DataGrid is a project funded by the European Union
HEPiX Conference, Amsterdam 2003

Grid Security for Site Authorization in EDG: VOMS, Java Security and LCMAPS

David Groep, NIKHEF

EDG Security Coordination:
A. Frohner – CERN
D. Kouril – CESNET
F. Bonnassieux – CNRS
R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, A. Gianoli, F. Spataro – INFN
O. Mulmo – KDC
D.L. Groep, M. Steenbakkers, W. Som de Cerff, O. Koeroo, G. Venekamp – NIKHEF
L. Cornwall, D. Kelsey, J. Jensen – RAL
A. McNab – University of Manchester
P. Broadfoot, G. Lowe – University of Oxford

HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 2

Talk Outline
- Introduction
- Authorization requirements
- VO Membership Service
- Java Security for Hosted Environments
- Native Mechanisms (LCAS, LCMAPS)
- Conclusions

Authentication – only the first step
- The EDG security infrastructure is based on X.509 certificates (PKI)
- Authentication
  - Needs "trusted third parties": 16 national certification authorities
  - Policies and procedures -> mutual trust
  - Users are identified with "identity" certificates signed by a national CA (see also the next talk by Dave Kelsey)
- Authorization
  - Several entities are involved:
    - Resource Providers (e.g. computer centres, storage providers, NRENs)
    - Virtual Organizations (e.g. the LHC experiment collaborations)
  - Authorization for grid users cannot be decided on a local site basis alone

User's Authorization in Globus
[Diagram: the user holds a long-lived user certificate issued by the CA and runs grid-proxy-init (high frequency) to create a short-lived proxy certificate; the service holds a long-lived host certificate, authenticates the proxy and authorizes the user through the grid-mapfile; the CA's CRL is updated at the site at low frequency.]

User's Authorization in EDG 1.4.x
[Diagram: as in Globus, but the user first registers with the VO's VO-LDAP server (low frequency); the site runs mkgridmap against the VO-LDAP servers and updates the CA CRLs (both low frequency) to build the grid-mapfile; grid-proxy-init still creates the short-lived proxy certificate from the long-lived user certificate (high frequency), and the service with its long-lived host certificate authorizes against the grid-mapfile.]

VOMS Overview
- Provides information about the user's relationship with their VO(s):
  - groups, "compulsory" groups, roles (admin, student, ...), capabilities (free-form string), temporal bounds
- Features
  - single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init)
  - expiration time: the authorization information is only valid for a limited period of time (possibly different from the lifetime of the proxy certificate itself)
  - backward compatibility: the extra VO-related information is carried in the user's proxy certificate, which can still be used with non-VOMS-aware services
  - multiple VOs: the user may authenticate with multiple VOs and create an aggregate proxy certificate
  - security: all client-server communications are secured and authenticated

User's Authorization in EDG 2.x
[Diagram: the user registers with the VO's VOMS server (low frequency); voms-proxy-init (high frequency) contacts VO-VOMS and produces a short-lived proxy certificate that carries a short-lived authorization certificate; the service holds a long-lived host certificate (or a short-lived service certificate, itself registered with VOMS and carrying its own authz cert); the service authenticates the user and feeds the authentication and authorization information to LCAS/LCMAPS (native) or edg-java-security (Java); CA CRL updates remain a low-frequency activity.]

Pseudo-Certificate Format

  /C=IT/O=INFN/L=CNAF/CN=Vincenzo        <- user's identity
  /C=IT/O=INFN/CN=INFN CA
  /C=IT/O=INFN/OU=gatekeeper/L=PR        <- server identity
  /C=IT/O=INFN/CN=INFN CA
  VO: CMS                                <- user's info
  URI:
  TIME1: Z
  TIME2: Z
  GROUP: montecarlo
  ROLE: administrator
  CAP: "100 GB disk"
  SIGNATURE: (binary data)

- The pseudo-cert is inserted in a non-critical extension of the user's proxy
- It will become an Attribute Certificate
- One for each VOMS server contacted
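To make the format above concrete, here is an added example (not VOMS code, and not from the slides) that parses this pseudo-certificate layout and applies the checks a relying service needs before it trusts the VO information: the temporal bounds from TIME1/TIME2, the identity of the VOMS server that signed it, and the interaction with the proxy lifetime described in the VOMS overview. The field order (user DN, user CA, server DN, server CA, then KEY: value lines) follows the slide; the timestamp format (YYYYMMDDhhmmssZ, in the style of ASN.1 GeneralizedTime), the URI, the time values, the sample signature and the trusted server DN are assumptions, and signature verification itself is out of scope.

```python
"""Parser and validity check for the VOMS pseudo-certificate shown above.

Added example, not VOMS code. Field order (user DN, user CA, server DN,
server CA, then KEY: value lines) follows the slide; the timestamp format
(YYYYMMDDhhmmssZ, like ASN.1 GeneralizedTime), the URI, the time values and
the trusted server DN are assumptions. SIGNATURE is treated as an opaque blob:
verifying it against the VOMS server certificate is out of scope here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: URI, timestamps and signature are not on the slide.
SAMPLE_PSEUDO_CERT = """\
/C=IT/O=INFN/L=CNAF/CN=Vincenzo
/C=IT/O=INFN/CN=INFN CA
/C=IT/O=INFN/OU=gatekeeper/L=PR
/C=IT/O=INFN/CN=INFN CA
VO: CMS
URI: voms.example.org:15001
TIME1: 20030520100000Z
TIME2: 20030520220000Z
GROUP: montecarlo
ROLE: administrator
CAP: "100 GB disk"
SIGNATURE: <opaque-binary>
"""

def parse_time(s):
    """Assumed GeneralizedTime-style UTC timestamp -> aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

@dataclass
class PseudoCert:
    user_dn: str
    user_ca: str
    server_dn: str
    server_ca: str
    vo: str
    uri: str
    not_before: datetime          # TIME1
    not_after: datetime           # TIME2
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    caps: list = field(default_factory=list)
    signed: bool = False

    def fqans(self):
        """Fully qualified attribute names: /VO/group and /VO/group/Role=role."""
        out = []
        for g in self.groups:
            out.append(f"/{self.vo}/{g}")
            out.extend(f"/{self.vo}/{g}/Role={r}" for r in self.roles)
        return out

def parse_pseudo_cert(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4 or not all(ln.startswith("/") for ln in lines[:4]):
        raise ValueError("expected user DN, user CA, server DN, server CA")
    single, groups, roles, caps, signed = {}, [], [], [], False
    for ln in lines[4:]:
        key, sep, value = ln.partition(":")      # URI values contain ':' too
        key, value = key.strip(), value.strip()
        if not sep:
            raise ValueError(f"malformed line: {ln!r}")
        if key == "GROUP":
            groups.append(value)
        elif key == "ROLE":
            roles.append(value)
        elif key == "CAP":
            caps.append(value.strip('"'))
        elif key == "SIGNATURE":
            signed = bool(value)
        elif key in ("VO", "URI", "TIME1", "TIME2"):
            single[key] = value
        else:
            raise ValueError(f"unknown field {key!r}")   # fail closed
    missing = [k for k in ("VO", "TIME1", "TIME2") if k not in single]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return PseudoCert(*lines[:4], single["VO"], single.get("URI", ""),
                      parse_time(single["TIME1"]), parse_time(single["TIME2"]),
                      groups, roles, caps, signed)

def check_validity(cert, trusted_server_dn, now):
    """Problems that make the VO info unusable; an empty list means accept.
    trusted_server_dn is the VOMS server the site configured for this VO
    (assumed), so a pseudo-cert from another server naming the same VO fails."""
    problems = []
    if not cert.signed:
        problems.append("no signature")
    if cert.server_dn != trusted_server_dn:
        problems.append("server DN does not match the trusted VOMS server")
    if not cert.not_before <= now <= cert.not_after:
        problems.append("outside the TIME1..TIME2 validity window")
    return problems

def effective_expiry(cert, proxy_not_after):
    """Usable lifetime is the shorter of the proxy and the VO information."""
    return min(cert.not_after, proxy_not_after)
```

The server-DN comparison is the check most often forgotten: the VO name inside the pseudo-cert is just a string, so a relying service must tie it to the specific VOMS server (and CA) it has been configured to trust for that VO, not merely to any server that signs a "VO: CMS" line. The parser also refuses unknown fields rather than ignoring them, so a pseudo-cert carrying attributes the service does not understand is rejected instead of silently accepted.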

VOMS Architecture
[Diagram: clients (voms-proxy-init over GSI, mkgridmap over https, the Perl CLI and a web browser over https and SOAP+SSL) talk to vomsd, to an Apache/mod_ssl voms-httpd front end, and to a Tomcat/java-sec/Axis VOMS administration servlet; all are backed via JDBC/DBI by a MySQL database that keeps history and audit records.]
- User query server and client (C++)
- Java Web Service based administration interface
  - Perl client (batch processing)
  - Web browser client (generic administrative tasks)
- Web server interface for mkgridmap

Authorization
[Diagram: the user obtains VOMS credentials; a service first authenticates, then either (Java path) an authorization pre-processor and authorization manager apply an ACL, or (C path) LCAS authorizes and LCMAPS maps. Coarse-grained, DN-only decisions: e.g. Spitfire (Java), CE/Gatekeeper (C). Fine-grained, DN + attributes: e.g. RepMeC (Java), SE and /grid (C).]

Authorization for Web Services
- The Java TrustManager can secure both web sites and web services
- Based on the Apache Tomcat (Catalina) servlet container
  - SOAP client, as an extension of the Axis SocketFactoryFactory
  - HTTP client, as an API that creates HTTPS connections
- The Authorization Manager assigns attributes based on the user DN and the VOMS extensions
- For web services: the service uses a proxy of the host
- For browser interaction: must use the long-lived host certificate to be TLS compliant

Services secured by EDG-Java-Sec
- Spitfire: uniform access to SQL database services (MySQL, DB/2, Oracle)
- Replica Location Service, RepMeC, Giggle: metadata and replica information services
- VOMS server
- R-GMA (Relational Grid Monitoring Architecture): Information System
- Basis for new OGSA/Web Services components

Authorization for Native Environments
- All systems for running Grid jobs and storing files are UNIX based
- Need for an interface between Grid rights and local rights
- Two-phase process:
  - Authorization of users: LCAS
  - Acquiring and enforcing local (UNIX-style) credentials: LCMAPS
- Why the split?
  - Authorization decisions may apply to more than single resources
  - Credential mapping may be time-consuming and "heavy"
  - Internal service security: credential mapping needs root privileges, authorization can do without

LCAS: Local Centre AuthZ Service
[Diagram: a request from /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy with a VOMS pseudo-cert and the job description exec=/bin/cat arguments=/etc/passwd reaches the Gatekeeper or GridFTP server; the LCAS service decides before the Job Manager or node is reached, and the same service can serve other clusters.]
- Authorization using: authentication + VO data, job description, site policy
- Plug-in framework; currently shipping modules:
  - allowed-users list
  - banned-users list
  - wall-clock limitations
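As an added illustration of the LCAS plug-in chain (example code, not LCAS itself), the block below runs the three kinds of module the slide lists as shipping over the request shown in the diagram: every module must accept, the first refusal ends the evaluation, and a module that crashes denies rather than falling through. The list formats, the reading of "wall-clock limitations" as a time-of-day window in which jobs are accepted, the shape of the job-description dict and the second user are assumptions. One detail worth noticing is that the subject is reduced to the end-entity DN before any list is consulted: the diagram's subject ends in /CN=proxy, and an allow-list keyed on proxy DNs would never match (or, worse, a ban-list keyed on them could be evaded by adding another proxy level).

```python
"""LCAS-style plug-in chain: every module must accept, or the request is refused.

Added example, not LCAS code. The three modules mirror the ones the slide lists
as shipping (allowed-users list, banned-users list, wall-clock limitations);
the list formats, the time-of-day reading of "wall-clock limitations", the job
dict shape and the sample users are assumptions.
"""
from datetime import datetime, timezone

# Constructed site policy. Entries are end-entity DNs: proxy CNs are stripped first.
ALLOWED_USERS = {"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla",
                 "/C=IT/O=INFN/L=CNAF/CN=Mallory"}
BANNED_USERS = {"/C=IT/O=INFN/L=CNAF/CN=Mallory"}      # a ban overrides an allow
JOB_WINDOW_UTC = (8, 20)                                # accept jobs 08:00-20:00 UTC
PROXY_CNS = ("/CN=proxy", "/CN=limited proxy")          # GSI legacy proxy components

def utc(iso):
    """'2003-05-20T12:00:00' -> aware UTC datetime (usage helper)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def end_entity_dn(dn):
    """Strip GSI proxy components so policy matches the certificate owner."""
    while dn.endswith(PROXY_CNS):
        dn = dn.rsplit("/CN=", 1)[0]
    return dn

# Module interface: (subject, fqans, job, now) -> (accepted, reason)
def mod_userallow(subject, fqans, job, now):
    return subject in ALLOWED_USERS, "subject not in allowed-users list"

def mod_userban(subject, fqans, job, now):
    return subject not in BANNED_USERS, "subject is in banned-users list"

def mod_timeslot(subject, fqans, job, now):
    start, end = JOB_WINDOW_UTC
    return start <= now.hour < end, f"outside job window {start:02d}:00-{end:02d}:00 UTC"

DEFAULT_MODULES = [("userallow", mod_userallow),
                   ("userban", mod_userban),
                   ("timeslot", mod_timeslot)]

def lcas_authorize(dn, fqans, job, now, modules=DEFAULT_MODULES):
    """Run the chain; return (allowed, deciding_module, reason).

    job is the job description, e.g. {"executable": "/bin/cat",
    "arguments": "/etc/passwd"}; it is handed to every module so that a
    site plug-in can inspect it, although none of the three above does.
    """
    subject = end_entity_dn(dn)
    for name, mod in modules:
        try:
            ok, reason = mod(subject, fqans, job, now)
        except Exception as exc:          # a crashing module must deny, not fall through
            return False, name, f"module error: {exc}"
        if not ok:
            return False, name, reason
    return True, None, "all modules accepted"
```

Keeping the deciding module's name in the result matters for the auditability the conclusions ask for: a site log line that says "denied by userban" is actionable, while a bare "denied" is not.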

LCMAPS – Local Credential MAPping
- Provides the local credentials needed for jobs within the fabric
- Plug-in framework, driven by (site-specific) policy
- Mapping based on:
  - user identity
  - VO affiliation, groups and roles
  - site-local policy
- Supports multiple credential types:
  - traditional POSIX: in-process and LDAP, via fixed accounts or PoolAccounts*
  - AFS tokens
  - true Kerberos 5
[Diagram: GSI authentication accepts the proxy /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy with its VOMS pseudo-cert; the authorization call-out goes to LCAS; the Job Manager then calls LCMAPS, which opens the plug-ins, lets them learn and run, and returns the legacy uid before the fork+exec of the submit script with its arguments.]

LCMAPS – new functionality
- Local UNIX groups based on VOMS group membership and roles
- More than one VO and group/role per grid user
- No pre-allocation of pool accounts to specific groups
- New mechanisms:
  - groups-on-demand
  - support for central user directories (primarily LDAP)
- Why do we continue to need LCAS?
  - Centralized site decisions on authorized users for multiple fabrics
  - Coordinated access control across multiple CEs and SEs
  - (and saving on "expensive" account allocation mechanisms in LCMAPS)

Conclusions
- EDG provides an extensive Grid authorization infrastructure today
  - LCAS* and Java security already deployed
  - VOMS and LCMAPS ready for deployment (confirmed for June '03)
  - Updates for various services in October '03
- User side
  - Support for a large, fast-changing user community
  - Roles and groups within the experiment VOs
  - Multiple affiliations and roles per user
- Resource side
  - Minimal effort on the resource provider side
  - Smoother integration into Grid computing at large
  - Retains traceability and auditability at all levels

More Information
- EDG Security Coordination Group: web site
- VOMS: web site, CVS site, developers' mailing list
- PoolAccounts: web site
- LCAS-LCMAPS: web site, CVS site, mailing list
- EDG Java Security: web site

Some Related Works
- CAS (Globus team)
  - Proxy generated by the CAS server, not by the user (no direct traceability)
  - Proxy not backward compatible
  - Attributes are permissions (resource access is controlled by the VO)
- PERMIS (Salford Univ., England)
  - ACs stored in a repository at the local site
  - Good policy engine
  - VOMS is complementary (flexible VOMS AC + PERMIS policy engine)
- Akenti (US Gov.)
  - Targets web sites; migration to a VO environment is not easy

LCMAPS Site Policy and Preferences
[Diagram: plug-in flow VOMS-group -> (TRUE) PoolAccount -> LDAP -> POSIX; VOMS-group -> (FALSE) LocalAccount -> POSIX]

Module definitions:
  path = /opt/edg/lib/lcmaps/modules
  localaccount = "lcmaps_localaccount.mod \
                  -gridmapfile /etc/grid-security/grid-mapfile"
  poolaccount  = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
  posix_enf    = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
  voms         = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates \
                  -certdir /etc/grid-security/certificates"

Policy:
  standard: voms -> poolaccount | localaccount
  localaccount -> posix_enf
  poolaccount -> ldap
  ldap -> posix_enf
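To show how a policy of this shape is evaluated, and how the "groups-on-demand" and pool-account mechanisms of the preceding LCMAPS slides fit into it, here is an added example (not LCMAPS code, and not taken from the project). It parses the four policy rules above with the semantics A -> B | C (run A; on success continue with B, on failure with C; a chain succeeds when its last module succeeds) and runs toy stand-ins for the voms, poolaccount, localaccount, ldap and posix_enf modules. The module behaviour, the grid-mapfile entries, the pool contents, the directory entries, the uid/gid numbers and the on-demand group naming scheme are all constructed assumptions.

```python
"""Evaluator for the LCMAPS site policy above, with toy versions of its modules.

Added example, not LCMAPS code. Rule semantics (A -> B | C: run A; on success
continue with B, on failure with C; a chain succeeds when its last module does)
follow the slide's excerpt. Module behaviour, grid-mapfile entries, the pool,
the directory, uid/gid numbers and on-demand group naming are assumptions.
"""
import re
POLICY = """\
standard: voms -> poolaccount | localaccount
localaccount -> posix_enf
poolaccount -> ldap
ldap -> posix_enf
"""
# Constructed grid-mapfile stand-in: a leading '.' marks a pool-account prefix.
GRIDMAP = {"/CMS/montecarlo": ".cms", "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla": "pinco"}
POOL = {"cms": ["cms001", "cms002"]}                      # pool accounts per prefix
DIRECTORY = {"cms001": (40001, 4000), "cms002": (40002, 4000), "pinco": (1001, 100)}
LEASES = {}        # subject DN -> pool account (what gridmapdir hard links record)
LOCAL_GROUPS = {}  # UNIX groups created on demand: name -> gid

def parse_policy(text):
    """Return (start_node, {node: (on_success, on_failure)})."""
    rules, start = {}, None
    for line in text.splitlines():
        rule = line.split(":", 1)[-1].strip()              # drop the "standard:" label
        m = re.fullmatch(r"(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?", rule)
        if not m:
            raise ValueError(f"bad rule: {line!r}")
        lhs, on_ok, on_fail = m.groups()
        rules[lhs] = (on_ok, on_fail)
        start = start or lhs
    return start, rules

def evaluate(text, ctx, modules):
    """Walk the rule graph; return (success, [(module, result), ...])."""
    (node, rules), trace = parse_policy(text), []
    while node and len(trace) <= len(rules):               # guards against cyclic policies
        ok = modules[node](ctx)
        trace.append((node, ok))
        on_ok, on_fail = rules.get(node, (None, None))
        if ok:
            node = on_ok                                   # None: chain finished
        elif on_fail:
            node = on_fail
        else:
            return False, trace                            # failure with no alternative
    return node is None, trace

def mod_voms(ctx):
    """Take the primary FQAN's group and create its UNIX group on demand."""
    if not ctx["fqans"]:
        return False
    group = ctx["fqans"][0].split("/Role=")[0]             # "/CMS/montecarlo"
    name = group.strip("/").lower().replace("/", "_")      # "cms_montecarlo"
    ctx["vo_group"] = group
    ctx["sgids"].append(LOCAL_GROUPS.setdefault(name, 50000 + len(LOCAL_GROUPS)))
    return True

def mod_poolaccount(ctx):
    """Lease one pool account per subject; never hand an account out twice."""
    prefix = GRIDMAP.get(ctx.get("vo_group"), "")
    if not prefix.startswith("."):
        return False
    if ctx["subject"] not in LEASES:
        free = [a for a in POOL.get(prefix[1:], []) if a not in LEASES.values()]
        if not free:
            return False                                   # pool exhausted: fail closed
        LEASES[ctx["subject"]] = free[0]
    ctx["account"] = LEASES[ctx["subject"]]
    return True

def mod_localaccount(ctx):
    acct = GRIDMAP.get(ctx["subject"], "")                 # fixed account, local passwd lookup
    if acct.startswith(".") or acct not in DIRECTORY:
        return False
    ctx["account"], (ctx["uid"], ctx["pgid"]) = acct, DIRECTORY[acct]
    return True

def mod_ldap(ctx):
    if ctx.get("account") not in DIRECTORY:                # central directory lookup
        return False
    ctx["uid"], ctx["pgid"] = DIRECTORY[ctx["account"]]
    return True

def mod_posix_enf(ctx):
    """-maxuid 1 -maxpgid 1 -maxsgid 32: one uid, one primary gid, <= 32 secondary."""
    if "uid" not in ctx or "pgid" not in ctx or len(ctx["sgids"]) > 32:
        return False
    ctx["enforced"] = True       # the real module does setgroups/setgid/setuid here
    return True

MODULES = {"voms": mod_voms, "poolaccount": mod_poolaccount, "ldap": mod_ldap,
           "localaccount": mod_localaccount, "posix_enf": mod_posix_enf}

def map_credentials(subject, fqans):
    """Run the site policy for one grid user; return (success, ctx, trace)."""
    ctx = {"subject": subject, "fqans": list(fqans), "sgids": []}
    ok, trace = evaluate(POLICY, ctx, MODULES)
    return ok, ctx, trace
```

Two properties of the pool-account step are deliberate. A subject always gets the same leased account back, which is what keeps the traceability the conclusions mention (an account maps back to exactly one DN while the lease exists), and an exhausted pool fails the chain instead of reusing an account that is still leased to someone else. Because the policy has no alternative after poolaccount, that failure is final rather than silently falling back to the fixed-account path.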