Andrew McNab - EDG Access Control - 17 Jun 2003 EU DataGrid and GridPP Authorization and Access Control Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Outline u EDG Testbed Overview u Globus Security u Sysadmins’ issues u Existing VO u Pool accounts u LCAS/LCMAPS Site Access Control u VOMS u SlashGrid u GridSite u Grid ACL’s u Future developments

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Existing EDG Testbed Currently ~300 users at ~20 sites across Europe

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Globus Security u EDG currently uses Globus 2 gatekeepers and file servers, and Globus’s GSI model for authentication. u Users and hosts are identified by X.509 certificates, signed by one of ~20 “national” Certificate Authorities n CA policy statement must be acceptable to EDG CA Group n CA root certs/configuration distributed by same channels as bug fixes, security patches etc. u Users can produce delegated credentials (“GSI proxy”) by signing a public key with their user certificate n this can be chained to delegate credentials to remote servers u Authorization is provided by simple text file with certificate names and corresponding local Unix account names. n /etc/grid-security/grid-mapfile consisting of lines like: “/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew McNab” mcnab

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Testbed site administrators’ initial worries... u How can Grid users gain access without me creating new accounts every day? u How can I limit what they can do? u How can I audit what they’ve done to me? u How can I keep track of files they’ve created? u Local access control and account management usually boils down to n mapping Grid identities into appropriate local Unix identities n while respecting the above.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Existing EDG LDAP VO u EDG currently uses Virtual Organisation authorisation servers: centrally provided authorisation listings n published via LDAP (~300 users in ~10 VO ’s) n mkgridmap tool for building local grid-mapfile with local choice of VO ’s. n GUI tools allow VO managers to manage VO membership u Provides a list of certificate DN’s for a given group: eg an experiment, or a group within an experiment. u Groups have to be defined by an admin of the VO n can’t be defined on ad-hoc basis by small groups of users u Will eventually meet scaling issues since each site must frequently (daily?) fetch listings for VO ’s it accepts. n VOMS or CAS “visa” model would help a lot with this

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Joining an application VO u Users first join the Acceptable Use Policy VO, with their web browser, using their certificate n this involves agreeing to the DataGrid wide AUP, that sets out obligations of sites and users n legal wording done in conjunction with CERN legal experts (who understandably have a lot of experience of international law) u Users can then join the VO of their application (eg an LHC experiment) n VO manager can choose whether to accept user u At each site, AND of AUP VO and Application VO controls access

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Pool accounts u The other half of removing account creation burden from admins n pre-create pools of accounts and allocate these to users when they request access u Widely used by EDG Testbed sites, but not obligatory n in practice, almost all have chosen to use it u Auditing possible since all DN=>UID mappings recorded in log files. u Same pool mappings can be shared across a farm by sharing /etc/grid-security/gridmapdir/ lock files with NFS. u Existing system works ok for CPU-only jobs. n but not really appropriate if users are creating long lived files at the site in question. n limitations are because files are still owned by Unix UID: can’t recycle UID until all files created have been removed.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 LCAS / LCMAPS site access u Extension of Globus access control / mapping u LCAS - provides site-specific callouts to check authorisation based on user identity, what is requested, quotas, free-slots in batch system etc. n currently implemented as patched Globus gatekeeper, plus plugins to enforce policies n allows sites to implement complex, locally defined rules for access, including locally written extensions to check site-specific features (eg load on locally written tape-library service) n some of this functionality will also be provided by recent Globus proposal for authorisation callouts (but currently limited to yes/no on identity?) u LCMAPS - manages current mappings of Grid to local identity n makes this available to other local site components n important when not just using a simple, shared grid-mapfile for mapping

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Virtual Organisation Membership Service: VOMS u Instead of publishing lists of VO and group membership, supply signed attribute certificates to users. u Users can then present these attribute certificates to sites/resources and obtain access with group privilege, role etc. u Certificates can be included in GSI proxy certificates as extensions u Multiple attribute certificates can be used simultaneously, even from different VOMS servers and VOs. u Potential to allow users to create ad-hoc groups within VO, and to discard unnecessary VOMS credentials at delegation steps. u This is similar to Globus’s Community Authorization Service (CAS) n however, VOMS is designed for maximum backwards compatibility and to maintain the user as the verifiable and principle source of authentication

