Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.


E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci INFN (Italy) EELA-2 First Conference Bogota, Colombia

Bogota, EELA-2 Conference, Outline
– The Insider Abuse Problem
– The Secure Storage Service for the gLite Middleware:
  – Main Functionalities
  – Data Access Policy based on VOMS attributes

Insider Abuse: Problem
A grid user could store sensitive data in Storage Elements managed by external organizations. Storage Element administrators could access those data (but the data are sensitive!). For this reason data MUST be stored in an encrypted format. Data encryption/decryption MUST be performed inside the user's secure environment (for example inside the user's organization).

Insider Abuse: A Solution
[Diagram: the USER and the Key Repository sit inside the (VIRTUAL) ORGANIZATION, marked as the SECURE ENVIRONMENT; File Encryption/Decryption with the Key happens there, and only the Encrypted File is exchanged with the SE.]

The Secure Storage service
Provides gLite users with suitable and simple tools to store confidential data in storage elements in a transparent and secure way. The service is composed of the following components:
– Command Line Applications: commands integrated in the gLite User Interface to encrypt/upload and decrypt/download files.
– Application Program Interface: allows the developer to write programs able to manage confidential data.
– Keystore: a new grid element used to store and retrieve the users' keys. It is identified by a host X.509 digital certificate and all its Grid transactions are mutually authenticated and encrypted according to the GSI model.

Command Line Applications and API
Secure Storage provides a new set of commands and API on the gLite User Interface:
– Like the lcg-utils commands and API, but they work on encrypted data.
– The encryption and decryption processes are transparent to the user.
These commands and API allow the user to perform the main Data Management operations:
– lcg-scr: copy data/files to Storage Elements
– lcg-scp: read data/files from Storage Elements
– lcg-sdel: delete data/files on Storage Elements
– …
API like GFAL (encrypt and decrypt blocks of data):
– allows developers to work with encrypted remote files as if they were local files in clear format.

lcg-scr: Encryption and Storage
[Diagram: over a GSI AUTHENTICATED CHANNEL the owner (OWNER DN) sends the key to the Keystore together with its ACL (DN1, DN2, FQAN1, FQAN2, …). Access authorized to: DN1, DN2, FQAN1, FQAN2, …]
A FQAN authorized to access the file can represent a whole VO, a VO group, etc.

lcg-scp: Retrieval and Decryption
[Diagram: the user asks the Keystore for the key over a GSI AUTHENTICATED CHANNEL; the key's ACL lists OWNER DN, DN1, DN2, FQAN1, FQAN2, …]
The Keystore provides users with the key only if the user's DN or one of the VOMS attributes included in his proxy matches one entry of the ACL.

The Keystore (1)
The Keystore is a new grid element used to store and retrieve the users' keys in a secure way. The Keystore:
– is identified by a host X.509 digital certificate;
– has all its Grid transactions mutually authenticated and encrypted, as required by the GSI model;
– should be placed in a trusted domain and should be appropriately protected from undesired connections;
– is a black box with a single interface towards the external world. This interface accepts only GSI authenticated connections.

The Keystore (2)
Authorization process performed by the Keystore when the user requests a key through a mutually authenticated and encrypted channel (according to the GSI infrastructure):
– the Keystore extracts the user's DN and VOMS extension from the user's X.509 proxy certificate;
– the Keystore checks whether the client is a member of the enabled users list and/or belongs to an enabled Virtual Organization or to a specific Virtual Organization Group. The request is discarded in all other cases;
– the Keystore checks whether the user's DN or one of the VOMS attributes matches one of the entries of the ACL associated with the requested key. If the user is authorized, the Keystore provides the key; otherwise the request is discarded.
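The two checks above (enabled-client check, then ACL match on DN or VOMS FQAN), and the lcg-scr/lcg-scp ACL slides, modelled as an added example; this is not the Secure Storage Service's own code. The matching rule for FQANs (an ACL entry naming a VO or VO group covers that group and its subgroups, a Role in the entry must be held by the user) and all DNs and VO names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

def parse_fqan(fqan):
    """Split a VOMS FQAN such as "/eela/medical/Role=admin/Capability=NULL"
    into its group path ("/eela/medical") and role (None when NULL/absent)."""
    parts = [p for p in fqan.split("/") if p]
    path = "/" + "/".join(p for p in parts if "=" not in p)
    role = None
    for p in parts:
        if p.startswith("Role=") and p != "Role=NULL":
            role = p[len("Role="):]
    return path, role

def fqan_matches(acl_entry, user_fqan):
    """Assumed rule (the slides do not spell it out): an ACL entry naming a VO
    or VO group covers that group and all its subgroups; a role named in the
    entry must be held by the user."""
    entry_path, entry_role = parse_fqan(acl_entry)
    user_path, user_role = parse_fqan(user_fqan)
    in_group = user_path == entry_path or user_path.startswith(entry_path + "/")
    return in_group and (entry_role is None or entry_role == user_role)

@dataclass
class KeystorePolicy:          # who may talk to the Keystore at all (check 2)
    enabled_dns: set = field(default_factory=set)
    enabled_fqans: set = field(default_factory=set)  # whole VOs or VO groups

@dataclass
class KeyAcl:                  # per-key ACL stored by lcg-scr (check 3)
    dns: set = field(default_factory=set)
    fqans: list = field(default_factory=list)

def keystore_decision(policy, acl, user_dn, user_fqans):
    """Return (authorized, reason) following the slide's two checks."""
    enabled = user_dn in policy.enabled_dns or any(
        fqan_matches(e, f) for e in policy.enabled_fqans for f in user_fqans)
    if not enabled:
        return False, "client is not an enabled user and not in an enabled VO/group"
    if user_dn in acl.dns:
        return True, "DN matches ACL"
    for entry in acl.fqans:
        if any(fqan_matches(entry, f) for f in user_fqans):
            return True, "VOMS attribute matches ACL entry " + entry
    return False, "neither DN nor VOMS attributes match the ACL"

# Constructed sample data (not from the page): one enabled VO, one key ACL.
POLICY = KeystorePolicy(enabled_dns={"/C=IT/O=INFN/CN=Owner One"}, enabled_fqans={"/eela"})
ACL = KeyAcl(dns={"/C=IT/O=INFN/CN=Owner One"}, fqans=["/eela/medical"])

if __name__ == "__main__":
    print(keystore_decision(POLICY, ACL, "/C=BR/O=UFCG/CN=User Two",
                            ["/eela/medical/Role=NULL/Capability=NULL"]))
```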

Any questions?