OSG Authentication and Authorization Infrastructure

1
OSG Authentication and Authorization
Infrastructure

• Rob Quick
• September 8, 2006

2
Agenda

• Intro to OSG
• Authentication
• TAGPMA
• DOEGrids CP/CPS
• Cert Types
• Personal
• Host
• Service
• Using Certificates

• Authorization
• VOs and VOMS
• Software on CE
• Role Based Cert Extensions
• Certificate Mapping
• Other Security Procedures

3
The Open Science Grid

• 26 Registered Virtual Organizations
• 64 Compute Resources, 11 Storage Resources (US,
  South America, and Asia)
• Currently 4100 Running Jobs, 4600 Idle Jobs
  (1300 ET Tuesday, Sept 5)
• Current usage largely LHC science
• Interoperation with EGEE, TeraGrid, Regional and
  Campus Grids

4
Authentication
Authentication merely ensures that the individual
is who he or she claims to be, but says nothing
about the access rights of the individual.
5
TAGPMA

• Three Regional Policy Management Authorities for
  Grids
• EUGridPMA
• APGridPMA
• The Americas Grid Policy Management Authority
  (TAGPMA)
• International Grid Trust Federation
• Defining authentication profiles and minimum
  requirements to be trusted globally.
• Currently using IGTF 1.8 Distribution
• Purpose
• Bring together relying parties and certificate
  authorities in the Americas to agree on
  authentication profiles
• Reflect geographic realities
• Develop new profiles for use by members

6
DOEGrids Certificates

• Certificate Authority
• The entity/system that issues X.509 identity
  certificates
• Registration Authority
• The entity that is responsible for identification
  authentication of certificate subjects.
• Formerly iVDGL now OSG (www.grid.iu.edu/osg-ra)
• VO Sponsors
• Local identification of OSG users.
• Each VO is responsible for assuring the identity
  of its users and setting policy related to
  procuring credentials

7
OSG VO Authentication Process

• User requests cert from DOEGrids
• OSG RA confirms identity via
• Digitally Signed Mail
• Phone
• Only if RA and Requester have previously met
• Face to Face Meeting
• RA Approves Certificate

8
Personal Certificate Policies

• Distinguished name must be unique
• Minimum key length 1024
• End Entity must generate private key.
• Certificate lifetime of no more than 12 months.

9
Certificate Types

• Personal
• /DCorg/DCdoegrids/OUPeople/CNRobert Quick
  290407
• usercert.pem - userkey.pem
• Host
• DCorg/DCdoegrids/OUServices/CNfeynman.uits.iup
  ui.edu
• hostcert.pem - hostkey.pem
• Service
• DCorg/DCdoegrids/OUServices/CNfeynman.uits.iup
  ui.edu
• servicecert.pem - servicekey.pem
• Service http, tomcat, container, ldap, etc.

10
Using Certs

• PKCS12
• Personal Information Exchange Syntax Standard
• Certificate Delivered (.p12)
• Privacy Enhanced Mail (.pem)
• Public Key
• openssl pkcs12 -in YourCert.p12 -clcerts -nokeys
  -out HOME/.globus/usercert.pem
• Private Key
• openssl pkcs12 -in YourCert.p12 -nocerts -out
  HOME/.globus/userkey.pem
• Cert Validation During Grid Transactions
• Proxy certificates (RCF 3820)
• Trusted CA CRL downloaded from VDT
• Updated CRLs on each resource or GUMS server

11
Authorization
Authorization allows the user to access resources
based on the users identity.
12
VOs

• Virtual Organizations
• Usually Experiment or Service Based
• Each Responsible for Allow Members
• System Admins choose which VOs to allow based on
  site policy and experimental alignment
• IU Sponsored VOs OSG, OSGEDU, fMRI, iVDGL,
  GridEx, and MIS

13
VOMS

• Virtual Organization Membership Service
• Web Based Tool for Managing VO Membership
• Developed at CERN by EU DataGrid

14
Compute Element Software

• CA Certificates
• Based on IGTF 1.8 Distribution (August 2006)
• Root Certificates and related meta-information
• Certificate Revocation List (CRL) locations
• Contact Information
• Signing Policies
• CRL Updates
• Runs as daemon on each gatekeeper or GUMS server
  updating each day

15
Role Based Certificate Extensions

• Motivation
• Previously all many-to-one local mapping
• All VO Users Mapped to the same local account
• Decreases System Security
• Decreases Data Security
• Hinders Accounting
• Centralized Management of Grid-Identity
• Centralized Identity Mapping
• Need to be able to map Roles within a VO
• Role Based Identity Mapping

16
Role Based Certificate Extensions (Cont)
17
Centralized Mapping Requirements

• PRIMA Module
• Gatekeeper must be equipped with Grid-map callout
  introduced in GT3.2
• Must be able to open outgoing HTTPS connection to
  GUMS server
• GUMS
• Tomcat
• Incoming HTTPS Connections
• MySQL
• Synchronization with VOMS of all VOs

18
Role-Based Identity MappingRequirements

• Each Gatekeeper needs the set of public-key certs
  that are trusted to issue VOMS-extended proxies
• VOMS-proxy-init
• Client
• VOMS Versions 1.2.19 or later
• VOMS server accepting incoming connections from
  every possible VO members workstation

19
Certificate Mapping

• Grid User Management System
• Sites that do not use GRID credentials natively
• UNIX accounts
• Kerberos principals
• Gatekeeper enforce site mapping established by
  GUMS
• Good in heterogeneous environments using multiple
  gatekeepers
• Gridmap File
• Pulls to a local file from VOMS Servers

20
Other Security Concerns

• Local OSG Infrastructure Services
• Risk Assessment Plan
• Public Input to OSG GOC
• security_at_, abuse_at_,incident_at_