DIRAC Distributed Secure Framework

Similar documents
DIRAC distributed secure framework

DIRAC pilot framework and the DIRAC Workload Management System

Troubleshooting Grid authentication from the client side

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

J. Basney, NCSA Category: Experimental October 10, MyProxy Protocol

CA-based Trust Issues for Grid Authentication and Identity Delegation

Globus Toolkit Firewall Requirements. Abstract

Development of new security infrastructure design principles for distributed computing systems based on open protocols

EXPERIENCE WITH PKI IN A LARGE-SCALE DISTRIBUTED ENVIRONMENT

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Server-based Certificate Validation Protocol

SA1 CILogon pilot - motivation and setup

High Performance Computing Course Notes Grid Computing I

Troubleshooting Grid authentication from the client side

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

The PanDA System in the ATLAS Experiment

GSI Online Credential Retrieval Requirements. Jim Basney

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Credentials Management for Authentication in a Grid-Based E-Learning Platform

VSP18 Venafi Security Professional

Network Working Group Request for Comments: 3820 Category: Standards Track. NCSA D. Engert ANL. L. Pearlman USC/ISI M. Thompson LBNL June 2004

Integration of the guse/ws-pgrade and InSilicoLab portals with DIRAC

Grid Security Infrastructure

Public Key Infrastructure

JAliEn A new interface between the AliEn jobs and the central services

Hardware Tokens in META Centre

Managing Grid Credentials

Using vrealize Operations Tenant App as a Service Provider

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

A security architecture for the ALICE Grid Services

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

13th International Workshop on Advanced Computing and Analysis Techniques in Physics Research ACAT 2010 Jaipur, India February

This help covers the ordering, download and installation procedure for Odette Digital Certificates.

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Secure Abstraction with Code Capabilities

Using the MyProxy Online Credential Repository

Introduction to SciTokens

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

Security in the CernVM File System and the Frontier Distributed Database Caching System

Introduction to Programming and Computing for Scientists

Authorization Strategies for Virtualized Environments in Grid Computing Systems

The Match On Card Technology

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

A. On the VCS, navigate to Configuration, Protocols, H.323, and set Auto Discover to off.

Public Key Enabling Oracle Weblogic Server

BIG-IP System: SSL Administration. Version

FPKIPA CPWG Antecedent, In-Person Task Group

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

VMware AirWatch Integration with OpenTrust CMS Mobile 2.0

U.S. E-Authentication Interoperability Lab Engineer

Managing Certificates

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

Manage Certificates. Certificates Overview

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

A PKI For IDR Public Key Infrastructure and Number Resource Certification

A Novel Adaptive Proxy Certificates Management Scheme in Military Grid Environment*

Lecture Notes 14 : Public-Key Infrastructure

ING Public Key Infrastructure Technical Certificate Policy

Prototype DIRAC portal for EISCAT data Short instruction

A Roadmap for Integration of Grid Security with One-Time Passwords

PoS(ISGC 2016)035. DIRAC Data Management Framework. Speaker. A. Tsaregorodtsev 1, on behalf of the DIRAC Project

Copyright

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811

MCSA Windows Server 2012

Certification Authority

Overview. SSL Cryptography Overview CHAPTER 1

Guidelines on non-browser access

70-742: Identity in Windows Server Course Overview

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Configuring Virtual Servers

ForeScout CounterACT. SecureConnector Advanced Features. How-to Guide. Version 8.0

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

SSL Certificates Certificate Policy (CP)

Configuring the Cisco APIC-EM Settings

CSE 565 Computer Security Fall 2018

Introduction to Programming and Computing for Scientists

Cryptography and Network Security

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

SEVENMENTOR TRAINING PVT.LTD

Create Decryption Policies to Control HTTPS Traffic

MCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams

Configuring Certificate Authorities and Digital Certificates

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Deploying the TeraGrid PKI

Certificate Management

glite Grid Services Overview

How to Set Up External CA VPN Certificates

Send documentation comments to

Configuring SSL CHAPTER

Introduction to Grid Security

Nasuni Data API Nasuni Corporation Boston, MA

Policy Based Dynamic Negotiation for Grid Services Authorization

[GSoC Proposal] Securing Airavata API

EUROPEAN MIDDLEWARE INITIATIVE

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Salesforce1 Mobile Security White Paper. Revised: April 2014

Transcription:

