Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh.

Published byJulius Poole Modified over 8 years ago

Similar presentations

Presentation on theme: "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh."— Presentation transcript:

1 INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh Tokyo, 25 August 2005

2 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 2 Acknowledgements This presentation includes slides taken from the following talks: –Roberto Barbera at ISSGC05, Vico Equense, July 2005 http://www.dma.unina.it/~murli/GridSummerSchool2005/index.htm http://www.dma.unina.it/~murli/GridSummerSchool2005/index.htm –Richard Sinnott at ISSGC05, Vico Equense, July 2005 –Carl Kesselman, at ISSGC04, Vico Equense, July 2004 http://www.dma.unina.it/~murli/GridSummerSchool2004/index.htm http://www.dma.unina.it/~murli/GridSummerSchool2004/index.htm –David Fergusson at EMBRACE/EGEE Tutorial, Clermont Ferrand, July 2005 http://agenda.cern.ch/fullAgenda.php?ida=a053765http://agenda.cern.ch/fullAgenda.php?ida=a053765 –Joachim Flammer at EMBRACE Tutorial, Clermont-Ferrand, July 2005 Also information from: –Globus Alliance: GT4 Security: Key concepts –http://www.globus.org/toolkit/docs/4.0/security/keyhttp://www.globus.org/toolkit/docs/4.0/security/key

3 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 3 Outline Why Authorisation and Authentication (AA) are the basis of grids Authentication: “AuthN” –“Are you who you claim to be?” Delegation: building distributed systems dynamically Authorisation: “AuthZ” –“What are you allowed to do?” MyProxy: management of certificates

4 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 4 Requirements for AuthN and AuthZ Support multiple VOs across –Administrative domains –National borders –Via Internet Single sign-on –Multiple services –Delegation Scalability: –N,000 users –M,000 CPUs –Without M*N million usernames / passwords… Security INTERNET

5 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 5 Authentication and X.509 certificates

6 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 6 AA and Certificates X 509 Digital certificate is the basis of AA in EGEE Certification Authorities (CAs) –~one per country; builds network of “Registration Authorities” who issue certificates CAs are mutually recognized – to enable international collaboration – International Grid Trust Federation http://www.gridpma.org/http://www.gridpma.org/ For Asia-Pacific region CAs: https://www.apgrid.org/CA/CertificateAuthorities.html https://www.apgrid.org/CA/CertificateAuthorities.html CA certificates – issued to –Users: you get a Certificate and use it to access grid services –Sites providing resources Uses Public Key Infrastructure –Private key – known only to you –Public key included in your certificate

7 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 7 Public Key Infrastructure Basis for authentication, integrity, confidentiality, non-repudiation Asymmetric encryption Digital signatures –A hash derived from the message and encrypted with the signer’s private key –Signature checked decrypting with the signer’s public key Allows key exchange in an insecure medium using a trust mode –Keys trusted only if signed by a trusted third party (Certification Authority) –A CA certifies that a key belongs to a given principal Certificate: held in two parts –Public key + principal information + CA signature –Private key: only the owner (should) use this Encrypted text Private Key Public Key Clear text message

8 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 8 X.509 Certificates An X.509 Certificate contains: –o–owner’s public key; –i–identity of the owner; –i–info on the CA; –t–time of validity; –S–Serial number; –d–digital signature of the CA Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2005 GMT Serial number: 625 (0x271) CA Digital signature Structure of a X.509 certificate

9 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 9 Certificate Validity The public key from the CA certificate can then be used to verify the certificate. Name Issuer: CA Public Key Signature =? Name: CA Issuer: CA CA’s Public Key CA’s Signature slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Decrypt CA

10 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 10 Grid Security Infrastructure (GSI) de facto standard for Grid middleware Based on PKI To support…. –Single sign-on: to a machine on which your certificate is held –Delegation: a service can act on behalf of a person –Mutual authentication: both sides must authenticate to the other ….GSI introduces proxy certificates –Short-lived certificates signed with the user’s certificate or a proxy –Reduces security risk, enables delegation CA and user included in the proxy.... See practical later

11 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 11 The Grid Security Infrastructure (GSI) every user/host/service has an X.509 certificate; certificates are signed by trusted (by the local sites) CA’s; every Grid transaction is mutually authenticated: 1. A sends his certificate; 2. B verifies signature in A’s certificate; 3. B sends to A a challenge string; 4. A encrypts the challenge string with his private key; 5. A sends encrypted challenge to B 6. B uses A’s public key to decrypt the challenge. 7. B compares the decrypted string with the original challenge 8. If they match, B verified A’s identity and A can not repudiate it. A B A’s certificate Verify CA signature Random phrase Encrypt with A’ s private key Encrypted phrase Decrypt with A’ s public key Compare with original phrase Based on X.509 PKI: VERY IMPORTANT Private keys Private keys must be stored only: protected in protected placesAND encrypted in encrypted form

