1 / 16

LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003

LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003. David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk. Overview. LCG Security Group Mandate and membership Meetings and web pages Policies and procedures Security technology for LCG-1 including overview of EDG Authorization Future plans.

lionel
Download Presentation

LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. LCG Security UpdateHEPiX-HEPNT, TRIUMF, 23 October 2003 David KelseyCCLRC/RAL, UKd.p.kelsey@rl.ac.uk D.P.Kelsey, LCG Security Update, HEPiX

  2. Overview • LCG Security Group • Mandate and membership • Meetings and web pages • Policies and procedures • Security technology for LCG-1 • including overview of EDG Authorization • Future plans D.P.Kelsey, LCG Security Update, HEPiX

  3. LCG Security GroupMandate • To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security • GDB makes the decisions • To continue work on the mandate of GDB WG3 • Policies and procedures on Registration, Authentication, Authorization and Security • To produce and maintain • Implementation Plan (first 3 months, then for 12 months) • Acceptable Use Policy/Usage Guidelines • LCG-1 Security Policy • Where necessary recommend the creation of focussed task-forces made-up of appropriate experts • E.g. the “Security Contacts” group (n.b. GDB = Grid Deployment Board) D.P.Kelsey, LCG Security Update, HEPiX

  4. Membership • Experiment representatives/VO managers • Alberto Masoni, ALICE • Rich Baker, Anders Waananen, ATLAS • David Stickland, Greg Graham, CMS • Joel Closier, LHCb • Site Security Officers • Denise Heagerty (CERN), Dane Skow (FNAL) • Site/Resource Managers • Dave Kelsey (RAL) - Chair • Security middleware experts/developers • Roberto Cecchini (INFN), Akos Frohner (CERN) • LCG management and the CERN LCG team • Ian Bird, Ian Neilson • Non-LHC experiments/Grids • Many sites also involved in other projects • Bob Cowles (SLAC) D.P.Kelsey, LCG Security Update, HEPiX

  5. Meetings, Web etc • Agenda, presentations, minutes etc http://agenda.cern.ch/displayLevel.php?fid=68 • LCG Security Group Web site http://proj-lcg-security.web.cern.ch/ • Meetings • Started in April 2003 • Met 10 times to date • 4 face to face and 6 phone conferences • Report to the monthly GDB meetings http://agenda.cern.ch/displayLevel.php?fid=3l181 D.P.Kelsey, LCG Security Update, HEPiX

  6. Policies and procedures 6 documents approved to date (see LCG SEC web) • Security and Availability Policy for LCG • Prepared jointly with GOC task force • Approval of LCG-1 Certificate Authorities • Audit Requirements for LCG-1 • Rules for Use of the LCG-1 Computing Resources • Agreement on Incident Response for LCG-1 • User Registration and VO Management 4 more still to be written (by GOC task force) • LCG Procedures for Resource Administrators • LCG Guide for Network Administrators • LCG Procedure for Site Self-Audit • LCG Service Level Agreement Guide D.P.Kelsey, LCG Security Update, HEPiX

  7. LCG-1 security technology • Based on EDG release 2.0 • Authentication (X.509 PKI) • List of trusted national CA’s (from EDG) • Plus online authentication: FNAL KCA, MyProxy • Authorization • VO (LDAP) databases (shared with EDG) • Run at NIKHEF, managed by VO-managers (one per expt) • mkgridmap tool to create Grid mapfiles • Map to local user account (real or pool) • AuthZ components • VOMS, LCAS/LCMAPS, US CMS VOX • Under development • To be used when available, tested and proved D.P.Kelsey, LCG Security Update, HEPiX

  8. EDG Authorization some slides from Akos Frohner – CERN (Roberto Cecchini leads the VOMS group) D.P.Kelsey, LCG Security Update, HEPiX

  9. high frequency low frequency CA Registration http://lcg-registrar.cern.ch/ user user cert(long life) VO-VOMS registration web denied deny VO membershiprequest (user) email addressconfirmation (user) create allow new confirmed accepted done (VO admin) email to the administrator:new request notification email to the requestor:email address confirmation email to the requestor:request is accepted/denied email

  10. high frequency low frequency CA Multi-VO registration user user cert(long life) VO-VOMS registration VO administration operations • create/delete (sub)group/role/capability • add/remove member of g/r/c • get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member VO-VOMS VO-VOMS VO-VOMS

  11. high frequency low frequency CA “Login” user user cert(long life) VO-VOMS voms-proxy-init proxy cert(short life) edg-voms-proxy-init -voms iteam • /tmp/x509_up<UID> (normal proxy location) • backward compatible proxy format authz cert(short life)

  12. high frequency low frequency CA Multi-VO “Login” voms-proxy-init -voms iteam -voms wp6 • single proxy certificate is generated • each VO provides a separate VOMS credentialfirst one is the default VO • each VOMS credential contains multiple group/role entriesfirst one is the default group user user cert(long life) VO-VOMS VO-VOMS voms-proxy-init VO-VOMS proxy cert(short life) VO-VOMS authz cert(short life)

  13. high frequency low frequency CA CA CA Old-style Service host cert(long life) service crl update VO-VOMS VO-VOMS Old-style services still use the gridmap-file for authorization • gridftp • EDG 1.4.x services • EDG 2.x service in compatibility mode no advantage, but everything works as before... mkgridmap VO-VOMS gridmap-file VO-VOMS GSI

  14. high frequency low frequency Job Submission host cert informationsystem CE user 1. VO affiliation(AccessControlBase) user cert 4. CEs for VOs in authz? WMS 3. job submission proxy VO authz MyProxyserver 2. cert upload

  15. MyProxyserver Running a Job LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups • default VO = default UNIX group • other VO/group/role = other UNIX group(s) host cert CE cert(long term) voms-proxy-init WMS proxy VO 2. job start authz 1. cert download authentication & authorization info LCAS/LCMAPS

  16. Future plans (LCG SEC) • We are working on a Risk Analysis document • To help set priorities for the year ahead • Many of the agreements to date are for LCG-1 (2003) • Need reviewing for 2004 and beyond • Authentication • Must agree the future PMA bodies for CA’s • EGEE likely to take over this role for Europe • Online CA services, credential repositories • KCA, VSC, MyProxy, … • Authorization • VOMS likely to be included in LCG-2 • local AuthZ (LCAS/LCMAPS, US CMS VOX) and VOMS-aware services • User Registration and VO Management • Workshop at CERN 15-17 December 2003 • Also reviewing the AuthZ technology D.P.Kelsey, LCG Security Update, HEPiX

More Related