INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.

Presentation transcript:

INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF

Site Access Control: LCAS/LCMAPS and Unix-domain limitations (September 12)
Outline
– Local authorization
– Local authorization decisions
– Integrating with the Unix domain
– Managing the work space

Authorization context
Policy comes from many stakeholders.
(Diagram; graphics from Globus Alliance & GGF OGSA-WG.)

Local Authorization
EGEE Architecture
– Policy providers orchestrated by a master PDP (not shown)
– Authorization Framework (Java) and Local Centre Authorization Service LCAS (C/C++ world)
– Both provide a set of PDP implementations (should be the same set, or a callout from one to the other)
– PDPs foreseen:
  • user white/blacklist
  • VOMS-ACL
  • proxy-lifetime constraints
  • certificate/proxy policy OID checks
  • peer-system name validation (compare with subject or subjectAlternativeNames)

Local Authorization Today
Current implementation
– Only a limited set of PDPs:
  • ban/allow and VOMS-ACL
– Authorization interface is proprietary (at least for C/C++)
  • change foreseen soon to a ‘v2’ standard interface
– Policy Enforcement Point (PEP) is part of the (container) runtime, i.e. all evaluation is in-line
  • source modifications needed for legacy (C-based) services (GT gatekeeper, GridFTP server)
  • AuthZ framework for Java as loadable classes
– No separate authorization service (no site-central checking)
– Policy format is not XACML everywhere (e.g. GACL)

Black List Services
BL-PDPs return Deny or Not-Applicable
– Master-PDP treats “Permit” as Not-Applicable
Only interested in whether the black-list services deny access to the subject
– They are not to be used for rendering general-purpose policy decisions
Query the configured black-list services before the general-purpose PDPs
– Pushing of black-list assertions or EPRs is not allowed
“Deny-Override” rules for the black-list services
… a pragmatic way to address deny-requirements …
– note that you are still allowed to shoot yourself in the foot with deny-policies “behind” the PDP interface …
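The combining rule on this slide, written out as an added example (not code from the EGEE/LCAS project): black-list PDPs are queried first under deny-override and may only deny, a Permit from one of them is treated as Not-Applicable, and only the general-purpose PDPs can grant. The banned-DN set, the VOMS-ACL patterns and the request dictionary shape are constructed for illustration.

```python
import fnmatch
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"

# Constructed sample policy data standing in for a site ban list and a VOMS-ACL.
BANNED_SUBJECTS = {"/C=XX/O=Example/CN=Banned User"}
VOMS_ACL = ["/EGEE/picard/*", "/Wilma/Role=prod"]

def ban_list_pdp(req):
    """Black-list PDP: may only answer Deny or NotApplicable."""
    return Decision.DENY if req["subject"] in BANNED_SUBJECTS else Decision.NOT_APPLICABLE

def overeager_pdp(req):
    """A misconfigured black-list PDP that answers Permit; the master PDP
    must not let such an answer grant access."""
    return Decision.PERMIT

def voms_acl_pdp(req):
    """General-purpose PDP: Permit when any FQAN matches an ACL pattern."""
    for fqan in req["fqans"]:
        if any(fnmatch.fnmatchcase(fqan, pat) for pat in VOMS_ACL):
            return Decision.PERMIT
    return Decision.NOT_APPLICABLE

def master_pdp(req, blacklist_pdps, general_pdps):
    """Query black-list PDPs first with deny-override (their Permit counts as
    NotApplicable), then combine the general PDPs with deny-override."""
    for pdp in blacklist_pdps:
        if pdp(req) is Decision.DENY:
            return Decision.DENY
    outcome = Decision.NOT_APPLICABLE
    for pdp in general_pdps:
        d = pdp(req)
        if d is Decision.DENY:
            return Decision.DENY
        if d is Decision.PERMIT:
            outcome = Decision.PERMIT
    return outcome

def authorize(req):
    """PEP view of the result: anything other than Permit is a rejection."""
    return master_pdp(req, [ban_list_pdp, overeager_pdp], [voms_acl_pdp]) is Decision.PERMIT
```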

What’s within reach?
Some additional PDPs
– Policy OID checking
– Proxy certificate lifetime constraints
– Limit to specific executable programs
– …
Standard white-list and black-list service for all services
Better integration between the Java and C worlds & the upcoming standards

LCMAPS
Once authorisation has been obtained:
– acquire local (Unix) credentials to run legacy jobs
– enforce those credentials on the job being run or the FTP session started
LCMAPS is the back-end service used by
– GT2-style edg-gatekeeper (LCG2)
– edg-GridFTP (LCG2)
– glexec/grid-sudo wrapper
– WorkSpace Service

LCMAPS – control flow
User authenticates using (VOMS) proxy
… do local authorization …
LCMAPS invoked
– Acquire all relevant credentials
– Enforce “external” credentials
– Enforce credentials on the current process tree at the end
– Order and function are policy-based
Run task (e.g. job manager)
(Diagram: Service → LCMAPS credential acquisition & enforcement (CREDs) → Task.)

LCMAPS – functionality view
Unix mapping based on VOMS groups, roles, and capabilities
Possibly pool groups as well as pool accounts
Granularity set by the site administrator (see example following)
Primary group set to the first VOMS group – used for accounting
More than one VO/group per grid user allowed [but…]
– Each unique VOMS FQAN listed translates into 1 Unix group id
– Each user-FQAN combination translates into 1 Unix user id
New mechanisms could mitigate issues:
– groups-on-demand, supporting granularity at any level
– central user directory support (nss_LDAP, pam-ldap)
Not ready – and priorities have not been assigned to this yet.

VOMS to Unix domain mapping (example)
    # groupmapfile
    "/EGEE/picard/*" iteam
    "/EGEE/picard/Role=Manager" iteamsgm
    "/Wilma/Role=prod" wilmgr
    "/Wilma/*" .wilma
    "/EGEE/riker/grp1" rikerhg
    "/EGEE/riker/grp2" rikermed
    "/EGEE/riker/grp3" rikerlow
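An added example (not LCMAPS code) that applies the mapping rules of the previous slide to this groupmapfile: each FQAN resolves to one Unix group, the first FQAN's group becomes the primary group, and a leading "." marks a pool group. The precedence between an exact entry and an overlapping wildcard entry, and the numbered pool-lease scheme, are assumptions made for illustration; the slide does not state the plugin's own rules.

```python
import fnmatch
import re
# Constructed copy of the slide's groupmapfile (straight quotes; leading "." = pool group).
GROUPMAPFILE = """
# groupmapfile
"/EGEE/picard/*" iteam
"/EGEE/picard/Role=Manager" iteamsgm
"/Wilma/Role=prod" wilmgr
"/Wilma/*" .wilma
"/EGEE/riker/grp1" rikerhg
"/EGEE/riker/grp2" rikermed
"/EGEE/riker/grp3" rikerlow
"""
_LINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')

def parse_groupmapfile(text):
    """Return [(pattern, group, is_pool)] in file order; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed groupmapfile line: {line!r}")
        pattern, group = m.groups()
        rules.append((pattern, group.lstrip("."), group.startswith(".")))
    return rules

def match_fqan(fqan, rules):
    """Most specific rule wins: an exact pattern beats a wildcard, then the
    longest pattern (assumed precedence; the slide does not state the plugin's)."""
    hits = [r for r in rules if fnmatch.fnmatchcase(fqan, r[0])]
    return max(hits, key=lambda r: ("*" not in r[0], len(r[0]))) if hits else None

def map_user(fqans, rules, pool_counter=None):
    """FQAN list -> (primary_group, secondary_groups): the first FQAN gives the
    primary group (accounting); pool groups are leased as <name>NNN (constructed)."""
    pool_counter = {} if pool_counter is None else pool_counter
    groups = []
    for fqan in fqans:
        hit = match_fqan(fqan, rules)
        if hit is None:
            raise PermissionError(f"no local group for {fqan}")
        _, name, is_pool = hit
        if is_pool:
            pool_counter[name] = pool_counter.get(name, 0) + 1
            name = f"{name}{pool_counter[name]:03d}"
        if name not in groups:
            groups.append(name)
    return groups[0], groups[1:]
```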

Work Space Service
On the road towards virtualized resources: Work Space Service
Managed accounts
– enable life-cycle management
– controlled account management (VO can request/release)
– “special” QoS requests
Use it to request credentials (groups) with specific priorities?
WS-RF style GT4 service
– uses LCMAPS as a back-end

LCMAPS usage in the job chain
(Diagram slide.)

Summary
Control over running jobs is via site mechanisms
Authorization to (Java) services is part of the container
– Fine-grained control is left as a service-specific issue
– Standard hooks for this are about to appear
Mapping of credentials is required for legacy programs
– limited to Unix domain account mechanisms
– needs to remain manageable for site administrators
– scheduling/priorities based on Unix user and group names
– accounting based on (uid, gid) pairs
– Unix domain is not very flexible. Sorry.
Virtualisation is coming, but how far down the road?


EDG Gatekeeper (current)
(Diagram of “Ye Olde Gatekeeper”; labels recovered from the slide:)
– GSI AuthN: accept TLS auth; GSS context + RSL
– LCAS authZ call-out, with GACL, timeslot and banned policies; input is the proxy DN (e.g. C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) and the VOMS pseudo-cert
– LCMAPS: open, learn, & run: … and return legacy uid; assist_gridmap
– Job Manager (jobmanager-*): fork+exec args, submit script