180 likes | 290 Views
Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF. David Groep NIKHEF, Amsterdam based on a presentation by David Kelse y CLRC/RAL, UK. The EU DataGrid. DataGrid: generic Grid middleware and test bed for High Energy Physics Earth Observation and ozone modelling
E N D
Security in DataGrid12 Mar 2002TERENA GRID-AN BoF David GroepNIKHEF, Amsterdam based on a presentation by David Kelsey CLRC/RAL, UK Security in DataGrid
The EU DataGrid • DataGrid: generic Grid middleware and test bed for • High Energy Physics • Earth Observation and ozone modelling • Bio-informatics & bio-medicine • Middleware components (on top of Globus): • scheduling and accounting • data replication and management • monitoring • data storage • fabric and farm management Security in DataGrid
Security in DataGrid • No allocated effort, so groups distributed over WP’s: • CA Coordination (Test bed WP6)Started before the project (end 2000), well established • Ad-hoc Authorization (Test bed WP6)Interim solutions for distributing collaboration user lists and “virtual organization directories”. • Security Coordination (“Networking” WP7)Requirements gathering and design of a first “security architecture”. Definition of security guidelines for middleware development Security in DataGrid
Start with … Authentication Security in DataGrid
WP6 CACG • 11 DataGrid Testbed1 CA’s • See WP6 web • Much effort to run these – growing number of cert requests • Several moving to OpenCA • US DOE ScienceGrid CA • Operational since January 2002 • Approved as a DataGrid “trusted” CA (& vice-versa!) • First test of transatlantic authentication last month • Karlsruhe CA (CrossGrid and HEP Germany) • To be incorporated later • Seems to attract Grid CA issues that should have gone to GGF! Security in DataGrid
Authentication (2) • One of the EDG CA’s (CNRS)acts as a “catch-all” CA • CP/CPS will get explicit statements about RA’s • Matrix of Trust (work ongoing) – much work! • Feature matrix • Acceptance matrix(WP6 CA Mgrs check each other against min. requirements) BUT: • Still another 7 CrossGrid countries with no CA • And many other LHC countries • Scaling problems! • Automate the feature checking • Continue to work with GGF in the GridCP group Security in DataGrid
Authentication (3) DataGrid CA Features matrix Security in DataGrid
CA Acceptance Matrix • Detailed reports per CA • Guidelines for “national” site admins • To be done: – versioning of CP/CPS – invalidation after CP/CPS updates Security in DataGrid
And now … Authorisation Security in DataGrid
GSI – Grid map file • Resource Authorization based on access lists • Maps “Grid name” (cert subject DN) → local UID • In effect after successful authentication triode:davidg:1002$ cat /etc/grid-security/grid-mapfile "/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg "/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn "/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon "/C=IT/O=INFN/L=Torino/CN=Piergiorgio Cerello/Email=Piergiorgio.Cerello@to.infn.it" aliprod Security in DataGrid
mkgridmap and VO’s • Virtual Organizations (VOs) define user groups“ATLAS”, “LHCb”, “OzoneModelling”, … • Directory with user lists maintained by VO admin • Resource owners extract list from “allowed” VOs • optional: AND with one other directory (AUP!) • periodically generated (once per day) Security in DataGrid
o=xyz,dc=eu-datagrid, dc=org o=testbed,dc=eu-datagrid, dc=org ou=People ou=People ou=Testbed1 ou=??? CN=John Smith CN=Mario Rossi CN=John Smith Authentication Certificate Authentication Certificate Authentication Certificate CN=Franz Elmer CN=Franz Elmer mkgridmap ban list grid-mapfile local users grid-mapfile generation VODirectory “AuthorizationDirectory” Security in DataGrid
Entries in VO Directory • VO Membership list dn: cn=Roberto Barbera,ou=People,o=alice,dc=eu-datagrid,dc=org objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: pkiUser sn: Barbera cn: Roberto Barbera mail: roberto.barbera@ct.infn.it labeledURI: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate • (sub) groups dn: ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org objectClass: domain objectClass: organizationalUnit objectClass: groupofnames . . . . owner: cn=manager,o=lhcb,dc=eu-datagrid,dc=org • VO administrators • sub-group administrators Security in DataGrid
Authorisation WP6 Authorisation group (R. Cecchini – INFN) • Future plans • Evaluation of CAS and PERMIS • Better VO Directory management; • Support of replicas of VO Directories; • Support for users’ attributes in the VO Directories: • e.g. the AUP signing information (with expiration date...) Security in DataGrid
Authorisation (2) • Globus Community Authorisation Server (CAS) • Long awaited! • Hot news – alpha release by end of next week • PERMIS (http://www.permis.org) • EU funded project • Univ of Salford (UK) – member of SecureGrid • Policy-based Role-based (XML) Access control Security in DataGrid
GridMapDir (WP6 - McNab) • Account sharing mechanism for local UIDs • Modifier version of GSI allows mapping to ‘account pools’ (à la DHCP) • nice when VO directories are large and not all users go to all sites • difficult to recycle accounts (files!) • sucessfully deployed in EDG TB1 Security in DataGrid
Authorisation issues • We need more functionality • “Dynamic policy-based Access control” • Users with more than one allowed role • Move away from Unix uid based security (and grid mapfile) • Applicable to all Grid services (and callable from) • Users may belong to multiple VO’s • Authorisation may need to be based on “joins” • Global & Local authorisation mechanisms • need to negotiate policy – Global/VO/Local • We should aim for a limited number of compatible authorisation mechanisms • Job for Architecture group and WP7 Security • OGSA? Security in DataGrid
Future plans • The EU review encouraged us to do more on security • It is already happening! • WP6 CA group • continue Acceptance matrix and work with GGF • WP6 Authorisation group • Test and evaluate CAS and PERMIS • WP7Sec D7.6 (M25) “Security Design and TB2 report” • Work going on in all middleware WP’s on security • WP7Sec & Architecture group need to • Coordinate activities • Check that mechanisms are “secure” Security in DataGrid