Andrew McNab - EDG Access Control - 17 Jun 2003 EU DataGrid and GridPP Authorization and Access Control Andrew McNab, University of Manchester

Slides:



Advertisements
Similar presentations
Security middleware Andrew McNab University of Manchester.
Advertisements

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.
20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester
Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file grid “ping”
Andrew McNab - Manchester HEP - 29 January 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:
Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
Andrew McNab - SlashGrid, HTTPS, fileGridSite SlashGrid, HTTPS and fileGridSite 30 October 2002 Andrew McNab, University of Manchester
Andrew McNab - GridSite/G-HTTPS - 17 Feb 2003 GridSite and G-HTTPS update Andrew McNab, University of Manchester
Grid Security work in 2006 Andrew McNab Grid Security Research Fellow University of Manchester.
Grid Security and VO Management Andrew McNab University of Manchester.
Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester.
Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.
Andrew McNab - Access Control - 28 May 2002 Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester.
EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,
EGEE is a project funded by the European Union under contract IST Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10.
Security Middleware in GridPP2 5 Feb 2004 Security Middleware in GridPP2 Current Status – GridSite GridPP2 Themes – libgridsite.
Andrew McNab - GridSite/EDG/GGF - 29 Sept 2003 GridSite, EDG and GGF Andrew McNab, University of Manchester
EDG Security European DataGrid Project Security Coordination Group
Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.
Andrew McNab - Security - 1 July 2003 Security: Authorization, Access Control and Usage Control Andrew McNab, University of Manchester
3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK
Andrew McNab - Grid HTTP/HTTPS extensions Grid HTTP/HTTPS extensions 18 November 2002 Andrew McNab, University of Manchester
30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK
Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.
GridSite Web Servers for bulk file transfers & storage Andrew McNab Grid Security Research Fellow University of Manchester, UK.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
Andrew McNab - EDG Access Control - 4 Dec 2002 EDG Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of.
Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.
Andrew McNabGrid in 2002, Manchester HEP, 7 Jan 2003Slide 1 Grid Work in 2002 Andrew McNab High Energy Physics University of Manchester.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Grid Security work in 2004 Andrew McNab Grid Security Research Fellow University of Manchester.
Security Middleware 3 June 2004 Security Middleware Current Status – GridSite deployments – Architecture GridPP2 – Web services.
Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University.
Andrew McNab - Security issues - 4 Mar 2002 Security issues for TB1+ (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University.
Security Middleware Andrew McNab University of Manchester.
Andrew McNab - HTTP/HTTPS extensions HTTP/HTTPS as Grid data transport 6 March 2003 Andrew McNab, University of Manchester
Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
DataGrid Security Wrapup Linda Cornwall 4 th March 2004.
Storage Element Security Jens G Jensen, WP5 Barcelona, May 2003.
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
Andrew McNabSlashGrid/GFS BOF, GGF9, 7 Oct 2003Slide 1 SlashGrid = “/grid” Andrew McNab High Energy Physics University of Manchester
GridSite status Andrew McNab University of Manchester.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Introduction Salma Saber Electronic.
J Jensen / WP5 /RAL UCL 4/5 March 2004 GridPP / DataGrid wrap-up Mass Storage Management J Jensen
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
Third Party Transfers & Attribute URI ideas
Update on EDG Security (VOMS)
Presentation transcript:

Andrew McNab - EDG Access Control - 17 Jun 2003 EU DataGrid and GridPP Authorization and Access Control Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Outline u EDG Testbed Overview u Globus Security u Sysadmins’ issues u Existing VO u Pool accounts u LCAS/LCMAPS Site Access Control u VOMS u SlashGrid u GridSite u Grid ACL’s u Future developments

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Existing EDG Testbed Currently ~300 users at ~20 sites across Europe

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Globus Security u EDG currently uses Globus 2 gatekeepers and file servers, and Globus’s GSI model for authentication. u Users and hosts are identified by X.509 certificates, signed by one of ~20 “national” Certificate Authorities n CA policy statement must be acceptable to EDG CA Group n CA root certs/configuration distributed by same channels as bug fixes, security patches etc. u Users can produce delegated credentials (“GSI proxy”) by signing a public key with their user certificate n this can be chained to delegate credentials to remote servers u Authorization is provided by simple text file with certificate names and corresponding local Unix account names. n /etc/grid-security/grid-mapfile consisting of lines like: “/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew McNab” mcnab