12 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 12 Use Delegation to Establish Dynamic Distributed System Compute Center VO Service slide based on presentation given by Carl Kesselman at GGF Summer School 2004

13 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 13 User Authorisation to Access Resource slide based on presentation given by Carl Kesselman at GGF Summer School 2004

14 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 14 Authentication, Authorisation in LCG Authentication –User certificate signed by CA –Connects to UI by ssh –Downloads certificate –Invokes Proxy server –Single logon – to UI - then Grid Security Infrastructure identifies user to other machines Authorisation –User joins Virtual Organisation –VO negotiates access to Grid nodes and resources –Authorisation tested by CE –gridmapfile maps user to local account UI CA VO mgr Personal/ once VO database Gridmapfiles on CE GSI VO service Daily update LCG

15 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 15 “Compute element” “Worker nodes” Local resource management system: Condor / PBS / LSF master Globus gatekeeper Job request Info system Logging gridmapfile I.S. Logging

16 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 16 Building on AuthN Authorisation… What are you allowed to do? … and how is this controlled?? In gLite the answer will be VOMS Virtual Organisation Management System

17 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 17 EGEE VO management face to face LCG User is authorised as a member of a single VO All VO members have same rights Gridmapfiles are updated by VO management software: map the user’s DN to a local account grid-proxy-init gLite, using VOMS In future… User can be in multiple VOs –Aggregate rights VO can have groups –Different rights for each  Different groups of experimentalists  … –Nested groups VO has roles –Assigned to specific purposes  E,g. system admin  When assume this role Proxy certificate carries the additional attributes voms-proxy-init

18 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 18 VOMS: virtual organisation management system single login using voms-proxy-init only at the beginning of the session (was grid-proxy-init) backward compatibility: the extra VO related information is in the user's proxy certificate, which can be still used with non VOMS-aware services multiple VOs: the user may "log-in" into multiple VOs and create an aggregate proxy certificate, which enables her to access resources in any of them

19 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 19 Introduction to VOMS VOMS Features –Single login using (proxy-init) only at the beginning of a session  Attaches VOMS attributes to user proxy –Expiration time  The authorization information is only valid for a limited period of the time as the proxy certificate itself –Multiple VO  User may log-in into multiple VOs and create an aggregate proxy certificate, which enables him/her to access resources in any one of them –Backward compatibility  The extra VO related information is in the user’s proxy certificate  User’s proxy certificate can be still used with non VOMS-aware service –Security  All client-server communications are secured and authenticated

20 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 20 Groups The number of users of a VO can be very high: –E.g. the experiment ATLAS has 2000 members Make VO manageable by organizing users in groups: –VO BIOMED-FRANCE  Group Paris Sorbonne University oGroup Prof. de Gaulle Central University  Group Lyon  Group Marseille Groups can have a hierarchical structure Group membership is added automatically to your proxy when doing a voms-proxy-init

21 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 21 Groups rights Assign rights to certain members of the groups –using Access Control Lists (ACL) like in a file system  Allow / Deny Create user Delete user Get ACL Set ACL List user Remove ACL –Specifying unit for entry:  The local database administrator  A specific user (not necessarily a member of this VO)  Anyone who has a specific VOMS attribute FQAN  Anyone who presents a certificate issued by a known CA (Including host and service certificates)  Absolutely anyone, even unauthenticated clients

22 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 22 Roles Roles are specific roles a user has and that distinguishes him from others in his group: –Software manager –Administrator –Manager Difference between roles and groups: –Roles have no hierarchical structure – there is no sub-role –Roles are not used in ‘normal operation’  They are not added to the proxy by default when running voms-proxy-init  But they can be added to the proxy for special purposes when running voms-proxy-init Example: –User Yannick has the following membership  VO=BIOMED-FRANCE, Group=Paris, Role=SoftwareManager –During normal operation the role is not taken into account, e.g. Yannick can work as a normal user –For special things he can obtain the role “Software Manager”

23 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 23 gLite VOMS Authz DB is a RDBMS (both MySQL and Oracle are currently supported).

