus/OU=itso.grid.com/CN=your name"

The subject of the proxy certificate is derived from its owner's (your) subject and is similar to "O=Grid/O=Globus/OU=itso.grid.com/CN=your name/CN=proxy"

Page 13:

So in order to validate the proxy certificate, host C just has to check that the proxy's subject, with the trailing "/CN=proxy" removed, is the same as your subject.
=> If it is validated, your proxy is authenticated by host C and able to act on your behalf.

3. The proxy encrypts a request message using its private key and sends it to host C.
4. Host C decrypts the encrypted message using the proxy's public key and gets the request.
5. Host C runs the request under the authority of a local user.
• The user is specified using a mapping file, which represents the mapping between the grid users (subject) and local users (local user name).
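Host C's subject check (strip the trailing "/CN=proxy" and compare with the owner's subject) followed by the mapping-file lookup of step 5, as an added Python example that is not part of the original slides; the mapping-file format, the sample DNs and the local user names griduser1/griduser2 are constructed assumptions.

```python
PROXY_SUFFIX = "/CN=proxy"

# Constructed sample mapping file: one line per grid user, the quoted subject
# DN followed by the local user name it maps to ('#' starts a comment).
SAMPLE_MAPFILE = """\
# grid users (subject) -> local users
"O=Grid/O=Globus/OU=itso.grid.com/CN=your name" griduser1
"O=Grid/O=Globus/OU=itso.grid.com/CN=another name" griduser2
"""

def parse_mapfile(text):
    """Return {subject DN: local user name} from mapping-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):               # quoted DN (DNs contain spaces)
            end = line.find('"', 1)
            if end == -1:
                continue                       # malformed line: skip it
            dn, rest = line[1:end], line[end + 1:]
        else:                                  # unquoted DN: first token
            dn, _, rest = line.partition(" ")
        users = rest.split()
        if dn and users:
            mapping[dn] = users[0]
    return mapping

def is_proxy_of(proxy_subject, owner_subject):
    """Page 13 rule: the proxy's subject with the trailing '/CN=proxy'
    removed must be exactly the owner's subject."""
    if not proxy_subject.endswith(PROXY_SUFFIX):
        return False                           # not a proxy certificate at all
    return proxy_subject[:-len(PROXY_SUFFIX)] == owner_subject

def authorize(proxy_subject, owner_subject, mapping):
    """Return the local user the request runs as, or None if it is refused:
    either the proxy does not belong to the claimed owner, or the owner's
    subject has no entry in the mapping file."""
    if not is_proxy_of(proxy_subject, owner_subject):
        return None
    return mapping.get(owner_subject)

if __name__ == "__main__":
    owner = "O=Grid/O=Globus/OU=itso.grid.com/CN=your name"
    print(authorize(owner + PROXY_SUFFIX, owner, parse_mapfile(SAMPLE_MAPFILE)))
```

A subject that does not end in "/CN=proxy", or whose prefix is another user's DN, is refused before the mapping file is consulted; an owner with no mapping entry gets no local account.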
