30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK

Slides:

Advertisements

Similar presentations

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

Advertisements

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

The GridSite Security Framework Andrew McNab University of Manchester.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

VOMS Alessandra Forti HEP Sysman meeting April 2005.

JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.

EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,

Andrew McNab - GGF Authz - 16 Dec 2003 GGF Authorization work Andrew McNab, University of Manchester

EGEE is a project funded by the European Union under contract IST Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10.

Andrew McNab - GridSite/EDG/GGF - 29 Sept 2003 GridSite, EDG and GGF Andrew McNab, University of Manchester

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

EDG Security European DataGrid Project Security Coordination Group

10-May-01D.P.Kelsey, Security Workshop Summary1 DataGrid Security Workshop 29/30 March 2001 SUMMARY David Kelsey CLRC/RAL, UK

June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.

3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK

WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

Getting started DIRAC Project. Outline  DIRAC information system  Documentation sources  DIRAC users and groups  Registration with DIRAC  Getting.

INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.

User VOMS Java C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups, roles, capabilities Authentication Certificate Authorities.

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK

Andrew McNab - EDG Access Control - 4 Dec 2002 EDG Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of.

VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.

DGC Paris WP2 Summary of Discussions and Plans Peter Z. Kunszt And the WP2 team.

Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.

INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.

OSG AuthZ components Dane Skow Gabriele Carcassi.

Jens G Jensen RAL, EDG WP5 Storage Element Overview DataGrid Project Conference Heidelberg, 26 Sep-01 Oct 2003.

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

Andrew McNabGrid in 2002, Manchester HEP, 7 Jan 2003Slide 1 Grid Work in 2002 Andrew McNab High Energy Physics University of Manchester.

2-Sep-02D.P.Kelsey, WP6 CA, Budapest1 WP6 CA report Budapest 2 Sep 2002 David Kelsey CLRC/RAL, UK

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

WP3 Security and R-GMA Linda Cornwall. WP3 UserVOMS service authr map pre-proc authr LCAS LCMAPS pre-proc LCAS Coarse-grained e.g. Spitfire WP2 service.

Ákos FROHNER – DataGrid Security n° 1 Security Group TODO

12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK

The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.

15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

Plans for D7.7 The Security Report on the Final Project Release Linda Cornwall, RAL.

Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.

7-May-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Issues and Planning or Report from the Security Group CERN, 8 May 2003 David Kelsey CCLRC/RAL, UK.

Gridification progress report David Groep, Oscar Koeroo Wim Som de Cerff, Gerben Venekamp Martijn Steenbakkers.

DataGrid Security Wrapup Linda Cornwall 4 th March 2004.

Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.

Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)

WP3 Security and R-GMA Linda Cornwall, RAL. WP3 Linda Cornwall, RAL - 02/09/2002Security and R-GMA,DataGrid Workshop, Budapest 2 Current Status Currently,

Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.

David Kelsey CCLRC/RAL, UK

WP1 WMS release 2: status and open issues

Update on EDG Security (VOMS)

The GENIUS Security Services

Presentation transcript:

30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK

30-Sep-03D.P.Kelsey, SCG Summary2 Overview Security in EDG 2.1 SCG/Applications joint session (Saturday) VO naming, ACL syntax (input to GGF) D7.7 plans Summary

30-Sep-03D.P.Kelsey, SCG Summary3 Comments This is the first time I have not had to request a slot in the summary plenary (at final project conference!) SCG has come of age Quote: –EDG realised it had forgotten security (1st conference) Fabrizio Gagliardi (26 Sep 2003) So….no security requirements All requirements fully satisfied!

30-Sep-03D.P.Kelsey, SCG Summary4 Security in EDG 2.1

30-Sep-03D.P.Kelsey, SCG Summary5 VOMS VOMS is deployed Big improvement in Authorization (AuthZ) functionality –Fine-grained access control –Groups, sub-groups, roles, capabilities –Support for multiple VO’s Unfortunately little time for services to use the VOMS attributes EDG PTB (26 August) decided that job submission integrated with VOMS together with LCAS/LCMAPS was the highest priority for the EDG 2.1 Application TB –WP1/WP4/SCG efforts

2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 6 Job Submission user CE user cert low frequency high frequency host cert proxy authz VO information system 1. VO affiliation ( AccessControlBase) 4. CEs for VOs in authz? 3. job submission MyProxy server WMS 2. cert upload

2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 7 MyProxy server Running a Job CE cert (long term) host cert proxy authz VO WMS 1. cert download LCAS/ LCMAPS authentication & authorization info 2. job start LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups u default VO = default UNIX group u other VO/group/role = other UNIX group(s) voms-proxy-init

