DataGrid is a project funded by the European Union HEPiX Conference Amsterdam 2003
Grid Security for Site Authorization in EDG
VOMS, Java Security and LCMAPS
David Groep, [email protected]
EDG Security Coordination
A. Frohner – CERN
D. Kouril – CESNET
F. Bonnassieux – CNRS
R. Alfieri, R. Cecchini, V. Ciaschini, L. dell'Agnello, A. Gianoli, F. Spataro – INFN
O. Mulmo – KDC
D.L. Groep, M. Steenbakkers, W. Som de Cerff, O. Koeroo, G. Venekamp – NIKHEF
L. Cornwall, D. Kelsey, J. Jensen – RAL
A. McNab – University of Manchester
P. Broadfoot, G. Lowe – University of Oxford
http://hep-project-grid-scg.web.cern.ch/
HEPiX, Amsterdam 2003 – Grid Security and Site Authorization in EDG – n° 2
Talk Outline
Introduction
Authorization requirements
VO Membership Service
Java Security for Hosted Environments
Native Mechanisms (LCAS, LCMAPS)
Conclusions
Authentication – only the first step
EDG security infrastructure based on X.509 certificates (PKI)
Authentication needs “trusted third parties”: 16 national certification authorities
Policies and procedures: mutual trust
Users identified with “identity” certificates signed by a national CA
See also next talk by Dave Kelsey…
Authorization: several entities involved
Resource Providers (e.g. computer centres, storage providers, NRENs)
Virtual Organizations (e.g. LHC experiment collaborations)
Cannot decide Authorization for grid users only on local site basis
User’s Authorization in Globus
[Diagram: the user holds a long-lived user cert and runs grid-proxy-init to create a short-lived proxy cert; the service holds a long-lived host cert and checks the authentication info against its grid-mapfile; the CAs feed CRL updates to both sides at low frequency, while user-to-service interactions happen at high frequency.]
User’s Authorization in EDG 1.4.x
[Diagram: as in the Globus picture (user cert, grid-proxy-init, proxy cert, host cert, CRL updates at low frequency, interactions at high frequency), but the user registers with a VO-LDAP server and the service builds its grid-mapfile with mkgridmap from the VO-LDAP servers' membership lists.]
VOMS Overview
Provides info about the user’s relationship with his VO(’s)
groups, “compulsory” groups, roles (admin, student, ...), capabilities (free form string), temporal bounds
Features:
single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init);
expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself);
backward compatibility: the extra VO related information is in the user’s proxy certificate, which can be still used with non VOMS-aware services;
multiple VO’s: the user may authenticate himself with multiple VO’s and create an aggregate proxy certificate;
security: all client-server communications are secured and authenticated.
User’s Authorization in EDG 2.x
[Diagram: the user registers with one or more VO-VOMS servers; voms-proxy-init uses the long-lived user cert to create a short-lived proxy cert together with a short-lived authz cert from each VOMS server; the service holds a long-lived host cert plus a short-lived service cert and authz cert, receives authentication & authorization info, and enforces it through LCAS/LCMAPS or edg-java-security; CRL updates from the CAs remain low frequency, user-to-service interactions high frequency.]
Pseudo-Certificate Format
user’s identity:
  /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/[email protected]
  /C=IT/O=INFN/CN=INFN CA
server identity:
  /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/[email protected]
  /C=IT/O=INFN/CN=INFN CA
user’s info:
  VO: CMS  URI: http://vomscms.cern.ch
  TIME1: 020710134823Z  TIME2: 020711134822Z
  GROUP: montecarlo  ROLE: administrator  CAP: “100 GB disk”
SIGNATURE:.........L...B]....3H.......=".h.r...;C'..S......o.g.=.n8S'x..\..A~.t5....90'Q.V.I..../.Z*V*{.e.RP.....X.r.......qEbb...A...
The pseudo-cert is inserted in a non-critical extension of the user’s proxy (OID 1.3.6.1.4.1.8005.100.100.1)
It will become an Attribute Certificate
One for each VOMS Server contacted
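As an added example (not part of the talk and not the VOMS code), a Python reading of the pseudo-cert as line-oriented KEY: value text that checks each pseudo-cert's own TIME1..TIME2 window, as the “expiration time” feature of the VOMS overview describes: attributes from an expired pseudo-cert are dropped even while the proxy itself is still valid, and several pseudo-certs (one per VOMS server) are aggregated. The text layout, the second VO block with its URI, and all times are constructed; the real extension carries the data in encoded form inside the proxy.

```python
from datetime import datetime, timezone

# Constructed sample input (not from a real proxy): one KEY: value block per
# VOMS server contacted, in the layout of the slide. Real VOMS data is encoded
# in the proxy extension; the second VO and its URI are hypothetical.
SAMPLE_BLOCKS = [
    "VO: CMS\nURI: http://vomscms.cern.ch\n"
    "TIME1: 020710134823Z\nTIME2: 020711134822Z\n"
    "GROUP: montecarlo\nROLE: administrator\nCAP: \"100 GB disk\"",
    "VO: ATLAS\nURI: http://voms.example.org\n"
    "TIME1: 020710120000Z\nTIME2: 020710123000Z\n"
    "GROUP: production\nROLE: user",
]

def parse_utctime(value):
    """X.509 UTCTime 'YYMMDDhhmmssZ' -> aware UTC datetime (RFC 3280: YY >= 50 is 19YY)."""
    if len(value) != 13 or not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError(f"bad UTCTime: {value!r}")
    yy = int(value[:2])
    year = yy + (1900 if yy >= 50 else 2000)
    return datetime.strptime(f"{year}{value[2:-1]}", "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_pseudo_cert(block):
    """Split KEY: value lines into a dict; TIME1/TIME2 become datetimes."""
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip()] = value.strip().strip('"')
    missing = [k for k in ("VO", "URI", "TIME1", "TIME2") if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    fields["TIME1"], fields["TIME2"] = (parse_utctime(fields[k]) for k in ("TIME1", "TIME2"))
    return fields

def valid_attributes(blocks, now_utctime):
    """Keep attributes only from pseudo-certs whose own TIME1..TIME2 window covers
    `now`; a still-valid proxy does not rescue expired authorization info."""
    now = parse_utctime(now_utctime)
    accepted, expired = [], []
    for block in blocks:
        pc = parse_pseudo_cert(block)
        if pc["TIME1"] <= now <= pc["TIME2"]:
            accepted.append({k: pc[k] for k in ("VO", "GROUP", "ROLE", "CAP") if k in pc})
        else:
            expired.append(pc["VO"])
    return accepted, expired
```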
VOMS Architecture
[Diagram: VOMS server – the vomsd query daemon (reached by voms-proxy-init over GSI), voms-httpd on Apache & mod_ssl (serving the Perl CLI, the web interface and mkgridmap over https), and the VOMSimpl Axis servlet in Tomcat & java-sec (reached over SOAP + SSL); all three use the same DB through DBI/JDBC.]
MySQL db – with history and audit records
User query server and client (C++)
Java Web Service based administration interface
Perl client (batch processing)
Web browser client (generic administrative tasks)
Web server interface for mkgridmap
Authorization
[Diagram: the user, with VOMS credentials, presents either a dn or a dn + attrs to a service; on the Java side the service authenticates, pre-processes, authorizes and maps against an ACL (coarse-grained e.g. Spitfire, fine-grained e.g. RepMeC); on the C side LCAS authorizes and LCMAPS maps, again against an ACL (coarse-grained e.g. CE, Gatekeeper; fine-grained e.g. SE, /grid).]
Authorization for Web Services
Java TrustManager can secure both web sites and web services
Based on Apache Tomcat Catalina servlet container
SOAP client, as an extension of the Axis SocketFactoryFactory
HTTP client, as an API that creates HTTPS connections
Authorization Manager gives attributes based on user DN and VOMS extensions
For web services: service uses proxy of host
For browser interaction: must use long-lived host cert to be TLS compliant
Services secured by EDG-Java-Sec
Spitfire – uniform access to SQL database services (MySQL, DB/2, Oracle)
Replica Location Service, RepMeC, Giggle – metadata and replica information services
VOMS server
R-GMA – Relational Grid Monitoring Architecture – Information System
Basis for new OGSA/WebServices components
Authorization for Native Environments
All systems for running Grid jobs and storing files are UNIX based
Need for interface between Grid rights and local rights
Two-phase process:
Authorization of users: LCAS
Acquiring and enforcing local (UNIX-style) credentials: LCMAPS
Why the split?
Authorization decisions may be applied for more than single resources
Credential mapping may be time-consuming and “heavy”
Internal service security: credential mapping needs root privileges, authorization can do without
LCAS: Local Centre AuthZ Service
[Diagram: a user with proxy /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy and a VOMS pseudo-cert submits a job (exec=/bin/cat arguments=/etc/passwd) to the GateKeeper or the GridFTP server; both call out to the LCAS service before the Job Manager hands the job to the cluster nodes or other clusters.]
Authorization using:
• Authentication + VO data
• Job description
• Site policy
Plug-in framework, currently shipping modules:
• Allowed-users list
• Banned-users list
• wall-clock limitations
LCMAPS – Local Credential MAPping
Provides local credentials needed for jobs within the fabric
Plug-in framework, driven by (site specific) policy
Mapping based on:
user identity
VO affiliation, groups and roles
site-local policy
Supports multiple credential types:
Traditional POSIX: in-process & LDAP, via fixed or PoolAccounts*
AFS tokens
true Kerberos5
[Diagram: the Job Manager receives the user’s proxy (/C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) with its VOMS pseudo-cert; after GSI AuthN and the LCAS authZ call-out is accepted, LCMAPS is opened, learns the site policy and runs its plug-ins, returning the legacy uid used to fork+exec the submit script with its args.]
LCMAPS – new functionality
Local UNIX groups based on VOMS group membership and roles
More than one VO and group/role per grid user
No pre-allocation of pool accounts to specific groups
New mechanisms: groups-on-demand
support for central user directories (primarily LDAP)
Why do we continue to need LCAS?
Centralized site decisions on authorized users for multiple fabrics
Coordinated access control across multiple CEs and SEs
(and save on ‘expensive’ account allocation mechanisms in LCMAPS)
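As an added example (not the real LCAS or LCMAPS code, which are C plug-in frameworks), a Python model of the two-phase flow on the LCAS and LCMAPS slides: LCAS answers the allowed-list, banned-list and wall-clock checks without privileges, then LCMAPS leases a pool account per user and VO and creates local groups on demand from the VOMS group and role. The policy dict layout, the banned DN, the pool account names, the gid range and the UTC-hour wall-clock window are all constructed for illustration.

```python
import re

# Constructed site policy: the real LCAS/LCMAPS plug-ins read their own config files.
SITE_POLICY = {
    "allowed_users": {"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"},   # DN shown on the slide
    "banned_users": {"/C=XX/O=Example/CN=Blocked User"},       # hypothetical DN
    "timeslot_hours": range(6, 22),                            # wall-clock window, UTC hours
    "pools": {"CMS": ["cms001", "cms002", "cms003"]},          # pool accounts per VO
}

def strip_proxy(dn):
    """Reduce a proxy DN ending in one or more '/CN=proxy' to the end-entity DN."""
    return re.sub(r"(/CN=proxy)+$", "", dn)

def lcas_authorize(dn, now_hour, policy=SITE_POLICY):
    """Phase 1 (LCAS): allowed-list, banned-list, wall-clock modules; deny wins; no root needed."""
    user = strip_proxy(dn)
    if user in policy["banned_users"]:
        return False, "banned-users"
    if user not in policy["allowed_users"]:
        return False, "not in allowed-users"
    if now_hour not in policy["timeslot_hours"]:
        return False, "outside wall-clock window"
    return True, "ok"

class Lcmaps:
    """Phase 2 (LCMAPS): lease a pool account per (user, VO) and create local groups on demand."""
    def __init__(self, policy=SITE_POLICY):
        self.policy, self.leases, self.groups = policy, {}, {}
    def local_group(self, name):
        return self.groups.setdefault(name, 50000 + len(self.groups))  # groups-on-demand
    def map_credentials(self, dn, vo, group, role=None):
        key = (strip_proxy(dn), vo)
        pool = self.policy["pools"][vo]  # KeyError: site hosts no accounts for this VO
        if key not in self.leases:
            free = [a for a in pool if a not in self.leases.values()]
            if not free:
                raise PermissionError(f"pool for VO {vo} exhausted")
            self.leases[key] = free[0]
        gids = [self.local_group(f"{vo}-{group}")]
        if role:
            gids.append(self.local_group(f"{vo}-{group}-{role}"))
        return {"account": self.leases[key], "primary_gid": gids[0], "gids": gids}

def gatekeep(lcmaps, dn, vo, group, role, now_hour):
    """Gatekeeper flow from the slides: after GSI authN, LCAS call-out, then LCMAPS."""
    ok, reason = lcas_authorize(dn, now_hour, lcmaps.policy)
    if not ok:
        return None, reason
    return lcmaps.map_credentials(dn, vo, group, role), "mapped"
```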
Conclusions
EDG provides extensive Grid authorization infrastructure today
LCAS* and Java-security already deployed
VOMS and LCMAPS ready for deployment (confirmed for June ’03)
Updates for various services in October ’03
User Side
Support for large, fast-changing user community
Roles and groups within the experiment VOs
Multiple affiliations and roles per user
Resource Side
Minimal effort on resource provider side
Smoother integration in Grid computing at large
Retains traceability and auditability at all levels
More Information
EDG Security Coordination Group
Web site http://hep-project-grid-scg.web.cern.ch/
VOMS
Web site http://grid-auth.infn.it/
CVS site http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/
Developers’ mailing list [email protected]
PoolAccounts
Web site http://www.gridpp.ac.uk/authz/gridmapdir/
LCAS-LCMAPS
Web site http://www.dutchgrid.nl/DataGrid/wp4/
CVS site http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/
http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
Maillist [email protected]
EDG Java Security
Web site http://edg-wp2.web.cern.ch/edg-wp2/security/