23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL2 Outline Introduction to Grid Security EU DataGrid/DataTAG (EDG/EDT) developments LHC Computing Grid Project (LCG) Phase 1 –The main challenges for 2003 Summary

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL3 Introduction to Grid Security

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL4 Authentication (1) Proof of Identity Grid Security Infrastructure (GSI) PKI = Public Key Infrastructure –Private/public key pair Generated by user – “private” key must be kept secret Asymmetric encryption –X.509 certificate National Certificate Authority “signs” the public key Binds to a “name” / identity No authorisation to use resources

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL5 Authentication (2) Uses SSL, certificates and the key-pair –Need to trust the CA(s) Securely identifies User, Machine, Service –In both directions (mutual authentication) To achieve … Single sign-on to Grid (via Proxy certificate) –short-lived (no revocation) To avoid having to register all users at all sites! Many issues –Revocation, length of keys, period of validity, security of private key, operational procedures, … –Registration authorities (checks identity)

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL6 Authorisation Today: based on local mechanisms –e.g. UNIX (uid, gid) or Kerberos Globus gatekeeper –Maps global identity (Distinguished Name) to local user account Access control all based on standard UNIX tools –Or Kerberos, AFS etc Site/System management fully in control Limited tools for Virtual Organisations (VOs) to manage access to resources

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL7 EDG/EDT security developments

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL8 EDG Security news EU Deliverable 7.5 –Security Requirements and Testbed1 (complete) EU Deliverable 7.6 –Security Design and Testbed2 (January 2003) Security components –VO/LDAP & VOMS – Authorisation –LCAS, LCMAPS – local authorisation and mapping –Gridmapdir – dynamic leased accounts –Gridsite – certificate-based web management –SlashGrid - dn-based grid homefile system –GACL – Library to parse ACL’s (XML) –edg-security (for database access control)

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL9 EDG WP6 CA group The PMA (Policy Management Authority) for EDG –Members: the CA managers (but not just EDG!) –includes CrossGrid, US DOE CA’s… more joining – Establishing “Trust” between CA’s, Grid projects, VOs, Sites –Need approval of site security officers and sysadmins To (perhaps) bypass normal user registration procedures –Achieved for EDG testbed activities NOT yet for LCG production-scale deployment Defining “best practice” and “minimum requirements” –Working with GGF –CP/CPS documents –Registration Authority procedures –Operational procedures

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL10 Trusted CA’s 13 trusted CA’s –CERN, Czech Rep, France, Germany, Ireland, Italy, Netherlands, Nordic, Portugal, Russia, Spain, UK, USA Under consideration –Canada, Greece, Poland, Slovakia CNRS/France willing to act as short-term “catch-all” –For small number of users/machines –But needs agreed registration procedure(s) –Already doing so for Austria, Israel, Switzerland, Romania, Taiwan…

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL11 Authorisation VO/LDAP shown in Catania HEPiX Now we (EDT for EDG) are developing VOMS –Virtual Organisation Membership Service See Luciano Gaido’s slides (EDG meeting Budapest) and VOMS architecture report (EDT meeting 8Oct02)slidesVOMS architecture –Some of these follow LCAS & plug-ins and GACL to apply Access Control Easy management of ACL’s still missing

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL12 current implementation (LDAP) Support for users belonging to more than one VO – –vo option to grid-proxy-init command; –the VO name is inserted in the Subject of the proxy certificate (D field); –requires a patch to Globus code (and a change to mkgridmap); –under test the interaction with RB; –availability: 30 September ’02.

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL13 VO Membership Service 1.Client and server authenticate themselves and establish a secure communication channel using standard Globus API. 2.The Client sends the request to the Server. 3.The Server checks the request and sends back the required info (signed by itself). 4.The Client checks the validity of the info received. 5.Steps 1—4 are repeated for each Server the Client wants to contact. 6.The Client creates a proxy certificate with an extension (non critical) containing all the info received from the contacted VOMS Servers. Query Authentication Request Auth DB VOMS pseudo- cert C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy VOMS pseudo- cert

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL14 VOMS

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL15 LCG Phase 1

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL16 LCG 1 security LCG Phase 1 – deploy a production quality Grid –from July 2003 Planning now – documents by December 2002 –Must be ready by summer 2003 Security planning –User Registration –Authentication –Authorisation –Security Policy –Operational issues

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL17 User Registration Users would like to register just once (per VO) –Sign one form –One single “Acceptable Use” description Sites need –Sufficient recorded information about the user VO databases – managed by whom? (expt offices?) –Behind-the-scenes creation of new user accounts Or willingness to use dynamic leased accounts VO’s need –Tools to manage users, roles, groups Who owns the databases – VOs and/or Sites?

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL18 Authentication Scaling of establishing list of trusted CA’s –Currently one per country (many countries!) –Often issued by CA’s serving larger community than HEP CERN and FNAL proposing a Kerberos-based CA –User authenticates via kerberos to the KCA –KCA then issues short-lived X.509 certs –Not yet “trusted” by EDG/LCG Some sites will not accept long-lived private keys held by users –Credential repositories (MyProxy, aVOMS) –Smartcards –Specialised additional authentication (e.g. Cryptocard) Doesn’t scale! Support multiple levels of authentication Credential renewal for long-running batch jobs

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL19 Authorisation Technology immature –What will be ready for LCG phase 1? –Need input from the experiments Who manages access? –To sites –To resources –To individual files, objects Sites authorise VO’s –VO’s authorise users, roles, groups Much will be definition of procedures –Aim for independence from technologies Move to OGSA, ws-security, … Sites need to trust VO procedures

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL20 Operational issues Communication between sites Intrusion detection Incident tracking Auditing and reporting

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL21 Summary EDG/EDT – much progress during 2002 –More functionality in 2003 –GGF and other Grid projects also important Current procedures work well for Testbed scale LCG Phase 1 (and BaBar Grid) –Need improved procedures for production scale Need to plan for and support –Multiple authentication and authorisation technologies Will need full consultation with Sites and VOs (experiments) to agree policies and establish trust MUST be pragmatic –LCG Phase 1 MUST work