This presentation by the National Center for Supercomputing Applications provides insights on setting up trust in Virtual Organizations (VOs), authentication policies, authorization methods, security tools, Kerberos integration, user registration services, and community authorization services in the grid computing environment.
Grid Security Overview
presented by Von Welch, National Center for Supercomputing Applications
A New VO: Day 0
• People and resources spread around the campus, state, country or globe
• Each resource has local site rules under which it has to play
• Resources may have deployed authentication mechanisms (Kerberos, AFS) that aren’t going away
• No common database of users, passwords across VO
VO Security Goal
• Main challenge of VO security is setting up trust among this group of previously unconnected resource providers
• Resource providers must establish trust of:
  • The technology
  • The users - authentication, behavior
  • Each other - incident response, logging, practices, communication, etc.
  • The VO - authorization being appropriately given
Steps to Establishing Trust
• Identify the right people
  • Need to be able to speak authoritatively on security policies for resources
  • Might need to be site authorities for stringent sites or sites with a large number of resources involved
  • Involve them as early as possible
• Foster understanding of technologies through documentation, discussion
• Identify security requirements of users, sites, other stakeholders
• Decide policies on authentication, authorization, logging, etc.
  • Site AAA Research Group in GGF has documents capturing an example set of requirements
Authentication Policy
• Globus provides basic authentication mechanism
  • GSI based on X.509 certificates
• Pick a certificate authority (CA)
  • Choose an existing CA(s)
    • Find those that conform to requirements
    • And can serve user community
  • Roll their own
    • Registration authority (RA) structure to cover all users
    • Draft policies for operation (certificate policy)
    • Documentation for users
Authorization Policy
• Who gets what access?
  • Globus provides simple ACL-based method (grid-mapfile)
• Policy will change over time, as users and resources come and go
  • Who decides?
  • How is information distributed to resources?
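To make the grid-mapfile ACL concrete, here is an added example (not code from the presentation or from the Globus Toolkit) that parses a constructed grid-mapfile in the gatekeeper's format, a quoted certificate subject DN followed by a comma-separated list of local accounts, and decides whether a presented DN may run as a given local account. The sample DNs and account names are constructed.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample grid-mapfile (same layout the Globus gatekeeper reads):
# quoted subject DN, then one or more local accounts separated by commas;
# the first account listed is the default mapping for that DN.
SAMPLE_GRIDMAP = '''
# comments and blank lines are ignored
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice,gridadmin
"/C=US/O=Example Grid/OU=People/CN=Bob Example" bob
"/C=US/O=Example Grid/OU=Services/CN=host/gridftp.example.org" gridftp,gridusers
'''


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Map each certificate subject DN to its list of permitted local accounts."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex splits the quoted DN (which contains spaces) the way a shell would
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def authorize(mapping: Dict[str, List[str]], dn: str,
              requested: Optional[str] = None) -> Optional[str]:
    """Return the local account the DN may run as, or None if access is denied.

    With no requested account the first (default) mapping is used; an explicitly
    requested account is granted only if it is listed for that DN.
    """
    accounts = mapping.get(dn)
    if not accounts:
        return None  # DN absent from the file: not authorized at this site
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```

Because the file is the whole access policy, a missing entry is a denial and a request for an account not listed for the DN is denied even when the DN itself is known.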
Security Tools
• Certificate Management
  • Getting users “signed up” to use the Grid
  • Getting the user’s Grid credentials to wherever they’re needed in the system
• Authorization/Access Control
  • Tools for storing and providing access to system-wide authorization information
  • Central data store for supporting decentralized control mechanisms
Kerberos Integration
• Institutions that already have a Kerberos realm can use KX.509 and KCA to provide local users with Grid proxy certificates without using a Certificate Authority.
• When users authenticate with Kerberos, they may obtain proxy certificates in addition to their Kerberos tickets.
• KCA is a Kerberized certification service, and KX.509 is a Kerberized client that generates and stores proxy certificates.
• Unlike MyProxy, KX.509 and KCA create credentials for users, so remote sites must be configured to trust the local KCA service’s certification authority.
• PKINIT is a service that allows users to use Grid certificates to authenticate to a Kerberos realm.
User Registration Service
• Portal extensions (CGI scripts) that automate user registration requests.
  • Solicits basic data from user.
  • Generates cert request from ESG CA (implemented with “simple CA” from GT).
  • Admin interface allows CA admin to accept/reject request.
  • Generates a certificate and stores it in MyProxy service.
  • Gives user ID/password for MyProxy.
• Benefits
  • Users never have to deal with certificates.
  • Portal can get user cert from MyProxy when needed.
  • Database is populated with user data.
• Originally written for ESG, being generalized for reuse in other projects!
Community Authorization Service (CAS)
• GT component to allow fine-grained file access control
• Central DB stores information on users, groups, files and rights
• cas-proxy-init
  • Uses existing proxy to contact CAS server and get CAS credential listing user rights
• Administrative tools for managing DB
• Hooks in GT 3.2 GridFTPd to enforce rights
VOMS
• Similar to GT CAS
  • Database of user roles and capabilities
  • Administrative tools
  • Client interface
• voms-proxy-init
  • Uses client interface to produce an attribute certificate (instead of proxy) that includes roles & capabilities signed by VOMS server
  • Works with non-VOMS services, but gives more info to VOMS-aware services
• Allows VOs to centrally manage user roles and capabilities for GRAM access
EDG-mkgridmap
• Builds grid-mapfiles from LDAP directory or VOMS server
• Allows central storage and distribution of user database
• Scripts are run to automatically contact central DB and build local grid-mapfile
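The following added example (not EDG-mkgridmap's own code) shows the core of what such a script does once it has fetched VO membership: it merges membership lists from several VOs into one local grid-mapfile under a site policy that maps each VO to a pooled account, keeps every mapping for a DN that belongs to more than one VO, lets locally maintained entries override centrally fetched ones, and renders the file in sorted order so that successive runs produce diff-friendly output. The VO names, DNs and account names are constructed stand-ins for what would come from a VOMS server or LDAP directory.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed VO membership, as a script would receive it from VOMS/LDAP:
# (vo_name, [member subject DNs]).
VO_MEMBERS: List[Tuple[str, List[str]]] = [
    ("examplevo", [
        "/C=US/O=Example Grid/OU=People/CN=Alice Example",
        "/C=US/O=Example Grid/OU=People/CN=Bob Example",
    ]),
    ("climate", [
        "/C=US/O=Example Grid/OU=People/CN=Bob Example",   # Bob is in both VOs
        "/C=US/O=Example Grid/OU=People/CN=Carol Example",
    ]),
    ("unknownvo", ["/C=US/O=Example Grid/OU=People/CN=Dave Example"]),
]

# Site policy (constructed): each supported VO maps onto one pooled local account.
VO_TO_ACCOUNT: Dict[str, str] = {"examplevo": "exvo001", "climate": "clim001"}

# Locally maintained entries that must win over anything fetched centrally.
LOCAL_OVERRIDES: Dict[str, List[str]] = {
    "/C=US/O=Example Grid/OU=People/CN=Alice Example": ["alice"],
}


def build_gridmap(vo_members: Iterable[Tuple[str, Iterable[str]]],
                  vo_to_account: Dict[str, str],
                  overrides: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Merge VO membership into a DN -> [local accounts] mapping."""
    mapping: Dict[str, List[str]] = {}
    for vo, dns in vo_members:
        account = vo_to_account.get(vo)
        if account is None:
            continue  # a VO the site has not agreed to support grants nothing
        for dn in dns:
            accounts = mapping.setdefault(dn, [])
            if account not in accounts:
                accounts.append(account)  # multi-VO DN keeps each VO's mapping
    for dn, accounts in overrides.items():
        mapping[dn] = list(accounts)  # local policy replaces the central entry
    return mapping


def render_gridmap(mapping: Dict[str, List[str]]) -> str:
    """Render the mapping as grid-mapfile lines, sorted by DN for stable diffs."""
    lines = [f'"{dn}" {",".join(accounts)}' for dn, accounts in sorted(mapping.items())]
    return "\n".join(lines) + "\n"
```

The sorted, deterministic output matters operationally: a site can keep the generated file under version control and review each change in who may log in as what.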
VOX and VOMRS
• Extends VOMS to include an ESG-like registration service
  • Web registration interface
  • Builds user database with extended fields
  • Populates VOMS server