240 likes | 403 Views
LCG/EGEE Security Update HEPiX, Fall 2004 BNL, 18 October 2004. David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk. Outline. Update since October 2003 (Vancouver HEPiX) Introduction Policy Procedures & Operations Technology Future work. Introduction LCG & EGEE. LCG today.
E N D
LCG/EGEE Security UpdateHEPiX, Fall 2004BNL, 18 October 2004 David KelseyCCLRC/RAL, UKd.p.kelsey@rl.ac.uk
Outline Update since October 2003 (Vancouver HEPiX) • Introduction • Policy • Procedures & Operations • Technology • Future work David Kelsey, LCG/EGEE Security, HEPiX
Introduction LCG & EGEE David Kelsey, LCG/EGEE Security, HEPiX
LCG today David Kelsey, LCG/EGEE Security, HEPiX
Build a large-scale production grid service to: Underpin European science and technology Link with and build on national, regional and international initiatives Foster international cooperation both in the creation and the use of the e-infrastructure Collaboration Pan-European Grid Operations, Support and training Network infrastructure(GÉANT) The next generation of grids:EGEE Enabling Grids for E-science in Europe AHM2004, Nottingham, September 2004 - 5
EGEE Activities • 48 % service activities (Grid Operations, Support and Management, Network Resource Provision) • 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development) • 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation) 32 Million Euros EU funding over 2 years starting 1st April 2004 Emphasis in EGEE is on operating a production grid and supporting the end-users AHM2004, Nottingham, September 2004 - 6
Security Activities in EGEE(LCG) CA Coordination NA4 NA4 Middleware NA4 NA4 Solutions/Recommendations Req. JRA3 JRA1 Applications Req. Security Req. Req. Middleware Security Group Joint Security Policy Group Req. OSCT Req. “Joint Security Policy Group” defines policy and proceduresand inputs requirements to MWSG(For LCG/GDB and EGEE/SA1) (Cross Membership of US OSG Sec Team) Operations SA1 LCG OSG David Kelsey, LCG/EGEE Security, HEPiX
Security Policy David Kelsey, LCG/EGEE Security, HEPiX
LCG Security Policy • During 2003/04, the LCG project agreed a first version of its Security Policy • Written by the Joint Security Policy Group • Approved by the Grid Deployment Board/PEB • A single common policy for the whole project • But does not override local policies • An important step forward for a production Grid • The policy • Defines Attitude of the project towards security and availability • Gives Authority for defined actions • Puts Responsibilities on individuals and bodies • Now being used by EGEE and (some) national Grids David Kelsey, LCG/EGEE Security, HEPiX
LCG Policy GOC Guides New since Oct 2003 picture from Ian Neilson Incident Response Certification Authorities Audit Requirements Usage Rules Security & Availability Policy Application Development & Network Admin Guide User Registration & VO Management http://cern.ch/proj-lcg-security/documents.html David Kelsey, LCG/EGEE Security, HEPiX
Security Procedures & Operations David Kelsey, LCG/EGEE Security, HEPiX
Security Procedures • Incident Response • Open Science Grid leading this area • See talks in Friday morning’s Operations session • LCG/EGEE Operational Security • Operational Security Coordination Team (OSCT) • Again: see Friday’s talk • User Registration & VO Management • Requirements for 4 LHC Experiments • Presented at May 2004 (Edinburgh) HEPiX (M.Dimou) David Kelsey, LCG/EGEE Security, HEPiX
User Registration and VO Membership Management • Requirements document (V2.7) • https://edms.cern.ch/document/428034 • approved by GDB in May 2004 • Task force created to propose the solution • Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, … • Recent Meeting at CERN • 15-17 September, 2004 http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/ • Technical solution now agreed David Kelsey, LCG/EGEE Security, HEPiX
User Registration (1) • Every user (4 LHC expts) must register in CERN HR db first • Already true for the majority • Advantages of using existing procedures • No duplication of effort or personal data • External users (e.g. people never coming to CERN) and short-term users (e.g. external summer students) • Need a simple, speedy and robust procedure • Non-VO people • e.g.testers/experiment independent people • must register in CERN HR (e.g. via LCG/IT) • Eventual aim is to use the experiment participation end-date in CERN HR to trigger immediate suspension from the VO David Kelsey, LCG/EGEE Security, HEPiX
