Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

Similar documents
A QUICK INTRODUCTION TO VOMS

The EU DataGrid Fabric Management

Introduction to Grid Security

Authentication and Authorization Mechanisms for Multi-domain Grid Environments

Troubleshooting Grid authentication from the client side

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Grid Security Infrastructure

EUROPEAN MIDDLEWARE INITIATIVE

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

GLOBUS TOOLKIT SECURITY

Understanding StoRM: from introduction to internals

SLCS and VASH Service Interoperability of Shibboleth and glite

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

Introduction to SciTokens

dcache Introduction Course

GSI Online Credential Retrieval Requirements. Jim Basney

E G E E - I I. Document identifier: Date: 10/08/06. Document status: Document link:

Using the MyProxy Online Credential Repository

The PRIMA Grid Authorization System

glite Java Authorisation Framework (gjaf) and Authorisation Policy coordination

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Bookkeeping and submission tools prototype. L. Tomassetti on behalf of distributed computing group

Grid Architectural Models

Implementing GRID interoperability

LCG User Registration & VO management

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Installation and Administration

The SciTokens Authorization Model: JSON Web Tokens & OAuth

User Authentication Principles and Methods

Guidelines on non-browser access

Overview of HEP software & LCG from the openlab perspective

Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen

Troubleshooting Grid authentication from the client side

glite Grid Services Overview

Gridbus Portlets -- USER GUIDE -- GRIDBUS PORTLETS 1 1. GETTING STARTED 2 2. AUTHENTICATION 3 3. WORKING WITH PROJECTS 4

Architecture Proposal

Managing Grid Credentials

New open source CA development as Grid research platform.

WebSphere Message Broker

DIRAC Distributed Secure Framework

Grid Computing. MCSN - N. Tonellotto - Distributed Enabling Platforms

Globus GTK and Grid Services

Grid Technologies for AAI*

DIRAC distributed secure framework

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

glexec: gluing grid computing to the Unix world

glideinwms architecture by Igor Sfiligoi, Jeff Dost (UCSD)

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

Deploying the TeraGrid PKI

3rd UNICORE Summit, Rennes, Using SAML-based VOMS for Authorization within Web Services-based UNICORE Grids

INDIGO AAI An overview and status update!

Warm Up to Identity Protocol Soup

Introduction to GT3. Overview. Installation Pre-requisites GT3.2. Overview of Installing GT3

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

MyProxy Server Installation

Data Avenue REST API. Ákos Hajnal, Zoltán Farkas November, 2015

Hardware Tokens in META Centre

Argus: The Simplified Policy Language

AAI in EGI Current status

Federated Authentication with Web Services Clients

SA1 CILogon pilot - motivation and setup

Prototype DIRAC portal for EISCAT data Short instruction


ArcGIS Server and Portal for ArcGIS An Introduction to Security

USER MANUAL. SalesPort Salesforce Customer Portal for WordPress (Lightning Mode) TABLE OF CONTENTS. Version: 3.1.0

Cloud Computing. Up until now

Michigan Grid Research and Infrastructure Development (MGRID)

Copyright

UNICORE Globus: Interoperability of Grid Infrastructures

GROWL Scripts and Web Services

Grid Computing Fall 2005 Lecture 5: Grid Architecture and Globus. Gabrielle Allen

Axway Validation Authority Suite

IBM Security Access Manager Version May Advanced Access Control Configuration topics IBM

Improving Grid User's Privacy with glite Pseudonymity Service

Integrating Legacy Authorization Systems into the Grid: A Case Study Leveraging AzMan and ADAM

Argus Vulnerability Assessment *1

dcache: challenges and opportunities when growing into new communities Paul Millar on behalf of the dcache team

Credentials Management for Authentication in a Grid-Based E-Learning Platform

Setup Desktop Grids and Bridges. Tutorial. Robert Lovas, MTA SZTAKI

Clarens Web Services Architecture

LCG-2 and glite Architecture and components

RCauth.eu / MasterPortal update

The EU DataGrid Testbed

SDC EMEA 2019 Tel Aviv

SSH with Globus Auth

EGI-InSPIRE. Security Drill Group: Security Service Challenges. Oscar Koeroo. Together with: 09/23/11 1 EGI-InSPIRE RI

Enabling Universal Authorization Models using Sentry

ENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017

Create and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Dynamic Creation and Management of Runtime Environments in the Grid