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Testbed site administrators’ initial worries... u How can Grid users gain access without me creating new accounts every day? u How can I limit what they can do? u How can I audit what they’ve done to me? u How can I keep track of files they’ve created? u Local access control and account management usually boils down to n mapping Grid identities into appropriate local Unix identities n while respecting the above.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Existing EDG LDAP VO u EDG currently uses Virtual Organisation authorisation servers: centrally provided authorisation listings n published via LDAP (~300 users in ~10 VO ’s) n mkgridmap tool for building local grid-mapfile with local choice of VO ’s. n GUI tools allow VO managers to manage VO membership u Provides a list of certificate DN’s for a given group: eg an experiment, or a group within an experiment. u Groups have to be defined by an admin of the VO n can’t be defined on ad-hoc basis by small groups of users u Will eventually meet scaling issues since each site must frequently (daily?) fetch listings for VO ’s it accepts. n VOMS or CAS “visa” model would help a lot with this

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Joining an application VO u Users first join the Acceptable Use Policy VO, with their web browser, using their certificate n this involves agreeing to the DataGrid wide AUP, that sets out obligations of sites and users n legal wording done in conjunction with CERN legal experts (who understandably have a lot of experience of international law) u Users can then join the VO of their application (eg an LHC experiment) n VO manager can choose whether to accept user u At each site, AND of AUP VO and Application VO controls access

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Pool accounts u The other half of removing account creation burden from admins n pre-create pools of accounts and allocate these to users when they request access u Widely used by EDG Testbed sites, but not obligatory n in practice, almost all have chosen to use it u Auditing possible since all DN=>UID mappings recorded in log files. u Same pool mappings can be shared across a farm by sharing /etc/grid-security/gridmapdir/ lock files with NFS. u Existing system works ok for CPU-only jobs. n but not really appropriate if users are creating long lived files at the site in question. n limitations are because files are still owned by Unix UID: can’t recycle UID until all files created have been removed.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 LCAS / LCMAPS site access u Extension of Globus access control / mapping u LCAS - provides site-specific callouts to check authorisation based on user identity, what is requested, quotas, free-slots in batch system etc. n currently implemented as patched Globus gatekeeper, plus plugins to enforce policies n allows sites to implement complex, locally defined rules for access, including locally written extensions to check site-specific features (eg load on locally written tape-library service) n some of this functionality will also be provided by recent Globus proposal for authorisation callouts (but currently limited to yes/no on identity?) u LCMAPS - manages current mappings of Grid to local identity n makes this available to other local site components n important when not just using a simple, shared grid-mapfile for mapping

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Virtual Organisation Membership Service: VOMS u Instead of publishing lists of VO and group membership, supply signed attribute certificates to users. u Users can then present these attribute certificates to sites/resources and obtain access with group privilege, role etc. u Certificates can be included in GSI proxy certificates as extensions u Multiple attribute certificates can be used simultaneously, even from different VOMS servers and VOs. u Potential to allow users to create ad-hoc groups within VO, and to discard unnecessary VOMS credentials at delegation steps. u This is similar to Globus’s Community Authorization Service (CAS) n however, VOMS is designed for maximum backwards compatibility and to maintain the user as the verifiable and principle source of authentication

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 SlashGrid / certfs / curlfs u Framework for creating “Grid-aware” filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. u certfs.so plugin provides local storage governed by Access Control Lists based on Grid certificate name’s and VO groups n certfs is very solid: you can build a bootable Linux kernel on a certfs filesystem (~100,000 file operations in a few minutes) u Since new ACL’s just have creator’s name, this is equivalent to file ownership by certificate name rather than UID. n solves admin worries about long lived files owned by pool accounts. n if pool accounts are prevented from writing to normal disks, then no chance they will write something unpleasant somewhere unexpected. u HTTP/HTTPS remote filesystem plugin (curlfs) provides some NFS/AFS-like functionality, again governed by Grid creds + ACL’s.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 SlashGrid as container environment u Basic SlashGrid use maps area like /var/spool/slashgrid/grid/xxx to /grid/xxx, with mapping controlled by plugin code. u But also allows virtual directory hierarchies which don’t correspond to real areas on disk n “gridmap” plugin, populated with symbolic links: eg /grid/p/atlas001 -> /grid/u/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew%20McNab u Could go further and create whole user environments on demand n can be a “sandbox” if we prevent operations outside this environment n can be tailored to user’s application (eg default shared library versions) u This means we could achieve a lot of the security and uniformity between sites that, say, a Java VM has, but with native binaries. u This would be very complementary to new GT3 GRAM and execution environment factory.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Current ACL’s u When building GridSite, SlashGrid and the EDG Storage Element, we needed a simple ACL format to use for prototyping. u Current SlashGrid and GridSite use per-directory XML ACL in.gacl n As a file, this can be stored in directories, copied via unmodified https or gsiftp channels and easily manipulated by scripts and applications. n Sysadmins want disk filesystem ACL’s on same physical disk as files if possible (or managed off-site!) u Implementing ACL’s also solves some other Grid vs Unix issues that emerged during with Testbed: n eg per-UID tape storage: can store all tape files with one UID but associate ACL with the file and use that. u Clearly, isn’t a recognised standard, and we could go to, say, a subset of XACML: however, things like filesystems are very performance sensitive.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Current ACL format ldap://ldap.abc.ac.uk/ou=xyz,dc=abc,dc=ac,dc=uk /O=Grid/OU=abc.ac.uk/DN=AbcVOMS Abc readers /O=Grid/DN=Andrew

