Introduction to Grid Security

Size: px

Start display at page:

Download "Introduction to Grid Security"

Abigail Walker
6 years ago
Views:

1 Introduction to Grid Security Mika Silander Helsinki Institute of Physics T Grid Technologies and Applications TKK,

2 Outline Background Functionality overview Virtual Organisations Certification Standardisation Security components Summary References 2

3 Background Traditional security solutions in a new context Challenges due to distributed environment and resources size of user community numerous collaborating but independent organisations amount of resources to be managed History Akenti, Legion, Globus, UNICORE... 3

4 Background/2 Organisations developing security solutions EGEE Middleware Security Working Group (MSWG) and JRA1 Security Group UNICORE KnowARC & NorduGrid Globus Alliance Organisations fostering security standardisation Open Grid Forum (OGF) Bodies defining security standards OASIS, WS-I, W3C, IETF 4

5 Functionality overview Authentication Single Sign-On (SSO) Delegation Authorisation Non-repudiation Integrity Confidentiality Logging & Auditing 5

6 Virtual Organisations 6

7 Virtual Organisations/2 Wikipedia definition A group of individuals or institutions who share the computing resources of a "grid" for a common goal Alleviates need for local account management Resources assigned to VO instead of individual user (account) Users become members of VOs A means for controlled resource sharing Life-cycles (both long and short) 7

8 Virtual Organisations/3 t from g/ s i l O rid.or Grid V Nordu ww.nordug w / rdugridvo No 8

9 OGSA Security initiative Part of the OGSA standard of OGF Assumption: grid collaborations span multiple administrative domains Defines a set of security services needed in grid middleware The services facilitate the administration, expression, publishing, discovery, communication, verification, enforcement and reconciliation of the security policy [6] Goal: to enable Virtual Organisations to enforce their securityrelated policy Leads to multiple policies being enforced concurrently 9

10 Functional capabilities of OGSA Security Illustration from [6]. 10

11 Authentication PKI and X.509 certificates Mutual authentication TLS/SSL communication channels OpenSSL Certificate Revocation Certificate Revocation Lists (CRLs) (Online Credential Status Protocol (OCSP)) 11

12 X.509v3 recap Adapted from [11]. 12

13 Mutual authentication Mutual authentication in SSL, adapted from [11]. 13

14 Certification Certificates for users and hosts X.509 certificates Host certificates Service certificates Certification authorities and policies Certification Practice Statements (see RFC 2527) European Union Grid Policy Management Authority (EU GridPMA) International Grid Trust Federation (IGTF) 14

15 International Grid Trust Federation TAGPMA EUGridPMA APGridPMA Figure from [16]. 15

16 Single Sign-On (SSO) Characteristics of a grid job: More resources may be needed dynamically Many intermediate services participate in the execution of a job Jobs often consist of several smaller subtasks Questions: is a grid user willing to: Type in the pass phrase of her private key to authenticate every time new services are contacted or when new resources are needed? Wait online between authentications when jobs may run for weeks? 16

17 Single Sign-On (SSO)/2 Authentication needs to be done automatically Login once, access multiple times a.k.a. Single Sign-On Solution: Grid users generate a short-lived X.509 proxy certificate using their long-term X.509 user certificate Client programmes use this proxy for all authentications 17

18 Single Sign-On (SSO)/3 Illustration adapted from [7]. 18

19 Grid Security Infrastructure (GSI) Provides Mutual authentication Single Sign-On Delegation Developed by Globus Relies on X.509 certificates for authentication Implements the Generic Security Services-API (GSS-API) Built on top of OpenSSL Required modifications to recognize proxy certificates 19

20 Grid Security Infrastructure (GSI)/2 OpenSSL Now with experimental proxy certificate support (see RFC 3820) GSI-OpenSSH A modified OpenSSH that accepts proxy certificates for authentication 20

21 Grid Security Infrastructure (GSI)/3 Command line tools: Grid-proxy-init Grid-proxy-info Grid-proxy-destroy Creating an RFC 3820 compliant proxy (SSO) ~]$ grid-proxy-init -rfc Your identity: /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander Enter GRID pass phrase for this identity: Creating proxy... Done Your proxy is valid until: Wed Jan 9 04:56:

22 Grid Security Infrastructure (GSI)/4 Contents of the RFC 3820 compliant proxy ~]$ grid-proxy-info subject : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander/CN= issuer : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander identity : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander type : RFC 3820 compliant impersonation proxy strength : 512 bits path : /tmp/x509up_u500 timeleft : 11:59:58 Old legacy (GSI) style proxy [mika@pchip12 ~]$ grid-proxy-info subject : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander/CN=proxy issuer : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander identity : /O=Grid/O=NorduGrid/OU=hip.fi/CN=Mika Silander type : full legacy globus proxy strength : 512 bits path : /tmp/x509up_u500 timeleft : 11:59:54 22

23 TrustManager An authentication module for X.509 certificate validation in Java applications Typically in Java clients and web service containers e.g. TomCat Maintained currently within EGEE-III as part of the glite middleware Features Proxy certificate support PEM format Periodic reloads of CRLs Periodic reloads of proxy certificates 23

24 Delegation Illustrations from [1]. 24

25 Delegation/2 Variants User-to-service Service-to-service (host-to-host) Types of delegated credentials Legacy (Globus GSI) Full & limited proxy RFC3820 compliant Components related to delegation GSI (non-ws), MyProxy, Globus TK4 delegation service, GridSite 25

26 Delegation protocol Illustration from [5]. 26

27 Multi-step delegation 27

28 MyProxy An online credential repository (OCR) service Manages a user's certificates (user or proxy) Users may later retrieve certificates for themselves, or, Offer them to a Grid portal acting on their behalf Delegates users' rights to Grid portals Portals simplify grid usage but need access rights to act on the user's behalf Portals request rights delegations from OCRs Uses GSI internally for mutual authentication of portals and users in interactions 28

29 MyProxy components MyProxy repository server Client tools myproxy-init, myproxy-logon (proxy certs) myproxy-store, myproxy-retrieve (long-term) myproxy-destroy Implementation languages Complete implementation in C Clients available in Java 29

30 MyProxy interactions initialisation Storing a long lifetime proxy certificate or end user certificate into MyProxy Illustrations from [4,5]. 30

31 MyProxy interactions retrieving a proxy credential Users for themselves, or, users for a web portal Illustrations from [4]. 31

32 MyProxy interactions credential renewal Long running jobs Illustration from [5]. 32

33 Delegation Service The Globus Toolkit v4 delegation component Similar to GSI delegation but in an OGSA style approach Caches delegated credentials for services hosted in the same web services container as the delegation service Supports credential refreshing and removal Notifies registered services about refreshes Supports further delegations 33

34 Delegation Service WSGRAM recap dele gat e it GRAM services del Delegation RFT ega te sudo bm job su local job con trol xfer request client compute element and service host(s) GRAM adapter compute element local sched. GridFTP user job FTP control FTP data GridFTP remote storage element(s) Illustration from [13]. 34

35 Trends in authentication Illustration from [14]. 35

36 Trends in authentication/2 From certificate based authentication to several alternate identity based authentication methods GridShib Shibboleth based authentication to Globus Short-Lived Certificate Service (SLCS) Temporary X.509 user certificates against Shibboleth account and password VOMS Attributes from Shibboleth (VASH) Transition towards SOA solutions E.g. Globus TK v4 Java WS Authentication & Authorisation module 36

37 Authorisation Local account based authorisation GSI LCAS/LCMAPS, glexec and SCAS In between authentication and authorization Virtual Organisation Membership Service (VOMS) Community Authorization Service (CAS) Grid Access Control List (GACL) Apache-inspired Access Control for storage systems, web services 37

38 GSI authorisation problem 38

39 GSI and Web Services Adapted from [12]. 39

40 glite LCAS/LCMAPS Local Centre Authorization Service (LCAS) Performs authorization before job is run on the local computing element Based on grid credentials of incoming job submission Local Credential MAPping Service (LCMAPS) Maps credentials to local accounts in computing elements: DN to unix account (like GSI gridmap-file) DN to dynamic pool accounts VOMS groups, roles, capabilities to UNIX groups DN to Kerberos and AFS tokens Maintains credential mappings of running jobs in an internal persistent Job Repository 40