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 SlashGrid / certfs / curlfs u Framework for creating “Grid-aware” filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. u certfs.so plugin provides local storage governed by Access Control Lists based on Grid certificate name’s and VO groups n certfs is very solid: you can build a bootable Linux kernel on a certfs filesystem (~100,000 file operations in a few minutes) u Since new ACL’s just have creator’s name, this is equivalent to file ownership by certificate name rather than UID. n solves admin worries about long lived files owned by pool accounts. n if pool accounts are prevented from writing to normal disks, then no chance they will write something unpleasant somewhere unexpected. u HTTP/HTTPS remote filesystem plugin (curlfs) provides some NFS/AFS-like functionality, again governed by Grid creds + ACL’s.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 SlashGrid as container environment u Basic SlashGrid use maps area like /var/spool/slashgrid/grid/xxx to /grid/xxx, with mapping controlled by plugin code. u But also allows virtual directory hierarchies which don’t correspond to real areas on disk n “gridmap” plugin, populated with symbolic links: eg /grid/p/atlas001 -> /grid/u/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew%20McNab u Could go further and create whole user environments on demand n can be a “sandbox” if we prevent operations outside this environment n can be tailored to user’s application (eg default shared library versions) u This means we could achieve a lot of the security and uniformity between sites that, say, a Java VM has, but with native binaries. u This would be very complementary to new GT3 GRAM and execution environment factory.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Current ACL’s u When building GridSite, SlashGrid and the EDG Storage Element, we needed a simple ACL format to use for prototyping. u Current SlashGrid and GridSite use per-directory XML ACL in.gacl n As a file, this can be stored in directories, copied via unmodified https or gsiftp channels and easily manipulated by scripts and applications. n Sysadmins want disk filesystem ACL’s on same physical disk as files if possible (or managed off-site!) u Implementing ACL’s also solves some other Grid vs Unix issues that emerged during with Testbed: n eg per-UID tape storage: can store all tape files with one UID but associate ACL with the file and use that. u Clearly, isn’t a recognised standard, and we could go to, say, a subset of XACML: however, things like filesystems are very performance sensitive.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Current ACL format ldap://ldap.abc.ac.uk/ou=xyz,dc=abc,dc=ac,dc=uk /O=Grid/OU=abc.ac.uk/DN=AbcVOMS Abc readers /O=Grid/DN=Andrew

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Grid ACL vs fine-grained VO: CAS, VOMS etc u CAS or VOMS can provide ACL-like feature, specifying what capability (“write”) is permissible on objects (“higgs-wg-montecarlo”) n In some cases, this could be used to provide ACL functionality. u However, we think this is too coarse-grained and too heavyweight for all contexts n eg if my job creates a temporary, working directory in /grid/tmp, I don’t want to have to set up a new entry on the central CAS or VOMS machine u The two types of system should be seen as complementary n when you create some Higgs Monte Carlo data, you set its ACL to give write access for people with “higgs-wg-montecarlo-admin” credential. n when you create a temporary working directory, you set its ACL to give only you read and write access. n applications should “find their own level” when splitting policy between local ACL or VO-wide authorisation service

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 GACL library u XML ACL format not finalised but have several products in use which need to use it: GridSite; SlashGrid; and EDG Storage Element. u ACL will almost certainly change again in the future; and may need to understand different ACL’s (eg XACML?) from other projects. u Insulate ourselves from this by putting ACL handling functions into a standalone library, and make this understand the current XML. u Handles read/list/write ACL’s in a reasonably general way n packs C structs and linked lists with their contents n provides access functions to manipulate the structs as new types. u Despite current C implementation, API is readily translatable to object-orientated languages n Java API and implementation being produced

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 GridSite u GridSite manages access to websites and HTTP(S) fileservers n Users and admins load GSI cert + key into unmodified web browsers n Originally produced for u ACL’s control level of read and write access to file/directory n Write access by HTML forms (interactive) or HTTP PUT (programmatic) u Website admins can define groups of users with specific rights n Can delegate administration of that group to one or more members. n Group membership can also be published in EDG VO LDAP format. u New 0.9 architecture also provides support for efficient HTTP GET and PUT operations via Apache module. n ACL enforcement now available for PHP, CGI, JSP etc as well as HTML u GridSite used by several external projects, including e-Science Level 2 Grid support website.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 GridSite 0.9 architecture mod_ssl: plain HTTPS > env vars mod_gridsite: GACL access control + GACL > env vars mod_gridsite:.html headers and footers.shtml, mod_perl CGI, PHP mod_jk: JSP with Tomcat HTTP grst-admin.cgi: page editing, file upload, ACL editing etc. grst-proxy.cgi: G-HTTPS, 3rd party COPY, proxy GET + PUT mod_gridsite: PUT, DELETE, MOVE mod_ssl-GSI: HTTPS with GSI+VOMS+CAS > env vars

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Future Developments u EU DataGrid officially finishes 31st Dec 2003 n EGEE is an EU Framework 6 proposal to deploy an EU-wide Grid, largely using EDG technology for HEP, Bioinformatics and other e-Science. n GridPP comes to an end in 2004, and GridPP-2 proposal submitted to PPARC for e-Science 2nd Phase funding. n CERN is also sponsoring the LHC Computing Grid to deploy a Grid for High Energy Physics. u All of these projects stress deployment and operations rather than middleware development. u However, development of Accounting and Usage Control mechanisms is acknowledged as essential to running these production services. u We propose to extend GridPP Authorization work into Accounting to contribute to EDG / LCG / EGEE.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Summary u Most of the concerns of Testbed site admins are being addressed u LDAP VO system is currently sufficient, but VOMS or CAS would be more flexible and scalable. u Pool accounts are useful but limited by UID file ownership issues. u SlashGrid / certfs provides a solution to this. u LCAS/LCMAPS allow flexible, locally configurable site policies. u GridSite provides a way of controlling HTTP(S) via Grid credentials. u GACL library provides API for handling Grid ACL’s. u Extending work into Usage Control, not just Access Control. u See for links to source code and details of all tools mentioned in this talk