Storage Element Security Jens G Jensen, WP5 Barcelona, 12-16 May 2003.

Contents
  Current Implementation
  File level access control
  User id in Mass Storage

Current implementation
Apache path
  Uses standard Apache with mod_ssl
  …except for a GSI patch…
  …which doesn’t work with all proxies
Web service path
  Uses Tomcat/Axis with Trustmanager plugin

The Copy problem
(SRM)Copy copies a file from one SE to another: Copy('se.rl.ac.uk/moob/bazoink', 'se.cern.ch/fazop')
  – 3rd party copying
  – Creates the file in the target SE
  – Copies ACLs and other relevant metadata
This does not (yet) exist!
Requires delegation
Of course we can steal the user’s proxy. But…

The Apache proxy problem
If the root CA certificate is version 3 and has all the “right” extensions, then mod_ssl never sees the proxy-user-root certificate chain
This is a problem with OpenSSL rather than something that can be fixed in mod_ssl
Solutions…
[Diagram: Application (SE core), Apache, mod_ssl, OpenSSL]

Proxy problem, solutions…
Use Globus GSI libraries?
  – Tricky, must be done in Apache where the socket is handled…?
Rewrite the SSL verify callback?
An “SSL-agent” which, similar to ssh-agent, stores the SSL context in a daemon that runs as the user
  + Can be used with any normal SSL server
  Secure, but need to modify clients (obviously)
  +/- Cannot be forwarded
  - Cannot be used from scripts

File level access control
Need to authorise based on individual files:
  – permission(USER, SFN, operation) → {yes,no}
Currently we use GACL
  – Permissions are {list, read, write, admin}
We have an implementation but it is not yet integrated into the TB2.0 SE (it was written some time ago)

Multiple VOs
Each VO has a separate namespace
Everybody talks to the same port/endpoint
Each user belongs to exactly one VO (pre-VOMS)
The VO membership information is stored in a user profile (not a scalable solution)
This information is usually generated from the gridmap file

A word about VOMS
Bad news: VOMS may take some effort to support
Good news: we expect others to do (most of) this work for us!
If Trustmanager validates the VOMS proxy, the AUZ mgr must parse it and make the information available to the core so the core can perform the authorisation
If GACL handles the remaining tasks then it should be easy…?
[Diagram: TRUST, AUZ mgr (parse only), SE CORE, GACL]

Access and replication
“Proper” model:
  – RM “owns” replicas, delegates permission to users
Current model:
  – RM runs using the user’s credentials, so replicas are owned by that user…
  – What are ACLs on replicas?
Presumably,
  Either RM must replicate ACLs along with the data (OK because users have admin permissions on the files they create)
  Or must use Copy() which automatically copies ACL
However, Copy() doesn’t yet exist – needs delegation

User id in mass storage
“Unfortunately”, users must be able to access files in MSS via non-SE (and non-Grid) paths
This means:
  – MSS specific solutions (StFN, anyone?)
  – SE must run individual handlers as different local user ids (so need setuid root)
  – Local user id is picked from the gridmap pool
  – Group id is default group for the user

setuid root?
A specific setuid wrapper wraps the handler that needs to run as a non-SE local user/group
Wrapper is very small and does not depend on external libs (uses McNab’s gridmap code)
DN is picked from environment! But…
The wrapper refuses to run unless:
  – It is installed in the SE handler directory
  – It is installed using specific names (SE handler naming scheme)
  – It is run by the SE user only
  – SE user has no login shell [can be switched off at compile time]
  – It is run by a daemon [also compile time switch]
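The refusal conditions listed on this slide, written as one fail-closed check. This is an added example, not the EDG wrapper's code: the handler directory, the name prefix, the two "no login" shells and the "no terminal means daemon" test are assumptions, since the slides do not specify them.

```c
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed values: the slides do not name the directory or the naming scheme. */
#define HANDLER_DIR "/opt/se/handlers"  /* hypothetical SE handler directory */
#define NAME_PREFIX "se-handler-"       /* hypothetical handler naming scheme */

struct invocation {
    const char *exe_path;  /* resolved absolute path of the wrapper binary */
    uid_t real_uid;        /* who started the wrapper */
    uid_t se_uid;          /* uid of the SE service account */
    const char *se_shell;  /* login shell recorded for the SE account */
    int has_tty;           /* nonzero if started from a terminal */
};

/* Returns NULL when every precondition holds, otherwise the reason to refuse. */
const char *refusal_reason(const struct invocation *in)
{
    char dir[4096], base[4096];
    if (strlen(in->exe_path) >= sizeof dir)
        return "path too long";
    strcpy(dir, in->exe_path);    /* dirname()/basename() may modify their argument */
    strcpy(base, in->exe_path);
    if (strcmp(dirname(dir), HANDLER_DIR) != 0)
        return "not installed in the SE handler directory";
    if (strncmp(basename(base), NAME_PREFIX, strlen(NAME_PREFIX)) != 0)
        return "name does not follow the handler naming scheme";
    if (in->real_uid != in->se_uid)
        return "not run by the SE user";
    if (strcmp(in->se_shell, "/sbin/nologin") != 0 &&
        strcmp(in->se_shell, "/bin/false") != 0)
        return "SE user has a login shell";
    if (in->has_tty)       /* assumption: a daemon has no terminal attached */
        return "not run by a daemon";
    return NULL;
}

int main(void)
{
    /* Constructed sample: a login shell on the SE account must be refused. */
    struct invocation in = { HANDLER_DIR "/" NAME_PREFIX "stage", 501, 501, "/bin/bash", 0 };
    const char *why = refusal_reason(&in);
    printf("%s\n", why ? why : "ok to run handler");
    return why != NULL;
}
```

Because the DN comes from the environment, these checks are what restrict who can supply it: only the SE daemon, running as the SE account, gets as far as the identity switch.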

setuid root?
When user uploads file to SE’s disk cache they typically write the file as a mapped local user (because the GridFTP server is not integrated into the SE, i.e. it runs as a separate application on the SE host)
So we may need a setuid handler to chown to “se”
How do we protect the SE’s disk cache?
Non-integrated tools can write into cache, or modify files in cache
Filenames in the cache are generally not human readable (guessable); files are generally world readable.

setuid root?
Example from integration with WP2 software:
  Web service runs as user ‘tomcat4’
  SE runs as user ‘se’
This is an integration problem – ideally everything should run as the same user
Quick and dirty fix:
  Set permissions on edg_se_rmanman (common entry point into the core) to 4755: if run with effective uid root it immediately drops root privs by switching all user ids to ‘se’
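A sketch of the "drop root immediately" step described on this slide, showing the order of calls and the verification that makes the drop permanent. It is an added example, not the edg_se_rmanman source; the function name drop_root_to is hypothetical and only the account name 'se' comes from the slide.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch all user and group ids to `user`.
 * Returns 0 on success or when there is no root privilege to drop, -1 on error. */
int drop_root_to(const char *user)
{
    if (geteuid() != 0)
        return 0;                        /* not running setuid root */

    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;                       /* unknown target, or target is root */

    /* Groups first: after setuid() we may no longer change them. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    /* With euid 0, setuid() sets the real, effective and saved uid together. */
    if (setuid(pw->pw_uid) != 0) return -1;

    /* Verify: root must not be recoverable and every id must match. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) return -1;
    return 0;
}

int main(void)
{
    /* "se" is the account named on the slide; abort rather than run as root. */
    if (drop_root_to("se") != 0) {
        fprintf(stderr, "cannot drop privileges, refusing to continue\n");
        return 1;
    }
    printf("running as uid %ld\n", (long)getuid());
    return 0;
}
```

Every return value is checked because a setuid() that fails silently leaves the rest of the program running as root.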

VO production (subgroup) problem
Some people in a VO must have write access to a directory, everybody else in the VO has read-only access.
Gridmap file:
  /PROD1/cmsprod1
  /PROD2/cmsprod2
  /USER1/cms001
  /USER2/cms002
  /USER3/cms003
/etc/passwd:
  cmsprod1 → w
  cmsprod2 → w
  cms001 → r
  cms002 → r
  cms003 → r
Users with a “production DN” get mapped to a “VO” which in turn maps to a local user who has write permission in the MSS. The “normal” VO members get mapped to local read-only users.