Presentation is loading. Please wait.

Presentation is loading. Please wait.

9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK

Published byBaldric Skinner Modified over 9 years ago

Similar presentations

Presentation on theme: "9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK"— Presentation transcript:

1 9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 9-May-02D.P.Kelsey, Security Plans, GridPP42 Overview Security Technology/Plans in (some) Grid projects –Globus –DataGrid (EDG) –PPDG –DataTAG/iVGDL/HICB Security Development/Issues –Authentication –Authorisation –Grid Deployment

3 9-May-02D.P.Kelsey, Security Plans, GridPP43 Grid Security Technology/Plans

4 9-May-02D.P.Kelsey, Security Plans, GridPP44 Globus Grid Security Infrastructure (GSI) today PKI (X.509 certificates) Users, hosts and services are authenticated (both directions) Single sign-on –Delegation via Proxy credential (limited lifetime) Authorisation via “Grid Mapfile” –Maps certificate DN to local user (Unix, Kerberos) –Authorisation via local security mechanisms Next 4 Slides shown by Bill Allcock (ANL) in Paris DataGrid meeting (8 Mar 02)

5 9-May-02D.P.Kelsey, Security Plans, GridPP45 Ongoing/Future GSI Work Protection against compromised resources –Restricted delegation, smartcards Standardization –Current certificates are not compliant with standards in front of GGF/IETF so will need to change. Scalability in numbers of users & resources –Credential management –Online credential repositories (“MyProxy”) –Account management Authorization –Policy languages –Community authorization

6 9-May-02D.P.Kelsey, Security Plans, GridPP46 Security Standardization Based on existing standards: –SSL/TLS, X.509 & CA, GSS-API Standards Documents in Progress –draft-ggf-gss-extensions-04.txt Being considered by GGF GSI working group. Not yet submitted to IETF. Credential import/export, delegation at any time in either direction, restricted delegation, better mapping of GSS to TLS (SSL) –draft-ietf-pkix-proxy-01.txt Being considered by IETF PKIX working group / GGF GSI working group Defines proxy certificate format, including restricted rights and delegation tracing –draft-ietf-tls-delegation-01.txt Being considered by IETF TLS working group / GGF GSI working group Defines how to remotely delegate an X.509 Proxy Certificate using extensions to the TLS (SSL) protocol

7 9-May-02D.P.Kelsey, Security Plans, GridPP47 Community Authorization Service Question: How does a large community grant its users access to a large set of resources? –Should minimize burden on both the users and resource providers Community Authorization Service (CAS) –Community negotiates access to resources –Resource outsources fine-grain authorization to CAS –Resource only knows about “CAS user” credential CAS handles user registration, group membership… –User who wants access to resource asks CAS for a capability credential Restricted proxy of the “CAS user” cred., checked by resource

8 9-May-02D.P.Kelsey, Security Plans, GridPP48 CAS 1. CAS request, with resource names and operations Community Authorization Service Does the collective policy authorize this request for this user? user/group membership resource/collective membership collective policy information Resource Is this request authorized for the CAS? Is this request authorized by the capability? local policy information 4. Resource reply User 3. Resource request, authenticated with capability 2. CAS reply, with and resource CA info capability

9 9-May-02D.P.Kelsey, Security Plans, GridPP49 DataGrid - Authentication 11 DataGrid (EDG) National Certificate Authorities –includes Registration Authorities – check identity CNRS (France) acts as “catch-all” CA Matrix of “Trust” (work ongoing) – much work! –WP6 CA Mgrs check each other against list of minimum requirements Started work on cross-Authentication between Grid projects –USA and CrossGrid

10 9-May-02D.P.Kelsey, Security Plans, GridPP410 EDG Authorisation grid-mapfile generation o=testbed, dc=eu-datagrid, dc=org CN=Franz Elmer ou=People CN=John Smith mkgridmap grid-mapfile VO Directory “Authorization Directory” CN=Mario Rossi o=xyz, dc=eu-datagrid, dc=org CN=Franz ElmerCN=John Smith Authentication Certificate ou=Peopleou=Testbed1ou=??? local usersban list

11 9-May-02D.P.Kelsey, Security Plans, GridPP411 PPDG Using Globus GSI US DOE Science Grid CA now in operation –Working on “trust” of EDG CA’s Download files to include EDG CA details –PPDG work in this area likely to be accepted by GriPhyN and iVDGL (April meeting) Authorisation –DataGrid VO LDAP system/tools –Globus CAS “Grid Site AAA” project (new proposal) - extension to PPDG http://www.ppdg.net/docs/PPDG-AAA-Proposal.pdf –Examine/evaluate the impact of GSI on local site security –An important contribution – not yet tackled by DataGrid

12 9-May-02D.P.Kelsey, Security Plans, GridPP412 DataTAG/iVDGL/HICB HICB = “HENP Intergrid Collaboration Board” Transatlantic Testbed(s) –Interoperability essential for HEP applications! Cross project Authentication –US DOE SciGrid CA already “trusted” by EDG –US projects working on “trust” of EDG CA’s Cross project Authorisation –DataTAG WP4 has resources to work in this area

