Presentation is loading. Please wait.

Presentation is loading. Please wait.

15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

Published byJocelin Morgan Modified over 8 years ago

Similar presentations

Presentation on theme: "15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK"— Presentation transcript:

1 15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk d.p.kelsey@rl.ac.uk

2 15-May-03D.P.Kelsey, SCG Summary2 Authentication

3 15-May-03D.P.Kelsey, SCG Summary3 Certificate Authorities WP6 CA group –EDG, CrossGrid, LCG 5 new CA’s (in 2003) 3 updated CA’s (Ireland, UK, US DOE) 18 on the trusted list (today) Canada, CERN, Cyprus, Czech Republic, France, Germany, Greece, Ireland, Italy, Netherlands, Nordic, Poland, Portugal, Russia, Slovakia, Spain, UK, USA “Catch-all” operated by CNRS/France Under development/consideration Belgium, FNAL (KCA), Hungary, Israel, Japan, Taiwan, (Austria?) FNAL and Taiwan the furthest down the road Next CA meeting: 12/13 June 2003

4 15-May-03D.P.Kelsey, SCG Summary4 Online AuthN/AuthZ FNAL running a Kerberos CA (KCA) –CERN also interested –User authenticates via Kerberos mechanisms –KCA issues short-lived certificate for Grid Key Management Concerns –User-held private keys – security concerns Need also to consider MyProxy, VSC, VOMS, … –And indeed User-generated Proxy certs “long-lived” CA’s different from online (short-lived) services –“Online” run by the project LCG-1 working towards interim trust of KCA –And FNAL trust of EDG CA’s

5 15-May-03D.P.Kelsey, SCG Summary5 Design (see D7.6)

6 Overview of the New Security Model - n° 6 Overview MyProxy user CA certificate: dn, ca, Pkey proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime) TrustManager doit pre-process: parameters-> obj.id + req. op. obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth WebServices Authz dn,attrs,acl, req.op ->yes/no doit auth authz map dn -> DB role TrustManager LCMAPS dn -> userid, krb ticket GSI LCAS dn,attrs,acl, req.op ->yes/no doit auth authz map GSI doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth coarse grained (e.g. Spitfire) coarse grained (e.g. gatekeeper) fine grained (e.g. RepMec) fine grained (e.g. SE, /grid) Java proxy cert mod_ssl doit pre-process: parameters-> obj.id + req. op. GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz auth C web fine grained (e.g. GridSite) proxy cert VOMS VOMS cred: VO, group(s), role(s) certificate proxy cert delegation: cert+key (long lifetime) delegation: cert+key (short lifetime) re-newal request focus is on VOMS details are in D7.6 Security Design

7 Overview of the New Security Model - n° 7 VOMS

8 Overview of the New Security Model - n° 8 User’s Authorization in EDG 1.4.x VO-LDAP user service grid-mapfile authentication info user cert (long life ) proxy cert (short life ) VO-LDAP CA mkgridmap crl update low frequency high frequency host cert (long life ) registration grid-proxy-init

9 Overview of the New Security Model - n° 9 User’s Authorization in EDG 2.x VO-VOMS user service authentication & authorization info user cert (long life ) VO-VOMS CA low frequency high frequency host cert (long life ) authz cert (short life) service cert (short life) authz cert (short life) proxy cert (short life) voms-proxy-init crl update registration LCAS edg-java-security

10 Overview of the New Security Model - n° 10 Migration to VOMS VO-LDAPVOMS userservice proxy grid-mapfile voms-ldap-sync grid-proxy-init phase 0. VOMS userservice proxy (voms) grid-mapfile phase 2. VO-LDAPVOMS userservice proxy grid-mapfile voms-ldap-sync grid-proxy-init phase 1. VOMS userservice phase 3. proxy (voms) testing the VOMS serversuser management on VOMS compatibility mode: mixed servicesfully migrated: only VOMS-aware services VO-LDAP grid-proxy-init edg-mkgridmap voms-proxy-init edg-mkgridmap voms-proxy-init

