DataGrid Security WS Summary

Targets:
• Identify requirements from WP's
• Define security services/components for M9
• How to handle security in the future
• Listen to what is happening elsewhere

Summary of Security Workshop - DataGRID WP4 workshop

Issues for WP1
• Use GSI
    • job submission to LRMS
    • between community scheduler and Condor-G
    • between user and scheduler (but may also be a web portal based on 'plain' PKI)
• Credentials should be valid for a long time (days or weeks)
    • For re-submission and while waiting for a cluster
    • Might use MyProxy service (operates like a 'quasi CA')
• Information needed (from WP4)
    • Which clusters may be used (M9: publishing grid-mapfiles in GIS?)
    • (aggregate or approx.) accounting needed for scheduling policy (possibly not needed for M9, later a definite 'yes')

Issues for WP2
• Will co-exist with existing uid/gid mechanisms
    • Replica Manager will get you the files locally and use uid/gid's from there
    • The Replica Mngr needs more permissions, but there are only few
• Will need access control on
    • Replica Catalogue
    • Replica Manager
    • DataMover
    • Storage Elements
• Problem with all objects in one file (Objectivity)

Issues for WP3
• Some of the information is personal → legal requirement to protect:
    • Accounting information
    • Grid map file

Issues for WP4
See presentation of Lionel for details. Some key points:
• Host certs for nodes (secure logging/auditing/configure)
  makes for O(10^5) host certificates
• Mapping of grid to local credentials
  maybe automatically generated but persistent uid's?
• Should cert- or authorization revocation kill job?
• User ban lists, propagated through DataGrid?
• Site regulations: who is liable for a break-in?
• NAT and process access to the outside world

Issues for WP5
• WAN access to storage only via Replica Manager
• No remote user access from programs
  this triggered Ingo, who wants jobs to access object databases and remote CEs and SEs from within a job and not specify anything in the JDL!
• Will use uid/gid in local fabric (again)
• Can use grid map file but will not manage it (maybe except for Replica Manager entries)

Issues for Applications
• Want single sign-on and authentication once
• Authorization, accounting and quota per role
    • Via experiment secretariat for HEP
    • people migrate, also physically
• Want to apply policies (per role):
    • e.g. data not to be copied to other side for privacy (bio)
• Encryption of job submission (biologists are paranoid)
• Encryption of data optional
• Marking data read-only
• QoS commitments and trust (also in face of local changes)
• Light-weight access for O(10^5) biologists

Application status of LHCb MC
• Currently 19 different accounts for production
• Need manual intervention to get access to resources
Special for current situation:
• Web server and servlets to do job submission
    • need write access to local storage
    • web server should be accessible
• Log job info to htdocs directory in central place
• Long-lived credentials (>72hrs)

Plans for M9
• Authentication
    • 1 cert per user, issued by national CA
    • Host certs also from national CA
    • No more Globus certs
    • Policy checks by CA group
    • Tools for automatic CA configuration (incl. CRLs)
    • No support for K5/K4/AFS
    • Renewal of credentials needed (MyProxy?)
    • Light-weight access for BioMed

Plans for M9
• Authorization
    • GSI more or less OK
    • Via Grid map file
    • No group accounts
    • Groups and roles are required in some way
      Globus CAS will not be ready
    • Access and accounts: via WP management and WP6
• Auditing
    • Auditing must be there
    • Write to syslog
    • Need to keep audit trail

Plans for M9
• Incident monitoring
    • WP6 will (should?) provide the DataGrid CSIRT
• Accounting
    • Shared task of WP4 and WP1
• Information services
    • Secure MDS from Globus (not critical)
    • List of allowed clusters needed for scheduling
      expose map file??

Plans for M9
• Storage
    • WAN access to files only by Replica Manager
    • Experiments (LHCb) want AFS-like access, but mean an exp. software install on worker nodes
    • HEP applications want to update remote DBs from within a job
• Firewalls and NAT
    • Ports should preferably be static

Authorization tools
• INFN LDAP grid map management
    • User and group info in directory, used by local admins to generate the grid map file
    • User DNs associated with groups and domains
    • OU manager access still problem (standardization!)
• gridmapdir patch to Globus
    • Works like DHCP leases from account pools
    • Supports multiple pools or groups
    • Expiry of leases is challenging!
    • http://www.hep.grid.ac.uk/gridmapdir
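
Added example (not part of the original slides, and not the gridmapdir patch's own code): a small Python model of the DHCP-lease idea above, with one pool per group and an expiry rule that refuses to recycle an account that still owns processes or files. The account names, DNs, the ttl value and the is_clean check are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Lease:
    account: str      # local pool account, e.g. "dteam001" (constructed name)
    last_used: float  # time of the most recent mapping request, in seconds

@dataclass
class AccountPool:
    accounts: list    # fixed set of pre-created local accounts for one group
    ttl: float        # idle time after which a lease becomes an expiry candidate
    leases: dict = field(default_factory=dict)  # user DN -> Lease

    def map_dn(self, dn, now):
        """Return the account leased to dn, renewing or allocating as needed."""
        lease = self.leases.get(dn)
        if lease:                       # renewal: the DN keeps the same account
            lease.last_used = now
            return lease.account
        taken = {l.account for l in self.leases.values()}
        for account in self.accounts:
            if account not in taken:
                self.leases[dn] = Lease(account, now)
                return account
        raise RuntimeError("account pool exhausted")

    def expire(self, now, is_clean):
        """Release idle leases whose account has no leftover processes or files."""
        released = []
        for dn, lease in list(self.leases.items()):
            idle = now - lease.last_used >= self.ttl
            # Recycling an account that still owns files or jobs would hand them
            # to the next DN and blur the audit trail, so such leases are kept.
            if idle and is_clean(lease.account):
                del self.leases[dn]
                released.append(lease.account)
        return released

def demo():
    pools = {"dteam": AccountPool(["dteam001", "dteam002"], ttl=3600)}  # one pool per group
    p = pools["dteam"]
    alice = p.map_dn("/O=Grid/CN=Alice", now=0)          # constructed DNs
    bob = p.map_dn("/O=Grid/CN=Bob", now=10)
    p.map_dn("/O=Grid/CN=Alice", now=3000)               # Alice renews her lease
    kept = p.expire(now=4000, is_clean=lambda a: False)  # Bob idle, account dirty
    freed = p.expire(now=4000, is_clean=lambda a: True)  # Bob idle, account clean
    carol = p.map_dn("/O=Grid/CN=Carol", now=4001)       # reuses the freed account
    return alice, bob, kept, freed, carol
```

In a real deployment is_clean would have to check for running jobs and files owned by the account's uid, which is where lease expiry becomes difficult.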

Agreed Long Term Statements
• Local control should always be retained
• Authorization and its revocation is key problem
• A policy language is needed
    • Including conditional authorization, e.g. from 9am-5pm
• Accounting and auditing infrastructure needed
• Aware of firewalls & NAT and of attack risks

Aaaarch Research Task Force
• Next Generation AAA Architecture
  based on mesh of interconnected AAA servers
• RFCs 2903 – 2906 & drafts
• Provide nice overview of different architectures:
    • Agents query service to allow user access
    • Service pulls info from UHO AAA server
    • UHO AAA pushes tokens for user to access service
• Working on policy language
http://www.aaaarch.org/

Some Open Issues
• Need all channels encryption or integrity?
• Does the scheduler need authentication itself
  (does the scheduler have more rights than its end-user?)
• Authorization service universal problem
    • Who manages authorization information
    • Revocation of authorization
    • How often do you check this
    • Scalability
    • Access permissions on user or group level (which group)

More Open Issues
• Files vs. Objects (all data in Objectivity owned by one uid)
  DataGrid will not bring more security to insecure solutions
• Are jobs to use other services than 'Grid' services?
  Or: how to prevent this!
• Attacks, cracking, DDoS, …
  How to secure the security infrastructure