Services Security. A. Casajus, R. Graciani. 12/12/2005.


Services Security
A. Casajus, R. Graciani

Overview
– DIRAC Security Infrastructure
– HSGE Transport
– Authentication
– Authorization
– DIRAC Authorization scheme
– DIRAC Portals
– DIRAC Transfers
– Relation with VOMS

DIRAC Security Infrastructure
Based on:
– Trusted "Certification Authorities" (CAs) for authentication.
– "Virtual Organizations" (VOs) for authorization.
We want to skip Globus and use OpenSSL directly, to minimize dependencies.
DIRAC applications use grid proxies to connect to services.
– Based on X.509 certificates, understood by OpenSSL.

DIRAC Security Infrastructure
What the user needs:
– A certificate and key signed by a CA and accepted by the VO
– Up-to-date CAs and CRLs
– The ability to generate a grid proxy (grid-proxy-init)
What the server needs:
– A certificate and key signed by a CA
– Up-to-date CAs and CRLs
The server is also authenticated by the client.

Dependencies
DIRAC Security Infrastructure relies on:
– pyOpenSSL: a Python module encapsulating some of the native OpenSSL functionality.
– OpenSSL: an open source, full-featured toolkit implementing Secure Sockets Layer (SSL v2/3) and Transport Layer Security (TLS).
pyOpenSSL wraps all needed OpenSSL calls in a simple Python API. Some extensions were implemented.
OpenSSL handles all underlying authentication except grid proxies.

XML-RPC way
Python provides an XML-RPC implementation ready to use over a non-secure channel.
The secure connection support provided by Python is very limited.
It would be nice to combine OpenSSL, pyOpenSSL and Python's XML-RPC to provide an easy gateway to secure XML-RPC.

HSGE Transport
HTTP + SSL + GRID + Extended transport layer.
HSGE wraps all the nasty SSL code together with the authorization and authentication mechanisms under simple calls.
Uses XML-RPC to perform remote calls over HTTP or HTTPS, selected automatically from the URL (the URLs themselves were lost in the transcript):

    unsecureClient = HSGEClient( "<http URL>" )
    unsecureClient.get( "ConfigurationService", "List" )
    secureClient = HSGEClient( "<https URL>" )
    secureClient.rescheduleJob( iJobID )

HSGE Transport
(Diagram slide; no text in the transcript.)

HSGE Transport
Supports >200 requests/s, about 10 times more than the other implementations tested (Apache + mod_ssl, GridSite).
From the client point of view it is used exactly the same way as native XML-RPC.
From the server point of view:
– By changing the HSGE server object, requests can be handled in a secured or unsecured way. The developer's code remains the same.

    class FakeServiceHandler( HSGERequestHandler ):
        def export_fakeMethod( self, someArg, someOtherArg ):
            doSomething()

    oSecureServer = HSGEServer( ( "", iPort ), FakeServiceHandler, "ServiceName" )
    oSecureServer.serve_forever()

    oUnsecureServer = HSGEUnsecureServer( ( "", iPort ), FakeServiceHandler, "ServiceName" )
    oUnsecureServer.serve_forever()

– Authentication and first-level authorization are hidden from the developer's server code.

Authentication
Official OpenSSL does not support grid proxies. The HSGE OpenSSL version supports standard X.509 certificates and grid proxies as well.
HSGE uses SSL sessions (with a lifetime defined as a parameter) for each client: just one handshake for multiple calls.

Authentication
Grid proxy chains are walked until a trusted CA is found, to ensure their validity.
Each side of the channel authenticates the other one (the server authenticates the client, and the client authenticates the server).
– All DIRAC secure clients and servers need valid, unexpired certificates.

Authorization
HSGE authorization is done on a per-method basis.
The HSGE server side verifies that the user's DN is in the authorized list of users (role) for the method called.
The user defines which role to use for the DIRAC application:

    #~> dirac-role.py lhcb_user

If the user does not specify a role, lhcb_user is used by default.
The user's DN and role are available to server methods.
– For instance, lhcb_user is authorized to call a job matching method, but the JobMatcher will only return jobs that belong to the given DN (or role).

DIRAC Authorization scheme
Each server has authorized roles defined, via local or remote configuration, for each method it exports:

    [TestServiceAuthorization]
    Default = lhcb_user
    exampleMethod1 = lhcb_user, lhcb_prod, lhcb_admin
    exampleMethod2 = lhcb_prod, lhcb_admin
    exampleMethod3 = lhcb_admin

Clients include their role in each XML-RPC query: HSGE code checks whether the user belongs to the role sent and whether that role is allowed to perform the call.
The user's DN is taken from the proxy or certificate.

DIRAC Authorization scheme
List of roles (can be extended):
– lhcb_user: explicit DN list of all LHCb recognized users. Must be kept in sync with the VO.
– lhcb_prod: explicit DN list of production managers, responsible for "production" type activities.
– lhcb_admin: explicit DN list of users with DIRAC administrative privileges.
Roles are defined in the section [DiracRoles]:

    [DiracRoles]
    lhcb_user = FakeDN1
    lhcb_user += FakeDN2
    …
    lhcb_prod = FakeDN3
    …
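As an added example (not DIRAC's or HSGE's own code), the two checks the authorization slides describe, run over a constructed configuration written in the same [TestServiceAuthorization] / [DiracRoles] layout; the parser, the slash-form DNs and reading "+=" as appending a DN are assumptions:

```python
import re

# Constructed configuration in the slides' format (assumption: the real DIRAC
# syntax may differ; "+=" is read as appending one more DN to a role).
SAMPLE_CFG = """
[TestServiceAuthorization]
Default = lhcb_user
exampleMethod1 = lhcb_user, lhcb_prod, lhcb_admin
exampleMethod2 = lhcb_prod, lhcb_admin
exampleMethod3 = lhcb_admin
[DiracRoles]
lhcb_user = /DC=org/DC=example/CN=User One
lhcb_user += /DC=org/DC=example/CN=User Two
lhcb_prod = /DC=org/DC=example/CN=Prod Manager
lhcb_admin = /DC=org/DC=example/CN=Site Admin
"""
SECTION_RE = re.compile(r"^\[(\w+)\]$")
OPTION_RE = re.compile(r"^(\w+)\s*(\+?=)\s*(.*)$")

def parse_cfg(text):
    """Return {section: {key: [values]}}. Values are comma separated; the DNs
    are in OpenSSL slash form, which has no commas, so one split fits both."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = SECTION_RE.match(line)
        if section:
            current = sections.setdefault(section.group(1), {})
            continue
        option = OPTION_RE.match(line)
        if option is None or current is None:
            raise ValueError("malformed line: %r" % raw)
        key, op, value = option.groups()
        items = [v.strip() for v in value.split(",") if v.strip()]
        if op == "+=":
            current.setdefault(key, []).extend(items)
        else:
            current[key] = items
    return sections

def is_authorized(cfg, service, method, dn, role):
    """HSGE's two checks: the DN (from the verified proxy, never the request body)
    must belong to the role sent, and that role must be listed for the method
    (or under Default when the method has no entry of its own)."""
    if dn not in cfg.get("DiracRoles", {}).get(role, []):
        return False
    auth = cfg.get(service, {})
    return role in auth.get(method, auth.get("Default", []))
```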

DIRAC Portals
Portals are connection redirectors. A client connects to a portal, which forwards the connection to the destination server.
Each portal can redirect to many services.
(Diagram: clients reaching Service 1 through a portal.)

DIRAC Portals
Redirection is based on the URL:
– Portal URL + Service Name
Two kinds of portals:
– Secure portals: programmed in Python + HSGE. Can redirect to either secure or unsecure services.
– Unsecure portals: programmed in PHP on a web server. Can only redirect to unsecure services.

Advantages of DIRAC Portals
Single entry point for all services.
Benefits of secure portals:
– Reduce the number of SSL authentications: the server receives handshakes only from portals, and one client has to handshake just once for all requests through the portal.

DIRAC portals
(Sequence diagram: Client (Agent, Job Wrapper, Production Manager, …) → HSGE DIRAC Portal → Server (Configuration Service). On each hop: connection request, SSL negotiation, client query, server response.)

Security in Secure DIRAC Portals
Secure portals need a valid certificate; they act as both clients and servers.
The final server needs to know which portals are recognized.
Portals authenticate the client and services authorize the call.

Service Redirection
(Diagram: clients (Agent, Job Wrapper, Production Manager, …) connect with the user certificate to HSGE DIRAC Portals, which connect with the portal certificate to the servers: Configuration Service, WMS Job Receiver, WMS Job Matcher, Monitoring Service.)

HSGE Transfers
HSGE also allows files to be transferred to and from servers.
Uses the same authentication + authorization as normal HSGE.
Transfer information is sent via XML-RPC using HSGE. Once a transfer is accepted (DIRAC authorization), the data is sent in binary format through the same connection.

HSGE Transfers
To enable transfers, developers must code some specific callbacks.
Services can serve normal XML-RPC requests and transfer requests.
Developers simply have to code whatever callbacks they need in the request handler.
In a "put" transfer (client → server) the needed callbacks are:

    putFileHSGE( self, sID, sFilename )
    receiveFile( self, stFileData )

In a "get" transfer (server → client) the needed callbacks are:

    getFileHSGE( self, sID, sFilename )
    sendFile( self, stFileData )
    errorSendingFile( self, stFileData, dErrorInfo )

HSGE Transfers
Data is sent and received using helper functions.
Client example (the URL was lost in the transcript):

    oClient = HSGETransferClient( "<https URL>:%s" % iPort )
    if oClient.putFile( "/etc/motd", sJobID, "motd" )[ 'Status' ] == "Error":
        processError()

Server example (the first packet is read before it is processed, so no dummy value is ever handled as data):

    class ExampleRH( HSGERequestHandler ):
        def putFileHSGE( self, sID, sFilename ):
            # Accept the transfer; DIRAC authorization has already passed
            return S_OK()
        def receiveFile( self, stFileData ):
            # Binary packets arrive on the same connection until an empty one
            sData = self._getDataPacket()
            while len( sData ) > 0:
                self.doSomething( sData )
                sData = self._getDataPacket()

    oServer = HSGEServer( ( "", iPort ), ExampleRH, "ExampleTransfer" )
    oServer.serve_forever()
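The binary leg of a "put" transfer, as an added example that is not HSGE code: the packet loop of the server example above is modelled over an in-memory byte stream, and the receiver adds the two checks a server wants once it has accepted a transfer, a size cap and detection of a stream that closes before the end marker. The framing (4-byte length prefix, empty packet as end of file) and the names frame_file, TransferReceiver and receive_bytes are assumptions; the slides do not define the packet format.

```python
import io
import struct

# Assumed framing (the slides do not define the packet format): a 4-byte
# big-endian length followed by the payload; a zero-length packet ends the file.
HEADER = struct.Struct("!I")

def frame_file(data, packet_size=4096):
    """Client side: split data into packets and append the end marker."""
    out = bytearray()
    for off in range(0, len(data), packet_size):
        chunk = data[off:off + packet_size]
        out += HEADER.pack(len(chunk)) + chunk
    out += HEADER.pack(0)
    return bytes(out)

class TransferReceiver:
    """Server-side counterpart of receiveFile(), run after putFileHSGE accepted."""

    def __init__(self, stream, max_size=16 * 1024 * 1024):
        self._stream = stream
        self._max_size = max_size  # cap what an authorized client may upload

    def _get_data_packet(self):
        header = self._stream.read(HEADER.size)
        if len(header) != HEADER.size:
            raise EOFError("stream closed before the end-of-file marker")
        (length,) = HEADER.unpack(header)
        chunk = self._stream.read(length)
        if len(chunk) != length:
            raise EOFError("truncated packet: expected %d bytes" % length)
        return chunk

    def receive_file(self):
        """Same loop shape as the slide: read packets until an empty one arrives."""
        received = bytearray()
        data = self._get_data_packet()
        while len(data) > 0:
            received += data
            if len(received) > self._max_size:
                raise ValueError("transfer exceeds %d bytes" % self._max_size)
            data = self._get_data_packet()
        return bytes(received)

def receive_bytes(wire, max_size=16 * 1024 * 1024):
    """Feed captured wire bytes to a receiver (in-memory stand-in for the socket)."""
    return TransferReceiver(io.BytesIO(wire), max_size).receive_file()
```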

Relation with VOMS
Daily update from the LDAP VO server. The lhcb_user role is updated from the VO server (ldap://grid-vo.nikhef.nl/ou=lcg1,o=lhcb,dc=eu-datagrid,dc=org).
Things to do:
– Retrieve the short username from VOMS
– Associate DIRAC roles with VOMS groups

To be done
DIRAC roles:
– User
– Group
– Admin
DIRAC groups:
– lhcb_user
– lhcb_prod
– lhcb_admin
– lhcb_data
– …
Use VOMS and VOMS proxies to associate users with groups.
(Diagram: users UserX, GroupXX and adminX mapped onto the groups lhcb_user, lhcb_prod, lhcb_admin and lhcb_data.)