ARCHER Collaborative Workspace

Maintaining Configuration Settings in Access Control

Using the vrealize Orchestrator Operations Client. vrealize Orchestrator 7.5

Single Sign-On for PCF. User's Guide

Authorization Strategies for Virtualized Environments in Grid Computing Systems

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

CA SiteMinder Federation

Network Security Essentials

Transcription:

Grid Authentication and Authorisation Issues Ákos Frohner at CERN

Overview Setting the scene: requirements Old style authorisation: DN based gridmap-files Overview of the EDG components VO user management: VOMS Login : short lifetime proxy certificates Authorisation in Java web services Authorisation for a site: LCAS, LCMAPS CERN OpenLab Security Workshop - n 2

Requirements A grid security system requires: User to be authenticated by a service The service to gather additional information associated with the user or the actual session (e.g. group membership, role) The service to gather additional information associated with the protected service or object (e.g. file permissions) The checking of any local policy applicable to the situation The making of an authorization decision based on the identity of the user and the additional information The Users to access resources in a global Grid environment without the need for individual accounts at various sites, while allowing resource providers to keep control over access to their resources. EDG gathered 112 requirements: Authentication, Authorisation, Confidentiality, Integrity, and Non-repudiation CERN OpenLab Security Workshop - n 3

Old-style Service high frequency low frequency Backward compatibility on the service side: one can generate gridmapfiles from the VO userlist for existing services based on GSI. Old-style services still use the gridmap-file for authorization gridftp EDG 1.4.x services EDG 2.x service in compatibility mode CA CA CA VO VO VO VO crl update mkgridmap gridmap-file host cert (long life) service GSI CERN OpenLab Security Workshop - n 4

The Components GSI based or compatible authentication grid-mapfile or VOMS based authorization (can be both) policy or ACL based access control coarse and fine grained solutions access control description s syntax is not standard implemented alternatives: edg-java-security for Java web services GSI/LCAS/LCMAPS for native C/C++ services mod_ssl/gacl for Apache based web services Slashgrid for transparent filesystem ACLs and GridSite CERN OpenLab Security Workshop - n 5

Overview of the Components CA proxy cert: dn, cert, Pkey, VOMS cred. (short lifetime) request certificate: dn, ca, Pkey VOMS proxy cert certificate VOMS cred: VO, group(s), role(s) proxy cert user proxy cert proxy cert delegation: cert+key (long lifetime) proxy cert MyProxy re-newal request delegation: cert+key (short lifetime) TrustManager auth TrustManager auth mod_ssl auth GSI auth GSI auth WebServices Authz dn,attrs,acl, req.op ->yes/no authz pre-process: parameters-> obj.id + req. op. pre-process: parameters-> obj.id + req. op. pre-process: parameters-> obj.id + req. op. LCAS dn,attrs,acl, req.op ->yes/no authz dn -> DB role map doit obj.id -> acl dn,attrs,acl, req.op ->yes/no authz GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz GACL: obj.id -> acl dn,attrs,acl, req.op ->yes/no authz LCMAPS dn -> userid, krb ticket map doit doit doit doit coarse grained (e.g. Spitfire) fine grained (e.g. RepMec) Java fine grained (e.g. GridSite) web C fine grained (e.g. SE, /grid) coarse grained (e.g. gatekeeper) CERN OpenLab Security Workshop - n 6

VOMS: Virtual Organization Management Service Issues credentials to prove group/role/vo membership standard RFC 3281 Attribute Certificate format single string attributes FQAN Core service: standalone daemon for the login single purpose high performance Administrative service: web service with API, command line and web user interface for administration and registration Migration tools for gridmap-files and VO-LDAP servers CERN OpenLab Security Workshop - n 7

Login user high frequency low frequency user cert (long life) CA VO-VOMS The credential created in the login procedure is backward compatible: one can use it with the existing services, which are based on GSI voms-proxy-init proxy cert (short life) authz cert (short life) edg-voms-proxy-init -voms iteam /mp/x509_up<uid> (normal proxy location) backward compatible proxy format CERN OpenLab Security Workshop - n 8

Multi-VO Login user high frequency low frequency user cert (long life) voms-proxy-init proxy cert (short life) authz cert (short life) CA VO-VOMS VO-VOMS VO-VOMS VO-VOMS voms-proxy-init -voms iteam -voms wp6 single proxy certificate is generated each VO provides a separate VOMS credential first one is the default VO each VOMS credential contains multiple group/role entries first one is the default group One can be member of many VOs and use their resources at the same time. The VO specific credentials are separate, but collected into the same proxy certificate. CERN OpenLab Security Workshop - n 9

