Andrew McNab - Access Control - 28 May 2002 Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester.
GridPP / EDG / WP6

Outline
- Sysadmins' issues
- Existing VO vs CAS
- Pool accounts
- SlashGrid
- Grid ACLs
- XML Grid ACLs
- GACL library
- Certfs as "native container" hosting environment
- GridSite as "0th order container" environment

Current Grid site administrators' worries...
- How can Grid users gain access without me creating new accounts every day?
- How can I limit what they can do?
- How can I audit what they've done to me?
- How can I keep track of files they've created?
- Local access control and account management boils down to
  - mapping Grid identities into appropriate local Unix identities
  - while respecting the above.

Existing VO vs CAS
- EDG already has VO authorisation servers in use: centrally provided authorisation listings
  - published via LDAP (~100 users in 7 VOs)
  - mkgridmap tool for building a local grid-mapfile with a local choice of VOs.
- Provides a list of DNs for a given group: e.g. an experiment, or a group within an experiment.
- Groups have to be defined by an admin of the VO
  - can't be defined on an ad-hoc basis by small groups of users.
- However, the current system provides the functionality that running experiments like BaBar cope with, so it is OK.
- Globus CAS would allow finer-grained authorisation.
  - Also need a way for users to define new resources and associate authorisation groups with them. In CAS or locally?

Pool accounts
- The other half of removing the account-creation burden from admins.
- Widely used by TB1 sites (i.e. all except Lyon, which is AFS based).
- Auditing is possible since all DN => UID mappings are recorded in log files.
- The same pool mappings can be shared across a farm by sharing the gridmapdir lock files over NFS.
- The existing system works OK for jobs that need only CPU and temporary files.
- But it is not really appropriate if users create long-lived files at the site in question.
- The limitation is that files are still owned by a Unix UID: the UID can't be recycled until every file it created has been removed.
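The mechanism behind the pool-account slide, as an added example in Python (not code from the slides or from the gridmapdir patch): a directory of empty marker files, one per pool account, where a DN is leased an account by hard-linking an encoded copy of the DN to a marker. Because link(2) is atomic, the marker's link count is the lock, which is also why the directory can be shared over NFS. The encoding of the DN, the marker-file naming, the audit-log shape and the storage-scan used to refuse recycling a UID that still owns files are all assumptions of this example, as are the DNs and paths it constructs for the demo.

```python
"""Pool-account leasing in the style of gridmapdir (added example, not the gridmapdir patch).
Assumptions: a free pool account is an empty marker file with link count 1; a DN is mapped by
hard-linking a URL-encoded copy of the lower-cased DN to that marker, so the claim is atomic."""
import os
import tempfile
import time
import urllib.parse

def encode_dn(dn):
    """One safe path component per DN (assumed encoding; case is folded)."""
    return urllib.parse.quote(dn.lower(), safe="")

def make_pool(gridmapdir, prefix, count):
    """Create `count` free marker files, e.g. pool001 ... pool00N."""
    os.makedirs(gridmapdir, exist_ok=True)
    for i in range(1, count + 1):
        open(os.path.join(gridmapdir, "%s%03d" % (prefix, i)), "a").close()

def pool_names(gridmapdir, prefix):
    return sorted(n for n in os.listdir(gridmapdir) if n.startswith(prefix))

def lookup(gridmapdir, prefix, dn):
    """Pool account currently leased to dn (the marker sharing its inode), or None."""
    try:
        ino = os.stat(os.path.join(gridmapdir, encode_dn(dn))).st_ino
    except FileNotFoundError:
        return None
    for name in pool_names(gridmapdir, prefix):
        if os.stat(os.path.join(gridmapdir, name)).st_ino == ino:
            return name
    return None

def allocate(gridmapdir, prefix, dn, log):
    """Lease a free account to dn, or return its existing lease; None when the pool is exhausted."""
    existing = lookup(gridmapdir, prefix, dn)
    if existing:
        return existing
    link = os.path.join(gridmapdir, encode_dn(dn))
    for name in pool_names(gridmapdir, prefix):
        marker = os.path.join(gridmapdir, name)
        if os.stat(marker).st_nlink != 1:
            continue                                   # already leased to another DN
        try:
            os.link(marker, link)                      # the atomic claim
        except FileExistsError:
            return lookup(gridmapdir, prefix, dn)      # this DN was mapped concurrently
        if os.stat(marker).st_nlink == 2:
            log.append((time.time(), "map", dn, name))   # audit record: DN => account
            return name
        os.unlink(link)              # two DNs raced for one marker: back off, try the next
    return None                      # fail closed rather than hand out an account still in use

def uid_has_files(root, uid):
    """True if anything under root is still owned by uid."""
    for d, dirs, files in os.walk(root):
        if any(os.lstat(os.path.join(d, n)).st_uid == uid for n in dirs + files):
            return True
    return False

def release(gridmapdir, prefix, dn, uid, storage_root, log):
    """Drop dn's lease. Refused while the account's UID still owns files under storage_root,
    because recycling that UID would hand those files to whoever is mapped to it next."""
    name = lookup(gridmapdir, prefix, dn)
    if name is None:
        return False
    if storage_root is not None and uid_has_files(storage_root, uid):
        return False
    os.unlink(os.path.join(gridmapdir, encode_dn(dn)))
    log.append((time.time(), "unmap", dn, name))
    return True

def current_mappings(gridmapdir, prefix):
    """Audit view: {dn: account} for every live lease, decoded from the link names."""
    by_ino = {os.stat(os.path.join(gridmapdir, n)).st_ino: n for n in pool_names(gridmapdir, prefix)}
    links = [n for n in os.listdir(gridmapdir) if not n.startswith(prefix)]
    return {urllib.parse.unquote(n): by_ino[os.stat(os.path.join(gridmapdir, n)).st_ino]
            for n in links if os.stat(os.path.join(gridmapdir, n)).st_ino in by_ino}

def demo():
    """Exercise the allocator in a throw-away directory (constructed data) and report what happened."""
    base = tempfile.mkdtemp()
    gmd, store = os.path.join(base, "gridmapdir"), os.path.join(base, "store")
    os.makedirs(store)
    make_pool(gmd, "pool", 2)
    log = []
    andrew = allocate(gmd, "pool", "/O=Grid/DN=Andrew", log)
    bob = allocate(gmd, "pool", "/O=Grid/DN=Bob", log)
    again = allocate(gmd, "pool", "/O=Grid/DN=Andrew", log)        # same DN, same account
    carol = allocate(gmd, "pool", "/O=Grid/DN=Carol", log)         # pool exhausted: None
    open(os.path.join(store, "andrew-output.dat"), "w").close()    # a long-lived file, owned by us
    blocked = release(gmd, "pool", "/O=Grid/DN=Andrew", os.getuid(), store, log)  # refused
    freed = release(gmd, "pool", "/O=Grid/DN=Bob", -1, store, log)  # -1: no file can carry this uid
    return {"andrew": andrew, "bob": bob, "again": again, "carol": carol, "blocked": blocked,
            "freed": freed, "carol_later": allocate(gmd, "pool", "/O=Grid/DN=Carol", log),
            "mappings": current_mappings(gmd, "pool"), "audit_events": len(log)}
```

The link-count check after os.link is what makes two allocators on NFS safe: if both linked the same marker its count is 3, both back off, and the marker is left free for the retry. The release check is the slide's last bullet made concrete: an account whose UID still owns files cannot go back into the pool, which is exactly the limitation the SlashGrid/certfs slides set out to remove.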

SlashGrid / certfs
- Framework for creating "Grid-aware" filesystems
  - different types of filesystem provided by dynamically loaded (and potentially third-party) plugins.
  - Source, binaries and API notes:
- The certfs.so plugin provides local storage governed by Access Control Lists based on DNs.
- Since most ACLs would have just one entry, this is equivalent to file ownership by DN rather than by UID.
  - solves the admin worry about long-lived files owned by pool accounts.
  - if pool accounts are prevented from writing to normal disks, then there is no chance they will write something unpleasant somewhere unexpected.
- (Also, a GridFTP plugin could provide a secure replacement for NFS.)

Grid ACLs
- For simplicity, would want to use the same ACL format for gsiftpfs etc.
- The current SlashGrid prototype (and GridSite) use a plain-text, per-directory ACL in .grid-acl
- As a file, this can be stored in directories, copied via unmodified http and gsiftp channels, and easily manipulated by scripts and applications.
- Implementing ACLs could also solve some other issues that have emerged with TB1:
  - e.g. per-UID tape storage: could store all tape files under one UID, but associate an ACL with each file and use that.
- Sysadmins want disk filesystem ACLs on the same physical disk as the files if possible.

Grid ACL vs CAS (or fine-grained VO)
- CAS provides the ACL-like feature of specifying what action (e.g. write) is permissible on an object (e.g. tau-wg-montecarlo).
- (If using lots of subgroups within a VO, could achieve much the same thing: e.g. define a group of people in tau-wg-montecarlo-write.)
- In some cases, this could be used to provide ACL functionality.
- However, it is too coarse-grained and too heavyweight for all contexts
  - e.g. if my job creates a temporary working directory in /grid/tmp, I don't want to set up a new entry on the central CAS machine to control this.
- The two systems should be seen as complementary
  - when you create some tau Monte Carlo, put it somewhere the ACL gives write access to people holding "tau-wg-montecarlo write".
  - when you just create a temporary directory, the ACL defaults to just the creator having admin access.

XML Grid ACL
- Several variations of XML Grid Access Control Lists have been suggested.
- An XML-based format is an obvious choice, since:
  - (a) XML parsers are already around for other things
  - (b) many protocols and metadata formats are going to XML, so a Grid ACL could easily be included
  - (c) XML is extensible, so we don't need to predict the future so much.
- For files, most seem to be based on about four permissions: read, list, write and admin (cf. AFS).
- These are then associated with combinations of personal DNs, CAS objects and LDAP VO groups.

One example XML Grid ACL format...
(The XML markup of this slide did not survive extraction. The credentials it showed were: an LDAP VO group ldap://ldap.abc.ac.uk/ ou=xyz,dc=abc,dc=ac,dc=uk; a CAS object issued by /O=Grid/OU=abc.ac.uk/DN=AbcCAS and named Can-read- (truncated in the transcript); and a personal DN /O=Grid/DN=Andrew.)

GACL library
- The XML ACL format is not finalised, but we want to write code that needs it now (GridSite is in production for GridPP etc.; SlashGrid is to be in EDG 1.3).
- The ACL may change again in the future; we may need to understand different (ugh!) ACLs from other Grid projects.
- Insulate GridSite and SlashGrid from this by moving the existing ACL-handling functions into a standalone library, and make this understand XML.
- Handles ACLs in a reasonably general way, packs C structs with their contents and provides access functions to manipulate the structs as new types:
  - GACLperm - read, list, write, admin...
  - GACLcred - a DN, VO group or CAS object.
  - GACLentry - several credentials, plus Allow and Deny levels.
  - GACLacl - several entries.

GACL library (2)
- Currently uses libxml to do the basic XML parsing
  - can read from files or from strings in memory.
- Functions like GACLnewCred(int type, char *issuer, char *name) are provided to build up new ACLs in memory, and to manipulate or evaluate existing ones.
- A working version of GridSite using GACL exists; SlashGrid is next.
- Intend to provide file and directory utility functions:
  - "read in the ACL for file /dir1/dir2/xyz" looks in /dir1/dir2/.gacl-xyz for a file ACL, then /dir1/dir2/.gacl, /dir1/.gacl ...
  - but don't limit the functionality to files (ACLs on metadata? queues? RBs?)
- Currently implements the XML format from the earlier slide.
- Source and an API description of the current version are available from the project site.
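To make the XML Grid ACL slide, the two GACL library slides and the "temporary directory defaults to creator-admin" point from the Grid ACL vs CAS slide concrete, here is an added Python example (not the GACL library, whose own element names and C API are not reproduced on this page). It parses an ACL whose entries combine person, LDAP-group and CAS credentials with allow and deny sets over the four permissions, evaluates the permissions a requester gets, builds the default creator-only ACL, and implements the .gacl-xyz / .gacl / parent-directory search order described above. The element names, the AND-of-credentials rule within an entry, deny-beats-allow, and the sample ACL (built from the credential values on the example slide) are assumptions of this example.

```python
"""GACL-style ACL handling: parse, evaluate, default ACL, and per-path lookup.
Added example; the XML element names and the evaluation rules are assumptions,
not the GACL wire format or the library's own semantics."""
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

PERMS = ("read", "list", "write", "admin")     # the four file permissions named on the slides

# Constructed sample ACL reusing the credential values from the example slide.
SAMPLE_ACL = """<gacl>
  <entry><person><dn>/O=Grid/DN=Andrew</dn></person>
         <allow><read/><list/><write/><admin/></allow></entry>
  <entry><group><issuer>ldap://ldap.abc.ac.uk/</issuer><name>ou=xyz,dc=abc,dc=ac,dc=uk</name></group>
         <allow><read/><list/></allow></entry>
  <entry><cas><issuer>/O=Grid/OU=abc.ac.uk/DN=AbcCAS</issuer><name>tau-wg-montecarlo-write</name></cas>
         <allow><write/></allow></entry>
  <entry><person><dn>/O=Grid/DN=Mallory</dn></person>
         <deny><write/><admin/></deny></entry>
</gacl>"""

# A credential is a (type, issuer, name) tuple; a person's DN is its own identity, so issuer is "".
def person(dn):
    return ("person", "", dn)

def group(issuer, name):
    return ("group", issuer, name)

def cas(issuer, name):
    return ("cas", issuer, name)

def _perms(entry, tag):
    """Permission names under <allow> or <deny>; unknown names are an error, not silently ignored."""
    found = {p.tag for p in entry.findall(tag + "/*")}
    unknown = found - set(PERMS)
    if unknown:
        raise ValueError("unknown permission(s) %s" % sorted(unknown))
    return found

def parse_acl(xml_text):
    """Return [(credentials, allow, deny), ...] with credentials as a set of tuples."""
    root = ET.fromstring(xml_text)
    if root.tag != "gacl":
        raise ValueError("not a gacl document")
    entries = []
    for entry in root.findall("entry"):
        creds = set()
        for el in entry:
            if el.tag == "person":
                creds.add(person(el.findtext("dn", "").strip()))
            elif el.tag in ("group", "cas"):
                creds.add((el.tag, el.findtext("issuer", "").strip(), el.findtext("name", "").strip()))
            elif el.tag not in ("allow", "deny"):
                raise ValueError("unknown element <%s> in entry" % el.tag)
        entries.append((creds, _perms(entry, "allow"), _perms(entry, "deny")))
    return entries

def permissions(entries, held):
    """Permissions for a requester holding the credential set `held`.
    An entry applies only if the requester holds every credential it lists; a deny in any
    applicable entry removes the permission even if another applicable entry allows it."""
    allowed, denied = set(), set()
    for creds, allow, deny in entries:
        if creds and creds <= held:
            allowed |= allow
            denied |= deny
    return allowed - denied

def default_acl_xml(creator_dn):
    """ACL written for a freshly created temporary directory: only the creator, with admin."""
    return ("<gacl><entry><person><dn>%s</dn></person>"
            "<allow><read/><list/><write/><admin/></allow></entry></gacl>" % escape(creator_dn))

def acl_search_path(path):
    """Candidate ACL files for `path`, most specific first: .gacl-<name> beside the file,
    then .gacl in its directory and in each parent up to the root."""
    parent, name = os.path.split(os.path.normpath(path))
    candidates = [os.path.join(parent, ".gacl-" + name)]
    d = parent
    while True:
        candidates.append(os.path.join(d, ".gacl"))
        up = os.path.dirname(d)
        if up == d:
            return candidates
        d = up

def load_acl_for(path, exists=os.path.exists, read=lambda p: open(p).read()):
    """Parse the most specific ACL that exists for `path`; no ACL anywhere means no permissions."""
    for cand in acl_search_path(path):
        if exists(cand):
            return parse_acl(read(cand))
    return []
```

The deny-wins rule is what lets a site pin down one DN without editing every group grant, and returning an empty entry list when no ACL is found keeps the lookup fail-closed: a directory tree with no .gacl at any level grants nothing rather than everything.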

Certfs as "native container" hosting environment
- Some of the OGSA discussions make a distinction between simple (e.g. native Linux) and container (e.g. Java or .NET) hosting environments.
  - May need native environments for existing and proprietary apps.
- The original motivation for "in a box" environments is security.
- OGSA's interest is in creating new services dynamically: this is easier if services are "in a box" to start with.
- Certfs is motivated by the desire to keep users from making long-lived UID-owned files.
- However, it is also a step towards the kind of dynamic environments OGSA talks about.
- Is the answer to our concerns about security, and to our desire for flexible, dynamic services, to make Unix UIDs as transitory as process group IDs?

GridSite as "0th order" container environment
- GridSite allows you to manage a website using Grid credentials
  - authentication provided by a Grid certificate in a standard browser (IE/NS)
- Admins can manage groups, and grant read, list, write or admin permission for directories (also published in an EDG-compatible LDAP VO - e.g. the BaBar and GridPP VOs).
- Directory access control is provided by the same ACLs as SlashGrid: a prototype exists using GACL and XML ACLs.
- The NeSC opening BaBar demo was done with GridSite: you can deposit a Globus proxy with the website and the server side can execute Globus actions (e.g. globus-job-status) on your behalf.
- Intend to blur the line between filesystem and Web using Grid tools:
  - access a GridSite server through the local filesystem via SlashGrid.
  - access remote resources via a web browser, respecting file ACLs and running remote CGI scripts using pool accounts / SlashGrid filesystems.

Summary
- Most of the concerns of admins are being addressed to some extent.
- The current VO system is probably sufficient, but CAS would be more flexible.
- Pool accounts are useful but limited by UID file-ownership issues.
- SlashGrid / certfs is intended to provide the solution to this.
- Defining a Grid ACL format deals with other issues too.
- Do this in XML: what format?
- The GACL library provides an API for handling whatever is finalised.
- How far can we go towards making UIDs purely transitory?
- GridSite as "0th-order" container environment.