30-Sep-03D.P.Kelsey, SCG Summary8 VOMS status VOMS server deployed (19 th Sep) –INFN, RAL and CERN running servers –ITeam and WP6 VO’s tested VOMS client –Included in UI –Configured at CERN on dev testbed Need to run VOMS servers for other VO’s –NIKHEF offer to do this (WP6) VO managers need training

30-Sep-03D.P.Kelsey, SCG Summary9 WP1 Security WP1 –Proxy renewal service (26 Sep) Support for VOMS Renew proxy with same VOMS info as in old proxy –Logging and Bookkeeping service (26 Sep) Access control implemented –Job-owners can specify an ACL to allow others access –Uses GACL library –ACLs stored in LB database –New LB API (and command line) to add/remove ACL entries VOMS support (AuthZ info extracted for use in ACL) –WMS Uses VO info from CE Info provider for job matchmaking –If job comes with VOMS proxy (VO name only)

30-Sep-03D.P.Kelsey, SCG Summary10 WP2 and WP3 security WP2 –edg-java-security deployed (24 th Sep) –Authentication works –Authorization not enabled –C++ client now working but not deployed WP3 –Authentication in R-GMA deployed Well tested, but currently turned off –No delegation –No Authorization –C++ client as well will be turned on with Java security –R-GMA browser (requires host certificates as in WP2)

30-Sep-03D.P.Kelsey, SCG Summary11 WP4 Security WP4 –LCAS, LCMAPS deployed (12 th Sep) Full fine-grained VOMS support Sys admins have to enable this on clusters –Only for central LDAP-based user database If not then coarse-grained VO-based AuthZ –Or local group-based AuthZ – defined by sys admin –GACL-based access control: LCAS plug-in –Translation tool for local credentials to GACL –CE Info Provider can give static list of VO’s For use in WP1 WMS

30-Sep-03D.P.Kelsey, SCG Summary12 WP5 Security WP5 –Secure mode (edg-java-security) deployed –Insecure mode supported in parallel always mapped to WP6 VO –Plan to switch off insecure mode Needs testing Needs WP2 to call secure mode –ACLs supported (GACL) but not deployed Therefore no fine-grained access control –Testing restricted write access (from VOMS) May be possible on EDG 2.1 –No delegation (web services)

30-Sep-03D.P.Kelsey, SCG Summary13 SCG/Applications

30-Sep-03D.P.Kelsey, SCG Summary14 Joint SCG/WP session To consider use cases for VOMS and priorities –Groups –Roles –Access Control etc Papers written by each WP during the summer Useful discussions Also highlighted many other missing or incomplete features –Accounting, monitoring, quotas, …

30-Sep-03D.P.Kelsey, SCG Summary15 Cartoonist View of the World Actually it’s 2 years and 10 months…

30-Sep-03D.P.Kelsey, SCG Summary16 Conclusion For deployment beyond EDG 2.1 –If resources available and bug-fixing allows… Implement fine-grained access control to files (WP2/5) –Using WP9/GOMES as an example –Possible demo for EU Review (Feb 2004) Really would have liked to tackle Bio-medical encryption –Very doubtful that we will find time

30-Sep-03D.P.Kelsey, SCG Summary17 VO naming, ACL syntax

30-Sep-03D.P.Kelsey, SCG Summary18 Names and syntax Offering EDG AuthZ as input examples to GGF –VOMS, LCAS/LCMAPS, Java Security, GACL, GridSite, etc GGF OGSA-AuthZ working group –Co-chaired by EDG member (Andrew McNab) –AuthZ/Access Control with SAML and XACML We need globally unique names for VO’s –Also need to establish the root of trust –Propose using registered DNS names e.g. vo-atlas.cern.ch Or even lhcb.org Strings in ACL entries – defined format –/VO[/Group/[Sub-group(s)]][/Role=r][/Capability=c]

30-Sep-03D.P.Kelsey, SCG Summary19 Deliverable D7.7

30-Sep-03D.P.Kelsey, SCG Summary20 Plans for D7.7 D7.7 (PM36) –Final Report on Security Discussed at SCG meeting on Monday Linda Cornwall (RAL) – editor Will concentrate on –Successful deployment of new AuthZ technology Design described in D7.6 –Show the requirements that have now been met As specified in D7.5 –Describe areas for work in future projects Security evaluations also in other deliverables (e.g. D6.8)

30-Sep-03D.P.Kelsey, SCG Summary21 Summary Much progress has been made –Delays in EDG 2.0 delayed the security implementation Nevertheless –We will demonstrate AuthZ in WMS On application testbed (EDG 2.1) –Some simple access control may be possible on files Even on EDG 2.1 –Working on full demo for EU review A big thank you to all my colleagues in SCG –The architects, designers and developers