Database authentication and authorisation in LCG — 3D workshop 17-19 Oct 2005 1 Kuba Zajączkowski Database authentication and.

Slides:



Advertisements
Similar presentations
Introduction of Grid Security
Advertisements

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.
Data Management Expert Panel - WP2. WP2 Overview.
Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
MyProxy: A Multi-Purpose Grid Authentication Service
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
ASGC Site Update Yi-Ping Wu Jeng-Hsueh Wu. Two Significant Researches 1.Oracle Security issues and Studies for 3D 2.Streams Replications Study Report.
Lecture 23 Internet Authentication Applications
Open Science Grid Project DASH: Securing Direct MySQL Database Access for the Grid D. Malon, E. May, D. Ratnikov, A. Vaniachine Argonne National Laboratory.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
An Authorization System for Grid Applications Thesis Presentation 5 th Dec 2006 Author: Wang Xiao Supervisor: Professor Heikki Hämmäinen Instructor: MSc.
DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Password? CLASP Phase 2: Revised Proposal C5 Meeting, 16 February 2001 Denise Heagerty, IT/IS.
Component Patterns – Architecture and Applications with EJB copyright © 2001, MATHEMA AG Component Patterns Architecture and Applications with EJB JavaForum.
20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
GRID job tracking and monitoring Dmitry Rogozin Laboratory of Particle Physics, JINR 07/08/ /09/2006.
Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
M1G Introduction to Database Development 6. Building Applications.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:
OGSA-DAI in OMII-Europe Neil Chue Hong EPCC, University of Edinburgh.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
CHEP03 Mar 25Mary Thompson Fine-grained Authorization for Job and Resource Management using Akenti and Globus Mary Thompson LBL,Kate Keahey ANL, Sam Lang.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK
WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.
Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.
EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Authorisation, Authentication and Security Guy Warner NeSC Training Team Induction to Grid Computing and the EGEE Project, Vilnius,
Services Security A. Casajus R. Graciani. 12/12/ Overview DIRAC Security Infrastructure HSGE Transport Authentication Authorization DIRAC Authorization.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Database authentication in CORAL and COOL Database authentication in CORAL and COOL Giacomo Govi Giacomo Govi CERN IT/PSS CERN IT/PSS On behalf of the.
Component Patterns – Architecture and Applications with EJB copyright © 2001, MATHEMA AG Component Patterns Architecture and Applications with EJB Markus.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
LCG Distributed Databases Deployment – Kickoff Workshop Dec Database Lookup Service Kuba Zajączkowski Chi-Wei Wang.
GRID Security & DIRAC A. Casajus R. Graciani A. Tsaregorodtsev.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
Grid Technologies for Distributed Database Services 3D Project Meeting CERN, May 19, 2005 A. Vaniachine (ANL)
WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
VOX Project Status T. Levshina. 5/7/2003LCG SEC meetings2 Goals, team and collaborators Purpose: To facilitate the remote participation of US based physicists.
Password? CLASP Phase 2: Revised Proposal FOCUS, 3 May 2001 Denise Heagerty, IT/IS.
DataGrid Security Wrapup Linda Cornwall 4 th March 2004.
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.
E-commerce Architecture Ayşe Başar Bener. Client Server Architecture E-commerce is based on client/ server architecture –Client processes requesting service.
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
Third Party Transfers & Attribute URI ideas
Grid Security.
Grid Security Jinny Chien Academia Sinica Grid Computing.
Update on EDG Security (VOMS)
The New Virtual Organization Membership Service (VOMS)
Goals Introduce the Windows Server 2003 family of operating systems
CLASP Project AAI Workshop, Nov 2000 Denise Heagerty, CERN
Introduction of Week 5 Assignment Discussion
Presentation transcript:

Database authentication and authorisation in LCG — 3D workshop Oct Kuba Zajączkowski Database authentication and authorisation in LCG

Database authentication and authorisation in LCG — 3D workshop Oct Presentation Outline Introduction Grid authentication mechanisms Oracle authentication mechanisms Current Status ANL-PIOCON Project Authentication with middleware Summary

Database authentication and authorisation in LCG — 3D workshop Oct Authorisation and Authentication LCG uses different authentication mechanisms (proxy certificates) than usual means implemented in RDBMS (user password pair, PKI certificates, etc.) LCG supplies it's own access control mechanism based on idea of virtual organisations (Virtual Organization Membership Service – VOMS) Traditional means of authorization will become either unusable or will pose a major security risk in grid environment. A safe and secure solution is needed.

