Security in WLCG/EGEE. Presentation transcript (Security – January 15-16 2007).


Security in WLCG/EGEE

Requirements

- Providers of resources (computers, storage, databases, services, ...) need risks to be controlled:
  - They are asked to trust users they do not know
  - They trust a VO
  - The VO trusts its members
- Users need single sign-on: to be able to log on to a machine that can pass the user's identity to all other resources without further initialization
  - Users also need to trust the owners of the resources they are using
- All that is fulfilled by the Grid Security Infrastructure (GSI), which currently represents the standard for security on all Grid implementations:
  - It enables secure authentication and communication over an open network
  - It relies on public key encryption (PKI), X.509 certificates and ... (see later)

Basic "grid-security" concepts

- Principal: an entity: a user, a program, or a machine
- Credentials: the data necessary to provide the proof of identity
- Mechanism: software providing data authentication, confidentiality, integrity (e.g. Kerberos, GSI)
- Authentication: verify the identity of the peer (who wants to use the resource?)
- Authorization: verify compliance with policies and rules (is the peer allowed to access the resources?)
- Mapping: establish the rule for converting a grid identity/property into a local account/capability (how to interpret a given access request?)
- Confidentiality: encrypt the message so that only the recipient can understand it
- Integrity: ensure that the message has not been altered in transmission
- Non-repudiation: impossibility of denying the authenticity of a digital signature

Encryption

- Symmetric encryption: the same key ("secret") is used for encryption and decryption
  - Kerberos, DES / 3DES, IDEA
- Asymmetric encryption: different keys are used for encryption and decryption
  - RSA, DSA

[Diagrams: symmetric: clear text message -> encryption with the shared key -> encrypted text -> decryption with the same shared key -> clear text message. Asymmetric: clear text message -> encryption with key A -> encrypted text -> decryption with key B -> clear text message]

PKI: Public Key Infrastructure

- Provides authentication, integrity, confidentiality, non-repudiation
- Asymmetric encryption
- Digital signatures
  - A hash derived from the message and encrypted with the signer's private key
  - The signature is checked by decrypting it with the signer's public key
- Allows key exchange in an insecure medium using a trust model
  - Keys are trusted only if signed by a trusted third party (Certification Authority)
  - A CA certifies that a key belongs to a given principal
- Certificate
  - Public key + information about the principal + CA signature
  - X.509 is the most used format
- PKI is used by SSL, PGP, GSI, WS security, S/MIME, etc.

[Diagram: clear text message encrypted with the private key gives the encrypted text, which is decrypted with the public key]

X.509 certificates and authentication

Authentication of A to B:
1. A sends A's certificate to B
2. B verifies the CA signature on the certificate
3. B sends A a random phrase
4. A encrypts the phrase with A's private key and returns the encrypted phrase
5. B decrypts it with A's public key and compares the result with the original phrase

Structure of an X.509 certificate:
- Public key
- Subject: C=CH, O=CERN, OU=GRID, CN=John Smith 8968
- Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA
- Expiration date: Aug 26 08:08: GMT
- Serial number: 625 (0x271)
- CA digital signature

Certification Authorities

- Issue certificates for users, programs and machines
- Check the identity and the personal data of the requestor
  - Registration Authorities (e.g. Ian Neilson) do the actual validation within a CA
- Manage Certificate Revocation Lists (CRLs)
  - They contain all the revoked certificates that are yet to expire
- CA certificates are self-signed
- LCG-2 recognizes a given set of CAs

Certificate classification

- User certificate
  - issued to a physical person
  - DN = C=CH, O=CERN, OU=GRID, CN=John Smith
  - the only kind of certificate good for a client, i.e. to send Grid jobs etc.
- Host certificate
  - issued to a machine (i.e. a secure web server, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host1.cern.ch
- Grid host certificate
  - issued to a Grid service (i.e. a Resource Broker, a Computing Element, etc.)
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=host/host1.cern.ch
- Service certificate
  - issued to a program running on a machine
  - request signed with a user certificate
  - DN = C=CH, O=CERN, OU=GRID, CN=ldap/host1.cern.ch

Globus Grid Security Infrastructure (GSI)

- Based on PKI
- Implements some important features
  - Single sign-on: no need to give one's password every time
  - Delegation: a service can act on behalf of a person
  - Mutual authentication: both sides must authenticate to the other
- Introduces proxy certificates
  - The user certificate, whose private key is protected by a password, is used to generate and sign a temporary certificate, called a proxy, which is used for the actual authentication and does not have a password.
  - As possession of the proxy certificate is a proof of identity, the file containing it must be kept readable only by the user, and the proxy has, by default, a short lifetime to reduce security risks (short-lived proxy).

More on proxy certificates and delegation

- Delegation: allowing someone (or something) else, e.g. a file transfer service, to use my credentials
  - Proxies can be moved over a network
- The subject identifies the user:
  - User subject: /C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968
  - Proxy subject: /C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968/CN=proxy
- Full proxy: a proxy created from a user certificate or from another full proxy with normal delegation
- Limited proxy: a proxy created from a proxy with limited delegation, or from another limited proxy
- What does that mean? Entities can decide to accept only full proxies. Examples:
  - GridFTP accepts all proxies
  - The Globus gatekeeper accepts only full proxies
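The chain rules just described (proxy subject = issuer subject plus a proxy CN, limited delegation never turning back into full, a proxy never outliving its issuer) written out as a checker, with the slide's per-service policy on top. This is an added example, not code from the slides or from Globus; it assumes the legacy Globus naming convention of "/CN=proxy" for full and "/CN=limited proxy" for limited proxies, that a limited proxy may only sign limited proxies, and that certificates are represented by their subject, issuer and expiry only (no signature checking).

```python
"""Added example (not from the slides): validating a GSI legacy proxy chain.
Assumptions: subjects are plain '/C=...' strings; a full proxy appends
'/CN=proxy' and a limited proxy '/CN=limited proxy' to its issuer's
subject (legacy Globus naming); a limited proxy may only sign limited
proxies; lifetimes are compared against a caller-supplied 'now'.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FULL, LIMITED = "/CN=proxy", "/CN=limited proxy"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def classify_chain(chain, now):
    """Walk user cert -> proxies; return 'full' or 'limited', raise on a bad chain."""
    if not chain or chain[0].subject.endswith((FULL, LIMITED)):
        raise ValueError("chain must start with the user certificate")
    kind = "full"
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"issuer mismatch at {child.subject!r}")
        if child.subject == parent.subject + LIMITED:
            kind = "limited"                 # limited delegation from here on
        elif child.subject != parent.subject + FULL or kind == "limited":
            raise ValueError(f"invalid proxy subject {child.subject!r}")
        if child.not_after > parent.not_after:
            raise ValueError("a proxy must not outlive its issuer")
    if any(c.not_after <= now for c in chain):
        raise ValueError("expired certificate in chain")
    return kind

# Acceptance policies named on the slide.
POLICY = {"gridftp": {"full", "limited"}, "gatekeeper": {"full"}}

def accepts(service, chain, now):
    """Apply a service's proxy policy; any validation failure is a refusal."""
    try:
        return classify_chain(chain, now) in POLICY[service]
    except ValueError:
        return False

def demo_chain(limited=False):
    """Constructed chain using the slide's DNs: user cert, 12 h full proxy,
    then a 2 h full or limited proxy. Returns (chain, now)."""
    now = datetime(2007, 1, 15, 12, 0, tzinfo=timezone.utc)
    ca, user = "/C=CH/O=CERN/OU=GRID/CN=CERN CA", "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968"
    p1, p2 = user + FULL, user + FULL + (LIMITED if limited else FULL)
    return [Cert(user, ca, now + timedelta(days=300)),
            Cert(p1, user, now + timedelta(hours=12)),
            Cert(p2, p1, now + timedelta(hours=2))], now
```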

Virtual Organizations and authorization

- WLCG users MUST belong to a Virtual Organization
  - Sets of users belonging to a collaboration
  - List of supported VOs:
- VOs maintain a list of their members and their capabilities in central DBs. The organization of the VO is then propagated to resources somehow.
- The whole list of users is downloaded by Grid machines to map user certificate subjects to local "pool" (and not only) accounts
- Sites decide which VOs to accept...

grid-mapfile:
    "/C=CH/O=CERN/OU=GRID/CN=Simone Campana 7461" .dteam
    "/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
    "/C=CH/O=CERN/OU=GRID/CN=Patricia Mendez Lorenzo-ALICE" .alice
    "/C=CH/O=CERN/OU=GRID/CN=Roberto Santinelli 7735" lhcbsgm
    ...

VOMS: Virtual Organization Membership Service

- VOMS extends the proxy info with VO membership, group, role
- voms-proxy-init produces a user's proxy certificate, like grid-proxy-init does, but with the difference that it contains further user info from the VOMS server(s).
- This info is returned in a structure that also contains the credentials of both the user and the VOMS server, and its time validity. All these data are signed by the VOMS server itself.
- This structure is called "Attribute Certificate" (or Pseudo-Certificate).

[Diagram: the client holding the proxy /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy sends an authentication request to the VOMS server; the server consults its Auth DB and returns the VOMS pseudo-cert, which is added to the proxy]

Evolution of VO management

Before VOMS:
- User is authorised as a member of a single VO
- All VO members have the same rights
- Gridmapfiles are updated by VO management software: map the user's DN to a local account
- grid-proxy-init

VOMS:
- User can be in multiple VOs
  - Aggregate rights
- VO can have groups
  - Different rights
  - Nested groups
- VO has roles
  - Assigned to specific purposes, e.g. system admin, software manager
- Synchronous update of privileges: updated user privileges are automatically known to VOMS-aware sites; the site holds only the rules to interpret and map the capabilities exposed by the user's certificate (signed by VOMS)
- voms-proxy-init -voms lhcb:/lhcb/sgm

VOMS – now in use on WLCG

LCAS, LCMAPS

Local Centre Authorization Service (LCAS)
- Checks if the user is authorized (looking at the gridmap file)
- Checks if the user is banned by the VO (CRL)
- Checks if the site accepts jobs in the time window in which the user wants to access it

Local Credential Mapping Service (LCMAPS)
- Maps grid credentials to local credentials (e.g. UNIX uid/gid, AFS tokens, etc.): local fabric resources do not have any notion of a grid user
- Recent versions use VOMS-aware plug-ins that map the VOMS groups and roles presented by the user via FQANs according to the group-mapfile
- It uses the old grid-mapfile mechanism (based only on the certificate subject) as a fall-back solution (whenever the FQAN is not found in the list of valid ones) or in certain Grid Services like SEs.

group-mapfile:
    "/VO=cms/GROUP=/cms" .cms
    "/VO=cms/GROUP=/cms/prod" .cmsprod
    "/VO=cms/GROUP=/cms/prod/ROLE=manager" .cmsprodman
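The mapping step of the two slides above (the grid-mapfile of the VO slide and the FQAN group-mapfile with grid-mapfile fall-back of this one) as a small LCMAPS-style mapper. This is an added example, not code from the slides or from LCMAPS; it assumes that a leading "." in the account column names a pool whose members are numbered prefix001, prefix002 and so on, that an in-memory dict stands in for the gridmapdir lease store, and that FQANs are passed in the "/VO=.../GROUP=.../ROLE=..." form the slide's group-mapfile uses. The sample files are constructed from the slide's entries.

```python
"""Added example (not from the slides): LCMAPS-style mapping of a grid
identity to a local account, using the group-mapfile and grid-mapfile
formats shown on the slides. Assumptions: a leading '.' names a pool of
accounts <prefix>001, 002, ...; a dict stands in for the gridmapdir lease
store; FQANs use the '/VO=.../GROUP=.../ROLE=...' form of the slide's
group-mapfile. The two sample files below are constructed."""
import re
LINE = re.compile(r'^"(?P<key>[^"]+)"\s+(?P<acct>\S+)$')

def parse_mapfile(text):
    """[(key, account)]: key is a DN (grid-mapfile) or an FQAN (group-mapfile)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, blanks
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"malformed mapfile line: {raw!r}")
        entries.append((m["key"], m["acct"]))
    return entries

class Mapper:
    def __init__(self, group_mapfile, grid_mapfile):
        self.groups = dict(parse_mapfile(group_mapfile))
        self.grid = dict(parse_mapfile(grid_mapfile))
        self.leases = {}                             # (pool, dn) -> account

    def _resolve(self, acct, dn):
        if not acct.startswith("."):
            return acct                              # fixed account, e.g. lhcbsgm
        if (acct, dn) not in self.leases:            # allocate next free pool slot
            taken = {a for (p, _), a in self.leases.items() if p == acct}
            n = 1
            while f"{acct[1:]}{n:03d}" in taken:
                n += 1
            self.leases[(acct, dn)] = f"{acct[1:]}{n:03d}"
        return self.leases[(acct, dn)]

    def map_user(self, dn, fqans=()):
        """First matching FQAN wins (primary FQAN first); with no FQAN match,
        fall back to the subject-only grid-mapfile. None means not mapped."""
        for fqan in fqans:
            if fqan in self.groups:
                return self._resolve(self.groups[fqan], dn)
        if dn in self.grid:
            return self._resolve(self.grid[dn], dn)
        return None

GROUP_MAPFILE = '''"/VO=cms/GROUP=/cms" .cms
"/VO=cms/GROUP=/cms/prod" .cmsprod
"/VO=cms/GROUP=/cms/prod/ROLE=manager" .cmsprodman'''
GRID_MAPFILE = '''"/C=CH/O=CERN/OU=GRID/CN=Andrea Sciaba 8968" .cms
"/C=CH/O=CERN/OU=GRID/CN=Roberto Santinelli 7735" lhcbsgm'''
```

A second user presenting the same manager FQAN gets the next pool slot, and a DN whose FQANs match nothing but whose subject is in the grid-mapfile is mapped through the fall-back path.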

GSI environment variables

User certificate files:
- Certificate: X509_USER_CERT (default: $HOME/.globus/usercert.pem)
- Private key: X509_USER_KEY (default: $HOME/.globus/userkey.pem)
- Proxy: X509_USER_PROXY (default: /tmp/x509up_u)

Host certificate files:
- Certificate: X509_HOST_CERT (default: /etc/grid-security/hostcert.pem)
- Private key: X509_HOST_KEY (default: /etc/grid-security/hostkey.pem)

Trusted certification authority certificates:
- X509_CERT_DIR (default: /etc/grid-security/certificates)

Location of the grid-mapfile:
- GRIDMAP (default: /etc/grid-security/grid-mapfile)
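Resolving these variables to actual file locations and then applying the rule from the GSI slide that the proxy file must be readable only by its owner, as an added example (not code from the slides or from Globus). It assumes the user proxy default is /tmp/x509up_u followed by the numeric uid, since the slide shows that path truncated, and it is written for POSIX hosts; the demo file it checks is constructed.

```python
"""Added example (not from the slides): resolve GSI credential locations
from the environment variables listed on the slide, then apply the rule
from the proxy slide that the proxy/key file must be readable only by
its owner. Assumption: the user proxy default is /tmp/x509up_u followed
by the numeric uid (the slide shows the path truncated); POSIX only.
"""
import os
import stat
import tempfile

def credential_paths(env, home, uid):
    """Effective file locations: environment overrides, slide defaults otherwise."""
    return {
        "user_cert": env.get("X509_USER_CERT", f"{home}/.globus/usercert.pem"),
        "user_key": env.get("X509_USER_KEY", f"{home}/.globus/userkey.pem"),
        "user_proxy": env.get("X509_USER_PROXY", f"/tmp/x509up_u{uid}"),
        "host_cert": env.get("X509_HOST_CERT", "/etc/grid-security/hostcert.pem"),
        "host_key": env.get("X509_HOST_KEY", "/etc/grid-security/hostkey.pem"),
        "cert_dir": env.get("X509_CERT_DIR", "/etc/grid-security/certificates"),
        "gridmap": env.get("GRIDMAP", "/etc/grid-security/grid-mapfile"),
    }

def private_file_ok(path, uid=None):
    """True iff path is a regular file owned by uid (default: the calling
    user) with no group/other permission bits, i.e. mode 0600 or 0400."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    owner = os.getuid() if uid is None else uid
    if not stat.S_ISREG(st.st_mode) or st.st_uid != owner:
        return False
    return st.st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def demo_permission_check():
    """Constructed demo: the same proxy file at mode 0644, then at 0600.
    Returns (accepted_at_0644, accepted_at_0600)."""
    with tempfile.TemporaryDirectory() as d:
        proxy = os.path.join(d, "x509up_u_demo")
        with open(proxy, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n(constructed)\n")
        os.chmod(proxy, 0o644)
        loose = private_file_ok(proxy)
        os.chmod(proxy, 0o600)
        strict = private_file_ok(proxy)
    return loose, strict
```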

Command line interface: certificate and proxy management

- Get information on a user certificate: grid-cert-info [-help] [-file certfile] [OPTION]...
- Create a proxy certificate: grid-proxy-init
- Destroy a proxy certificate: grid-proxy-destroy
- Get information on a proxy certificate: grid-proxy-info
- Create a VOMS proxy with the LHCb production group as primary group and the Role lcgadmin: voms-proxy-init -voms lhcb:/lhcb/lcgprod/ROLE=lcgadmin
- Retrieve information from a VOMS proxy: voms-proxy-info -all

Long term proxy: myproxy

- A proxy has a limited lifetime (default is 12 h)
  - It is a bad idea to have a longer proxy
- However, a grid task might need to use a proxy for a much longer time
  - Grid jobs in HEP Data Challenges on LCG last up to 2 days
- myproxy server: allows one to create and store a long-term proxy certificate:
  - myproxy-init -s <hostname> (-s specifies the hostname of the myproxy server)
  - myproxy-info: get information about the stored long-lived proxy
  - myproxy-get-delegation: get a new proxy from the MyProxy server
  - myproxy-destroy
- A service running continuously can automatically renew a proxy created from the long-term proxy and use it to interact with the Grid
  - Examples: automatic job dispatchers (RB, DIRAC, gLite WMS) or data movers (FTS)