Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues


Slide 2: D7.5 Overview
- What is Security? (Chapter 3): general description
- Assumptions (Section 3.7): what we will not do
- Chapter 3 minus Section 3.7 = Chapter 4: the security requirements
- Achieved goals (Chapter 5): what is done
- Plans (Chapter 6): not a consistent design yet!
- Checklists (Chapter 7): summary of Chapters 4, 5 and 6

Slide 3: Requirements
- AUT: Authentication requirements
- AUZ: Authorization requirements
- AUD: Auditing requirements
- NRP: Non-repudiation requirements
- DLG: Delegation requirements
- CNF: Confidentiality requirements
- INT: Integrity requirements
- NET: Network requirements
- ADD: Additional requirements
- MNG: Manageability requirements
- USR: Usability requirements
- IOP: Interoperability requirements
- SCA: Scalability requirements
- PER: Performance requirements

Slide 4: Requirements - Authentication
GSI: certificate-based authentication
- AUT-02: symmetric
- AUT-05: lives beside existing authentication systems
- AUT-14: no VO is associated with a certificate
- AUT-15: no authorization information in a certificate
Questions from me:
- certificate revocation: immediate revocation, or handle it as an authorization decision? how to handle CRLs at large scale?
- certificate authorities: should not be bound to DataGrid or to "the grid"

Slide 5: Requirements/Authorization: Role/Group/VO
- principal (service or user) is identified by a certificate from a CA (the CA is not part of any VO)
- group:
  - organizational structure or common interest inside a VO
  - no default group
  - e.g. Security and WP7 in DataGrid
- role:
  - administrative tool
  - default role
  - password for an extra role
  - e.g. user and admin
- see AUZ-21
Diagram: CAs (it, ch, fr) issue certificates; VO Alice and VO CMS each run an authorization service; RA LDAP servers at INFN, CERN and CNRS hold the membership information.

Slide 6: Requirements/Authorization: 2.
- AUZ-05: decisions based on various information (identity, CRL, role, group, lightweight credentials, ...)
- AUZ-16: disconnected operation
- AUZ: central access control, immediate disable?
- AUZ-23, 24: authorize the resource, not only the user; whom does the user trust?
- AUZ: granularity: which operations and objects are controlled
Questions:
- listing the accessible resources vs. checking permission case by case
- central control (policy?) vs. disconnected operation
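To make the group/role model of the two authorization slides concrete, here is an added example (it is not part of the original slides or of any DataGrid code). The principal is identified only by the DN in its certificate, as AUT-14/15 require; groups and roles are looked up in a VO membership snapshot that stands in for the VO's LDAP/RA server. The snapshot carries a fetch time, so a resource keeps working while the VO server is unreachable (AUZ-16) but a centrally revoked membership can survive at most MAX_SNAPSHOT_AGE (the "immediate disable?" question). Every DN, group, role, policy entry and timing value below is constructed for illustration.

```python
"""VO/group/role authorization decisions (added example, not DataGrid code)."""
from dataclasses import dataclass, field

# Constructed membership snapshot; in the real system this would come from the
# VO's LDAP/RA server and be refreshed periodically.
VO_SNAPSHOT = {
    "vo": "DataGrid",
    "fetched_at": 1000.0,  # seconds, compared against the caller's clock
    "members": {
        "/C=CH/O=CERN/CN=alice": {"groups": {"WP7", "Security"}, "roles": {"admin"}},
        "/C=FR/O=CNRS/CN=bob": {"groups": {"WP2"}, "roles": set()},
    },
}
MAX_SNAPSHOT_AGE = 3600.0  # disconnected operation is tolerated for this long
DEFAULT_ROLE = "user"      # every member holds it; extra roles must be held AND activated

# Policy: (object, operation) -> ordered list of (group, role) pairs; any one suffices.
# A group of None means "any member of the VO".  Hypothetical objects and operations.
POLICY = {
    ("/grid/wp7/", "read"): [("WP7", "user"), (None, "admin")],
    ("/grid/wp7/", "write"): [("WP7", "user")],
    ("vo-config", "modify"): [(None, "admin")],
}


@dataclass
class Request:
    subject: str            # DN taken from the client certificate (nothing else is)
    vo: str                 # VO the client claims to act in
    operation: str
    obj: str
    activated_roles: set = field(default_factory=set)  # extra roles the client asked for
    now: float = 1000.0     # caller's clock, for the staleness check


def effective_roles(member, activated):
    """The default role is always on; an extra role counts only if held and activated."""
    return {DEFAULT_ROLE} | (member["roles"] & activated)


def authorize(req, snapshot=VO_SNAPSHOT):
    """Return (allowed, reason).  Deny by default; never trust data from the cert beyond the DN."""
    if req.vo != snapshot["vo"]:
        return False, "unknown VO"
    if req.now - snapshot["fetched_at"] > MAX_SNAPSHOT_AGE:
        return False, "membership snapshot too old for disconnected operation"
    member = snapshot["members"].get(req.subject)
    if member is None:
        return False, "not a VO member"
    rules = POLICY.get((req.obj, req.operation))
    if not rules:
        return False, "no policy for object/operation"
    roles = effective_roles(member, req.activated_roles)
    for group, role in rules:
        if role in roles and (group is None or group in member["groups"]):
            return True, f"group={group} role={role}"
    return False, "no matching group/role"


if __name__ == "__main__":
    alice = "/C=CH/O=CERN/CN=alice"
    print(authorize(Request(alice, "DataGrid", "read", "/grid/wp7/")))
    print(authorize(Request(alice, "DataGrid", "modify", "vo-config")))
    print(authorize(Request(alice, "DataGrid", "modify", "vo-config", activated_roles={"admin"})))
    print(authorize(Request(alice, "DataGrid", "read", "/grid/wp7/", now=1000.0 + 2 * MAX_SNAPSHOT_AGE)))
```

Note that a held role is not enough: `admin` only takes effect when the client activates it for the session, which is where the slide's "password for an extra role" would be checked. The staleness check is the trade-off between disconnected operation and central disable: shortening MAX_SNAPSHOT_AGE makes revocation faster but makes the resource fail sooner when the VO server is down.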

Slide 7: Requirements
- Auditing + Non-repudiation: a "trustable log"
- Delegation: traceable delegation, the original identity is preserved
- Confidentiality: protecting the data from unwanted access (before)
- Integrity: check for possible manipulations and errors (after)
- Network: firewalls (no more detail, yet)
- Management/Usability: make it simple
- Interoperability: with other "grids"
- Scalable/Robust (users/machines/institutes/countries): 1000/200/10/5 -> /1.000/100/10 -> /10.000/100/10

Slide 8: Testbed-1
(you probably already know it)

Slide 9: CA/RA
- 11 CAs
- well-defined practices
- focus on only one VO: DataGrid
- CA = RA?
- membership information in VO/LDAP
Goal: "production deployment"
Certificate management:
- scalable revocation list handling
- user certificate storage (central?)
- roaming access: web portals
- long-term/renewable proxy certificates for long jobs

Slide 10: Data Management / Storage Element
In Tomcat configuration files:
- certificate checking
- certificate -> identity
- identity -> role
Goals:
- short term: local authorization DB
- long term: general solutions for other services as well
Testbed-1: only a local filesystem, with gridftp for remote access
- pool of local userids
- VO = groupid, group-level access permissions

Slide 11: Castor (MSS)
With the GSI library:
- certificate checking
- certificate -> identity
- identity -> local userid
Access control uses the local authorization system: every grid user has a corresponding local userid.
- short term:
  - thread-safe GSI
  - local userid not exposed to the client
- long term: the SE solution

Slide 12: Networking
- detailed firewall configuration guide for light/medium/heavy configurations
- VPN: use application-level encryption instead
Plans:
- Network Address Translation for large CEs
- dynamic firewall configuration for interactive jobs

Slide 13: Open Issues
The gridmap file currently does three jobs at once: authentication, authorization and the mapping to a local userid.
- authentication: configurable trust (take the trusted CAs from the VO?)
- authorization: central vs. local service (CAS?)
- mapping:
  - single userid: the grid service does everything itself (SE)
  - pool of userids: local enforcement system (CE)
  - 1-1 mapping: local authorization system (maybe as an extra step)
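The three mapping models on the last slide, shown on top of the Globus grid-mapfile syntax (`"DN" account[,account...]`, where a `.name` target denotes a pool of accounts as with gridmapdir). This is an added example, not code from the slides or from EDG: the file contents, DNs, CA names, pool accounts and the `gridse` service account are constructed, and the in-memory lease table stands in for the hardlinks a real gridmapdir keeps. The trusted-CA set is the "configurable trust" of the authentication bullet: a DN is never mapped unless its issuer is trusted, and anything not explicitly listed is denied.

```python
"""grid-mapfile parsing and local-userid mapping (added example, not EDG code)."""
import shlex

# Constructed grid-mapfile content with hypothetical DNs, accounts and pool.
GRIDMAP_TEXT = '''\
# DN                                 local account(s) or .pool
"/C=CH/O=CERN/CN=alice"              alice
"/C=FR/O=CNRS/CN=bob smith"          .datagrid
"/C=IT/O=INFN/CN=carol"              .datagrid
"/C=XX/O=Unknown CA Org/CN=mallory"  mallory
'''
TRUSTED_CAS = {"/C=CH/O=CERN CA", "/C=FR/O=CNRS CA", "/C=IT/O=INFN CA"}  # constructed
POOLS = {"datagrid": ["dg001", "dg002"]}   # pool name -> free accounts (constructed)
SERVICE_UID = "gridse"                      # the one account an SE-style service runs as


def parse_gridmap(text):
    """Return {DN: [targets]} where a target is an account name or '.pool'."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the quoted DN, which may contain spaces, in one piece
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"grid-mapfile line {lineno}: malformed entry")
        mapping[parts[0]] = [t for t in parts[1].split(",") if t]
    return mapping


class Mapper:
    """Maps an authenticated (subject, issuer) pair to a local userid.

    mode = "single":     every mapped DN runs as SERVICE_UID (the service enforces access itself)
    mode = "pool":       '.pool' entries lease an account per DN; fixed entries are honoured too
    mode = "one-to-one": every DN must have an explicit account; pool entries are refused
    """

    def __init__(self, gridmap, trusted_cas, pools, mode):
        if mode not in ("single", "pool", "one-to-one"):
            raise ValueError(f"unknown mapping mode {mode}")
        self.gridmap, self.trusted, self.mode = gridmap, trusted_cas, mode
        self.free = {name: list(accts) for name, accts in pools.items()}
        self.leases = {}  # DN -> pool account; gridmapdir records this as a hardlink

    def map_user(self, subject, issuer):
        """Return the local userid, or raise PermissionError.  Deny by default."""
        if issuer not in self.trusted:
            raise PermissionError(f"issuer not trusted: {issuer}")
        targets = self.gridmap.get(subject)
        if not targets:
            raise PermissionError(f"no grid-mapfile entry for {subject}")
        if self.mode == "single":
            return SERVICE_UID
        target = targets[0]  # the first account listed is the default one
        if target.startswith("."):
            if self.mode != "pool":
                raise PermissionError("pool entry refused in one-to-one mode")
            return self._lease(subject, target[1:])
        return target

    def _lease(self, subject, pool):
        if subject in self.leases:
            return self.leases[subject]  # the same DN keeps its account across sessions
        if not self.free.get(pool):
            raise PermissionError(f"pool {pool} exhausted")
        account = self.free[pool].pop(0)
        self.leases[subject] = account
        return account


if __name__ == "__main__":
    mapper = Mapper(parse_gridmap(GRIDMAP_TEXT), TRUSTED_CAS, POOLS, "pool")
    print(mapper.map_user("/C=CH/O=CERN/CN=alice", "/C=CH/O=CERN CA"))
    print(mapper.map_user("/C=FR/O=CNRS/CN=bob smith", "/C=FR/O=CNRS CA"))
    try:
        mapper.map_user("/C=XX/O=Unknown CA Org/CN=mallory", "/C=XX/O=Unknown CA")
    except PermissionError as err:
        print("denied:", err)
```

The mallory entry shows why the trust check has to come before the lookup: an entry in the file is not enough if the certificate was issued by a CA the site does not trust. Pool exhaustion and a stale lease table are the operational edge cases a CE has to monitor; in gridmapdir both are visible as link counts in the directory.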