User Registration (2) • VO registration expiry date • Not exceeding 1 year from date of VO registration • Less if institute-contract/CERN HR registration expires before then • Personal User Data will only reside in CERN HR • There is no automatic membership of VO • User has to complete a form and the VO manager has to approve • Authorized personnel at resource centres will have read access to the VO registration info David Kelsey, LCG/EGEE Security, HEPiX
User Registration (3) • When VO expiry date is reached, the VO membership is immediately suspended • Advance warning will be sent to the user • There will be other possible reasons for suspension • E.g. following security problems David Kelsey, LCG/EGEE Security, HEPiX
Technical Solution agreed • 15-17 Sep meeting decisions: • The VO registration database • Will be VOMRS component from US CMS VOX • VOMRS needs development to meet new requirements (FNAL working on this) • VOMRS manages the groups and roles -> VOMS • CERN is working on VOMRS interconnection to the CERN HR DB (Oracle) • The dynamic Authorization will be VOMS • Groups and roles • Non-LHC VO’s may use the VOMS-admin component (an alternative admin UI) • Time to implement not yet agreed • Aiming for early in 2005 David Kelsey, LCG/EGEE Security, HEPiX
Security Technology David Kelsey, LCG/EGEE Security, HEPiX
Authentication: EU Grid PMA CAs 27 Accredited CAs • Green: Accredited • Yellow: Recent approvals or still under discussion • Slovenia just approved • Austria & Bulgaria soon? Other Accredited CAs: • DoEGrids (US) • GridCanada • ASCCG (Taiwan) • ArmeSFO (Armenia) • CERN • Russia (HEP) • FNAL Service CA (US) • Israel • Pakistan “Catch-all” CAs operated by CNRS (for EGEE) US DOE (for LCG) SEE-GRID (for SE Europe) David Kelsey, LCG/EGEE Security, HEPiX
AuthZ – VOMS & LCAS high frequency low frequency CA CA CA host cert(long life) service user crl update user cert(long life) VO-VOMS registration registration VO-VOMS voms-proxy-init VO-VOMS proxy cert(short life) service cert(short life) VO-VOMS authz cert(short life) authz cert(short life) authentication & authorization info LCAS David Kelsey, LCG/EGEE Security, HEPiX
gLite security • Aims at being • Modular – add new modules later • Agnostic – modules will evolve • Standard – start with transport-level security but intend to move to WS-Security when it matures • Interoperable - at least for AuthN & AuthZ Applied to Web-services hosted in containers and applications (Apache Axis & Tomcat) as additional modules Security architecture: https://edms.cern.ch/document/487004/ AHM2004, Nottingham, September 2004 - 21
EGEE AuthZ Policy Policy comes from many stakeholders Graphics from Globus Alliance& GGF OGSA-WG David Kelsey, LCG/EGEE Security, HEPiX
Future Work • Policy • Working on more general policy (with OSG) • No longer LCG-specific • EU eInfrastructure Reflection Group (18 Nov 04) • Acceptable Use Policy and Authorization for EU eScience • Procedures • Operational Security, including Incident Response • User Registration • Technology • Authentication • Asia/Pacific & Americas PMAs being created • Credential Repositories • Authorization – dynamic role-based access control • VOMRS & VOMS • Local control and policy, e.g. via LCAS/LCMAPS • Security requirements, Operational Constraints • Very important to get Site input to operations and middleware development (all feedback is very welcome!) David Kelsey, LCG/EGEE Security, HEPiX
References • LCG/EGEE Joint Security Policy Group http://proj-lcg-security.web.cern.ch/ • EGEE JRA3 (Security)http://egee-jra3.web.cern.ch/ • Open Science Grid Securityhttp://www.opensciencegrid.org/techgroups/security/ • EU DataGrid Securityhttp://hep-project-grid-scg.web.cern.ch/ • LCG Guide to Application, Middleware and Network Securityhttps://edms.cern.ch/document/452128 • EU eInfrastructure Reflection Grouphttp://www.e-irg.org/ • EU Grid PMA (CA coordination)http://www.eugridpma.org/ • TERENA Tacar (CA repository)http://www.terena.nl/tech/task-forces/tf-aace/tacar/ David Kelsey, LCG/EGEE Security, HEPiX