Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andrew McNab - Security - 1 July 2003 Security: Authorization, Access Control and Usage Control Andrew McNab, University of Manchester

Published byCalvin Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "Andrew McNab - Security - 1 July 2003 Security: Authorization, Access Control and Usage Control Andrew McNab, University of Manchester"— Presentation transcript:

1 Andrew McNab - Security - 1 July 2003 Security: Authorization, Access Control and Usage Control Andrew McNab, University of Manchester mcnab@hep.man.ac.uk

2 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Outline u Certificates and VO servers u New VOMS system u Using VOMS u Access Control: GACL u mod_gridsite u mod_slashgrid? u Usage Control: PBS and Unix disk quotas u “Usage peering” and retrospective usage targets u Genuine accounting u Future security work

3 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Certificates and VO servers u EDG users and hosts are identified by X.509 certificates, signed by one of ~20 “national” Certificate Authorities. n Jobs use a short term certificate derived from this: GSI Proxy. u X.509 defines how user’s public key and the CA’s signature of key + the user’s name is stored. n This provides authentication: equivalent to an ID Card. u Simplest way to build authorization and access control using this, is with a list of authorized users for a resource. u This is what EDG currently does with LDAP VO servers. n Lists of members for each Virtual Organisation (ATLAS, BaBar etc) are published. n Sites make local authorized user lists (grid-mapfile) from this. u However, scaling and latency issues since all sites must fetch list of all users currently authorized

4 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Virtual Organisation Membership Service: VOMS u Instead of publishing lists of VO and group membership, supply signed attribute certificates to users: Ticket rather than ID Card. u Users can then present these attribute certificates to sites/resources and obtain access with group privilege, role etc. u Certificates can be included in GSI proxy certificates as extensions n “A ticket in your ID card wallet.” u Multiple attribute certificates can be used simultaneously, even from different VOMS servers and VOs. u Potential to allow users to create ad-hoc groups within VO, and to discard unnecessary VOMS credentials at delegation steps. u Implementation is backwards compatible with normal Globus and HTTPS use of certificates n so still compatible with other Grid projects and HTTPS webservers.

5 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Using VOMS u Virtual Organisation sets up a VOMS server n This has a list of members of the VO, and what groups, roles and capabilities they have. n They can be listed in more than group. u Instead of using grid-proxy-init to make temporary proxy “each day”, users use voms-proxy-init command u This contacts VOMS server and creates proxy with VOMS extensions n Main body of proxy proves identity n VOMS extension(s) prove VO and group memberships. u Users can choose which subset of their groups to include in proxy n Useful for privacy (bio applications esp.) and to avoid giving unnecessary rights to jobs.

6 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Access Control: GACL u When going beyond simple lists of users, need a more flexible way of writing access control policies that can include individuals, VO-LDAP or VOMS groups. u GridSite, SlashGrid and Storage Element use GACL, simple Access Control Lists written in XML. u Simplicity important because these fileserver / filesystem applications involve very many access control evaluations. u However, GACL isn’t a recognised standard and something standards-based would be better. n Could go to, say, an equivalent subset of XACML. u Proposed OGSA Authorization WG in GGF may endorse some way of using (probably) XACML as an “Authorization Language.”

7 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 GridSite u GridSite manages access to websites and HTTP(S) fileservers n Users and admins load GSI cert + key into unmodified web browsers n Originally produced for www.gridpp.ac.uk u GACL ACL’s control level of read and write access to file/directory n Write access by HTML forms (interactive) or HTTP PUT (programmatic) n Programmatic access makes webserver export something looking more like a filesystem: GET (read), PUT (write), HEAD (stat), DELETE (unlink) u New 0.9 architecture provides extended functionality via Apache module. u Support for efficient HTTP GET and PUT operations. u ACLs enforced at low level inside Apache request processing n so now available for coarse grained access control to PHP, CGI, JSP etc as well as HTML.

8 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 mod_gridsite mod_ssl: plain HTTPS > env vars mod_gridsite: GACL access control + GACL > env vars mod_gridsite:.html headers and footers.shtml, mod_perl CGI, PHP mod_jk: JSP with Tomcat HTTP grst-admin.cgi: page editing, file upload, ACL editing etc. grst-proxy.cgi: G-HTTPS, 3rd party COPY, proxy GET + PUT mod_gridsite: PUT, DELETE, MOVE mod_ssl-GSI: HTTPS with GSI+VOMS+CAS > env vars

9 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 SlashGrid u Framework for creating “Grid-aware” filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. n client-side daemon manages access and remote file fetching: cf AFS cache daemon on clients. u Supports access control by GACL. u Remote filesystems possible: curlfs plugin maps remote HTTP(S) server into local filesystem. u However, existing SlashGrid implementation uses coda kernel module n (Mostly) Linux specific. n Difficult to permit partial reads of remote files. u Various options for other kernel->SlashGrid connectors considered: n In particular, OpenAFS kernel module and NFS.

