Presentation is loading. Please wait.

Presentation is loading. Please wait.

23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK

Published byMarsha Mosley Modified over 8 years ago

Similar presentations

Presentation on theme: "23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK"— Presentation transcript:

1 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL2 Outline Introduction to Grid Security EU DataGrid/DataTAG (EDG/EDT) developments LHC Computing Grid Project (LCG) Phase 1 –The main challenges for 2003 Summary

3 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL3 Introduction to Grid Security

4 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL4 Authentication (1) Proof of Identity Grid Security Infrastructure (GSI) PKI = Public Key Infrastructure –Private/public key pair Generated by user – “private” key must be kept secret Asymmetric encryption –X.509 certificate National Certificate Authority “signs” the public key Binds to a “name” / identity No authorisation to use resources

5 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL5 Authentication (2) Uses SSL, certificates and the key-pair –Need to trust the CA(s) Securely identifies User, Machine, Service –In both directions (mutual authentication) To achieve … Single sign-on to Grid (via Proxy certificate) –short-lived (no revocation) To avoid having to register all users at all sites! Many issues –Revocation, length of keys, period of validity, security of private key, operational procedures, … –Registration authorities (checks identity)

6 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL6 Authorisation Today: based on local mechanisms –e.g. UNIX (uid, gid) or Kerberos Globus gatekeeper –Maps global identity (Distinguished Name) to local user account Access control all based on standard UNIX tools –Or Kerberos, AFS etc Site/System management fully in control Limited tools for Virtual Organisations (VOs) to manage access to resources

7 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL7 EDG/EDT security developments

8 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL8 EDG Security news EU Deliverable 7.5 –Security Requirements and Testbed1 (complete) http://hepwww.rl.ac.uk/kelsey/DataGrid-D7.5.pdf http://hepwww.rl.ac.uk/kelsey/DataGrid-D7.5.pdf EU Deliverable 7.6 –Security Design and Testbed2 (January 2003) Security components –VO/LDAP & VOMS – Authorisation –LCAS, LCMAPS – local authorisation and mapping –Gridmapdir – dynamic leased accounts –Gridsite – certificate-based web management –SlashGrid - dn-based grid homefile system –GACL – Library to parse ACL’s (XML) –edg-security (for database access control)

9 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL9 EDG WP6 CA group The PMA (Policy Management Authority) for EDG –Members: the CA managers (but not just EDG!) –includes CrossGrid, US DOE CA’s… more joining –http://marianne.in2p3.fr/datagrid/ca/http://marianne.in2p3.fr/datagrid/ca/ Establishing “Trust” between CA’s, Grid projects, VOs, Sites –Need approval of site security officers and sysadmins To (perhaps) bypass normal user registration procedures –Achieved for EDG testbed activities NOT yet for LCG production-scale deployment Defining “best practice” and “minimum requirements” –Working with GGF –CP/CPS documents –Registration Authority procedures –Operational procedures

10 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL10 Trusted CA’s 13 trusted CA’s –CERN, Czech Rep, France, Germany, Ireland, Italy, Netherlands, Nordic, Portugal, Russia, Spain, UK, USA Under consideration –Canada, Greece, Poland, Slovakia CNRS/France willing to act as short-term “catch-all” –For small number of users/machines –But needs agreed registration procedure(s) –Already doing so for Austria, Israel, Switzerland, Romania, Taiwan…

11 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL11 Authorisation VO/LDAP shown in Catania HEPiX Now we (EDT for EDG) are developing VOMS –Virtual Organisation Membership Service See Luciano Gaido’s slides (EDG meeting Budapest) and VOMS architecture report (EDT meeting 8Oct02)slidesVOMS architecture –Some of these follow LCAS & plug-ins and GACL to apply Access Control Easy management of ACL’s still missing

12 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL12 current implementation (LDAP) Support for users belonging to more than one VO – –vo option to grid-proxy-init command; –the VO name is inserted in the Subject of the proxy certificate (D field); –requires a patch to Globus code (and a change to mkgridmap); –under test the interaction with RB; –availability: 30 September ’02.

13 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL13 VO Membership Service 1.Client and server authenticate themselves and establish a secure communication channel using standard Globus API. 2.The Client sends the request to the Server. 3.The Server checks the request and sends back the required info (signed by itself). 4.The Client checks the validity of the info received. 5.Steps 1—4 are repeated for each Server the Client wants to contact. 6.The Client creates a proxy certificate with an extension (non critical) containing all the info received from the contacted VOMS Servers. Query Authentication Request Auth DB VOMS pseudo- cert C=IT/O=INFN /L=CNAF /CN=Pinco Palla /CN=proxy VOMS pseudo- cert

14 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL14 VOMS

15 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL15 LCG Phase 1

16 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL16 LCG 1 security LCG Phase 1 – deploy a production quality Grid –from July 2003 Planning now – documents by December 2002 –Must be ready by summer 2003 Security planning –User Registration –Authentication –Authorisation –Security Policy –Operational issues

17 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL17 User Registration Users would like to register just once (per VO) –Sign one form –One single “Acceptable Use” description Sites need –Sufficient recorded information about the user VO databases – managed by whom? (expt offices?) –Behind-the-scenes creation of new user accounts Or willingness to use dynamic leased accounts VO’s need –Tools to manage users, roles, groups Who owns the databases – VOs and/or Sites?

18 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL18 Authentication Scaling of establishing list of trusted CA’s –Currently one per country (many countries!) –Often issued by CA’s serving larger community than HEP CERN and FNAL proposing a Kerberos-based CA –User authenticates via kerberos to the KCA –KCA then issues short-lived X.509 certs –Not yet “trusted” by EDG/LCG Some sites will not accept long-lived private keys held by users –Credential repositories (MyProxy, aVOMS) –Smartcards –Specialised additional authentication (e.g. Cryptocard) Doesn’t scale! Support multiple levels of authentication Credential renewal for long-running batch jobs

19 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL19 Authorisation Technology immature –What will be ready for LCG phase 1? –Need input from the experiments Who manages access? –To sites –To resources –To individual files, objects Sites authorise VO’s –VO’s authorise users, roles, groups Much will be definition of procedures –Aim for independence from technologies Move to OGSA, ws-security, … Sites need to trust VO procedures

20 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL20 Operational issues Communication between sites Intrusion detection Incident tracking Auditing and reporting

21 23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL21 Summary EDG/EDT – much progress during 2002 –More functionality in 2003 –GGF and other Grid projects also important Current procedures work well for Testbed scale LCG Phase 1 (and BaBar Grid) –Need improved procedures for production scale Need to plan for and support –Multiple authentication and authorisation technologies Will need full consultation with Sites and VOs (experiments) to agree policies and establish trust MUST be pragmatic –LCG Phase 1 MUST work

Download ppt "23-Oct-02D.P.Kelsey, Grid Security, HEPiX, FNAL1 LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002 David Kelsey CLRC/RAL, UK"

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK

5-Sep-02D.P.Kelsey, Security Summary, Budapest1 WP6/7 Security Summary Budapest 5 Sep 2002 David Kelsey CLRC/RAL, UK
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin

Authentication Policy David Kelsey CCLRC/RAL 15 April 2004, Dublin
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.
12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK

12-May-03D.P.Kelsey, SCG Online Authentication1 Online Authentication SCG Meeting EDG Barcelona, 12 May 2003 David Kelsey CCLRC/RAL, UK
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Similar presentations

Ads by Google