Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team

Highlights
- Introduction
- OSG PKI transition to OSG CA
- SHA2
- CILogon CA certificates
- Certificate-free job submissions
- Future goals
Kevin Hill - Evolution of the OSG Authentication Model, Fall 2013 HEPIX (slide 2)

Introduction
OSG Security Team:
- Mine Altunay - OSG Security Officer
- Kevin Hill
- Anand Padmanabhan
The Open Science Grid is funded by the National Science Foundation and the Department of Energy.

OSG PKI Transition
- OSG has historically used X.509 certificates (and the proxy certificates derived from them) for authentication.
- The security team is responsible for the OSG root CA bundle: the IGTF bundle plus a few additions.
- The DOEGrids CA shut down, and OSG started its own CA.

PKI Transition - DOEGrids CA
- The DOEGrids CA stopped issuing new certificates in March, and all outstanding DOEGrids certificates expire early [year missing from the transcript].
- When this was announced (well ahead of time), OSG started planning to create its own CA.
Some concerns:
- DOEGrids CA had its own web site for user certificate requests, as well as command line tools for getting certificates.
- DOEGrids CA had its own concept of Sites and Virtual Organizations.
- It served a wider audience than OSG.
- Its mapping of virtual organizations was slightly different from OSG's.

OSG CA
- OSG now has its own certificate portal, with the DigiCert CA signing certificates in the background.
- DigiCert created a separate OSG Grid root CA.
- New web interface and command line tools. The web interface is part of the existing OIM system and is integrated with the OSG GOC ticket system.
- Some growing pains in getting old DOEGrids Virtual Organizations mapped to OSG VOs.

Certificate Approval Process
1. A certificate is requested. The requester specifies a VO as well as a sponsor.
2. The sponsor verifies that the request comes from a real person who is who they claim to be.
3. The RA approves the certificate based on the sponsor's OK.
4. The certificate is signed and downloaded by the requester.

SHA2 Transition
- SHA1 certificates are nearing the point where the processing power needed to generate collisions is within reach.
- The current recommendation is to start issuing SHA2 certificates on December 1st. OSG will recommend January 15th, to avoid changes during the holidays.
- All OSG-provided software works with SHA2. Other software may still need testing.
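A practical question during the transition is which certificates in a bundle, host directory or user's ~/.globus are still SHA-1 signed. The following added example (not OSG code, not from the slides) reads the signatureAlgorithm OID straight out of the DER so it runs with only the Python standard library; the certificate skeletons it checks are constructed in the script, and the OID table covers the RSA and ECDSA algorithms one meets in grid bundles.

```python
"""Report the signature algorithm of X.509 certificates (PEM or DER), stdlib only.

A Certificate is SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE
{ OID, ... }, signatureValue BIT STRING }, so the OID we need is the first element
of the second element of the outer SEQUENCE. Added example, not OSG code.
"""
import base64
import re

SIGNATURE_OIDS = {  # dotted OID -> (name, digest)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body to dotted form (first arc 0, 1 or 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def pem_to_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data

def signature_algorithm(cert_bytes):
    """Return (name, digest) of the certificate's outer signature algorithm."""
    tag, cert, _ = read_tlv(pem_to_der(cert_bytes), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)    # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, ("unknown:" + dotted, None))

def needs_sha2_upgrade(cert_bytes):
    """True when the certificate is signed with MD5 or SHA-1."""
    return signature_algorithm(cert_bytes)[1] in ("md5", "sha1")

# ---- constructed samples (structurally valid skeletons, not real certificates) ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def constructed_cert(sig_oid):
    """Certificate skeleton: v3 version, dummy serial, given algorithm, zero signature."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01\x00" * 40))
    alg = _tlv(0x30, _oid(sig_oid) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 257)
    return _tlv(0x30, tbs + alg + sig)

SHA1_SAMPLE = constructed_cert("1.2.840.113549.1.1.5")
SHA256_SAMPLE = constructed_cert("1.2.840.113549.1.1.11")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SHA256_SAMPLE)
              + b"-----END CERTIFICATE-----\n")
```

For a one-off check, `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'` shows the same field. Two caveats when scanning a CA bundle: the self-signature on a root is a trust anchor and does not need to move to SHA-2, so what matters is the signatures on intermediates, host and user certificates below it; and the signing algorithm of the proxy certificates generated by grid-proxy-init or voms-proxy-init follows the client software, not the CA, which is one reason the slide says other software still needs testing.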

CILogon Basic Certificates
- An alternative source of X.509 certificates for users.
- Uses federated authentication: the certificate is issued after the requester authenticates to their home institution, which acts as the Identity Provider (IdP).
- CILogon Basic CA certificates are not currently IGTF accredited, so sites that accept only the IGTF bundle (unfortunately most sites) do not accept them.
- The CILogon Silver CA is in the IGTF root CA bundle.

CILogon Basic CA Advantages
- Quick for users to get certificates.
- Replaces the manual sponsor and RA verification steps of the OSG CA workflow with a federated authentication check via the InCommon federation.

Future CILogon Basic Usage
- Currently looking for more sites to accept the certificates, so more users can use them.
- Not currently issuing service certificates.
- Some sites have an issue with certain IdPs: accepting the CA effectively lets everyone with a valid account at those institutions sign up.
  - The accepted subjects can be limited via a modified signing_policy file.
  - Care is needed when the cilogon CA certificate package is updated, since the update may replace the local modification.
- Really not that different from a regional CA or a large university CA.
- VO registration is an added step: VO membership is checked in addition to the certificate.
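The signing_policy restriction mentioned above is a Globus/EDG-style file next to the CA certificate: an `access_id_CA` line names the CA, and `cond_subjects` lists the subject DN patterns it is allowed to sign, with `*` as the wildcard. The added example below (not OSG or CILogon code) parses such a file and answers "may this CA sign this subject?" for a given issuer and subject, and shows the hash a site could record to notice when a package update has replaced the file. The CA DN, institution names and subject DNs are constructed for the example and must be checked against the real CILogon Basic CA certificate and the DNs it actually issues before anything like this is deployed.

```python
"""Evaluate a Globus-style signing_policy for (issuer DN, subject DN) pairs.

Added example for restricting which CILogon Basic subjects a site accepts;
not OSG or CILogon code. All DNs below are constructed for the example.
"""
import hashlib
import re
import shlex

BASIC_CA = "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1"  # assumed DN

SAMPLE_POLICY = """\
# Constructed sample: allow the Basic CA only for two institutions.
access_id_CA  X509  '/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1'
pos_rights    globus CA:sign
cond_subjects globus '"/DC=org/DC=cilogon/C=US/O=University of Example/*" "/DC=org/DC=cilogon/C=US/O=Example State University/*"'
"""

def parse_signing_policy(text):
    """Return {ca_dn: [subject_pattern, ...]} from signing_policy text."""
    policy, ca = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # DNs here never contain '#'
        if not line:
            continue
        fields = shlex.split(line)            # honours the single quotes around DNs
        if fields[0] == "access_id_CA":
            ca = fields[2]
            policy.setdefault(ca, [])
        elif fields[0] == "cond_subjects" and ca is not None:
            # fields[2] is itself a quoted list: '"pattern1" "pattern2"'
            policy[ca].extend(shlex.split(fields[2]))
    return policy

def _pattern_to_regex(pattern):
    # signing_policy patterns: '*' matches any run of characters, everything else is literal
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def ca_may_sign(policy, issuer_dn, subject_dn):
    """True if issuer_dn is a listed CA and subject_dn matches one of its patterns.

    Unknown CAs and CAs without any cond_subjects pattern fail closed.
    """
    patterns = policy.get(issuer_dn)
    if not patterns:
        return False
    return any(_pattern_to_regex(p).match(subject_dn) for p in patterns)

def policy_fingerprint(text):
    """SHA-256 of the policy file; compare after package updates to catch an overwrite."""
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed subject DNs in the CILogon layout (O = institution, CN = name + id)
OK_DN = "/DC=org/DC=cilogon/C=US/O=University of Example/CN=Alice Researcher A12345"
BLOCKED_DN = "/DC=org/DC=cilogon/C=US/O=Open Enrollment Institute/CN=Mallory M98765"
PREFIX_DN = "/DC=org/DC=cilogon/C=US/O=University of Examples/CN=Not The Same Org X1"

if __name__ == "__main__":
    pol = parse_signing_policy(SAMPLE_POLICY)
    for dn in (OK_DN, BLOCKED_DN, PREFIX_DN):
        print("accept" if ca_may_sign(pol, BASIC_CA, dn) else "reject", dn)
    print("policy fingerprint", policy_fingerprint(SAMPLE_POLICY))
```

Two points worth keeping in mind when writing the real patterns: `*` matches across DN components, so a pattern must end at the institution component (`/O=University of Example/*`) and never start with the wildcard; and the check is per CA, so a subject issued by a different CA (the Silver CA, for instance) is governed by that CA's own signing_policy file and is rejected here simply because it is not listed.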

Certificate-free Job Submission
- Certificate management can be a headache, especially for new users who may not need individual certificates for anything else.
- The manual approval process of traditional CAs could delay certificate issuance by several days.
- GlideinWMS allows users to submit jobs with a local account on a submission system, without their own certificate.

Certificate-Free Job Submission
Why do we use certificates?
- Identify users running jobs (traceability):
  - identify who is running a particular job;
  - identify where a particular user has jobs running.
- Control access:
  - block a compromised account from running new jobs;
  - block unwanted access;
  - limit access to jobs from certain VOs, or by other criteria.

Certificate-Free Job Submission
Can we do these functions without certificates?
- Yes, if we move job submission from end user systems to VO-managed portals.
- This is only reliable if the user management policies of the submission portal are trusted: the portal's account management takes over the role the CA's vetting used to play.
- Certificates, by contrast, allow jobs to be submitted from any computer with the appropriate tools installed.

Glidein WMS Overview
[diagram slide; the figure is not in the transcript]
* Blatantly stolen from

Certificate-Free Job Submission Project
- Evaluate whether traceability is possible: can the individual who submitted a job via Glidein be identified without an end user X.509 certificate?
- Requires coordination of admins at the worker node, factory, and frontend systems.
- All the information was preserved in logs, but there is no single stop for the information needed.

Traceability Concerns
- VOs can have multiple independent submission systems.
- Access control is limited to blocking the DN of the VO submission system instead of an individual's DN.
- Flocking produces additional complications.
- Should all VOs be trusted? If not, what changes should we make?

OSG Connect
- The OSG Connect project provides a web portal for users to sign up and submit jobs.
- Uses CILogon/InCommon federated authentication, so there are only minimal delays in creating accounts for users of existing experiments.
- Uses Globus Online to transfer data via web browser.
- Submitted jobs are flocked to existing OSG VO frontends.

Future Plans
- Continue with DigiCert CA signed certificates for the time being.
- Recommend CILogon CA signed certificates for InCommon member sites.
- Pursue federated login support via the InCommon federation (CILogon).
- Eliminate end user certificate requirements for normal usage from known submission nodes.
- Move job submission from end user systems to VO-managed portals.

Links
- OSG Security Page
- Traceability Requirements for end user jobs without certificates
- An Assessment of User Job Traceability in GlideinWMS framework
(the OSG DocDB links survive in the transcript only as the fragments ShowDocument?docid=1149 and ShowDocument?docid=1175)

Questions? Hopefully everyone is still awake...