LCG/EDG Security - update and plans
HEPiX/HEPNT - FNAL, 23 Oct 2002
David Kelsey, CLRC/RAL, UK
d.p.kelsey@rl.ac.uk
D.P.Kelsey, Grid Security, HEPiX, FNAL
Outline
• Introduction to Grid Security
• EU DataGrid/DataTAG (EDG/EDT) developments
• LHC Computing Grid Project (LCG) Phase 1
• The main challenges for 2003
• Summary
Introduction to Grid Security
Authentication (1)
• Proof of identity
• Grid Security Infrastructure (GSI)
• PKI = Public Key Infrastructure
  • Private/public key pair
    • Generated by the user; the "private" key must be kept secret
    • Asymmetric cryptography
  • X.509 certificate
    • A national Certificate Authority "signs" the public key
    • Binds it to a "name" / identity
    • Proves identity only: it carries no authorisation to use resources
Authentication (2)
• Uses SSL, certificates and the key pair
  • Need to trust the CA(s)
  • Securely identifies user, machine, service
  • In both directions (mutual authentication)
• To achieve …
  • Single sign-on to the Grid (via a proxy certificate)
    • Short-lived (hours), so no revocation mechanism is needed for the proxy itself
  • To avoid having to register all users at all sites!
• Many issues
  • Revocation, length of keys, period of validity, security of the private key, operational procedures, …
  • Registration Authorities (check identity)
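The chain the two authentication slides describe (CA signs the user's public key; the user signs a short-lived proxy whose subject is the user's subject plus /CN=proxy), as an added example that is not from the talk and not Globus or EDG code. It assumes the third-party `cryptography` package; the CA name, the user name, the lifetimes and the verdict strings are constructed for the example. `check_proxy` performs the relying-party checks a GSI service makes before accepting a proxy: both signatures, issuer/subject linkage, the naming rule, a validity window nested inside the user certificate's, and no CA flag on the proxy.

```python
"""Added example (not Globus or EDG code): a CA-signed user certificate, a short-lived
GT2-style proxy issued from it, and the checks a relying party makes on that chain.
Assumes the third-party 'cryptography' package; every name below is constructed."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def issue(subject, issuer_subject, issuer_key, public_key, lifetime, ca):
    """Certify public_key under issuer_key; lifetime is a timedelta from now."""
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_subject)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))  # clock-skew allowance
            .not_valid_after(now + lifetime)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def validity(cert):
    """(not_before, not_after) as aware UTC datetimes, whichever cryptography version."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def signed_by(cert, issuer):
    """True if cert's signature verifies under the issuer certificate's RSA public key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def check_proxy(proxy, user, ca, now=None):
    """Relying-party checks for a GT2-style proxy (subject = user subject + /CN=proxy)."""
    now = now or datetime.datetime.now(UTC)
    if not (signed_by(user, ca) and signed_by(proxy, user)):
        return False, "bad signature"
    if user.issuer != ca.subject or proxy.issuer != user.subject:
        return False, "issuer mismatch"
    rdns = list(proxy.subject)
    if (rdns[:-1] != list(user.subject) or rdns[-1].oid != NameOID.COMMON_NAME
            or rdns[-1].value not in ("proxy", "limited proxy")):
        return False, "proxy subject must be user subject + /CN=proxy"
    try:  # a proxy must never be usable as a CA
        if proxy.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, "proxy must not be a CA"
    except x509.ExtensionNotFound:
        pass
    (ub, ua), (pb, pa) = validity(user), validity(proxy)
    if pb < ub or pa > ua:  # the proxy cannot outlive the credential it was derived from
        return False, "proxy validity not within user certificate validity"
    if not pb <= now <= pa:
        return False, "proxy expired or not yet valid"
    return True, "ok"

def build_chain():
    """Constructed CA -> user (1 year) -> proxy (12 hours); the proxy key travels with jobs."""
    ca_key, user_key, proxy_key = new_key(), new_key(), new_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "IT"),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "INFN"),
                         x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    user_name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "IT"),
                           x509.NameAttribute(NameOID.ORGANIZATION_NAME, "INFN"),
                           x509.NameAttribute(NameOID.LOCALITY_NAME, "CNAF"),
                           x509.NameAttribute(NameOID.COMMON_NAME, "Pinco Palla")])
    proxy_name = x509.Name(list(user_name) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    day = datetime.timedelta(days=1)
    ca = issue(ca_name, ca_name, ca_key, ca_key.public_key(), 3650 * day, ca=True)
    user = issue(user_name, ca_name, ca_key, user_key.public_key(), 365 * day, ca=False)
    proxy = issue(proxy_name, user_name, user_key, proxy_key.public_key(), day / 2, ca=False)
    return ca, user, user_key, proxy, proxy_key

def demo():
    """Verdicts for a good proxy and three bad ones (expired, wrong subject, too long-lived)."""
    ca, user, user_key, proxy, proxy_key = build_chain()
    day = datetime.timedelta(days=1)
    out = {"good": check_proxy(proxy, user, ca)}
    out["expired"] = check_proxy(proxy, user, ca, now=validity(proxy)[1] + day)
    rogue_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Somebody Else"),
                            x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    rogue = issue(rogue_name, user.subject, user_key, proxy_key.public_key(), day / 2, ca=False)
    out["rogue_subject"] = check_proxy(rogue, user, ca)
    long_lived = issue(proxy.subject, user.subject, user_key, proxy_key.public_key(), 400 * day, ca=False)
    out["outlives_user"] = check_proxy(long_lived, user, ca)
    return out

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The "rogue_subject" case is the reason the naming rule matters: a proxy is signed by an end-entity key, not a CA key, so the only thing stopping a user from minting a proxy that claims someone else's identity is the relying party insisting that the proxy subject extends the signer's subject. A real GSI service also checks the user certificate against its trusted CA list and CRLs; that part is left out here.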
Authorisation
• Today: based on local mechanisms
  • e.g. UNIX (uid, gid) or Kerberos
• Globus gatekeeper
  • Maps a global identity (Distinguished Name) to a local user account
  • Access control then relies entirely on standard UNIX tools
    • Or Kerberos, AFS etc.
• Site/system management fully in control
• Limited tools for Virtual Organisations (VOs) to manage access to resources
EDG/EDT security developments
EDG Security news
• EU Deliverable 7.5
  • Security Requirements and Testbed1 (complete)
  • http://hepwww.rl.ac.uk/kelsey/DataGrid-D7.5.pdf
• EU Deliverable 7.6
  • Security Design and Testbed2 (January 2003)
• Security components
  • VO/LDAP & VOMS: authorisation
  • LCAS, LCMAPS: local authorisation and mapping
  • Gridmapdir: dynamically leased (pool) accounts
  • Gridsite: certificate-based web management
  • SlashGrid: DN-based Grid home filesystem
  • GACL: library to parse ACLs (XML)
  • edg-security (for database access control)
EDG WP6 CA group
• The PMA (Policy Management Authority) for EDG
• Members: the CA managers (but not just EDG!)
  • Includes CrossGrid, US DOE CAs … more joining
  • http://marianne.in2p3.fr/datagrid/ca/
• Establishing "trust" between CAs, Grid projects, VOs, sites
  • Needs the approval of site security officers and sysadmins
  • To (perhaps) bypass normal user registration procedures
  • Achieved for EDG testbed activities
  • NOT yet for LCG production-scale deployment
• Defining "best practice" and "minimum requirements"
  • Working with GGF
  • CP/CPS documents
  • Registration Authority procedures
  • Operational procedures
Trusted CAs
• 13 trusted CAs
  • CERN, Czech Rep., France, Germany, Ireland, Italy, Netherlands, Nordic, Portugal, Russia, Spain, UK, USA
• Under consideration
  • Canada, Greece, Poland, Slovakia
• CNRS/France willing to act as a short-term "catch-all" CA
  • For a small number of users/machines
  • But needs agreed registration procedure(s)
  • Already doing so for Austria, Israel, Switzerland, Romania, Taiwan …
Authorisation
• VO/LDAP shown at the Catania HEPiX
• Now we (EDT for EDG) are developing VOMS
  • Virtual Organisation Membership Service
  • See Luciano Gaido's slides (EDG meeting, Budapest) and the VOMS architecture report (EDT meeting, 8 Oct 02)
  • Some of these follow
• LCAS & plug-ins and GACL to apply access control
• Easy management of ACLs still missing
Current implementation (LDAP)
• Support for users belonging to more than one VO
  • -vo option to the grid-proxy-init command;
  • the VO name is inserted in the Subject of the proxy certificate (D field);
  • requires a patch to the Globus code (and a change to mkgridmap);
  • interaction with the RB (Resource Broker) is under test;
  • availability: 30 September '02.
VOMS: client / server exchange
[Diagram: VOMS client and VO Membership Service; labels: Authentication, Request, OK, Query AuthDB, VOMS pseudo-cert]
1. Client and server authenticate each other and establish a secure communication channel using the standard Globus API.
2. The client sends the request to the server.
3. The server checks the request and sends back the required info (signed by itself).
4. The client checks the validity of the info received.
5. Steps 1-4 are repeated for each server the client wants to contact.
6. The client creates a proxy certificate with a (non-critical) extension containing all the info received from the contacted VOMS servers.
Example proxy subject: C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy
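What a site does with such a proxy, as one added example serving the Authorisation slide (gatekeeper maps DN to local account), the Gridmapdir and LCAS/LCMAPS entries among the EDG security components, and the VOMS exchange above. This is written for this page and is not EDG's LCAS/LCMAPS code. It takes the VOMS attributes as already-parsed FQAN strings (the signed extension is not modelled), treats the grid-mapfile as the static mapping and a VO attribute as the route to a pool account, and leases pool accounts the way gridmapdir does: one file per pool account, a lease is a hard link named after the escaped DN, and an account is busy exactly when its link count is above 1. The DN-escaping rule (URL quoting), the policy table, the DNs and the pool size are this example's assumptions.

```python
"""Added example (not EDG's LCAS/LCMAPS code): site-side authorisation of a Grid
credential and its mapping to a local account. A static grid-mapfile entry wins;
otherwise a VOMS attribute (FQAN) from a VO the site authorises earns a pool account,
leased the way gridmapdir does it: one file per pool account, and a lease is a hard
link named after the escaped DN, so an account is busy exactly when its link count
is above 1. The escaping rule and the policy table are this example's assumptions."""
import os
import re
import tempfile
from urllib.parse import quote

# Constructed grid-mapfile in the Globus format: quoted DN, then the local account.
GRID_MAPFILE = '"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=david kelsey" dpk\n'

# Constructed site policy: VOs this site authorises (with their pool prefix) and a ban list.
SITE_POLICY = {"pool_for_vo": {"atlas": "atlas", "cms": "cms"},
               "banned_dns": {"/C=IT/O=INFN/L=CNAF/CN=Banned User"}}

PROXY_CN = re.compile(r"/CN=(proxy|limited proxy)$")

def base_dn(dn):
    """Strip GT2-style proxy components (also from a proxy of a proxy) to reach the
    end-entity DN; RFC 3820 proxies, whose extra CN is a number, are not handled."""
    while PROXY_CN.search(dn):
        dn = PROXY_CN.sub("", dn)
    return dn

def parse_gridmap(text):
    mapping = {}
    for line in text.splitlines():
        m = re.match(r'\s*"([^"]+)"\s+(\S+)', line)
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping

def parse_fqan(fqan):
    """'/atlas/higgs/Role=production/Capability=NULL' -> ('atlas', '/atlas/higgs', 'production')."""
    parts = [p for p in fqan.split("/") if p]
    groups = [p for p in parts if "=" not in p]
    attrs = dict(p.split("=", 1) for p in parts if "=" in p)
    role = attrs.get("Role", "NULL")
    return groups[0], "/" + "/".join(groups), None if role == "NULL" else role

def lcas_decision(dn, fqans, gridmap, policy):
    """LCAS step: refuse banned DNs; accept registered DNs and members of an
    authorised VO. Returns (allowed, vo) with vo set when a VO attribute was used."""
    if dn in policy["banned_dns"]:
        return False, None
    for fqan in fqans:
        vo = parse_fqan(fqan)[0]
        if vo in policy["pool_for_vo"]:
            return True, vo
    return dn in gridmap, None

def lease_pool_account(gridmapdir, prefix, dn):
    """gridmapdir leasing: reuse this DN's existing lease, else link the first free account."""
    lease = os.path.join(gridmapdir, quote(dn, safe=""))
    pool = sorted(n for n in os.listdir(gridmapdir) if re.fullmatch(prefix + r"\d+", n))
    if os.path.exists(lease):
        ino = os.stat(lease).st_ino
        for name in pool:
            if os.stat(os.path.join(gridmapdir, name)).st_ino == ino:
                return name
    for name in pool:
        path = os.path.join(gridmapdir, name)
        if os.stat(path).st_nlink == 1:  # no lease points at it yet
            os.link(path, lease)
            return name
    raise RuntimeError("pool '%s' exhausted" % prefix)

def map_user(proxy_dn, fqans, gridmap, gridmapdir, policy):
    """LCMAPS step: the local account for this credential, or None if refused."""
    dn = base_dn(proxy_dn)
    allowed, vo = lcas_decision(dn, fqans, gridmap, policy)
    if not allowed:
        return None
    if dn in gridmap:  # registered user: static mapping
        return gridmap[dn]
    return lease_pool_account(gridmapdir, policy["pool_for_vo"][vo], dn)

def demo(pool_size=2):
    """Constructed run against a two-account ATLAS pool in a temporary gridmapdir."""
    gridmap = parse_gridmap(GRID_MAPFILE)
    gridmapdir = tempfile.mkdtemp(prefix="gridmapdir-")
    for i in range(1, pool_size + 1):
        open(os.path.join(gridmapdir, "atlas%03d" % i), "w").close()
    atlas = ["/atlas/Role=NULL/Capability=NULL"]
    base = "/C=IT/O=INFN/L=CNAF/CN="
    def go(dn, fqans=atlas):
        return map_user(dn, fqans, gridmap, gridmapdir, SITE_POLICY)
    out = {"registered": go("/C=UK/O=eScience/OU=CLRC/L=RAL/CN=david kelsey/CN=proxy", []),
           "pinco": go(base + "Pinco Palla/CN=proxy"),
           "pinco_delegated": go(base + "Pinco Palla/CN=proxy/CN=proxy"),  # same lease reused
           "second": go(base + "Second User/CN=proxy"),
           "banned": go(base + "Banned User/CN=proxy"),
           "wrong_vo": go(base + "Third User/CN=proxy", ["/alice/Role=NULL/Capability=NULL"])}
    try:
        out["third"] = go(base + "Third User/CN=proxy")
    except RuntimeError as exc:
        out["third"] = str(exc)
    return out

if __name__ == "__main__":
    for case, account in demo().items():
        print(case, account)
```

Two properties are worth noting. The hard-link trick makes the lease atomic and visible to any process that can stat the directory, which is why gridmapdir can be shared across a cluster's gatekeepers on a common filesystem; and because the lease is keyed on the base DN, a delegated proxy (proxy of a proxy) from the same user lands on the same account rather than consuming a second one. What this example leaves out is the lease's lifecycle: a site still has to decide when a lease expires and when the account's files are cleaned up before it is handed to someone else.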
VOMS
LCG Phase 1
LCG 1 security
• LCG Phase 1: deploy a production-quality Grid
  • from July 2003
  • Planning now; documents by December 2002
  • Must be ready by summer 2003
• Security planning
  • User registration
  • Authentication
  • Authorisation
  • Security policy
  • Operational issues
User Registration
• Users would like to register just once (per VO)
  • Sign one form
  • One single "Acceptable Use" description
• Sites need
  • Sufficient recorded information about the user
  • VO databases: managed by whom? (experiment offices?)
  • Behind-the-scenes creation of new user accounts
    • Or willingness to use dynamically leased accounts
• VOs need
  • Tools to manage users, roles, groups
• Who owns the databases: VOs and/or sites?
Authentication
• Scaling of establishing the list of trusted CAs
  • Currently one per country (many countries!)
  • Often issued by CAs serving a larger community than HEP
• CERN and FNAL proposing a Kerberos-based CA
  • User authenticates via Kerberos to the KCA
  • KCA then issues short-lived X.509 certs
  • Not yet "trusted" by EDG/LCG
• Some sites will not accept long-lived private keys held by users
  • Credential repositories (MyProxy, aVOMS)
  • Smartcards
  • Specialised additional authentication (e.g. Cryptocard)
    • Doesn't scale!
• Support multiple levels of authentication
• Credential renewal for long-running batch jobs
Authorisation
• Technology immature
  • What will be ready for LCG Phase 1?
• Need input from the experiments
• Who manages access?
  • To sites
  • To resources
  • To individual files, objects
• Sites authorise VOs
• VOs authorise users, roles, groups
• Much will be the definition of procedures
  • Aim for independence from technologies
  • Move to OGSA, WS-Security, …
• Sites need to trust VO procedures
Operational issues
• Communication between sites
• Intrusion detection
• Incident tracking
• Auditing and reporting
Summary
• EDG/EDT: much progress during 2002
  • More functionality in 2003
• GGF and other Grid projects also important
• Current procedures work well at testbed scale
• LCG Phase 1 (and BaBar Grid)
  • Need improved procedures for production scale
  • Need to plan for and support
    • Multiple authentication and authorisation technologies
  • Will need full consultation with sites and VOs (experiments) to agree policies and establish trust
• MUST be pragmatic
• LCG Phase 1 MUST work