Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF - PowerPoint PPT Presentation

1 / 18

About This Presentation

Title:

Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF

Description:

No allocated effort, so groups distributed over WP's: CA Coordination (Test bed WP6) ... O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten' kristaj ' ... – PowerPoint PPT presentation

Number of Views:24

Avg rating:3.0/5.0

Slides: 19

Provided by: ppd75

Category:

more less

Transcript and Presenter's Notes

Title: Security in DataGrid 12 Mar 2002 TERENA GRID-AN BoF

1
Security in DataGrid12 Mar 2002TERENA GRID-AN
BoF

David GroepNIKHEF, Amsterdam
based on a presentation by David Kelsey
CLRC/RAL, UK

2
The EU DataGrid

DataGrid generic Grid middleware and test bed
for
High Energy Physics
Earth Observation and ozone modelling
Bio-informatics bio-medicine
Middleware components (on top of Globus)
scheduling and accounting
data replication and management
monitoring
data storage
fabric and farm management

3
Security in DataGrid

No allocated effort, so groups distributed over
WPs
CA Coordination (Test bed WP6)Started before the
project (end 2000), well established
Ad-hoc Authorization (Test bed WP6)Interim
solutions for distributing collaboration user
lists and virtual organization directories.
Security Coordination (Networking
WP7)Requirements gathering and design of a first
security architecture. Definition of security
guidelines for middleware development

4
Start with

Authentication

5
WP6 CACG

11 DataGrid Testbed1 CAs
See WP6 web
Much effort to run these growing number of cert
requests
Several moving to OpenCA
US DOE ScienceGrid CA
Operational since January 2002
Approved as a DataGrid trusted CA (
vice-versa!)
First test of transatlantic authentication last
month
Karlsruhe CA (CrossGrid and HEP Germany)
To be incorporated later
Seems to attract Grid CA issues that should have
gone to GGF!

6
Authentication (2)

One of the EDG CAs (CNRS) acts as a catch-all
CA
CP/CPS will get explicit statements about RAs
Matrix of Trust (work ongoing) much work!
Feature matrix
Acceptance matrix (WP6 CA Mgrs check each other
against min. requirements)
BUT
Still another 7 CrossGrid countries with no CA
And many other LHC countries
Scaling problems!
Automate the feature checking
Continue to work with GGF in the GridCP group

7
Authentication (3)
DataGrid CA Features matrix
8
CA Acceptance Matrix

Detailed reports per CA
Guidelines for national site admins
To be done versioning of CP/CPS
invalidation after CP/CPS updates

9
And now

Authorisation

10
GSI Grid map file

Resource Authorization based on access lists
Maps Grid name (cert subject DN) ? local UID
In effect after successful authentication

triodedavidg1002 cat /etc/grid-security/grid-ma
pfile "/Odutchgrid/Ousers/Onikhef/CNDavid
Groep" davidg "/Odutchgrid/Ousers/Onikhef/CNMa
rtijn Steenbakkers" martijn "/Odutchgrid/Ousers/
Onikhef/CNKrista Joosten" kristaj "/Odutchgrid/
Ousers/Ouva/OUwins/CNVladimir Korkhov"
vkorkhov "/Odutchgrid/Ousers/Onikhef/CNJeffrey
Templon" templon "/CIT/OINFN/LTorino/CNPiergi
orgio Cerello/EmailPiergiorgio.Cerello_at_to.infn.it
" aliprod
11
mkgridmap and VOs

Virtual Organizations (VOs) define user
groupsATLAS, LHCb, OzoneModelling,
Directory with user lists maintained by VO admin
Resource owners extract list from allowed VOs
optional AND with one other directory (AUP!)
periodically generated (once per day)

12
grid-mapfile generation
VODirectory
AuthorizationDirectory
13
Entries in VO Directory

VO Membership list
dn cnRoberto Barbera,ouPeople,oalice,dceu-dat
agrid,dcorg
objectClass person
objectClass organizationalPerson
objectClass inetOrgPerson
objectClass pkiUser
sn Barbera
cn Roberto Barbera
mail roberto.barbera_at_ct.infn.it
labeledURI ldap//security.fi.infn.it/cnRoberto
20Barbera,oinfn,cit?userCertificate
(sub) groups
dn outb1users,olhcb,dceu-datagrid,dcorg
objectClass domain
objectClass organizationalUnit
objectClass groupofnames
. . . .
owner cnmanager,olhcb,dceu-datagrid,dcorg

14
Authorisation

WP6 Authorisation group (R. Cecchini INFN)
Future plans
Evaluation of CAS and PERMIS
Better VO Directory management
Support of replicas of VO Directories
Support for users attributes in the VO
Directories
e.g. the AUP signing information (with expiration
date...)

15
Authorisation (2)

Globus Community Authorisation Server (CAS)
Long awaited!
Hot news alpha release by end of next week
PERMIS (http//www.permis.org)
EU funded project
Univ of Salford (UK) member of SecureGrid
Policy-based Role-based (XML) Access control

16
Spitfire Security Mechanism
Servlet Container
SSLServletSocketFactory
RDBMS
Trusted CAs
TrustManager
Revoked Certsrepository
Security Servlet
ConnectionPool
Authorization Module
Does user specify role?
Role repository
Translator Servlet
Role
Connectionmappings
Map role to connection id
17
WP4 Subsystems and relationships (D4.2)
18
GridMapDir (WP6 - McNab)

Account sharing mechanism for local UIDs
Modifier version of GSI allows mapping to
account pools (à la DHCP)
nice when VO directories are large and not all
users go to all sites
difficult to recycle accounts (files!)
sucessfully deployed in EDG TB1

19
SlashGrid (WP6 - McNab)

Framework for creating Grid-aware filesystems
different types of filesystem provided by
dynamically loaded plugins.
Source, binaries and API notes
http//www.gridpp.ac.uk/slashgrid/
certfs.so plugin provides local storage governed
by Access Control Lists based on DNs.
Since most ACLs would have just one entry, this
is equivalent to file ownership by DN rather than
UID.
Also, a GridFTP plugin could provide secure
replacement for NFS.

20
Authorisation issues