GRID Security Update

GRID Security Update. David Kelsey, CLRC/RAL, UK, d.p.kelsey@rl.ac.uk. DataGrid CA status. National CA already in operation for DataGrid Testbed0: CERN, Czech Republic, France, Italy, Netherlands, Nordic, Portugal, Spain, UK. UK Testbed CA. Old certificates expired 30th April 2001

Presentation Transcript


  1. GRID Security Update
     David Kelsey, CLRC/RAL, UK, d.p.kelsey@rl.ac.uk
     D.P.Kelsey, Security Update

  2. DataGrid CA status
     • National CA already in operation for DataGrid Testbed0
       • CERN
       • Czech Republic
       • France
       • Italy
       • Netherlands
       • Nordic
       • Portugal
       • Spain
       • UK

  3. UK Testbed CA
     • Old certificates expired 30th April 2001
       • Including the CA public key!
     • Andrew has now re-issued user certificates
     • There is a new CA public key (with longer life!)
     • End systems need to be reconfigured for new CA key – see new rpm from Alex

  4. Certificates for DataGrid users/hosts
     • All testbed users get a certificate from their own national CA.
     • Same for host certificates
     • Does this cause big problems?
     • See WP6 web page http://marianne.in2p3.fr
     • Countries not yet running a CA
       • Implement one or
       • Find an existing CA willing to issue certificates
     • Globus certificates are OK for TB0 but avoid if possible
       • Will be removed in Testbed 1 (M9)

  5. User accounts for DataGrid Testbed0/1
     • Certificates from national CA
     • Requests for “GRID” accounts via WP managers
     • For definite need only
     • WP8 predict about 60 users for Testbed1
     • WP manager gives list to WP6
     • WP6 will arrange for accounts on Testbed sites
     • This does not scale!
     • We need to plan beyond Testbed 1
     • Longer term – different approach

  6. Acceptable use policy?
     • Do we need an acceptable use policy or other document?
     • Can show to management to convince them that they should allow an unknown set of people to run programs on computers at a testbed site?
     • Who are the users?
     • Why should they use a testbed site?
     • Do we envisage trusting someone who defines the list of people we will allow to run jobs, access data etc?
     • Will such lists be signed etc?

  7. Configuration of systems
     • See WP6 web
     • Part of the standard distribution
       • To configure complete list of trusted CAs
       • To configure the certificate request mechanism
       • To update CRLs
     • Local site is free to accept trusted CAs or not.
     • We will check CPS of each CA to define “trust”

  8. Authorisation
     • CAS from Globus
       • May not be ready/tested for testbed1
       • Still uses Grid mapfile
       • So plan on not using it
     • Therefore Authorisation via Grid mapfile
       • gid, uid UNIX security mechanisms
       • INFN LDAP tool for group membership
       • Andrew McNab patch for leasing generic accounts
     • Need input from WP8-10 for group structure
     • WP6 needs to solve the management/admin issues

  9. Future plans
     • DataGrid ATF now working on implications of security for the architecture (next mtg 29/30 May)
     • DataGrid WP6 CA mgrs meet on 5th June (CERN)
       • To discuss CP, CPS etc.
     • I have proposed a meeting of a new DataGrid Security Task Force (6th June at CERN)
       • To coordinate WP security deliverables/work
       • To discuss architectural issues
       • To plan for future work (+ resource needs)
     • GridPP has a work group on security (WG E)
       • Bid for 6.5 FTE (~50% of this for development)
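
Added example, not from the slides or the DataGrid project: a small audit and lookup for the Grid mapfile authorisation named on slide 8, assuming the usual layout of a quoted certificate subject DN followed by a local UNIX account. The sample entries, the privileged-account list, the first-entry-wins rule and the leading-dot marker for leased generic accounts are assumptions made for illustration.

```python
import re

# Constructed sample grid-mapfile (no real users or sites).
SAMPLE_MAPFILE = '''\
# "certificate subject DN" local-account
"/C=UK/O=ExampleGrid/OU=SiteA/CN=Alice Example" alice
"/C=FR/O=ExampleGrid/OU=SiteB/CN=Bob Example" .wp8
"/C=IT/O=ExampleGrid/OU=SiteC/CN=Carol Example" root
"/C=UK/O=ExampleGrid/OU=SiteA/CN=Alice Example" dave
/C=NL/O=ExampleGrid/CN=Unquoted Name erin
'''

ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')   # quoted DN, whitespace, one account
PRIVILEGED = {"root", "daemon", "bin"}       # assumed deny-list for this example


def audit_mapfile(text):
    """Return (mapping, findings): accepted DN -> account, plus lines to review."""
    mapping, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if not match:
            # An unquoted DN containing spaces would otherwise be split wrongly.
            findings.append((lineno, "malformed entry"))
            continue
        dn, account = match.groups()
        if account in PRIVILEGED:
            findings.append((lineno, "maps to privileged account"))
            continue
        if dn in mapping:
            # Example policy: keep the first mapping, flag the later one.
            findings.append((lineno, "duplicate DN"))
            continue
        mapping[dn] = account
    return mapping, findings


def authorise(mapping, dn):
    """Exact-match lookup; None means the DN is not authorised (default deny)."""
    account = mapping.get(dn)
    if account is None:
        return None
    # Assumption: a leading dot names a pool of leased generic accounts.
    if account.startswith("."):
        return ("pool", account[1:])
    return ("user", account)
```

Rejected lines never reach the mapping, so a DN that appears only in a flagged entry is denied at lookup time.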