LCG/GDB Security (Report from the LCG Security Group)
RAL, 8 July 2003
David Kelsey, CCLRC/RAL, UK


Slide 2: Overview
- Topics for agreement today
  - Rules for Use of LCG-1 (Paper #36)
  - Audit Requirements (Paper #37)
  - Incident Response (Paper #38)
  - User Registration/VO Management (Paper #39)
- Security Group meeting
  - 19th June (phone)

Slide 3: Rules for Use of LCG-1 (#36)
- To be agreed to by all users (signed via private key in browser) when they register with LCG-1
- Deliberately based on current EDG Usage Rules
  - Does not override sites' rules and policies
  - Only allows professional use
- Once discussions start on changes
  - Chance we never converge!
- We know that they are far from perfect
- Are there major objections today?
  - One comment says we should define the list of user data fields (as agreed at the last GDB)
- Use now and work on better version for Jan 2004
  - Consult lawyers?

Slide 4: Audit Requirements (#37)
- UI: None
- RB: None – look at later
  - For origin of job submission
- CE: gatekeeper maps DN to local account
  - Keep gatekeeper and jobmanager logs
- SE/GridFTP
  - Keep input and output data transfer logs
- Batch system
  - jobmanager logs (or batch system logs)
- Need to trace process activity – pacct logs
  - This is large
- Central storage of all logfiles?
  - Rather than on the WN
- To be kept for at least 90 days by all sites

Slide 5: Incident Response (#38)
- Procedures for LCG-1 start (before GOC)
  - Incidents, communications, enforcement, escalation etc
- Party discovering incident responsible for
  - Taking local action
  - Informing all other security contacts
- Difficult to be precise at this stage – we have to learn!
- We have created an ops security list (before GOC)
  - Default site entry is the Contact person but an operational list would be better
- LCG-1 sites need to refine and improve
- All sites must buy-in to the procedures

Slide 6: User Registration & VO Management (#39)
- User registers once with LCG-1
  - Accepts User Rules
  - Gives the agreed set of personal data (last GDB)
  - Requests to join one VO/Experiment
- We need robust VO Registration Authorities to check
  - The user actually made the request
  - User is valid member of the experiment
  - User is at the listed institution
  - That all user data looks reasonable
    - E.g. mail address
- The web form will warn that these checks will be made
- User data is distributed to all LCG-1 sites

Slide 7: User Registration aims
- To provide LCG-1 with accurate information about users for
  - Pre-registration of accounts (where needed)
  - Auditing (legal requirements)
- To ensure VO managers do appropriate checks
  - To allow LCG-1 sites to open resources to VO
- BUT… the current procedures have limited resources
  - To some extent has to be “best efforts”
    - E.g. do we need backup VO managers?

Slide 8: VO Registration (2)
- Today’s VO managers
  - ALICE: Daniele Mura, INFN
  - ATLAS: Alessandro De Salvo, INFN
  - CMS: Andrea Sciaba, INFN
  - LHCb: Joel Closier, CERN
  - DTEAM: Ian Neilson, CERN
- Plan to continue to use the existing VO servers and services (run by NIKHEF) and the current VO managers (all agree to continue)
  - DTEAM run at CERN

Slide 9: VO/Experiment RA
- For LCG-1 start
- VO manager checks request via one of
  - Direct personal knowledge or contact (not )
  - Check in official CERN or experiment database
  - With official experiment contact person at employing institute
    - Signed ? (not done today)
- Identity and employing institute are the critical ones
- VO managers/LCG registrar to maintain a list of institutes and contact persons
- Work needed on more robust procedures for 2004
  - That can scale
    - With distributed RA’s?