
Open Science Grid Use of PKI: Wishing it was easy. A brief and incomplete introduction.

Doug Olson, LBNL (dlolson@lbl.gov). PKI Workshop, NIST, 5 April 2006. www.opensciencegrid.org

Contents: Overview of OSG; Why we use X.509 PKI; How we use it; What’s wrong with it; Comments.


Presentation Transcript


  1. Open Science Grid Use of PKI: Wishing it was easy. A brief and incomplete introduction. Doug Olson, LBNL (dlolson@lbl.gov). PKI Workshop, NIST, 5 April 2006. www.opensciencegrid.org

  2. Contents
     • Overview of OSG
     • Why we use X.509 PKI
     • How we use it
     • What’s wrong with it
     • Comments
     D. Olson, NIST PKI Workshop

  3. (image-only slide; no transcript text)

  4. www.opensciencegrid.org
     • 21 registered Scientific Virtual Organizations
     • 51 Compute resources, 6 Storage resources (~20 additional on the integration grid)
     • O(1000) running and O(1000) pending jobs (low usage due to growing pains)
     • The strongest driver today is the LHC science program. Many other science programs are also users and participants.
     • Interoperation with EGEE, TeraGrid, and numerous regional & campus grids.
     • 85% of DOEGrids PKI certificates: ~1000 OU=People, 3000 OU=Services

  5. How is Trust Established? (or What does “Trust” mean?)
     • $1B+ science programs have a 10+ year scientific, political, and technical development phase during which collaborations are established.
       • Many MOUs are signed detailing responsibilities
         • Construction of machine/accelerator/telescope/…
         • Construction of experimental equipment/detectors
         • Computational resource commitments
       • Membership in a scientific collaboration is controlled with governing procedures
     • The research program defines who is supposed to work together.
       • PKI is a technical detail of the computing plans
       • The definition of which organizations must trust each other was established before anyone who understands PKI got involved, so the question is “How to trust?” more than “Who to trust?”
     • However, OSG promotes an opportunistic computing model and would like to match VOs and resource providers with little or no advance agreements.
       • “Trust” within the PKI means the acceptable range of policies and procedures under which computing resource providers and scientists can work together.

  6. Why do we use PKI?
     • Globus GSI
       • We have built and are growing a grid, and use whatever security infrastructure is available and practical.
       • Interoperability with the world-wide open science community is essential.
     • Technical aspects
       • Functioning CA/RA
       • This means Globus pre-WS GSI (& WS GSI) X.509
       • Additional supporting infrastructure has been deployed: VOMS, GUMS, Prima, CA/CRL distribution
     • Bureaucratic aspects
       • Ability to establish and maintain trust by sites, VOs, users
       • Accredited CAs
       • Therefore: TAGPMA and IGTF

  7. How do we use PKI?
     • DOEGrids PKI operated by ESnet is our primary provider.
       • CN=<X>,OU={People|Services},DC=doegrids,DC=org
     • OSG has asked TAGPMA to accredit CAs used in the grid community in the Americas and to provide us with the accredited list.
     • We operate the distributed human RA network to authenticate requests: signed email & telephone.
     • End Entities hold private keys.
     • OU=Services certs are used as SSL certs for host & service identification.
     • Virtual Organizations (VOs) manage users via VOMS servers, using the DN of the EE and its issuer as the identifier, and holding additional attributes for authorization.
     • The user gets a short-lived proxy certificate with an extension holding authZ attributes signed by the VOMS server.

  8. How do we use PKI? (Validation, AuthZ)
     • Certificate validation environment during a grid transaction
       • Proxy certificates (RFC 3820)
       • Trusted CA certs & CRL URLs downloaded from VDT
       • CRL updates using EDG tools on each resource (from EU DataGrid, now EGEE2)
       • CRLs are only for long-lived certs. No tools exist for revoking just a delegated proxy certificate.
     • Resource authZ
       • The “recommended” means is to do Role Based AuthZ by using Prima & GUMS to interpret VOMS extended proxy certs and map to a local UID/GID based on attributes signed by the VOMS server.
       • Many sites use classic pre-WS GSI and tools to download grid-mapfile entries from VOMS servers
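Since a delegated proxy cannot be revoked by CRL, a resource's only defence against a leaked proxy is the structural checks it runs on the chain: the RFC 3820 naming rule and a bounded lifetime. The following is an added example, not code from the slides or from Globus; it models certificates as DN strings in OpenSSL one-line form (no unescaped "/" inside a CN value), the 12-hour limit is an assumed site policy, and all DNs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed site policy for the longest acceptable proxy lifetime (not a value from the slides).
MAX_PROXY_LIFETIME = timedelta(hours=12)

@dataclass
class Cert:
    """Only the fields the structural checks need; DNs in OpenSSL one-line form."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def is_proxy_of(child, parent):
    """RFC 3820 naming rule: the proxy subject is its issuer's subject plus exactly one CN."""
    if child.issuer != parent.subject or not child.subject.startswith(parent.subject + "/CN="):
        return False
    tail = child.subject[len(parent.subject) + 4:]
    return tail != "" and "/" not in tail

def validate_chain(chain, now):
    """chain is leaf-first: [proxy_n, ..., proxy_1, eec]. Returns (ok, reason, identity).
    identity is the (EEC subject, EEC issuer) pair that VOMS and the gridmap key on; the CA
    signature and CRL check on the EEC are assumed to be done by the GSI/TLS layer."""
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject} not valid at {now.isoformat()}", None
    for child, parent in zip(chain, chain[1:]):
        if not is_proxy_of(child, parent):
            return False, f"{child.subject} is not an RFC 3820 proxy of {parent.subject}", None
        if child.not_before < parent.not_before or child.not_after > parent.not_after:
            return False, f"{child.subject} outlives its signer", None
        if child.not_after - child.not_before > MAX_PROXY_LIFETIME:
            return False, f"{child.subject} lifetime exceeds policy", None
    return True, "ok", (chain[-1].subject, chain[-1].issuer)

# Constructed sample chain: hypothetical user and CA DNs, not real DOEGrids identities.
T0 = datetime(2006, 4, 5, 8, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=1)
EEC = Cert("/DC=org/DC=doegrids/OU=People/CN=Example User 000000",
           "/DC=org/DC=doegrids/CN=Example CA", T0 - timedelta(days=100), T0 + timedelta(days=265))
PROXY1 = Cert(EEC.subject + "/CN=1234567", EEC.subject, T0, T0 + timedelta(hours=12))
PROXY2 = Cert(PROXY1.subject + "/CN=7654321", PROXY1.subject, T0, T0 + timedelta(hours=11))
GOOD_CHAIN = [PROXY2, PROXY1, EEC]
# Two chains a resource should reject: a week-long proxy (nothing can ever revoke it) and a
# subject that appends more than one CN to its issuer's name.
LONG_PROXY = Cert(EEC.subject + "/CN=1", EEC.subject, T0, T0 + timedelta(days=7))
MISNAMED = Cert(PROXY1.subject + "/CN=1/CN=2", PROXY1.subject, T0, T0 + timedelta(hours=1))
```

Calling `validate_chain(GOOD_CHAIN, NOW)` yields the EEC identity the gridmap or GUMS lookup then uses; `[LONG_PROXY, EEC]` and `[MISNAMED, PROXY1, EEC]` are refused with the reason string.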

  9. What is wrong with it (1)
     • Previous slide: in other words, there was a lot of missing infrastructure for using PKI for user authN/authZ in grid transactions.
     • Incomplete infrastructure for managing user private keys
       • Just files in the user’s home directory(ies)
       • Standardization of the end-user environment in the open science community is impossible
     • MyProxy helps
       • substitution of private key/passphrase with username/password (huh???)
     • Reduce or eliminate end-user private key management
       • A Short Lived Certificate Service (SLCS) profile is moving through TAGPMA and IGTF that will apply to services like KCA (at FNAL & PSC) and a MyProxy-based CA issuing short-lived certs.

  10. What is wrong with it (2)
     • X.509 needs mapping to the resource security infrastructure (uid/gid), which is site specific
       • Gridmap-file
         • but the proxy does not follow the process group, except by reliance upon the same uid, and it is common practice to map an entire VO to a single uid.
         • Maps only the DN, so the same person wanting different roles needs different DNs
       • Or the VOMS/Prima/GUMS infrastructure for role-based access control
     • Ownership of long-lived data???
     • Use short-lived proxies to allow single sign-on
       • then do credential renewal to get a long enough lifetime
     • Revocation is cumbersome & slow
       • Symmetric with initial authentication & certificate issuance
       • Site requirements for incident response need a faster mechanism to suspend a user’s privileges
     • Certificate lifecycle management is rocky for us, but not the biggest trouble
     • …
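The gridmap problems on this slide (one DN maps to one account, and a whole VO collapsed onto one uid) are visible in the file itself, so a site can audit for them. This is an added example, not code from the slides or from Globus; it assumes the classic grid-mapfile layout of a quoted DN followed by a comma-separated list of local accounts, with the first account as the default, and the sample file is constructed.

```python
import shlex
from collections import defaultdict

# Constructed sample grid-mapfile: hypothetical DNs and accounts, not real OSG data.
SAMPLE_GRIDMAP = """\
# Classic gridmap: one quoted DN per line, then the local account(s) it maps to
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 100001" alice
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 100002" bob,cmsprod
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 100003" cmsgroup
"/DC=org/DC=doegrids/OU=People/CN=Dave Example 100004" cmsgroup
"/DC=org/DC=doegrids/OU=People/CN=Erin Example 100005" cmsgroup
"""

def parse_gridmap(text):
    """Return {dn: [local accounts]}. A DN listed twice keeps its first entry, which is
    what a first-match lookup would use; later duplicates are ignored."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            dn, accounts = shlex.split(line)  # quoted DN, then comma-separated accounts
        except ValueError as exc:            # unbalanced quote or unquoted DN with spaces
            raise ValueError(f"line {lineno}: {exc}") from exc
        mapping.setdefault(dn, [a for a in accounts.split(",") if a])
    return mapping

def lookup(mapping, dn):
    """Classic GSI behaviour: a DN maps to its default (first) account or to nothing.
    There is no way to express a role here, so a second role means a second DN."""
    accounts = mapping.get(dn)
    return accounts[0] if accounts else None

def shared_accounts(mapping, threshold=2):
    """Local accounts used by `threshold` or more DNs: the 'whole VO to one uid' pattern,
    where file ownership no longer names a person and suspending one user means all."""
    by_account = defaultdict(list)
    for dn, accounts in mapping.items():
        for account in accounts:
            by_account[account].append(dn)
    return {acct: dns for acct, dns in by_account.items() if len(dns) >= threshold}
```

On the sample, `shared_accounts(parse_gridmap(SAMPLE_GRIDMAP))` reports `cmsgroup` as a three-DN shared account, the case where the slide's ownership and suspension questions arise.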

  11. Comments
     • PKI “works reasonably” for server certificates
     • Infrastructure surrounding PKI for end-user certificates is incomplete and ad hoc
     • I hope you all paid close attention to Angela Sasse’s talk yesterday.
     • I think people understand username/password and email addresses, and this should be enough ID tokens for end users.
     • AuthZ infrastructure being tied to PKI suffers from a mismatch between user requirements and underlying resource functionality, i.e., the trouble is not due to PKI, just coupled to it because of PKI-based ID

  12. Extra Slides

  13. Example EGEE grid job: http://roc.grid.sinica.edu.tw/doc/LCG-2-UserGuide.html#SECTION00053100000000000000

  14. A large workflow example. From: Pegasus: Mapping Scientific Workflows onto the Grid. Ewa Deelman, James Blythe, Yolanda Gil, Carl Kesselman, Gaurang Mehta, Sonal Patil, Mei-Hui Su, Karan Vahi, Miron Livny. Scientific Programming, January 2005. http://pegasus.isi.edu/pegasus/publications/sciprog_submitted.pdf

  15. Authorization infrastructure: http://www.fnal.gov/docs/products/voprivilege/