VOMS FAQ No instant effect: the user has to log-in, using voms-proxyinit, to be notified of any VO change Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group-admin); no user groups Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner no to override it VOMS is not used to implement fine grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration) CERN OpenLab Security Workshop - n 10

VOMS Registration user high frequency low frequency CA Tool support for the registration workflow(s) to ease the life of VO managers. user cert (long life) registration VO-VOMS deny denied VO membership email address request new confirmation allow create confirmed accepted done (user) (user) (VO admin) web email email to the requestor: email to the administrator: email address confirmation new request notification email to the requestor: request is accepted/denied CERN OpenLab Security Workshop - n 11

Multi-VO Registration user high frequency low frequency CA Support for multi-vo registration and login using the same user certificate. user cert (long life) registration VO-VOMS VO-VOMS VO administration operations create/delete (sub) group/role/capability VO-VOMS add/remove member of g/r/c get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member CERN OpenLab Security Workshop - n 12

Java Web Service high frequency low frequency host cert user information system 1. VO affiliation WS user cert 2. service URI(s) for VOs in authz? VO credential on the client side is used to select the VO specific service. proxy authz VO credential on the server side is used for authorization. VO 3. calling the service (URI) authentication & authorization info edg-javasecurity CERN OpenLab Security Workshop - n 13

edg-java-security Trust manager GSI compatible authentication (supporting proxy chain) Adapters to HTTP and SOAP Currently deployed for Tomcat4 VOMS credential verification Authorization Manager Authorization and mapping for Java services Plug-in framework for maps: database, XML file and for backward compatibility: gridmap-file Handles VOMS attributes CERN OpenLab Security Workshop - n 14

Inside the Java Web Service WS map.xml map-db proxy VO gridmap-file authz authn authz map service TrustManager DN, attr., operation + policy -> yes/no decision DN->DB role edg-java-security CERN OpenLab Security Workshop - n 15

Job Submission high frequency low frequency host cert user user cert 4. CEs for VOs in authz? information system 1. VO affiliation (AccessControlBase) CE WMS proxy 3. job submission VO credential is used by the resource broker to pre-select available CEs. VO authz 2. cert upload MyProxy server CERN OpenLab Security Workshop - n 16

Arriving to a Computing Element MyProxy server VO credential for authorization and mapping on the CE. cert (long term) LCAS: authorization based on (multiple) VO/group/role attributes LCMAPS: mapping to user pool and to (multiple) groups default VO = default UNIX group other VO/group/role = other UNIX group(s) host cert CE 1. cert download proxy WMS VOMS 2. voms-proxy-init authz 3. job start authentication & authorization info VO LCAS/ LCMAPS CERN OpenLab Security Workshop - n 17

LCAS and LCMAPS Local Centre Authorization Service (LCAS) Handles authorization requests to local fabric authorization decisions based on proxy user certificate and job specification; supports grid-mapfile mechanism. Plug-in framework (hooks for external authorization plugins) allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db), GACL plugin for VOMS (to process authorization data) Local Credential Mapping Service (LCMAPS) provides local credentials needed for jobs in fabric mapping based on user identity, VO affiliation, local site policy plug-ins for local systems (Kerberos/AFS, LDAP nss) CERN OpenLab Security Workshop - n 18

Inside a Computing Element CE allowed banned GACL group-pool user-pool JobRepository proxy VO gridmap-file authz authn authz map JobManager gatekeeper GSI LCAS DN, attrs, RSL + local policy -> yes/no decision LCMAPS DN, attrs, RSL + local policy -> uid, gids, other tokens CERN OpenLab Security Workshop - n 19

Summary of Issues Resolved Compatibility with existing systems Tomcat - edg-java-security Apache gridsite gridmap-file LCAS and LCMAPS Credential Mapping implementation on computing element Credential Renewal for long running jobs Delegation absent from standard HTTPS CERN OpenLab Security Workshop - n 20

More Information European DataGrid Project Security Coordination Group http://cern.ch/hep-project-grid-scg LCAS/LCMAPS homepage http://www.dutchgrid.nl/datagrid/wp4/lcas/ Java Security http://cern.ch/grid-data-management/security/ GridSite http://www.gridpp.ac.uk/gridsite/ VOMS http://grid-auth.infn.it/ http://cern.ch/edg-wp2/security/voms CERN OpenLab Security Workshop - n 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback