May 4, 2006Dane Skow Managing (Dis)Honorable Guests -- A Role for Grid Security Dane Skow University of Chicago and Argonne National.

Slides:



Advertisements
Similar presentations
29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Advertisements

Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.
GGF16, Athens AuthZ Interoperability Here and Now Workshop, 16 Feb 2006.
A responsibility based model EDG CA Managers Meeting June 13, 2003.
Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Li Xiong CS573 Data Privacy and Security Access Control.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.
Computer Security and the Grid … or how I learned to stop worrying and love The Grid. Dane Skow Fermilab Computer Security Awareness Day 8 March 2005.
TeraGrid VO Support and Plans for AAA Testbed Dane Skow, Deputy Director TeraGrid University of Chicago / Argonne National Laboratory Internet2 Member.
The EDGI project receives Community research funding 1 EDGI Brings Desktop Grids To Distributed Computing Interoperability Etienne URBAH
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.
G53SEC 1 Access Control principals, objects and their operations.
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
CHEP03 Mar 25Mary Thompson Fine-grained Authorization for Job and Resource Management using Akenti and Globus Mary Thompson LBL,Kate Keahey ANL, Sam Lang.
AN INTEGRATED FRAMEWORK FOR VO-ORIENTED AUTHORIZATION, POLICY-BASED MANAGEMENT AND ACCOUNTING Andrea Caltroni 3, Vincenzo Ciaschini 1, Andrea Ferraro 1,
Virtual Workspaces Kate Keahey Argonne National Laboratory.
Grid Middleware Tutorial / Grid Technologies IntroSlide 1 /14 Grid Technologies Intro Ivan Degtyarenko ivan.degtyarenko dog csc dot fi CSC – The Finnish.
Ákos FROHNER – DataGrid Security n° 1 Security Group D7.6 Design Ideas
Mine Altunay July 30, 2007 Security and Privacy in OSG.
WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.
UNIX System Protection. Unix History Developed by Dennis Ritchie and Ken Thompson at AT&T Bell Labs Adapted some ideas from the Multics project in 1969.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Grid Authorization Landscape and Futures Von Welch NCSA
VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.
Virtual Organization Membership Service eXtension (VOX) Ian Fisk On behalf of the VOX Project Fermilab.
Privilege Management Chapter 22.
Role Based Access Control In oneM2m
Computer Security: Principles and Practice
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
INFSO-RI Enabling Grids for E-sciencE Policy management and fair share in gLite Andrea Guarise HPDC 2006 Paris June 19th, 2006.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
AuthZ WG Conceptual Grid Authorization Framework document Presentation of Chapter 2 GGF8 Seattle June 25th 2003 Document AID 222 draft-ggf-authz-framework pdf.
4P13 Week 5 Talking Points 1. Security Provided by BSD a self-protecting Trusted Computing Base (TCB) spanning kernel and userspace; kernel isolation.
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
Access Control Model SAM-5.
Resource Management in OGSA
OGF PGI – EDGI Security Use Case and Requirements
Protection and Security
Chapter 14: System Protection
Open Science Grid Consortium Meeting
Grid Security.
Global Grid Forum GridForge
R-GMA Security Principles and Plans
Azure Identity Premier Fast Start
A user-friendly approach to grid security
Active Directory Administration
THE STEPS TO MANAGE THE GRID
University of Technology
Update on EDG Security (VOMS)
Chapter 14: Protection.
CE Operating Systems Lecture 21
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
UNIX System Protection
GRUBER: A Grid Resource Usage SLA Broker
Global Grid Forum (GGF) Orientation
Access Control What’s New?
Preventing Privilege Escalation
Access Control and Site Security
NSF Middleware Initiative: GridShib
Presentation transcript:

May 4, 2006Dane Skow Managing (Dis)Honorable Guests -- A Role for Grid Security Dane Skow University of Chicago and Argonne National Laboratory

May 4, 2006Dane Skow Glossary  Identity  A unique identifier for a grid actor.  Most commonly the DN (but implies agreements among CAs)  Authentication (AuthN)  Proof that the requestor is legitimately associated with the identify.  Most commonly possession of the private key  Authorization (AuthZ)  Permission to have the request granted

