Title: Grid Security for Site Authorization in EDG VOMS, Java Security and LCMAPS
1. Grid Security for Site Authorization in EDG: VOMS, Java Security and LCMAPS
- David Groep, NIKHEF, davidg@nikhef.nl
- EDG Security Coordination
- A. Frohner, CERN
- D. Kouril, CESNET
- F. Bonnassieux, CNRS
- R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, A. Gianoli, F. Spataro, INFN
- O. Mulmo, KDC
- D.L. Groep, M. Steenbakkers, W. Som de Cerff, O. Koeroo, G. Venekamp, NIKHEF
- L. Cornwall, D. Kelsey, J. Jensen, RAL
- A. McNab, University of Manchester
- P. Broadfoot, G. Lowe, University of Oxford
- http://hep-project-grid-scg.web.cern.ch/
2. Talk Outline
- Introduction
- Authorization requirements
- VO Membership Service
- Java Security for Hosted Environments
- Native Mechanisms (LCAS, LCMAPS)
- Conclusions
3. Authentication: only the first step
- EDG security infrastructure based on X.509 certificates (PKI)
- Authentication
  - Needs trusted third parties: 16 national certification authorities
  - Policies and procedures -> mutual trust
  - Users identified with identity certificates signed by a national CA
  - See also the next talk by Dave Kelsey
- Authorization
  - Several entities involved
    - Resource Providers (e.g. computer centres, storage providers, NRENs)
    - Virtual Organizations (e.g. LHC experiment collaborations)
  - Authorization for grid users cannot be decided on a local site basis only
4. User Authorization in Globus (diagram)
- Flow shown: user cert (long life) -> grid-proxy-init -> proxy cert (short life) -> service
- Service side: host cert (long life), CRL update, grid-mapfile
- Only authentication info is conveyed
5. User Authorization in EDG 1.4.x (diagram)
- Flow shown: user cert (long life) -> grid-proxy-init -> proxy cert (short life) -> service
- The user registers in the VO-LDAP server; mkgridmap reads the VO-LDAP server to build the site's grid-mapfile
- Service side: host cert (long life), CRL update, grid-mapfile
- Only authentication info is conveyed; VO membership enters the site only through the generated grid-mapfile
6. VOMS Overview
- Provides info about the user's relationship with his VO(s): groups, compulsory groups, roles (admin, student, ...), capabilities (free-form string), temporal bounds
- Features
  - single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init)
  - expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself)
  - backward compatibility: the extra VO-related information is in the user's proxy certificate, which can still be used with non-VOMS-aware services
  - multiple VOs: the user may authenticate himself with multiple VOs and create an aggregate proxy certificate
  - security: all client-server communications are secured and authenticated
7. User Authorization in EDG 2.x (diagram)
- Flow shown: user cert (long life) -> voms-proxy-init -> proxy cert (short life) carrying an authz cert (short life) -> service
- The user registers with the VO's VOMS server; voms-proxy-init contacts VO-VOMS to obtain the authorization certificate
- Service side: host cert (long life), CRL update
- Both authentication and authorization info are conveyed; consumed at the site by edg-java-security and LCAS/LCMAPS
8. Pseudo-Certificate Format
- The pseudo-cert is inserted in a non-critical extension of the user's proxy: OID 1.3.6.1.4.1.8005.100.100.1 (non-critical, so non-VOMS-aware services simply ignore it)
- It will become an Attribute Certificate
- One for each VOMS server contacted
- Example content:

  User's identity:
    /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it
    issued by /C=IT/O=INFN/CN=INFN CA
  Server identity:
    /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it
    issued by /C=IT/O=INFN/CN=INFN CA
    VO: CMS   URI: http://vomscms.cern.ch
  User's info:
    TIME1 020710134823Z   TIME2 020711134822Z
    GROUP montecarlo   ROLE administrator   CAP "100 GB disk"
  SIGNATURE: binary signature over the fields above (not reproduced)
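The checks a VOMS-aware service has to make on a pseudo-certificate like the one above (trusted issuing server, validity window TIME1..TIME2 that is independent of the proxy's own lifetime, attributes only after acceptance), together with the aggregate-proxy case from slide 6, as an added Python example that is not code from the EDG/VOMS project. The line-oriented "KEY value" rendering, the field names, the vomsdir table, the second (rogue) pseudo-cert and the clock value NOW are assumptions made here; signature verification is left to the VOMS client library and is not attempted.

```python
"""VOMS pseudo-certificate handling: parse the fields shown on slide 8 and
evaluate them the way a VOMS-aware service must before trusting the
attributes, including the validity window that is independent of the proxy's
own lifetime and the aggregate-proxy case from slide 6.

Added example for this page, not code from the EDG/VOMS project.  The
line-oriented "KEY value" rendering, the field names, the vomsdir table,
the second (rogue) pseudo-cert and the clock value are assumptions made here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed vomsdir: the (server DN, issuing CA) allowed to speak for each VO.
# The CMS entry reuses the server identity printed on slide 8.
TRUSTED_VOMS = {
    "CMS": ("/C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it",
            "/C=IT/O=INFN/CN=INFN CA"),
}
NOW = datetime(2002, 7, 10, 20, 0, tzinfo=timezone.utc)   # assumed clock, inside TIME1..TIME2


@dataclass
class PseudoCert:
    user_dn: str
    user_ca: str
    server_dn: str
    server_ca: str
    vo: str
    uri: str
    not_before: datetime          # TIME1
    not_after: datetime           # TIME2
    groups: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    caps: list = field(default_factory=list)


def parse_utctime(text):
    """TIME1/TIME2 are UTCTime, YYMMDDhhmmssZ: 020710134823Z is 2002-07-10 13:48:23Z."""
    return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_pseudo_cert(text):
    """Parse one pseudo-cert.  GROUP/ROLE/CAP may repeat; SIGNATURE is opaque here
    (verifying it against the server certificate is the VOMS client library's job)."""
    single, multi = {}, {"GROUP": [], "ROLE": [], "CAP": []}
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(" ")
        if key in multi:
            multi[key].append(value)
        elif key != "SIGNATURE":
            single[key] = value
    return PseudoCert(
        user_dn=single["USER"], user_ca=single["USER_CA"],
        server_dn=single["SERVER"], server_ca=single["SERVER_CA"],
        vo=single["VO"], uri=single["URI"],
        not_before=parse_utctime(single["TIME1"]), not_after=parse_utctime(single["TIME2"]),
        groups=multi["GROUP"], roles=multi["ROLE"], caps=multi["CAP"])


def evaluate(pc, now=NOW, trusted=TRUSTED_VOMS):
    """Return (accepted, reason).  Attributes may only be used when accepted."""
    if trusted.get(pc.vo) != (pc.server_dn, pc.server_ca):
        return False, "server not in vomsdir for VO " + pc.vo
    if not pc.not_before <= now <= pc.not_after:
        return False, "outside TIME1..TIME2 (checked separately from the proxy lifetime)"
    return True, "ok"


def aggregate(pseudo_certs, now=NOW, trusted=TRUSTED_VOMS):
    """Merge the pseudo-certs of an aggregate proxy: attributes per accepted VO,
    plus the rejected ones.  A service that is not VOMS-aware skips all of this,
    since the extension is non-critical, and sees only the user DN."""
    attrs, rejected = {}, []
    for pc in pseudo_certs:
        ok, why = evaluate(pc, now, trusted)
        if ok:
            attrs[pc.vo] = {"groups": pc.groups, "roles": pc.roles, "caps": pc.caps}
        else:
            rejected.append((pc.vo, pc.server_dn, why))
    return attrs, rejected


# The pseudo-cert of slide 8, one field per line (the layout is constructed).
CMS_PSEUDO_CERT = """
USER /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it
USER_CA /C=IT/O=INFN/CN=INFN CA
SERVER /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it
SERVER_CA /C=IT/O=INFN/CN=INFN CA
VO CMS
URI http://vomscms.cern.ch
TIME1 020710134823Z
TIME2 020711134822Z
GROUP montecarlo
ROLE administrator
CAP 100 GB disk
SIGNATURE <binary blob, not reproduced>
"""
# Constructed rogue pseudo-cert: same VO, same user, but issued by a server
# (voms.example.org, a made-up name) that the vomsdir does not list.
ROGUE_PSEUDO_CERT = CMS_PSEUDO_CERT.replace("CN=gridce.pr.infn.it", "CN=voms.example.org")

if __name__ == "__main__":
    certs = [parse_pseudo_cert(CMS_PSEUDO_CERT), parse_pseudo_cert(ROGUE_PSEUDO_CERT)]
    print(aggregate(certs))
    print(evaluate(certs[0], NOW.replace(day=12)))   # after TIME2: rejected
```

The two checks are deliberately ordered: the issuing server is matched against the vomsdir before the time window is read, because a pseudo-cert from an unknown server may carry any TIME1/TIME2 it likes. The rogue entry shows why a VO name alone is not an authority: only the (server DN, CA) pair the site has configured may vouch for the VO.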
9. VOMS Architecture (diagram)
- Diagram shown: VOMS server (vomsd) backed by a MySQL db with history and audit records; voms-proxy-init talks to vomsd over GSI; administration over SOAP/SSL and https; mkgridmap over https; database access labelled JDBC and DBI
- User query server and client (C)
- Java Web Service based administration interface
- Perl client (batch processing)
- Web browser client (generic administrative tasks)
- Web server interface for mkgridmap
10. Authorization
11. Authorization for Web Services
- Java TrustManager can secure both web sites and web services
  - Based on the Apache Tomcat Catalina servlet container
  - SOAP client, as an extension of the Axis SocketFactoryFactory
  - HTTP client, as an API that creates HTTPS connections
- Authorization Manager gives attributes based on the user DN and VOMS extensions
- For web services: the service uses the proxy of the host
- For browser interaction: must use the long-lived host cert to be TLS compliant
12. Services secured by EDG-Java-Sec
- Spitfire: uniform access to SQL database services (MySQL, DB/2, Oracle)
- Replica Location Service, RepMeC, Giggle: metadata and replica information services
- VOMS server
- R-GMA: Relational Grid Monitoring Architecture Information System
- Basis for new OGSA/Web Services components
13. Authorization for Native Environments
- All systems for running Grid jobs and storing files are UNIX based
- Need for an interface between Grid rights and local rights
- Two-phase process
  - Authorization of users: LCAS
  - Acquiring and enforcing local (UNIX-style) credentials: LCMAPS
- Why the split?
  - Authorization decisions may apply to more than single resources
  - Credential mapping may be time-consuming and heavy
  - Internal service security: credential mapping needs root privileges, authorization can do without
14. LCAS: Local Centre AuthZ Service
- Authorization using
  - Authentication and VO data
  - Job description
  - Site policy
- Plug-in framework; currently shipping modules:
  - Allowed-users list
  - Banned-users list
  - wall-clock limitations
- Diagram shown: the GateKeeper and the GridFTP server consult LCAS before the GateKeeper hands a job to the Job Manager and the worker nodes (or other clusters); example job description: exec=/bin/cat, arguments=/etc/passwd
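How an LCAS-style plug-in chain reaches its decision for a request like the one in the diagram above (slide 14), as an added Python example that is not the LCAS code. The first three plug-ins mirror the modules the slide lists (allowed-users, banned-users, wall-clock limitations); the list syntax, the "/VO=.../GROUP=.../ROLE=..." attribute strings, the job-description rule and every sample request are constructed here, and the plug-in names are descriptive rather than the module file names.

```python
"""LCAS-style site authorization: an ordered chain of plug-ins, each given the
authenticated DN, the VO attributes, the job description and the site policy;
all must accept before the request goes on to credential mapping (LCMAPS).

Added example for this page, not the LCAS code.  The first three plug-ins
mirror the modules slide 14 lists (allowed-users, banned-users, wall-clock);
the list syntax, the job-description rule and all sample data are constructed.
"""
from datetime import datetime, timezone

# Constructed site policy.  Plain DNs and VO attribute strings share one syntax.
SITE_POLICY = {
    "allowed": {
        "/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it",
        "/VO=CMS/GROUP=montecarlo",
    },
    "banned": {"/VO=CMS/GROUP=montecarlo/ROLE=student"},
    # (weekdays, first hour, end hour): Mon-Fri any time, weekends 06:00-22:00 only
    "timeslots": [(range(0, 5), 0, 24), (range(5, 7), 6, 22)],
    # constructed rule on the job description: executables the site refuses to run
    "denied_executables": {"/bin/sh", "/bin/bash"},
}


def attribute_strings(req):
    """The DN plus group and group/role strings derived from the VOMS data."""
    out = {req["dn"]}
    for group in req["groups"]:
        out.add("/VO=%s/GROUP=%s" % (req["vo"], group))
        for role in req["roles"]:
            out.add("/VO=%s/GROUP=%s/ROLE=%s" % (req["vo"], group, role))
    return out


def banned_users(req, policy):
    hit = attribute_strings(req) & policy["banned"]
    return (False, "banned via " + sorted(hit)[0]) if hit else (True, "not banned")


def allowed_users(req, policy):
    hit = attribute_strings(req) & policy["allowed"]
    return (True, "allowed via " + sorted(hit)[0]) if hit else (False, "not in allowed list")


def wall_clock(req, policy):
    t = req["submitted"]
    for days, start, end in policy["timeslots"]:
        if t.weekday() in days and start <= t.hour < end:
            return True, "within timeslot"
    return False, "outside allowed timeslots"


def job_description(req, policy):
    exe = req["job"]["executable"]
    if exe in policy["denied_executables"]:
        return False, "executable %s refused by site policy" % exe
    return True, "job description acceptable"


# Order matters: a ban entry wins over any allow entry, and cheap checks go first.
PLUGINS = [("banned-users", banned_users), ("allowed-users", allowed_users),
           ("wall-clock", wall_clock), ("job-description", job_description)]


def lcas_decide(req, policy=SITE_POLICY, chain=PLUGINS):
    """Return (authorized, trace); the first failing plug-in ends the evaluation."""
    trace = []
    for name, plugin in chain:
        ok, why = plugin(req, policy)
        trace.append((name, ok, why))
        if not ok:
            return False, trace
    return True, trace


# Constructed requests.  The first is the job on slide 14 (exec=/bin/cat,
# arguments=/etc/passwd) by the slide-8 user, submitted on a Wednesday morning.
USER_DN = "/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it"
REQ_SLIDE = {"dn": USER_DN, "vo": "CMS", "groups": ["montecarlo"], "roles": ["administrator"],
             "job": {"executable": "/bin/cat", "arguments": ["/etc/passwd"]},
             "submitted": datetime(2002, 7, 10, 10, 0, tzinfo=timezone.utc)}
REQ_STUDENT = dict(REQ_SLIDE, roles=["student"])
REQ_SUNDAY_NIGHT = dict(REQ_SLIDE, submitted=datetime(2002, 7, 14, 3, 0, tzinfo=timezone.utc))
REQ_SHELL = dict(REQ_SLIDE, job={"executable": "/bin/sh", "arguments": ["-c", "id"]})

if __name__ == "__main__":
    for label, req in [("slide job", REQ_SLIDE), ("student", REQ_STUDENT),
                       ("sunday night", REQ_SUNDAY_NIGHT), ("shell", REQ_SHELL)]:
        ok, trace = lcas_decide(req)
        print(label, "ALLOW" if ok else "DENY", trace[-1])
```

Note that the decision is taken on the proxy's DN and VOMS attributes only; no UNIX account exists yet at this point, which is why this phase can run without root privileges (slide 13) and why the same trace can be reused for several resources before any expensive mapping is done.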
15. LCMAPS: Local Credential MAPping
- Provides the local credentials needed for jobs within the fabric
- Plug-in framework, driven by (site-specific) policy
- Mapping based on
  - user identity
  - VO affiliation, groups and roles
  - site-local policy
- Supports multiple credential types
  - Traditional POSIX (in-process, LDAP), via fixed or PoolAccounts
  - AFS tokens
  - true Kerberos5
16. LCMAPS new functionality
- Local UNIX groups based on VOMS group membership and roles
- More than one VO and group/role per grid user
- No pre-allocation of pool accounts to specific groups
- New mechanisms
  - groups-on-demand
  - support for central user directories (primarily LDAP)
- Why do we continue to need LCAS?
  - Centralized site decisions on authorized users for multiple fabrics
  - Coordinated access control across multiple CEs and SEs
  - (and save on expensive account allocation mechanisms in LCMAPS)
17. Conclusions
- EDG provides an extensive Grid authorization infrastructure today
  - LCAS and Java-security already deployed
  - VOMS and LCMAPS ready for deployment (confirmed for June 03)
  - Updates for various services in October 03
- User side
  - Support for a large, fast-changing user community
  - Roles and groups within the experiment VOs
  - Multiple affiliations and roles per user
- Resource side
  - Minimal effort on the resource provider side
  - Smoother integration in Grid computing at large
  - Retains traceability and auditability at all levels
18. More Information
- EDG Security Coordination Group
  - Web site: http://hep-project-grid-scg.web.cern.ch/
- VOMS
  - Web site: http://grid-auth.infn.it/
  - CVS site: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/
  - Developers mailing list: sec-grid@infn.it
- PoolAccounts
  - Web site: http://www.gridpp.ac.uk/authz/gridmapdir/
- LCAS-LCMAPS
  - Web site: http://www.dutchgrid.nl/DataGrid/wp4/
  - CVS sites: http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/ and http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
  - Mailing list: hep-proj-grid-fabric-gridify@cern.ch
- EDG Java Security
  - Web site: http://edg-wp2.web.cern.ch/edg-wp2/security/
19. Some Related Works
- CAS (Globus Team)
  - Proxy generated by the CAS server, not by the user (no direct traceability)
  - Proxy not backward compatible
  - Attributes are permissions (resource access controlled by the VO)
- PERMIS (Salford Univ., England)
  - ACs stored in a repository at the local site
  - Good policy engine
  - VOMS complementary (flexible VOMS AC + PERMIS policy engine)
- Akenti (US Gov.)
  - Targets Web sites; not an easy migration into a VO environment
20. LCMAPS Site Policy and Preferences
- Diagram shown: evaluation graph with VOMS-group at the top; the TRUE branch continues to PoolAccount and then LDAP, the FALSE branch to LocalAccount
- Configuration shown (module definitions, then the policy named "standard"; the listing declares no ldap module even though the policy references one):

  path = /opt/edg/lib/lcmaps/modules
  localaccount = "lcmaps_localaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
  poolaccount  = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
  posix_enf    = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
  voms         = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates -certdir /etc/grid-security/certificates"

  standard:
  voms -> poolaccount | localaccount
  localaccount -> posix_enf
  poolaccount -> ldap
  ldap -> posix_enf
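How the "standard" policy above is walked at run time, covering the mapping rules of slide 15, the groups-on-demand and central-directory steps of slide 16, and the success/failure branching of slide 20, as an added Python example that is not the LCMAPS code. The modules are constructed stand-ins for lcmaps_voms, lcmaps_poolaccount, lcmaps_localaccount and lcmaps_posix plus an LDAP groups-on-demand step; the grid-mapfile content, pool account names, uid/gid numbers, the lease table and the three sample users are all made up here.

```python
"""LCMAPS-style credential mapping for the 'standard' policy of slide 20.
Each module either succeeds or fails, and 'a -> b | c' means: run b after a
succeeds, c after a fails; a module with no rule of its own is terminal.

Added example for this page, not the LCMAPS code.  The modules are
constructed stand-ins for lcmaps_voms / poolaccount / localaccount / posix,
plus an LDAP groups-on-demand step as described on slide 16; grid-mapfile
content, pool account names, uid/gid numbers and the sample users are made up.
"""

# Constructed grid-mapfile: a fixed account for one DN, a pool (".cms") for a
# VOMS group.  Pool leases persist per DN, as a gridmapdir would.
GRID_MAPFILE = {
    "/C=XX/O=Example/CN=Fixed User": "fixeduser",
    "/VO=CMS/GROUP=montecarlo": ".cms",
}
POOL = {".cms": ["cms001", "cms002"]}                 # accounts per pool
LEASES = {}                                           # dn -> leased pool account
UIDS = {"fixeduser": 2001, "cms001": 3001, "cms002": 3002}
GROUPS = {"users": 100, "cms": 500}                   # site (central) group directory
LIMITS = {"maxuid": 1, "maxpgid": 1, "maxsgid": 32}   # posix_enf arguments on slide 20


def voms(req, cred):
    """Succeeds only if the proxy carries VOMS attributes (trusted parse assumed)."""
    if not req.get("voms_groups"):
        return False
    cred["fqans"] = ["/VO=%s/GROUP=%s" % (req["vo"], g) for g in req["voms_groups"]]
    return True


def poolaccount(req, cred):
    """Lease a pool account for the first VOMS group that maps to a pool."""
    pool = next((GRID_MAPFILE[f] for f in cred.get("fqans", []) if f in GRID_MAPFILE), None)
    if pool is None:
        return False
    account = LEASES.get(req["dn"])                    # reuse an earlier lease
    if account is None:
        free = [a for a in POOL[pool] if a not in LEASES.values()]
        if not free:
            return False                               # pool exhausted
        account = LEASES[req["dn"]] = free[0]
    cred["uid"], cred["pgid"] = [UIDS[account]], [GROUPS[pool.lstrip(".")]]
    return True


def localaccount(req, cred):
    """Fixed grid-mapfile mapping, the fallback when VOMS data is absent."""
    account = GRID_MAPFILE.get(req["dn"])
    if account is None or account.startswith("."):
        return False
    cred["uid"], cred["pgid"] = [UIDS[account]], [GROUPS["users"]]
    return True


def ldap(req, cred):
    """Groups on demand: one UNIX group per VOMS group, created in the directory."""
    cred["sgid"] = []
    for fqan in cred.get("fqans", []):
        name = fqan.replace("/VO=", "").replace("/GROUP=", "-").lower()
        cred["sgid"].append(GROUPS.setdefault(name, 600 + len(GROUPS)))
    return True


def posix_enf(req, cred):
    """Enforce the credential: exactly one uid and primary gid, bounded secondaries."""
    return (len(cred.get("uid", [])) == LIMITS["maxuid"]
            and len(cred.get("pgid", [])) == LIMITS["maxpgid"]
            and len(cred.get("sgid", [])) <= LIMITS["maxsgid"])


MODULES = {"voms": voms, "poolaccount": poolaccount, "localaccount": localaccount,
           "ldap": ldap, "posix_enf": posix_enf}

# The 'standard' policy of slide 20: module -> (next on success, next on failure)
STANDARD = {
    "voms": ("poolaccount", "localaccount"),
    "localaccount": ("posix_enf", None),
    "poolaccount": ("ldap", None),
    "ldap": ("posix_enf", None),
}


def run_policy(req, policy=STANDARD, start="voms"):
    """Walk the policy graph; return (credential, path) or (None, path) on failure."""
    cred, path, module = {}, [], start
    while module is not None:
        ok = MODULES[module](req, cred)
        path.append((module, ok))
        on_ok, on_fail = policy.get(module, (None, None))
        if ok and on_ok is None:
            return cred, path                          # terminal module succeeded
        module = on_ok if ok else on_fail              # None on failure = no fallback
    return None, path


# Constructed sample users: VOMS-enabled, plain proxy with a fixed account, unknown.
VOMS_USER = {"dn": "/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini", "vo": "CMS",
             "voms_groups": ["montecarlo"]}
FIXED_USER = {"dn": "/C=XX/O=Example/CN=Fixed User"}
UNKNOWN_USER = {"dn": "/C=XX/O=Example/CN=Nobody"}

if __name__ == "__main__":
    for user in (VOMS_USER, FIXED_USER, UNKNOWN_USER):
        print(user["dn"], run_policy(user))
```

The walk makes the two properties of the slide's policy visible: the "| localaccount" fallback is taken only when the voms module fails (a proxy without VOMS data), never when a later module such as poolaccount fails, and posix_enf is the single terminal step on both branches, so a credential that is missing a uid or exceeds the gid limits is refused whichever way it was built. Because these modules hand out real uids and gids, this phase is the one that needs root (slide 13).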