2001.04.02 / David Groep: Summary of Security Workshop - DataGRID WP4 workshop (DataGrid Security WS Summary)


/ David Groep, Summary of Security Workshop - DataGRID WP4 workshop
Slide 1: DataGrid Security WS Summary
Targets:
- Identify requirements from the WPs
- Define security services/components for M9
- How to handle security in the future
- Listen to what is happening elsewhere

Slide 2: Issues for WP1
- Use GSI
  – for job submission to the LRMS
  – between the community scheduler and Condor-G
  – between user and scheduler (but this may also be a web portal based on `plain' PKI)
- Credentials should be valid for a long time (days or weeks)
  – for re-submission and while waiting for a cluster
  – might use a MyProxy service (operates like a `quasi CA')
- Information needed (from WP4):
  – which clusters may be used (M9: publish the grid-mapfiles in the GIS?)
  – (aggregate or approximate) accounting needed for the scheduling policy (possibly not needed for M9, later definitely `yes')

Slide 3: Issues for WP2
- Will co-exist with the existing uid/gid mechanisms
- The Replica Manager gets you the files locally and uses the uid/gids from there
- The Replica Manager needs more permissions, but only a few are available
- Will need access control on: Replica Catalogue, Replica Manager, DataMover, Storage Elements
- Problem with all objects in one file (Objectivity)

Slide 4: Issues for WP3
- Some of the information is personal → legal requirement to protect it:
  – accounting information
  – grid-mapfile

Slide 5: Issues for WP4
See Lionel's presentation for details. Some key points:
- Host certs for nodes (secure logging/auditing/configuration) make for O(10^5) host certificates
- Mapping of grid to local credentials may be generated automatically, but should uids be persistent?
- Should certificate or authorization revocation kill a running job?
- User ban lists, propagated through DataGrid?
- Site regulations: who is liable for a break-in?
- NAT and process access to the outside world

Slide 6: Issues for WP5
- WAN access to storage only via the Replica Manager
- No remote user access from programs. This triggered Ingo, who wants jobs to access object databases and remote CEs and SEs from within a job, without specifying anything in the JDL!
- Will use uid/gid in the local fabric (again)
- Can use the grid-mapfile but will not manage it (except maybe for the Replica Manager entries)

Slide 7: Issues for Applications
- Want single sign-on: authenticate once
- Authorization, accounting and quota per role
  – via the experiment secretariat for HEP
  – people migrate, also physically
- Want to apply policies (per role):
  – e.g. data not to be copied to another site, for privacy (bio)
- Encryption of job submission (biologists are paranoid)
- Encryption of data optional
- Marking data read-only
- QoS commitments and trust (also in the face of local changes)
- Light-weight access for O(10^5) biologists

Slide 8: Application status of LHCb MC
- Currently 19 different accounts for production
- Manual intervention needed to get access to resources
- Special for the current situation: a web server and servlets do the job submission
  – need write access to local storage
  – the web server should be accessible
  – log job info to an htdocs directory in a central place
- Long-lived credentials (>72 hrs)

Slide 9: Plans for M9: Authentication
- 1 cert per user, issued by a national CA
- Host certs also from the national CA
- No more Globus certs
- Policy checks by the CA group
- Tools for automatic CA configuration (incl. CRLs)
- No support for K5/K4/AFS
- Renewal of credentials needed (MyProxy?)
- Light-weight access for BioMed

Slide 10: Plans for M9: Authorization and Auditing
Authorization:
- GSI more or less OK
- via the grid-mapfile
- no group accounts
- groups and roles are required in some way; Globus CAS will not be ready
- access and accounts: via WP management and WP6
Auditing:
- auditing must be there
- write to syslog
- need to keep the audit trail

Slide 11: Plans for M9: Incident monitoring, Accounting, Information services
Incident monitoring:
- WP6 will (should?) provide the DataGrid CSIRT
Accounting:
- shared task of WP4 and WP1
Information services:
- secure MDS from Globus (not critical)
- list of allowed clusters needed for scheduling: expose the map file??

Slide 12: Plans for M9: Storage, Firewalls and NAT
Storage:
- WAN access to files only by the Replica Manager
- Experiments (LHCb) want AFS-like access, but that means an experiment software install on the worker nodes
- HEP applications want to update remote DBs from within a job
Firewalls and NAT:
- ports should preferably be static

Slide 13: Authorization tools
INFN LDAP grid map management:
- user and group info in a directory, used by local admins to generate the grid-mapfile
- user DNs associated with groups and domains
- OU manager access is still a problem (standardization!)
gridmapdir patch to Globus:
- works like DHCP leases from account pools
- supports multiple pools or groups
- expiry of leases is challenging!
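The grid-mapfile of slide 10 and the gridmapdir pool-account leasing of slide 13 are easiest to understand from a working model. The Python below is an added example written for this page; it is not the gridmapdir patch, the Globus code or the INFN LDAP tooling, and it works on a temporary directory rather than a real site. The mechanism it models is the one the gridmapdir patch is known for: each pool account is an empty file, a lease is a hard link to that file named after the URL-encoded DN, and a link count of 1 means "free". The grid-mapfile contents, the DNs, the pool name "atlas" and the one-hour idle limit are all constructed for the example.

```python
import os
import re
import tempfile
import time
import urllib.parse
from pathlib import Path

# Constructed sample grid-mapfile (not from any real site). An account beginning
# with "." names a pool, as the gridmapdir patch reads it; other entries are static.
SAMPLE_GRID_MAPFILE = '''\
# "distinguished name" local-account[,more-accounts]
"/O=Grid/O=NIKHEF/CN=Example Static User" staticuser
"/O=Grid/O=CERN/CN=Example User One" .atlas
"/O=Grid/O=INFN/CN=Example User Two" .atlas
"/O=Grid/O=INFN/CN=Example User Three" .atlas
'''

LEASE_PREFIX = urllib.parse.quote("/", safe="")  # "%2F": every lease name starts with an encoded "/"

def parse_grid_mapfile(text):
    """Return {dn: account}. A DN may list several accounts; the first is the default."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or line.count('"') < 2:
            raise ValueError("malformed grid-mapfile line: %r" % raw)
        end = line.index('"', 1)
        mapping[line[1:end]] = line[end + 1:].strip().split(",")[0]
    return mapping

def lease_name(dn):
    # The lease file is named after the URL-encoded DN so it is a flat, safe file name.
    return urllib.parse.quote(dn, safe="")

def pool_accounts(gridmapdir, pool):
    pattern = re.compile(re.escape(pool) + r"\d+$")
    return sorted(p for p in Path(gridmapdir).iterdir() if pattern.match(p.name))

def setup_pool(gridmapdir, pool, size):
    """Create one empty file per pool account, e.g. atlas001 .. atlas00N."""
    d = Path(gridmapdir)
    d.mkdir(parents=True, exist_ok=True)
    for i in range(1, size + 1):
        (d / ("%s%03d" % (pool, i))).touch()

def account_for_lease(gridmapdir, lease, pool):
    ino = lease.stat().st_ino                # lease and account share one inode
    for acct in pool_accounts(gridmapdir, pool):
        if acct.stat().st_ino == ino:
            return acct.name
    raise RuntimeError("lease %s is not linked to any %s account" % (lease.name, pool))

def lease_account(gridmapdir, dn, pool):
    """Map dn to a pool account, DHCP-lease style. Returns None when the pool is exhausted."""
    d = Path(gridmapdir)
    lease = d / lease_name(dn)
    if lease.exists():
        os.utime(lease)                      # refresh the lease on every use
        return account_for_lease(d, lease, pool)
    for acct in pool_accounts(d, pool):
        if acct.stat().st_nlink != 1:        # link count 1 means "free"
            continue
        try:
            os.link(acct, lease)             # the hard link is the lease; creation is atomic
        except FileExistsError:              # another gatekeeper mapped this dn meanwhile
            return account_for_lease(d, lease, pool)
        if lease.stat().st_nlink == 2:       # exactly us and the pool file: we won
            os.utime(lease)
            return acct.name
        lease.unlink()                       # two gatekeepers grabbed it at once: back out, try next
    return None

def expire_leases(gridmapdir, max_idle, now=None):
    """Drop leases idle for more than max_idle seconds; return the released DNs.
    This is the hard part the workshop flagged: the released uid may still own running
    processes or files, which must be cleaned up before the account is handed out again."""
    now = time.time() if now is None else now
    released = []
    for f in Path(gridmapdir).iterdir():
        if f.name.startswith(LEASE_PREFIX) and now - f.stat().st_mtime > max_idle:
            released.append(urllib.parse.unquote(f.name))
            f.unlink()
    return released

def demo():
    """Run the whole flow in a throw-away gridmapdir and return what happened."""
    gridmapdir = tempfile.mkdtemp(prefix="gridmapdir-")
    setup_pool(gridmapdir, "atlas", 2)       # a pool of only two accounts
    result = {}
    for dn, account in parse_grid_mapfile(SAMPLE_GRID_MAPFILE).items():
        result[dn] = lease_account(gridmapdir, dn, account[1:]) if account.startswith(".") else account
    result["repeat"] = lease_account(gridmapdir, "/O=Grid/O=CERN/CN=Example User One", "atlas")
    stale = time.time() - 7200               # pretend every lease has been idle for two hours
    for f in Path(gridmapdir).iterdir():
        if f.name.startswith(LEASE_PREFIX):
            os.utime(f, (stale, stale))
    result["expired"] = sorted(expire_leases(gridmapdir, max_idle=3600))
    result["after_expiry"] = lease_account(gridmapdir, "/O=Grid/O=INFN/CN=Example User Three", "atlas")
    return result
```

Calling demo() shows the third pool user being refused while the pool of two is full, the same DN getting the same account on a repeat lookup, and the account becoming available again only after its lease is expired. The link-count check after os.link is what makes this safe against two gatekeepers mapping at the same moment; the expiry step is deliberately dumb about whether the old uid still has processes or files, which is exactly why the slide calls lease expiry challenging.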

Slide 14: Agreed Long Term Statements
- Local control should always be retained
- Authorization and its revocation is the key problem
- A policy language is needed, including conditional authorization (e.g. only from 9am to 5pm)
- Accounting and auditing infrastructure needed
- Be aware of firewalls and NAT, and of attack risks

Slide 15: AAAARCH Research Task Force
- Next Generation AAA Architecture based on a mesh of interconnected AAA servers
- RFCs 2903–2906 and drafts
- Provide a nice overview of the different architectures (the agent, pull and push sequences of RFC 2904):
  – agents query the service to allow user access
  – the service pulls info from the UHO (user home organization) AAA server
  – the UHO AAA pushes tokens for the user to access the service
- Working on a policy language

Slide 16: Some Open Issues
- Do all channels need encryption, or only integrity?
- Does the scheduler need authentication itself (does the scheduler have more rights than its end-user)?
- The authorization service is a universal problem:
  – who manages the authorization information?
  – revocation of authorization
  – how often do you check this?
- Scalability: access permissions on user or group level (which group?)
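Slide 14 asks for a policy language with conditional authorization such as 9am to 5pm access, slide 5 raises propagated ban lists and whether revocation should kill a job, and slide 16 asks how often authorization is re-checked. The Python below is an added example for this page, not a DataGrid or Globus policy language: it is a minimal deny-overrides rule evaluator with DN wildcards, group membership and clock-time windows (including windows that cross midnight), plus a re-check pass over running jobs that returns the ones a site would have to kill. The policy, ban list, DNs, groups and the reference date 2001-04-02 are all constructed for the example.

```python
from datetime import datetime, time as dtime
from fnmatch import fnmatch

# Constructed, illustrative policy: rules are checked in order, any matching deny
# wins over any permit, and the default is deny. Subject patterns are shell-style
# wildcards over the certificate DN. This is not a DataGrid policy language.
POLICY = [
    {"effect": "deny", "subject": "*", "banned_only": True},
    {"effect": "permit", "subject": "/O=Grid/O=CERN/*", "group": "atlas",
     "window": ("09:00", "17:00")},          # office-hours access only
    {"effect": "permit", "subject": "*", "group": "lhcb"},
]

# Constructed ban list, the kind of thing slide 5 wants propagated between sites.
BANLIST = {"/O=Grid/O=INFN/CN=Banned User"}

# Constructed sample of running jobs, as a site's batch system might report them.
RUNNING_JOBS = [
    {"id": "job-1", "dn": "/O=Grid/O=CERN/CN=Example Physicist", "groups": {"atlas"}},
    {"id": "job-2", "dn": "/O=Grid/O=INFN/CN=Example LHCb User", "groups": {"lhcb"}},
]

def at(hour, minute=0):
    """Clock time on the constructed reference date (the workshop's own date)."""
    return datetime(2001, 4, 2, hour, minute)

def parse_hhmm(text):
    hours, minutes = text.split(":")
    return dtime(int(hours), int(minutes))

def in_window(window, when):
    """True when the clock time of `when` is in [start, end); handles windows past midnight."""
    start, end = (parse_hhmm(w) for w in window)
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end             # e.g. ("22:00", "06:00")

def evaluate(policy, banlist, dn, groups, when):
    """Return ("permit" | "deny", reason) for a DN holding `groups` at time `when`."""
    decision, reason = "deny", "no rule permits %s" % dn
    for rule in policy:
        if not fnmatch(dn, rule["subject"]):
            continue
        if rule.get("banned_only") and dn not in banlist:
            continue
        if "group" in rule and rule["group"] not in groups:
            continue
        if "window" in rule and not in_window(rule["window"], when):
            continue
        if rule["effect"] == "deny":
            return "deny", "%s matched a deny rule (banned=%s)" % (dn, dn in banlist)
        decision, reason = "permit", "%s permitted via group %s" % (dn, rule["group"])
        # keep scanning: a later deny rule still overrides this permit
    return decision, reason

def recheck_running_jobs(jobs, policy, banlist, when):
    """Re-evaluate every running job against the current policy and ban list and return
    the ids that are no longer authorized, i.e. the jobs a site would kill if it answers
    slide 5's question with "yes". How often this runs is the open question on slide 16:
    a ban or a closed time window takes effect no faster than the re-check interval."""
    return [job["id"] for job in jobs
            if evaluate(policy, banlist, job["dn"], job["groups"], when)[0] != "permit"]
```

With this policy the CERN atlas user is permitted at 10:00 and denied at 18:00, the banned DN is denied whatever groups it holds, and a re-check at 18:00 flags job-1 while adding the LHCb user's DN to the ban list flags job-2 instead. Deny-overrides with a default of deny is the conservative choice for a site that wants to retain local control, as slide 14 insists.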

Slide 17: More Open Issues
- Files vs. objects (all data in Objectivity is owned by one uid)
- DataGrid will not bring more security to insecure solutions
- Are jobs to use other services than `Grid' services? Or: how to prevent this!
- Attacks, cracking, DDoS, …
- How to secure the security infrastructure