The New Virtual Organization Membership Service (VOMS)


The New Virtual Organization Membership Service (VOMS) Krasimira Kapitanova

Outline
VOMS and why do we care (or do we?)
The problem
The standards
Checkpoint
The bigger problem
Conclusions

Unite and conquer! (what is a VOMS)
Every user of a grid system should be able to identify themselves by presenting the proper authorization credentials. Is that actually feasible?
What do we want from VOMS? Decrease the number of credentials issued by the grid system.
If a user wants to run a job on a grid they should be able to prove that:
they are who they are claiming to be;
they are allowed to perform the task they are trying to perform.
However, it is not really feasible to give personalized authorization credentials to each user:
in a grid environment, VOs tend to be extremely large and change frequently;
sites need to know the users because they must prepare local accounts and eventually apply authorization policies;
it is not scalable to manage them by hand.

… and it looks like this…
We can have both different levels and different roles:
organize users into groups and grant them roles;
also add other general-purpose attributes.

…or like this
1. Client and server mutually authenticate themselves and establish a secure communication channel.
2. The client sends the request to the server.
3. The server checks the correctness of the request and sends back the required info (signed by itself).
4. The client checks the validity of the info received.
5. Steps 1-4 are repeated for every server the client needs to contact.
6. The client creates a proxy certificate with an extension (non-critical) containing all the info received from the contacted VOMS servers. The server is essentially a front end to an RDBMS where all info about the user is kept.
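The six steps above, together with the groups, roles and extra attributes from the previous slide, modelled end to end. This is an added example, not code from the slides or from the VOMS project: the HMAC-SHA256 tag stands in for the X.509 signature a real VOMS server puts on its attribute certificate, the trusted-server table stands in for the server certificates a client and a site hold out of band, and every DN, VO, group, role and key value is constructed sample data. The last function shows what a site should do with the proxy: re-verify each assertion itself rather than trust the client's step-4 check.

```python
"""Model of the VOMS request/issue/verify flow (added example, not VOMS code)."""
import hashlib
import hmac
import json
import time

# Constructed server state. In VOMS the server fronts a relational database of
# VO membership; here that database is an inline dict. The "key" is a stand-in
# for the server's private signing key (real VOMS uses X.509 signatures).
VOMS_SERVERS = {
    "voms.example.org/vo-alpha": {
        "key": b"constructed-key-alpha",
        "members": {
            "/C=XX/O=Example/CN=Alice": {
                "groups": ["/vo-alpha", "/vo-alpha/analysis"],
                "roles": {"/vo-alpha/analysis": ["production"]},
                "attributes": {"email": "alice@example.org"},
            }
        },
    },
    "voms.example.org/vo-beta": {
        "key": b"constructed-key-beta",
        "members": {
            "/C=XX/O=Example/CN=Alice": {"groups": ["/vo-beta"], "roles": {}, "attributes": {}}
        },
    },
}
LIFETIME_SECONDS = 12 * 3600  # constructed validity window for an assertion


def _canonical(payload):
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, payload):
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def voms_issue(server_name, user_dn, now=None):
    """Steps 2-3: the server checks the request and returns a signed assertion."""
    server = VOMS_SERVERS[server_name]
    member = server["members"].get(user_dn)
    if member is None:
        raise PermissionError(f"{user_dn} is not a member of {server_name}")
    now = time.time() if now is None else now
    payload = {
        "issuer": server_name,
        "holder": user_dn,
        "not_before": now,
        "not_after": now + LIFETIME_SECONDS,
        **json.loads(json.dumps(member)),  # deep copy so later tampering never touches the DB
    }
    return {"payload": payload, "signature": _sign(server["key"], payload)}


def verify_assertion(assertion, expected_issuer, expected_holder, now=None):
    """Step 4 (and the site's own check): signature, issuer, holder, validity window."""
    payload = assertion["payload"]
    server = VOMS_SERVERS.get(expected_issuer)  # trust anchor held out of band
    if server is None or payload["issuer"] != expected_issuer:
        raise ValueError("unknown or mismatched issuer")
    if not hmac.compare_digest(assertion["signature"], _sign(server["key"], payload)):
        raise ValueError("bad signature")
    if payload["holder"] != expected_holder:
        raise ValueError("assertion issued to a different holder")
    now = time.time() if now is None else now
    if not payload["not_before"] <= now <= payload["not_after"]:
        raise ValueError("assertion outside its validity window")
    return payload


def build_proxy(user_dn, server_names, now=None):
    """Steps 1-5 for each server, then step 6: a proxy carrying every verified
    assertion in a non-critical extension (mutual TLS authentication is assumed)."""
    assertions = []
    for name in server_names:
        assertion = voms_issue(name, user_dn, now)          # steps 1-3
        verify_assertion(assertion, name, user_dn, now)     # step 4
        assertions.append(assertion)
    return {"subject": user_dn, "extension": {"critical": False, "voms": assertions}}


def resource_authorize(proxy, group, role=None, now=None):
    """Site-side policy: accept the proxy for `group` (and optionally `role`) only
    on the strength of an assertion the site has re-verified itself."""
    for assertion in proxy["extension"]["voms"]:
        try:
            p = verify_assertion(assertion, assertion["payload"]["issuer"], proxy["subject"], now)
        except ValueError:
            continue  # a tampered, foreign or expired assertion is simply not counted
        if group in p["groups"] and (role is None or role in p["roles"].get(group, [])):
            return True
    return False


if __name__ == "__main__":
    alice = "/C=XX/O=Example/CN=Alice"
    proxy = build_proxy(alice, list(VOMS_SERVERS))
    print(json.dumps(proxy["extension"], indent=1))
    print("production in /vo-alpha/analysis:", resource_authorize(proxy, "/vo-alpha/analysis", "production"))
```

Because the extension is marked non-critical, a site that knows nothing about VOMS can still use the proxy for plain authentication, while a VOMS-aware site skips straight to `resource_authorize`; the site must redo the verification rather than trust the client, since the client is exactly the party with an incentive to edit its own attributes.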

The problem
VOMS was developed in 2002. Current grid web-services standards:
WS-Trust (March 2007)
WS-Federation (December 2006)

What do the standards require (Security Token Service)
An STS is a generic service that issues/exchanges security tokens using a common model and set of messages. As such, any web service can, itself, be an STS simply by supporting the [WS-Trust] specification.
One possible function of an STS is to provide digital identities: an Identity Provider (IP). This is a special type of security token service that, at a minimum, performs authentication and can make identity (or origin) claims in issued security tokens. In many cases IP and STS services are interchangeable.

The result

However…
Getting the source code of a VOMS implementation turned out to be an NP-hard problem.

Conclusions and future work
It is reasonable and possible to build a VOMS so that it is compliant with the standards.
It will just require including the necessary security servers (which can conveniently be on the same machine as the VOMS server).
Actually implement the standardized VOMS.

Questions