Database authentication and authorisation in LCG — 3D workshop Oct Traditional Database Access client authenticates himself with username and password (or certificate) table or object access rights are granted to a username GRANT... ON table TO 'joesmith' client has access to a table SELECT... FROM table WHERE... DBMS client DB username/ password authentication: username access rights: username

Database authentication and authorisation in LCG — 3D workshop Oct LCG Access Mechanisms identification is based on X.509 certificates, usually in connection with secure transport layer proxy certificates (RFC 3820) are used for regular operations example DN: C=CH/O=CERN/OU=LCG/CN=Jan Nowak/CN=proxy additional authorisation attributes are enclosed in attribute certificate (RFC 3281) connected to the proxy certificate VO (Virtual Organisation):/aliceCalibration role: /aliceCalibration/Role=Operator user identifier, DN and user privileges are granted and digitally signed by managing organisations of CA and VO

Database authentication and authorisation in LCG — 3D workshop Oct DB access with LCG authentication DBMS client DB authentication: DN + attributes acces rights: attributes or DN proxy certificate DN attrib. cert. attr: VO, groups,roles grid client authenticates himself with proxy certificate authentication: certificates validity, users DN and also VOMS signature (for attributes) are checked table or object access rights are granted based on DN or attributes. GRANT... ON table TO ' C=CH/O=CERN/OU=LCG/CN=Jan Nowak ' GRANT... ON table TO ' VO=/aliceCalibration/Role=Operator ' client has access to a table SELECT... FROM table WHERE...

Database authentication and authorisation in LCG — 3D workshop Oct Authorisation Issues LCG Virtual Organisations and proxy certificates – fine grained access control system short term partial authorisation mechanism Oracle Enterprise User Security – certificate based user authentication, shared schemas, enterprise roles, user – schema and user – role mappings Open Source Databases – traditional access control, certificate authentication, no higher level user management, source code availability. OpenSource databases can be adapted to work with LCG, Oracle requires the use of existing components.

Database authentication and authorisation in LCG — 3D workshop Oct Oracle Access Mechanisms Authentication Username/password Radius Kerberos SSL (traditional, lack of official support for proxy certificates) proxy authentication(eg. through application server) Authorisation Oracle Enterprise User Security Shared schema Enterprise roles Oracle Internet Directory + OracleContext has no support for attribute certificates There is neither support for user management outside of Oracle Context nor there is support for proxy or attribute certificates.

Database authentication and authorisation in LCG — 3D workshop Oct Oracle + LCG authorisation If Oracle will support proxy and attribute certificates Oracle Net OID VOMS Client 1.The client asks VOMS for an attribute certificate with privileges 2.VOMS sends a digitally signed certificate 3.The client generates a proxy certificate, attaches attribute certificate to it and sends it to the database 4.The database passes this certificate over to OID. OID authenticates the user. It also maps that user to a shared schema and to enterprise roles based on supplied attributes. 5.Now the database has all the info required 6.A data connection is opened. Data base

Database authentication and authorisation in LCG — 3D workshop Oct Current Progress We've set up a test environment – Oracle database using Oracle Enterprise User Security with SSL certificates, test Virtual Organisation and a test Certificate Authority plus an example worker node for generation of proxy certificates. We've run a number of connection test against it. While access using regular SSL certificates works fine, we can't get past the Oracle's SSL layer when using proxy certificates. We have filed a TAR at Oracle with enhancement request to support proxy certificates. We will follow up on that closely.

