LCG/EDG Security - update and plans. HEPiX/HEPNT, FNAL, 23 Oct 2002 (PowerPoint presentation transcript)


1
LCG/EDG Security - update and plans
HEPiX/HEPNT - FNAL, 23 Oct 2002
  • David Kelsey, CLRC/RAL, UK, d.p.kelsey_at_rl.ac.uk

2
Outline
  • Introduction to Grid Security
  • EU DataGrid/DataTAG (EDG/EDT) developments
  • LHC Computing Grid Project (LCG) Phase 1
  • The main challenges for 2003
  • Summary

3
Introduction to Grid Security
4
Authentication (1)
  • Proof of identity
  • Grid Security Infrastructure (GSI)
    • PKI (Public Key Infrastructure)
    • Private/public key pair
      • Generated by the user; the private key must be kept secret
    • Asymmetric encryption
    • X.509 certificate
      • A national Certificate Authority signs the public key
      • Binds the key to a name / identity
      • Confers no authorisation to use resources

5
Authentication (2)
  • Uses SSL, certificates and the key pair
  • Need to trust the CA(s)
  • Securely identifies User, Machine, Service
    • In both directions (mutual authentication)
  • To achieve
    • Single sign-on to the Grid (via a proxy certificate)
      • short-lived (no revocation)
    • To avoid having to register all users at all sites!
  • Many issues
    • Revocation, length of keys, period of validity, security of the private key, operational procedures, ...
    • Registration Authorities (check identity)
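The chain these two slides describe, as an added example in Go (not code from the slides, Globus or EDG): a CA signs the user's long-lived certificate, the user's own key signs a short-lived proxy named owner DN + CN=proxy, and a gatekeeper-style check accepts the proxy only inside its validity window, since nothing ever revokes it. The CA, user and lifetimes are constructed, and the proxy is a plain X.509 certificate rather than the later standardised proxy profile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

func key() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// issue returns a certificate for subj (holding subjKey) signed by signer, the key behind parent; nil parent = self-signed CA.
func issue(serial int64, subj pkix.Name, until time.Time, parent *x509.Certificate, subjKey, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subj, NotBefore: time.Now().Add(-time.Minute), NotAfter: until}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent = true, true, x509.KeyUsageCertSign, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, subjKey.Public(), signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildChain: CA -> one-year user certificate -> proxy valid only for lifetime. All names are constructed.
func BuildChain(lifetime time.Duration) (ca, user, proxy *x509.Certificate) {
	caKey, userKey, proxyKey := key(), key(), key() // the proxy gets a fresh key pair of its own
	dn := func(cn string) pkix.Name { return pkix.Name{Country: []string{"IT"}, Organization: []string{"INFN"}, CommonName: cn} }
	ca = issue(1, dn("INFN CA"), time.Now().AddDate(5, 0, 0), nil, caKey, caKey)
	user = issue(2, dn("Pinco Palla"), time.Now().AddDate(1, 0, 0), ca, userKey, caKey) // the CA signs the user's public key
	pdn := dn("Pinco Palla")
	pdn.ExtraNames = []pkix.AttributeTypeAndValue{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"}} // owner DN + CN=proxy
	proxy = issue(3, pdn, time.Now().Add(lifetime), user, proxyKey, userKey) // the USER's key signs the proxy, no CA involved
	return ca, user, proxy
}
// VerifyProxy is the gatekeeper side: the owner must chain to the trusted CA and the proxy must carry the owner's
// signature (checked directly, since Go's chain builder rejects a non-CA issuer); the window is the only other control.
func VerifyProxy(proxy, user, ca *x509.Certificate, now time.Time) error {
	chainOK := user.CheckSignatureFrom(ca) == nil && user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature) == nil
	inWindow := !now.Before(proxy.NotBefore) && !now.After(proxy.NotAfter) && !proxy.NotAfter.After(user.NotAfter)
	if !chainOK || !inWindow {
		return errors.New("proxy rejected: broken signature chain or outside its validity window")
	}
	return nil
}
func main() { ca, u, p := BuildChain(12 * time.Hour); println("12-hour proxy accepted now:", VerifyProxy(p, u, ca, time.Now()) == nil) }
```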

6
Authorisation
  • Today based on local mechanisms
    • e.g. UNIX (uid, gid) or Kerberos
  • Globus gatekeeper
    • Maps the global identity (Distinguished Name) to a local user account
    • Access control then all based on standard UNIX tools
    • Or Kerberos, AFS etc.
  • Site/System management fully in control
  • Limited tools for Virtual Organisations (VOs) to manage access to resources
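The gatekeeper's mapping step, with the gridmapdir-style dynamic leased accounts listed later among the EDG components, as an added example in Go that is not Globus or EDG code: the grid-mapfile text, the DNs and the pool account names are constructed, and an in-memory lease table stands in for gridmapdir's hard links.

```go
package main

import (
	"errors"
	"strings"
)

// Constructed grid-mapfile (the DNs are made up for this example): one DN mapped to a named account and
// two DNs mapped to the ".atlas" pool, the gridmapdir style of dynamic leased accounts.
const gridMapFile = `# "DN" account   or   "DN" .pool
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=david kelsey" dkelsey
"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla" .atlas
"/C=IT/O=INFN/L=CNAF/CN=Mario Rossi" .atlas
`
type Mapper struct {
	target map[string]string   // DN -> "dkelsey" or ".atlas", exactly as written in the mapfile
	free   map[string][]string // pool -> accounts not yet leased
	leases map[string]string   // DN -> leased pool account (gridmapdir keeps this as a hard link named after the DN)
}
func NewMapper(mapfile string, pools map[string][]string) *Mapper {
	m := &Mapper{target: map[string]string{}, free: pools, leases: map[string]string{}}
	for _, line := range strings.Split(mapfile, "\n") {
		if end := strings.LastIndex(line, `"`); strings.HasPrefix(line, `"`) && end > 0 {
			m.target[line[1:end]] = strings.TrimSpace(line[end+1:])
		}
	}
	return m
}
// LocalAccount is the gatekeeper's mapping step: a fixed account comes straight back; a pool entry leases one free
// account to the DN on first use and returns that same account afterwards, so every job still traces to one DN.
func (m *Mapper) LocalAccount(dn string) (string, error) {
	target, ok := m.target[dn]
	switch {
	case !ok:
		return "", errors.New("not authorised: DN absent from grid-mapfile")
	case !strings.HasPrefix(target, "."):
		return target, nil
	}
	if acct, leased := m.leases[dn]; leased {
		return acct, nil
	}
	pool := target[1:]
	if len(m.free[pool]) == 0 {
		return "", errors.New("pool " + pool + " exhausted: refuse rather than share an account")
	}
	m.leases[dn], m.free[pool] = m.free[pool][0], m.free[pool][1:]
	return m.leases[dn], nil
}
func main() { m := NewMapper(gridMapFile, map[string][]string{"atlas": {"atlas001", "atlas002"}}); a, _ := m.LocalAccount("/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"); println(a) }
```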

7
EDG/EDT security developments
8
EDG Security news
  • EU Deliverable 7.5
    • Security Requirements and Testbed1 (complete)
      http://hepwww.rl.ac.uk/kelsey/DataGrid-D7.5.pdf
  • EU Deliverable 7.6
    • Security Design and Testbed2 (January 2003)
  • Security components
    • VO/LDAP, VOMS: authorisation
    • LCAS, LCMAPS: local authorisation and mapping
    • Gridmapdir: dynamic leased accounts
    • Gridsite: certificate-based web management
    • SlashGrid: DN-based grid home file system
    • GACL: library to parse ACLs (XML)
    • edg-security (for database access control)

9
EDG WP6 CA group
  • The PMA (Policy Management Authority) for EDG
    • Members: the CA managers (but not just EDG!)
    • Includes CrossGrid and US DOE CAs; more joining
    • http://marianne.in2p3.fr/datagrid/ca/
  • Establishing trust between CAs, Grid projects, VOs, Sites
    • Need approval of site security officers and sysadmins
    • To (perhaps) bypass normal user registration procedures
    • Achieved for EDG testbed activities
    • NOT yet for LCG production-scale deployment
  • Defining best practice and minimum requirements
    • Working with GGF
    • CP/CPS documents
    • Registration Authority procedures
    • Operational procedures

10
Trusted CAs
  • 13 trusted CAs
    • CERN, Czech Rep, France, Germany, Ireland, Italy, Netherlands, Nordic, Portugal, Russia, Spain, UK, USA
  • Under consideration
    • Canada, Greece, Poland, Slovakia
  • CNRS/France willing to act as short-term catch-all
    • For a small number of users/machines
    • But needs agreed registration procedure(s)
    • Already doing so for Austria, Israel, Switzerland, Romania, Taiwan

11
Authorisation
  • VO/LDAP shown at Catania HEPiX
  • Now we (EDT for EDG) are developing VOMS
    • Virtual Organisation Membership Service
    • See Luciano Gaido's slides (EDG meeting, Budapest) and the VOMS architecture report (EDT meeting, 8 Oct 02)
    • Some of these follow
  • LCAS plug-ins and GACL to apply access control
  • Easy management of ACLs still missing

12
Current implementation (LDAP)
  • Support for users belonging to more than one VO
    • vo option to the grid-proxy-init command
    • the VO name is inserted into the Subject of the proxy certificate (D field)
    • requires a patch to Globus code (and a change to mkgridmap)
  • Under test: the interaction with the RB
  • Availability: 30 September 02

13
VO Membership Service
  1. Client and Server authenticate themselves and establish a secure communication channel using the standard Globus API.
  2. The Client sends the request to the Server.
  3. The Server checks the request and sends back the required info (signed by itself).
  4. The Client checks the validity of the info received.
  5. Steps 1-4 are repeated for each Server the Client wants to contact.
  6. The Client creates a proxy certificate with a (non-critical) extension containing all the info received from the contacted VOMS Servers.

(Figure: example proxy certificate subject /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy)
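Steps 1-6 above as an added example in Go, a toy written for this page and not the EDT VOMS code or its wire format: step 1's mutual authentication is assumed already done (the authenticated owner DN is passed in), each server signs a plain string with ed25519 instead of producing a certificate extension, and the DNs, VO names and group/role strings are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Toy VOMS exchange: each server signs the membership info it holds for a DN, the client verifies every
// reply before bundling it into the proxy extension, and a site later re-verifies against the VOs it trusts.
type Assertion struct{ VO, Holder, Attrs string; Sig []byte } // VO name, user's DN, groups/roles, server signature
func (a Assertion) payload() []byte { return []byte(a.VO + "|" + a.Holder + "|" + a.Attrs) }
type VOMSServer struct{ VO string; Key ed25519.PrivateKey; Members map[string]string } // Members: DN -> groups/roles
// Respond is step 3: the DN was proved in step 1, so only membership is checked before the info is signed.
func (s *VOMSServer) Respond(dn string) (Assertion, error) {
	attrs, ok := s.Members[dn]
	if !ok {
		return Assertion{}, errors.New(dn + " is not a member of " + s.VO)
	}
	a := Assertion{VO: s.VO, Holder: dn, Attrs: attrs}
	a.Sig = ed25519.Sign(s.Key, a.payload())
	return a, nil
}
// Verify is step 4 on the client, and the site's check later: the assertion must be signed by the key
// trusted for that VO and bound to the DN owning the proxy, so it cannot be lifted into another proxy.
func Verify(a Assertion, owner string, trusted map[string]ed25519.PublicKey) bool {
	pub, ok := trusted[a.VO]
	return ok && a.Holder == owner && ed25519.Verify(pub, a.payload(), a.Sig)
}
// BuildExtension is steps 2-5 over several servers: only verified replies reach the extension of step 6,
// and a VO that does not know the user contributes nothing rather than blocking the proxy.
func BuildExtension(owner string, servers []*VOMSServer, trusted map[string]ed25519.PublicKey) []Assertion {
	var ext []Assertion
	for _, s := range servers {
		if a, err := s.Respond(owner); err == nil && Verify(a, owner, trusted) {
			ext = append(ext, a)
		}
	}
	return ext
}

func main() {
	owner := "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	atlas := &VOMSServer{VO: "atlas", Key: k, Members: map[string]string{owner: "/atlas/prod Role=manager"}}
	ext := BuildExtension(owner, []*VOMSServer{atlas}, map[string]ed25519.PublicKey{"atlas": k.Public().(ed25519.PublicKey)})
	println(len(ext), "verified assertion(s) for the proxy extension")
}
```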
14
VOMS
15
LCG Phase 1
16
LCG 1 security
  • LCG Phase 1: deploy a production-quality Grid
    • from July 2003
  • Planning now; documents by December 2002
  • Must be ready by summer 2003
  • Security planning
    • User registration
    • Authentication
    • Authorisation
    • Security policy
    • Operational issues

17
User Registration
  • Users would like to register just once (per VO)
    • Sign one form
    • One single Acceptable Use description
  • Sites need
    • Sufficient recorded information about the user
    • VO databases managed by whom? (experiment offices?)
    • Behind-the-scenes creation of new user accounts
    • Or willingness to use dynamic leased accounts
  • VOs need
    • Tools to manage users, roles, groups
    • Who owns the databases: VOs and/or Sites?

18
Authentication
  • Scaling of establishing the list of trusted CAs
    • Currently one per country (many countries!)
    • Often issued by CAs serving a larger community than HEP
  • CERN and FNAL proposing a Kerberos-based CA
    • User authenticates via Kerberos to the KCA
    • KCA then issues short-lived X.509 certs
    • Not yet trusted by EDG/LCG
  • Some sites will not accept long-lived private keys held by users
    • Credential repositories (MyProxy, aVOMS)
    • Smartcards
    • Specialised additional authentication (e.g. Cryptocard)
    • Doesn't scale!
  • Support multiple levels of authentication
  • Credential renewal for long-running batch jobs

19
Authorisation
  • Technology immature
    • What will be ready for LCG Phase 1?
  • Need input from the experiments
  • Who manages access?
    • To sites
    • To resources
    • To individual files, objects
  • Sites authorise VOs
  • VOs authorise users, roles, groups
  • Much will be definition of procedures
  • Aim for independence from technologies
    • Move to OGSA, WS-Security, ...
  • Sites need to trust VO procedures

20
Operational issues
  • Communication between sites
  • Intrusion detection
  • Incident tracking
  • Auditing and reporting

21
Summary
  • EDG/EDT: much progress during 2002
    • More functionality in 2003
  • GGF and other Grid projects also important
  • Current procedures work well at Testbed scale
  • LCG Phase 1 (and BaBar Grid)
    • Need improved procedures for production scale
    • Need to plan for and support multiple authentication and authorisation technologies
    • Will need full consultation with Sites and VOs (experiments) to agree policies and establish trust
  • MUST be pragmatic
    • LCG Phase 1 MUST work