11 15-May-03D.P.Kelsey, SCG Summary11 Applications

12 15-May-03D.P.Kelsey, SCG Summary12 WP8 Security Joint session this week Need VOMS and file ACL’s –Working on detailed Use cases for Groups/Roles “Production” can write files “User” can read files Discussed plans for LCG-1 User Registration –Checks on User before registration in VO

13 15-May-03D.P.Kelsey, SCG Summary13 WP9 Security Joint session this week Need VOMS –Groups = experiments (like sub-VO’s) –And Roles Need file ACL’s to control who can write/read

14 15-May-03D.P.Kelsey, SCG Summary14 WP10 Security See use cases in D7.6 Joint session this week The most requirements for security Medical images –Different access for patient, doctor, researcher –Require encryption –No unpriv. access to contents of ACL’s Needs WP2 fine-grained AuthZ to RC –Not on the current plan?

15 15-May-03D.P.Kelsey, SCG Summary15 Security Plans for TB 3

16 15-May-03D.P.Kelsey, SCG Summary16 Plans for TB 3 Reminder –Both EU Reviews encouraged more on Security Particularly for Bio-medical Release 2.0 –Improved security But need C/C++ security API (WP2, WP3,…) –Limited AuthZ LCAS in 2.0 Grid mapfile General statement –No major EDG functionality change between 2.0 and TB3 –BUT… we need security –Will the WP’s succeed? Risks: could break everything!!

17 15-May-03D.P.Kelsey, SCG Summary17 VOMS Ready, being tested (INFN, NIKHEF, CERN…) Dropped off end of list for 2.0 release High priority item! –integration immediately after 2.0

18 15-May-03D.P.Kelsey, SCG Summary18 Middleware plans (TB3) WP1 –AuthZ support for scheduling and admin access? WP2 –Delegation through G-HTTPS –VOMS integration –Authorization manager and admin interface WP3 –Authentication (not in 2.0 – need C/C++ API) –Planning for AuthZ (need delegation)? WP4 –LCMAPS, new LCAS, VOMS plug-in WP5 –File-level Access Control (VOMS, GACL) –Needs delegation (SRMcopy), how to define ACL?

19 15-May-03D.P.Kelsey, SCG Summary19 Summary We must aim to release the security components –VOMS, LCAS/LCMAPS, Java Security, … –WP8/9/10 have clear requirements Need to decide – can we do the WP10 confidentiality? –Groups/roles in VOMS and file ACL’s The highest priority WP2/WP5 and WP4 critical here Need more work on the ACL model –WP1 and WP3 security (lower priority?) Will need careful coordination over coming months Stability, Stability, Stability,… Yes, but… Security, Security, Security,…

Download ppt "15-May-03D.P.Kelsey, SCG Summary1 Security Coord Group (SCG) EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK"

Similar presentations

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Grid Security in EGEE/LCG ISGC 2005, Taipei, Taiwan 29 April 2005 David Kelsey CCLRC/RAL, UK

Grid Security in EGEE/LCG ISGC 2005, Taipei, Taiwan 29 April 2005 David Kelsey CCLRC/RAL, UK
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and.

DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003 Grid Security for Site Authorization in EDG VOMS, Java Security and.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
The EU Grid PMA David Kelsey CCLRC/RAL 16 April 2004, Dublin

The EU Grid PMA David Kelsey CCLRC/RAL 16 April 2004, Dublin
GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
20-May-03D.P.Kelsey, LCG-1 Security, HEPiX1 Grid Security for LCG-1 HEPiX, NIKHEF, 20 May 2003 David Kelsey CCLRC/RAL, UK

20-May-03D.P.Kelsey, LCG-1 Security, HEPiX1 Grid Security for LCG-1 HEPiX, NIKHEF, 20 May 2003 David Kelsey CCLRC/RAL, UK
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues

Similar presentations

Ads by Google