160 likes | 303 Views
LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003. David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk. Overview. LCG Security Group Mandate and membership Meetings and web pages Policies and procedures Security technology for LCG-1 including overview of EDG Authorization Future plans.
E N D
LCG Security UpdateHEPiX-HEPNT, TRIUMF, 23 October 2003 David KelseyCCLRC/RAL, UKd.p.kelsey@rl.ac.uk D.P.Kelsey, LCG Security Update, HEPiX
Overview • LCG Security Group • Mandate and membership • Meetings and web pages • Policies and procedures • Security technology for LCG-1 • including overview of EDG Authorization • Future plans D.P.Kelsey, LCG Security Update, HEPiX
LCG Security GroupMandate • To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security • GDB makes the decisions • To continue work on the mandate of GDB WG3 • Policies and procedures on Registration, Authentication, Authorization and Security • To produce and maintain • Implementation Plan (first 3 months, then for 12 months) • Acceptable Use Policy/Usage Guidelines • LCG-1 Security Policy • Where necessary recommend the creation of focussed task-forces made-up of appropriate experts • E.g. the “Security Contacts” group (n.b. GDB = Grid Deployment Board) D.P.Kelsey, LCG Security Update, HEPiX
Membership • Experiment representatives/VO managers • Alberto Masoni, ALICE • Rich Baker, Anders Waananen, ATLAS • David Stickland, Greg Graham, CMS • Joel Closier, LHCb • Site Security Officers • Denise Heagerty (CERN), Dane Skow (FNAL) • Site/Resource Managers • Dave Kelsey (RAL) - Chair • Security middleware experts/developers • Roberto Cecchini (INFN), Akos Frohner (CERN) • LCG management and the CERN LCG team • Ian Bird, Ian Neilson • Non-LHC experiments/Grids • Many sites also involved in other projects • Bob Cowles (SLAC) D.P.Kelsey, LCG Security Update, HEPiX
Meetings, Web etc • Agenda, presentations, minutes etc http://agenda.cern.ch/displayLevel.php?fid=68 • LCG Security Group Web site http://proj-lcg-security.web.cern.ch/ • Meetings • Started in April 2003 • Met 10 times to date • 4 face to face and 6 phone conferences • Report to the monthly GDB meetings http://agenda.cern.ch/displayLevel.php?fid=3l181 D.P.Kelsey, LCG Security Update, HEPiX
Policies and procedures 6 documents approved to date (see LCG SEC web) • Security and Availability Policy for LCG • Prepared jointly with GOC task force • Approval of LCG-1 Certificate Authorities • Audit Requirements for LCG-1 • Rules for Use of the LCG-1 Computing Resources • Agreement on Incident Response for LCG-1 • User Registration and VO Management 4 more still to be written (by GOC task force) • LCG Procedures for Resource Administrators • LCG Guide for Network Administrators • LCG Procedure for Site Self-Audit • LCG Service Level Agreement Guide D.P.Kelsey, LCG Security Update, HEPiX
LCG-1 security technology • Based on EDG release 2.0 • Authentication (X.509 PKI) • List of trusted national CA’s (from EDG) • Plus online authentication: FNAL KCA, MyProxy • Authorization • VO (LDAP) databases (shared with EDG) • Run at NIKHEF, managed by VO-managers (one per expt) • mkgridmap tool to create Grid mapfiles • Map to local user account (real or pool) • AuthZ components • VOMS, LCAS/LCMAPS, US CMS VOX • Under development • To be used when available, tested and proved D.P.Kelsey, LCG Security Update, HEPiX
EDG Authorization some slides from Akos Frohner – CERN (Roberto Cecchini leads the VOMS group) D.P.Kelsey, LCG Security Update, HEPiX
high frequency low frequency CA Registration http://lcg-registrar.cern.ch/ user user cert(long life) VO-VOMS registration web denied deny VO membershiprequest (user) email addressconfirmation (user) create allow new confirmed accepted done (VO admin) email to the administrator:new request notification email to the requestor:email address confirmation email to the requestor:request is accepted/denied email
high frequency low frequency CA Multi-VO registration user user cert(long life) VO-VOMS registration VO administration operations • create/delete (sub)group/role/capability • add/remove member of g/r/c • get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member VO-VOMS VO-VOMS VO-VOMS
high frequency low frequency CA “Login” user user cert(long life) VO-VOMS voms-proxy-init proxy cert(short life) edg-voms-proxy-init -voms iteam • /tmp/x509_up<UID> (normal proxy location) • backward compatible proxy format authz cert(short life)
high frequency low frequency CA Multi-VO “Login” voms-proxy-init -voms iteam -voms wp6 • single proxy certificate is generated • each VO provides a separate VOMS credentialfirst one is the default VO • each VOMS credential contains multiple group/role entriesfirst one is the default group user user cert(long life) VO-VOMS VO-VOMS voms-proxy-init VO-VOMS proxy cert(short life) VO-VOMS authz cert(short life)
high frequency low frequency CA CA CA Old-style Service host cert(long life) service crl update VO-VOMS VO-VOMS Old-style services still use the gridmap-file for authorization • gridftp • EDG 1.4.x services • EDG 2.x service in compatibility mode no advantage, but everything works as before... mkgridmap VO-VOMS gridmap-file VO-VOMS GSI
high frequency low frequency Job Submission host cert informationsystem CE user 1. VO affiliation(AccessControlBase) user cert 4. CEs for VOs in authz? WMS 3. job submission proxy VO authz MyProxyserver 2. cert upload
MyProxyserver Running a Job LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups • default VO = default UNIX group • other VO/group/role = other UNIX group(s) host cert CE cert(long term) voms-proxy-init WMS proxy VO 2. job start authz 1. cert download authentication & authorization info LCAS/LCMAPS
Future plans (LCG SEC) • We are working on a Risk Analysis document • To help set priorities for the year ahead • Many of the agreements to date are for LCG-1 (2003) • Need reviewing for 2004 and beyond • Authentication • Must agree the future PMA bodies for CA’s • EGEE likely to take over this role for Europe • Online CA services, credential repositories • KCA, VSC, MyProxy, … • Authorization • VOMS likely to be included in LCG-2 • local AuthZ (LCAS/LCMAPS, US CMS VOX) and VOMS-aware services • User Registration and VO Management • Workshop at CERN 15-17 December 2003 • Also reviewing the AuthZ technology D.P.Kelsey, LCG Security Update, HEPiX