EU DataGrid Security - UK Security Workshop, 5-6 Dec 2002, NeSC (PowerPoint presentation)

1
EU DataGrid Security
UK Security Workshop, 5-6 Dec 2002, NeSC
  • David Kelsey, CLRC/RAL, UK, d.p.kelsey@rl.ac.uk

2
Overview
  • GridPP/EU DataGrid (EDG)/CERN LCG
  • DataGrid Security Introduction
  • Security Requirements
  • Authentication issues
  • Authorisation issues
  • Deployment issues
  • DataGrid Security Solutions
  • Summary

3
(No Transcript)
4
GridPP
£17M PPARC project to build a Grid for UK PP, Sep 01 - Aug 04
(diagram labels: Provide architecture and middleware; Future LHC experiments; Running US experiments; Use the Grid with simulated data; Use the Grid with real data)
5
Main Partners
  • CERN International (Switzerland/France)
  • CNRS - France
  • ESA/ESRIN International (Italy)
  • INFN - Italy
  • NIKHEF The Netherlands
  • PPARC - UK

6
Assistant Partners
  • Industrial Partners
    • Datamat (Italy)
    • IBM-UK (UK)
    • CS-SI (France)
  • Research and Academic Institutes
    • CESNET (Czech Republic)
    • Commissariat à l'énergie atomique (CEA) - France
    • Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI)
    • Consiglio Nazionale delle Ricerche (Italy)
    • Helsinki Institute of Physics - Finland
    • Institut de Fisica d'Altes Energies (IFAE) - Spain
    • Istituto Trentino di Cultura (IRST) - Italy
    • Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany
    • Royal Netherlands Meteorological Institute (KNMI)
    • Ruprecht-Karls-Universität Heidelberg - Germany
    • Stichting Academisch Rekencentrum Amsterdam (SARA) - Netherlands
    • Swedish Research Council - Sweden

7
Project Scope
  • To develop, implement and exploit a large-scale data- and CPU-oriented computational GRID.
  • 9.8 M Euros EU funding over 3 years (Jan 01 - Dec 03)
  • 90 for middleware and 3 application areas
    • HEP
    • Earth Observation
    • Bio-medical
  • Three-year phased developments & demos (2001-2003)
  • Related EU projects
    • DataTAG (2002-2003)
    • CrossGrid (2002-2004)

8
DataGrid Security Introduction
  • No single Work Package (security is everywhere!)
  • 3 security sub-groups
    • Authentication, Authorisation, Co-ordination
  • Based on Globus GSI
    • But adding our own extra functionality
  • EU Deliverables (documents)
    • Security Requirements and first implementation (D7.5), completed May 2002
    • Security Design and 2nd implementation (D7.6), Jan 2003
  • Many topics not covered today!

9
Security Requirements
  • 112 documented in the D7.5 document
    • 72 essential, 37 desirable, 3 long-term aims
    • Authentication (17), Authorisation (32), Auditing (5), Non-repudiation (3), Delegation (8), Confidentiality (18), Integrity (4), Networking (2), Manageability (4), Usability (8), Interoperability (5), Scalability (1), Performance (5)
  • Includes
    • Virtual Organisations (VOs) and role-based authorisation
    • Authorise resources as well as users
    • Local authorisation
      • Decisions made, and ACLs kept, local to the data
    • Confidentiality
      • Encrypted medical data
      • Don't know who is in a VO
    • International collaboration must inter-operate!

10
Authentication
  • 13 approved national Certificate Authorities
    • includes Registration Authorities (RAs) to check identity
  • 5 new CAs under consideration
  • CNRS (France) acts as catch-all CA for countries with none
    • with appropriate RA mechanisms
  • Matrix of Trust (work ongoing, much work!)
    • CA managers check each other against an agreed list of minimum requirements
    • Software tools being developed to aid this process
  • Cross-domain authentication between Grid projects
    • USA (DOE) and CrossGrid are members of the CA group and Trust matrix

11
Authentication (2)
DataGrid CA features matrix (table not reproduced in the transcript)
12
Authentication issues
  • Don't mix Authentication and Authorisation
    • But authentication often includes some implicit authorisation
  • How to define the list of trusted CAs?
    • CP/CPS important
    • Audit of CA procedures by a 3rd party? (not done yet)
    • GGF GridCP and CA-Ops WGs important here
  • Scaling problems
    • How many CAs can we cope with? (we will reach 20)
    • Or should the VOs issue authentication certs?
    • Or use Kerberos at the site and generate certs online
  • Some US HEP sites not happy with user-held private keys

13
Authorisation
  • Testbed 0 (2000-01)
    • Based on Globus GSI and the grid-mapfile
    • Maps certificate DN to one UNIX user account
    • No groups or roles
    • Unix UID/GID-based access control
  • Testbed 1 (2001-02)
    • DataGrid Virtual Organisation (VO) support
    • LDAP-based VO directories
    • Tools to manage the grid-mapfile: automation -> groups
    • Leasing of dynamic user accounts
    • mods to Globus mapping code
  • Testbed 2 (2002-03)
    • DataGrid VOMS, LCAS, GACL (see later)
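The Testbed 0/1 mechanisms listed above, as an added example that is not EDG or Globus code: a parser for the Globus grid-mapfile format (one quoted DN per line followed by the account), the EDG convention of a leading dot marking a pool of accounts rather than a fixed one, and gridmapdir-style leasing, where a DN is bound to a free pool account by a hard link named after the encoded DN. The mapfile, the DNs and the two-account pool are constructed for the example, and the EDG tools are C while this is Go. gridmapdir itself decides "free" from st_nlink; the example counts links with os.SameFile to stay portable.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mapping is one grid-mapfile entry. Pool marks the EDG gridmapdir convention of an
// account written with a leading dot (".dteam" = lease one of the dteamNNN accounts).
type Mapping struct {
	Account string
	Pool    bool
}

// ParseGridMapfile reads Globus lines of the form  "<DN>" account[,account...]
// keyed by DN; the first account on a line is the default mapping.
func ParseGridMapfile(text string) (map[string]Mapping, error) {
	out := map[string]Mapping{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' {
			continue
		}
		end := strings.Index(line[1:], `"`)
		if line[0] != '"' || end < 0 {
			return nil, fmt.Errorf("DN must be double-quoted: %q", line)
		}
		acct := strings.Split(strings.TrimSpace(line[2+end:]), ",")[0]
		if acct == "" {
			return nil, fmt.Errorf("no account on line %q", line)
		}
		out[line[1:1+end]] = Mapping{Account: strings.TrimPrefix(acct, "."), Pool: acct[0] == '.'}
	}
	return out, nil
}

// EncodeDN makes the gridmapdir file name for a DN: lowercase, every byte outside
// [a-z0-9] as %xx, so "/C=UK" becomes "%2fc%3duk" (every lease link starts with "%2f").
func EncodeDN(dn string) string {
	var b strings.Builder
	for _, c := range []byte(strings.ToLower(dn)) {
		if (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02x", c)
		}
	}
	return b.String()
}

// links counts directory entries sharing pool's inode: the pool file plus one per
// lease. gridmapdir itself reads st_nlink; os.SameFile keeps this portable.
func links(dir string, pool os.FileInfo) (n int) {
	entries, _ := os.ReadDir(dir)
	for _, e := range entries {
		if fi, err := os.Stat(filepath.Join(dir, e.Name())); err == nil && os.SameFile(fi, pool) {
			n++
		}
	}
	return n
}

// Lease binds dn to a free pool account with the given prefix by hard-linking the
// pool file under the encoded DN. An existing link returns the same account again,
// so a user keeps one local identity across jobs until the lease is released.
func Lease(dir, prefix, dn string) (string, error) {
	link := filepath.Join(dir, EncodeDN(dn))
	existing, _ := os.Stat(link) // nil when this DN holds no lease yet
	entries, err := os.ReadDir(dir)
	if err != nil {
		return "", err
	}
	for _, e := range entries {
		pool := filepath.Join(dir, e.Name())
		fi, err := os.Stat(pool)
		if err != nil || !strings.HasPrefix(e.Name(), prefix) {
			continue // only pool files carry the prefix; lease links start with "%2f"
		}
		if existing != nil {
			if os.SameFile(existing, fi) {
				return e.Name(), nil
			}
			continue
		}
		if links(dir, fi) != 1 || os.Link(pool, link) != nil {
			continue // already leased, or another process got there first
		}
		if links(dir, fi) == 2 {
			return e.Name(), nil
		}
		os.Remove(link) // two DNs linked the same file at once: back off and try the next
	}
	return "", fmt.Errorf("no free %s pool account for %s", prefix, dn)
}

// Release drops the DN's lease; the pool file stays for the next user.
func Release(dir, dn string) error {
	return os.Remove(filepath.Join(dir, EncodeDN(dn)))
}

// MapUser is the mapping step a gatekeeper performs: unknown DNs are refused, static
// entries return their account, pool entries lease one from the gridmapdir.
func MapUser(maps map[string]Mapping, dir, dn string) (string, error) {
	m, ok := maps[dn]
	switch {
	case !ok:
		return "", fmt.Errorf("%s is not in the grid-mapfile", dn)
	case !m.Pool:
		return m.Account, nil
	}
	return Lease(dir, m.Account, dn)
}

// mapfile is a constructed grid-mapfile; the DNs are invented.
const mapfile = `"/C=UK/O=eScience/OU=RAL/CN=site admin" admin
"/C=UK/O=eScience/OU=RAL/CN=Jane Doe" .dteam
"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla" .dteam
"/C=FR/O=CNRS/CN=Jean Dupont" .dteam`

func main() {
	dir, err := os.MkdirTemp("", "gridmapdir")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, a := range []string{"dteam001", "dteam002"} { // a two-account pool
		os.WriteFile(filepath.Join(dir, a), nil, 0o644)
	}
	maps, err := ParseGridMapfile(mapfile)
	if err != nil {
		panic(err)
	}
	for _, dn := range []string{"/C=UK/O=eScience/OU=RAL/CN=site admin", "/C=UK/O=eScience/OU=RAL/CN=Jane Doe",
		"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla", "/C=FR/O=CNRS/CN=Jean Dupont", "/C=UK/O=eScience/OU=RAL/CN=Jane Doe"} {
		acct, err := MapUser(maps, dir, dn)
		fmt.Printf("%-40s -> %s %v\n", dn, acct, err)
	}
}
```

Running it, the admin DN gets its static account, the first two pool users get dteam001 and dteam002, the third is refused because the pool is exhausted, and the repeated DN gets dteam001 again rather than a new account. The back-off after linking is what keeps two DNs from silently sharing one UID when two gatekeepers race.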

14
EDG Authorisation: LDAP grid-mapfile generation
(diagram: VO Directory and Authorization Directory; not reproduced in the transcript)
15
VOMS
  • Virtual Organisation Membership Service
  • Modified grid-proxy-init command
    • voms-proxy-init -vo <MyVO> -role <todaysrole>
    • Can request from multiple VO servers
  • Creates the user's proxy certificate
    • But containing signed VO membership and roles
  • Roles, Groups, Capabilities
    • All possible
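The VOMS exchange of this slide and the numbered steps of the next, as an added Go example that is not VOMS code: a VO membership service that checks membership and the requested role, signs the holder's FQANs with a lifetime, and a client that validates every reply (signature, issuer, binding to its own DN, expiry) before letting it anywhere near a proxy, repeating this once per server. Assumed and simplified: the attributes are a small ASN.1 structure of the example's own rather than the RFC 3281 attribute certificate real VOMS issues; the authenticated GSI channel of step 1 is elided, the client being handed the server's public key and DN directly; and the DNs, VO names and roles are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// VOAttrs is the payload a VOMS server signs. Real VOMS carries it as an RFC 3281
// attribute certificate; this example uses a smaller ASN.1 structure of its own.
type VOAttrs struct {
	Raw      asn1.RawContent // DER of this SEQUENCE, filled in when parsed
	Holder   string          // grid DN of the user the attributes are bound to
	Issuer   string          // grid DN of the VOMS server
	FQANs    []string        // e.g. /dteam, /dteam/Role=admin
	NotAfter time.Time
}

// SignedAttrs is the server's reply, later copied as-is into the proxy extension.
type SignedAttrs struct {
	Attrs VOAttrs
	Sig   []byte // ECDSA over SHA-256(DER of Attrs) with the server's key
}

// VOMSServer is one VO's membership service. Members maps a member's grid DN to the
// roles it holds (nil for plain membership); non-members are simply absent.
type VOMSServer struct {
	key     *ecdsa.PrivateKey
	DN, VO  string
	Members map[string][]string
}

func NewVOMSServer(dn, vo string, members map[string][]string) (*VOMSServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &VOMSServer{key, dn, vo, members}, nil
}

// PublicKey stands in for the key the client reads from the server's certificate
// during the GSI handshake of step 1.
func (s *VOMSServer) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign is steps 2-3: holder is the DN authenticated on the channel, role is what
// voms-proxy-init -role asked for. Non-members and roles not held are refused.
func (s *VOMSServer) Sign(holder, role string, lifetime time.Duration) ([]byte, error) {
	roles, member := s.Members[holder]
	if !member {
		return nil, fmt.Errorf("%s is not a member of %s", holder, s.VO)
	}
	fqans := []string{"/" + s.VO}
	if role != "" {
		held := false
		for _, r := range roles {
			held = held || r == role
		}
		if !held {
			return nil, fmt.Errorf("%s does not hold Role=%s in %s", holder, role, s.VO)
		}
		fqans = append(fqans, "/"+s.VO+"/Role="+role)
	}
	attrs := VOAttrs{Holder: holder, Issuer: s.DN, FQANs: fqans, NotAfter: time.Now().Add(lifetime)}
	tbs, err := asn1.Marshal(attrs)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(tbs)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(SignedAttrs{attrs, sig})
}

// Verify is step 4 at the client (and the same check a service repeats later): the
// reply must be signed by the server we talked to, name that server as issuer, be
// bound to our own DN and be unexpired. Anything else is discarded, not "fixed up".
func Verify(reply []byte, serverPub *ecdsa.PublicKey, serverDN, holder string) ([]string, error) {
	var s SignedAttrs
	if rest, err := asn1.Unmarshal(reply, &s); err != nil || len(rest) != 0 {
		return nil, errors.New("malformed VOMS reply")
	}
	digest := sha256.Sum256(s.Attrs.Raw)
	switch {
	case !ecdsa.VerifyASN1(serverPub, digest[:], s.Sig):
		return nil, errors.New("bad VOMS signature")
	case s.Attrs.Issuer != serverDN:
		return nil, errors.New("reply names a different issuer")
	case s.Attrs.Holder != holder:
		return nil, errors.New("attributes are bound to a different holder")
	case time.Now().After(s.Attrs.NotAfter):
		return nil, errors.New("attributes already expired")
	}
	return s.Attrs.FQANs, nil
}

// Request is one VO to ask and the role to ask it for ("" for plain membership).
type Request struct {
	Server *VOMSServer
	Role   string
}

// Collect is step 5: run steps 2-4 against every requested server and gather the
// validated replies for the proxy. One refused or invalid reply aborts the whole
// run instead of issuing a proxy with a silently incomplete set of attributes.
func Collect(holder string, reqs []Request, lifetime time.Duration) ([][]byte, []string, error) {
	var replies [][]byte
	var fqans []string
	for _, r := range reqs {
		reply, err := r.Server.Sign(holder, r.Role, lifetime)
		if err != nil {
			return nil, nil, err
		}
		f, err := Verify(reply, r.Server.PublicKey(), r.Server.DN, holder)
		if err != nil {
			return nil, nil, err
		}
		replies = append(replies, reply)
		fqans = append(fqans, f...)
	}
	return replies, fqans, nil
}

// Demo stands up two constructed VOs and runs one voms-proxy-init for Pinco Palla,
// asking dteam for the admin role and atlas for plain membership.
func Demo() ([]string, error) {
	pinco := "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"
	dteam, err := NewVOMSServer("/C=IT/O=INFN/CN=voms.cnaf.example", "dteam", map[string][]string{pinco: {"admin"}})
	if err != nil {
		return nil, err
	}
	atlas, err := NewVOMSServer("/C=CH/O=CERN/CN=voms.atlas.example", "atlas", map[string][]string{pinco: nil})
	if err != nil {
		return nil, err
	}
	_, fqans, err := Collect(pinco, []Request{{dteam, "admin"}, {atlas, ""}}, 12*time.Hour)
	return fqans, err
}

func main() {
	fmt.Println(Demo())
}
```

The holder check in Verify is the point of the slide's "signed by itself": a reply is only useful to the DN it was issued for, so a captured reply for another user cannot be dropped into one's own proxy. The signature is computed over the DER the client actually received (the RawContent field), not over a re-encoding, so a parser that normalises the bytes cannot make a forged reply verify.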

16
VO Membership Service
  1. Client and server authenticate themselves and establish a secure communication channel using the standard Globus API.
  2. The client sends the request to the server.
  3. The server checks the request and sends back the required info (signed by itself).
  4. The client checks the validity of the info received.
  5. Steps 1-4 are repeated for each server the client wants to contact.
  6. The client creates a proxy certificate with a (non-critical) extension containing all the info received from the contacted VOMS servers.

(diagram: resulting proxy subject /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy)
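The last step of the exchange, and what a service does with the result, as an added Go example that is not Globus or EDG code: the user issues a short-lived proxy certificate under their own long-lived key, named with the GSI rule "user subject plus CN=proxy" shown in the diagram, with the VOMS reply carried in a non-critical extension; the relying party then checks that the user certificate chains to a trusted CA, that the proxy is signed by that user's key, that its name follows the rule and that it is inside its lifetime. Assumed: an example-private OID for the extension (real VOMS uses its own registered OID), a constructed national CA with invented DNs, and an opaque byte string standing in for the signed VOMS reply, whose own signature is checked separately.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidVOMSAttrs is an example-private OID for the proxy extension; VOMS has its own.
var oidVOMSAttrs = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}
var shortName = map[string]string{"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.7": "L", "2.5.4.3": "CN"}

// GridDN renders a parsed subject in Globus slash form, e.g. /C=IT/O=INFN/CN=Pinco Palla.
func GridDN(n pkix.Name) (s string) {
	for _, a := range n.Names {
		s += fmt.Sprintf("/%s=%v", shortName[a.Type.String()], a.Value)
	}
	return s
}

// issue generates a key pair and certifies it under parent (self-signed when parent
// is nil). A proxy is issued the same way, with the user's certificate as parent.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// tmpl is a one-day certificate template; only CAs get the cA flag and CertSign usage.
func tmpl(c, o, cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: ca, BasicConstraintsValid: ca,
		Subject:   pkix.Name{Country: []string{c}, Organization: []string{o}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// MakeProxy is the final step of voms-proxy-init (grid-proxy-init when vomsReply is
// nil): a fresh key pair certified by the user's own long-lived key, subject = user
// subject + CN=proxy, short lifetime, and the VOMS reply carried verbatim in a
// non-critical extension so VOMS-unaware relying parties still accept the proxy.
func MakeProxy(user *x509.Certificate, userKey *ecdsa.PrivateKey, vomsReply []byte, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	var seq pkix.RDNSequence
	if _, err := asn1.Unmarshal(user.RawSubject, &seq); err != nil {
		return nil, nil, err
	}
	raw, err := asn1.Marshal(append(seq, pkix.RelativeDistinguishedNameSET{{Type: oidCN, Value: "proxy"}}))
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), RawSubject: raw,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime)}
	if vomsReply != nil {
		t.ExtraExtensions = []pkix.Extension{{Id: oidVOMSAttrs, Critical: false, Value: vomsReply}}
	}
	return issue(t, user, userKey)
}

// CheckProxy is what a service does before any authorisation decision: the user
// certificate must chain to a trusted national CA, the proxy must be signed by the
// user's key, be named <user DN>/CN=proxy and be inside its lifetime. It returns the
// user's grid DN and the raw VOMS extension (nil for a plain GSI proxy).
func CheckProxy(proxy, user *x509.Certificate, roots *x509.CertPool) (string, []byte, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := user.Verify(opts); err != nil {
		return "", nil, fmt.Errorf("user certificate: %w", err)
	}
	// CheckSignatureFrom would refuse a non-CA issuer; that is exactly the rule GSI
	// (later RFC 3820) relaxes for proxies, so only the signature itself is checked.
	if err := user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return "", nil, fmt.Errorf("proxy signature: %w", err)
	}
	dn := GridDN(user.Subject)
	if GridDN(proxy.Subject) != dn+"/CN=proxy" {
		return "", nil, errors.New("proxy subject is not the user subject plus CN=proxy")
	}
	if now := time.Now(); now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) {
		return "", nil, errors.New("proxy outside its validity period")
	}
	for _, ext := range proxy.Extensions {
		if ext.Id.Equal(oidVOMSAttrs) {
			return dn, ext.Value, nil
		}
	}
	return dn, nil, nil
}

// Setup stands up a constructed national CA and the root pool a service would trust.
func Setup() (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey, error) {
	ca, caKey, err := issue(tmpl("IT", "INFN", "INFN CA", 1, true), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, ca, caKey, nil
}

// Demo: the CA issues Pinco Palla's certificate, the user makes a 12-hour proxy around
// a stand-in for the signed VOMS reply, and the service checks it.
func Demo() (string, []byte, error) {
	roots, ca, caKey, err := Setup()
	if err != nil {
		return "", nil, err
	}
	user, userKey, err := issue(tmpl("IT", "INFN", "Pinco Palla", 2, false), ca, caKey)
	if err != nil {
		return "", nil, err
	}
	vomsReply := []byte("signed VOMS attributes stand-in") // constructed, not a real reply
	proxy, _, err := MakeProxy(user, userKey, vomsReply, 12*time.Hour)
	if err != nil {
		return "", nil, err
	}
	return CheckProxy(proxy, user, roots)
}

func main() {
	dn, attrs, err := Demo()
	fmt.Println(dn, string(attrs), err)
}
```

The subject rule is what stops a user from minting a certificate for somebody else with their own key: any user-signed certificate whose name is not exactly their own DN plus CN=proxy is refused, and because the extension is non-critical a service that knows nothing about VOMS still accepts the proxy as a plain GSI credential, which is the behaviour the slide describes.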
17
VOMS
18
Security Developments
  • Security components developed (see EDG web)
    • CA Trust Matrix tools
    • VO/LDAP and VOMS authorisation
    • LCAS, LCMAPS: local authorisation and mapping
    • Gridmapdir: dynamic leased accounts
    • GridSite: certificate-based web management
    • SlashGrid: DN-based grid home filesystem
    • GACL: library to parse ACLs (XML)
    • edg-java-security (for Data Management)

19
SlashGrid & GACL (McNab, HEP Manchester)
  • SlashGrid
    • Framework for creating Grid-aware filesystems
    • Different types of filesystem provided by dynamically loaded plugins
    • Uses the CMU Coda kernel module
    • Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/
  • GACL
    • A C library for manipulating Grid Access Control Lists, written in XML-based access control languages.
    • http://www.gridpp.ac.uk/gacl/
  • N.B. also GridSite for certificate-based web authorisation
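The XML access control lists GACL handles, as an added Go example that is not the GACL C library: parse an ACL, match each entry's credential against the authenticated DN and any VOMS FQANs from the proxy, and combine the entries into an effective permission set. The element layout (gacl, entry, person/dn, any-user, allow/deny with read, list, write, admin) follows GridSite's GACL; the voms/fqan credential is a GridSite addition from after this talk and is included as an assumption, and the ACL text, DNs and FQANs are constructed. The combination rule used here, allow union minus deny union so that a deny anywhere overrides an allow anywhere, is GridSite's; exact-string FQAN matching is a simplification.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Perm is one GACL permission bit; <allow> and <deny> are sets of them.
type Perm uint8

const (
	Read Perm = 1 << iota
	List
	Write
	Admin
)

var permNames = []struct {
	p Perm
	n string
}{{Read, "read"}, {List, "list"}, {Write, "write"}, {Admin, "admin"}}

func (p Perm) String() string {
	var names []string
	for _, pn := range permNames {
		if p&pn.p != 0 {
			names = append(names, pn.n)
		}
	}
	if names == nil {
		return "none"
	}
	return strings.Join(names, ",")
}

// permSet mirrors <allow>/<deny>: each permission present is an empty child element.
type permSet struct {
	Read  *struct{} `xml:"read"`
	List  *struct{} `xml:"list"`
	Write *struct{} `xml:"write"`
	Admin *struct{} `xml:"admin"`
}

func (s *permSet) mask() (p Perm) {
	if s == nil {
		return 0
	}
	for _, f := range []struct {
		set *struct{}
		p   Perm
	}{{s.Read, Read}, {s.List, List}, {s.Write, Write}, {s.Admin, Admin}} {
		if f.set != nil {
			p |= f.p
		}
	}
	return p
}

// Entry is one <entry>: exactly one credential pattern plus what it allows and denies.
type Entry struct {
	Person  *struct{ DN string `xml:"dn"` }     `xml:"person"`
	VOMS    *struct{ FQAN string `xml:"fqan"` } `xml:"voms"`
	AnyUser *struct{}                           `xml:"any-user"`
	Allow   *permSet                            `xml:"allow"`
	Deny    *permSet                            `xml:"deny"`
}

type GACL struct {
	XMLName xml.Name `xml:"gacl"`
	Entries []Entry  `xml:"entry"`
}

// Credentials are what the service established before consulting the ACL: the DN
// authenticated on the GSI channel and the FQANs taken from the VOMS proxy, if any.
type Credentials struct {
	DN    string
	FQANs []string
}

func (e *Entry) matches(c Credentials) bool {
	switch {
	case e.AnyUser != nil:
		return true
	case e.Person != nil:
		return strings.TrimSpace(e.Person.DN) == c.DN
	case e.VOMS != nil:
		for _, f := range c.FQANs {
			if f == strings.TrimSpace(e.VOMS.FQAN) {
				return true
			}
		}
	}
	return false
}

// Parse reads a GACL document and rejects entries naming no credential, so that a
// misspelt element cannot silently become a rule that matches nobody (or everybody).
func Parse(doc string) (*GACL, error) {
	var g GACL
	if err := xml.Unmarshal([]byte(doc), &g); err != nil {
		return nil, err
	}
	for i, e := range g.Entries {
		if e.Person == nil && e.VOMS == nil && e.AnyUser == nil {
			return nil, fmt.Errorf("entry %d names no credential", i+1)
		}
	}
	return &g, nil
}

// Evaluate returns the union of <allow> over matching entries minus the union of
// <deny>, so a deny anywhere overrides an allow anywhere. Nothing matching means none.
func (g *GACL) Evaluate(c Credentials) Perm {
	var allow, deny Perm
	for i := range g.Entries {
		if g.Entries[i].matches(c) {
			allow |= g.Entries[i].Allow.mask()
			deny |= g.Entries[i].Deny.mask()
		}
	}
	return allow &^ deny
}

// sampleACL is a constructed ACL: the owner may read/list/write, dteam admins may
// administer, everyone may read, and one named DN is banned outright.
const sampleACL = `<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry><person><dn>/C=IT/O=INFN/L=CNAF/CN=Pinco Palla</dn></person><allow><read/><list/><write/></allow></entry>
  <entry><voms><fqan>/dteam/Role=admin</fqan></voms><allow><admin/></allow></entry>
  <entry><any-user/><allow><read/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/CN=Mallory</dn></person><deny><read/><list/><write/><admin/></deny></entry>
</gacl>`

func main() {
	g, err := Parse(sampleACL)
	if err != nil {
		panic(err)
	}
	pinco := "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"
	for _, c := range []Credentials{
		{DN: pinco},
		{DN: pinco, FQANs: []string{"/dteam", "/dteam/Role=admin"}},
		{DN: "/C=UK/O=eScience/CN=Bob"},
		{DN: "/C=UK/O=eScience/CN=Mallory", FQANs: []string{"/dteam/Role=admin"}},
	} {
		fmt.Printf("%-40s %-30v -> %s\n", c.DN, c.FQANs, g.Evaluate(c))
	}
}
```

The last case is the one to notice: Mallory presents a valid dteam admin FQAN and would collect read and admin from two entries, yet the deny entry on the DN removes everything. That is why the ACL stays meaningful when VO membership is managed by someone other than the site: the resource owner can still exclude an individual whatever the VO says.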

20
Authorisation
(diagram, not reproduced in the transcript: a User with a dn, VOMS supplying dn + attrs, and a service that authenticates and then authorises; labels along the Java and C paths read authr, LCAS, pre-proc, acl, map, LCMAPS)
  • Coarse-grained, e.g. Spitfire (WP2)
  • Fine-grained, e.g. RepMeC (WP2/WP3)
  • Coarse-grained, e.g. CE, Gatekeeper (WP4)
  • Fine-grained, e.g. SE, /grid (WP5)
21
Grid Deployment - issues
  • Legal, political, site security policies, etc.
  • The user does not (need to) know where the jobs will run
    • Cannot sign registration forms everywhere
  • Acceptable Use Policies (Rules)
  • What is needed for User Registration?
    • We have a solution for the EDG testbed
    • But not yet for full production (LCG considering this)
  • What is acceptable to Site Security Officers?
    • GGF Site-AAA research group
  • An extremely important area: could kill the Grid!

22
Deployment issues (2): Virtual Organisation Management
  • VOs need to manage their members, and sites/resource providers negotiate with VOs
    • Only system which will scale
    • Sites cannot manage a large number of Grid users
  • Not just a technical problem!
    • Must develop procedures to allow this to happen
  • VOs not used to managing resources
  • Will Computer Centres give up (full) control?

23
Summary
  • Authentication
    • Cross-Domain Trust is the big problem
    • Will it continue to scale?
  • Authorisation
    • The most IMPORTANT area
    • This is where the identity and rights need to be checked
    • Technology is immature
    • Need VO management procedures/tools
  • Many operational, legal, deployment issues
    • To establish Trust between Sites/VOs/users
  • EDG has several solutions available for use!

24
Web links
  • GridPP http://www.gridpp.ac.uk
  • DataGrid http://www.eu-datagrid.org
  • LCG http://lcg.web.cern.ch/LCG/
  • GGF Security Area http://www.globalgridforum.org/2_SEC/SEC.htm
  • DataGrid Security Requirements document http://hepwww.rl.ac.uk/kelsey/datagrid-d7.5.pdf