41 glexec and LCAS/LCMAPS 41

42 SCAS+LCAS/LCMAPS 42

43 Grid Access Control List (GACL) Access control based on Grid identity XML based language for expressing ACLs in Storage Elements Apache inspired GACL definition files Per file basis:.gacl MyFileName Per directory basis:.gacl MyDirName On directory creation, default ACLs in file:.gacl 43

44 Grid Access Control List (GACL)/2 GACL file evaluation order 1).gacl MyFileOrDirName 2).gacl 3)../.gacl etc Structure of.gacl -files Who is allowed to do what <gacl> <entry> <who section> <what section> </entry> <entry> <who section> <what section> </entry> </gacl> 44

45 Grid Access Control List (GACL)/3 <any-user/> Who section Credentials or predefined users Implicit AND if several entries are given <person> <dn>/o=grid/ou=some.org/cn=john Smith</dn> </person> <dn-list> #a file containing a list of DNs <url>/etc/grid-security/allowedgacl_dns</url> </dn-list> <voms> <voms>dn of VOMS server</voms> <vo>vo name</vo> <group>group name</group> <role>role name</role> <capability>capability name</capability> </voms> 45

46 Grid Access Control List (GACL)/4 What section What section format: One allow section One deny section Denials override allowed operations Operations defined for Files Directories <allow> operation1 operation2... </allow> <deny> operation3 operation4... </deny> Example for a file: <allow> <read/> <write/> <list/> </allow> <deny> <admin/> </deny> GACL definition file itself 46

47 Virtual Organisation Membership Service (VOMS)[10] What problem does VOMS address? Issues credentials vouching for users': group memberships roles capabilities Credentials are Attribute Certificates (RFC 3281) Embedded into user's proxy certificates Tagged as non-critical extensions Attributes themselves are single strings (Fully-Qualified Attribute Names) 47

48 Virtual Organisation Membership Service (VOMS)/2 Groups are hierarchical Roles A member of a subgroup is automatically a member of all the higher level containment groups Are inherited from ancestor groups: if user has role R in ancestor group and is member of a subgroup, he also possesses role R in the subgroup. The opposite does not hold. Capabilities Inheritance as in roles In practise, not used 48

49 Virtual Organisation Membership Service (VOMS)/3 User registration in VOMS User requests first an ordinary user certificate from a Certificate Authority VO membership (+roles, capabilities) is requested from the organisation running the VO Becoming a member of a VO takes effect only when the membership info is retrieved from VOMS (Attribute Certificate) It is up to Grid resource providers to decide whether or not to honour user attributes asserted by VOMS 49

50 Notes on VOMS VOMS doesn't support the delegation of users' attributes to other grid users nor services But: a group administrator may include new members to a group and this way give the group's access rights to further users VOMS supports non-repudiation in that all requests are logged VOMS helps implementing coarse-grained access control No target file names, job identifiers or the like are expressible 50

51 VOMS components Login service standalone for efficiency client: voms-proxy-init, ~-destroy, ~-info Administrative service for VO membership management Web service with API Command line and web user interface Migration tools gridmap-file to VOMS servers LDAP to VOMS servers 51

52 VOMS components/2 52

53 Login procedure with VOMS Illustration from [3]. 53

54 A proxy certificate with VOMS AC Illustration from [15]. 54

55 Login to multiple VOs Illustration from [3]. 55

56 Community Authorization Service (CAS) For a centralized access control of a VO's grid resources Issues authorization assertions (SAML) to users granting them access to resources Services enforce access control according to site policy (coarse grained) and CAS assertions according to VO policy (finer-grained) Currently, CAS assertions are recognised by the GridFTP service file level access control 56

57 Community Authorization Service (CAS)/2 Implementation adheres to WSRF standards Built on top of OpenSAML, language is Java CAS tools cas-proxy-init contacts a CAS server embeds the assertion returned by CAS into a proxy certificate cas-wrap runs a (grid) command with CAS credentials CAS credentials as originally created by cas-proxyinit 57

58 CAS assertion in a proxy certificate CAS Server User proxy Policy statement Community Signature What rights does the community grant to this user? CAS-maintained community policy database Resource Server Client User proxy Policy statement Community Signature What local policy applies to this user? Does the policy statement authorize the request? Local policy information Is this request authorized for the community? Illustration from [9]. 58

