
Overview of the New Security Model

Akos Frohner (CERN), WP8 Meeting, VI DataGRID Conference, Barcelone, 12-15 May 2003. The focus is on VOMS; details are in D7.6 Security Design.



Presentation Transcript


  1. Overview of the New Security Model
  Akos Frohner (CERN), WP8 Meeting, VI DataGRID Conference, Barcelone, 12-15 May 2003

  2. Overview
  • focus is on VOMS; details are in D7.6 Security Design
  [Diagram: credential flow from CA and VOMS to the user and on to services, with the service-side authentication and authorization stack. Recoverable labels:]
  • CA issues the user certificate (dn, ca, Pkey); the user requests a proxy cert (dn, cert, Pkey, VOMS cred.) with a short lifetime
  • VOMS issues the VOMS credential (VO, group(s), role(s)); MyProxy holds a long-lifetime delegation (cert+key) used for re-newal; the proxy cert (cert+key, short lifetime) is delegated to services
  • authentication (auth) layers: GSI, mod_ssl, TrustManager
  • authorization (authz): pre-process parameters (obj.id + requested op.; dn, attrs, acl, req. op. -> yes/no), then LCAS / LCMAPS (dn -> userid, krb ticket), WebServices Authz (dn -> DB role), GACL (obj.id -> acl), then doit
  • coarse grained and fine grained solutions; examples: gatekeeper, RepMec, GridSite, SE (/grid), Spitfire; implementations: web, C, Java

  3. User's Authorization in EDG 1.4.x
  [Diagram: high frequency vs. low frequency flows between CA, VO-LDAP, user and service. Recoverable labels:]
  • CA issues host cert (long life) and user cert (long life); the service performs crl update
  • the user registers in VO-LDAP; grid-proxy-init creates a proxy cert (short life)
  • mkgridmap pulls VO-LDAP membership into the service's grid-mapfile
  • VO-LDAP carries authentication info

  4. User's Authorization in EDG 2.x
  [Diagram: same layout as slide 3, with VO-VOMS in place of VO-LDAP. Recoverable labels:]
  • CA issues host cert (long life) and user cert (long life); the service performs crl update
  • the user registers with VO-VOMS; voms-proxy-init creates a proxy cert (short life) carrying an authz cert (short life)
  • the service holds a service cert (short life) and receives the authz cert (short life)
  • VO-VOMS provides authentication & authorization info, consumed by edg-java-security and LCAS

  5. VOMS Overview
  • Provides info about the user's relationship with his VO(s)
    • groups, roles (admin, student, ...), capabilities (free form string), temporal bounds
  • Features
    • single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init);
    • expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself);
    • backward compatibility: the extra VO related information is in the user's proxy certificate, which can still be used with non VOMS-aware services;
    • multiple VO's: the user may authenticate himself with multiple VO's and create an aggregate proxy certificate;
    • security: all client-server communications are secured and authenticated.

  6. VOMS Architecture
  [Diagram: VOMS server (vomsd, GSI, soap + SSL) in front of a MySQL DB; clients: voms-proxy-init (GSI), Perl CLI (DBI), Tomcat & java-sec with axis / VOMSimpl / servlet Web interface (https, JDBC), mkgridmap (https)]
  • MySQL db – with history and audit records
  • User query server and client (C++)
  • Java Web Service based administration interface
  • Perl client (batch processing)
  • Web browser client (generic administrative tasks)
  • Web server interface for mkgridmap

  7. Migration to VOMS
  [Diagram: four phases, each showing the VO-LDAP / VOMS servers, the user's proxy tool and the service's grid-mapfile tooling. Recoverable labels:]
  • phase 0: testing the VOMS servers (VO-LDAP and VOMS kept in step by voms-ldap-sync; users run grid-proxy-init, services use edg-mkgridmap and grid-mapfile)
  • phase 1: user management on VOMS (VO-LDAP and VOMS still synchronised by voms-ldap-sync; users run grid-proxy-init, services use edg-mkgridmap and grid-mapfile)
  • phase 2: compatibility mode: mixed services (users run voms-proxy-init or grid-proxy-init; non VOMS-aware services still use edg-mkgridmap and grid-mapfile; proxy (voms))
  • phase 3: fully migrated: only VOMS-aware services (users run voms-proxy-init; services consume the proxy (voms) directly)

  8. Auth/Authz in Services
  • GSI based or compatible authentication
  • grid-mapfile or VOMS based authorization (can be both)
  • policy or ACL based access control
  • coarse and fine grained solutions
  • access control description's syntax is not standard
  • implemented alternatives:
    • edg-java-security for Java web services
    • GSI/LCAS/LCMAPS for native C/C++ services
    • mod_ssl/GACL for Apache based web services
    • (SlashGrid for transparent filesystem ACLs)

  9. Local Site Authorization
  • Local Centre Authorization Service (LCAS)
    • Handles authorization requests to local fabric
      • authorization decisions based on proxy user certificate and job specification;
      • supports grid-mapfile mechanism.
    • Plug-in framework (hooks for external authorization plugins)
      • allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db)
      • plugin for VOMS (to process authorization data)
  • Local Credential Mapping Service (LCMAPS)
    • provides local credentials needed for jobs in fabric
    • mapping based on user identity, VO affiliation, local site policy
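The following is an added example, not code from the presentation or from the EDG project: a compact model of the LCAS decision chain on slide 9 (ban list, timeslot, grid-mapfile or VOMS attribute) followed by an LCMAPS-style mapping to a local account. The file names come from the slide, but the line formats, the DNs, the FQAN and the account names are constructed for the example; it also checks the VOMS attribute lifetime separately from the proxy lifetime, the point made on slide 5.

```python
from datetime import datetime, timezone
import shlex

# Constructed sample policy inputs, modelled on the files slide 9 names
# (grid-mapfile, ban_users.db, timeslots.db). Line formats are assumptions.
GRIDMAPFILE = '''
"/C=CH/O=CERN/OU=GRID/CN=Alice Example" alice
"/atlas/prod/Role=production" atlasprd
'''
BAN_USERS = '"/C=CH/O=CERN/OU=GRID/CN=Mallory Example"\n'
TIMESLOT = (8, 20)  # UTC hours during which the local fabric accepts jobs


def utc(year, month, day, hour):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_gridmap(text):
    """One quoted key (DN or VOMS FQAN) followed by a local account per line."""
    table = {}
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


def banned_dns(text):
    return {shlex.split(line)[0] for line in text.splitlines() if line.strip()}


def authorize(dn, proxy_not_after, fqans, voms_not_after, now):
    """LCAS-style allow/deny chain, then LCMAPS-style mapping to a local account.
    fqans are the VOMS attributes in the proxy, e.g. "/atlas/prod/Role=production".
    Returns (allowed, reason, local_account)."""
    if now >= proxy_not_after:
        return False, "proxy certificate expired", None
    if dn in banned_dns(BAN_USERS):                 # ban_users.db
        return False, "DN is banned", None
    if not TIMESLOT[0] <= now.hour < TIMESLOT[1]:   # timeslots.db
        return False, "outside allowed timeslot", None
    gridmap = parse_gridmap(GRIDMAPFILE)
    if dn in gridmap:                               # classic grid-mapfile entry
        return True, "allowed by grid-mapfile", gridmap[dn]
    # VOMS plugin: the attributes carry their own validity, which may end
    # before the proxy's own lifetime does (slide 5), so check it separately.
    if now < voms_not_after:
        for fqan in fqans:
            if fqan in gridmap:
                return True, "allowed by VOMS attribute " + fqan, gridmap[fqan]
    return False, "no grid-mapfile entry and no valid VOMS attribute", None
```

A DN not listed in the grid-mapfile is still admitted when one of its VOMS attributes maps to a pool account, which is the VOMS plugin behaviour the slide describes; the same request is refused once the VOMS attributes have expired, even though the proxy itself is still valid.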

  10. edg-java-security
  • Trust manager
    • GSI compatible authentication
    • Adapters to HTTP and SOAP
    • Currently deployed for Tomcat4
  • Authorization Manager
    • Authorization and mapping for Java services
    • Plug-in framework for maps: database, XML file and, for backward compatibility, gridmap-file
    • Handles VOMS attributes

  11. TODO
  • Test the pieces in the Testbeds
  • Implement the missing pieces and discard the unused ones
  • Common syntax and semantics for access control configurations
  • Substitution of VOMS certificates by Attribute Certificates (RFC3281)
  • Support for time cyclic/bound permissions and roles
  • Database replication
  • Use the security model -> get real life use cases