DIRAC Distributed Secure Framework A Casajus Universitat de Barcelona E-mail: adria@ecm.ub.es R Graciani Universitat de Barcelona E-mail: graciani@ecm.ub.es on behalf of the LHCb DIRAC Team Abstract. DIRAC, the LHCb community Grid solution, provides access to a vast amount of computing and storage resources to a large number of users. In DIRAC users are organized in groups with different needs and permissions. In order to ensure that only allowed users can access the resources and to enforce that there are no abuses, security is mandatory. All DIRAC services and clients use secure connections that are authenticated using certificates and grid proxies. Once a client has been authenticated, authorization rules are applied to the ed action based on the presented credentials. These authorization rules and the list of users and groups are centrally managed in the DIRAC Configuration Service. Users submit jobs to DIRAC using their local credentials. From then on, DIRAC has to interact with different Grid services on behalf of this user. DIRAC has a proxy management service where users upload shortlived proxies to be used when DIRAC needs to act on behalf of them. Long duration proxies are uploaded by users to MyProxy service, and DIRAC retrieves new short delegated proxies when necessary. This contribution discusses the details of the implementation of this security infrastructure in DIRAC. 1. Introduction The LHCb [1] experiment is the Large Hadron Collider Beauty experiment at CERN, primarily intended for precise measurements of CP violation and rare decays in b-physics. LHCb expects to start taking data by the end of 2009. The data rate is expected to be about 5 Peta Bytes per full year of running. This data will need large computing resources at a scale in which the only reasonable solution is the worldwide computing grid. LHCb physicists will have to process a large amount of data. DIRAC [2] is the community grid solution LHCb will use to manage all the available resources to process the data. All the resources are distributed across different countries and they have to be accessed by the collaboration in a secure way. DIRAC has a security framework called DISET build on top of OpenSSL, a industry standard widely used. DISET provides all the communication, authorization and authentication framework for DIRAC to build its services on top.

2. Secure framework One of DIRAC design goals was to manage a large amount of distributed resources. That required a secure communications layer that allowed DIRAC to set up access control accross the resources. DIRAC was designed using a service-agent achitecture [3]. Due to DIRAC complexity, it also required a powerful framework that allowed to build services and agents easily. To meet all this needs DISET was made. DISET is a framework that provides a secure connection layer, an authorization mechanism and a powerful and flexible framework to build agents and services. To provide secure connectivity, DISET uses a python wrapper around OpenSSL to manage the authentication and encryption of the data. 2.1. Authentication DISET follows the same authentication mechanism the grid uses. Clients and services are identified by X509 certificates [4]. To be able to forward the user credentials to the final destination, a proxy certificate [5] has to be provided. Therefore The authentication mechanism has to support X509 certificates and certificate proxies. All connections require mutual authentication: clients authenticate services and vice versa. Authentication is done by checking the credentials received against a list of valid Certification Authorities (CAs). If the credentials presented by the client or the service fail to be signed by one of the valid CAs, the connection is closed. Clients can use certificates or proxies to connect to services but services can only use host certificates. 2.2. Authorization Before any action is executed, DIRAC checks if the client is allowed to the execution of the action. DIRAC has a set of authentication rules to verify if the action can be executed. Each action has a set of required properties. Every time a client connects to a DIRAC service, DISET authenticates it and extracts the client credentials from the SSL handshake. The client credentials identify the er in DIRAC and associate a set of properties to the credentials. There are two ways in how a set of properties can be associated to a credential depending on the er: If the er is a host, DISET checks if the Distinguished Name (DN ) is registered in the DIRAC Configuration Service (CS). If it s registered, there will be a set of properties associated to the host DN. If the er is a user, the properties are not directly associated to the user s DN. Because there can be lots of users, users are organized in groups. When a user wants to connect to any DIRAC service, an active group has to be selected. DISET extracts this group with the rest of the user s credentials when the connection is established, and uses this group and the user s DN to discover which set of properties the user has in the CS. To execute the ed action, the er has to have at least one property in the set of required properties by the action. Actions can allow any authenticated user to execute them if no property is required. A default set of properties can also be defined. If an action does not have a set of required properties, the default set will be the one required by the action. 2.3. Setting an active group Users can belong to more than one group. Before any action can be ed, users need to select which group will be the active one. To any action to a service, users have to present a valid grid proxy, which can have a DIRAC group embedded in a X509 extension inside it. DISET only accepts this extension if it is embedded in the fist level after the user certificate in the proxy chain. By embedding the group in an extension in a predefined level in the proxy chain, DISET ensures that:

