
Security, Authentication and Authorization on Grid Computing 1st Chinese-French workshop on LHC Physics and Associated Grid Computing Beijing, December.




Slide 1: Security, Authentication and Authorization on Grid Computing
1st Chinese-French workshop on LHC Physics and Associated Grid Computing, Beijing, December 11th-16th 2006
Sophie Nicoud, CNRS/UREC, Sophie.Nicoud@urec.cnrs.fr

Slide 2: Overview
Sophie Nicoud – Security, Authentication, Authorization – Beijing, Dec. 2006
- What do we need to access the Grid Computing infrastructure?
- Authentication
  - Digital certificates
  - Certification Authority collaboration
  - Grid Security Infrastructure (GSI)
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture
- Security Groups

Slide 3: What do we need to access the Grid Computing infrastructure?
- Authentication => Digital Certificate X509v3 (CA): who am I?
- Authorization => Virtual Organization (VO or VOMS): what am I allowed to do?
- Access to the GRID => User Interface (UI) or Web portal
- Single Sign-On
- Accounting: WHO does WHAT and WHEN?
- Future: billing

Slide 4: Overview
- Authentication
  - Digital certificates
  - Certification Authorities collaboration
  - Grid Security Infrastructure (GSI)

Slide 5: What is a digital certificate?
- Built on asymmetric mathematical algorithms, and on trust in a third party, the Certification Authority (CA)
- It is a pair of two keys:
  - The keys are generated together
  - It is impossible to derive the private key from the public one
  - A message encrypted with one key can be decrypted only with the other one
- It is composed of a public key and a private key
- The public key
  - Plus some information about the owner, is signed by the Certification Authority
  - Published worldwide by the CA
  - In everyday language, this is what is called the certificate
- The private key
  - Stored on the hard disk of the user's machine
  - Encrypted and protected by a password

Slide 6: X509v3 Certificate (1)
- A digital certificate (or X509v3 certificate) can be issued for:
  - a physical person (personal certificate)
  - a machine (host certificate)
  - a program (service certificate)
- The CA checks the identity of the requester => the job of the RA, the Registration Authority
- The digital certificate has a validity period and a unique serial number
- A CA has a certificate signed:
  - by itself => Root CA
  - by another CA => sub-CA

Slide 7: X509v3 Certificate (2)
- When a certificate is lost or stolen, or its password is forgotten, the certificate is revoked
- The CRL, Certificate Revocation List:
  - contains the serial numbers of all revoked certificates
  - is published when a certificate is revoked, and at least every month

Slide 8: X509v3 Certificate (3)
- The certificate contains:
  - Subject or DN (Distinguished Name)
  - Serial number
  - Time of validity
  - Public key
  - Info on the CA
  - X509v3 extensions
    - Owner email
    - Allowed use of the certificate
    - ...
  - Digital signature of the CA

Slide 9: X509v3 Certificate (4)

    # openssl x509 -text -noout -in usercert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 656 (0x290)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=FR, O=CNRS, CN=GRID-FR
            Validity
                Not Before: Feb  8 10:04:45 2006 GMT
                Not After : Feb  8 10:04:45 2007 GMT
            Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Sophie Nicoud
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b9:8d:52:15:ee:80:d8:8f:3c:a7:1f:fb:59:6d:

Annotations on the slide: serial number, issuer CA, time of validity, subject, public key.

Slide 10: An X509v3 certificate (2)

            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                Netscape Cert Type:
                    SSL Client, S/MIME, Object Signing
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.10813.1.1.8.1.0
                X509v3 Subject Alternative Name:
                    email:Sophie.Nicoud@urec.cnrs.fr
                X509v3 CRL Distribution Points:
                    URI:http://crls.services.cnrs.fr/GRID-FR/getder.crl
                1.3.6.1.4.1.7650.1:
                    unicoreClient
        Signature Algorithm: sha1WithRSAEncryption
            7a:ea:e5:96:d6:cb:2f:2e:a6:9c:1d:06:55:8a:af:2a:7a:1c:

Annotations on the slide: X509v3 extensions (allowed use; CP/CPS version; email; CRL), CA signature.

Slide 11: Digital signature
(Diagram: signing of a certificate by the issuer CA.) The public key plus the owner info is passed through a hash code, which gives a fingerprint; the fingerprint is encrypted with the CA private key (the CA signing step), giving the encrypted fingerprint, i.e. the CA signature; the result, public key + info + CA signature, is the certificate.

Slide 12: Certificate checks
(Diagram.) The certificate, public key + info + CA signature, is checked in three steps: the hash code of the public key + info gives fingerprint A; the CA signature decrypted with the CA public key gives fingerprint B; are they equal? Then: is the time of validity respected? Is the certificate included in the CRL?

Slide 13: Certification Authorities collaboration (1)
- In a Grid environment with many users and many organizations:
  - single sign-on and identity certificates are needed for all national and global grid projects
  - thus they are issued by independent identity providers and trusted by everyone in the grid
- Impossible to use only one CA per project or partner => one CA per country
  - but also per set of countries or per institute
  - need collaboration in each country
  - need CA coordination to establish a CA trust domain
  - need a catch-all CA for countries without a CA

Slide 14: Certification Authorities collaboration (2)
- At the start of EDG in 2001:
  - 3 CAs: CNRS, INFN, CERN
  - One coordination group, CACG, then EuGridPMA
- Now, in 2006:
  - The coordination group is split across 3 continents
  - European coordination: 37 CAs
  - Asia and Pacific coordination: 8 CAs
  - Americas coordination: 2 CAs
  - Every year new CAs come
  - Many Grid projects: EGEE, LCG, DEISA, EELA, EuMedGrid, EScience, PPDG, ...

Slide 15: Organisation of GRID PMAs
- IGTF, International Grid Trust Federation
  - Establishes worldwide trust for the Grid
  - Establishes rules and a charter between PMAs
  - Approved at GGF 15, October 5, 2005
  - http://www.gridpma.org/
- EUGridPMA
  - First PMA to establish the IGTF
  - In fact covers not only Europe but remains the reference for most continents
  - http://www.eugridpma.org
- TAGPMA
  - America, South and North
  - 2 CAs, DOE and Canada. Many in the accreditation process for South America
- APGridPMA
  - Asia and Pacific
  - 10 CAs: Australia, Japan, China, Taiwan, ...
  - http://apgrid.org/

Slide 16: Purpose of a GRID PMA
- Policy Management Authority: GRID PMA
  - Establishes minimal requirements and best practices for GRID CAs
  - Accredits CAs by reviewing their CP/CPS
  - Audits CAs
- Minimal requirements:
  - Certificate Revocation List (CRL)
    - Lifetime must be no more than 30 days
    - A new CRL must be generated at least 7 days before expiration
    - A new CRL must be issued immediately after a certificate revocation
  - CA namespace
    - No clash with any other CA
  - CA system
    - Dedicated machine in a secure environment where access is controlled
  - Some certificate extensions must be set to specific values
  - ...

Slide 17: Chinese CAs
- IHEP CA, https://gridca.ihep.ac.cn/
  - Issues certificates to people and sites participating in Grid Computing
  - CA running since 2004
  - Accredited by EUGridPMA and APGridPMA in 2005
  - Managed by Gongxing SUN
- SDG CA, http://ca.sdg.grid.cn/en/
  - SDG CA provides PKI services for the Scientific Data Grid research community involved in Grid activities
  - Accredited by APGridPMA
  - Managed by Kai Nan

Slide 18: French CA
- 2001-2004: Datagrid-fr CA
  - Sub-CA of the CNRS CA dedicated to the DataGrid (EDG) project
- Since 2005: GRID-FR CNRS CA
  - Sub-CA of the CNRS CA dedicated to GRID projects
- Issues certificates for:
  - All French entities:
    - French institutes or private companies involved in a GRID project with the CNRS
  - Catch-all CA:
    - Institutes or private companies, non-HEP, involved with the CNRS in a GRID project and which do not have a national GRID CA
- Now, we issue around 800 certificates per year in 27 countries

Slide 19: Grid Security Infrastructure (GSI)
- Authentication based on digital certificates and trusted CAs
- A standard for Grid software
- Implements:
  - Single sign-on: the password is given only once
  - Mutual authentication: every Grid transaction is mutually authenticated
  - Proxy: allows a remote process to authenticate on behalf of the user, i.e. to let someone use his authorizations and his authentication
- Proxy certificates
  - Certificate with limited lifetime, signed with the user's private key
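The signing flow of slides 11 and 12 and the proxy rule of slide 19, modelled as an added Python example (not the GRID-FR CA's or GSI's code). Toy RSA keys built from fixed small primes stand in for the CA, user and proxy key pairs; the certificate fields, dates and DNs follow slide 9, and the CRL serial numbers are constructed. It goes one step beyond the slides by also refusing a CRL whose next update is already in the past, since a stale CRL cannot vouch for a certificate.

```python
"""Toy model of certificate signing and checking (slides 11, 12) and GSI proxies (slide 19).
Added example, not the GRID-FR CA's or GSI's code. The RSA keys are tiny textbook keys
from fixed primes so the arithmetic is visible; real CAs use 1024-bit keys and PKCS#1
padding, which this toy omits."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2006, 12, 11, tzinfo=timezone.utc)   # the workshop date, used as "today"


def toy_keypair(p, q, e=65537):
    """The two keys are generated together: ((e, n) public, (d, n) private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    public_key: tuple        # (e, n) of the certificate owner
    signature: int = 0       # filled in by the issuer

    def to_be_signed(self):
        """Public key + info about the owner: the part the issuer signs."""
        return (f"{self.subject}|{self.issuer}|{self.serial}|{self.not_before.isoformat()}|"
                f"{self.not_after.isoformat()}|{self.public_key}").encode()


@dataclass
class CRL:
    issuer: str
    revoked: set             # serial numbers of revoked certificates
    next_update: datetime    # after this time the CRL itself is stale


def fingerprint(cert, n):
    """Hash code of the signed part, reduced so it fits the toy modulus n."""
    return int.from_bytes(hashlib.sha256(cert.to_be_signed()).digest(), "big") % n


def sign(cert, issuer_private):
    """The fingerprint encrypted with the issuer's private key is the signature."""
    d, n = issuer_private
    cert.signature = pow(fingerprint(cert, n), d, n)
    return cert


def check_certificate(cert, issuer_public, now, crl=None):
    """Slide 12 checks; returns the list of failed checks ([] means accepted)."""
    e, n = issuer_public
    problems = []
    # fingerprint A: hash of the certificate; fingerprint B: signature decrypted with the issuer's public key
    if pow(cert.signature, e, n) != fingerprint(cert, n):
        problems.append("bad signature")
    if not cert.not_before <= now <= cert.not_after:
        problems.append("outside validity period")
    if crl is not None:
        if crl.next_update <= now:
            problems.append("CRL expired")       # a stale CRL cannot vouch for anything
        if cert.serial in crl.revoked:
            problems.append("revoked")
    return problems


def check_proxy(proxy, user_cert, ca_public, now, crl):
    """GSI proxy (slide 19): signed with the user's private key, lifetime at most 24 h."""
    problems = check_certificate(user_cert, ca_public, now, crl)
    problems += check_certificate(proxy, user_cert.public_key, now)  # proxies are not listed in the CA's CRL
    if proxy.issuer != user_cert.subject:
        problems.append("proxy not issued by the user")
    if proxy.not_after - proxy.not_before > timedelta(hours=24):
        problems.append("proxy lifetime over 24 h")
    if proxy.not_after > user_cert.not_after:
        problems.append("proxy outlives user certificate")
    return problems


def build_example(now=NOW):
    """Constructed CA, user and proxy certificates; user dates, serial and DNs follow slide 9."""
    ca_public, ca_private = toy_keypair(104729, 1299709)
    user_public, user_private = toy_keypair(15485863, 32452843)
    proxy_public, _ = toy_keypair(1000003, 1000033)
    ca_dn = "/C=FR/O=CNRS/CN=GRID-FR"
    user = sign(Cert("/O=GRID-FR/C=FR/O=CNRS/OU=UREC/CN=Sophie Nicoud", ca_dn, 656,
                     datetime(2006, 2, 8, 10, 4, 45, tzinfo=timezone.utc),
                     datetime(2007, 2, 8, 10, 4, 45, tzinfo=timezone.utc), user_public), ca_private)
    proxy = sign(Cert(user.subject + "/CN=proxy", user.subject, 1,
                      now, now + timedelta(hours=12), proxy_public), user_private)
    crl = CRL(ca_dn, {17, 42}, now + timedelta(days=30))   # constructed serials; 30-day CRL lifetime
    return {"ca_public": ca_public, "user": user, "proxy": proxy, "crl": crl}


if __name__ == "__main__":
    ex = build_example()
    print("user cert:", check_certificate(ex["user"], ex["ca_public"], NOW, ex["crl"]))
    print("proxy:", check_proxy(ex["proxy"], ex["user"], ex["ca_public"], NOW, ex["crl"]))
```

Both checks return an empty list for the freshly built certificates; editing the subject after signing makes the signature check fail, adding serial 656 to the CRL reports the certificate as revoked, and checking 400 days later reports both an expired certificate and an expired CRL.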

Slide 20: Overview
- Authorization
  - Concept of Virtual Organizations
  - Mechanisms and architecture

Slide 21: Authorization
- Virtual Organizations (VO)
  - A set of entities sharing the same objective: users and resources
  - A set of individuals or organisations, not under single hierarchical control, (temporarily) joining forces to solve a particular problem at hand, bringing to the collaboration a subset of their resources, sharing those at their discretion and each under their own conditions.

Slide 22: Virtual Organizations (1)
- A VO can be a set of users sharing the same experiment, or from the same lab, area or project:
  - Experiment: Biomed, gene, Alice, Atlas, Babar, LHCb, ESR, EGEODE, ...
  - Labs, areas: vo.dapnia.cea.fr, vo.lal.in2p3.fr, ...
  - Projects: ambrace, infngrid, GridPP, auvergrid, ...
  - Other: dteam, ...
  - https://cic.in2p3.fr/index.php?id=vo
- One administrator per Virtual Organization: he is the manager of the users of his VO
- Site managers allow a VO to access the site's resources
- Specific rights can be allowed by site administrators
  - Refuse users with specific certificate subject patterns

Slide 23: LDAP VO
- At each site, each user certificate is mapped to a unique local user account (UID/GID) according to his VO
- This UID/GID is picked from the VO pool account defined by the site administrator
- Now there are 2 types of VO: LDAP VO and VOMS
- LDAP VO
  - The oldest method; it is based on an LDAP server that contains the list of VO members
  - A user can be a member of only one VO
  - All members of a VO have the same access rights
  - The user authentication command is: grid-proxy-init
  - The local authorization file, grid-mapfile, is rebuilt every few hours from the LDAP server. Each certificate subject of the VO is mapped to its VO pool account:

        "/O=GRID-FR/C=FR/O=CNRS/OU=CC-LYON/CN=Sylvain Reynaud" .dte
        "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Alexandre Rozanov" .atl
        "/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev" lhcs

Slide 24: VO LDAP architecture
(Diagram.) Components and flows: the User Interface holds the User Cert. (1 year max) and runs grid-proxy-init to create a Proxy Cert. (24 h max); the CA handles registration, delivers the CA Cert. and publishes CRL updates (low frequency); the VO feeds the grid-mapfile (high frequency); the Service holds a Host Cert. (1 year max) and performs mutual authentication + authorization checks.

Slide 25: VOMS (1)
- VOMS, Virtual Organization Membership Service
  - The VOMS database contains the VO members with their specific rights
  - A VOMS user can have many different sets of authorizations; moreover, a user can be a member of many VOMS
  - User rights depend on his group or role membership in the VOMS
  - Groups, roles and rights are included in the user proxy
  - The user authentication command is: voms-proxy-init --voms
  - Authorizations are expressed by FQANs* and included in the proxy attributes: /Role=[ ][/Capability= ]
  - *FQAN: Fully Qualified Attribute Name

Slide 26: VOMS (2)
- Groups
  - Groups can have a hierarchical structure, indefinitely deep
  - Useful to give different authorizations according to group membership
  - The default group is /
- Roles
  - Software manager, VO-Administrator, Production, ...
  - Roles have no hierarchical structure: there is no sub-role
  - Roles are not used in 'normal operation'
  - They must be specifically requested when the user creates his proxy
- Proxy attributes are checked by each site with LCAS and LCMAPS

Slide 27: VOMS (3)
- LCMAPS
  - Maps grid credentials (subject + attributes of the proxy certificate) to local credentials (UID/GID)
- LCAS
  - Checks if the user is authorized or banned at the site (currently using the grid-mapfile)
- The local authorization file, grid-mapfile, is rebuilt every few hours. Each VOMS/group/role is mapped to its pool account:

        "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" .dte
        "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" dtes
        "/VO=dteam/GROUP=/dteam" .dte
        "/VO=dteam/GROUP=/dteam/ROLE=NULL" .dte
        "/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
        "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
        "/VO=dteam/GROUP=/dteam/ROLE=lcgadmin/CAPABILITY=NULL" dtes
        "/VO=dteam/GROUP=/dteam/ROLE=production" dtep
        "/VO=dteam/GROUP=/dteam/ROLE=production/CAPABILITY=NULL" dtep
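The grid-mapfile entries of slides 23 and 27 and the LCAS/LCMAPS split of slide 27, as an added Python example (not the LCAS, LCMAPS or site-configuration code). The mapfile text is constructed from the entries on the two slides; the lookup order (proxy FQANs most specific first, then the bare DN), the expansion of a proxy FQAN into the /VO=.../GROUP=.../ROLE=... key forms, and the sticky pool-account leases are this example's assumptions about how a site could resolve a proxy to a local account.

```python
"""grid-mapfile parsing plus an LCAS-style authorization decision and an LCMAPS-style
mapping to a local account (slides 23 and 27). Added example, not the LCAS/LCMAPS code:
lookup order, FQAN expansion and the pool-lease scheme are assumptions of this example."""
import fnmatch
import re

# Constructed grid-mapfile from the slides' entries: a leading "." on the account
# means "pick an account from that pool"; a bare name is a fixed local account.
GRID_MAPFILE = '''\
"/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" .dte
"/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer" dtes
"/O=GRID-FR/C=FR/O=CNRS/OU=CPPM/CN=Andrei Tsaregorodtsev" lhcs
"/VO=dteam/GROUP=/dteam" .dte
"/VO=dteam/GROUP=/dteam/ROLE=NULL" .dte
"/VO=dteam/GROUP=/dteam/ROLE=NULL/CAPABILITY=NULL" .dte
"/VO=dteam/GROUP=/dteam/ROLE=lcgadmin" dtes
"/VO=dteam/GROUP=/dteam/ROLE=lcgadmin/CAPABILITY=NULL" dtes
"/VO=dteam/GROUP=/dteam/ROLE=production" dtep
"/VO=dteam/GROUP=/dteam/ROLE=production/CAPABILITY=NULL" dtep
'''

MAP_LINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text):
    """Ordered (key, account) pairs; key is a certificate DN or a VOMS FQAN key."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def fqan_keys(fqan):
    """Expand a proxy FQAN such as /dteam/Role=lcgadmin/Capability=NULL into the
    grid-mapfile key forms of slide 27, most specific first (assumed order)."""
    groups, role, cap = [], "NULL", "NULL"
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif part:
            groups.append(part)          # first component is the VO, the rest are subgroups
    if not groups:
        raise ValueError(f"FQAN without VO/group: {fqan!r}")
    base = f"/VO={groups[0]}/GROUP=/{'/'.join(groups)}"
    return [f"{base}/ROLE={role}/CAPABILITY={cap}", f"{base}/ROLE={role}", base]


def lcas(dn, fqans, entries, banned_patterns=()):
    """LCAS-style decision: a banned subject pattern wins; otherwise the user must
    appear in the grid-mapfile by DN or by one of the proxy's FQANs."""
    if any(fnmatch.fnmatchcase(dn, pat) for pat in banned_patterns):
        return False
    keys = {k for f in fqans for k in fqan_keys(f)} | {dn}
    return any(key in keys for key, _ in entries)


class Lcmaps:
    """LCMAPS-style mapping of (DN, FQANs) to a local account, with sticky pool leases."""

    def __init__(self, entries, pool_size=3):
        self.entries = entries
        self.pool_size = pool_size
        self.leases = {}          # pool name -> {dn: leased account}

    def map_credentials(self, dn, fqans):
        lookup = [k for f in fqans for k in fqan_keys(f)] + [dn]
        for wanted in lookup:
            for key, account in self.entries:
                if key == wanted:
                    return self._resolve(account, dn)
        return None               # not mapped: the site does not know this user

    def _resolve(self, account, dn):
        if not account.startswith("."):
            return account        # fixed local account, e.g. lhcs or dtes
        pool = self.leases.setdefault(account[1:], {})
        if dn not in pool:        # a DN keeps the same pool account once leased
            if len(pool) >= self.pool_size:
                raise RuntimeError(f"pool {account[1:]} exhausted")
            pool[dn] = f"{account[1:]}{len(pool) + 1:03d}"
        return pool[dn]


if __name__ == "__main__":
    site = Lcmaps(parse_grid_mapfile(GRID_MAPFILE))
    schaer = "/O=GRID-FR/C=FR/O=CEA/OU=DAPNIA/CN=Frederic Schaer"
    print(site.map_credentials(schaer, ["/dteam/Role=lcgadmin/Capability=NULL"]))  # dtes
    print(site.map_credentials(schaer, ["/dteam"]))                                # dte001
```

With the lcgadmin role requested at proxy creation the user lands on the fixed dtes account; with plain dteam membership he gets a lease from the dte pool, and a second dteam member gets the next pool account. A subject that matches a site ban pattern is refused by the LCAS step before any mapping happens.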

Slide 28: VOMS architecture
(Diagram.) Components and flows: the User Interface holds the User Cert. (1 year max) and runs voms-proxy-init, which contacts the VOMS service (mutual authentication and authorization) and produces a Proxy Cert. (24 h max) carrying the VOMS attribute certificate (Authorization = Cert.); the CA handles registration, delivers the CA Cert. and publishes CRL updates (low frequency); the VOMS service is updated at high frequency; the Service holds a Host Cert. (1 year max) and checks the proxy with LCAS and LCMAPS.

Slide 29: Overview
- Security Groups

Slide 30: Security groups
- Security Incident Response Policy (EGEE/LCG)
  - Grid Security Incident Handling and Response Guide, http://osgdocdb.opensciencegrid.org/0000/000019/002/OSG_incident_handling_v1.0.pdf
  - Announcements and information dissemination
  - Incident detection and analysis
  - Incident response on-site => member(s) on each site
  - Vulnerability handling
- Middleware Security Group (EGEE)
  - Focused on middleware developments
- JSPG, Joint Security Policy Group (LCG)
  - Advises and makes recommendations to the LCG Grid Deployment Manager and the LCG Grid Deployment Board (GDB) on matters related to LCG security.
  - AUP, Grid Acceptable Use Policy, https://edms.cern.ch/document/428036
- CA Manager Groups
- VO Manager Group

Slide 31: Links
- Certification Authorities: http://gridpma.org/
- VOMS: https://edms.cern.ch/file/572406/1/user-guide.pdf
- Security Groups:
  - http://egee-jra3.web.cern.ch/egee-jra3/
  - http://proj-lcg-security.web.cern.ch/proj-lcg-security/
  - https://cic.gridops.org/index.php?section=roc&page=securityissues
Thanks!

