Presentation is loading. Please wait.

Presentation is loading. Please wait.

20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester."— Presentation transcript:

1 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester

2 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org Outline ● “Credential soup” ● X.509/GSI ● VOMS ● Shibboleth ● OpenID, XYZ, ??? ● Summary

3 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org “Credential Soup” “Grid projects typically generate one new acronym for every 10,000 lines of code” – (McNab's Law of Grid Acronyms?) Grid Security is no exception: – X.509, GSI, CAS, LDAP-VO, GACL, VOMS, XACML, SAML, Shibboleth, VOM, WS-Sec,... This talk is a quick review of credentials relevant to LCG/EGEE and how GridPP is involved.

4 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org X.509 / GSI The first part of GridPP to go into production (before GridPP started!) was the Certification Authority at RAL – Issues the X.509 user and host certificates that we use Globus's GSI defined the proxies that running jobs have – Eventually became RFC3820 and “Respectable” – gLite workload system uses GridPP's GridSite Delegation Protocol to give GSI proxies to jobs Between X.509 and GSI, the authentication problem was “Solved” pretty much from the start

5 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS VOMS was developed to address authorization “X.509 Attribute Certificates” (AC) – ie a digitally signed statement that a user belongs to one or more groups Users fetch a VOMS AC with voms-proxy-init – AC included in proxy that authenticates user to sites – AC proves membership of one or more groups – Users can also request proof of roles within groups

6 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS implementations ● INFN CNAF/Bologna – VOMS AC issuing server: the only server implementation in production and derived from Globus gatekeeper – VOMS parser for C/C++: again, depends of Globus libs ● CERN/KTH (“EDG WP2”) – Java Security: now part of gLite, and used by gLite Java ● GridPP VOMS implementations – GridSite for C/C++/scripts: used by Apache based gLite Web Services (eg WM Proxy) – Java AC creator/parser (“Acacia”) from Imperial

7 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS certificates ● Original version of VOMS required that the host certificate of each VOMS server was installed on each machine wanting to verify VOMS credentials – Not at all scalable, especially if VOMS server certificates are renewed each year ● VOMS now has the option to require only the DN of the host certificate to be stored on each verifying machine – ie uses the digital signatures to verify authority

8 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VO naming ● EDG/EGEE/LCG documents have been produced saying that VO names should be DNS names – (this was originally a GridPP idea from EDG) – eg expX.cern.ch not just expX – guarantees uniqueness (eg US vs official VOs) – DNS uniqueness allows for dynamic/lightweight VOs ● Most of the middleware will accept DNS VO names – Some outstanding problems identified by GridPP with deployment scripts

9 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org Policy Languages ● Many subsystems within LCG/EGEE use some form of access control policies ● Either internally managed lists of authorised users/managers for that service ● Or ACLs (POSIX-like ACLs?) ● Or full blown policy languages – GridPP has provided GACL which is used by the workload management system at sites – Also support XACML standard, but this unused...

10 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org Shibboleth ● Shibboleth was endorsed by JISC as a replacement for ATHENS at UK universities – Part of Internet2 in the US, and developed for controlling access to campus facilities (journal subscriptions etc) ● Shibboleth allows websites (“service providers”) to redirect users to their home website (“identity providers”) to authenticate – Passes the success of this in the background with SAML (attribute assertions in XML) messages ● As part of the JISC-funded FAME project, we have added Shibboleth support to GridSite

11 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org Shibboleth + GridPP ● www.gridpp.ac.uk now uses GridSite 1.4.x which includes Shibboleth support www.gridpp.ac.uk ● GridSite identity provider also includes an interface to VOMS – The Shibboleth protocol is sufficiently flexible to allow us to disclose VOMS attributes to websites – User's register with X.509 certificate and choose username / password ● However, while there is only a single Service Provider www.gridpp.ac.uk and a single Identity Provider, this could be achieved with a PHP script on a single webserver... www.gridpp.ac.uk

12 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org OpenID etc ● New security technologies continue to emerge that may become relevant to GridPP – especially to portals and other “web-like” components ● eg OpenID is gaining momentum in the “blogosphere” – basically a simplified reimplementation of Shibboleth – concentrates on authentication without attributes ● Inexorable WS-* processes grind on producing standards which again, may nor may not become relevant to LCG/EGEE

13 20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org Summary ● Authentication technology was “solved” at the start – Requires ongoing operations effort of course – Delegation re-implement for gLite Web Services ● VOMS provides proof of VO/Group membership – GridSite is used to access VOMS credentials from C/C++/Scripts based services ● Several access policy systems (ACLs, GACL,...) ● JISC, EGEE,... have expressed support for Shibboleth – But new acronyms generated every 10k lines or so!

Download ppt "20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester."

Similar presentations

Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.

Security Design and Solution in ARC1 Weizhong Qiang University of Oslo April 9, 2008.
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

Similar presentations

Ads by Google