Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, 12-15 May 2003.

Slides:



Advertisements
Similar presentations
Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.
Advertisements

WP2: Data Management Gavin McCance University of Glasgow November 5, 2001.
29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder
Data Management Expert Panel - WP2. WP2 Overview.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
MyProxy: A Multi-Purpose Grid Authentication Service
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
DataGrid is a project funded by the European Union EDG Conference Barcelona 2003 – Title – n° 1 VOMS and LCMAPS on Global Permissions and Local Credentials.
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and.
Security Mechanisms The European DataGrid Project Team
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester.
EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,
EGEE is a project funded by the European Union under contract IST Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10.
DataGrid is a project funded by the European Union EDG Conference Barcelona 2003 – Title – n° 1 VOMS and LCMAPS on Global Permissions and Local Credentials.
23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK
EDG Security European DataGrid Project Security Coordination Group
Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.
Ákos FROHNER – DataGrid Security n° 1 Security Group D7.6 Design Ideas
WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.
30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK
Edg-voms-admin European DataGrid Project Security Coordination Group
User VOMS Java C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups, roles, capabilities Authentication Certificate Authorities.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.
23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK
INFSO-RI Enabling Grids for E-sciencE Installing a gLite VOMS Server Giuseppe La Rocca INFN EGEE Tutorial Rome November 2005.
EGEE is a project funded by the European Union under contract IST Gap Analysis JRA3 12/7/2015
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
Andrew McNab - EDG Access Control - 4 Dec 2002 EDG Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of.
DGC Paris WP2 Summary of Discussions and Plans Peter Z. Kunszt And the WP2 team.
Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.
OSG AuthZ components Dane Skow Gabriele Carcassi.
INFSO-RI Enabling Grids for E-sciencE Installing a gLite VOMS server Joachim Flammer Integration Team, CERN EMBRACE Tutorial, Clermont-Ferrand.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
February, TRANSCEND SHIRO-CAS INTEGRATION ANALYSIS.
Andrew McNab - EDG Access Control - 17 Jun 2003 EU DataGrid and GridPP Authorization and Access Control Andrew McNab, University of Manchester
Security Middleware 3 June 2004 Security Middleware Current Status – GridSite deployments – Architecture GridPP2 – Web services.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
GRID Security & DIRAC A. Casajus R. Graciani A. Tsaregorodtsev.
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service.
INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
DGC Paris Spitfire A Relational DB Service for the Grid Leanne Guy Peter Z. Kunszt Gavin McCance William Bell European DataGrid Data Management.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.
Gridification progress report David Groep, Oscar Koeroo Wim Som de Cerff, Gerben Venekamp Martijn Steenbakkers.
DataGrid Security Wrapup Linda Cornwall 4 th March 2004.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
WP7: Security Coordination Group (SCG)
R-GMA Security Principles and Plans
Update on EDG Security (VOMS)
Gridification Gatekeeper LCAS: Local Centre AuthZ Service LCAS
The GENIUS Security Services
Presentation transcript:

Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003

Overview of the New Security Model - n° 2 Overview MyProxy user CA certificate: dn, ca, Pkey proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime) TrustManager doit pre-process: parameters-> obj.id + req. op. obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth WebServices Authz dn,attrs,acl, req.op ->yes/no doit auth authz map dn -> DB role TrustManager LCMAPS dn -> userid, krb ticket GSI LCAS dn,attrs,acl, req.op ->yes/no doit auth authz map GSI doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth coarse grained (e.g. Spitfire) coarse grained (e.g. gatekeeper) fine grained (e.g. RepMec) fine grained (e.g. SE, /grid) Java proxy cert mod_ssl doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth C web fine grained (e.g. GridSite) proxy cert VOMS VOMS cred: VO, group(s), role(s) certificate proxy cert delegation: cert+key (long lifetime) delegation: cert+key (short lifetime) re-newal request focus is on VOMS details are in D7.6 Security Design

Overview of the New Security Model - n° 3 User’s Authorization in EDG 1.4.x VO-LDAP user service grid-mapfile authentication info user cert (long life ) proxy cert (short life ) VO-LDAP CA mkgridmap crl update low frequency high frequency host cert (long life ) registration grid-proxy-init

Overview of the New Security Model - n° 4 User’s Authorization in EDG 2.x VO-VOMS user service authentication & authorization info user cert (long life ) VO-VOMS CA low frequency high frequency host cert (long life ) authz cert (short life) service cert (short life) authz cert (short life) proxy cert (short life) voms-proxy-init crl update registration LCAS edg-java-security

Overview of the New Security Model - n° 5 VOMS Overview  Provides info about the user’s relationship with his VO(‘s) n groups, roles (admin, student,...), capabilities (free form string), temporal bounds  Features n single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init); n expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself); n backward compatibility: the extra VO related information is in the user’s proxy certificate, which can be still used with non VOMS-aware services; n multiple VO’s: the user may authenticate himself with multiple VO’s and create an aggregate proxy certificate; n security: all client-server communications are secured and authenticated.

Overview of the New Security Model - n° 6 VOMS Architecture DB JDBC GSI https Tomcat & java-sec axis VOMS impl servlet vomsd Perl CLI Web interface voms-proxy-init mkgridmap DBI https VOMS server soap + SSL MySQL db – with history and audit records  User query server and client (C++)  Java Web Service based administration interface n Perl client (batch processing) n Web browser client (generic administrative tasks)  Web server interface for mkgridmap

Overview of the New Security Model - n° 7 Migration to VOMS VO-LDAPVOMS userservice proxy grid-mapfile voms-ldap-sync grid-proxy-init phase 0. VOMS userservice proxy (voms) grid-mapfile phase 2. VO-LDAPVOMS userservice proxy grid-mapfile voms-ldap-sync grid-proxy-init phase 1. VOMS userservice phase 3. proxy (voms) testing the VOMS serversuser management on VOMS compatibility mode: mixed servicesfully migrated: only VOMS-aware services VO-LDAP grid-proxy-init edg-mkgridmap voms-proxy-init edg-mkgridmap voms-proxy-init

Overview of the New Security Model - n° 8 Auth/Authz in Services  GSI based or compatible authentication  grid-mapfile or VOMS based authorization (can be both)  policy or ACL based access control n coarse and fine grained solutions n access control description’s syntax is not standard  implemented alternatives: n edg-java-security for Java web services n GSI/LCAS/LCMAPS for native C/C++ services n mod_ssl/GACL for Apache based web services n (Slahgrid for transparent filesystem ACLs)

Overview of the New Security Model - n° 9  Local Centre Authorization Service (LCAS) n Handles authorization requests to local fabric s authorization decisions based on proxy user certificate and job specification; s supports grid-mapfile mechanism. n Plug-in framework (hooks for external authorization plugins) s allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db) s plugin for VOMS (to process authorization data)  Local Credential Mapping Service (LCMAPS) n provides local credentials needed for jobs in fabric n mapping based on user identity, VO affiliation, local site policy Local Site Authorization

Overview of the New Security Model - n° 10 edg-java-security  Trust manager n GSI compatible authentication n Adapters to HTTP and SOAP n Currently deployed for Tomcat4  Authorization Manager n Authorization and mapping for Java services n Plug-in framework for maps: database, XML file and for backward compatibility: gridmap-file n Handles VOMS attributes

Overview of the New Security Model - n° 11 TODO  Test the pieces in the Testbeds  Implement the missing pieces and Discarding the unused  Common syntax and semantics for access control configurations  Substitution of VOMS certificates by Attribute Certificates (RFC3281)  Support for time cyclic/bound permissions and roles  Database replication  Use the security model -> get real life use cases

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.