May 4, 2006Dane Skow Glossary (cont)  Audit (Troubleshooting)  Associating an action with the requests that caused it to happen  May have to survive in the face of attempts to thwart this association  Groups  Collections of identities all of whom have similar characteristics  Roles  A collection of privileges which one wishes to assert  Always within the context of a particular group

May 4, 2006Dane Skow Grid Interoperation Now (GIN)  Begun its work in GGF17 in Athens in February  Approved as GGF Community Group in March Pledged to Contribute Effort:  H. Jin - China Grid  M. Mazzucato - Italian Grid  A. Wu - Taiwan National Grid  W. Gentzsch - D-Grid  R. Davies - APAC  R. Lee - Korean National Grid Intending to Collaborate (testing, use cases, evaluation)  S. Moralis - GridCC  P. Kunszt - Swiss Grid  B. Ugolotti - NEES  T. Sasaki - Japanese HEP Grid  D. Kelsey - GridPP Already Contributing Effort:  C. Catlett – TeraGrid  S. Matsuoka - NAREGI  E. Laure – EGEE  M. Green - OSG  V. Alessandrini - DEISA  P. Arzberger – PRAGMA  N. Geddes- UK NGS  O. Sminova - NorduGrid

May 4, 2006Dane Skow GIN agreements in Security  IGTF Identity space for interoperation  X509 authentication (RFC 3820, 3280)  VOMS proxy transport of group/role authorization

May 4, 2006Dane Skow Defining Roles by Privileges  Roles useful for implementing principle of least privilege  Privilege often expressed as “credit limit”  Hard for RP to implement  Generically privileges have to be individually assigned  Scales as the number of objects (files/directories, jobs)  General grammar difficult  Need a common ontology  Enumeration of the privileges tedious

May 4, 2006Dane Skow Reversing the Problem  What sets of privileges do we implement for a resource ?  Scales as # groups ( * # resources)  User  Common privileges to use a resource (within the permission of the group)  Delegated User (user privileges but restricted to a single context/resource)  Would this be useful ?  Can it be defined with current technology ? (e.g. no ability to delegate ?)

May 4, 2006Dane Skow Resource Admin Roles  Group Resource Administrator  Privilege to reassign resource within the group  Resource Administrator  Full privileges to administer the resource  (should we have this ? Equiv. “root”)

May 4, 2006Dane Skow Authorization  Use Lease concept  privilege management outsourced to the lessee.  “night desk” just checks the guest list  Resource provider must retain ability to “change the locks” if lease is breached.

May 4, 2006Dane Skow In Teragrid:  Project PIs  have ability to add/remove users to their project (VO)  Ability to request additional resources  Project members  Ability to make requests against the project quotas  May request information about remaining quota  Grid Developers  Act either as Project PIs or members

May 4, 2006Dane Skow Teragrid Roles (cont’d)  Resource administrators  Typically don’t use grid interfaces other than to test  Grid administrators  Ability to monitor resource usage  User Support  Ability to reproduce reported errors

May 4, 2006Dane Skow Compute  User  Submit jobs drawing on group resources  Protection of local execution environment from other user jobs  Ability to act upon ones own job (stop, kill, reorder, restart,..)  Group Code Admin  Ability to configure the Group software base (service instances)  Group Resource Admin  User +  Ability to act upon any jobs authorized by the group  Configure the group execution environment  Resource Administrator  Is this needed ? Local methods only ?

May 4, 2006Dane Skow Data  Take parallel from Unix filesystem permissions  Owner, Group, World  Base permission set  Read  Write  Change permissions  Delete (a subset of write ?)  List  Execute

May 4, 2006Dane Skow Data Roles  User  Read from group spaces  Full control of user’s own files  Group Data Admin  Full control of all group spaces  Resource Admin

May 4, 2006Dane Skow Hierarchy of Scope  Subgroups within groups. Grids containing groups  Roles throughout VO, grid, resource

May 4, 2006Dane Skow Dishonorable Guests  Who Does the enforcement ?  RP  Have to distribute ACL admin  VO  Have to identify authority decisions

May 4, 2006Dane Skow Open items  How are VOMS registered/namespace ?  What protection needed for execution environment ?  May jobs be multiplexed onto single UID (exposure of credentials, etc.) ?  How should we express/implement priority ?

May 4, 2006Dane Skow VOMS expression  Formal definition of the protocol now a GGF draft.  Is there a need for roles restricted to a single resource ?  Are roles merely another form of subgroup ? Do we need them ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.