13 9-May-02D.P.Kelsey, Security Plans, GridPP413 EDG Security Development/Issues

14 9-May-02D.P.Kelsey, Security Plans, GridPP414 EDG security 4 Groups –WP6 CA, WP6 Auth, WP7 Security Co-ord (SCG) –ATF: Akos Frohner represents SCG Security Workshop – CERN, 17 th May 2002 –Authorisation plans for TB2 and beyond –Co-ordination of middleware security development –Is the design/architecture secure? D7.5 (Requirements and TB1) – M15 document D7.6 (Security design and TB2) – M25 document

15 9-May-02D.P.Kelsey, Security Plans, GridPP415 Authentication issues Don’t mix Authentication and Authorisation GSI/PKI issues –Management of private keys and update of revocation lists –Restricted delegation, credential repository, renewal,… How to define list of “trusted” CA’s? –Audit of CA procedures – 3 rd party? –GGF GridCP working group important here –Will sites “trust” the technology and procedures? Scaling problems - how many CA’s can we cope with? –Or should the experiments issue Authentication certs? –Or use Kerberos at the site and generate certs online Authorisation is where the real identity checks need to be made –We should avoid heavy-weight Authentication –Is MS.NET passport good enough?

16 9-May-02D.P.Kelsey, Security Plans, GridPP416 Authorisation issues (2) We need more functionality –“Dynamic policy-based Access control” –Users with more than one allowed role –Move away from Unix uid based security? (and grid mapfile?) –One mechanism for all Grid services (and callable from) Users may belong to multiple VO’s –Authorisation may need to be based on “joins” The development of new technology will take some years Global vs Local authorisation mechanisms –need to negotiate policy – Global/VO/Local

17 9-May-02D.P.Kelsey, Security Plans, GridPP417 DataGrid Authorisation Future plans (as of March 2002) Improve existing VO LDAP system –Better VO Directory management –Support of replicas of VO Directories –Users belonging to more than one VO can choose –Support for users’ attributes in the VO Directories e.g. the AUP signing information (with expiration date...) Evaluation of Globus CAS (see before) and PERMIS –n.b. CAS alpha – only for GridFTP –http://www.permis.org(EU funded project)http://www.permis.org –Policy-based (XML) Role-based Access control Standards based PMI using Attribute certificates

18 9-May-02D.P.Kelsey, Security Plans, GridPP418 DataGrid Authorisation(2) Recent discussions following 1 st alpha release CAS Problems with Globus CAS –Resource ACL’s all stored centrally in CAS –CAS gives a “yes”/“no” answer to request for access –Needs modification to application EDG proposal (to be discussed next week) –ACL’s LOCAL to resource (scaling, consistency) –CAS acts as a VO membership service (and no ACL’s) Member of VO, group, role –Returns certificate with “capability” Format under discussion (XML vs list of DN’s) How to issue service certificates? –From national CA or signed by Host certificate

19 9-May-02D.P.Kelsey, Security Plans, GridPP419 Issues – Deployment Site legal issues – user single signing VO’s need to manage their members and sites/resource providers negotiate with VO’s –Only system which will scale Sites cannot manage large number of Grid users –Not just a technical problem! –Must develop procedures to allow this to happen –VO/experiments not used to managing resources –Will Computer Centres give up full control?

20 9-May-02D.P.Kelsey, Security Plans, GridPP420 Control via Restricted Delegation Will Computer Centres give up full control? Today –Computer centres register users (lots of rules and checks) but then allow them to do almost anything! In the GRID future –Computer centres will register VO’s VO’s manage their users –“Trust” established between VO’s and Sites –The applications will be tightly controlled Using e.g. Community restricted delegation and signed apps –The actual user does not matter (but must have audit trail) Control the “What” and not the “Who”

Download ppt "9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK"

Similar presentations

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.

GRID Security Infrastructure: Overview and problems PKI-COORD Meeting, Amsterdam November 26, 2001 Yuri Demchenko.
GSI – Grid Security Infrastructure and the EU DataGrid Authentication Infrastructure For the EDG CACG: David Groep.

GSI – Grid Security Infrastructure and the EU DataGrid Authentication Infrastructure For the EDG CACG: David Groep.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
Authorization Working Group Report WP6 Meeting 5 March 2002, Paris.

Authorization Working Group Report WP6 Meeting 5 March 2002, Paris.
A conceptual model of grid resources and services Authors: Sergio Andreozzi Massimo Sgaravatto Cristina Vistoli Presenter: Sergio Andreozzi INFN-CNAF Bologna.

A conceptual model of grid resources and services Authors: Sergio Andreozzi Massimo Sgaravatto Cristina Vistoli Presenter: Sergio Andreozzi INFN-CNAF Bologna.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Similar presentations

Ads by Google