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Grid ACL vs fine-grained VO: CAS, VOMS etc u CAS or VOMS can provide ACL-like feature, specifying what capability (“write”) is permissible on objects (“higgs-wg-montecarlo”) n In some cases, this could be used to provide ACL functionality. u However, we think this is too coarse-grained and too heavyweight for all contexts n eg if my job creates a temporary, working directory in /grid/tmp, I don’t want to have to set up a new entry on the central CAS or VOMS machine u The two types of system should be seen as complementary n when you create some Higgs Monte Carlo data, you set its ACL to give write access for people with “higgs-wg-montecarlo-admin” credential. n when you create a temporary working directory, you set its ACL to give only you read and write access. n applications should “find their own level” when splitting policy between local ACL or VO-wide authorisation service

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 GACL library u XML ACL format not finalised but have several products in use which need to use it: GridSite; SlashGrid; and EDG Storage Element. u ACL will almost certainly change again in the future; and may need to understand different ACL’s (eg XACML?) from other projects. u Insulate ourselves from this by putting ACL handling functions into a standalone library, and make this understand the current XML. u Handles read/list/write ACL’s in a reasonably general way n packs C structs and linked lists with their contents n provides access functions to manipulate the structs as new types. u Despite current C implementation, API is readily translatable to object-orientated languages n Java API and implementation being produced

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 GridSite u GridSite manages access to websites and HTTP(S) fileservers n Users and admins load GSI cert + key into unmodified web browsers n Originally produced for u ACL’s control level of read and write access to file/directory n Write access by HTML forms (interactive) or HTTP PUT (programmatic) u Website admins can define groups of users with specific rights n Can delegate administration of that group to one or more members. n Group membership can also be published in EDG VO LDAP format. u New 0.9 architecture also provides support for efficient HTTP GET and PUT operations via Apache module. n ACL enforcement now available for PHP, CGI, JSP etc as well as HTML u GridSite used by several external projects, including e-Science Level 2 Grid support website.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 GridSite 0.9 architecture mod_ssl: plain HTTPS > env vars mod_gridsite: GACL access control + GACL > env vars mod_gridsite:.html headers and footers.shtml, mod_perl CGI, PHP mod_jk: JSP with Tomcat HTTP grst-admin.cgi: page editing, file upload, ACL editing etc. grst-proxy.cgi: G-HTTPS, 3rd party COPY, proxy GET + PUT mod_gridsite: PUT, DELETE, MOVE mod_ssl-GSI: HTTPS with GSI+VOMS+CAS > env vars

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Future Developments u EU DataGrid officially finishes 31st Dec 2003 n EGEE is an EU Framework 6 proposal to deploy an EU-wide Grid, largely using EDG technology for HEP, Bioinformatics and other e-Science. n GridPP comes to an end in 2004, and GridPP-2 proposal submitted to PPARC for e-Science 2nd Phase funding. n CERN is also sponsoring the LHC Computing Grid to deploy a Grid for High Energy Physics. u All of these projects stress deployment and operations rather than middleware development. u However, development of Accounting and Usage Control mechanisms is acknowledged as essential to running these production services. u We propose to extend GridPP Authorization work into Accounting to contribute to EDG / LCG / EGEE.

Andrew McNab - EDG Access Control - 17 Jun 2003 GridPP / EDG / WP6 Summary u Most of the concerns of Testbed site admins are being addressed u LDAP VO system is currently sufficient, but VOMS or CAS would be more flexible and scalable. u Pool accounts are useful but limited by UID file ownership issues. u SlashGrid / certfs provides a solution to this. u LCAS/LCMAPS allow flexible, locally configurable site policies. u GridSite provides a way of controlling HTTP(S) via Grid credentials. u GACL library provides API for handling Grid ACL’s. u Extending work into Usage Control, not just Access Control. u See for links to source code and details of all tools mentioned in this talk