LCG/EGEE Security Update
HEPiX, Fall 2004, BNL, 18 October 2004
David Kelsey, CCLRC/RAL, UK, d.p.kelsey@rl.ac.uk

Transcript of the slides (24 pages).

Page 1

LCG/EGEE Security Update
HEPiX, Fall 2004

BNL, 18 October 2004

David Kelsey
CCLRC/RAL, UK

d.p.kelsey@rl.ac.uk

Page 2

18-Oct-04 David Kelsey, LCG/EGEE Security, HEPiX

Outline

Update since October 2003 (Vancouver HEPiX)

• Introduction
• Policy
• Procedures & Operations
• Technology
• Future work

Page 3

Introduction: LCG & EGEE

Page 4

LCG today

Page 5

AHM2004, Nottingham, September 2004

The next generation of grids: EGEE (Enabling Grids for E-science in Europe)

Build a large-scale production grid service to:

• Underpin European science and technology

• Link with and build on national, regional and international initiatives

• Foster international cooperation both in the creation and the use of the e-infrastructure

[Diagram labels: Network infrastructure (GÉANT); Operations, Support and training; Collaboration; Pan-European Grid]

Page 6

EGEE Activities

• 48 % service activities (Grid Operations, Support and Management, Network Resource Provision)

• 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development)

• 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)

32 Million Euros EU funding over 2 years starting 1st April 2004

Emphasis in EGEE is on operating a production grid and supporting the end-users

Page 7

Security Activities in EGEE (LCG)

[Diagram labels: JRA3 (Security), JRA1 (Middleware), NA4 (Applications), SA1 (Operations); Middleware Security Group; Joint Security Policy Group; CA Coordination; OSG; LCG; OSCT. Arrows: requirements (Req.) flow from the activities to the two groups, Solutions/Recommendations flow back.]

“Joint Security Policy Group” defines policy and procedures and inputs requirements to MWSG (for LCG/GDB and EGEE/SA1)

(Cross membership of US OSG Security Team)

Page 8

Security Policy

Page 9

LCG Security Policy

• During 2003/04, the LCG project agreed a first version of its Security Policy
  – Written by the Joint Security Policy Group
  – Approved by the Grid Deployment Board/PEB
• A single common policy for the whole project
  – But does not override local policies
• An important step forward for a production Grid
• The policy
  – Defines Attitude of the project towards security and availability
  – Gives Authority for defined actions
  – Puts Responsibilities on individuals and bodies
• Now being used by EGEE and (some) national Grids

Page 10

LCG Policy

[Diagram (picture from Ian Neilson): the Security & Availability Policy and its supporting documents: Usage Rules; Certification Authorities; Audit Requirements; GOC Guides; Incident Response; User Registration & VO Management; Application Development & Network Admin Guide. Documents new since Oct 2003 are marked on the picture.]

http://cern.ch/proj-lcg-security/documents.html

Page 11

Security Procedures & Operations

Page 12

Security Procedures

• Incident Response
  – Open Science Grid leading this area
  – See talks in Friday morning’s Operations session
• LCG/EGEE Operational Security
  – Operational Security Coordination Team (OSCT)
  – Again: see Friday’s talk
• User Registration & VO Management
  – Requirements for 4 LHC Experiments
    • Presented at May 2004 (Edinburgh) HEPiX (M. Dimou)

Page 13

User Registration and VO Membership Management

• Requirements document (V2.7)
  – https://edms.cern.ch/document/428034
  – approved by GDB in May 2004
• Task force created to propose the solution
• Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, …
• Recent Meeting at CERN
  – 15-17 September, 2004
    http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/
  – Technical solution now agreed

Page 14

User Registration (1)

• Every user (4 LHC expts) must register in CERN HR db first
  – Already true for the majority
    • Advantages of using existing procedures
    • No duplication of effort or personal data
  – External users (e.g. people never coming to CERN) and short-term users (e.g. external summer students)
    • Need a simple, speedy and robust procedure
  – Non-VO people
    • e.g. testers/experiment independent people
    • must register in CERN HR (e.g. via LCG/IT)
• Eventual aim is to use the experiment participation end-date in CERN HR to trigger immediate suspension from the VO

Page 15

User Registration (2)

• VO registration expiry date
  – Not exceeding 1 year from date of VO registration
  – Less if institute-contract/CERN HR registration expires before then
• Personal User Data will only reside in CERN HR
• There is no automatic membership of VO
  – User has to complete a form and the VO manager has to approve
• Authorized personnel at resource centres will have read access to the VO registration info

Page 16

User Registration (3)

• When VO expiry date is reached, the VO membership is immediately suspended
  – Advance warning will be sent to the user
• There will be other possible reasons for suspension
  – E.g. following security problems

Page 17

Technical Solution agreed

• 15-17 Sep meeting decisions:
• The VO registration database
  – Will be VOMRS component from US CMS VOX
  – VOMRS needs development to meet new requirements (FNAL working on this)
  – VOMRS manages the groups and roles -> VOMS
• CERN is working on VOMRS interconnection to the CERN HR DB (Oracle)
• The dynamic Authorization will be VOMS
  – Groups and roles
• Non-LHC VOs may use the VOMS-admin component (an alternative admin UI)
• Time to implement not yet agreed
  – Aiming for early in 2005

Page 18

Security Technology

Page 19

Authentication: EU Grid PMA CAs

[Colour key: Green = Accredited; Yellow = Recent approvals or still under discussion. Slovenia just approved; Austria & Bulgaria soon?]

Other Accredited CAs: DoEGrids (US), GridCanada, ASCCG (Taiwan), ArmeSFO (Armenia), CERN, Russia (HEP), FNAL Service CA (US), Israel, Pakistan

27 Accredited CAs

“Catch-all” CAs operated by:
• CNRS (for EGEE)
• US DOE (for LCG)
• SEE-GRID (for SE Europe)

Page 20

AuthZ – VOMS & LCAS

[Diagram of the credential flow between user, service, CAs and VO-VOMS servers. Labels: user; service; CA (three); VO-VOMS (four); user cert (long life); host cert (long life); proxy cert (short life); authz cert (short life, on both user and service side); service cert (short life); voms-proxy-init; registration (with VO-VOMS); crl update; authentication & authorization info; LCAS (at the service). CA operations are marked low frequency, the per-use exchanges high frequency.]
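The VO membership expiry rules of User Registration (2)/(3) and the VOMS/LCAS credential flow above, written out as an added example (not code from the slides or from the LCG/EGEE software). The site policy, DNs and FQAN strings are constructed, and the 365-day year is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# User Registration (2)/(3): VO membership expires at most 1 year after VO
# registration, earlier if the CERN HR / institute registration ends first;
# suspension is immediate once that date is reached. "1 year" is taken as
# 365 days here (an assumption; the slides give no calendar rule).
def vo_expiry(vo_registration: datetime, hr_end: datetime) -> datetime:
    return min(vo_registration + timedelta(days=365), hr_end)

def vo_membership_active(vo_registration: datetime, hr_end: datetime, now: datetime) -> bool:
    return now < vo_expiry(vo_registration, hr_end)

# AuthZ slide: the proxy carries a short-life authz (VOMS attribute) cert.
# FQAN strings like /VO/group/Role=role are VOMS convention, not on the slides.
@dataclass
class Proxy:
    user_dn: str
    not_after: datetime        # proxy cert (short life)
    voms_issuer: str           # VO-VOMS server that signed the attributes
    attrs_not_after: datetime  # authz cert (short life)
    fqans: list                # VOMS groups/roles granted to the user

@dataclass
class SitePolicy:
    trusted_voms: set
    allowed_fqans: set
    banned_dns: set = field(default_factory=set)  # local suspension, e.g. after an incident

def lcas_decide(proxy: Proxy, policy: SitePolicy, now: datetime):
    """LCAS-style site decision: all checks must pass; the first failure is the reason."""
    if now >= proxy.not_after:
        return False, "proxy certificate expired"
    if now >= proxy.attrs_not_after:
        return False, "VOMS attribute certificate expired"
    if proxy.voms_issuer not in policy.trusted_voms:
        return False, "attributes not signed by a trusted VOMS server"
    if proxy.user_dn in policy.banned_dns:
        return False, "user suspended by site policy"
    if not set(proxy.fqans) & policy.allowed_fqans:
        return False, "no group/role permitted at this site"
    return True, "allowed"

# Constructed sample data (every DN, host name and FQAN is made up)
NOW = datetime(2004, 10, 18, 12, 0)
REG, HR_SHORT, HR_LONG = datetime(2004, 10, 1), datetime(2005, 3, 1), datetime(2006, 1, 1)
SITE = SitePolicy({"voms.example.org"}, {"/examplevo", "/examplevo/Role=production"})
GOOD = Proxy("/DC=example/CN=Alice", NOW + timedelta(hours=12), "voms.example.org",
             NOW + timedelta(hours=12), ["/examplevo/Role=production"])
STALE = Proxy("/DC=example/CN=Bob", NOW + timedelta(hours=12), "voms.example.org",
              NOW - timedelta(minutes=1), ["/examplevo"])
```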

Page 21

gLite security

Aims at being
• Modular – add new modules later
• Agnostic – modules will evolve
• Standard – start with transport-level security but intend to move to WS-Security when it matures
• Interoperable – at least for AuthN & AuthZ

Applied to Web-services hosted in containers and applications (Apache Axis & Tomcat) as additional modules

Security architecture: https://edms.cern.ch/document/487004/

Page 22

EGEE AuthZ Policy

[Diagram "Authorization Policy Architecture" (graphics from Globus Alliance & GGF OGSA-WG). Labels: Key Material; Group of unique names; Organizational role; Server; User Attributes (VO); Resource Attributes (Site); Policy; Local Site Kerberos Identity; Policy Enforcement Point; VO / Other Stakeholders; Site/Resource Owner; Authorization Service/PDP; Policy and attributes; Allow or Deny; Resource; Standardize; Delegation; User; Process acting on user’s behalf; PKI/Kerberos Identity; Translation Service; PKI Identity; Delegation Policy.]

Policy comes from many stakeholders

Page 23

Future Work

• Policy
  – Working on more general policy (with OSG)
    • No longer LCG-specific
  – EU eInfrastructure Reflection Group (18 Nov 04)
    • Acceptable Use Policy and Authorization for EU eScience
• Procedures
  – Operational Security, including Incident Response
  – User Registration
• Technology
  – Authentication
    • Asia/Pacific & Americas PMAs being created
    • Credential Repositories
  – Authorization – dynamic role-based access control
    • VOMRS & VOMS
    • Local control and policy, e.g. via LCAS/LCMAPS
• Security requirements, Operational Constraints
  – Very important to get Site input to operations and middleware development (all feedback is very welcome!)

Page 24

References

• LCG/EGEE Joint Security Policy Group
  http://proj-lcg-security.web.cern.ch/
• EGEE JRA3 (Security)
  http://egee-jra3.web.cern.ch/
• Open Science Grid Security
  http://www.opensciencegrid.org/techgroups/security/
• EU DataGrid Security
  http://hep-project-grid-scg.web.cern.ch/
• LCG Guide to Application, Middleware and Network Security
  https://edms.cern.ch/document/452128
• EU eInfrastructure Reflection Group
  http://www.e-irg.org/
• EU Grid PMA (CA coordination)
  http://www.eugridpma.org/
• TERENA Tacar (CA repository)
  http://www.terena.nl/tech/task-forces/tf-aace/tacar/