24 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 24 “MyProxy” You may need: –To interact with a grid from many machines  And you realise that you must NOT, EVER leave your certificate where anyone can find and use it…. Its on a USB drive only. –To use a portal, and delegate to the portal the right to act on your behalf (by logging in to an account that can make a proxy certificate for you) –To run jobs that might last longer than the lifetime of a short-lived proxy Solution: you can store a long-lived proxy in a “MyProxy repository” and derive a proxy certificate when needed.

25 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 25 Grid authentication with MyProxy UI Local WS MyProxy Server GENIUS Server (UI) grid-proxy-init myproxy-init any grid service myproxy-get-delegation output the Grid execution WEB Browser

26 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 26 MyProxy Consists of a server and a set of client tools that can be used to delegate and retrieve credentials to and from a server. MyProxy Client commands: myproxy-init myproxy-info // myproxy-info -s -d myproxy-destroy myproxy-get-delegation // myproxy-get-delegation -s -d –t -o -a myproxy-change-pass-phrase The myproxy-init command allows you to create and send a delegated proxy to a MyProxy server for later retrieval; in order to launch it you have to assure you’re able to execute the grid-proxy-init or vomsproxy-init command. myproxy-init -s -t -d –n The myproxy-init command stores a user proxy in the repository specified by (the –s option). Default lifetime of proxies retrieved from the repository will be set to (see -t) and no password authorization is permitted when fetching the proxy from the repository (the -n option). The proxy is stored under the same user-name as is your subject in your certificate (-d).

27 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 27 Summary -1 Digital credentials and the “Grid Security Infrastructure” (GSI) are the basis of AuthN and AuthZ Need to establish trust, so  Resource can trust user  User can trust the resource The basis: –both users and sites trust Certificate Authorities –CAs trust each other –CAs sign user and site certificates Protect your certificate: it is your grid identity

28 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 28 Summary -2 The EGEE multi-VO grid is built on –Authentication based on X.509 digital certificates  Issued by CAs that are internationally recognised (hence we can have international collaboration)  With proxy extensions –Authorisation  gLite will be using VOMS – not yet, in GILDA VOMS supports –multiple groups, roles within a VO –Aggregation of rights by a user who is a member of several VOs MyProxy –Secure storage of certificates and proxies –Delegation so services can create and use a proxy on your behalf

29 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 29 User Responsibilities Keep your private key secure. Do not loan your certificate to anyone. Report to your local/regional contact if your certificate has been compromised. Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you. IT IS YOUR PASSPORT AND CREDIT CARD

30 Enabling Grids for E-sciencE INFSO-RI-508833 Authorisation and Authentication in gLite, Tokyo, August 2005 30 References VOMS Available at http://infnforge.cnaf.infn.it/voms/http://infnforge.cnaf.infn.it/voms/ Alfieri, Cecchini, Ciaschini, Spataro, dell'Agnello, Fronher, Lorentey, From gridmap-file to VOMS: managing Authorization in a Grid environment Vincenzo Ciaschini, A VOMS Attribute Certificate Profile for Authorization GSI Available at www.globus.orgwww.globus.org A Security Architecture for Computational Grids. I. Foster, C. Kesselman, G. Tsudik, S. Tuecke. Proc. 5th ACM Conference on Computer and Communications Security Conference, pp. 83-92, 1998. A National-Scale Authentication Infrastructure. R. Butler, D. Engert, I. Foster, C. Kesselman, S. Tuecke, J. Volmer, V. Welch. IEEE Computer, 33(12):60-66, 2000. RFC S.Farrell, R.Housley, An internet Attribute Certificate Profile for Authorization, RFC 3281

Download ppt "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Authorisation and Authentication in gLite Mike Mineter National e-Science Centre, Edinburgh."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Practical using EGEE middleware: AA and simple job submission.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Practical using EGEE middleware: AA and simple job submission.
Introduction of Grid Security

Introduction of Grid Security
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Www.euchinagrid.org Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.

Liang ZHAO, PKU EUChinaGrid 3 rd Tutorial Nov.25, 2006 Authentication and Authorization in gLite Liang ZHAO Peking University.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.

INFSO-RI Enabling Grids for E-sciencE Security, Authorisation and Authentication Mike Mineter Training, Outreach and Education National.
GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.

GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
GRID workshop Enabling Grids for E-sciencE www.eu-egee.org iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.

GRID workshop Enabling Grids for E-sciencE iag.iucc.ac.il PKI, Certificates and CAs – Oh My! Hank Nussbacher Israel InterUniversity Computation.
Enabling Grids for E-sciencE www.eu-egee.org Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

INFSO-RI Enabling Grids for E-sciencE EGEE Security Basics for the User Guy Warner NeSC Training Team An Induction to EGEE for GOSC.

Similar presentations

Ads by Google