WP4 Security and AAA issues

1
WP4 Security and AA(A) issues

• For WP4 David Groep
• hep-proj-grid-fabric_at_cern.ch

2
WP4 self-organization (1)

• Configuration management
• What should a system look like, what is installed
• Systems Installation
• Bootstrapping and installing software packages on
  10.000 nodes
• Resource Management
• Queuing system, task scheduling, quotas n budget

3
WP4 self-organization (2)

• Monitoring
• Performance and functional monitoring
• Fault Tolerance Exception Recovery
• Detect exceptions using monitoring information
  and schedule recovery actions, make self-healing
  nodes
• Gridification
• Job authorization, credential mapping,
  information abstraction and network accessibility

4
Internal and external AAA

• External AAA
• interaction of a compute centre with global
  grid ? through WP1 (ComputeElement) and WP2
  (StorageElement)
• Internal AAA
• recognizing trusted components and operators
• authorization for jobs and files
• access to information services
• Protecting jobs and files whilst in the fabric
  (uid issues)

5
A use case for job submission

• Accept a job from ComputeElement (the Grid)
• Check authorization w.r.t. extra local policies
• Assign necessary local credentials
• Have the job run on the local fabric

6
Gridification of a Compute Centre
Externally visible
Job Rep.
Local to the fabric
GridJobMediating Serv
7
Job life cycle in a fabric

• GjMS Grid-job Mediating Service
• Accept jobs from ComputeElement and shuffle them
  through the AAA chain
• LCAS Local Community Authorization Service
• Authorize a job or store request to run on this
  fabric
• Based on community-wide CAS (VOs) add extra
  constrains like budgets, ban lists, wall clock
  limitations
• LCMAPS Local Credential Mapping Service
• Obtain the usual credentials for running
  (uid/gid)
• Issues additional credentials for AFS, K5, .

8
Gridification of a Compute Centre
Externally visible
Grid Info Serv (WP3)
GridGATEprotocol gateway
ComputeElmt
GriFIS
Job Rep.
Local to the fabric
GridJobMediating Serv
Fabric-localID-service
Local CredentialMapping Serv
LCAS
AuthZ plugins
Policy list
User Rep.
QuotaCheck
9
FLIDS (Fabric-local ID service)

• within a fabric only a local certifying entity
  will be sufficiently trusted
• Signing authority for LCAS accepted (job)
  requests
• Identify trusted operators for installation of
  new systems
• Identify and certify hosts within a fabric
• FLIDS is (a tree of) certification authorities
• Some of those automated CAs
• Sign certificates when request is singed by
  trusted operator

10
Information and Configuration

• A configuration database existscontaining the
  desired state of the local fabric
• Contains sensitive information
• Prevent unauthorized read access
• Prevent snooping information sent to other hosts
• PM9 (and possibly beyond?)web-server XML over
  HTTPS
• Write access limited to special operator
  interface only

11
Another FLIDS application

• Adding a new host to a fabric
• Possibly in a hostile environment
• We have a trusted operator with an install disk
• Need to get initial configuration information
• Which includes,e.g., a ssh host key

Next slide is for your reference only (dont be
baffled by it)
12
(No Transcript)
13
Issues not (yet) addressed

• Information services
• Use whatever security framework WP3 chooses
• Will likely not publish list of authorized users
• Networking issues
• WP4 does not envision using network-layer
  security
• IPv6 is being studied, but only for address space
  issues
• GridGATE is not a VPN router and is not doing
  IPsec

14
Gridification of a Compute Centre
Externally visible
Grid Info Serv (WP3)
GridGATEprotocol gateway
ComputeElmt
GriFIS
Job Rep.
Local to the fabric
GridJobMediating Serv
Fabric-localID-service
Local CredentialMapping Serv
LCAS
AuthZ plugins
Policy list
User Rep.
QuotaCheck