Mine Altunay July 30, 2007 Security and Privacy in OSG.

Presentation transcript:


07/30/2007 OSG Site Admins Technical Meeting, July 2007: Mine Altunay
Slide 2: Who am I?
– Recently joined OSG Security Team
– Ramping up to be full time OSG Security
– Working through the OSG Security Plan
– Helping develop any new items for the Security Plan in Year 2

Slide 3: Security Controls
Security Control: safeguards prescribed for an information system to protect the integrity, confidentiality and availability of the system and its information.
– Management Controls (policies)
– Operational Controls (things that people do)
– Technical Controls (things that machines do)
The OSG Security Plan defines, implements and executes these controls.

Slide 4: Security Plans
Two types of security plans:
– Core OSG: assets under complete control of OSG (e.g., the middleware software cache). OSG is responsible for the security of these systems.
– Facilities, VOs and software providers that are “part” of OSG. OSG can create examples and templates of security plans that can be incorporated into site and VO plans. Sites and VOs are responsible for the security of these.

Slide 5: What does this mean for a site admin?
You are responsible for the security of your own site. You should:
– understand the usage scenarios
– analyze the risks
– implement and execute security controls

Slide 6: Site Resources
[Diagram: site resources Data Storage 1, Data Storage 2, Site Database, Site Web Services, WN Cluster 1 and WN Cluster 2, each marked as either accessible or NOT accessible to the VO.]
A fictitious site access policy: for each resource, only allow authorized users AND deny any requests from black-listed users.

Slide 7: Site grants access to the VO
– Site grants access to the VO.
– VO delegates the access privilege to its trusted members.
– VO manages its members’ access rights
  – different access rights to different VO members
  – e.g., grouping of users based on tasks, or roles played in an experiment

Slide 8: A simple usage scenario
[Diagram: Researcher A from University X, which is a member of the VO, submits a grid job through the VO Infra. & Services to the Site. VO trusts Researcher; Site trusts VO; Site allows access by Researcher to the VO-accessible Site Resources (Data Storage 1, WN Cluster 1).]
– Three separate security domains: Univ., VO and Site
– Two trust relationships
– Researcher accesses the Site’s resources due to the trust between the VO and the Site.

Slide 9: VO determines member privileges over Site resources; Site enforces VO-assigned permissions
[Diagram: Researcher A from Uni. X and Researcher B from Uni. Y access Site resources: WN, Group 1’s Data, Group 2’s Data.]
– VO Group1: Uni. X, Role: Researcher, Privileges: execute, read-write
– VO Group2: Uni. Y, Role: Researcher, Privileges: execute, read-write

Slide 10: Enforced Policy
[Diagram: VO Policy and Site Policy combine into the Enforced Policy over the Site’s Resources that are accessible to the VO (Data Storage 1, WN Cluster 1).]

Slide 11: Enforced Policy outcome
[Diagram: Researcher A from Group 1 submits grid job 1 through the VO Infra. & Services to the Site WN; the job’s attempt on Group 2’s Data (Researcher B’s) is marked as unauthorized access.]
Researcher A cannot modify Researcher B’s data (due to VO policy).

Slide 12: Enforced Policy outcome
[Diagram: as on slide 11, but Researcher B from Group 2, whose DN name is blacklisted, submits the job; the access to Group 1’s Data and Group 2’s Data is marked as unauthorized.]
Researcher B is denied access due to Site policy.
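As an added illustration of slides 9 to 12 (this is example code written for this transcript, not the talk’s or OSG’s), a toy model of how the enforced policy results from combining the VO’s privilege assignments with the site’s own access policy; all DNs, group names and resource names are constructed:

```python
# Added example, not from the slides: a toy model of the "enforced policy"
# of slides 9-12.  The VO says what its groups/roles may do; the site says
# which resources the VO may reach and which DNs it refuses outright.
# All DNs, groups and resource names below are constructed for the demo.
from dataclasses import dataclass

# VO policy (slide 9): per (group, role), privileges on each resource.
VO_POLICY = {
    ("Group1", "Researcher"): {"Group 1's Data": {"read", "write"},
                               "WN Cluster 1": {"execute"}},
    ("Group2", "Researcher"): {"Group 2's Data": {"read", "write"},
                               "WN Cluster 1": {"execute"}},
}

# Site policy (slide 6): resources exposed to the VO at all, plus the
# site's own DN blacklist.  A site deny always wins over a VO grant.
SITE_VO_ACCESSIBLE = {"Group 1's Data", "Group 2's Data", "WN Cluster 1"}
SITE_BLACKLIST = {"/DC=example/CN=Researcher B"}   # constructed DN (slide 12)


@dataclass(frozen=True)
class Request:
    dn: str        # certificate subject of the requester
    group: str     # VO group carried in the VOMS extension
    role: str      # VO role carried in the VOMS extension
    resource: str
    action: str


def enforced_decision(req: Request) -> tuple[bool, str]:
    """Combine site policy and VO policy into one allow/deny decision.

    Site checks run first because the site owns the resource: a
    blacklisted DN is refused even if the VO granted the privilege.
    """
    if req.dn in SITE_BLACKLIST:
        return False, "site policy: DN is blacklisted"
    if req.resource not in SITE_VO_ACCESSIBLE:
        return False, "site policy: resource not accessible to the VO"
    granted = VO_POLICY.get((req.group, req.role), {}).get(req.resource, set())
    if req.action not in granted:
        return False, "VO policy: no such privilege for this group/role"
    return True, "allowed by both VO and site policy"


def audit_line(req: Request) -> str:
    """One access-log line per decision (slide 19: keep access logs)."""
    ok, why = enforced_decision(req)
    verdict = "ALLOW" if ok else "DENY "
    return f"{verdict} dn={req.dn} fqan=/{req.group}/Role={req.role} {req.action}@{req.resource} ({why})"
```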

Slide 13: OSG AuthZ components
[Diagram of the Privilege Project modules. VO Management Services: VOMRS (register) and VOMS, kept in sync (synchronize); the user obtains a VOMS extended proxy (get-voms-proxy) from a certificate and submits the request with the voms-proxy. Grid Site: the CE Gatekeeper and Job Manager use Prima/SAML callouts (C) to send DN, FQAN to GUMS and receive a user name; GUMS synchronizes with VOMS; the SAZ site-wide service answers “Is authorized? yes/no”. SE: SRM with gPlazma uses a Prima/SAML Client (Java) to send DN, FQAN to the Storage Auth Service and receives the storage privilege set.]

Slide 14: Pilot jobs
[Diagram: the Gatekeeper and Job Manager, via Prima/SAML callouts (C) to GUMS, map the Pilot DN to a Pilot UID; on the WN the Pilot User Job runs as the Pilot UID and fetches User jobs (User DN) from the Pilot User queue.]
– The user job and the pilot job run in the same user account → modifications between jobs are possible
– The site does not auth/authz the user → it only auth/authz’s the pilot job

Slide 15: Pilot jobs with gLExec
[Diagram: the same flow as slide 14, with gLExec on the WN. The Gatekeeper, Job Manager and Prima/SAML callouts (C) to GUMS map the Pilot DN to a Pilot UID and the User DN to a User UID; the Pilot User Job runs as the Pilot UID and the user job fetched from the Pilot User queue runs as its own User UID.]
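As an added illustration of slides 14 and 15 (example code written for this transcript, not the talk’s and not the gLExec or GUMS code base), a toy model contrasting a pilot that runs user payloads under its own account with one that hands each payload to gLExec so the user’s DN is authorized by the site and mapped to its own UID; the DNs, FQANs and account names are constructed:

```python
# Added example, not from the slides: a toy model of slides 14 and 15.
# DNs, FQANs and local account names are constructed for the demo.

# Site-side mapping (the GUMS role on slides 13-15): (DN, FQAN) -> account.
GUMS_MAP = {
    ("/CN=cms pilot", "/cms/Role=pilot"): "cmspilot",
    ("/CN=Researcher A", "/cms/group1/Role=Researcher"): "cmsuser01",
    ("/CN=Researcher C", "/cms/group1/Role=Researcher"): "cmsuser03",
    ("/CN=Researcher B", "/cms/group2/Role=Researcher"): "cmsuser02",
}
SITE_BLACKLIST = {"/CN=Researcher B"}    # site-wide deny (the SAZ role)


def site_authorize(dn, fqan):
    """Site auth/authz of one identity: blacklist first, then GUMS mapping.
    Returns the local account, or None if the site refuses the identity."""
    if dn in SITE_BLACKLIST:
        return None
    return GUMS_MAP.get((dn, fqan))


def run_payload(pilot_dn, pilot_fqan, user_dn, user_fqan, use_glexec):
    """Describe how the site ends up running one user payload fetched by a pilot.

    Without gLExec (slide 14) the site only ever authorized the pilot, so the
    payload inherits the pilot's account and the site's log shows the pilot DN.
    With gLExec (slide 15) the payload's own DN goes through site authorization
    and the job is switched to that user's account before it runs.
    """
    pilot_account = site_authorize(pilot_dn, pilot_fqan)
    if pilot_account is None:
        return {"runs": False, "account": None, "logged_dn": pilot_dn}
    if not use_glexec:
        return {"runs": True, "account": pilot_account, "logged_dn": pilot_dn}
    user_account = site_authorize(user_dn, user_fqan)
    if user_account is None:
        # gLExec refuses: the site can now reject an individual VO member.
        return {"runs": False, "account": None, "logged_dn": user_dn}
    return {"runs": True, "account": user_account, "logged_dn": user_dn}


def can_modify_each_other(job1, job2):
    """Two payloads sharing one Unix account can alter each other's files."""
    return bool(job1["runs"] and job2["runs"]
                and job1["account"] == job2["account"])
```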

Slide 16: What if something goes wrong? Incident Response
– Researcher A launches an attack against the Site
– Site discovers the attack
– Site analyzes the attack and temporarily blacklists Researcher A (if it can trace it)
– Site should call GOC at , or submit a trouble ticket, or

Slide 17: Incident Response (continued)
– Inform the VO security contact
  – Site trusts the VO, not individual members
  – VO finds which member has the privilege (logs and mapping repository, VOMRS)
  – VO determines culpability and takes measures over Researcher A’s privileges
– OSG only has controls over core OSG assets and staff
  – VO is responsible for its users’ behavior
  – OSG may bar a VO if the VO violates OSG policies

Slide 18: Sites are responsible for
– Building and maintaining a trust relationship with the VO
– Determining which resources are accessible to VO members and in which capacity
– Reaching an agreement with the VO over the usage of the resources
  – privileges associated with roles (r/w privilege over a data location by a VO member)
– Enforcing VO-assigned privileges and the site’s access policies
– Keeping in sync with VO policy (e.g. VOMRS) and maintaining service availability for access

Slide 19: Sites are responsible for (continued)
– Keeping access logs of VO users and maintaining audits
– Informing the VO Security contact about security incidents
– Complying with grid operational controls
  – Keeping up to date with CA certificates (IGTF updates)
  – Certificate Revocation Lists
  – Using the latest configuration for grid-distributed software