Extract DN and group from proxy Is the DN valid and registered? YES Is the DN in the ed group? Received from user Extract required properties for ed action NO Deny Get from the CS properties for the user s group Deny NO Does at least one property match? YES Accept Figure 1. Authorization algorithm applied by DISET to each incoming. Only the user can set the active group. No other entity can define the active group because it is embedded in the level signed directly by the user certificate. Services know that the user has selected the group in person. The user cannot say that the group hasn t been selected because it has been signed directly by the user certificate. The selected group travels with the proxy. Future delegations only add levels to the proxy. This extra levels can add anything in their extensions but only the fist level is checked to ensure no modifications. 3. Proxy Management service DIRAC manages user s payloads. There are multiple types of payload, e.g. a job that has to run in a cluster or a data transfer. Typically users payload are submitted from one host and get executed in another host, but the payload has to be executed under the user s credentials. This requires the user s credentials to travel with the payload to the final destination. There is also a delay between the payload to DIRAC and the execution. To manage all the user s proxies, DIRAC has the Proxy Management service. The Proxy Management service allows users to upload long-lived proxies with a DIRAC group embedded. There is a strict set of rules to allow download of any stored. All proxy movements through the network are done by delegating proxies. Delegation is a method that allows movement of public credentials through any channel avoiding movement of private keys. Instead of simply sending the user s proxy through the network, there are three steps to create a new proxy on the other side of the connection: (i) The proxy receiving end generates a public key and a private key. With the public key, a certificate is generated and sent to the other end of the connection. (ii) The proxy sending end uses the certificate received to create a new proxy chain. This proxy chain will contain the originating proxy chain plus a new level. The new level will be generated using the certificate received and signing it with the previous level. (iii) The new chain is sent to the receiving end where the private key will be added. Users upload their proxies to the Proxy Management service by delegating them. authorized agents download them by doing the same. And

3.1. Authorization rules for downloading proxies Proxies allow to act on behalf of users so they are very sensitive data. Only a restricted set of users and agents are allowed to download proxies from the Proxy Management service. There are only two cases where downloading full proxies is required: Administrators (handful of people) can download any proxy. Agents that run in predefined hosts and need to interact with resources on behalf of users, can download the required proxy. An example of this case is the DIRAC component that submits jobs to the grids DIRAC has access to. There is another case where downloading a proxy is required. DIRAC uses pilot jobs to access the resources. A pilot job is a job sent to the grid to reach the final resource. Once it is running on the final resource, it installs DIRAC if it is not there, and then runs the real user job. Before a user s job can start to run on a resource, a limited proxy has to be downloaded to run the user s job using the user s credentials. There are two types of pilot jobs: generic and private. Private pilot jobs are submitted to the required grid using the user s credentials. This type of pilot job can only run the submitter s credentials. This jobs are directly submitted with a user proxy. Proxy Proxy Manager User Limited Proxy User Generic Pilot Proxy Token Resource Job Agent Token Director Generic Pilot Job Proxy token User Job Figure 2. How DIRAC handles the proxies to execute the user s payload under a generic pilot. Generic pilot jobs are submitted with a generic credential. Before running the real user job, a limited user proxy is needed. The pilot credentials must be able to download any limited proxy. To avoid someone stealing a generic pilot proxy from a resource and downloading a newer proxy for the same credentials, generic pilot credentials cannot download another generic pilot credentials. To avoid downloading all proxies from the Proxy Management service, each generic pilot jobs has a proxy token. This tokens are randomly generated every job. A token has to be presented to the Proxy Management service in order to download any proxy from a pilot job. To implement that, the Proxy Management service doesn t allow the generic pilot group to download another proxy with a pilot group. And only allows pilot group s to download limited proxies if a valid token is presented. Tokens have an expiration date and a limited number of uses. If a generic pilot proxy is stolen, downloading non-pilot proxies will be allowed only while the proxy and the token haven t expired. 3.2. Extending proxies The Proxy Management service can keep long-lived proxies but it can also use external mechanisms like the MyProxy service to extend the proxies it holds. If an authorized source s a proxy longer than the one the Proxy Management service has, it can a new proxy from the MyProxy service, store the new and longer lived proxy, and use it to delegate a proxy that fits the.

3.3. VOMS interaction DIRAC does not require VOMS, but can use it if the resources DIRAC accesses require it. Any DIRAC group that can interact with these resources has a VOMS mapping. When a DIRAC component wants to interact with the resources, a VOMS proxy is ed to the Proxy Management service. Before delegating the proxy to the er, the Proxy Management service adds the required VOMS extensions based on the ed group. References [1] Antunes-Nobrega R et al. (LHCb) CERN-LHCC-2003-030 [2] Tsaregorodtsev A et al. 2008 Computing in High-Energy Physics and Nuclear Physics 2007 [3] Graciani R and Casajus A 2008 Computing in High-Energy Physics and Nuclear Physics 2007 [4] Housley R, Polk W, Ford W and Solo D 2002 [RFC3280] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile [5] Tuecke S, Welch V, Engert D, Pearlman L and Thompson M 2004 [RFC3820] Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback