1 / 18

Enhancing Security in Data Grid: Authentication & Authorization

Discussion on securing Data Grid with emphasis on authentication, authorization, and maintaining secure VO directories and user attributes. Explore key challenges and strategies.

erikwillis
Download Presentation

Enhancing Security in Data Grid: Authentication & Authorization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security in DataGrid12 Mar 2002TERENA GRID-AN BoF David GroepNIKHEF, Amsterdam based on a presentation by David Kelsey CLRC/RAL, UK Security in DataGrid

  2. The EU DataGrid • DataGrid: generic Grid middleware and test bed for • High Energy Physics • Earth Observation and ozone modelling • Bio-informatics & bio-medicine • Middleware components (on top of Globus): • scheduling and accounting • data replication and management • monitoring • data storage • fabric and farm management Security in DataGrid

  3. Security in DataGrid • No allocated effort, so groups distributed over WP’s: • CA Coordination (Test bed WP6)Started before the project (end 2000), well established • Ad-hoc Authorization (Test bed WP6)Interim solutions for distributing collaboration user lists and “virtual organization directories”. • Security Coordination (“Networking” WP7)Requirements gathering and design of a first “security architecture”. Definition of security guidelines for middleware development Security in DataGrid

  4. Start with … Authentication Security in DataGrid

  5. WP6 CACG • 11 DataGrid Testbed1 CA’s • See WP6 web • Much effort to run these – growing number of cert requests • Several moving to OpenCA • US DOE ScienceGrid CA • Operational since January 2002 • Approved as a DataGrid “trusted” CA (& vice-versa!) • First test of transatlantic authentication last month • Karlsruhe CA (CrossGrid and HEP Germany) • To be incorporated later • Seems to attract Grid CA issues that should have gone to GGF! Security in DataGrid

  6. Authentication (2) • One of the EDG CA’s (CNRS)acts as a “catch-all” CA • CP/CPS will get explicit statements about RA’s • Matrix of Trust (work ongoing) – much work! • Feature matrix • Acceptance matrix(WP6 CA Mgrs check each other against min. requirements) BUT: • Still another 7 CrossGrid countries with no CA • And many other LHC countries • Scaling problems! • Automate the feature checking • Continue to work with GGF in the GridCP group Security in DataGrid

  7. Authentication (3) DataGrid CA Features matrix Security in DataGrid

  8. CA Acceptance Matrix • Detailed reports per CA • Guidelines for “national” site admins • To be done: – versioning of CP/CPS – invalidation after CP/CPS updates Security in DataGrid

  9. And now … Authorisation Security in DataGrid

  10. GSI – Grid map file • Resource Authorization based on access lists • Maps “Grid name” (cert subject DN) → local UID • In effect after successful authentication triode:davidg:1002$ cat /etc/grid-security/grid-mapfile "/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg "/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn "/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon "/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/Email=Piergiorgio.Cerello@to.infn.it" aliprod Security in DataGrid

  11. mkgridmap and VO’s • Virtual Organizations (VOs) define user groups“ATLAS”, “LHCb”, “OzoneModelling”, … • Directory with user lists maintained by VO admin • Resource owners extract list from “allowed” VOs • optional: AND with one other directory (AUP!) • periodically generated (once per day) Security in DataGrid

  12. o=xyz,dc=eu-datagrid, dc=org o=testbed,dc=eu-datagrid, dc=org ou=People ou=People ou=Testbed1 ou=??? CN=John Smith CN=Mario Rossi CN=John Smith Authentication Certificate Authentication Certificate Authentication Certificate CN=Franz Elmer CN=Franz Elmer mkgridmap ban list grid-mapfile local users grid-mapfile generation VODirectory “AuthorizationDirectory” Security in DataGrid

  13. Entries in VO Directory • VO Membership list dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: pkiUser sn: Barbera cn: Roberto Barbera mail: roberto.barbera@ct.infn.it labeledURI: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate • (sub) groups dn: ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org objectClass: domain objectClass: organizationalUnit objectClass: groupofnames . . . . owner: cn=manager,o=lhcb,dc=eu-datagrid,dc=org • VO administrators • sub-group administrators Security in DataGrid

  14. Authorisation WP6 Authorisation group (R. Cecchini – INFN) • Future plans • Evaluation of CAS and PERMIS • Better VO Directory management; • Support of replicas of VO Directories; • Support for users’ attributes in the VO Directories: • e.g. the AUP signing information (with expiration date...) Security in DataGrid

  15. Authorisation (2) • Globus Community Authorisation Server (CAS) • Long awaited! • Hot news – alpha release by end of next week • PERMIS (http://www.permis.org) • EU funded project • Univ of Salford (UK) – member of SecureGrid • Policy-based Role-based (XML) Access control Security in DataGrid

  16. GridMapDir (WP6 - McNab) • Account sharing mechanism for local UIDs • Modifier version of GSI allows mapping to ‘account pools’ (à la DHCP) • nice when VO directories are large and not all users go to all sites • difficult to recycle accounts (files!) • sucessfully deployed in EDG TB1 Security in DataGrid

  17. Authorisation issues • We need more functionality • “Dynamic policy-based Access control” • Users with more than one allowed role • Move away from Unix uid based security (and grid mapfile) • Applicable to all Grid services (and callable from) • Users may belong to multiple VO’s • Authorisation may need to be based on “joins” • Global & Local authorisation mechanisms • need to negotiate policy – Global/VO/Local • We should aim for a limited number of compatible authorisation mechanisms • Job for Architecture group and WP7 Security • OGSA? Security in DataGrid

  18. Future plans • The EU review encouraged us to do more on security • It is already happening! • WP6 CA group • continue Acceptance matrix and work with GGF • WP6 Authorisation group • Test and evaluate CAS and PERMIS • WP7Sec D7.6 (M25) “Security Design and TB2 report” • Work going on in all middleware WP’s on security • WP7Sec & Architecture group need to • Coordinate activities • Check that mechanisms are “secure” Security in DataGrid

More Related