R-GMA Security (Stephen Hicks, UK Cluster Security; Middleware Security Group Meeting, 06/05/04). EGEE is a project funded by the European Union under contract IST-2003-508833.

R-GMA Security
Stephen Hicks, UK Cluster Security
Middleware Security Group Meeting, 06/05/04
EGEE is a project funded by the European Union under contract IST-2003-508833

Contents
- Overview
- Authorization rules
- Security in the API
- Implementation issues
- External dependencies

Overview
Interactions involving:
- Users
- R-GMA components: Consumers, Producers, Registry, Schema
High level security:
- Is this service legitimate?
- Can this user access this service?
- Can service X access service Y?
Application level:
- Is this user allowed to read data from this table?
- Is this user allowed to write to this table?
(Diagram of the interacting parties: User, Consumer Service, Producer Service, Registry Service, Schema Service.)

Authorization rules
GACL (the GridSite Grid Access Control Language): probably inappropriate for R-GMA
- Cannot define authorization on an individual item
- Need parameterization: the security details are part of the application data
  - Not simply "persons X, Y and Z can access table T"
  - But "persons X, Y and Z can access data in table T where the GROUP column matches their group"
Fine-grained authorization based on a view of the database
One rule contains:
- an SQL SELECT statement (the view the rule grants)
- user credentials (who the view is granted to)
Both can contain parameters

Authorization rules: examples
Example table: Job
- Columns: JobID, State, Owner, OwnersGroup
Notation: the SELECT to the left of the colon defines the view; the condition to the right says which credentials the view applies to. [DN] stands for the requesting user's certificate distinguished name.

SELECT * FROM Job : VO='ourVO'
- A user (via a consumer) can access all data in table Job if he/she is a member of VO ourVO.

SELECT * FROM Job WHERE Owner=[DN] : DN=[DN]
- A user can access all rows of Job where he/she is the owner.

SELECT JobID, State, Owner FROM Job WHERE OwnersGroup='ABModel' : GROUP='ABModel' OR GROUP='Xdata'
- A user can access columns JobID, State and Owner of all rows in Job where the owner's group for the row is ABModel, provided the user is in group ABModel or Xdata.
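The rule model of the two slides above (a rule is an SQL view plus a credential condition, and both may carry parameters) can be evaluated as follows. This is an added example and not R-GMA code: it assumes the " : " separator and the VO, DN and GROUP attribute names seen on the slides, treats [DN] as the only parameter and fills it from the caller's verified credentials (a plain dict standing in for attributes extracted from a VOMS credential), and runs the three example rules against an in-memory SQLite Job table with constructed rows. What it adds to the slides is the two checks a practitioner wants: the parameter is bound, never spliced into the SQL, so a DN containing a quote cannot alter the view, and a caller who matches no rule gets an empty result rather than the whole table.

```python
"""View-based authorization rules in the style of the R-GMA slides (added example)."""
import re
import sqlite3
from typing import Any

# Constructed sample rows for the slide's Job table: JobID, State, Owner, OwnersGroup.
CONSTRUCTED_JOBS = [
    ("j1", "Running", "/C=UK/O=eScience/CN=alice", "ABModel"),
    ("j2", "Done", "/C=UK/O=eScience/CN=bob", "Xdata"),
    ("j3", "Queued", "/C=UK/O=eScience/CN=alice", "Xdata"),
    ("j4", "Failed", "/C=UK/O=eScience/CN=O'Brien", "ABModel"),  # quote in the DN on purpose
]

# The three rules from the slide, written as "<view> : <credential predicate>".
RULES = [
    "SELECT * FROM Job : VO='ourVO'",
    "SELECT * FROM Job WHERE Owner=[DN] : DN=[DN]",
    "SELECT JobID, State, Owner FROM Job WHERE OwnersGroup='ABModel' "
    ": GROUP='ABModel' OR GROUP='Xdata'",
]

_TERM = re.compile(r"^\s*(\w+)=(?:'([^']*)'|\[(\w+)\])\s*$")  # ATTR='lit' or ATTR=[PARAM]
_PARAM = re.compile(r"\[(\w+)\]")                               # [DN] style placeholders


def parse_rule(rule: str) -> tuple[str, str]:
    """Split a rule into its SQL view and its credential predicate (assumed ' : ' separator)."""
    view, sep, predicate = rule.rpartition(" : ")
    if not sep:
        raise ValueError(f"rule has no credential predicate: {rule!r}")
    return view.strip(), predicate.strip()


def credentials_match(predicate: str, creds: dict[str, Any]) -> bool:
    """Evaluate an OR-list of ATTR='literal' / ATTR=[PARAM] terms against verified attributes.
    ATTR=[PARAM] is read as 'the caller presents attribute PARAM', so DN=[DN] means
    'any authenticated user'. Multi-valued attributes (GROUP) may be given as a list."""
    for term in predicate.split(" OR "):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported predicate term: {term!r}")
        attr, literal, param = m.groups()
        have = creds.get(attr)
        values = list(have) if isinstance(have, (list, tuple, set)) else ([have] if have else [])
        if param is not None and creds.get(param):
            return True
        if literal is not None and literal in values:
            return True
    return False


def bind_view(view: str, creds: dict[str, Any]) -> tuple[str, list[Any]]:
    """Turn every [PARAM] in the view into a bound '?' parameter taken from the credentials.
    Binding (not string interpolation) is what keeps a quote in a DN from changing the SQL."""
    params: list[Any] = []

    def to_placeholder(m: re.Match) -> str:
        value = creds.get(m.group(1))
        if value is None:
            raise PermissionError(f"rule needs attribute {m.group(1)} the caller lacks")
        params.append(value)
        return "?"

    return _PARAM.sub(to_placeholder, view), params


def accessible_rows(conn: sqlite3.Connection, creds: dict[str, Any]) -> list[dict[str, Any]]:
    """Union of the views of all rules whose predicate the caller satisfies (deny by default)."""
    seen: set[frozenset] = set()
    rows: list[dict[str, Any]] = []
    for rule in RULES:
        view, predicate = parse_rule(rule)
        if not credentials_match(predicate, creds):
            continue
        sql, params = bind_view(view, creds)
        cur = conn.execute(sql, params)
        cols = [d[0] for d in cur.description]      # projection may differ per rule
        for values in cur.fetchall():
            row = dict(zip(cols, values))
            key = frozenset(row.items())
            if key not in seen:
                seen.add(key)
                rows.append(row)
    return rows


def make_db() -> sqlite3.Connection:
    """In-memory Job table loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Job (JobID TEXT, State TEXT, Owner TEXT, OwnersGroup TEXT)")
    conn.executemany("INSERT INTO Job VALUES (?, ?, ?, ?)", CONSTRUCTED_JOBS)
    return conn


if __name__ == "__main__":
    db = make_db()
    callers = {
        "VO member": {"DN": "/C=UK/O=eScience/CN=dave", "VO": "ourVO", "GROUP": []},
        "bob (Xdata)": {"DN": "/C=UK/O=eScience/CN=bob", "GROUP": ["Xdata"]},
        "O'Brien": {"DN": "/C=UK/O=eScience/CN=O'Brien"},
        "anonymous": {},
    }
    for name, creds in callers.items():
        print(name, "->", accessible_rows(db, creds))
```

Whichever service ends up making the decision (see the implementation issues below), the attributes handed to credentials_match must come from the verified certificate or VOMS credential, never from anything the consumer put in its query; the view then does the row and column filtering.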

Authorization rules
Defined when a table is created
Authorization defined by:
- the user, via the API
- preloading into the Schema for statically defined tables
Details stored in the Schema:
- table description (CREATE TABLE …)
- authorization rules
One Schema per VO

Security in the API
Each Producer/Consumer is created with a list of VOs:
- ProducerFactory.createPrimaryProducer(…, voNames)
- ConsumerFactory.createConsumer(…, voNames)
Table creation takes the authorization rules together with the table definition:
- createTable(CreateTableStatement, TableAuthorization)

Implementation issues
Where is the authorization decision made?
- Producer
  - Could be achieved by passing credentials between trusted services
  - But ultimately requires delegation
- Consumer
  - Unnecessary passing of information (data is filtered only after it reaches the consumer), but no delegation needed
- Registry & Schema
  - Mutual trust between services, or delegation?
- Secondary producers
High level security handled by:
- Web Service protocols
- Transport protocols

External dependencies
R-GMA authorization depends on VOMS (or similar)
- VOMS needs to issue credentials both to users and to R-GMA hosts
- Eventually VOMS should be able to sign a specification of:
  - which hosts the VO trusts to carry out R-GMA roles
  - the access control rules for that VO
R-GMA depends on Edg-Java-Security (or its successor) for:
- authentication, using the trust manager
- checking VOMS credentials
- extracting credentials within R-GMA