140 likes | 244 Vues
DataGrid Security Wrapup. Linda Cornwall 4 th March 2004. DataGrid Security Co-ordination Group. No single work-package to tackle Grid security But WP2 has a security task and team Security Coordination Group (SCG) was formed in late 2001 Lead by David Kelsey
E N D
DataGrid Security Wrapup Linda Cornwall 4th March 2004
DataGrid Security Co-ordination Group • No single work-package to tackle Grid security • But WP2 has a security task and team • Security Coordination Group (SCG) was formed in late 2001 • Lead by David Kelsey • Mandate of SCG (sub-group of WP7) • To produce the Deliverables of WP7 on Security • To help coordinate security activities in WPs 1 to 7 • To liaise with WP6 CA & Authorization groups (and others) • To contribute to the architecture of the EU DataGrid (ATF) • SCG has larger scope than originally foreseen • At least one representative per middleware WP • Collaboration with DataTAG and national Grid projects
SCG Achievements - overview • Authentication: Certification Authorities (CAs) for EDG and others • WP6 Certificate Authorities Coordination Group • DataGrid Security Requirements (D7.5, May 2002) • 112 requirements in many areas… • Authentication, Authorization, Auditing, Non-repudiation, Delegation, Confidentiality, Integrity, Network, Manageability, Usability, Interoperability, Scalability, Performance, Robustness • Priority attached – DataGrid Requirements, Aims within EDG, Long Term aims • Several joint meetings with WP8, 9 and 10 for VO use cases • Security Design (D7.6, March 2003) (Large UK contribution) • Final Security Report (D7.7, January 2004) • includes comparison with initial requirements
Summary of the EDG Security design • Users are issued with a PKI certificate from their local (country) Certification Authority. • Users become a member of one or more `Virtual Organisation’ (VO) • Users are issued with authorization credentials by the VOs to which they belong • Authorization rules are enforced by the local sites or resources • Various Language dependent tools have been developed
Overview of the EDGSecurity Components (D7.6) CA proxy cert: request dn, cert, Pkey, VOMS cred. (short lifetime) certificate: dn, ca, Pkey certificate user VOMS re-newal delegation: request cert+key VOMS cred: MyProxy (long lifetime) VO, group(s), role(s) delegation: cert+key (short lifetime) proxy cert proxy cert proxy cert proxy cert proxy cert auth auth auth auth auth GSI mod_ssl TrustManager TrustManager GSI authz authz pre-process: pre-process: pre-process: parameters-> parameters-> parameters-> LCAS WebServices Authz obj.id + req. op. dn,attrs,acl, req.op obj.id + req. op. obj.id + req. op. dn,attrs,acl, req.op ->yes/no ->yes/no map map LCMAPS dn -> DB role authz authz authz dn -> userid, krb ticket obj.id -> acl GACL: GACL: dn,attrs,acl, req.op obj.id -> acl obj.id -> acl ->yes/no doit dn,attrs,acl, req.op dn,attrs,acl, req.op doit ->yes/no ->yes/no doit doit doit coarse grained fine grained coarse grained fine grained fine grained (e.g. gatekeeper) (e.g. RMC) (e.g. GridSite) (e.g. SE, /grid) (e.g. Spitfire) web C Java
Achievements - Authentication • PKI based Certification Authorities (CAs) for EDG and other Grid Projects • DataTAG, CrossGrid, LCG – including a global service for particle physics • Same CAs used by many national projects • Tools to carry out Authentication in languages other than `C’ (GSI) • java (edg-java-security trustmanger) • Apache web services (mod_ssl)
Authorization – Early on • VO LDAP server was developed to manage VO membership • This produced a grid-mapfile • Tool for leasing Pool Accounts to users defined in the grid-mapfile obtained from the VO LDAP server • Combination of these allowed users access to resources without a specific account on that particular host. • This provides very course grain authorization according to a VO based identity
Authorization VOMS • Virtual Organisation Membership Service (VOMS) developed jointly between EDG and DataTAG projects. • Allows for the managements of VO membership for both Users and Services and the issuing of Credentials proving • VO membership, Groups, Roles and Capabilities • VOMS credentials are in the form of a extension to the GSI proxy • VOMS proxy
`Local’ Authorization • Various tools have been developed within EDG to allow access in the local environment. • LCAS and LCMAPS for authorization in C/C++ services • Java authorization Manager • Coarse grained authorization mapping • Credential extraction and checking to allow fined grained authorization by the service • GridSite – Authorization in Web services environment • GACL `Grid Access Control Language’ for defining access control based on Grid Credentials
Requirements analysis (EDG 2.1) • DataGrid Requirements • Success • Mostly satisfied • Not satisfied FS= fully, PS=partially, NS=not… satisfied “Partially” means not all WPs and/or not all languages
Summary of progress • Authentication – lots of success! • Large amount of progress in Authorization mechanisms • Need to be fully integrated with other middleware • Confidentiality – area where we largely failed. • Depended on Authorization integration being complete, and data being stored in encrypted form • More of a problem for e.g. Bio Medical applications than particle physics • Interoperability – also largely successful. • Based on GSI • Worked closely with the international community, GGF • Some other areas need much more work – security largely turned off in EDG testbed 2.1 • Liable to denial of service attacks • Areas like non-repudiation need more attention.
Lessons learned • Be careful collecting requirements • In hindsight, the D7.5 requirements were rather ambitious • The expectations of the applications were documented but there was not sufficient analysis of the difficulty of integration • Security must be an integral part of all development • from the start • Building and maintaining “trust” between projects and continents takes time • Not just about middleware • Integration of security into existing systems is complex • When designing middleware `think security’ • Don’t rely on adding it later • There must be a dedicated activity dealing with security • EGEE planning has already benefited from our experience
Exploitation • Authentication • The CA infrastructure will continue • EGEE will manage the EDG PKI in a new EU PMA • LCG driving the requirements for global physics authentication • Grid CAs to be registered in new TERENA CA repository (TACAR) • eInfrastructure and eIRG meetings (Ireland) to consider this topic • A general EU Grid PKI infrastructure? • DataGrid people will continue in EGEE and GGF • Security Policy issues • DataGrid people already active in defining LCG policy and procedures • Important input to EGEE and eIRG
Exploitation (2) • Authorization • EDG components and people will continue in EGEE, LCG and other projects • VOMS is part of LCG-2 • The HEP applications need roles and groups • Integration with SlashGrid, ACLs (GACL) and GridSite • Joint work with UK GridPP, using VOMS and working with PERMIS team • Greater exploitation of the various Authorization tools will possible when they are fully integrated with other middleware • Work in GGF security area groups will continue • EDG providing reference implementations in OGSA-AuthZ • WS-security, VOMS, LCAS, GridSite, SlashGrid etc • XML policy, XACML, VOMS Attribute Certificates, SAML • Will continue to drive and track standards • Publication of the work is ongoing