David Groep, Summary of Security Workshop - DataGRID WP4 workshop

Slide 1: DataGrid Security WS Summary
Targets:
– Identify requirements from WPs
– Define security services/components for M9
– How to handle security in the future
– Listen to what is happening elsewhere
Slide 2: Issues for WP1
Use GSI
– job submission to LRMS
– between community scheduler and Condor-G
– between user and scheduler (but may also be a web portal based on 'plain' PKI)
Credentials should be valid for a long time (days or weeks)
– for re-submission and while waiting for a cluster
– might use MyProxy service (operates like a 'quasi CA')
Information needed (from WP4)
– which clusters may be used (M9: publishing grid-mapfiles in GIS?)
– (aggregate or approx.) accounting needed for scheduling policy (possibly not needed for M9, later definitely 'yes')
Slide 3: Issues for WP2
Will co-exist with existing uid/gid mechanisms
Replica Manager will get you the files locally and use uid/gids from there
The Replica Manager needs more permissions, but there are only a few
Will need access control on:
– Replica Catalogue
– Replica Manager
– DataMover
– Storage Elements
Problem with all objects in one file (Objectivity)
Slide 4: Issues for WP3
Some of the information is personal → legal requirement to protect:
– Accounting information
– Grid map file
Slide 5: Issues for WP4
See presentation of Lionel for details
Some key points:
– Host certs for nodes (secure logging/auditing/configure) make for O(10^5) host certificates
– Mapping of grid to local credentials may be automatically generated, but persistent uids?
– Should cert or authorization revocation kill the job?
– User ban lists, propagated through DataGrid?
– Site regulations: who is liable for a break-in?
– NAT and process access to the outside world
Slide 6: Issues for WP5
WAN access to storage only via Replica Manager
No remote user access from programs; this triggered Ingo, who wants jobs to access object databases and remote CEs and SEs from within a job without specifying anything in the JDL!
Will use uid/gid in local fabric (again)
Can use grid map file but will not manage it (maybe except for Replica Manager entries)
Slide 7: Issues for Applications
Want single sign-on and authentication once
Authorization, accounting and quota per role
– via experiment secretariat for HEP
– people migrate, also physically
Want to apply policies (per role):
– e.g. data not to be copied to the other side for privacy (bio)
Encryption of job submission (biologists are paranoid)
Encryption of data optional
Marking data read-only
QoS commitments and trust (also in the face of local changes)
Light-weight access for O(10^5) biologists
Slide 8: Application status of LHCb MC
Currently 19 different accounts for production
Need manual intervention to get access to resources
Special for current situation:
– web server and servlets to do job submission need write access to local storage
– web server should be accessible
– log job info to htdocs directory in a central place
– long-lived credentials (>72 hrs)
Slide 9: Plans for M9
Authentication
– 1 cert per user, issued by national CA
– host certs also from national CA
– no more Globus certs
– policy checks by CA group
– tools for automatic CA configuration (incl. CRLs)
– no support for K5/K4/AFS
– renewal of credentials needed (MyProxy?)
– light-weight access for BioMed
Slide 10: Plans for M9
Authorization
– GSI more or less OK
– via grid map file
– no group accounts
– groups and roles are required in some way; Globus CAS will not be ready
– access and accounts: via WP management and WP6
Auditing
– auditing must be there
– write to syslog
– need to keep audit trail
Slide 11: Plans for M9
Incident monitoring
– WP6 will (should?) provide the DataGrid CSIRT
Accounting
– shared task of WP4 and WP1
Information services
– secure MDS from Globus (not critical)
– list of allowed clusters needed for scheduling: expose map file??
Slide 12: Plans for M9
Storage
– WAN access to files only by Replica Manager
– experiments (LHCb) want AFS-like access, but that means an experiment software install on worker nodes
– HEP applications want to update remote DBs from within a job
Firewalls and NAT
– ports should preferably be static
Slide 13: Authorization tools
INFN LDAP grid map management
– user and group info in directory, used by local admins to generate the grid map file
– user DNs associated with groups and domains
– OU manager access still a problem (standardization!)
gridmapdir patch to Globus
– works like DHCP leases from account pools
– supports multiple pools or groups
– expiry of leases is challenging!
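The lease mechanism of the gridmapdir approach, as an added illustration that is not Globus or DataGrid code: pool accounts are leased to grid DNs like DHCP addresses, a returning user keeps the same persistent uid, and expiry must not hand an account that still has running jobs to another DN. Pool names, DNs and the lease structure are assumptions constructed for this example.

```python
"""Added example (not Globus or DataGrid code): a gridmapdir-style
allocator that leases pool accounts to grid DNs the way DHCP leases
addresses, so the same user keeps the same local uid while the lease is
live. Pool names, DNs and the lease structure are constructed for this
illustration."""


class PoolMapper:
    def __init__(self, pools, lease_seconds):
        # pools: group -> list of local pool accounts (constructed sample)
        self.pools = {g: list(accts) for g, accts in pools.items()}
        self.lease_seconds = lease_seconds
        self.leases = {}   # dn -> (account, group, expires_at)
        self.busy = set()  # accounts with running jobs; never reassigned

    def map_dn(self, dn, group, now):
        """Return the local account for dn, renewing or creating a lease."""
        lease = self.leases.get(dn)
        if lease and lease[1] == group:
            # the account stays mapped to this DN until expire() reclaims
            # it, so a returning user keeps the persistent uid: renew
            self.leases[dn] = (lease[0], group, now + self.lease_seconds)
            return lease[0]
        if lease:
            del self.leases[dn]  # group changed: release the old mapping
        in_use = {acct for acct, _, _ in self.leases.values()}
        for acct in self.pools.get(group, []):
            if acct not in in_use and acct not in self.busy:
                self.leases[dn] = (acct, group, now + self.lease_seconds)
                return acct
        raise RuntimeError(f"pool {group!r} exhausted")

    def expire(self, now):
        """Reclaim expired leases. This is where the difficulty lies: an
        account whose jobs are still running must not be handed to another
        DN, so busy accounts are kept even after their lease has expired."""
        reclaimed = []
        for dn, (acct, _, exp) in list(self.leases.items()):
            if exp <= now and acct not in self.busy:
                del self.leases[dn]
                reclaimed.append(acct)
        return reclaimed
```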
Slide 14: Agreed Long Term Statements
Local control should always be retained
Authorization and its revocation is the key problem
A policy language is needed
– including conditional authorization, e.g. from 9am-5pm
Accounting and auditing infrastructure needed
Aware of firewalls & NAT and of attack risks
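How conditional authorization and revocation fit together, as an added example (not a DataGrid deliverable): site-local rules with an optional time window such as 9am-5pm, default deny, and a revocation set consulted on every decision so that revoking a DN takes effect at the next check rather than at credential expiry. The rule format, DNs, groups and resource names are assumptions constructed for this illustration.

```python
"""Added example (not a DataGrid deliverable): a minimal policy check
with conditional (time-window) rules and per-decision revocation.
Rule format, DNs and resource names are constructed for illustration."""
from datetime import datetime

# constructed sample policy: (group, resource, action, start_hour, end_hour)
RULES = [
    ("cms", "SE-nikhef", "read", None, None),
    ("cms", "SE-nikhef", "write", 9, 17),      # writes only 9am-5pm
    ("biomed", "SE-lyon", "read", None, None),
]
MEMBERS = {"/O=Grid/CN=alice": {"cms"}, "/O=Grid/CN=bob": {"biomed"}}
REVOKED = {"/O=Grid/CN=mallory"}  # constructed sample revocation set


def authorize(dn, resource, action, when, rules=RULES,
              members=MEMBERS, revoked=REVOKED):
    """Return (allowed, reason). Default deny: only an explicit rule whose
    condition holds at time `when` grants access, and revocation overrides
    every rule, so local control is retained on each decision."""
    if dn in revoked:
        return False, "dn revoked"
    reason = "no matching rule"
    for group, res, act, start, end in rules:
        if group not in members.get(dn, ()) or res != resource or act != action:
            continue
        if start is None or start <= when.hour < end:
            return True, f"rule {group}/{res}/{act}"
        # matching rule exists but its time condition fails: keep looking
        reason = f"rule {group}/{res}/{act} outside {start}:00-{end}:00"
    return False, reason


def at(hour):
    """Helper: a constructed timestamp on an arbitrary day at `hour`."""
    return datetime(2001, 6, 1, hour)
```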
Slide 15: AAAARCH Research Task Force
Next Generation AAA Architecture based on a mesh of interconnected AAA servers
RFCs 2903-2906 & drafts
Provide a nice overview of different architectures:
– agent queries service to allow user access
– service pulls info from UHO AAA server
– UHO AAA pushes tokens for user to access service
Working on policy language
Slide 16: Some Open Issues
Do all channels need encryption, or integrity only?
Does the scheduler need authentication itself (does the scheduler have more rights than its end-user)?
Authorization service is a universal problem
– who manages authorization information
– revocation of authorization
– how often do you check this
Scalability
– access permissions on user or group level (which group?)
Slide 17: More Open Issues
Files vs. objects (all data in Objectivity owned by one uid)
DataGrid will not bring more security to insecure solutions
Are jobs to use other services than 'Grid' services? Or: how to prevent this!
Attacks, cracking, DDoS, ...
How to secure the security infrastructure