Title: EU DataGrid Security, UK Security Workshop, 5-6 Dec 2002, NeSC
1 EU DataGrid Security
UK Security Workshop, 5-6 Dec 2002, NeSC
- David Kelsey, CLRC/RAL, UK, d.p.kelsey_at_rl.ac.uk
2 Overview
- GridPP/EU DataGrid (EDG)/CERN LCG
- DataGrid Security Introduction
- Security Requirements
- Authentication issues
- Authorisation issues
- Deployment issues
- DataGrid Security Solutions
- Summary
3 (No Transcript)
4 17M PPARC project to Build Grid for UK PP, Sep 01 - Aug 04
(Diagram labels on the slide:)
- GridPP
- Provide architecture and middleware
- Future LHC Experiments
- Running US Experiments
- Use the Grid with simulated data
- Use the Grid with real data
5 Main Partners
- CERN International (Switzerland/France)
- CNRS - France
- ESA/ESRIN International (Italy)
- INFN - Italy
- NIKHEF The Netherlands
- PPARC - UK
6 Assistant Partners
- Industrial Partners
- Datamat (Italy)
- IBM-UK (UK)
- CS-SI (France)
- Research and Academic Institutes
- CESNET (Czech Republic)
- Commissariat à l'énergie atomique (CEA) - France
- Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI)
- Consiglio Nazionale delle Ricerche (Italy)
- Helsinki Institute of Physics - Finland
- Institut de Fisica d'Altes Energies (IFAE) - Spain
- Istituto Trentino di Cultura (IRST) - Italy
- Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany
- Royal Netherlands Meteorological Institute (KNMI)
- Ruprecht-Karls-Universität Heidelberg - Germany
- Stichting Academisch Rekencentrum Amsterdam (SARA) - Netherlands
- Swedish Research Council - Sweden
7 Project Scope
- To develop, implement and exploit a large-scale data and CPU-oriented computational GRID.
- 9.8 M Euros EU funding over 3 years (Jan 01 - Dec 03)
- 90 for middleware and 3 application areas
  - HEP
  - Earth Observation
  - Bio-medical
- Three year phased developments and demos (2001-2003)
- Related EU projects
  - DataTAG (2002-2003)
  - CrossGrid (2002-2004)
8 DataGrid Security: Introduction
- No single Work Package (security is everywhere!)
- 3 security sub-groups
  - Authentication, Authorisation, Co-ordination
- Based on Globus GSI
  - But adding our own extra functionality
- EU Deliverables (documents)
  - Security Requirements and first implementation (D7.5) completed May 2002
  - Security Design and 2nd implementation (D7.6) (Jan 2003)
- Many topics not covered today!
9 Security Requirements
- 112 documented in D7.5 document
  - 72 essential, 37 desirable aims, 3 long-term aims
  - Authentication (17), Authorisation (32), Auditing (5), Non-repudiation (3), Delegation (8), Confidentiality (18), Integrity (4), Networking (2), Manageability (4), Usability (8), Interoperability (5), Scalability (1), Performance (5)
- Includes
  - Virtual Organisations (VOs), Role based authorisation
  - Authorise resources as well as users
  - Local Authorisation
    - Decisions and keep ACLs local to data
  - Confidentiality
    - Encrypted medical data
    - Don't know who is in a VO
  - International Collaboration must inter-operate!
10 Authentication
- 13 approved National Certificate Authorities
  - includes Registration Authorities (check identity)
- 5 new CAs under consideration
- CNRS (France) acts as catch-all CA for countries with none
  - With appropriate RA mechanisms
- Matrix of Trust (work ongoing) - much work!
  - CA Managers check each other against agreed list of minimum requirements
  - Software tools being developed to aid this process
- Cross-Domain Authentication between Grid projects
  - USA (DOE) and CrossGrid are members of the CA group and Trust matrix
11 Authentication (2)
(Table on the slide: DataGrid CA Features matrix)
12 Authentication issues
- Don't mix Authentication and Authorisation
  - But authentication often includes some implicit authorisation
- How to define list of trusted CAs?
  - CP/CPS important
  - Audit of CA procedures by 3rd party? (not done yet)
  - GGF GridCP and CA-Ops WGs important here
- Scaling problems
  - How many CAs can we cope with? (we will reach 20)
  - Or should the VOs issue Authentication certs?
  - Or use Kerberos at the site and generate certs online
    - Some US HEP sites not happy with user-held private keys
13 Authorisation
- Testbed 0 (2000-01)
  - Based on Globus GSI and Grid Mapfile
  - Maps certificate DN to one UNIX user account
  - No groups or roles
  - Unix UID/GID-based access control
- Testbed 1 (2001-02)
  - DataGrid Virtual Organisation (VO) support
  - LDAP based VO directories
  - Tools to manage grid mapfile automation > groups
  - Leasing of dynamic user accounts
    - mods to Globus mapping code
- Testbed 2 (2002-03)
  - DataGrid VOMS, LCAS, GACL (see later)
14 EDG Authorisation: LDAP grid-mapfile generation
(Diagram on the slide: VO Directory, Authorization Directory)
15 VOMS
- Virtual Organisation Membership Service
- Modify grid-proxy-init command
  - voms-proxy-init -vo <MyVO> -role <todaysrole>
- Can request from multiple VO servers
- Creates user's proxy certificate
  - But containing signed VO membership and roles
- Roles, Groups, Capabilities
  - All possible
16 VO Membership Service
1. Client and server authenticate themselves and establish a secure communication channel using standard Globus API.
2. The Client sends the request to the Server.
3. The Server checks the request and sends back the required info (signed by itself).
4. The Client checks the validity of the info received.
5. Steps 1-4 are repeated for each Server the Client wants to contact.
6. The Client creates a proxy certificate with an extension (non critical) containing all the info received from the contacted VOMS Servers.
(Example proxy subject on the slide: /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy)
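The VOMS exchange above, followed by the service-side LCAS/LCMAPS checks of slides 13 and 18, as an added Python example that is not code from EDG, VOMS or the slides; it assumes an HMAC stand-in for the VOMS server's signature and constructed keys and mapping tables.

```python
# Added example (not EDG/VOMS project code): toy VOMS flow (slides 15-16)
# followed by LCAS/LCMAPS checks (slides 13, 18). The VOMS signature is a
# stand-in HMAC with a per-server key; the real VOMS signs an X.509 attribute
# certificate. Keys and tables below are constructed.
import hashlib, hmac, json, time

USER_DN = "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"  # sample DN from slide 16
# Constructed: VOMS servers this site trusts (VO name -> server key).
TRUSTED_VOMS_KEYS = {"MyVO": b"constructed-myvo-server-key"}
# Constructed LCMAPS table, most specific FQAN first: FQAN -> (account, group).
FQAN_MAP = {"/MyVO/Role=admin": ("myvoadm", "myvo"), "/MyVO": ("myvo001", "myvo")}

def _sign(info, key):
    payload = json.dumps(info, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def voms_issue(vo, user_dn, fqans, key, lifetime=12 * 3600):
    """Step 3: VOMS server returns the membership info, signed by itself."""
    info = {"vo": vo, "dn": user_dn, "fqans": list(fqans),
            "exp": int(time.time()) + lifetime}
    return {"info": info, "sig": _sign(info, key)}

def make_proxy(user_dn, voms_acs):
    """Step 6: proxy issued by the user's own cert, with all VOMS replies
    in a non-critical extension."""
    return {"subject": user_dn + "/CN=proxy", "issuer": user_dn,
            "ext": {"critical": False, "voms": list(voms_acs)}}

def lcas_fqans(proxy, now=None):
    """Service-side check: keep only FQANs signed by a trusted VOMS server,
    unexpired, and issued to this proxy's holder (lifted attributes are dropped)."""
    now = time.time() if now is None else now
    usable = []
    for ac in proxy["ext"]["voms"]:
        info = ac["info"]
        key = TRUSTED_VOMS_KEYS.get(info["vo"])
        if key is None or info["dn"] != proxy["issuer"] or info["exp"] <= now:
            continue
        if hmac.compare_digest(_sign(info, key), ac["sig"]):
            usable.extend(info["fqans"])
    return usable

def lcmaps(fqans):
    """Map the first FQAN with a table entry to a local account; None means
    no account for this membership (Testbed 0 only had DN -> one account)."""
    for fqan in fqans:
        if fqan in FQAN_MAP:
            return FQAN_MAP[fqan]
    return None
```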
17 VOMS
18 Security Developments
- Security components developed (see EDG web)
  - CA Trust Matrix tools
  - VO/LDAP, VOMS Authorisation
  - LCAS, LCMAPS local authorisation and mapping
  - Gridmapdir dynamic leased accounts
  - Gridsite certificate-based web management
  - SlashGrid - dn-based grid home file system
  - GACL Library to parse ACLs (XML)
  - edg-java-security (for Data Management)
19 SlashGrid / GACL (McNab, HEP Manchester)
- Framework for creating Grid-aware filesystems
  - different types of filesystem provided by dynamically loaded plugins
  - Uses CMU Coda kernel module
  - Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/
- GACL
  - a C library for manipulating Grid Access Control Lists, written in XML-based Access Control Languages.
  - http://www.gridpp.ac.uk/gacl/
- n.b. also GridSite for certificate-based web authorisation
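An added Python example, not GACL's own code, of evaluating a GACL-style XML ACL for a requester known by certificate DN plus VOMS FQANs, as slide 19 describes; the element names follow the GACL layout, while the all-credentials-must-match and deny-overrides-allow rules are assumptions of this example.

```python
# Added example (not GACL's own code): evaluate a GACL-style XML ACL for a
# requester known by certificate DN plus VOMS FQANs (slide 19, GACL/GridSite).
# Element names follow the GACL layout (gacl/entry, person/dn, voms/fqan,
# any-user, auth-user, allow/deny with read/list/write/admin); "all credentials
# in an entry must match" and "deny beats allow" are this example's assumptions.
import xml.etree.ElementTree as ET

# Constructed ACL for one data item; the first DN is the sample from slide 16.
ACL_XML = """<gacl version="0.0.1">
  <entry><person><dn>/C=IT/O=INFN/L=CNAF/CN=Pinco Palla</dn></person>
         <allow><read/><list/><write/></allow></entry>
  <entry><voms><fqan>/MyVO</fqan></voms><allow><read/><list/></allow></entry>
  <entry><voms><fqan>/MyVO/Role=admin</fqan></voms><allow><admin/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/CN=Blocked User</dn></person>
         <deny><read/><write/></deny></entry>
  <entry><any-user/><allow><list/></allow></entry>
</gacl>"""

def credential_matches(cred, dn, fqans):
    """One credential element against the requester; unknown types never match."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return dn is not None                 # any authenticated certificate holder
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn") == dn
    if cred.tag == "voms":
        return cred.findtext("fqan") in fqans  # exact FQAN match only
    return False

def gacl_permissions(acl_xml, dn, fqans=()):
    """Return the set of permissions the requester ends up with (deny wins)."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(acl_xml).findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(credential_matches(c, dn, fqans) for c in creds):
            continue  # entries without a credential, or with a non-matching one, are skipped
        for a in entry.findall("allow"):
            allowed.update(p.tag for p in a)
        for d in entry.findall("deny"):
            denied.update(p.tag for p in d)
    return allowed - denied
```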
20 Authorisation
(Architecture diagram on the slide: User with dn -> VOMS -> dn + attrs -> service (Java or C) -> authenticate -> authr / LCAS -> pre-proc -> acl -> map / LCMAPS. Examples given: Coarse-grained e.g. Spitfire (WP2); Fine-grained e.g. RepMeC (WP2/WP3); Coarse-grained e.g. CE, Gatekeeper (WP4); Fine-grained e.g. SE, /grid (WP5).)
21 Grid Deployment - issues
- Legal, political, site security policies, etc.
- The user does not (need to) know where the jobs will run
  - Cannot sign registration forms everywhere
- Acceptable Use policies (Rules)
- What is needed for User Registration?
  - We have a solution for EDG testbed
  - But not yet for full production (LCG considering this)
- What is acceptable to Site Security Officers?
  - GGF Site-AAA research group
- An extremely important area - could kill the Grid!
22 Issues: Deployment (2) - Virtual Organisation Management
- VOs need to manage their members, and sites/resource providers negotiate with VOs
  - Only system which will scale
  - Sites cannot manage large number of Grid users
- Not just a technical problem!
  - Must develop procedures to allow this to happen
  - VOs not used to managing resources
  - Will Computer Centres give up (full) control?
23 Summary
- Authentication
  - Cross-Domain Trust is the big problem
  - will it continue to scale?
- Authorisation
  - The most IMPORTANT area
  - This is where the identity and rights need to be checked
  - Technology is immature
  - Need VO management procedures/tools
- Many operational, legal, deployment issues
  - To establish Trust between Sites/VOs/users
- EDG has several solutions available for use!
24 Web links
- GridPP http://www.gridpp.ac.uk
- DataGrid http://www.eu-datagrid.org
- LCG http://lcg.web.cern.ch/LCG/
- GGF Security Area http://www.globalgridforum.org/2_SEC/SEC.htm
- DataGrid Security Requirements document http://hepwww.rl.ac.uk/kelsey/datagrid-d7.5.pdf