10 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 mod_slashgrid u Old SlashGrid daemon has to: n listen on a socket for filesystem operations (from kernel) n manage a hierarchy of files, including access control n support third party plugins in C, Java, other languages u This sounds very like a web server. u Apache 2.0 transports/filters stack allows non-HTTP protocols n eg mod_ftp and even mod_pop3 has been written. u Rework SlashGrid as an Apache module, exporting GridSite web server “filesystem” via local TCP NFS rather than HTTP. n We get remote filesystems “for free” via mod_proxy and mod_cache n Access control already done, via mod_gridsite. n Can now write third-party filesystem plugins in C/C++, Perl, Python, Java, PHP, Bash - anything you can write web server CGI/dynamic content in.

11 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 mod_gridsite + mod_slashgrid mod_ssl: plain HTTPS > env vars mod_gridsite: GACL access control + GACL > env vars mod_perl, CGI, PHP mod_jk: JSP with Tomcat HTTP mod_gridsite: PUT, DELETE, MOVE mod_ssl-GSI: HTTPS with GSI+VOMS+CAS > env vars mod_proxy, mod_cache: remote servers mod_slashgrid: NFS with env vars according to UID credentials kernel: NFS local mount of /grid

12 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Usage Control: PBS and Unix quotas u Of Security’s “Authentication, Authorization and Accounting”, we have made significant progress with the first two. n But without Accounting, individual users can monopolise resources. u First step towards Accounting is local Usage Control: “quotas” etc. u Can already implement basic usage control using PBS and Unix quotas, resource limits etc. n Since users allocated to one of a pool of accounts for their VO, could set up pool accounts with appropriate Unix groups, quotas etc. n This has been investigated by some Testbed sites in various ways. u However, this is quite inflexible and imposes static upper limits rather than allocating some amount of resources for the job duration. u Ideally should be integrated into the job description and management somehow, so know how much is allowed and to clean up afterwards.

13 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 “Usage Peering” and retrospective targets u On what accounting basis will sites put genuine resources of their own into the Grid? n (This is much simpler if resources are earmarked for a specific user community - eg Tier 1A partitions - but difficulty is for Tier 2 sites.) u One way is for sites (or groups of sites) to peer with each other in terms of usage over some accounting period. n For example, University A peers with College B, agreeing that during the accounting period, members of A and B will get equal amounts of usage of each others sites. n Could also do this with groups/collaborations: eg University A joins “C-Grid” by making a certain amount of its resources available to other “C-Grid” sites in return for the same total use of other “C-Grid” sites. u Can do this with existing technology by putting non-local members of “College B” or “C-Grid” into Unix groups and manually throttling CPU, disk etc use during accounting period to fit agreed targets.

14 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Genuine accounting u Genuine accounting may include: per-user measurement of use, enforcement of “credit limits”, charging, getting a price for a job and brokering based on price. u Would be possible to do things purely economically with this in place: n eg University A gets £1,000,000 of equipment from SRIF and rents it out to users on the open market. Uses the income to buy access to resources when its own users need it. s (Money was invented to save us from “peering” a.k.a “a barter economy.”) n In that kind of Grid, can choose how to operate between that and the other extreme position: “our equipment that only we use.” u Even though optimisation / brokering / ”marketing” outside of the scope of Security, but we need to provide the local accounting tools needed. u The “choke points” we’ve put in place for Access Control are very suited to Usage Control and usage recording.

15 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Future Developments u EU DataGrid and GridPP-1 nearing end of lifespans u Security part of GridPP-2 proposal includes completion of Authorization work and implementing systems required for Accounting. u This will need to be co-ordinated with: n LCG requirements - already recognised the need for Usage Control as an urgent requirement from applications. n EGEE work - again, Security Taskforce recognised Usage Control and Accounting as significant area that is missing. n GGF - various accounting and economic models working groups already running, with large UK contributions from Manchester and London e-Science centres.

16 Andrew McNab - Security - 1 July 2003 GridPP / EDG / WP6 Summary u VOMS provides users with authorization credentials n more scalable than current VO-LDAP system u GACL represents Grid access control policies (“access control lists”) in XML. u GridSite enforces these for web/fileservers. u SlashGrid being brought into this system as Apache module n more portable and better able to handle partial remote file access. u Basic Usage Control possible using Unix mechanisms. u “Usage Peering” with retrospective targets would provide a way of doing accounting in the near term. u Aim to provide more advanced accounting tools for LCG etc in GridPP-2.

Download ppt "Andrew McNab - Security - 1 July 2003 Security: Authorization, Access Control and Usage Control Andrew McNab, University of Manchester"

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.

Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:

Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:
10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Similar presentations

Ads by Google