EU DataGrid Security
9 July 2002, UK Security Task Force Meeting #2
David Kelsey, CLRC/RAL, UK
(slide footer on every slide: 9-Jul-02, D.P. Kelsey, DataGrid Security)


Slide 1: EU DataGrid Security
9 July 2002, UK Security Task Force Meeting #2
David Kelsey, CLRC/RAL, UK, d.p.kelsey@rl.ac.uk

Slide 2: Overview
- GridPP/DataGrid
- DataGrid Security: Introduction
- Authentication
- Authorisation
- Deployment
- Summary


Slide 4: GridPP
- £17M PPARC project to build a Grid for UK particle physics, Sep 01 to Aug 04
- Provide architecture and middleware
- Use the Grid with simulated data; use the Grid with real data
- Future LHC experiments; running US experiments

Slide 5: Main Partners
- CERN: International (Switzerland/France)
- CNRS: France
- ESA/ESRIN: International (Italy)
- INFN: Italy
- NIKHEF: The Netherlands
- PPARC: UK

Slide 6: Assistant Partners
Research and Academic Institutes:
- CESNET (Czech Republic)
- Commissariat à l'énergie atomique (CEA), France
- Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI)
- Consiglio Nazionale delle Ricerche (Italy)
- Helsinki Institute of Physics, Finland
- Institut de Fisica d'Altes Energies (IFAE), Spain
- Istituto Trentino di Cultura (IRST), Italy
- Konrad-Zuse-Zentrum für Informationstechnik Berlin, Germany
- Royal Netherlands Meteorological Institute (KNMI)
- Ruprecht-Karls-Universität Heidelberg, Germany
- Stichting Academisch Rekencentrum Amsterdam (SARA), Netherlands
- Swedish Research Council, Sweden
Industrial Partners:
- Datamat (Italy)
- IBM-UK (UK)
- CS-SI (France)

Slide 7: Project Scope
- 9.8 M Euros EU funding over 3 years (Jan 01 to Dec 03)
- 90% for middleware and applications (HEP, EO and biology)
- Three year phased developments & demos (2001-2003)
- Possible extensions (time and funds) on the basis of first successful results:
  - DataTAG (2002-2003)
  - CrossGrid (2002-2004)
  - …

Slide 8: Programme of work
Middleware
- WP1 Grid Workload Management: F. Prelz (INFN)
- WP2 Grid Data Management: P. Kunszt (CERN)
- WP3 Grid Monitoring Services: S. Fisher (RAL)
- WP4 Fabric Management: O. Barring (CERN)
- WP5 Mass Storage Management: J. Gordon (RAL)
Testbed
- WP6 Testbed Integration: F. Etienne (CNRS)
- WP7 Network Services: C. Michau (CNRS)
Scientific Applications
- WP8 HEP Applications: F. Carminati (CERN)
- WP9 Earth Observation Applications: L. Fusco (ESA-ESRIN)
- WP10 Biology Applications: C. Michau (CNRS)
Dissemination
- WP11: M. Lancia (CNR)
Project Management
- WP12: F. Gagliardi (CERN)

Slide 9: DataGrid Security Introduction
- No single Work Package (security is everywhere!)
  - 3 sub-groups: Authentication, Authorisation, and Co-ordination
- Based on Globus GSI
  - But adding our own extra functionality
- Security Requirements and first implementation
  - Document (D7.5) distributed to STF
- Security Design and 2nd implementation (Jan 2003)
- Many topics not covered today!

Slide 10: Globus Security
Grid Security Infrastructure (GSI) today:
- PKI (X.509 certificates)
- Users, hosts and services are authenticated (both directions)
- Single sign-on
  - Delegation via Proxy credential (limited lifetime)
- Authorisation via “Grid Mapfile”
  - Maps certificate DN to local user (Unix, Kerberos)
  - Authorisation via local security mechanisms

Slide 11: Authentication
- 13 approved National Certificate Authorities
  - Includes Registration Authorities, which check identity
- CNRS (France) acts as “catch-all” CA
  - With appropriate RA mechanisms
- Matrix of “Trust” (work ongoing): much work!
  - WP6 CA Managers check each other against an agreed list of minimum requirements
  - Software being developed to aid this process (see next slide)
- Cross-Domain Authentication between Grid projects
  - USA (DOE) and CrossGrid are members of the CA group and Trust matrix

Slide 12: Authentication (2): DataGrid CA Features matrix (the matrix itself is not reproduced in the transcript)

Slide 13: Authentication issues
- Don’t mix Authentication and Authorisation
  - But authentication often includes some implicit authorisation
- How to define the list of “trusted” CAs?
  - CP/CPS important
  - Audit of CA procedures: 3rd party? (not done yet)
  - GGF GridCP and CA-Operations WGs important here
- Scaling problems
  - How many CAs can we cope with? (we will reach ~20)
  - Or should the VOs issue Authentication certs?
  - Or use Kerberos at the site and generate certs online
- Authorisation is where the real identity checks need to be made
  - We should avoid (too) heavy-weight Authentication
  - Is MS .NET Passport good enough?

Slide 14: Authorisation
- Testbed 0 (2000)
  - Based on Globus GSI and Grid Mapfile
  - Maps certificate DN to one UNIX user account
  - No groups or roles
  - Unix UID/GID-based access control
- Testbed 1 (2001)
  - DataGrid “Virtual Organisation” (VO) support
  - Tools to manage grid mapfile automation -> groups
  - Leasing of dynamic user accounts
  - Mods to Globus mapping code

Slide 15: EDG Authorisation: grid-mapfile generation (diagram)
Elements shown in the diagram: a VO Directory (o=testbed, dc=eu-datagrid, dc=org; ou=People containing CN=Franz Elmer and CN=John Smith), an “Authorization Directory” (o=xyz, dc=eu-datagrid, dc=org; ou=People, ou=Testbed1, ou=???; containing CN=Mario Rossi, CN=Franz Elmer, CN=John Smith), the user's Authentication Certificate, the mkgridmap tool producing the grid-mapfile, the local users, and a ban list.
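The mechanism on slides 10, 14 and 15 (a VO directory feeding an mkgridmap-style tool that writes the grid-mapfile, with a site ban list applied) is shown below as an added example. This is illustrative code, not EDG's mkgridmap or Globus code: the VO directory structure, the group-to-account policy, the leading-dot convention for pooled accounts and every DN, group and account name are constructed for this example.

```python
"""mkgridmap-style grid-mapfile generation and lookup.

Added, illustrative example (not EDG's mkgridmap or Globus code). Assumed: VO
membership is a mapping from VO group DN to member certificate DNs, site policy
maps each VO group to one local account name, and a site ban list is applied
last. All DNs, groups and account names below are constructed.
"""
from __future__ import annotations

# Constructed sample VO directory: VO group -> list of member certificate DNs.
VO_DIRECTORY = {
    "ou=People,o=testbed,dc=eu-datagrid,dc=org": [
        "/O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=Franz Elmer",
        "/O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=John Smith",
    ],
    "ou=Testbed1,o=xyz,dc=eu-datagrid,dc=org": [
        "/O=Grid/O=INFN/CN=Mario Rossi",
        "/O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=John Smith",
    ],
}

# Site-local policy: VO group -> local account. A leading dot marks a pool of
# leased accounts rather than one fixed UNIX user (assumed convention here).
GROUP_TO_LOCAL = {
    "ou=People,o=testbed,dc=eu-datagrid,dc=org": "testbed001",
    "ou=Testbed1,o=xyz,dc=eu-datagrid,dc=org": ".xyz",
}

# Site ban list: these DNs are never mapped, whatever the VO directory says.
BAN_LIST = {"/O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=Franz Elmer"}


def build_gridmap(vo_dir: dict, group_to_local: dict, ban_list: set) -> list:
    """Return (dn, local_user) pairs in file order; the first match for a DN wins."""
    entries = []
    mapped = set()
    for group, members in vo_dir.items():
        local = group_to_local.get(group)
        if local is None:
            continue  # this VO group is not authorised at the site
        for dn in members:
            if dn in ban_list or dn in mapped:
                continue  # banned, or already mapped via an earlier group
            mapped.add(dn)
            entries.append((dn, local))
    return entries


def format_gridmap(entries: list) -> str:
    """Render grid-mapfile syntax: "<certificate DN>" <local user>, one per line."""
    return "".join(f'"{dn}" {user}\n' for dn, user in entries)


def parse_gridmap(text: str) -> list:
    """Parse grid-mapfile text back into (dn, local_user) pairs; skips comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn, user = line.rsplit(None, 1)  # the DN may contain spaces, the user never does
        entries.append((dn.strip('"'), user))
    return entries


def lookup(entries: list, dn: str):
    """Resolve an authenticated certificate DN to a local account, or None if unmapped."""
    for mapped_dn, user in entries:
        if mapped_dn == dn:
            return user
    return None


def diff_gridmap(old: list, new: list) -> dict:
    """Report DNs that gain, lose or change a mapping between two generations.

    An audit check for automatically regenerated mapfiles: an unexpected gain or
    change of local account is the kind of event a site wants to notice.
    """
    before = dict(old)
    after = dict(new)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(d for d in set(before) & set(after) if before[d] != after[d]),
    }


if __name__ == "__main__":
    entries = build_gridmap(VO_DIRECTORY, GROUP_TO_LOCAL, BAN_LIST)
    text = format_gridmap(entries)
    print(text, end="")
    print(lookup(parse_gridmap(text), "/O=Grid/O=INFN/CN=Mario Rossi"))
```

Two properties of the mapfile model are visible here: a DN that belongs to two VO groups gets the account of whichever group the generator emits first (the "joins" problem on slide 18), and the site's ban list overrides VO membership, which is the local half of the Global/VO/Local policy negotiation.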

Slide 16: Authorisation (2)
- Original Globus CAS
  - Community certificate, signed by CAS; also contains authorisation capabilities
  - All access control centralised in CAS
- DataGrid model (for Testbed 2, 2002)
  - Authenticate with personal certificate
  - Virtual Organisation Membership Service: VOMS “adds” role(s) and group(s), as requested by user
  - New Globus CAS going this way (AC-like)
  - Grid ACLs local to resource
- Continue to look at other technology (CAS, PERMIS, …)

Slide 17: SlashGrid & GACL (McNab, HEP Manchester)
- SlashGrid: framework for creating “Grid-aware” filesystems
  - Different types of filesystem provided by dynamically loaded plugins
  - Uses CMU Coda kernel module
  - Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/
- GACL
  - A C library for manipulating Grid Access Control Lists, written in XML-based Access Control Languages
  - http://www.gridpp.ac.uk/gacl/
- N.B. also GridSite for certificate-based web authorisation
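The DataGrid model on slides 16 and 17 (personal certificate for authentication, VOMS groups and roles added to it, and an XML Grid ACL evaluated locally at the resource) is shown below as an added example. It is not the GACL library or VOMS code: the XML dialect is a simplified, hypothetical GACL-like format with person, group and any-user subjects and allow/deny permission sets, the "deny overrides allow" rule is this example's own choice, VOMS attributes are modelled as FQAN strings of the form /vo/group/Role=role, and the ACL and all DNs are constructed.

```python
"""Evaluating a resource-local Grid ACL against a certificate DN plus VOMS groups/roles.

Added example, not the GACL library or VOMS code. The XML dialect is a simplified,
hypothetical GACL-like format; VOMS attributes are modelled as FQAN strings
(/vo/group/Role=role). Deny entries override allow entries (this example's rule).
All DNs, groups and the ACL below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample ACL for one resource.
SAMPLE_ACL = """<gacl version="0.0.1">
  <entry>
    <person><dn>/O=Grid/O=INFN/CN=Mario Rossi</dn></person>
    <allow><read/><write/></allow>
  </entry>
  <entry>
    <group><name>/xyz/testbed1</name></group>
    <allow><read/></allow>
  </entry>
  <entry>
    <group><name>/xyz/testbed1/Role=admin</name></group>
    <allow><write/><admin/></allow>
  </entry>
  <entry>
    <person><dn>/O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=Franz Elmer</dn></person>
    <deny><write/></deny>
  </entry>
</gacl>"""


def normalize_fqan(fqan: str) -> str:
    """Drop the Role=NULL / Capability=NULL padding VOMS appends to plain group FQANs."""
    for suffix in ("/Capability=NULL", "/Role=NULL"):
        if fqan.endswith(suffix):
            fqan = fqan[: -len(suffix)]
    return fqan


def entry_matches(entry: ET.Element, dn: str, fqans: set) -> bool:
    """True if the ACL entry's subject covers this DN or one of its VOMS attributes."""
    person = entry.find("person/dn")
    if person is not None and (person.text or "").strip() == dn:
        return True
    group = entry.find("group/name")
    if group is not None and (group.text or "").strip() in fqans:
        return True
    return entry.find("any-user") is not None


def permissions(acl_xml: str, dn: str, fqans) -> set:
    """Union of allowed operations over matching entries, minus any denied ones."""
    root = ET.fromstring(acl_xml)
    attrs = {normalize_fqan(f) for f in fqans}
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not entry_matches(entry, dn, attrs):
            continue
        allow = entry.find("allow")
        if allow is not None:
            allowed |= {op.tag for op in allow}
        deny = entry.find("deny")
        if deny is not None:
            denied |= {op.tag for op in deny}
    return allowed - denied


def is_allowed(acl_xml: str, dn: str, fqans, action: str) -> bool:
    """Access decision for one operation; anything not explicitly allowed is refused."""
    return action in permissions(acl_xml, dn, fqans)


if __name__ == "__main__":
    rossi = "/O=Grid/O=INFN/CN=Mario Rossi"
    elmer = "/O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=Franz Elmer"
    print(sorted(permissions(SAMPLE_ACL, rossi, {"/xyz/testbed1/Role=NULL/Capability=NULL"})))
    print(is_allowed(SAMPLE_ACL, elmer, {"/xyz/testbed1/Role=admin"}, "write"))
```

The point the slides make is visible in the decision function: the resource never consults a central service at access time, it reads its own ACL, and the same person gets different rights depending on which VOMS role they asked for, while a local deny entry still wins over anything the VO granted.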

Slide 18: Authorisation issues
- Moving towards more functionality
  - Users with more than one allowed role
  - Move away from Unix uid-based security
  - Applicable to all Grid services
- Users may belong to multiple VOs
  - Authorisation may need to be based on “joins”
- Global vs Local authorisation mechanisms
  - Need to negotiate policy: Global/VO/Local

Slide 19: Grid Deployment: issues
- Legal, political, site security policies, etc.
  - The user does not (need to) know where the jobs will run
  - Cannot sign registration forms everywhere
  - Acceptable Use policies (Rules)
- What is needed for User Registration?
  - We have a solution for EDG Testbed, but not yet for full production
  - What is acceptable to Site Security Officers?
  - PPDG “Grid Site AA” project working on this
- An extremely important area: could kill the Grid!

Slide 20: US PPDG-SiteAA
- Particle Physics Data Grid
  - Using Globus GSI
- US DOE Science Grid CA now in operation
- “Grid Site AA” project: extension to PPDG
  - http://www.ppdg.net/docs/PPDG-AAA-Proposal.pdf
  - http://www.ppdg.net/pa/ppdg-pa/siteaa/
  - Examine/evaluate the impact of GSI on local site security
  - Important area not yet tackled by DataGrid

Slide 21: Issues: Deployment (2)
- VOs need to manage their members, and sites/resource providers negotiate with VOs
  - Only system which will scale
- Sites cannot manage a large number of Grid users
  - Not just a technical problem!
  - Must develop procedures to allow this to happen
  - VOs not used to managing resources
  - Will Computer Centres give up (full) control?

Slide 22: Deployment: a personal view
- Today
  - Computer centres register users (lots of rules and checks) but then allow them to do almost anything!
- In the (GRID) future
  - Computer centres will register VOs; VOs manage their users
  - “Trust” established between VOs and Sites
  - The applications could (will?) be tightly controlled, using e.g. Community restricted delegation and signed apps
  - The actual user does not matter (but must have audit trail)
  - Control the “What” and not the “Who”

Slide 23: Summary: lessons learned
- Authentication
  - Cross-Domain Trust is the big problem: how to scale?
- Authorisation
  - The IMPORTANT area: this is where the identity and rights need to be checked
  - Technology is immature
- Many operational and legal deployment issues to be solved
  - To establish Trust between Sites/VOs/users

Slide 24: Web links
- GridPP: http://www.gridpp.ac.uk
- DataGrid: http://www.eu-datagrid.org
- DataGrid Security Requirements document: http://hepwww.rl.ac.uk/kelsey/datagrid-d7.5.pdf
- PPDG: http://www.ppdg.net

