
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.


Slide 2: OSG Security Team (Gateway Security Summit, 01/30/2008)
Mine Altunay, FNAL; Doug Olson, LBNL; Bob Cowles, SLAC; Don Petravick, FNAL

Slide 3: OSG Security
The big picture:
– What does OSG security do?
Security infrastructure:
– Authentication
– VOMS
– PRIMA/GUMS
– gPlazma
– gLexec
How can someone become part of OSG?

Slide 4: OSG Security
A security framework that enables science and promotes autonomous and open science collaboration among VOs, sites, and software providers.
Operational:
– Vulnerability analysis, patches
– Incident response
Interoperability:
– Joint policy work: JSPG, MWSG, IGTF
– Why we are here: how to build interoperability with other Grids (TeraGrid)
Education:
– Security tutorials, documents for the naïve user

Slide 5: Open Science Grid security activities (diagram)
Diagram nodes: Globus, Condor, gLExec, RSV, Gratia, VDT; FermiGrid, BNL_ATLAS_1, UCSDT2; ATLAS, CMS; Open Science Grid; Job Submissions.
Text boxes around the diagram:
– Software: check software vulnerabilities; develop and announce patches
– Interoperability: JSPG, IGTF; participate in EGEE's response and operation teams
– Security Education for Sites and VOs: raise security awareness; teach OSG policies and best practices; workshops, tutorials, grid schools
– Policies for Site-VO interoperability: develop policies (AUP, service agreements, pilot policies, MOU, membership)
– Incident Response and Monitoring: coordinating the response teams, communication with sites and VOs; banning compromised machines or users, monitoring for suspicious job submissions; fire drills for practice

Slide 6: Security Infrastructure
Authentication:
– Performed by GSI
– OSG distributes IGTF-approved root CAs (in VDT)
– Sites fetch automatic CRL updates
– Sites can update root CAs (optional tool in VDT)

Slide 7: Authorization with VOMS + PRIMA + GUMS (diagram)
Components: VOMS Server (attribute repository); GUMS Server (DN/FQAN mapping, MySQL), which synchs periodically with VOMS to get VO membership; Gatekeeper, which validates the proxy (GSI) and reaches the PRIMA module through the gridmap callout; batch system.
Numbered steps in the diagram: 1: voms-proxy-init; 2: receive VO permissions; 3 and 6 carry no label in the extracted text ("Job submission" appears beside them); 4: request account; 5: account mapping.

Slide 8: VOMS
VO Membership Service:
– The VO manages access rights for its members
– FQAN: Fully Qualified Attribute Name
– Based on RFC 3281
– Example: /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL
– Different roles have different permissions
Sites must honor VO permissions.
VOMS registration:
– via VOMS, VOMRS, or manually
Use voms-proxy-init instead of grid-proxy-init:
– VO-specific permissions (the FQANs) are inserted into the X.509 proxy as non-critical extensions

Slide 9: GUMS: Grid User Management Service
Maps user DNs/FQANs to accounts:
– Replaces grid-map files
– Site-wide tool
Sites recognize VO permissions.
Synchs with VOMS periodically:
– Downloads the VO memberships and FQANs
– Can work with LDAP instead of VOMS

Slide 10: GUMS
Three types of mapping:
– Personal accounts (manual or from LDAP)
– Group accounts (multiple DNs to a single UID, e.g. VO -> UID)
– Pool accounts (dynamically generated)
Guarantee that the same UID is used by only one DN/FQAN at any given time.
Currently, the pool account is created when a DN/FQAN is first seen, and never released.

Slide 11: GUMS
Two kinds of grouping:
User groups:
– Map (DN, FQAN) to (uid, gid)
Host groups:
– Connect hosts with user groups
– An M x N configuration
– A single host group can be used for multiple hosts (like "*.usatlas.bnl.gov") and multiple user groups (like "usatlasGroup,atlas,dial")

Slide 12: gPlazma: Storage Authorization for SRM-dCache (diagram)
Components: client running voms-proxy-init and srmcp, holding a proxy with VO membership and role attributes; SRM Server with SRM callout; GridFTP Server with GridFTP callout, serving DATA; gPLAZMA with PRIMA SAML client and gPLAZMALite Authorization Service (grid-mapfile, dcache.kpwd); GUMS Identity Mapping Service, queried over https/SOAP (SAML query, SAML response: "if authorized, get username"); Storage Authorization Service ("get storage authz for this username", returning a User Authorization Record); storage metadata.
The slide numbers the flow 1 through 13, with sub-steps 4a to 4d; the step labels are not recoverable from the extracted text.

Slides 13 to 17: CE and SE: Big Picture (one diagram, built up over five slides)
Components present on all five: a local or remote client with a proxy carrying VO membership and role attributes; site-wide assertion service (SAZ); VOMS; site-wide mapping service (GUMS); auxiliary mapping service; CE with Globus Gatekeeper, PRIMA callout and PRIMA C SAML libraries; SE with gPLAZMA, Storage Authorization Service and storage metadata.
Slide 14 adds a PEP; slide 15 repeats slide 13; slide 16 adds the gPLAZMALite Authorization Services suite, PRIMA Java SAML and the SRM-GridFTP gPLAZMA callout on the SE side; slide 17 adds the PEP to that view as well.

Slide 18: gLExec (slide courtesy: Igor Sfiligoi, Gabriele Garzoglio, FNAL)
When a user submits a grid job to an OSG site, the job always carries the user's credentials. At the execution site, the job is assigned an appropriate userid under which to run.
Another option for submitting grid jobs involves the concept of a pilot job. This type of job, once it is in a site's batch slot, coordinates and calls a series of user jobs according to VO priorities at launch time. If the pilot job and the user jobs all run under the same userid, however, the pilot job framework violates the security policies of any site that requires knowledge and control of its resource users.
gLExec, a gLite product currently used on European Computing Elements, solves this problem. gLExec is a privileged executable that, given a user credential and an execution command, obtains the appropriate Unix ID from a site's GUMS server and executes the job under that Unix ID.
In order to use gLExec within OSG, VOs must configure the pilot job such that it "calls home" to get the associated user credential. The pilot then forwards the credential to gLExec, which uses it to communicate with the site security service, thus returning control to the site.

Slide 19: gLExec (diagram only; slide courtesy: Igor Sfiligoi, Gabriele Garzoglio, FNAL)

Slide 20: How to become an OSG member?
Join the OSGEDU VO:
– Run small applications after learning how to use OSG from schools
Be part of the Engagement program and the Engage VO:
– Support within the Facility to bring applications to production on the distributed infrastructure
Be a standalone VO and a Member of the Consortium:
– Ongoing use of OSG and participation in one or more activity groups

Slide 21: Documents
OSG Security twiki:
– https://twiki.grid.iu.edu/twiki/bin/view/Security
OSG Security Plan:
– http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=389
Security Awareness for the OSG:
– http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=573

