Gateway Security Summit, January 28-30, 2008 Welcome to the Gateway Security Summit Nancy Wilkins-Diehr Science Gateways Area Director.


Goals for the next two days
The goal is to carefully define
–How gateways will use community accounts
  Shell access for developers?
  Job execution capabilities for users
–How sites will secure these accounts
  Will developers need to make help desk requests for any writes to the community account directory?
–How the community account request process will function
The goal is not to have all sites agree on how accounts will be secured
–But we do need to define how all sites will secure these accounts and advertise this to users
–And we want to try not to have 11 different approaches
–Many examples of the process breaking today

How did we get to where we are today?
October, 2005
–NSF Resource Allocations Policy updated to include support for community accounts through the allocations process
–Phil Andrews, Ralph Roskies, John Towns, Nancy Wilkins-Diehr edited the policy in response to user feedback on a variety of issues
  Community Services: Proposals of this type are intended to support projects that provide services to a large community of users who are typically not collaborating with the PI of the submitted proposal. An example of such a project would be an application portal service providing access to software and cycles to a community of users via the developed service. This type of proposal needs to describe the services provided, the methods used and the expected consumption of resources. It is anticipated that most such services will consume resources under a single or very limited number of logins, but that the service itself will provide some tracking of usage by individuals making use of the service, and this should be reported in renewal requests for resources, progress reports, and end-of-project reports.
–Originally written to support the CASP protein structure prediction community

Community Account Policy History
September 2006, Community account policy approved by RPF
–Community accounts will be set up by TeraGrid resource providers (RPs) and secured according to local policies. Accounts will be identified in the TGCDB by "Community User" in the last name field
–Gateways are responsible for ensuring secure use of this login; the policy refers to the user responsibility form, which had been specifically expanded and agreed upon to cover community account responsibilities
–End gateway users may not upload arbitrary executables through the community account
–TeraGrid will provide an optional service which sends problem job IDs from an RP site to gateway administrators in the event of an incident, allowing developers to disable access for the problem user while the community account remains active

January, 2007, Policy approved by security-wg
February, 2007, Policy sent to for comments, there were two to
–"Only the community credential should be mapped (via the grid-mapfile) to the community account to prevent delegated credentials from other mapped credentials being made available to community users." (Von Welch)
  Implementation detail, not added to policy doc
–"Community Software Area should not be writable by any associated community account. As this would allow a compromised portal to (over-)write applications which it could then execute." (JP Navarro)
  Done in CSA policy doc, loop closed with those installing CSAs
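Von Welch's grid-mapfile rule is easy to state and easy to drift from once eleven sites each maintain their own mapfile: one extra line mapping a developer's DN onto the community account means that developer's delegated proxies (for example, the proxy GRAM stores for a submitted job) land in a home directory every gateway user can reach. The script below is an added check, not code from the summit, from TeraGrid or from the Globus toolkit. It parses a grid-mapfile in the standard `"<subject DN>" <account>[,<account>...]` form and reports any community account that has anything other than its one designated community credential mapped to it, distinguishing a stray individual credential (one that is also mapped to a personal account) from some other extra credential. The sample mapfile, the `nbcruser` account name and every DN in it are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample grid-mapfile (not from the original page). The second line
# is the mistake the check is looking for: Bob's DN maps to both his own
# account and the community account.
SAMPLE_GRIDMAP = '''
# "<subject DN>" <local account>[,<local account>...]
"/C=US/O=Example Grid/OU=People/CN=Alice Researcher" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Developer" bob,nbcruser
"/C=US/O=Example Grid/OU=Services/CN=nbcr-gateway/host.example.org" nbcruser
"/C=US/O=Example Grid/OU=Services/CN=other-gateway/portal.example.org" nbcruser
'''

# Hypothetical: each community account and the single DN allowed to map to it.
COMMUNITY_CREDENTIALS = {
    "nbcruser": "/C=US/O=Example Grid/OU=Services/CN=nbcr-gateway/host.example.org",
}

# A quoted subject, whitespace, then a comma-separated list of accounts.
LINE_RE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """Return {account: set(DNs)} for a grid-mapfile body.

    Unparseable non-comment lines raise rather than being skipped: a mapfile
    that Globus will not read is a finding in its own right.
    """
    mapping = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable grid-mapfile entry: {raw!r}")
        dn, accounts = m.group(1), m.group(2)
        for acct in accounts.split(","):
            mapping[acct].add(dn)
    return dict(mapping)


def audit_community_mappings(mapping, community_credentials):
    """Return a list of (account, problem, dn) findings.

    For every community account the mapped DN set must be exactly
    {its community credential}. Anything else is reported.
    """
    findings = []
    for acct, expected_dn in community_credentials.items():
        dns = mapping.get(acct, set())
        if expected_dn not in dns:
            findings.append((acct, "community credential not mapped", expected_dn))
        for dn in sorted(dns - {expected_dn}):
            # If this DN also maps to some other account it is an individual's
            # credential; its delegated proxies would become readable by every
            # gateway user sharing the community account.
            elsewhere = any(dn in other for a, other in mapping.items() if a != acct)
            problem = ("individual credential also mapped to community account"
                       if elsewhere else "extra credential mapped to community account")
            findings.append((acct, problem, dn))
    return findings


if __name__ == "__main__":
    for acct, problem, dn in audit_community_mappings(
            parse_gridmap(SAMPLE_GRIDMAP), COMMUNITY_CREDENTIALS):
        print(f"{acct}: {problem}: {dn}")
```

Run it against each RP's real `/etc/grid-security/grid-mapfile` with the site's own community account list substituted for `COMMUNITY_CREDENTIALS`; a clean run prints nothing. Sites that use a callout or `gridmap-dir` instead of a flat file need the mapping collected from that source first.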

More History
May, 2007
–Community accounts are a topic on an RPF call, further clarity requested on
  Specific responsibilities of the RPs, PIs, and GIG
  Documented procedure for checking that the PI's logging responsibilities have been carried out
  Possibly a pointer in the policy document to an implementation procedures and common practices doc, so that RPs are generally doing the same thing
–Both PSC and TACC, for example, are suggesting that they are implementing something such that a message like "No services have been defined for this account, contact Joe Smith at " is shown until they have spoken directly with the PI and worked out the implementation details of the community account
Policy addresses identification of community accounts in TGCDB and some usage restrictions
–Does not address RP implementation
States that the policy will evolve as further requirements are identified by security-wg, thus leading us to where we are today!

Why a Face to Face Meeting?
Considerable work on the issue in both security-wg and gateways
–Thank you all for your contributions
Current process not working for end users
–Usage models and implementation strategies require further definition
Face to face meeting needed to come to resolution on several important topics
Critical Issues
–Carefully define usage models
–Carefully assess risk
–Thoughtfully restrict accounts on par with risks
Do not want a major gateway security incident involving TeraGrid
Severe restrictions may have a significant impact on the gateway program
Gateways reduce the impact of thousands of end user laptops, but may increase other risks
Gateways are a very important capability for both TeraGrid and the NSF
–We want them operated securely

TeraGrid is a service organization
Must occasionally step back and look at the big picture
What are our processes like for the end user?
TeraGrid is a tool users use to accomplish other goals
–They have to worry about funding the science work, teaching class, writing papers, etc.
–They don't have time to become familiar with all the intricacies of our processes, but they do their best to understand what they need to know
If TeraGrid is too frustrating to use, users will push harder for their own machines
–NSF would like to see TG take the place of some individual hardware awards on grants because it is more cost effective
We need to make sure they have a good experience

How do Gateway PIs begin using TeraGrid?
Write allocation proposal
–POPS login
–Follow our detailed instructions; can only submit larger requests during very specific windows
–Justifications, paper listings, renewals each year
  Supplements and extensions
PI must use the add user form to add each and every developer
–Go through this process again if a new platform of interest is added
If the PI wants a community account
–Submit form providing contact info (again), short and long description of gateway, gateway URL
  Gateway is then listed on the public page
–Get user portal login, log in to portal, go to MyTeraGrid and then the community account form
–Provide contact info (again), script locations, anticipated run sizes, anticipated data needs, IP address
Wait for community account setup at sites
Go through this process again if a new platform of interest is added

Accounts are set up, on to software
If the PI wants to stage software somewhere other than a home directory
–Request community software area (CSA)
  First name, last name, disk required, for how long, directory name, group members, for each group member, requested sites
–Need to make sure community account group membership does not intersect with CSA group membership
  Don't want community account to have write access to visible software areas like CSAs
–Go through this process again if a new site of interest is added
Now the PI has
–An allocation
–Developer accounts
–A community account
–A software area
Time to run some jobs
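The group-membership point on this slide and JP Navarro's earlier comment that a CSA must not be writable by its community account come down to one filesystem question an RP can answer mechanically: can the community account's uid, or any group it belongs to, write any inode under the software area? The script below is an added example, not code from the summit or from TeraGrid. It walks a software area using the community account's numeric uid and gid set, flags every file or directory that account could write (a writable directory is enough to replace an application inside it, which is the (over-)write case in the comment), and separately checks the two group lists for overlap. The demo builds a throwaway tree in a temporary directory with one deliberately world-writable subdirectory; the uid 60001, the group names and the file contents are constructed assumptions.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Plain POSIX mode-bit check: could a process running as `uid` with the
    group set `gids` write this inode? POSIX ACLs are not consulted; where a
    site uses them, add a getfacl pass on top of this."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def find_writable(root, uid, gids):
    """Return sorted root-relative paths under `root` that the account could
    write. Directories are checked as well as files, since write on a
    directory lets the account rename or replace anything in it."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [None] + filenames:
            path = dirpath if name is None else os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits mean nothing; the target is checked where it lives
            if writable_by(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def group_overlap(community_account_groups, csa_groups):
    """Groups the community account shares with the CSA's write group list.
    This should be empty for every CSA a community account can execute from."""
    return sorted(set(community_account_groups) & set(csa_groups))


def demo():
    """Constructed software area: bin/run_app.sh is 0755 (fine); scratch/ is
    0777 (the mistake). Returns what find_writable reports for a hypothetical
    community account with uid 60001 whose only group is 60001."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        os.chmod(bindir, 0o755)  # mkdir modes are subject to umask, so set them explicitly
        app = os.path.join(bindir, "run_app.sh")
        with open(app, "w") as fh:
            fh.write('#!/bin/sh\nexec /opt/app/bin/real_app "$@"\n')
        os.chmod(app, 0o755)
        scratch = os.path.join(root, "scratch")
        os.mkdir(scratch)
        os.chmod(scratch, 0o777)  # anyone, the community account included, can drop files here
        return find_writable(root, 60001, {60001})


if __name__ == "__main__":
    print("writable by community account:", demo())
    print("shared groups:", group_overlap(["nbcruser", "g-nbcr-csa"], ["g-nbcr-csa", "alice"]))
```

Against a real CSA, feed `find_writable` the community account's uid and the gid set from `id -G <account>`, and feed `group_overlap` the account's group list and the CSA request's group members. Run it as part of CSA setup and again after any group-membership change, since the slide's own process adds group members per site and per request.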

Let the programming begin
Developers add TG calls into their own fully developed gateway
–Queues
–GRAM job submissions
–Input file verification
–GridFTP
  Identify striped and non-striped servers
–Accounting
  GRAM audit
  Report to us quarterly on number of end users using gateways
–Attribute-based authentication
–Credential management
  Upload logs that include gateway use of TG
Discussion over the next two days about exactly how developers should use the combination of individual and community accounts for gateway development
We need to make sure the TeraGrid experience is worth this level of effort!

Easy as 1-2-3!
Fully diagrammed login and certificate set-up process, pre-Single Sign-on
You can see from the flow chart that things could potentially be easy. The most important thing I get from this in hindsight is that it was all exception driven.

We are asking a lot of our users
We need the processes to at least work as advertised or change the advertising
–Proposal process
–User and community account requests
–Community software area requests
–Auditing
–Attribute-based authentication
Focus on community accounts at this meeting

Recent Community Account Experience
National Biomedical Computation Resource
Sent: Wednesday, October 31, :57 PM
I did some login and GSI authentication tests for the "nbcruser" on TeraGrid. Some sites don't work, can you help me figure this out?
First, I can get the proxy from myproxy.teragrid.org.
SDSC: Everything works.
NCSA: Early this month, I could log in to NCSA clusters from laptop and NBCR machines, and GSI authentication was also successful. For now, I cannot log in to NCSA with the passwd; authentication also failed, but I still can log in to NCSA from the SDSC TeraGrid machine, and the authentication from SDSC to NCSA is successful.
PSC: Login and authentication never work.
Purdue Univ: The passwd of "nbcruser" isn't provided on the paper, and GSI authentication failed.
TACC: I can log in to the cluster, but the provided username is "tg459196", not the uniform "nbcruser".

This summit will improve that user's experience