Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center
Gateway Security Summit : 01/30/ OSG Security Team Mine Altunay FNAL Doug Olson LBNL Bob Cowles SLAC Don Petravick FNAL
Gateway Security Summit : 01/30/ OSG Security The big picture: –What OSG security does ? Security Infrastructure –Authentication –VOMS –PRIMA/GUMS –gPlazma –gLexec How can someone become part of OSG
Gateway Security Summit : 01/30/ OSG Security A security framework that enables science and promotes autonomous and open science collaboration among VOs, sites, and software providers Operational –Vulnerability analysis, patches, –Incident response Interoperability –Joint policy work, JSPG, MWSG, IGTF –Why we are here – how to build interoperability with other Grids TeraGrid Education –Security tutorials, documents for naïve user
Gateway Security Summit : 01/30/ Globu s Condo r GLexe c RSV Gratia VDT Fermi grid BNL_ATLAS _1 UCSDT2 ATLAS CM S Software Check software vulnerabilities Develop and announce patches Interoperability JSPG, IGTF: Participate in EGEE’s response and operation teams: Security Education for Sites and VOs Raise security awareness Teach OSG policies and best practices workshops, tutorials, grid schools Open Science Grid Job Submissions Policies for Site-VO interoperability Develop policies : AUP, Service Agreements, pilot policies, MOU, membership Inter operability Incident Response and Monitoring Coordinating the response teams, communication with Sites and VOs Banning compromised machines or users, monitoring for suspicious job submissions Fire drills for practice
Gateway Security Summit : 01/30/ Security Infrastructure Authentication –Performed by GSI –OSG distributes IGTF approved root CAs (in VDT) –Sites fetches automatic CRL updates –Sites can update root CAs (optional tool in VDT)
Gateway Security Summit : 01/30/ Authorization VOMS+PRIMA+GUMS VOMS Server Attribute Repository GUMS Server DN/FQAN Mapping (MySQL) Synch periodically to get VO membership Validate Proxy (GSI) Gate keeper Gridmap callout PRIMA Module Batch system Job submission 3 4: request account 5: account mapping 6 1: voms-proxy-init 2: receive VO permissions
Gateway Security Summit : 01/30/ VOMS VO Membership service –VO manages access rights for its members –FQAN: Fully Qualified Attribute Name –Based on RFC 3281 –Example: /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL –Different roles have different permissions Sites must honor VO permissions VOMS registration –via VOMS, or VOMRS or manually Use voms-proxy-init instead of grid-proxy-init – VO specific permissions FQAN inserted into X.509 noncritical extensions
Gateway Security Summit : 01/30/ GUMS: Grid User Management Service Maps user DNs/FQANs to accounts –Replaces grid-map files –Site-wide tool Sites recognize VO permissions Synch with VOMS periodically –Downloads the VO memberships, FQANs –Can work with LDAP instead of VOMS
Gateway Security Summit : 01/30/ GUMS Three types of mapping –personal accounts (manual or from LDAP) –group accounts (multiple DNs to a single UID, like VO -> UID) –pool accounts (dynamically generated) Guarantee that the same UID can be used by only one DN/FQAN at any given time Currently, the pool account is created when a DN/FQAN is first seen, and never released
Gateway Security Summit : 01/30/ GUMS Two kinds of grouping User groups –Map (DN,FQAN) to (uid,gid) Host groups –Connect host with user groups –A M x N configuration –A single host group can be used for Multiple hosts (like "*.usatlas.bnl.gov") Multiple user groups (like “usatlasGroup,atlas,dial")
Gateway Security Summit : 01/30/ gPlazma: Storage Authz SRM-dCache SRM Server voms-proxy-init Proxy with VO Membership | Role attributes gPLAZMA PRIMA SAML Client Storage Authorization Service Storage metadata GridFTP Server DATA https/SOAP SAML response SAML query Get storage authz for this username User Authorization Record If authorized, get username SRM Callout srmcp GridFTP Callout gPLAZMALite Authorization Service gPLAZMALite grid-mapfile dcache.kpwd GUMS Identity Mapping Service a 4b 4c 4d
Gateway Security Summit : 01/30/ CE and SE: Big Picture GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout Storage Authorization Service
Gateway Security Summit : 01/30/ Local or Remote Client Proxy with VO Membership | Role Attributes SAZ GUMS Site-wide Assertion Service Site VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout PEP Storage Authorization Service
Gateway Security Summit : 01/30/ Local or Remote Client Proxy with VO Membership | Role Attributes GUMS Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout Storage Authorization Service
Gateway Security Summit : 01/30/ SAZ gPLAZMALite Authorization Services suite GUMS Site-wide Assertion Service Site VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout Storage Authorization Service Local or Remote Client Proxy with VO Membership | Role Attributes
Gateway Security Summit : 01/30/ Local or Remote Client Proxy with VO Membership | Role Attributes gPLAZMALite Authorization Services suite GUMS Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout PEP Storage Authorization Service
Gateway Security Summit : 01/30/ gLExec Slide courtesy: Igor Sfiligoi, Gabriele Garzoglio, FNAL When a user submits a grid job to an OSG site, the job always carries the user's credentials. At the execution site, the job is assigned an appropriate userid under which to run. Another option for submitting grid jobs involves the concept of a pilot job. This type of job, once it's in a site's batch slot, coordinates and calls a series of user jobs according to VO priorities at launch time. If the pilot job and the user jobs all run under the same userid, however, the pilot job framework violates the security policies of any site that requires knowledge and control of its resource users. gLExec, a gLite product currently used on European Computing Elements, solves this problem. gLExec is a privileged executable that, given a user credential and an execution command, obtains the appropriate Unix ID from a site's GUMS server and executes the job under that Unix ID. In order to use gLExec within OSG, VOs must configure the pilot job such that it "calls home" to get the associated user credential. The pilot then forwards the credential to gLExec, which uses it to communicate with the site security service, thus returning control to the site.
Gateway Security Summit : 01/30/ gLExec Slide courtesy: Igor Sfiligoi, Gabriele Garzoglio, FNAL
Gateway Security Summit : 01/30/ How to become an OSG member? Join the OSGEDU VO: – Run small applications after learning how to use OSG from schools Be part of the Engagement program and Engage VO: –Support within the Facility to bring applications to production on the distributed infrastructure Be a standalone VO and a Member of the Consortium: –Ongoing use of OSG & participate in one or more activity groups. Open Science Grid
Gateway Security Summit : 01/30/ Documents OSG Security twiki – OSG Security Plan – bin/ShowDocument?docid=389http://osg-docdb.opensciencegrid.org/cgi- bin/ShowDocument?docid=389 Security Awareness for the OSG – bin/ShowDocument?docid=573http://osg-docdb.opensciencegrid.org/cgi- bin/ShowDocument?docid=573