grid security overview
DESCRIPTION
Grid Security Overview. presented by Von Welch National Center for Supercomputing Applications. A New VO: Day 0. People and resources spread around the campus, state, country or globe Each resource local site rules under which they have to play - PowerPoint PPT PresentationTRANSCRIPT
www.grids-center.orgThe GRIDS Center, part of the NSF Middleware Initiative
Grid Security Overview
presented by
Von WelchNational Center for Supercomputing Applications
www.grids-center.org2The GRIDS Center, part of the NSF Middleware Initiative
A New VO: Day 0
• People and resources spread around the campus, state, country or globe
• Each resource local site rules under which they have to play
• Resources may have deployed authentication mechanisms (Kerberos, AFS) that aren’t going away
• No common database of users, passwords across VO
www.grids-center.org3The GRIDS Center, part of the NSF Middleware Initiative
VO Security Goal
• Main challenge of VO security is setting up trust among this group of previously unconnected resource providers
• Resource providers must establish trust of:– The technology– The users - authentication, behavior– Each other - incident response, logging, practices,
communication, etc.– The the VO - authorization being appropriately given
www.grids-center.org4The GRIDS Center, part of the NSF Middleware Initiative
Steps to Establishing Trust
• Identify the right people– Need to be able to speak authoritatively on security policies for
resources– Might need to be site authorities for stringent sites or sites with
large number of resources involved
• Involve them as early as possible• Foster understanding of technologies through
documentation, discussion• Identify security requirements of users, sites, other
stakeholders• Decide policies on authentication, authorization, logging,
etc– Site AAA Research Group in GGF has documents capturing a
example set of requirements
www.grids-center.org5The GRIDS Center, part of the NSF Middleware Initiative
Authentication Policy
• Globus provides basic authentication mechanism– GSI based on X.509 certificates
• Pick a certificate authority (CA)• Choose an existing CA(s)
– Find those that conform to requirements– And can server user community
• Roll their own– Registration authority (RA) structure to cover all users– Draft policies for operation (certificate policy)
• Documentation for users
www.grids-center.org6The GRIDS Center, part of the NSF Middleware Initiative
Authorization Policy
• Who get what access?• Globus provides simple ACL-based method (grid-
mapfile)• Policy will change over time, as users and
resources come and go• Who decides?• How is information distributed to resources?
www.grids-center.org7The GRIDS Center, part of the NSF Middleware Initiative
Security Tools
• Certificate Management– Getting users “signed up” to use the Grid– Getting the user’s Grid credentials to wherever they’re
needed in the system
• Authorization/Access Control– Tools for storing and providing access to system-wide
authorization information– Central data store for supporting decentralized control
mechanisms
www.grids-center.org8The GRIDS Center, part of the NSF Middleware Initiative
Kerberos Integration
• Institutions that already have a Kerberos realm can use KX.509 and KCA to provide local users with Grid proxy certificates without using a Certificate Authority.
• When users authenticate with Kerberos, they may obtain proxy certificates in addition to their Kerberos tickets.
• KCA is a Kerberized certification service, and KX.509 is a Kerberized client that generates and stores proxy certificates.
• Unlike MyProxy, KX.509 and KCA create credentials for users, so remote sites must be configured to trust the local KCA service’s certification authority.
• PKINIT is a service that allows users to use Grid certificates to authenticate to a Kerberos realm.
www.grids-center.org9The GRIDS Center, part of the NSF Middleware Initiative
User Registration Service
• Portal extensions (CGI scripts) that automate user registration requests.
– Solicits basic data from user.
– Generates cert request from ESG CA (implemented with “simple CA” from GT).
– Admin interface allows CA admin to accept/reject request.
– Generates a certificate and stores in MyProxy service.
– Gives user ID/password for MyProxy.
• Benefits– Users never have to deal with certificates.
– Portal can get user cert from MyProxy when needed.
– Database is populated with user data.
• Orginally written for ESG, being generalized for reuse in other projects!
www.grids-center.org10The GRIDS Center, part of the NSF Middleware Initiative
Community Authorization Service (CAS)
• GT component to allow fine-grain file control access
• Central DB stores information on users, groups, files and rights
• Cas-proxy-init– Uses existing proxy to contact CAS server and get CAS
credential listing user rights
• Administrative tools for managing DB• Hooks in GT 3.2 GridFTPd to enforce rights
www.grids-center.org11The GRIDS Center, part of the NSF Middleware Initiative
VOMS
• Similarto GT CAS• Database of user roles and capabilities
– Administrative tools
– Client interface
• voms-proxy-init– Uses client interface to produce an
attribute certificate (instead of proxy) that includes roles & capabilities signed by VOMS server
– Works with non-VOMS services, but gives more info to VOMS-aware services
• Allows VOs to centrally manage user roles and capabilities for GRAM access
www.grids-center.org12The GRIDS Center, part of the NSF Middleware Initiative
EDG-mkgridmap
• Builds grid-mapfiles from LDAP directory or VOMS server
• Allows central storage and distribution of user database
• Scripts are run to automatically contact central DB and build local grid-mapfile
www.grids-center.org13The GRIDS Center, part of the NSF Middleware Initiative
VOX and VOMRS
Extends VOMS to include an ESG-like registration service
– Web registration interface
– Builds user database with extended fields
– Populates VOMS server