Database authentication and authorisation in LCG — 3D workshop Oct Possible Scenarios We could send user certificates (wallets) along with the jobs and use them for authorisation. This however is not acceptable because of LCG security means. It would mean a long lasting open access to someone who could intercept that wallet. If we could get past the SSL layer we could use an OID module to extract user's base DN from a proxy DN and use this for authentification. With no attribute support a simple tool would be needed to periodically synchronise and map VOMS roles and privileges to Oracle Context. The number of entries in the OID would be signifigant – one or more for each user. If Oracle would choose to support attribute certificates as well, all we need is a way for OID modules to access attribute data in the same manner as it can read the DN trom the certificate. Mapping of VOMS to Oracle privileges would be only a matter of writing a simple OID module and supplying that map.

Database authentication and authorisation in LCG — 3D workshop Oct Mid-term Proposal For the next 6 months or until proxy certificate handling is resolved we propose: read-only accounts for Tier 1 and 2 protected with traditional passwords write accounts only at Tier 0 compatible with 3D startup model – T0, T1/2 has been discussed with CERN and LCG security – seems acceptable as a stop-gap

Database authentication and authorisation in LCG — 3D workshop Oct MySQL + Grid auth Project High-performance Database Access Technologies for Computational Grids – a project by Argonne National Laboratory and Piocon Technologies In our proof-of-concept prototype we implemented Globus grid proxy certificate authorization technologies for MySQL database access control. By localizing Globus security concerns in our software aspect we achieved a clean separation of Globus Grid Security Infrastructure libraries dependencies from the MySQL server code. Alexander Vaniachine, ANL Current Status working prototype with Globus grid proxy certificate VOMS attribute certificate support planned in the future Open Science Grid is the main priority You can find more info about this project at

Database authentication and authorisation in LCG — 3D workshop Oct Middleware authorisation If middleware is required to interoperate Oracle Net OID VOMS Client Data base 7 4 Middleware 1.The client asks VOMS for an attribute certificate with privileges 2.VOMS sends a digitally signed certificate 3.The client generates a proxy certificate, attaches attribute certificate to it and sends it to the middleware 4.Middleware authenticates the client and passes DN to the database 5.The database passes the DN to OID. OID assignes a shared schema and enterprise roles based on supplied DN. 6.Now the database has all the info required 7.A data connection is opened.

Database authentication and authorisation in LCG — 3D workshop Oct Existing middleware projects OGSA-DAI: SOAP/XML + XML binary extensions Spitfire (EDG WP2): SOAP/XML text-only data transport Perl DBI database proxy (ALICE): SQL data transport Why you might NOT want to use OGSA-DAI You want very fast data access OGSA-DAI is slower than direct connection methods e.g. JDBC But remember OGSA-DAI provides functionality "over and above" these methods – e.g. data delivery and transformation You need scalability Depends on your intended usade of e.g. delivery mechanisms, number of clients, etc. Neil P Chue Hong, OGSA-DAI Status Summary, Third OGSA-DAI Users Group Meeting, 6/1/2005

Database authentication and authorisation in LCG — 3D workshop Oct Comparison Without middleware No message-level security overhead Only minor changes required on the client side; normal use of database drivers (jdbc, odbc, oci, etc.) Vendor-specific advantages, eg. binary data transport, distributed XA transactions Without Oracle's support, proxy cetificate based security will remain theoretical, MySQL solution available Libraries available for most programming languages Still in developement With middleware Additional overhead – possible bottleneck Major client-side changes nedded, existing solutions are not interchangable Limited support for vendor-specific capabilitities, some additional posibilites like data transformation Existing solutions claim to support a wide range of database engines. Limited support for client programming languages Still in developement

Database authentication and authorisation in LCG — 3D workshop Oct Summary Authentication and Authorisation is a major issue to be solved before production phase Direct access mechanisms only partially supported (MySQL), but with DB vendors help, means to utilise proxy certificates certainly exist Direct support for VOMS-based access control requires more developement and again DB vendors support Middleware solutions are probably insufficient for data- intensive access There is an acceptable stop-gap solution

Database authentication and authorisation in LCG — 3D workshop Oct Questions Thank You! In case of any questions feel free to contact me: Kuba Zajączkowski

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.