Grid Security and VO Management Andrew McNab University of Manchester.
13 December 2005, Grid Security

Outline
● Defining VOs
● VO Pull vs Push
● Pool Accounts
● VOMS
● GridSite components
● Web service support
● VO practicalities

Perspective
● GridPP is the UK's High Energy Physics grid project
  – 15 university sites + RAL
  – largest is a 2000 processor farm at Manchester
● Participates in deployment of the LHC Computing Grid
  – ~160 sites worldwide, led by CERN
● Contributes to EGEE middleware development
  – info system, data management and security
● I co-ordinate the GridPP security middleware work
  – this is principally the GridSite system

[Map: LCG/EGEE Grid Sites, September 2005]
● EGEE/LCG-2 grid: 160 sites, 36 countries (35 sites in the UK & Ireland cluster), >15,000 processors, ~5 PB storage
● Other national & regional grids: ~60 sites, ~6,000 processors
● Legend: country providing resources; country anticipating joining LCG/EGEE

Virtual Organisations
● Within LCG/EGEE, VOs are essentially authorization domains:
  – access rights to resources and datasets owned by a group of people
● So the central “VO problem” becomes how to prove individuals are members of that VO, subgroup etc
● There are two classic ways of doing this:
  – Pull and Push

VO by Pull
● EU DataGrid developed a way of publishing lists of VO members
  – Authentication based on X.509 DNs: ie VO = “DN List”
  – LDAP(S) used, but can also be done by HTTPS
● Sites subscribe to VO lists and pull them periodically
  – daily or every few hours
● Advantage is that the user's software doesn't need to know about the VO at all
● Disadvantage is that hundreds of service machines need to pull lists of thousands of users several times a day

Pool accounts
● The other half of the EU DataGrid system was Pool Accounts, developed in Manchester
  – Unix accounts created and assigned to users as they submit jobs or access files on that site
  – Local copy of the VO membership list decides whether a mapping can be created
  – May direct the user to a special pool of accounts for their VO
● Now used by LCG and UK NGS
● Surprisingly successful for a “temporary” fix!
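The two slides above describe the Pull side of the EU DataGrid model: a site keeps local copies of the per-VO DN lists it pulls, and a grid-mapfile entry of the form ".prefix" sends members of a VO into a pool of Unix accounts rather than to one fixed account. The following is an added illustration of that mapping logic written for this page; it is not GridSite's or EDG's own code. The VO names, DNs, pool sizes and the `PoolMapper` class are constructed for the example. Leases are keyed by (DN, pool) so a user in two VOs gets one account in each pool, which is this example's choice rather than something the slide states.

```python
"""Pool-account mapping of the EU DataGrid kind, modelled in Python (added example)."""
from dataclasses import dataclass, field


class PoolExhausted(Exception):
    """Raised when every account in a pool is leased to some other DN."""


# Constructed sample: VO name -> DNs from that VO's published list, as pulled by the site.
VO_DN_LISTS = {
    "atlas": [
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example",
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob example",
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=dave example",
    ],
    "dteam": [
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob example",
        "/C=UK/O=eScience/OU=RAL/L=PP/CN=carol example",
    ],
}

# grid-mapfile style entries: VO -> ".prefix" (a pool of accounts prefix001, prefix002, ...)
# or "account" (a single fixed local user).
GRID_MAPFILE = {
    "atlas": ".atlas",
    "dteam": ".dteam",
}


@dataclass
class PoolMapper:
    pool_size: int
    vo_dn_lists: dict
    mapfile: dict
    # (dn, pool prefix) -> account. On a real site this persistent state is the
    # gridmapdir's job; here it is an in-memory dict.
    leases: dict = field(default_factory=dict)

    def vos_for(self, dn):
        """VOs whose locally cached DN list contains dn, in mapfile order."""
        return [vo for vo in self.mapfile if dn in self.vo_dn_lists.get(vo, ())]

    def map_dn(self, dn, vo=None):
        """Unix account for dn, or None if no local VO list admits this DN.

        A user in several VOs goes to the first VO in mapfile order unless the
        caller names one of their VOs explicitly. Leases are sticky, so the
        same DN gets the same account on its next job.
        """
        vos = self.vos_for(dn)
        if not vos:
            return None                      # not in any pulled DN list: refuse the mapping
        chosen = vo if vo in vos else vos[0]
        target = self.mapfile[chosen]
        if not target.startswith("."):
            return target                    # fixed account, no lease needed
        prefix = target[1:]
        key = (dn, prefix)
        if key in self.leases:
            return self.leases[key]
        in_use = {acct for (_, p), acct in self.leases.items() if p == prefix}
        for n in range(1, self.pool_size + 1):
            account = f"{prefix}{n:03d}"
            if account not in in_use:
                self.leases[key] = account
                return account
        raise PoolExhausted(f"no free account in pool {prefix!r} for {dn}")

    def release(self, dn, vo):
        """Drop a lease so the account can be recycled (sites expire idle leases)."""
        target = self.mapfile[vo]
        if target.startswith("."):
            self.leases.pop((dn, target[1:]), None)


if __name__ == "__main__":
    mapper = PoolMapper(pool_size=2, vo_dn_lists=VO_DN_LISTS, mapfile=GRID_MAPFILE)
    for dn in VO_DN_LISTS["atlas"] + VO_DN_LISTS["dteam"]:
        try:
            print(dn, "->", mapper.map_dn(dn))
        except PoolExhausted as exc:
            print(dn, "->", exc)
```

Running the block shows the third atlas member being refused once both pool slots are taken, which is the capacity planning point of pool accounts: a pool must be sized for the number of distinct users active within the lease lifetime, not the number of jobs.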

VO by Push
● LCG and EGEE are now deploying VOMS
  – Users are given short-lived X.509 Attribute Certificates which prove their VO and group membership
● Users then present these ACs to services, currently in the form of extensions to GSI Proxy certificates
● Advantages: no need for sites to pull all VO lists; users can choose which group/role to use
● Disadvantages: clients need to be aware of VOMS; need to add X.509 AC support to services' SSL/TLS

Access Policies
● “DN Lists” (eg grid-mapfile) are the simplest access policies
● LCG/EGEE also uses references to VOMS groups, and XML policy files: both GridSite's GACL and XACML
● GridSite GACL/XACML policy files support:
  – multiple credential types: individual DN, DN List, VOMS AC and DNS domain
  – AND + OR of conditions
  – Read, List, Write, Exec, Admin permissions
● Allows “virtualisation” of access: not just tied to a (pool) Unix account, and easy to manage dynamically
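To make the AND/OR and credential-type points concrete, here is an added evaluator for a GACL policy file, written for this page in Python; it is not libgridsite, which does this in C. The policy, the DNs, the DN-list URL, the hostnames and the cached DN list are constructed. The evaluation rules it implements are: every <credential> inside one <entry> must match (AND), permissions from all matching entries are combined (OR), and a <deny> in any matching entry removes that permission even if another entry allows it. The rule that a bare group FQAN in the policy also matches the client's subgroups is this example's own simplification and not something the slide states.

```python
"""Evaluating a GridSite GACL access-control policy, modelled in Python (added example)."""
import fnmatch
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "exec", "admin")

# Constructed sample policy. The fourth entry needs BOTH a DN-list membership
# and a client host under man.ac.uk; the last entry denies carol write/exec
# regardless of what other entries grant her.
SAMPLE_GACL = """<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry>
    <credential><any-user/></credential>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <credential><voms><fqan>/atlas/uk</fqan></voms></credential>
    <allow><write/></allow>
  </entry>
  <entry>
    <credential><person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example</dn></person></credential>
    <allow><admin/></allow>
  </entry>
  <entry>
    <credential><dn-list><url>https://www.example.org/dn-lists/atlas-uk</url></dn-list></credential>
    <credential><dns>*.man.ac.uk</dns></credential>
    <allow><exec/></allow>
  </entry>
  <entry>
    <credential><person><dn>/C=UK/O=eScience/OU=RAL/L=PP/CN=carol example</dn></person></credential>
    <deny><write/><exec/></deny>
  </entry>
</gacl>
"""

# Constructed: the site's locally cached copy of a pulled DN list (VO by Pull).
CACHED_DN_LISTS = {
    "https://www.example.org/dn-lists/atlas-uk": {
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example",
        "/C=UK/O=eScience/OU=RAL/L=PP/CN=carol example",
    },
}


def normalise_fqan(fqan):
    """Strip the long-form '/Role=NULL/Capability=NULL' tail VOMS may emit."""
    for tail in ("/Capability=NULL", "/Role=NULL"):
        if fqan.endswith(tail):
            fqan = fqan[: -len(tail)]
    return fqan


def fqan_matches(policy_fqan, client_fqan):
    """A policy FQAN naming a Role must match exactly; a bare group FQAN also
    matches the client's subgroups (this example's own prefix rule)."""
    policy_fqan = normalise_fqan(policy_fqan)
    client_fqan = normalise_fqan(client_fqan)
    if "/Role=" in policy_fqan:
        return policy_fqan == client_fqan
    client_group = client_fqan.split("/Role=")[0]
    return client_group == policy_fqan or client_group.startswith(policy_fqan + "/")


def credential_matches(cred, client, dn_lists):
    """cred: a <credential> element. client: dict with 'dn', 'fqans', 'host'."""
    for kind in cred:                       # a <credential> wraps one credential type
        if kind.tag == "any-user":
            return True
        if kind.tag == "person":
            return kind.findtext("dn", "").strip() == client.get("dn")
        if kind.tag == "voms":
            want = kind.findtext("fqan", "").strip()
            return any(fqan_matches(want, have) for have in client.get("fqans", ()))
        if kind.tag == "dn-list":
            url = kind.findtext("url", "").strip()
            return client.get("dn") in dn_lists.get(url, ())
        if kind.tag == "dns":
            return fnmatch.fnmatchcase(client.get("host", ""), (kind.text or "").strip())
        return False                        # unknown credential type: fail closed
    return False                            # empty <credential/>: matches nobody


def evaluate(gacl_xml, client, dn_lists=CACHED_DN_LISTS):
    """Return the set of permissions the policy grants to this client."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        creds = entry.findall("credential")
        if not creds or not all(credential_matches(c, client, dn_lists) for c in creds):
            continue                        # AND across the entry's credentials
        for block, target in (("allow", allowed), ("deny", denied)):
            node = entry.find(block)
            if node is not None:
                target.update(p.tag for p in node if p.tag in PERMISSIONS)
    return allowed - denied                 # OR across entries, deny wins


def permitted(gacl_xml, client, permission, dn_lists=CACHED_DN_LISTS):
    return permission in evaluate(gacl_xml, client, dn_lists)
```

Note that the `<dn-list>` credential is resolved against the site's cached copy of the list, so the Pull model's requirement to keep those copies fresh carries straight into policy evaluation: a stale list means a removed member keeps the rights the policy grants to list members.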

GridSite components
● libgridsite C/C++ toolkit provides utility functions
  – based on OpenSSL, libxml2, gSOAP
  – parse GSI Proxies and VOMS X.509 attribute certs
  – evaluate GACL and XACML access policies
  – generate new GSI Proxies
● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XACML policies and Onetime Passcodes to Apache
● htcp, htls, htdelegate, ... provide command line tools

Module architecture
[Diagram: Apache/GridSite module stack]
● mod_ssl: plain HTTPS > env vars
● mod_gridsite: GSI / VOMS OpenSSL callback wrappers
● mod_gridsite: GACL access control + GACL > env vars
● mod_gridsite: .html headers and footers
● Content handlers: .shtml, mod_perl CGI, PHP CGI, Web Services (gsexec), HTTP
● mod_gridsite: PUT, MOVE and DELETE
● grst-admin.cgi: page editing, file upload, GACL editing etc.

Web Service support
● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the GridSite / EGEE Delegation portType
  – Java implementation by other members of EGEE
● mod_gridsite + delegation CGI used by EGEE WMS
  – Apache/FastCGI; GridSite (security); gSOAP (WS)
● Delegated credentials stored in the filesystem
● Allows sharing between different CGI languages

suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  – Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS
  – Either per-client: the cert in the client program determines which pool user
  – Or per-directory: all the CGIs in my directory run as the same pool user

suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  – Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  – X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” service hosting
  – Give a user or VO access to a privileged directory
  – They deploy their C/C++/Perl/Python services remotely

GRACE
● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-oriented grids
● This provides another way of deploying Web Services
  – “GRACE”: GRidsite - Apache - CGI - Executables
  – Allows services to be written in any language
  – Can be deployed remotely
  – Deployment rights controlled by GACL/XACML policies
  – Different VOs/individuals are sandboxed via Unix UIDs

Deployment Issues
● Panel question: “How can we deploy a Grid security infrastructure that is scalable, hierarchical, capable of dynamic VOs and easy to use?”
● I think that practical Grid infrastructures will follow most of the established patterns of practical Web infrastructures
  – Many lessons already learnt on the Web
  – Also, users/admins are already familiar with the Web
● Key lesson is to be as loosely coupled as possible
  – Use clearly defined interfaces and avoid reinvention

Software Issues
● Most significant security issue for existing internet services is patching vulnerabilities
  – “Keeping up to date” has resulted in automated update services for major operating systems
  – The more you deviate from off-the-shelf software, the more of this you have to do yourself for your users
● So we want to reuse Apache, OpenSSL etc as much as possible, ideally without making our own versions, to benefit from OS updates

Authentication
● This is largely dealt with by the CAs, and the international CA co-ordination bodies (EUGridPMA and now the IGTF)
● However, users are very aware of authentication (“I forgot my password!” etc) and so it has a large impact on ease of use of the whole system
● Can already use X.509 certs in browsers as simple single sign-on to HTTPS websites (GridSite, GridSiteWiki etc)
● But X.509 handling is itself cumbersome for some users
  – May need to go to online CAs, merging CAs and university Shibboleth infrastructures etc

Authorization
● Creation of VOs, subgroups, roles etc
  – assigning users to these groups/roles
  – binding credentials to resources, dataset rights etc
● Scalability drives design decisions
  – Can't keep asking the VO whether each local operation is permitted
● Pull and Push models already cover most use cases
  – Dynamic VOs are a natural extension of current systems
  – Static CA infrastructure means trust can be described by dynamic policies in terms of certificate identities

Local enforcement
● Can easily be the Cinderella of a grid security architecture
  – easy to implement shiny new authorization systems in purely Grid software that your project is creating
  – but what about file access, SQL database queries, execution of native binaries?
● Either use virtual machines (Java etc)
● Or map grid identity to local identity (Unix pool account, MySQL user etc) and then grant it rights derived from grid policies
● Getting this right has significant performance advantages

More information
● is the GridSite project website
  – Open Source, bug tracker, CVS, links to LCG/EGEE
● Includes the new GridSiteWiki
  – Derived from MediaWiki but uses X.509 instead of usernames / passwords
● is the largest site using GridSite
  – and includes its own Wiki, which is pulling in info
● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE, ... by searching for GridSite with Google!

Summary
● LCG/EGEE have deployed multiple VOs to 160+ sites using Pull, and are moving to Push via VOMS
● Pool accounts allow a simple way of using Unix accounts
● Access policies tie VOs & Authorization to resources
● GridSite provides the libgridsite Grid security toolkit for C/C++
● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
● We can now build secured Web Services for Grids as CGI programs