
DataGrid Security Wrapup

DataGrid Security Wrapup. Linda Cornwall, 4th March 2004. DataGrid Security Co-ordination Group. No single work-package to tackle Grid security, but WP2 has a security task and team. The Security Coordination Group (SCG) was formed in late 2001, led by David Kelsey.


Presentation Transcript


  1. DataGrid Security Wrapup Linda Cornwall 4th March 2004

  2. DataGrid Security Co-ordination Group
  • No single work-package to tackle Grid security
  • But WP2 has a security task and team
  • Security Coordination Group (SCG) was formed in late 2001
    • Led by David Kelsey
  • Mandate of SCG (sub-group of WP7)
    • To produce the Deliverables of WP7 on Security
    • To help coordinate security activities in WPs 1 to 7
    • To liaise with WP6 CA & Authorization groups (and others)
    • To contribute to the architecture of the EU DataGrid (ATF)
  • SCG has larger scope than originally foreseen
    • At least one representative per middleware WP
    • Collaboration with DataTAG and national Grid projects

  3. SCG Achievements - overview
  • Authentication: Certification Authorities (CAs) for EDG and others
    • WP6 Certificate Authorities Coordination Group
  • DataGrid Security Requirements (D7.5, May 2002)
    • 112 requirements in many areas…
      • Authentication, Authorization, Auditing, Non-repudiation, Delegation, Confidentiality, Integrity, Network, Manageability, Usability, Interoperability, Scalability, Performance, Robustness
    • Priority attached – DataGrid Requirements, Aims within EDG, Long Term aims
    • Several joint meetings with WP8, 9 and 10 for VO use cases
  • Security Design (D7.6, March 2003) (Large UK contribution)
  • Final Security Report (D7.7, January 2004)
    • includes comparison with initial requirements

  4. Summary of the EDG Security design
  • Users are issued with a PKI certificate from their local (country) Certification Authority.
  • Users become a member of one or more ‘Virtual Organisations’ (VOs)
  • Users are issued with authorization credentials by the VOs to which they belong
  • Authorization rules are enforced by the local sites or resources
  • Various language-dependent tools have been developed

  5. Overview of the EDG Security Components (D7.6)
  [Architecture diagram. Credential flow: the user requests a certificate (dn, ca, Pkey) from a CA; VOMS issues a credential (VO, group(s), role(s)) that is carried in a short-lifetime proxy cert; MyProxy holds a long-lifetime delegation for renewal. Authentication: GSI (C), mod_ssl (web), TrustManager (Java). Coarse-grained authorization (e.g. gatekeeper): LCAS decides yes/no, LCMAPS maps dn -> userid / krb ticket, Spitfire maps dn -> DB role. Fine-grained authorization (e.g. RMC, GridSite, SE /grid, Spitfire): obj.id -> acl via GACL, then (dn, attrs, acl, req.op) -> yes/no, then doit.]

  6. Achievements - Authentication
  • PKI based Certification Authorities (CAs) for EDG and other Grid Projects
    • DataTAG, CrossGrid, LCG – including a global service for particle physics
    • Same CAs used by many national projects
  • Tools to carry out Authentication in languages other than ‘C’ (GSI)
    • Java (edg-java-security TrustManager)
    • Apache web services (mod_ssl)

  7. Authorization – Early on
  • VO LDAP server was developed to manage VO membership
    • This produced a grid-mapfile
  • Tool for leasing Pool Accounts to users defined in the grid-mapfile obtained from the VO LDAP server
  • Combination of these allowed users access to resources without a specific account on that particular host.
  • This provides very coarse-grained authorization according to a VO based identity

  8. Authorization VOMS
  • Virtual Organisation Membership Service (VOMS) developed jointly between EDG and DataTAG projects.
  • Allows for the management of VO membership for both Users and Services and the issuing of Credentials proving
    • VO membership, Groups, Roles and Capabilities
  • VOMS credentials are in the form of an extension to the GSI proxy
    • VOMS proxy

  9. ‘Local’ Authorization
  • Various tools have been developed within EDG to allow access in the local environment.
  • LCAS and LCMAPS for authorization in C/C++ services
  • Java authorization Manager
    • Coarse grained authorization mapping
    • Credential extraction and checking to allow fine grained authorization by the service
  • GridSite – Authorization in Web services environment
  • GACL ‘Grid Access Control Language’ for defining access control based on Grid Credentials
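As an added illustration (not EDG's own code, and not the real GACL syntax), the following Python sketches the authorization chain that slides 5, 7 and 9 describe: attributes extracted from a VOMS-extended proxy, an LCAS-style site decision, LCMAPS-style pool-account leasing, and a GACL-style per-object ACL. All DNs, VO names, pool accounts and the ACL format are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Credential:
    """Attributes a service extracts from a VOMS-extended proxy (constructed)."""
    dn: str
    vo: str
    groups: Tuple[str, ...] = ()
    roles: Tuple[str, ...] = ()


# Constructed site policy: admitted VOs and their pool accounts (LCMAPS-style),
# plus a site ban list (LCAS-style). None of these values are EDG's own.
SITE_POOLS: Dict[str, List[str]] = {"atlas": ["atlas001", "atlas002"], "biomed": ["biomed001"]}
BANNED_DNS: Set[str] = {"/C=XX/O=Example/CN=Revoked User"}


def lcas_allow(cred: Credential) -> bool:
    """Coarse-grained site decision: VO admitted here and DN not banned."""
    return cred.dn not in BANNED_DNS and cred.vo in SITE_POOLS


def lcmaps_map(cred: Credential, leases: Dict[str, str]) -> Optional[str]:
    """Lease a pool account: a DN keeps its account; otherwise take the first free one."""
    if not lcas_allow(cred):
        return None
    if cred.dn in leases:
        return leases[cred.dn]
    for acct in SITE_POOLS[cred.vo]:
        if acct not in leases.values():
            leases[cred.dn] = acct
            return acct
    return None  # pool exhausted: deny rather than share an account between DNs


# Constructed GACL-like ACL: ((subject kind, subject value), allowed operations).
# Subject kinds mirror the credential fields: dn, vo, group, role.
Acl = List[Tuple[Tuple[str, str], Set[str]]]


def gacl_allow(acl: Acl, cred: Credential, op: str) -> bool:
    """Fine-grained decision: (dn, attrs, acl, requested op) -> yes/no, default deny."""
    for (kind, value), allowed in acl:
        matched = {
            "dn": cred.dn == value,
            "vo": cred.vo == value,
            "group": value in cred.groups,
            "role": value in cred.roles,
        }[kind]
        if matched and op in allowed:
            return True
    return False
```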

  10. Requirements analysis (EDG 2.1)
  • DataGrid Requirements
    • Success
    • Mostly satisfied
    • Not satisfied
  FS = fully, PS = partially, NS = not … satisfied. “Partially” means not all WPs and/or not all languages.

  11. Summary of progress
  • Authentication – lots of success!
  • Large amount of progress in Authorization mechanisms
    • Need to be fully integrated with other middleware
  • Confidentiality – area where we largely failed.
    • Depended on Authorization integration being complete, and data being stored in encrypted form
    • More of a problem for e.g. Bio Medical applications than particle physics
  • Interoperability – also largely successful.
    • Based on GSI
    • Worked closely with the international community, GGF
  • Some other areas need much more work – security largely turned off in EDG testbed 2.1
    • Liable to denial of service attacks
    • Areas like non-repudiation need more attention.

  12. Lessons learned
  • Be careful collecting requirements
    • In hindsight, the D7.5 requirements were rather ambitious
    • The expectations of the applications were documented but there was not sufficient analysis of the difficulty of integration
  • Security must be an integral part of all development
    • from the start
  • Building and maintaining “trust” between projects and continents takes time
    • Not just about middleware
  • Integration of security into existing systems is complex
  • When designing middleware ‘think security’
    • Don’t rely on adding it later
  • There must be a dedicated activity dealing with security
  • EGEE planning has already benefited from our experience

  13. Exploitation
  • Authentication
    • The CA infrastructure will continue
    • EGEE will manage the EDG PKI in a new EU PMA
    • LCG driving the requirements for global physics authentication
    • Grid CAs to be registered in new TERENA CA repository (TACAR)
    • eInfrastructure and eIRG meetings (Ireland) to consider this topic
    • A general EU Grid PKI infrastructure?
  • DataGrid people will continue in EGEE and GGF
  • Security Policy issues
    • DataGrid people already active in defining LCG policy and procedures
    • Important input to EGEE and eIRG

  14. Exploitation (2)
  • Authorization
    • EDG components and people will continue in EGEE, LCG and other projects
    • VOMS is part of LCG-2
      • The HEP applications need roles and groups
    • Integration with SlashGrid, ACLs (GACL) and GridSite
    • Joint work with UK GridPP, using VOMS and working with PERMIS team
    • Greater exploitation of the various Authorization tools will be possible when they are fully integrated with other middleware
  • Work in GGF security area groups will continue
    • EDG providing reference implementations in OGSA-AuthZ
      • WS-security, VOMS, LCAS, GridSite, SlashGrid etc
      • XML policy, XACML, VOMS Attribute Certificates, SAML
    • Will continue to drive and track standards
  • Publication of the work is ongoing
