Published by Allen Barker. Modified over 9 years ago.
1
Andrew.McNab@man.ac.uk EGEE Security Area 13 May 2004
EGEE Security Area
Stakeholders
JRA3 middleware
Architecture
What we have for Unix and Java
What we want/need
Immediate decisions
Policies (XACML) and VOMS
Limitation and Revocation
Future
2
Stakeholders
LCG Security Group (chair D. Kelsey)
 – Emphasis on written policies, AUPs etc
EGEE Site Security Group
 – Details still being sorted
EGEE JRA3
 – Northern Europe (NL, FI, SE)
INFN/CERN
 – VOMS
GridPP
 – GACL / GridSite
3
JRA3 Middleware
Core is provided by Northern Europe Cluster
 – Helsinki Institute of Physics, Foundation for Fundamental Research on Matter in Utrecht, University of Amsterdam, University of Bergen, Royal Institute of Technology in Stockholm
Also forming agreement with INFN for
 – continued support of VOMS service
 – (VOMS admin interface to be supported by JRA3)
GridPP has undertaken to continue various pieces related to GridSite and GACL
 – Currently, GACL and GACL-in-XACML
 – Delegation (G-HTTPS becoming Delegation Service)
4
Architecture (incomplete)
[Architecture diagram; components shown: Intrusion, Cred store, Proxy cert, AA service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, process space "sudo"]
Diagrams from David Groep / Joni Hahkala / Olle Mulmo
5
What we have (Unix native)
[Diagram: the architecture components above (Intrusion, Cred store, Proxy cert, AA service, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors, process space "sudo") annotated with the existing Unix-native pieces: MyProxy, VOMS, LCAS, GACL, gSOAP, snort(*), GRAM + LCMAPS, G-HTTPS, httpg]
(*) Almost there
6
What we have (Java)
[Diagram: the same architecture components annotated with the existing Java pieces: MyProxy (client), CAS, EDG AuthZ(*), Axis, various, SAML(*), XACML(*), GT, EDG Java, GRAM]
(*) Almost there
7
What we want (incomplete)
[Diagram: the architecture components (Intrusion, Cred store, Proxy cert, delegation, VO policy, Audit, Site policy, Access control, Revocation, Trust anchors) with the wanted pieces: VOMS service, Policy based authZ, ???, Provisioning]
8
Immediate decisions
Will start with Transport Layer Security
 – i.e. SOAP over GSI HTTPS for web services
 – that is HTTPS with GSI proxy certificates
This is because XML Security is currently too slow
For C/C++ can use globus_gss_assist()
 – (or GridSite library / mod_gridsite and gSOAP)
For Java use Axis with CoG
Will rapidly develop a WS delegation portType
 – We will do this in C/C++ (based on grst-proxy.cgi)
 – JRA3 will do this for Java (based on EDG java sec)
9
Policies
Need to combine multiple policy sources
Move towards XACML
Subset of XACML relevant to us needs to be defined
GridPP developing GACL XACML translator
XACML Java tools are being tried out at NIKHEF
Policy combination to be defined
Policy handling still needs a lot of thought
 – At the conceptual, architectural and implementation levels
 – Name space issues need to be solved
10
VOMS
Server maintained and developed by IT/CZ cluster
VOMS admin interface maintained by JRA3 for now
LCG will continue development
JRA3 involvement in development to be decided
Lightweight VOMS
Operation centers required to host many VOs
Java client needed (portals?)
VOMS AC parsing needs to be added to Java library
11
Limitation / Revocation
Will carry on using MyProxy to extend ~12hr GSI proxies for long-running jobs
Will add support for Online Certificate Status Protocol to check status of user/service certificates
Stop distributing Certificate Revocation Lists
OCSP service can allow revocation in ~minutes
(One possibility, which isn't included, is using OCSP to allow users to revoke their own GSI proxies too, i.e. can kill a 12 hr proxy wherever it is on the Grid)
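The GSI proxy certificates of slide 8 and the ~12 hour proxy limitation of slide 11, as an added Go example that is not part of the original slides or of any EGEE, Globus or GridSite code: a proxy is signed by the user's own (non-CA) certificate, and a relying party checks signature, naming, validity window and lifetime before trusting it. Assumed for brevity: Ed25519 keys, legacy CN=proxy naming, a self-signed stand-in for the CA-issued user certificate, and a fixed 12 h limit; the OCSP status check is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

const MaxProxyLife = 12 * time.Hour // the ~12 hour proxy lifetime the slides rely on (assumed site limit)
// Sign makes a fresh Ed25519 key and a non-CA certificate for it, valid for life, signed by parentKey. No parent:
// a self-signed stand-in for the user's CA-issued certificate; with a parent: a GSI proxy of it (DN + CN=proxy).
func Sign(dn pkix.Name, parent *x509.Certificate, parentKey ed25519.PrivateKey, life time.Duration) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{Subject: dn, SerialNumber: big.NewInt(now.UnixNano()), NotBefore: now, NotAfter: now.Add(life), BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	} else { // legacy GSI naming: the issuer's DN with one extra CN=proxy RDN appended
		cn := pkix.RelativeDistinguishedNameSET{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"}}
		tmpl.RawSubject, _ = asn1.Marshal(append(parent.Subject.ToRDNSequence(), cn))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyProxy applies the limitation rules: signed by the user's key, DN = user DN plus one CN=proxy, valid now and
// within the user cert's window, lifetime <= MaxProxyLife. x509.CheckSignatureFrom refuses non-CA issuers, hence Verify.
func VerifyProxy(proxy, user *x509.Certificate, now time.Time) error {
	pub, ok := user.PublicKey.(ed25519.PublicKey)
	switch {
	case !ok || !ed25519.Verify(pub, proxy.RawTBSCertificate, proxy.Signature):
		return errors.New("proxy is not signed by the user certificate")
	case proxy.IsCA || proxy.Issuer.String() != user.Subject.String() || proxy.Subject.CommonName != "proxy" || len(proxy.Subject.Names) != len(user.Subject.Names)+1:
		return errors.New("proxy DN is not the user DN plus one CN=proxy")
	case now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) || proxy.NotBefore.Before(user.NotBefore) || proxy.NotAfter.After(user.NotAfter):
		return errors.New("proxy not valid now, or outlives the user certificate")
	case proxy.NotAfter.Sub(proxy.NotBefore) > MaxProxyLife:
		return errors.New("proxy lifetime exceeds the 12 hour limit")
	}
	return nil
}
```

A real relying party would additionally chain the user certificate to its CA and query OCSP for it, which is the revocation path the slide proposes.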
12
Future
Iterate all this with Applications and Sites groups
Implementation of access policies at site/resource level to be more integrated
Move (almost) everything to Web Services protocols
Mutual authorization, not just authentication
 – Resources certified by VOs?
 – Machine-readable operational policy statements, signed AUPs for users and services