Presentation is loading. Please wait.

Presentation is loading. Please wait.

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

Published byJuliana Lamb Modified over 8 years ago

Similar presentations

Presentation on theme: "23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK"— Presentation transcript:

1 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX2 Overview LCG Security Group –Mandate and membership Meetings and web pages Policies and procedures Security technology for LCG-1 –including overview of EDG Authorization Future plans

3 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX3 LCG Security Group Mandate To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security –GDB makes the decisions To continue work on the mandate of GDB WG3 –Policies and procedures on Registration, Authentication, Authorization and Security To produce and maintain –Implementation Plan (first 3 months, then for 12 months) –Acceptable Use Policy/Usage Guidelines –LCG-1 Security Policy Where necessary recommend the creation of focussed task- forces made-up of appropriate experts –E.g. the “Security Contacts” group (n.b. GDB = Grid Deployment Board)

4 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX4 Membership Experiment representatives/VO managers –Alberto Masoni, ALICE –Rich Baker, Anders Waananen, ATLAS –David Stickland, Greg Graham, CMS –Joel Closier, LHCb Site Security Officers –Denise Heagerty (CERN), Dane Skow (FNAL) Site/Resource Managers –Dave Kelsey (RAL) - Chair Security middleware experts/developers –Roberto Cecchini (INFN), Akos Frohner (CERN) LCG management and the CERN LCG team –Ian Bird, Ian Neilson Non-LHC experiments/Grids –Many sites also involved in other projects –Bob Cowles (SLAC)

5 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX5 Meetings, Web etc Agenda, presentations, minutes etc http://agenda.cern.ch/displayLevel.php?fid=68 LCG Security Group Web site http://proj-lcg-security.web.cern.ch/ Meetings –Started in April 2003 –Met 10 times to date 4 face to face and 6 phone conferences Report to the monthly GDB meetings http://agenda.cern.ch/displayLevel.php?fid=3l181

6 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX6 Policies and procedures 6 documents approved to date (see LCG SEC web) Security and Availability Policy for LCG –Prepared jointly with GOC task force Approval of LCG-1 Certificate Authorities Audit Requirements for LCG-1 Rules for Use of the LCG-1 Computing Resources Agreement on Incident Response for LCG-1 User Registration and VO Management 4 more still to be written (by GOC task force) LCG Procedures for Resource Administrators LCG Guide for Network Administrators LCG Procedure for Site Self-Audit LCG Service Level Agreement Guide

7 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX7 LCG-1 security technology Based on EDG release 2.0 Authentication (X.509 PKI) –List of trusted national CA’s (from EDG) –Plus online authentication: FNAL KCA, MyProxy Authorization –VO (LDAP) databases (shared with EDG) Run at NIKHEF, managed by VO-managers (one per expt) –mkgridmap tool to create Grid mapfiles –Map to local user account (real or pool) AuthZ components –VOMS, LCAS/LCMAPS, US CMS VOX –Under development –To be used when available, tested and proved

8 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX8 EDG Authorization some slides from Akos Frohner – CERN (Roberto Cecchini leads the VOMS group)

9 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 9 Registration user user cert (long life ) VO-VOMS CA low frequency high frequency registration newconfirmedaccepteddone VO membership request (user) email address confirmation (user) allow create email to the requestor: email address confirmation email to the administrator: new request notification denied deny email to the requestor: request is accepted/denied (VO admin) web email http://lcg-registrar.cern.ch/

10 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 10 Multi-VO registration VO-VOMS user user cert (long life ) VO-VOMS CA low frequency high frequency registration VO administration operations u create/delete (sub)group/role/capability u add/remove member of g/r/c u get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member

11 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 11 “Login” user user cert (long life ) VO-VOMS CA low frequency high frequency authz cert (short life) proxy cert (short life) voms-proxy-init edg-voms-proxy-init -voms iteam u /tmp/x509_up (normal proxy location) u backward compatible proxy format

12 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 12 Multi-VO “Login” VO-VOMS user user cert (long life ) VO-VOMS CA low frequency high frequency authz cert (short life) proxy cert (short life) voms-proxy-init voms-proxy-init -voms iteam -voms wp6 u single proxy certificate is generated u each VO provides a separate VOMS credential first one is the default VO u each VOMS credential contains multiple group/role entries first one is the default group

13 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 13 Old-style Service VO-VOMS service VO-VOMS CA low frequency high frequency host cert (long life ) crl update gridmap-file mkgridmap Old-style services still use the gridmap-file for authorization u gridftp u EDG 1.4.x services u EDG 2.x service in compatibility mode no advantage, but everything works as before... GSI

14 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 14 Job Submission user CE user cert low frequency high frequency host cert proxy authz VO information system 1. VO affiliation ( AccessControlBase) 4. CEs for VOs in authz? 3. job submission MyProxy server WMS 2. cert upload

15 2003/Sept - Update on EDG Security (VOMS) - Ákos Frohner - n° 15 MyProxy server Running a Job CE cert (long term) host cert proxy authz VO WMS 1. cert download LCAS/ LCMAPS authentication & authorization info 2. job start LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups u default VO = default UNIX group u other VO/group/role = other UNIX group(s) voms-proxy-init

16 23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX16 Future plans (LCG SEC) We are working on a Risk Analysis document –To help set priorities for the year ahead Many of the agreements to date are for LCG-1 (2003) –Need reviewing for 2004 and beyond Authentication –Must agree the future PMA bodies for CA’s EGEE likely to take over this role for Europe –Online CA services, credential repositories KCA, VSC, MyProxy, … Authorization –VOMS likely to be included in LCG-2 –local AuthZ (LCAS/LCMAPS, US CMS VOX) and VOMS-aware services User Registration and VO Management –Workshop at CERN 15-17 December 2003 Also reviewing the AuthZ technology

Download ppt "23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK"

Similar presentations

Demonstrations at PRAGMA 13 10 demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.

Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK

The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK
Last update 01/06/2014 03:23 LCG 1Maria Dimou- cern-it-gd Maria Dimou IT/GD Site Registration policy & procedures https://edms.cern.ch/document/503198/

Last update 01/06/ :23 LCG 1Maria Dimou- cern-it-gd Maria Dimou IT/GD Site Registration policy & procedures
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
Denise Heagerty, CERN, HEPiX Meeting Oct 20031 HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK,

Denise Heagerty, CERN, HEPiX Meeting Oct HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK,
Grid Security in EGEE/LCG ISGC 2005, Taipei, Taiwan 29 April 2005 David Kelsey CCLRC/RAL, UK

Grid Security in EGEE/LCG ISGC 2005, Taipei, Taiwan 29 April 2005 David Kelsey CCLRC/RAL, UK
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
RomeWorkshop on eInfrastructures 9 December 2003 - 1 LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.

RomeWorkshop on eInfrastructures 9 December LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
EGEE ARM-2 – 5 Oct 2004 - 1 LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.

EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.
20-May-03D.P.Kelsey, LCG-1 Security, HEPiX1 Grid Security for LCG-1 HEPiX, NIKHEF, 20 May 2003 David Kelsey CCLRC/RAL, UK

20-May-03D.P.Kelsey, LCG-1 Security, HEPiX1 Grid Security for LCG-1 HEPiX, NIKHEF, 20 May 2003 David Kelsey CCLRC/RAL, UK
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
GGF12 – 20 Sept 2004 - 1 LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.

GGF12 – 20 Sept LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Similar presentations

Ads by Google