Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Published bySusan Fletcher Modified over 9 years ago

Similar presentations

Presentation on theme: "Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues"— Presentation transcript:

1 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues E-mail Akos.Frohner@cern.ch

2 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 2 D7.5: Overview u What is Security? (Chapter 3): general description u Assumptions (Section 3.7): what will we not do u 3  3.7 = 4: Security Requirements u Achieved goals (Chapter 5): what is done u Plans (Chapter 6): not a consistent design yet! u Checklists (Chapter 7): summary of 4 & 5 & 6

3 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 3 Requirements u AUTAuthentication requirements u AUZAuthorization requirements u AUDAuditing requirements u NRPNon-Repudiation requirements u DLGDelegation requirements u CNFConfidentiality requirements u INTIntegrity requirements u NETNetwork requirements u ADDAdditional requirements u MNGManageability requirements u USRUsability requirements u IOPInteroperability u SCAScalability requirements u PER Performance requirements

4 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 4 Requirements - Authentication GSI – certificate based authentication u AUT-02 symmetric u AUT-05 lives beside existing authentication systems u AUT-14 no associated VO in a cert u AUT-15 no authorization information in a certificate Questions from me: u certificate revocation: n immediate vs. authorization? n large scale CRL handling? u certificate authorities: should not be bound to DataGrid or to grid

5 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 5 Requirements/Authorization: Role/Group/VO u principal (service or user) is identified by a certificate from a CA (not part of any VO) u group: n organizational structure or common interest inside a VO n no default group n e.g: Security and WP7 in DataGrid u role: n administrative tool n default role n password for extra role n e.g.: user and admin see AUZ-21 CA it CA ch CA fr VO Alice authz VO CMS authz RA ldap INFN RA ldap CERN RA ldap CNRS membership

6 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 6 Requirements/Authorization: 2. u AUZ-05 based on various info (id, CRL, role, group, lightweight...) u AUZ-16 disconnected operation u AUZ-17... central access control – immediate disable? u AUZ-23,24 authorize the resource, not the user – whom to trust? u AUZ-25... granularity: controlled operations and objects Questions: u listing accessible resources vs. checking permission case-by-case u central control (policy?) vs. disconnected operation

7 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 7 Requirements u Auditing+Non-repudiation: „trustable log” u Delegation: traceable delegation – original identity preserved u Confidentiality: protecting the data from unwanted access (before) u Integrity: check for possible manipulations and errors (after) u Network: firewalls (no more detail – yet) u Management/Usability: make it simple u Interoperability: with other „grids” u Scaleable/Robust (user/machine/institute/country): 1000/200/10/5 –> 10.000/1.000/100/10 –> 100.000/10.000/100/10

8 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 8 Testbed-1 you probably already know it

9 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 9 CA/RA u 11 CA u well defined practices u focus on only one VO: DataGrid u CA = RA ? u membership info in VO/LDAP goal: „production deployment” Certificate Management: u scaleable revocation list handling u user cert storage (central?) u roaming access: web portals u long term/renewable proxy certificates for long jobs

10 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 10 Data Management / Storage Element in Tomcat configuration files: u certificate checking u certificate -> identity u identity -> role Goals: u Short term: local authorization DB u Long term: general solutions for other services as well Testbed-1: only local filesystem with gridftp for remote access u pool of local userids u VO = groupid group-level access permissions

11 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 11 Castor (MSS) with the GSI library u certificate checking u certificate -> identity u identity -> local userid Access control uses the local authorization system: every grid- user have a corresponding local userid. u Short term: n thread-safe GSI n local userid not exposed to client u Long term: SE solution

12 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 12 Networking u Detailed firewall configuration guide for light/medium/heavy config. u VPN: use application level encryption Plans: u Network Address Translation for large CEs u dynamic firewall configuration for interactive jobs

13 Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 13 Open Issues gridmap file: authentication & authorization & map to local userid u authentication: configurable trust (trusted CAs from VO?) u authorization: central vs. local service (CAS?) u mapping: n single userid: grid service does everything (SE) n pool of userids: local enforcement system (CE) n 1-1: local authorization system (maybe as an extra step)

Download ppt "Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues"

Similar presentations

WP2: Data Management Gavin McCance University of Glasgow November 5, 2001.

WP2: Data Management Gavin McCance University of Glasgow November 5, 2001.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
GGF Toronto 19.02.02 Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.

/ David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan.

CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

Similar presentations

Ads by Google