Security in DataGrid, 12 Mar 2002, TERENA GRID-AN BoF. David Groep, NIKHEF, Amsterdam, based on a presentation by David Kelsey.

Slide 1: Security in DataGrid
12 Mar 2002, TERENA GRID-AN BoF
David Groep, NIKHEF, Amsterdam
Based on a presentation by David Kelsey, CLRC/RAL, UK

Slide 2: The EU DataGrid
DataGrid: generic Grid middleware and test bed for
– High Energy Physics
– Earth Observation and ozone modelling
– Bio-informatics & bio-medicine
Middleware components (on top of Globus):
– scheduling and accounting
– data replication and management
– monitoring
– data storage
– fabric and farm management

Slide 3
No effort is allocated specifically to security, so the work is distributed over the Work Packages (WPs):
– CA Coordination (Test bed, WP6): started before the project (end 2000), well established
– Ad-hoc Authorization (Test bed, WP6): interim solutions for distributing collaboration user lists and "virtual organization directories"
– Security Coordination ("Networking", WP7): requirements gathering and design of a first "security architecture"; definition of security guidelines for middleware development

Slide 4: Start with … Authentication

Slide 5: WP6 CACG (CA Coordination Group)
11 DataGrid Testbed1 CAs
– See the WP6 web pages
– Much effort to run these; growing number of certificate requests
– Several moving to OpenCA
US DOE ScienceGrid CA
– Operational since January 2002
– Approved as a DataGrid "trusted" CA (and vice versa!)
– First test of transatlantic authentication last month
Karlsruhe CA (CrossGrid and HEP Germany)
– To be incorporated later
The group seems to attract Grid CA issues that should have gone to GGF!

Slide 6: Authentication (2)
One of the EDG CAs (CNRS) acts as a "catch-all" CA
– Its CP/CPS will get explicit statements about its RAs
Matrix of Trust (work ongoing, and much work!)
– Feature matrix
– Acceptance matrix (WP6 CA managers check each other against minimum requirements)
BUT: still another 7 CrossGrid countries with no CA, and many other LHC countries
Scaling problems!
– Automate the feature checking
– Continue to work with GGF in the GridCP group

Slide 7: Authentication (3)
[DataGrid CA Features matrix: table not included in the transcript]

Slide 8: CA Acceptance Matrix
Detailed reports per CA
Guidelines for "national" site admins
To be done:
– versioning of CP/CPS
– invalidation after CP/CPS updates

Slide 9: And now … Authorisation

Slide 10: GSI – Grid map file
Resource authorization based on access lists
Maps "Grid name" (certificate subject DN) → local UID
Consulted after successful authentication: a DN that is not in the file is refused even though its certificate verified
Example (the last entry is cut off in the transcript):

    triode:davidg:1002$ cat /etc/grid-security/grid-mapfile
    "/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
    "/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn
    "/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj
    "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov
    "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
    "/C=IT/O=INFN/L=Torino/CN=Piergiorgio aliprod

Slide 11: mkgridmap and VOs
Virtual Organizations (VOs) define user groups: "ATLAS", "LHCb", "OzoneModelling", …
Directory with user lists, maintained by the VO admin
Resource owners extract the list from the "allowed" VOs
– optional: AND with one other directory (for example the list of users who have signed the AUP!)
– periodically regenerated (once per day)

Slide 12: grid-mapfile generation
[Diagram: mkgridmap reads the VO Directory (for example o=testbed,dc=eu-datagrid,dc=org with ou=People entries such as CN=Franz Elmer and CN=John Smith) and an "Authorization Directory" (for example o=xyz,dc=eu-datagrid,dc=org with ou=People, ou=Testbed1, ou=??? and entries such as CN=Franz Elmer, CN=John Smith, CN=Mario Rossi), combines them with the local users list and a ban list, and writes the grid-mapfile. Users are identified by the subject of their Authentication Certificate.]

Slide 13: Entries in VO Directory
VO membership list entry:

    dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: pkiUser
    sn: Barbera
    cn: Roberto Barbera
    mail:
    labeledURI: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate

(Sub)group entry:

    dn: ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org
    objectClass: domain
    objectClass: organizationalUnit
    objectClass: groupofnames
    ..
    owner: cn=manager,o=lhcb,dc=eu-datagrid,dc=org

Administration roles shown on the slide: VO administrators (membership list), sub-group administrators (sub-groups)
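
The mkgridmap flow of slides 11 to 13, as an added Python example that is not part of the original slides and not the EDG tool itself. It assumes that each VO list entry exposes the certificate subject in a "description: subject=" attribute and that the site configuration uses a mkgridmap.conf-like syntax with group, auth and deny keywords; the LDAP servers are replaced by an in-memory dictionary keyed by URL so the example runs offline. All DNs, URLs and account names are constructed.

```python
"""Added example (not the EDG mkgridmap tool) for slides 11 to 13: generate a
grid-mapfile from VO membership lists, ANDed with an authorization directory
and filtered by a ban list.  The LDIF, URLs and config are constructed
sample data; the real tool queries LDAP servers."""
import re
import shlex

# Constructed stand-in for the LDAP directories, keyed by the URL the config
# names.  Assumption: each member entry carries the certificate subject in a
# "description: subject=<DN>" attribute; a deployment that stores the
# certificate itself (userCertificate) would extract the subject from it.
DIRECTORY = {
    'ldap://vo.example/ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org': '''
dn: cn=Franz Elmer,ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org
objectClass: pkiUser
description: subject=/O=example/O=users/CN=Franz Elmer

dn: cn=John Smith,ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org
objectClass: pkiUser
description: subject=/O=example/O=users/CN=John Smith
''',
    'ldap://vo.example/ou=People,o=alice,dc=eu-datagrid,dc=org': '''
dn: cn=John Smith,ou=People,o=alice,dc=eu-datagrid,dc=org
description: subject=/O=example/O=users/CN=John Smith

dn: cn=Anna Keller,ou=People,o=alice,dc=eu-datagrid,dc=org
description: subject=/O=example/O=users/CN=Anna Keller

dn: cn=Mario Rossi,ou=People,o=alice,dc=eu-datagrid,dc=org
description: subject=/O=example/O=users/CN=Mario Rossi
''',
    # the "Authorization Directory": everyone who has signed the AUP
    'ldap://auth.example/ou=People,o=testbed,dc=eu-datagrid,dc=org': '''
dn: cn=Franz Elmer,ou=People,o=testbed,dc=eu-datagrid,dc=org
description: subject=/O=example/O=users/CN=Franz Elmer

dn: cn=John Smith,ou=People,o=testbed,dc=eu-datagrid,dc=org
description: subject=/O=example/O=users/CN=John Smith

dn: cn=Anna Keller,ou=People,o=testbed,dc=eu-datagrid,dc=org
description: subject=/O=example/O=users/CN=Anna Keller

dn: cn=Mario Rossi,ou=People,o=testbed,dc=eu-datagrid,dc=org
description: subject=/O=example/O=users/CN=Mario Rossi
''',
}

# Site configuration, modelled loosely on mkgridmap.conf (assumed syntax):
#   group <VO list URL> <local account>   members of this list map to account
#   auth  <directory URL>                  members must ALSO appear here (AUP)
#   deny  <DN>                             site ban list
CONFIG = '''
group ldap://vo.example/ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org lhcb001
group ldap://vo.example/ou=People,o=alice,dc=eu-datagrid,dc=org alice001
auth  ldap://auth.example/ou=People,o=testbed,dc=eu-datagrid,dc=org
deny  "/O=example/O=users/CN=Mario Rossi"
'''

SUBJECT_RE = re.compile(r'^description:\s*subject=\s*(.+?)\s*$', re.M)


def subjects_from_ldif(text):
    """Set of certificate subjects found in an LDIF search result."""
    return set(SUBJECT_RE.findall(text))


def build_gridmap(config, directory):
    """Return {dn: account}; the first matching group wins for multi-VO users."""
    groups, auth_urls, denied = [], [], set()
    for raw in config.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == 'group' and len(parts) == 3:
            groups.append((parts[1], parts[2]))
        elif parts[0] == 'auth' and len(parts) == 2:
            auth_urls.append(parts[1])
        elif parts[0] == 'deny' and len(parts) == 2:
            denied.add(parts[1])
        else:
            raise ValueError('bad config line: %r' % raw)   # never guess
    authorized = None                   # None: no AND condition configured
    if auth_urls:
        authorized = set()
        for url in auth_urls:
            authorized |= subjects_from_ldif(directory[url])
    mapping = {}
    for url, account in groups:
        for dn in sorted(subjects_from_ldif(directory[url])):
            if dn in denied or (authorized is not None and dn not in authorized):
                continue
            mapping.setdefault(dn, account)
    return mapping


def render(mapping):
    """Serialise in grid-mapfile syntax (quoted DN, space, account)."""
    return ''.join('"%s" %s\n' % item for item in sorted(mapping.items()))
```

On the sample data build_gridmap yields three entries: John Smith belongs to two VOs and lands in the first configured group (lhcb001), Anna Keller maps to alice001, and Mario Rossi has signed the AUP but sits on the site's ban list, so he is dropped. The deny list is applied after the directory lookups, so a ban holds even if a VO admin re-adds the user; a malformed config line aborts the run rather than silently producing a partial mapfile.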

Slide 14: Authorisation
WP6 Authorisation group (R. Cecchini, INFN)
Future plans:
– Evaluation of CAS and PERMIS
– Better VO Directory management
– Support for replicas of VO Directories
– Support for user attributes in the VO Directories, e.g. the AUP signing information (with expiration date …)

Slide 15: Authorisation (2)
Globus Community Authorisation Server (CAS)
– Long awaited!
– Hot news: alpha release by the end of next week
PERMIS
– EU funded project
– Univ of Salford (UK), member of SecureGrid
– Policy-based, role-based (XML) access control

Slide 16: Spitfire Security Mechanism
[Diagram of the request path through the Servlet Container:]
1. The request arrives over HTTP + SSL with a client certificate, through the SSLServletSocketFactory.
2. TrustManager: is the certificate signed by a trusted CA (Trusted CAs store)? If no, reject. Has the certificate been revoked (Revoked Certs repository)? If revoked, reject.
3. Security Servlet: does the user specify a role? If no, find the default; either way, check it against the Role repository (Role ok?).
4. Authorization Module: map the role to a connection id using the Connection mappings.
5. Translator Servlet: pass the request and connection ID to the RDBMS through the Connection Pool.

Slide 17: WP4 Subsystems and relationships (D4.2)
[Diagram not included in the transcript]

Slide 18: GridMapDir (WP6 - McNab)
Account sharing mechanism for local UIDs
A modified version of GSI allows mapping to "account pools" (à la DHCP)
– nice when VO directories are large and not all users go to all sites
– difficult to recycle accounts (files!)
– successfully deployed in EDG TB1
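
The grid-mapfile lookup of slide 10 and the pooled accounts of slide 18, as an added Python example that is not code from the slides, from EDG or from Globus. The sample mapfile and DNs are constructed; the hard-link lease scheme in GridMapDir is an assumption about how a gridmapdir works, since the slide only names the mechanism.

```python
"""Added example (not EDG or Globus code) for slides 10 and 18: resolve a
certificate subject DN through a GSI-style grid-mapfile and lease pooled
accounts through a gridmapdir-like directory.  All DNs, account names and
file contents are constructed for the demonstration."""
import os
import shlex
import tempfile
import urllib.parse

# Constructed sample grid-mapfile.  Assumption: a leading '.' marks a pool
# (the gridmapdir convention); other names are ordinary static accounts.
SAMPLE_MAPFILE = '''
# comment lines and blank lines are ignored
"/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
"/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn,martijn2
"/O=example/O=vo/CN=Pool User One" .tbusr
"/O=example/O=vo/CN=Pool User Two" .tbusr
'''


def parse_gridmap(text):
    """Return {dn: [account, ...]} from grid-mapfile text.

    DNs contain spaces, so they are quoted; the account field may list
    several accounts separated by commas (the first is the default).
    Malformed lines are skipped, never mapped to anything: fail closed."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:      # unbalanced quotes, e.g. a truncated entry
            continue
        if len(parts) != 2:
            continue
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(',') if a]
    return mapping


class GridMapDir:
    """Lease store for pooled accounts (assumed hard-link scheme).

    The directory holds one empty file per pool account.  A lease is a hard
    link to that file named after the encoded DN, so an account is free
    while its link count is 1.  Leases persist until released, which is why
    recycling accounts (and the files they own) is hard."""

    def __init__(self, path, pool_accounts):
        self.path = path
        for acct in pool_accounts:
            open(os.path.join(path, acct), 'a').close()

    @staticmethod
    def _encode(dn):
        return urllib.parse.quote(dn, safe='').lower()   # filename-safe DN

    def _account_files(self, pool):
        return sorted(n for n in os.listdir(self.path) if n.startswith(pool))

    def lease(self, dn, pool):
        """Return the pool account leased to dn, leasing a free one if needed."""
        link = os.path.join(self.path, self._encode(dn))
        if os.path.exists(link):                  # existing lease: same inode
            ino = os.stat(link).st_ino
            for name in self._account_files(pool):
                if os.stat(os.path.join(self.path, name)).st_ino == ino:
                    return name
            raise RuntimeError('lease for %s is outside pool %s' % (dn, pool))
        for name in self._account_files(pool):
            target = os.path.join(self.path, name)
            if os.stat(target).st_nlink != 1:
                continue
            os.link(target, link)                 # atomic claim
            if os.stat(target).st_nlink == 2:     # nobody raced us for it
                return name
            os.unlink(link)                       # lost the race: next one
        raise RuntimeError('pool %s exhausted' % pool)

    def release(self, dn):
        """Free the UID; the site must still clean up the files it left."""
        link = os.path.join(self.path, self._encode(dn))
        if os.path.exists(link):
            os.unlink(link)


def map_dn(dn, mapping, gridmapdir):
    """Resolve dn to a local account, or None when it is not in the list."""
    accounts = mapping.get(dn)
    if not accounts:
        return None                   # authenticated but not authorized
    account = accounts[0]
    if account.startswith('.'):
        return gridmapdir.lease(dn, account[1:])
    return account


def demo():
    """Map a few DNs against the sample file and a two-account pool."""
    mapping = parse_gridmap(SAMPLE_MAPFILE)
    with tempfile.TemporaryDirectory() as d:
        gmd = GridMapDir(d, ['tbusr001', 'tbusr002'])
        results = [map_dn(dn, mapping, gmd) for dn in (
            '/O=dutchgrid/O=users/O=nikhef/CN=David Groep',
            '/O=example/O=vo/CN=Pool User One',
            '/O=example/O=vo/CN=Pool User One',    # repeat: same lease
            '/O=example/O=vo/CN=Pool User Two',
            '/O=unknown/CN=Nobody')]
        try:                           # a third pool user finds nothing free
            gmd.lease('/O=example/O=vo/CN=Pool User Three', 'tbusr')
            exhausted = False
        except RuntimeError:
            exhausted = True
    return results, exhausted
```

demo() returns (['davidg', 'tbusr001', 'tbusr001', 'tbusr002', None], True): a static entry, the same pool account handed back twice for the same DN, a second pool user, an unknown DN refused after authentication, and a third pool user rejected because the two-account pool is exhausted. Nothing ever drops a lease on its own, which is the slide's "difficult to recycle accounts" point: release() frees the UID, but files the job left behind still belong to it.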

Slide 19: SlashGrid (WP6 - McNab)
Framework for creating "Grid-aware" filesystems
– different types of filesystem provided by dynamically loaded plugins
– Source, binaries and API notes are available (URL not reproduced in the transcript)
The certfs.so plugin provides local storage governed by Access Control Lists based on DNs. Since most ACLs would have just one entry, this is equivalent to file ownership by DN rather than by UID.
Also, a GridFTP plugin could provide a secure replacement for NFS.

Slide 20: Authorisation issues
We need more functionality:
– "Dynamic policy-based Access control"
– Users with more than one allowed role
– Move away from Unix uid based security (and the grid mapfile)
– Applicable to all Grid services (and callable from them)
Users may belong to multiple VOs
– Authorisation may need to be based on "joins"
Global & Local authorisation mechanisms
– need to negotiate policy: Global/VO/Local
We should aim for a limited number of compatible authorisation mechanisms
– Job for the Architecture group and WP7 Security
OGSA?

Slide 21: And now … Security Architecture for EDG

Slide 22: WP7 Security / D7.5
"Security Requirements and Testbed-1 Security Implementation"
List of requirements (now more than ~70)
List of security functions
Currently being discussed:
– matching matrix: requirements vs. functions
– see how much is already fulfilled in EDG TB1
– setting "realistic" goals for EDG (only 20 months to go!)
Should be ready by mid April.

Slide 23: Future plans
The EU review encouraged us to do more on security
– It is already happening!
WP6 CA group
– continue the Acceptance matrix and work with GGF
WP6 Authorisation group
– Test and evaluate CAS and PERMIS
WP7Sec: D7.6 (M25) "Security Design and TB2 report"
Work going on in all middleware WPs on security
WP7Sec & Architecture group need to
– Coordinate activities
– Check that mechanisms are "secure"