6-Dec-02 D.P.Kelsey, DataGrid Security 1 EU DataGrid Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK [email protected]


EU DataGrid Security
UK Security Workshop
5-6 Dec 2002, NeSC

David Kelsey
CLRC/RAL, UK
d.p.kelsey@rl.ac.uk


Overview

• GridPP/EU DataGrid (EDG)/CERN LCG
• DataGrid Security – Introduction
• Security Requirements
• Authentication issues
• Authorisation issues
• Deployment issues
• DataGrid Security Solutions
• Summary


GridPP

• Provide architecture and middleware
• Use the Grid with simulated data
• Use the Grid with real data
• Future LHC Experiments
• Running US Experiments
• £17M PPARC project to Build Grid for UK PP
• Sep 01 – Aug 04


Main Partners

• CERN – International (Switzerland/France)

• CNRS - France

• ESA/ESRIN – International (Italy)

• INFN - Italy

• NIKHEF – The Netherlands

• PPARC - UK


Assistant Partners

Research and Academic Institutes
• CESNET (Czech Republic)
• Commissariat à l'énergie atomique (CEA) – France
• Computer and Automation Research Institute, Hungarian Academy of Sciences (MTA SZTAKI)
• Consiglio Nazionale delle Ricerche (Italy)
• Helsinki Institute of Physics – Finland
• Institut de Fisica d'Altes Energies (IFAE) - Spain
• Istituto Trentino di Cultura (IRST) – Italy
• Konrad-Zuse-Zentrum für Informationstechnik Berlin - Germany
• Royal Netherlands Meteorological Institute (KNMI)
• Ruprecht-Karls-Universität Heidelberg - Germany
• Stichting Academisch Rekencentrum Amsterdam (SARA) – Netherlands
• Swedish Research Council - Sweden

Industrial Partners
• Datamat (Italy)
• IBM-UK (UK)
• CS-SI (France)


Project Scope

• To develop, implement and exploit a large-scale data and CPU-oriented computational GRID.
• 9.8 M Euros EU funding over 3 years (Jan 01 – Dec 03)
• 90% for middleware and 3 application areas
  – HEP
  – Earth Observation
  – Bio-medical
• Three year phased developments & demos (2001-2003)
• Related EU projects:
  – DataTAG (2002-2003)
  – CrossGrid (2002-2004)


DataGrid Security – Introduction

• No single Work Package (security is everywhere!)
  – 3 security sub-groups
    • Authentication, Authorisation, & Co-ordination
• Based on Globus GSI
  – But adding our own extra functionality
• EU Deliverables (documents)
  – Security Requirements and first implementation
    • (D7.5) – completed May 2002
  – Security Design and 2nd implementation (D7.6) (Jan 2003)
• Many topics not covered today!


Security Requirements

• 112 documented in D7.5 document
  – 72 essential, 37 desirable aims, 3 long-term aims
  – Authentication (17), Authorisation (32), Auditing (5), Non-repudiation (3), Delegation (8), Confidentiality (18), Integrity (4), Networking (2), Manageability (4), Usability (8), Interoperability (5), Scalability (1), Performance (5)
• Includes
  – Virtual Organisations (VO’s)
  – Role based authorisation
    • Authorise resources as well as users
  – Local Authorisation
    • Decisions and keep ACL’s local to data
  – Confidentiality
    • Encrypted medical data
    • Don’t know who is in a VO
  – International Collaboration – must inter-operate!


Authentication

• 13 approved National Certificate Authorities
  – includes Registration Authorities – check identity
  – 5 new CA’s under consideration
• CNRS (France) acts as “catch-all” CA for countries with none
  – With appropriate RA mechanisms
• Matrix of “Trust” (work ongoing) – much work!
  – CA Mgrs check each other against agreed list of minimum requirements
  – Software tools being developed to aid this process
• Cross-Domain Authentication between Grid projects
  – USA (DOE) and CrossGrid are members of the CA group and Trust matrix


Authentication (2)

DataGrid CA Features matrix


Authentication issues

• Don’t mix Authentication and Authorisation
  – But authentication often includes some implicit authorisation
• How to define list of “trusted” CA’s?
  – CP/CPS important
  – Audit of CA procedures – 3rd party? (not done yet)
  – GGF GridCP and CA-OPs WG’s important here
• Scaling problems
  – How many CA’s can we cope with? (we will reach ~20)
  – Or should the VO’s issue Authentication certs?
  – Or use Kerberos at the site and generate certs online
    • Some US HEP sites not happy with user-held private keys


Authorisation

• Testbed 0 (2000-01)
  – Based on Globus GSI and Grid Mapfile
    • Maps certificate DN to one UNIX user account
    • No groups or roles
    • Unix UID/GID-based access control
• Testbed 1 (2001-02)
  – DataGrid “Virtual Organisation” (VO) support
    • LDAP based VO directories
    • Tools to manage grid mapfile automation –> groups
    • Leasing of dynamic user accounts
      – mods to Globus mapping code
• Testbed 2 (2002-03)
  – DataGrid VOMS, LCAS, GACL,… (see later)


EDG Authorisation LDAP
grid-mapfile generation

[Diagram: LDAP trees labelled VO Directory and “Authorization Directory” (o=testbed,dc=eu-datagrid,dc=org and o=xyz,dc=eu-datagrid,dc=org, with ou=People, ou=Testbed1 and ou=???) hold entries CN=Franz Elmer, CN=John Smith and CN=Mario Rossi, each with an Authentication Certificate; mkgridmap, local users and ban list feed the grid-mapfile.]
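
The grid-mapfile flow on this slide (VO directory members, local users and a ban list merged by mkgridmap) and the Testbed 1 leasing of dynamic accounts, sketched as an added example; it is not EDG's mkgridmap or gridmapdir code. The DNs, the VO-to-account policy, the leading "." marking a pool entry and the in-memory lease table are assumptions made for illustration.

```python
import shlex

# Constructed sample data: DNs, VO names and account names are illustrative.
VO_MEMBERS = {  # what the VO LDAP directories would return
    "testbed": ["/O=Example/CN=Franz Elmer", "/O=Example/CN=John Smith"],
    "xyz": ["/O=Example/CN=Mario Rossi", "/O=Example/CN=Franz Elmer"],
}
VO_ACCOUNT = {"testbed": ".tb", "xyz": "xyzuser"}  # leading "." = leased pool
LOCAL_USERS = {"/O=Example/CN=Site Admin": "admin"}  # site's own static entries
BAN_LIST = {"/O=Example/CN=John Smith"}  # DNs the site refuses


def make_gridmap(vo_members, vo_account, local_users, ban_list):
    """Return grid-mapfile text, one '"DN" account' line per authorised DN."""
    mapping = dict(local_users)  # local entries take precedence
    for vo, account in vo_account.items():  # dict order = site preference
        for dn in vo_members.get(vo, []):
            mapping.setdefault(dn, account)  # first mapping for a DN wins
    for dn in ban_list:
        mapping.pop(dn, None)  # the ban list overrides every other source
    return "".join(f'"{dn}" {acct}\n' for dn, acct in sorted(mapping.items()))


def parse_gridmap(text):
    """Parse grid-mapfile text into {DN: account}; comments and blanks skipped."""
    entries = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 2:
            entries.setdefault(parts[0], parts[1])
    return entries


def map_user(entries, leases, dn, pool_size=3):
    """Resolve an authenticated DN to a UNIX account, or None to refuse."""
    account = entries.get(dn)
    if account is None or not account.startswith("."):
        return account  # unknown DN (None) or static one-to-one mapping
    if dn not in leases:  # lease the next free account from the pool
        names = [f"{account[1:]}{i:03d}" for i in range(1, pool_size + 1)]
        free = [n for n in names if n not in leases.values()]
        if not free:
            return None  # pool exhausted: refuse rather than share an account
        leases[dn] = free[0]
    return leases[dn]
```

A DN that appears in two VOs gets the account of the first VO in the site's policy, and a banned DN never reaches the file even when a VO lists it.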


VOMS

• Virtual Organisation Membership Service
• Modify grid-proxy-init command
  – voms-proxy-init -vo <MyVO> -role <todaysrole>
  – Can request from multiple VO servers
  – Creates user’s proxy certificate
    • But containing signed VO membership and roles
• Roles, Groups, Capabilities
  – All possible


VO Membership Service

1. Client and server authenticate themselves and establish a secure communication channel using standard Globus API.

2. The Client sends the request to the Server.

3. The Server checks the request and sends back the required info (signed by itself).

4. The Client checks the validity of the info received.

5. Steps 1—4 are repeated for each Server the Client wants to contact.

6. The Client creates a proxy certificate with an extension (non critical) containing all the info received from the contacted VOMS Servers.

[Diagram labels: Query, Authentication, Request, AuthDB, VOMS pseudo-cert; user proxy C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy carrying the VOMS pseudo-cert.]
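
Steps 2 to 6 above seen from the client, as an added example rather than VOMS code: the client keeps only replies that verify and packs them into a non-critical proxy extension. Step 1 is assumed done, HMAC with a per-server key stands in for the server's X.509 signature, and the host names, field names and the holder and lifetime checks are assumptions about what "validity" covers.

```python
import hashlib
import hmac
import json

# Constructed data. HMAC with a per-server key stands in for the VOMS server's
# X.509 signature, so unlike real VOMS the verifier here shares the signing key.
SERVER_KEYS = {"voms-a.example": b"key-a", "voms-b.example": b"key-b"}
USER = "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"
AUTH_DB = {  # per server: authenticated user DN -> (VO, role)
    "voms-a.example": {USER: ("vo-a", "production")},
    "voms-b.example": {USER: ("vo-b", "user")},
}


def _sign(server, info):
    body = json.dumps(info, sort_keys=True).encode()
    return hmac.new(SERVER_KEYS[server], body, hashlib.sha256).hexdigest()


def server_reply(server, user_dn, now, lifetime=3600):
    """Steps 2-3: the server looks up the authenticated DN and signs the result."""
    vo, role = AUTH_DB[server][user_dn]
    info = {"issuer": server, "holder": user_dn, "vo": vo, "role": role,
            "not_after": now + lifetime}
    return {"info": info, "sig": _sign(server, info)}


def reply_is_valid(reply, user_dn, now):
    """Step 4: accept only info signed by a known server, issued to this
    user and still within its lifetime."""
    info = reply["info"]
    server = info.get("issuer")
    if server not in SERVER_KEYS:
        return False
    if not hmac.compare_digest(reply["sig"], _sign(server, info)):
        return False
    return info.get("holder") == user_dn and now < info.get("not_after", 0)


def make_proxy(user_dn, replies, now):
    """Steps 5-6: gather every valid reply into one non-critical extension."""
    valid = [r for r in replies if reply_is_valid(r, user_dn, now)]
    return {"subject": user_dn + "/CN=proxy",
            "extensions": [{"name": "voms", "critical": False, "value": valid}]}
```

Because the extension is non-critical, a service that does not understand it still accepts the proxy on the DN alone, so a service that relies on the roles has to repeat the step 4 checks itself.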


VOMS


Security Developments

• Security components developed (see EDG web)
  – CA Trust Matrix tools
  – VO/LDAP & VOMS – Authorisation
  – LCAS, LCMAPS – local authorisation and mapping
  – Gridmapdir – dynamic leased accounts
  – Gridsite – certificate-based web management
  – SlashGrid - dn-based grid homefile system
  – GACL – Library to parse ACL’s (XML)
  – edg-java-security (for Data Management)


SlashGrid & GACL (McNab – HEP Manchester)

• Framework for creating “Grid-aware” filesystems
  – different types of filesystem provided by dynamically loaded plugins
  – Uses CMU Coda kernel module
  – Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/
• GACL
  – a C library for manipulating Grid Access Control Lists, written in XML-based Access Control Languages.
  – http://www.gridpp.ac.uk/gacl/
• n.b. also GridSite for certificate-based web authorisation


Authorisation

[Diagram labels: User, VOMS, authenticate, dn, dn + attrs, pre-proc, authr, map, LCAS, LCMAPS, service, acl; columns Java and C; services shown: Coarse-grained e.g. Spitfire (WP2), Fine-grained e.g. RepMeC (WP2/WP3), Coarse-grained e.g. CE, Gatekeeper (WP4), Fine-grained e.g. SE, /grid (WP5).]


Grid Deployment - issues

• Legal, political, site security policies, etc.
  – The user does not (need to) know where the jobs will run
    • Cannot sign registration forms everywhere
  – Acceptable Use policies (Rules)
• What is needed for User Registration?
  – We have a solution for EDG testbed
    • But not yet for full production (LCG considering this)
  – What is acceptable to Site Security Officers?
• GGF Site-AAA research group
  – An extremely important area – could kill the Grid!


Issues – Deployment (2)
Virtual Organisation Management

• VO’s need to manage their members and sites/resource providers negotiate with VO’s
  – Only system which will scale
    • Sites cannot manage large number of Grid users
  – Not just a technical problem!
  – Must develop procedures to allow this to happen
  – VO’s not used to managing resources
  – Will Computer Centres give up (full) control?


Summary

• Authentication
  – Cross-Domain Trust is the big problem
    • will it continue to scale?
• Authorisation
  – The most IMPORTANT area
    • This is where the identity and rights need to be checked
  – Technology is immature
  – Need VO management procedures/tools
• Many operational, legal, deployment issues
  – To establish Trust between Sites/VO’s/users
• EDG has several solutions – available for use!


Web links

• GridPP http://www.gridpp.ac.uk
• DataGrid http://www.eu-datagrid.org
• LCG http://lcg.web.cern.ch/LCG/
• GGF Security Area http://www.globalgridforum.org/2_SEC/SEC.htm
• DataGrid Security Requirements document http://hepwww.rl.ac.uk/kelsey/datagrid-d7.5.pdf