TRANSCRIPT
Mine Altunay, OSG Security Officer
Open Science Grid: Security
Gateway Security Summit
January 28-30, 2008
San Diego Supercomputer Center
Gateway Security Summit : 01/30/2008 2
OSG Security Team
Mine Altunay, FNAL
Doug Olson, LBNL
Bob Cowles, SLAC
Don Petravick, FNAL
OSG Security
• The big picture:
– What does OSG security do?
• Security Infrastructure
– Authentication
– VOMS
– PRIMA/GUMS
– gPlazma
– gLExec
• How can someone become part of OSG?
OSG Security
• A security framework that enables science and promotes autonomous and open science collaboration among VOs, sites, and software providers
• Operational
– Vulnerability analysis, patches
– Incident response
• Interoperability
– Joint policy work: JSPG, MWSG, IGTF
– Why we are here: how to build interoperability with other Grids, e.g. TeraGrid
• Education
– Security tutorials, documents for the naïve user
[Diagram: OSG security activities around the Open Science Grid. Software stack: Globus, Condor, gLExec, RSV, Gratia, VDT. Sites: FermiGrid, BNL_ATLAS_1, UCSDT2. VOs: ATLAS, CMS. Arrows labelled "Job Submissions" and "Interoperability".]
Software
• Check software vulnerabilities
• Develop and announce patches
Interoperability
• JSPG, IGTF
• Participate in EGEE's response and operation teams
Security Education for Sites and VOs
• Raise security awareness
• Teach OSG policies and best practices
• Workshops, tutorials, grid schools
Policies for Site-VO interoperability
• Develop policies: AUP, Service Agreements, pilot policies, MOU, membership
Incident Response and Monitoring
• Coordinating the response teams, communication with Sites and VOs
• Banning compromised machines or users, monitoring for suspicious job submissions
• Fire drills for practice
Security Infrastructure
• Authentication
– Performed by GSI
– OSG distributes IGTF-approved root CAs (in VDT)
– Sites fetch automatic CRL updates
– Sites can update root CAs (optional tool in VDT)
Authorization: VOMS + PRIMA + GUMS
[Diagram: the VOMS Server (attribute repository) and the GUMS Server (DN/FQAN mapping, MySQL); GUMS synchs periodically with VOMS to get VO membership. The Gatekeeper validates the proxy (GSI) and, through its gridmap callout, the PRIMA module asks GUMS for an account before the job goes to the batch system. Numbered steps: 1 voms-proxy-init; 2 receive VO permissions; 3 job submission to the gatekeeper; 4 request account; 5 account mapping; 6 hand-off to the batch system.]
VOMS
• VO Membership Service
– VO manages access rights for its members
– FQAN: Fully Qualified Attribute Name
– Based on RFC 3281
– Example: /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL
– Different roles have different permissions
• Sites must honor VO permissions
• VOMS registration
– via VOMS, or VOMRS, or manually
• Use voms-proxy-init instead of grid-proxy-init
– VO-specific permissions (FQANs) inserted into X.509 non-critical extensions
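A worked example of the FQAN format and of a site honoring VO permissions. This is added here and is not code from the slides or from VOMS: it parses FQANs of the form shown on the slide and checks them against a site-side table of the groups and roles the site honors. The SITE_POLICY table, the privilege-class names and the matching rules (prefix match on the VO group, exact match on the role, proxy order decides) are constructed assumptions; the example FQAN /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL is the slide's.

```python
"""
Added example (not from the OSG slides): parse VOMS FQANs and check them
against a site's honored-permissions table. The FQAN layout and the example
/oscar.nikhef.nl/mcprod/Role=production/Capability=NULL come from the slide;
the SITE_POLICY table and its matching rules are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FQAN:
    group: str                  # VO group path, e.g. "/oscar.nikhef.nl/mcprod"
    role: Optional[str]         # e.g. "production"; None when absent or "NULL"
    capability: Optional[str]   # rarely used; None when absent or "NULL"


def _norm(value: Optional[str]) -> Optional[str]:
    # VOMS writes an unset field as "NULL"; treat that like a missing field.
    return None if value in (None, "", "NULL") else value


def parse_fqan(text: str) -> FQAN:
    """Split /vo/group[/subgroup...][/Role=r][/Capability=c] into its parts."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    group_parts: List[str] = []
    role = cap = None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif role is None and cap is None and part:
            group_parts.append(part)        # group components precede Role=/Capability=
        else:
            raise ValueError(f"malformed FQAN component {part!r} in {text!r}")
    if not group_parts:
        raise ValueError(f"FQAN has no VO group: {text!r}")
    return FQAN("/" + "/".join(group_parts), _norm(role), _norm(cap))


# Constructed site policy, checked in order (most specific rule first):
# (VO group prefix, required role or "*" for any role, local privilege class).
SITE_POLICY: List[Tuple[str, str, str]] = [
    ("/oscar.nikhef.nl/mcprod", "production", "prod"),
    ("/oscar.nikhef.nl", "*", "user"),
]


def _in_group(fqan: FQAN, prefix: str) -> bool:
    # Membership of a subgroup implies membership of its parent group.
    return fqan.group == prefix or fqan.group.startswith(prefix + "/")


def site_permission(fqans: List[FQAN]) -> Optional[str]:
    """Return the local privilege class the site grants, or None if no FQAN is honored.

    FQANs are tried in the order VOMS placed them in the proxy (primary first),
    so the user's primary group/role decides unless the site does not honor it.
    """
    for fqan in fqans:
        for prefix, role, perm in SITE_POLICY:
            if _in_group(fqan, prefix) and role in ("*", fqan.role):
                return perm
    return None


if __name__ == "__main__":
    proxy_fqans = [parse_fqan("/oscar.nikhef.nl/mcprod/Role=production/Capability=NULL"),
                   parse_fqan("/oscar.nikhef.nl/Role=NULL/Capability=NULL")]
    print(site_permission(proxy_fqans))      # prod
    print(site_permission([parse_fqan("/cms/Role=lcgadmin")]))   # None: VO not honored here
```

The point of the two-rule table is the slide's "different roles have different permissions": the same VO member gets the production class only when the production role is the primary FQAN in the proxy, and a VO the site has no rule for gets nothing at all.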
GUMS: Grid User Management Service
• Maps user DNs/FQANs to accounts
– Replaces grid-map files
– Site-wide tool
• Sites recognize VO permissions
• Synchs with VOMS periodically
– Downloads the VO memberships, FQANs
– Can work with LDAP instead of VOMS
GUMS
• Three types of mapping
– personal accounts (manual or from LDAP)
– group accounts (multiple DNs to a single UID, like VO -> UID)
– pool accounts (dynamically generated)
• Guarantees that the same UID can be used by only one DN/FQAN at any given time
• Currently, a pool account is created when a DN/FQAN is first seen, and never released
GUMS
• Two kinds of grouping
• User groups
– Map (DN, FQAN) to (uid, gid)
• Host groups
– Connect hosts with user groups
– An M x N configuration
– A single host group can be used for
• Multiple hosts (like "*.usatlas.bnl.gov")
• Multiple user groups (like "usatlasGroup,atlas,dial")
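A worked model of the two GUMS slides above (three mapping types, and host groups times user groups). This is an added example and not GUMS's own code or configuration: a small mapper that resolves (host, DN, FQAN) to an account through ordered host groups and user groups, with personal, group and pool mappings, and with pool accounts leased on first sight and never released, so the same DN/FQAN always gets the same UID and no two DN/FQANs share one. The DNs, account names, VO memberships and the host pattern "*.usatlas.bnl.gov" rule are constructed; the pool is kept deliberately tiny so exhaustion is visible.

```python
"""
Added example (not GUMS's own code): a GUMS-style mapper showing the three
mapping types (personal, group, pool) and the host group x user group
configuration. DNs, account names and VOMS memberships are constructed.
"""
import fnmatch
from typing import Dict, List, Optional, Set, Tuple, Union


class Gums:
    def __init__(self) -> None:
        self.user_groups: Dict[str, dict] = {}
        # Host groups in configuration order: (host pattern, ordered user group names).
        self.host_groups: List[Tuple[str, List[str]]] = []
        # Pool leases per pool group: account -> "dn|fqan" that holds it.
        self.pool_leases: Dict[str, Dict[str, str]] = {}

    def add_user_group(self, name: str, kind: str, fqan: Optional[str], members: Set[str],
                       accounts: Union[str, List[str], Dict[str, str]]) -> None:
        # members: DNs synched from VOMS (or LDAP) for this VO group/role.
        # fqan None means "any FQAN", as for a manually maintained list.
        assert kind in ("personal", "group", "pool")
        self.user_groups[name] = {"kind": kind, "fqan": fqan,
                                  "members": set(members), "accounts": accounts}

    def add_host_group(self, host_pattern: str, user_groups: List[str]) -> None:
        self.host_groups.append((host_pattern, list(user_groups)))

    def map_user(self, host: str, dn: str, fqan: str) -> Optional[str]:
        """Account for (dn, fqan) on host, or None if no host/user group matches."""
        for pattern, groups in self.host_groups:
            if not fnmatch.fnmatchcase(host, pattern):
                continue
            for gname in groups:                  # first matching user group wins
                g = self.user_groups[gname]
                if dn in g["members"] and g["fqan"] in (None, fqan):
                    return self._account_for(gname, g, dn, fqan)
        return None

    def _account_for(self, gname: str, g: dict, dn: str, fqan: str) -> Optional[str]:
        if g["kind"] == "personal":               # manual or LDAP: one DN -> one account
            return g["accounts"].get(dn)
        if g["kind"] == "group":                  # many DNs -> one shared account
            return g["accounts"]
        leases = self.pool_leases.setdefault(gname, {})
        holder = f"{dn}|{fqan}"
        for account, owner in leases.items():
            if owner == holder:                   # seen before: same UID again
                return account
        for account in g["accounts"]:
            if account not in leases:             # first sight: take a free pool account
                leases[account] = holder
                return account
        return None                               # pool exhausted; leases are never released


ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 100001"   # constructed DNs
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 100002"
CAROL = "/DC=org/DC=doegrids/OU=People/CN=Carol Example 100003"
PROD = "/atlas/usatlas/Role=production"
PLAIN = "/atlas/usatlas/Role=NULL"


def build_demo_gums() -> Gums:
    g = Gums()
    g.add_user_group("usatlasProd", "group", PROD, {ALICE}, "usatlas1")
    g.add_user_group("usatlasPool", "pool", PLAIN, {ALICE, BOB, CAROL},
                     ["usatlas001", "usatlas002"])        # deliberately small pool
    g.add_user_group("siteStaff", "personal", None, {ALICE}, {ALICE: "alice"})
    # M x N: each host group lists its own ordered set of user groups.
    g.add_host_group("*.usatlas.bnl.gov", ["usatlasProd", "usatlasPool"])
    g.add_host_group("gridftp.example.edu", ["siteStaff", "usatlasPool"])
    return g


if __name__ == "__main__":
    g = build_demo_gums()
    for host, dn, fqan in [("ce01.usatlas.bnl.gov", ALICE, PROD), ("ce01.usatlas.bnl.gov", BOB, PLAIN),
                           ("ce01.usatlas.bnl.gov", CAROL, PLAIN), ("ce01.usatlas.bnl.gov", ALICE, PLAIN),
                           ("gridftp.example.edu", ALICE, PROD)]:
        print(host, dn.rsplit("=", 1)[1], fqan, "->", g.map_user(host, dn, fqan))
```

The fourth lookup returns None: both pool accounts are already leased, and because leases are never released, a third DN/FQAN in that group cannot be mapped on that host. That is the "guarantee" bullet and the "never released" bullet in one run, and it is why pool sizing is a site operations concern rather than a detail.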
gPlazma: Storage Authz
[Diagram: SRM-dCache storage authorization. A client runs voms-proxy-init to obtain a proxy with VO membership and role attributes, then uses srmcp against the SRM Server or transfers data through the GridFTP Server. Both servers call out (SRM callout, GridFTP callout) to gPLAZMA. gPLAZMA's PRIMA SAML client issues SAML queries over https/SOAP: to the GUMS Identity Mapping Service ("If authorized, get username") and to the Storage Authorization Service ("Get storage authz for this username"), whose SAML response carries the User Authorization Record; gPLAZMA then applies the storage metadata to the DATA transfer. The gPLAZMALite Authorization Service is the alternative path, using a gPLAZMALite grid-mapfile and dcache.kpwd. The slide numbers the steps 1 to 13.]
CE and SE: Big Picture
[Diagram, built up over several slides: a local or remote client presents a proxy with VO membership and role attributes to the site. VOMS, outside the site, feeds the site-wide services: SAZ (Site-wide Assertion Service) and GUMS (Site-wide Mapping Service), alongside an Auxiliary Mapping Service (the Storage Authorization Service with storage metadata). On the CE, the Globus Gatekeeper uses the PRIMA callout built on the PRIMA C SAML libraries. On the SE, the SRM-GridFTP gPLAZMA callout uses gPLAZMA with PRIMA Java SAML; the gPLAZMALite Authorization Services suite is also shown. The final builds label the gatekeeper and gPLAZMA callouts as the PEP (policy enforcement point).]
gLExec (slide courtesy: Igor Sfiligoi, Gabriele Garzoglio, FNAL)
• When a user submits a grid job to an OSG site, the job always carries the user's credentials. At the execution site, the job is assigned an appropriate userid under which to run. Another option for submitting grid jobs involves the concept of a pilot job. This type of job, once it's in a site's batch slot, coordinates and calls a series of user jobs according to VO priorities at launch time. If the pilot job and the user jobs all run under the same userid, however, the pilot job framework violates the security policies of any site that requires knowledge and control of its resource users.
• gLExec, a gLite product currently used on European Computing Elements, solves this problem. gLExec is a privileged executable that, given a user credential and an execution command, obtains the appropriate Unix ID from a site's GUMS server and executes the job under that Unix ID. In order to use gLExec within OSG, VOs must configure the pilot job such that it "calls home" to get the associated user credential. The pilot then forwards the credential to gLExec, which uses it to communicate with the site security service, thus returning control to the site.
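The two bullets above describe a policy problem (a site that cannot attribute pilot-run jobs to users) and its fix (a privileged switch that maps the forwarded user credential through the site's GUMS and runs the job under that Unix ID). The following simulation is an added example, not code from the slides or from gLExec itself: a site model keeps an audit of which UID ran each job and which grid identity it is attributed to, a pilot runs two users' jobs first without and then with a gLExec-style switch, and the switch refuses an expired proxy or an unmapped user instead of falling back to the pilot's UID. Proxy contents, DNs, UIDs and the mapping table are constructed, and a plain dictionary stands in for the GUMS lookup.

```python
"""
Added example (not from the slides or from gLExec itself): a simulation of the
accountability problem pilot jobs create and of how a gLExec-style privileged
switch fixes it. Site.audit records which Unix ID ran each job and which grid
identity the site can hold accountable; the mapper stands in for GUMS.
Proxy contents, DNs, UIDs and the mapping table are all constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proxy:
    dn: str
    fqan: str
    expires_at: float      # constructed stand-in for the proxy certificate's notAfter


@dataclass(frozen=True)
class JobRecord:
    command: str
    uid: int
    attributed_dn: str     # the identity the site can hold accountable


class Site:
    def __init__(self, mapper: Callable[[str, str], Optional[int]], now: Callable[[], float]):
        self.mapper = mapper       # (dn, fqan) -> uid, i.e. the GUMS lookup
        self.now = now
        self.audit: List[JobRecord] = []

    def run_as(self, uid: int, dn: str, command: str) -> JobRecord:
        record = JobRecord(command, uid, dn)
        self.audit.append(record)
        return record

    def glexec(self, proxy: Proxy, command: str) -> JobRecord:
        """gLExec-style switch: validate the credential, map it, run under that UID.
        It refuses rather than falling back to the caller's (pilot's) UID."""
        if proxy.expires_at <= self.now():
            raise PermissionError("proxy expired")
        uid = self.mapper(proxy.dn, proxy.fqan)
        if uid is None:
            raise PermissionError(f"no site mapping for {proxy.dn} {proxy.fqan}")
        return self.run_as(uid, proxy.dn, command)


class Pilot:
    """Pilot job occupying one batch slot and running several users' jobs in turn."""
    def __init__(self, site: Site, uid: int, dn: str, use_glexec: bool):
        self.site, self.uid, self.dn, self.use_glexec = site, uid, dn, use_glexec

    def run_user_job(self, proxy: Proxy, command: str) -> JobRecord:
        # The pilot has already "called home" and received the user's proxy.
        if self.use_glexec:
            return self.site.glexec(proxy, command)
        return self.site.run_as(self.uid, self.dn, command)   # job inherits the pilot's UID


ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice Example 100001"   # constructed DNs
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob Example 100002"
PILOT_DN = "/DC=org/DC=doegrids/OU=Services/CN=cms-pilot/pilot.example.edu"
CMS = "/cms/Role=NULL"
MAPPING = {(ALICE, CMS): 41001, (BOB, CMS): 41002}               # the "GUMS" table
NOW = 1000.0


def make_site() -> Site:
    return Site(mapper=lambda dn, fqan: MAPPING.get((dn, fqan)), now=lambda: NOW)


def run_pilot(use_glexec: bool) -> Dict[str, Tuple[int, str]]:
    """Run two users' jobs through one pilot and return the site's audit view."""
    site = make_site()
    pilot = Pilot(site, uid=40000, dn=PILOT_DN, use_glexec=use_glexec)
    pilot.run_user_job(Proxy(ALICE, CMS, NOW + 3600), "cmsRun job1.cfg")
    pilot.run_user_job(Proxy(BOB, CMS, NOW + 3600), "cmsRun job2.cfg")
    return {r.command: (r.uid, r.attributed_dn) for r in site.audit}


if __name__ == "__main__":
    print("without gLExec:", run_pilot(False))   # both jobs: uid 40000, pilot DN
    print("with gLExec:   ", run_pilot(True))    # 41001/Alice and 41002/Bob
```

Read the two audit views side by side: without the switch the site sees two jobs under the pilot's UID and can only ban or trace the pilot; with it, each job carries the user's own UID and DN, so banning a user or attributing a suspicious job works the same way it does for directly submitted jobs.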
How to become an OSG member?
• Join the OSGEDU VO:
– Run small applications after learning how to use OSG from schools
• Be part of the Engagement program and Engage VO:
– Support within the Facility to bring applications to production on the distributed infrastructure
• Be a standalone VO and a Member of the Consortium:
– Ongoing use of OSG & participate in one or more activity groups.
Documents
• OSG Security twiki
– https://twiki.grid.iu.edu/twiki/bin/view/Security
• OSG Security Plan
– http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=389
• Security Awareness for the OSG
– http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=573