EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks SE Security Rémi Mollon, Ákos Frohner EGEE'08,


Slide 1: SE Security
Rémi Mollon, Ákos Frohner
EGEE'08, Istanbul, September 2008

Slide 2: gLite SE Authorization (outline)
Background: EGEE-II/MJRA1.7: gLite Authorization
VOMS attributes
POSIX file permissions
– Virtual user and group ids
Permissions on spaces
Implementations
– DPM/LFC
– Castor
– dCache
– StoRM

Slide 3: Identity
Identity and group information:
User ID = X509 certificate DN, e.g. /DC=ch/DC=cern/.../CN=652521/CN=Remi Mollon
Groups = VOMS FQANs:
– VOMS group: /biogrid, /biogrid/analysis
– VOMS role: /biogrid/H5N10/Role=production
VOMS generic attributes (key, value pairs) are not used.

Slide 4: gLite SE Authorization – VOMS attributes and POSIX file permissions
(section marker; same outline as slide 2)

Slide 5: Basic permissions
POSIX style file and directory permissions:
– owner = DN of the creator
– group = first VOMS FQAN of the creator
– basic read/write/execute permissions for user/group/others
Exact match: one of the user's DN or VOMS FQANs has to match exactly one of the permission entries on a file.

$ dpns-mkdir /dpm/cern.ch/home/dteam/rmollon
$ dpns-chmod 0755 /dpm/cern.ch/home/dteam/rmollon
$ dpns-getacl /dpm/cern.ch/home/dteam/rmollon
# file: /dpm/cern.ch/home/dteam/rmollon
# owner: /DC=ch/DC=cern/.../CN=Remi Mollon
# group: dteam
user::rwx
group::r-x      #effective:r-x
other::r-x

Slide 6: Access Control List
POSIX access control list (ACL):
– Access ACLs: set permissions for other users and groups
– Default ACLs on directories: they are inherited by each entry created within

$ dpns-setacl -m d:u::rwx,d:g::r-x,d:o:- /dpm/cern.ch/home/dteam/rmollon
$ dpns-setacl -m 'g:biomed:r-x,m:rwx' /dpm/cern.ch/home/dteam/rmollon
$ dpns-setacl -m 'u:/DC=ch/DC=cern/.../CN=Akos Frohner:rwx,m:rwx' /dpm/cern.ch/home/dteam/rmollon
$ dpns-getacl /dpm/cern.ch/home/dteam/rmollon
...
user:/DC=ch/DC=cern/.../CN=Akos Frohner:rwx    #effective:rwx
group:biomed:r-x                               #effective:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::---

Slide 7: Extra details
Set-group behavior:
– Client's FQANs when creating a new file: /dteam
– Directory's group without 'set-gid': /dteam/sam
  New file's group: /dteam – inheriting the client's first FQAN
– Directory's group with 'set-gid': /dteam/sam
  New file's group: /dteam/sam – inheriting the directory's group
Secondary groups: all VOMS attributes are considered
– File's permission: user: /DC=ch/.../CN=Remi Mollon, group: /dteam/sam
– Client's FQANs: /dteam, /dteam/sam, /dteam/sam/Role=...
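The rules of slides 5 to 7 (owner and group assignment, exact matching of DN and FQAN strings, access ACLs with a mask, default ACLs, set-gid group inheritance and secondary groups) can be exercised in a small in-memory model. The following is an added example written for this page, not DPM/LFC code; the `Entry` class, the function names and the third client DN are assumptions, and the directory it builds is constructed to match the `dpns-getacl` output on slides 5 and 6.

```python
# Added example, not from the slides: a minimal model of the DPM/LFC
# authorization rules of slides 5-7. All names are assumptions.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # POSIX permission bits

# Constructed sample identities (DNs abbreviated as on the slides)
REMI = "/DC=ch/DC=cern/.../CN=Remi Mollon"
AKOS = "/DC=ch/DC=cern/.../CN=Akos Frohner"
ANNA = "/DC=ch/DC=cern/.../CN=Anna Example"   # constructed third client


@dataclass
class Entry:
    """One namespace entry with its permission data."""
    path: str
    owner: str                                       # DN of the creator
    group: str                                       # first FQAN of the creator, or inherited
    mode: int                                        # e.g. 0o755
    is_dir: bool = False
    setgid: bool = False
    acl_users: dict = field(default_factory=dict)    # named DN -> bits
    acl_groups: dict = field(default_factory=dict)   # named FQAN -> bits
    mask: int = 7                                    # caps group/named entries (#effective)
    default_acl: dict = field(default_factory=dict)  # "user"/"group"/"other" -> bits


def mode_bits(mode: int, who: str) -> int:
    return (mode >> {"user": 6, "group": 3, "other": 0}[who]) & 7


def check_access(e: Entry, dn: str, fqans: list, want: int) -> bool:
    """POSIX ACL algorithm with exact string matching: '/dteam/sam' does not
    match an entry for 'dteam'. Every FQAN of the client is tried (secondary
    groups); the first matching group entry that grants `want` wins, and a
    matching entry that does not grant it denies access (no fall-through to
    'other')."""
    if dn == e.owner:
        return mode_bits(e.mode, "user") & want == want
    if dn in e.acl_users:
        return e.acl_users[dn] & e.mask & want == want
    group_matched = False
    for f in fqans:
        if f == e.group:
            group_matched = True
            if mode_bits(e.mode, "group") & e.mask & want == want:
                return True
        if f in e.acl_groups:
            group_matched = True
            if e.acl_groups[f] & e.mask & want == want:
                return True
    if group_matched:
        return False
    return mode_bits(e.mode, "other") & want == want


def create_entry(parent: Entry, name: str, dn: str, fqans: list,
                 is_dir: bool = False, mode: int = 0o664) -> Entry:
    """Creation rules: owner = creator DN; group = the directory's group if the
    directory is set-gid, else the creator's first FQAN; the parent's default
    ACL is ANDed into the requested mode and, for directories, inherited."""
    group = parent.group if parent.setgid else fqans[0]
    child = Entry(f"{parent.path}/{name}", dn, group, mode, is_dir,
                  setgid=parent.setgid and is_dir)
    if parent.default_acl:
        d = parent.default_acl
        child.mode = mode & ((d["user"] << 6) | (d["group"] << 3) | d["other"])
        if is_dir:
            child.default_acl = dict(d)
    return child


def slide_example() -> Entry:
    """The directory of slides 5 and 6 (constructed to match the getacl output)."""
    return Entry("/dpm/cern.ch/home/dteam/rmollon", REMI, "dteam", 0o755,
                 is_dir=True, acl_users={AKOS: R | W | X},
                 acl_groups={"biomed": R | X}, mask=R | W | X,
                 default_acl={"user": R | W | X, "group": R | X, "other": 0})


if __name__ == "__main__":
    d = slide_example()
    print(check_access(d, ANNA, ["biomed"], W))          # False: biomed is r-x
    sam = Entry(d.path + "/sam", REMI, "dteam/sam", 0o775, is_dir=True, setgid=True)
    print(create_entry(sam, "f", ANNA, ["dteam", "dteam/sam"]).group)  # dteam/sam
```

Lowering the mask to `R | X` makes the named user entry for Akos Frohner effectively `r-x`, which is the `#effective` column of the slide; a client whose only FQAN is `dteam/sam` falls through to the `other` bits on this directory because the group entry is for `dteam` exactly.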

Slide 8: Space protection
Space definition: logical view of an online storage area, orthogonal to the namespace, characterized by storage attributes (i.e. disk/tape, guaranteed size, owner).
Access control eventually foreseen:
– Owner: DN; ACL entities: VOMS FQANs/DNs
– Operations: release, update, read-from, write-to, stage-to, replicate-from, purge-from, modify-acl, query
Still under discussion:
– Secondary groups (i.e. all client FQANs are used for authz.)
– Negative ACL (i.e. /dteam/sam, except /.../CN=Remi Mollon)
– Wild card matching (i.e. /dteam/prod*)
Use case: tape recall by a production manager to a VO space.

Slide 9: Pool selection
Pool selection when creating a new file in the SE:
– exact match based on the first FQAN
– match a pool with enough space
– otherwise match with the generic pool
[Figure: an SE with the pools /dteam, /dteam/Group=Production and (generic), and three clients with the FQAN lists `/dteam, /dteam/Group=Production`, `/dteam/Group=Production, /dteam` and `/biomed`.]
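The selection order on this slide, written out as a function with the three client cases of the figure. This is an added example for this page, not DPM code; the pool names, free sizes and the `select_pool` signature are constructed, and the function also reports which rule fired and refuses the write when no pool has enough space, a case the figure does not show.

```python
# Added example, not from the slides: the pool-selection rule of slide 9.
# Pool names and sizes are constructed.
GB = 1024 ** 3

# (pool name, FQAN the pool is reserved for, None = generic pool, free bytes)
POOLS = [
    ("prod_pool", "/dteam/Group=Production", 10 * GB),
    ("dteam_pool", "/dteam", 1 * GB),
    ("generic_pool", None, 5 * GB),
]


def select_pool(pools, client_fqans, size):
    """Return (pool name, rule) or (None, reason).

    Only the client's FIRST FQAN is used for the exact match, so the order of
    the FQANs in the proxy decides which reserved pool is considered; the
    remaining FQANs do not open other pools. A reserved pool that is too
    small is skipped and the request falls back to the generic pool."""
    first = client_fqans[0] if client_fqans else None
    if first is not None:
        for name, group, free in pools:
            if group == first and free >= size:
                return name, "exact match on first FQAN"
    for name, group, free in pools:
        if group is None and free >= size:
            return name, "generic pool"
    return None, "refused: no pool with enough free space"


if __name__ == "__main__":
    for fqans in (["/dteam", "/dteam/Group=Production"],
                  ["/dteam/Group=Production", "/dteam"],
                  ["/biomed"]):
        print(fqans, "->", select_pool(POOLS, fqans, 2 * GB))
```

With the constructed sizes the second client lands in the production pool while the first, whose primary FQAN is `/dteam`, is sent to the generic pool because the `/dteam` pool has only 1 GB free.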

Slide 10: SE Implementations
(section marker; same outline as slide 2: DPM/LFC, Castor, dCache, StoRM)

Slide 11: DPM/LFC (see the examples before)
X509 (or Kerberos 5) based authentication
Support for secondary groups on files
gridmap-file: if the client does not have a VOMS AC, the VO/group is determined via an SE specific gridmap-file
Space permission:
– write permission for a single group (i.e. VOMS FQAN)
– list of groups, with secondary group support, in the next release

Slide 12: DPM/LFC: virtual uid and gid
[Figure: the client DN /DC=ch/DC=cern/.../CN=Remi Mollon reaches the DPNS daemon, which consults the DPNS DB: "Does this DN exist in Cns_userinfo? No -> create it!" and "Does this FQAN exist in Cns_groupinfo? No -> create it!". Resulting tables: Cns_userinfo: 101 /DC=ch/DC=cern/../CN=Remi Mollon; Cns_groupinfo: 103 dteam.]
– no need to create pool accounts
– no need to change the /etc/passwd file
– faster check on ACL than with string/pattern matching on DN/FQAN
– mapping multiple DNs (Krb5 principals) into the same uid

$ voms-proxy-init -voms dteam
$ dpns-ls /dpm/cern.ch/home/dteam/rmollon
drwxr-xr-x /dpm/cern.ch/home/dteam/rmollon
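The mapping of slides 11 and 12 (DN or Kerberos principal to a virtual uid, FQAN to a virtual gid, both created on first sight, several principals sharing one uid, and the gridmap-file fallback for clients without a VOMS AC) as a toy table, followed by the integer-only permission check it enables. This is an added example for this page, not the DPNS implementation; the class and method names, the Kerberos principal, the starting ids and the gridmap entries are constructed (the table names follow the slide).

```python
# Added example, not from the slides: a toy version of the DPM/LFC virtual
# uid/gid mapping of slides 11 and 12. Start values and entries are constructed.
import itertools

REMI = "/DC=ch/DC=cern/.../CN=Remi Mollon"
AKOS = "/DC=ch/DC=cern/.../CN=Akos Frohner"


class VirtualIds:
    """In-memory stand-in for the Cns_userinfo / Cns_groupinfo tables."""

    def __init__(self, gridmap=None, first_uid=101, first_gid=103):
        self.cns_userinfo = {}      # DN or Kerberos principal -> virtual uid
        self.cns_groupinfo = {}     # VOMS FQAN or VO name -> virtual gid
        self._uids = itertools.count(first_uid)
        self._gids = itertools.count(first_gid)
        self.gridmap = gridmap or {}  # DN -> VO, used when there is no VOMS AC

    def uid(self, principal):
        """Create the entry on first sight: no pool account, no /etc/passwd edit."""
        if principal not in self.cns_userinfo:
            self.cns_userinfo[principal] = next(self._uids)
        return self.cns_userinfo[principal]

    def gid(self, fqan):
        if fqan not in self.cns_groupinfo:
            self.cns_groupinfo[fqan] = next(self._gids)
        return self.cns_groupinfo[fqan]

    def alias(self, principal, existing):
        """Map a second DN or Kerberos principal onto an existing user's uid."""
        self.cns_userinfo[principal] = self.uid(existing)

    def map_client(self, dn, fqans):
        """Return (uid, [gids]); the first FQAN is the primary group.
        Without VOMS attributes the VO comes from the SE's gridmap-file."""
        if not fqans:
            vo = self.gridmap.get(dn)
            if vo is None:
                raise PermissionError(f"{dn}: no VOMS AC and not in gridmap-file")
            fqans = [vo]
        return self.uid(dn), [self.gid(f) for f in fqans]


def allowed(uid, gids, file_uid, file_gid, mode, want):
    """Integer comparison that replaces string/pattern matching on DN/FQAN.
    All of the client's gids are checked (secondary groups)."""
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


if __name__ == "__main__":
    ids = VirtualIds(gridmap={REMI: "dteam"})
    print(ids.map_client(REMI, ["dteam"]))     # (101, [103])
    ids.alias("rmollon@EXAMPLE.ORG", REMI)     # constructed Kerberos principal
    print(ids.uid("rmollon@EXAMPLE.ORG"))      # 101
```

Because the mapping is created on first contact, a DN that has never been seen by this SE gets a fresh uid even if its VO is unknown; the only hard failure is a client that carries no VOMS attributes and is absent from the gridmap-file.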

Slide 13: Castor specialties
Client authn/authz is the primary goal
– back-end services are in a controlled environment, so authn/authz of administrative actions comes later
X509 or Kerberos 5
– every CERN user has a Kerberos principal
– Kerberos 5 is faster than X509
Virtual UID/GID – not yet
– the stager scheduler requires a real uid/gid
– every internal user is already in the CERN user DB
Secondary groups – not yet
– passing secondary group information needs a lot of changes
– How to add secondary group information in Kerberos?

Slide 14: Castor Authentication
[Figure: principal/username, DN and VOMS FQANs are mapped to a uid and gid(s).]
stager, CNS and rfio currently use uid/gid authn
– first goal is to improve this authentication
SRM and GridFTP use X509 with pool accounts
– effective permissions are at group level
– goal is to map individual DNs into individual uids
– shortcut: the CERN DN contains the username

Slide 15: Castor Authorization
Name Service
– current authorization is by POSIX uid/gid numbers
– mapping from Kerberos and X509 to uid/gid(s) solves the problem
– non-CERN users are problematic...
Stager and SRM
– check the file permissions in the name service
– store the uid/gid(s) with the request
I/O protocols (rfio, gridftp)
– one-time services are started for each request
– requests are granted with a one-time token
– the authenticated and mapped uid/gid is compared with the one in the request too
xrootd
– authz. in the redirector, granted as a one-time token

Slide 16: StoRM
X509 based authentication
– Mapping DN and VOMS FQANs to uid/gids via LCMAPS
– Uses system uid/gid
File permissions using the underlying file system
– Just-in-time: temporary ACL for the time of the access (SRM request)
– Ahead-of-time: ACL in the file system according to the authorization policy, when the file is created
– Any local file system with ACL support
Can apply a set of ACL entries on new files
– Authorization policy is configurable at system level
Space permissions
– Per VO access for a storage area
– Planned: flexible per user/group permissions

Slide 17: dCache
Supported authentication methods:
– X509
– Kerberos 5
– SAML based grid VO role mapping
– GUMS
VOMS support considering the first FQAN
Implementation via virtual uid/gid
Work in progress (for the 1.9.x series):
– NFS 4.1 style ACL, including set-group directory and default ACL
– Permission on spaces
– Secondary groups

Slide 18: Further reading
EGEE-II/MJRA1.7: gLite Authorization, https://edms.cern.ch/document/887174/1
Topics covered: VOMS attributes; POSIX file permissions and virtual user and group ids; permissions on spaces; implementations (DPM/LFC, Castor, dCache, StoRM).