6-Dec-02 D.P.Kelsey, DataGrid Security 1
EU DataGrid Security
UK Security Workshop
5-6 Dec 2002, NeSC
David Kelsey, CLRC/RAL, UK
Overview
• GridPP / EU DataGrid (EDG) / CERN LCG
• DataGrid Security – Introduction
• Security Requirements
• Authentication issues
• Authorisation issues
• Deployment issues
• DataGrid Security Solutions
• Summary
GridPP
£17M PPARC project to build Grid for UK PP, Sep 01 – Aug 04
• Provide architecture and middleware
• Use the Grid with simulated data
• Use the Grid with real data
• Future LHC Experiments
• Running US Experiments
Main Partners
• CERN – International (Switzerland/France)
• CNRS - France
• ESA/ESRIN – International (Italy)
• INFN - Italy
• NIKHEF – The Netherlands
• PPARC - UK
Assistant Partners
Research and Academic Institutes
• CESNET (Czech Republic)
• Commissariat à l'énergie atomique (CEA) – France
• Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI)
• Consiglio Nazionale delle Ricerche (Italy)
• Helsinki Institute of Physics – Finland
• Institut de Fisica d'Altes Energies (IFAE) – Spain
• Istituto Trentino di Cultura (IRST) – Italy
• Konrad-Zuse-Zentrum für Informationstechnik Berlin – Germany
• Royal Netherlands Meteorological Institute (KNMI)
• Ruprecht-Karls-Universität Heidelberg – Germany
• Stichting Academisch Rekencentrum Amsterdam (SARA) – Netherlands
• Swedish Research Council – Sweden
Industrial Partners
• Datamat (Italy)
• IBM-UK (UK)
• CS-SI (France)
Project Scope
• To develop, implement and exploit a large-scale data and CPU-oriented computational GRID.
• 9.8 M Euros EU funding over 3 years (Jan 01 – Dec 03)
• 90% for middleware and 3 application areas
  – HEP
  – Earth Observation
  – Bio-medical
• Three year phased developments & demos (2001-2003)
• Related EU projects:
  – DataTAG (2002-2003)
  – CrossGrid (2002-2004)
DataGrid Security – Introduction
• No single Work Package (security is everywhere!)
  – 3 security sub-groups: Authentication, Authorisation, & Co-ordination
• Based on Globus GSI
  – But adding our own extra functionality
• EU Deliverables (documents)
  – Security Requirements and first implementation (D7.5) – completed May 2002
  – Security Design and 2nd implementation (D7.6) (Jan 2003)
• Many topics not covered today!
Security Requirements
• 112 documented in D7.5 document
  – 72 essential, 37 desirable aims, 3 long-term aims
  – Authentication (17), Authorisation (32), Auditing (5), Non-repudiation (3), Delegation (8), Confidentiality (18), Integrity (4), Networking (2), Manageability (4), Usability (8), Interoperability (5), Scalability (1), Performance (5)
• Includes
  – Virtual Organisations (VO’s) – Role based authorisation
    • Authorise resources as well as users
  – Local Authorisation
    • Decisions and ACL’s kept local to data
  – Confidentiality
    • Encrypted medical data
    • Don’t know who is in a VO
  – International Collaboration – must inter-operate!
Authentication
• 13 approved National Certificate Authorities
  – includes Registration Authorities – check identity
  – 5 new CA’s under consideration
• CNRS (France) acts as “catch-all” CA for countries with none
  – With appropriate RA mechanisms
• Matrix of “Trust” (work ongoing) – much work!
  – CA Mgrs check each other against agreed list of minimum requirements
  – Software tools being developed to aid this process
• Cross-Domain Authentication between Grid projects
  – USA (DOE) and CrossGrid are members of the CA group and Trust matrix
Authentication (2)
DataGrid CA Features matrix
Authentication issues
• Don’t mix Authentication and Authorisation
  – But authentication often includes some implicit authorisation
• How to define list of “trusted” CA’s?
  – CP/CPS important
  – Audit of CA procedures – 3rd party? (not done yet)
  – GGF GridCP and CA-OPs WG’s important here
• Scaling problems
  – How many CA’s can we cope with? (we will reach ~20)
  – Or should the VO’s issue Authentication certs?
  – Or use Kerberos at the site and generate certs online
• Some US HEP sites not happy with user-held private keys
Authorisation
• Testbed 0 (2000-01)
  – Based on Globus GSI and Grid Mapfile
    • Maps certificate DN to one UNIX user account
    • No groups or roles
    • Unix UID/GID-based access control
• Testbed 1 (2001-02)
  – DataGrid “Virtual Organisation” (VO) support
    • LDAP based VO directories
    • Tools to manage grid mapfile automation –> groups
    • Leasing of dynamic user accounts
      – mods to Globus mapping code
• Testbed 2 (2002-03)
  – DataGrid VOMS, LCAS, GACL,… (see later)
EDG Authorisation – LDAP grid-mapfile generation
(Diagram: users holding Authentication Certificates are listed under ou=People in their VO Directories, e.g. CN=Franz Elmer and CN=John Smith under o=testbed,dc=eu-datagrid,dc=org and CN=Mario Rossi under o=xyz,dc=eu-datagrid,dc=org; an “Authorization Directory” (ou=Testbed1) selects the members; mkgridmap combines these with local users and a ban list to produce the site grid-mapfile.)
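The mkgridmap flow on this slide, as an added example that is not EDG's own mkgridmap code: the VO directory contents, the per-VO local accounts and the ban list are constructed stand-ins, and the grid-mapfile line format `"<DN>" <account>` is the Globus one the Testbed 0/1 mapping used.

```python
"""mkgridmap-style grid-mapfile generation (added example, not EDG code).

Models the Testbed 1 flow: VO directories list member DNs, a local ban
list removes DNs the site refuses, and the output grid-mapfile maps each
certificate DN to exactly one UNIX account (no groups or roles).
"""

# Constructed sample VO directory contents (stand-in for the LDAP trees
# o=testbed,dc=eu-datagrid,dc=org and o=xyz,dc=eu-datagrid,dc=org).
VO_DIRECTORIES = {
    "testbed": ["/O=Grid/CN=Franz Elmer", "/O=Grid/CN=John Smith"],
    "xyz": ["/O=Grid/CN=Mario Rossi", "/O=Grid/CN=John Smith"],
}
# Constructed local policy: VO name -> local account for its members.
VO_ACCOUNT = {"testbed": "tb1user", "xyz": "xyzuser"}
# Constructed local ban list: DNs refused at this site regardless of VO.
BAN_LIST = {"/O=Grid/CN=Mario Rossi"}


def mkgridmap(vo_dirs, vo_account, ban_list):
    """Return grid-mapfile lines '"<DN>" <account>'.

    The ban list always wins, and a DN present in several VOs keeps the
    first mapping: one DN maps to one account, the limitation noted on
    the Testbed 0 slide that VOMS roles later remove."""
    mapping = {}
    for vo, members in vo_dirs.items():
        for dn in members:
            if dn in ban_list or dn in mapping:
                continue
            mapping[dn] = vo_account[vo]
    return [f'"{dn}" {acct}' for dn, acct in mapping.items()]


def parse_gridmap(lines):
    """Parse grid-mapfile lines back into {DN: account}; '#' comments skipped."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, _, acct = line.rpartition('" ')
        result[dn.lstrip('"')] = acct.strip()
    return result


def local_account_for(dn, gridmap):
    """Globus-style lookup: an unlisted DN gets no account, i.e. is refused."""
    return gridmap.get(dn)
```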
VOMS
• Virtual Organisation Membership Service
• Modify grid-proxy-init command
  – voms-proxy-init -vo <MyVO> -role <todaysrole>
  – Can request from multiple VO servers
  – Creates user’s proxy certificate
    • But containing signed VO membership and roles
• Roles, Groups, Capabilities
  – All possible
VO Membership Service
1. Client and server authenticate themselves and establish a secure communication channel using standard Globus API.
2. The Client sends the request to the Server.
3. The Server checks the request and sends back the required info (signed by itself).
4. The Client checks the validity of the info received.
5. Steps 1–4 are repeated for each Server the Client wants to contact.
6. The Client creates a proxy certificate with an extension (non critical) containing all the info received from the contacted VOMS Servers.
(Diagram: after Authentication the Client sends a Query/Request to the VOMS server, which consults its AuthDB and returns a signed VOMS pseudo-cert; the resulting proxy, e.g. C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy, carries the VOMS pseudo-certs from each contacted server.)
VOMS
Security Developments
• Security components developed (see EDG web)
  – CA Trust Matrix tools
  – VO/LDAP & VOMS – Authorisation
  – LCAS, LCMAPS – local authorisation and mapping
  – Gridmapdir – dynamic leased accounts
  – Gridsite – certificate-based web management
  – SlashGrid – dn-based grid homefile system
  – GACL – Library to parse ACL’s (XML)
  – edg-java-security (for Data Management)
SlashGrid & GACL (McNab – HEP Manchester)
• Framework for creating “Grid-aware” filesystems
  – different types of filesystem provided by dynamically loaded plugins
  – Uses CMU Coda kernel module
  – Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/
• GACL
  – a C library for manipulating Grid Access Control Lists, written in XML-based Access Control Languages.
  – http://www.gridpp.ac.uk/gacl/
• n.b. also GridSite for certificate-based web authorisation
Authorisation (architecture diagram)
(Diagram: the User obtains attributes from the VOMS service; each service authenticates the user and passes either the bare dn (Java and C paths) or dn + attrs through a pre-processing step to LCAS (authorisation) and LCMAPS (mapping). Coarse-grained authorisation applies to e.g. Spitfire (WP2) and the CE/Gatekeeper (WP4); fine-grained authorisation, using ACLs, applies to e.g. RepMeC (WP2/WP3) and the SE and /grid filesystem (WP5).)
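The dn + attrs path on this diagram (VOMS attributes into LCAS, then LCMAPS leasing a gridmapdir pool account), as an added example that is not EDG's LCAS/LCMAPS code: the site policy, the VO and role names, the pool account names and the proxy DNs are all constructed for illustration.

```python
"""LCAS/LCMAPS-style authorisation and mapping on a VOMS proxy (added
example, not EDG code). LCAS gives a coarse-grained yes/no from the
signed VO attributes; LCMAPS maps the user to a local account, leasing
a gridmapdir-style pool account that stays bound to the DN.
"""
from dataclasses import dataclass, field


@dataclass
class VomsProxy:
    dn: str    # certificate subject, established by authentication
    vo: str    # VO whose server signed the attributes
    role: str  # role requested with -role, or "NULL" if none


@dataclass
class SitePolicy:
    allowed_vos: set       # VOs this site has agreed to serve
    banned_dns: set        # local ban list, checked before anything else
    role_accounts: dict    # role -> shared fixed account
    pool: list             # leasable pool accounts (constructed names)
    leases: dict = field(default_factory=dict)  # dn -> leased account


def lcas(proxy, policy):
    """Local Centre Authorisation: ban list wins, then VO must be allowed."""
    if proxy.dn in policy.banned_dns:
        return False
    return proxy.vo in policy.allowed_vos


def lcmaps(proxy, policy):
    """Map an authorised proxy to a local account, or None if none is free."""
    if proxy.role in policy.role_accounts:
        return policy.role_accounts[proxy.role]
    if proxy.dn in policy.leases:
        return policy.leases[proxy.dn]           # reuse the existing lease
    taken = set(policy.leases.values())
    free = [acct for acct in policy.pool if acct not in taken]
    if not free:
        return None                              # pool exhausted: refuse
    policy.leases[proxy.dn] = free[0]
    return free[0]


def authorise(proxy, policy):
    """Chain on the diagram: authenticated dn + attrs -> LCAS -> LCMAPS."""
    if not lcas(proxy, policy):
        return None
    return lcmaps(proxy, policy)
```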
Grid Deployment - issues
• Legal, political, site security policies, etc.
  – The user does not (need to) know where the jobs will run
    • Cannot sign registration forms everywhere
  – Acceptable Use policies (Rules)
• What is needed for User Registration?
  – We have a solution for EDG testbed
    • But not yet for full production (LCG considering this)
  – What is acceptable to Site Security Officers?
    • GGF Site-AAA research group
  – An extremely important area – could kill the Grid!
Issues – Deployment (2): Virtual Organisation Management
• VO’s need to manage their members, and sites/resource providers negotiate with VO’s
  – Only system which will scale
    • Sites cannot manage large number of Grid users
  – Not just a technical problem!
  – Must develop procedures to allow this to happen
  – VO’s not used to managing resources
  – Will Computer Centres give up (full) control?
Summary
• Authentication
  – Cross-Domain Trust is the big problem
    • will it continue to scale?
• Authorisation
  – The most IMPORTANT area
    • This is where the identity and rights need to be checked
  – Technology is immature
  – Need VO management procedures/tools
• Many operational, legal, deployment issues
  – To establish Trust between Sites/VO’s/users
• EDG has several solutions – available for use!
Web links
• GridPP http://www.gridpp.ac.uk
• DataGrid http://www.eu-datagrid.org
• LCG http://lcg.web.cern.ch/LCG/
• GGF Security Area http://www.globalgridforum.org/2_SEC/SEC.htm
• DataGrid Security Requirements document http://hepwww.rl.ac.uk/kelsey/datagrid-d7.5.pdf