59 CAS assertion in a proxy certificate/2 Illustration from [8]. 59

60 VOMS vs. CAS model Illustration from [8]. 60

61 Trends in authorisation Further authorisation related components Globus Authorization Framework (Java WS A & A) glite Java Authorization Framework (gjaf) To be replaced by a new authorisation framework during summer 2009! Short-Lived Credential Service (SLCS) Short-lifetime certificates against account and password VOMS Attributes from SHibboleth (VASH) Privilege and Role Management Infrastructure Standards Validation (PERMIS) Towards SOA solutions Web Services security and related standards 61

62 Policy enforcement 62

63 XACML v2.0 XACML Data flow diagram [17]. 63

64 Trends in policy enforcement ARC v1 Policy enforcement in ARC v1 [14]. 64

65 Further Grid Security components Grid Authentication and Authorization with Reliably Distributed Services (GAARDS) Dorian Grid Trust Service (GTS) Common Security Module (CSM) VOMRS VOMS Registration Service Grid Account Management Architecture (GAMA) GUMS Grid User Management System 65

66 Trends in Grid security Towards Service Oriented Architectures (SOA) From transport level security towards message-level security mechanisms SAML, XACML WS-Security XML Signature, XML Encryption WS-SecureConversation WS-Trust WS-Policy From identity based authorisation to identity and attribute based authorisation 66

67 Summary Grid security solutions build on existing, traditional security solutions Scale is the problem: Thousands of users, hundreds of virtual organisations Thousands of computers, clusters, storage systems Result: scalability problems of existing security solutions are tackled in various ways OGSA Security a kind of road map also for grid security development 67

68 Questions? Mika Silander & HIP,

69 References 1. Delegation and single sign-on (proxy certificates). Globus project documentation on GSI. Online 2. Globus project Grid Authentication and Authorisation Issues. Frohner, Á. OpenLAB Security Workshop presentation, CERN, An Online Credential Repository for the Grid: MyProxy. Novotny J., Tuecke S. & Welch V. In Proceedings of the 10th IEEE Symposium On High Performance Distributed Computing, The MyProxy online credential repository. Basney J., Humphrey M. & Welch V. In Software Practice and Experience, vol. 35, no. 9, p , 25 July The Open Grid Services Architecture, Version 1.5 (OGSA). Foster I., Kishimoto H., Savva A., Berry D., Grimshaw A., Horn B., Maciel F., Siebenlist F., Subramaniam R., Treadwell J. & Reich J. V. Technical Report, Open Grid Forum, September

70 References/2 7. Evaluation of the GLOBUS authentication architecture. Prelz F. INFN, Milano, Online 8. The Community Authorization Service: Status and Future. Pearlman L., Kesselman C., Welch V., Foster I. & Tuecke S. In Proceedings of CHEP'03, La Jolla, CA, USA, March, The Community Authorization Service: Status and Future. Foster I., Kesselman C., Pearlman L., Tuecke S. & Welch V. Presentation slides from presentation held in CHEP'03, La Jolla, CA, USA, March, VOMS, an Authorization System for Virtual Organizations. Alfieri R., Cecchini R., Ciaschini V., dell'agnello L., Frohner Á, Gianoli A., Lõrentey K. & Pataro F. Online SSL and TLS Essentials. Securing the Web. Thomas S. John Wiley & Sons, Globus Toolkit 4 Grid Security Infrastructure: A Standards Perspective. Globus security team. September, Online 70

71 References/3 13.Globus GRAM for Developers. Martin S. & Lane P. Argonne National Laboratory. Presentation in GlobusWorld Online: KnowARC Security Review. KnowARC Community, July, Online The Security and Information System in glite middleware. Fargetta M. University of Catania and ICEAGE. Presentation at the International Summer School of Grid Computing 2007, July 2007, Mariefred, Sweden. Online: Portals and Authentication. Groep D. EGEE'07 Conference presentation. NIKHEF, EGEE. Budapest, October extensible Access Control Markup Language (XACML) Version 2.0. Moore T. (ed.), OASIS, February,

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS Joseph Olufemi Dada & Andrew McNab School of Physics and Astronomy,