LCG/EGEE Security Update
HEPiX, Fall 2004
BNL, 18 October 2004
David Kelsey, CCLRC/RAL, UK
18-Oct-04 David Kelsey, LCG/EGEE Security, HEPiX
Outline
Update since October 2003 (Vancouver HEPiX)
• Introduction
• Policy
• Procedures & Operations
• Technology
• Future work
Introduction: LCG & EGEE
LCG today
AHM2004, Nottingham, September 2004 - 5
The next generation of grids: EGEE, Enabling Grids for E-science in Europe
Build a large-scale production grid service to:
• Underpin European science and technology
• Link with and build on national, regional and international initiatives
• Foster international cooperation both in the creation and the use of the e-infrastructure
Diagram labels: Network infrastructure (GÉANT); Operations, Support and training; Collaboration; Pan-European Grid
EGEE Activities
• 48 % service activities (Grid Operations, Support and Management, Network Resource Provision)
• 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development)
• 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)
32 Million Euros EU funding over 2 years starting 1st April 2004
Emphasis in EGEE is on operating a production grid and supporting the end-users
Security Activities in EGEE (LCG)
Diagram of the EGEE security activities and groups. Labels: JRA3, JRA1, NA4, SA1; Middleware Security Group; Joint Security Policy Group; requirements (Req.) from NA4 and Solutions/Recommendations; CA Coordination; Security, Middleware, Applications, Operations; OSG, LCG, OSCT.
“Joint Security Policy Group” defines policy and procedures and inputs requirements to MWSG (for LCG/GDB and EGEE/SA1)
(Cross Membership of US OSG Sec Team)
Security Policy
LCG Security Policy
• During 2003/04, the LCG project agreed a first version of its Security Policy– Written by the Joint Security Policy Group– Approved by the Grid Deployment Board/PEB
• A single common policy for the whole project– But does not override local policies
• An important step forward for a production Grid• The policy
– Defines Attitude of the project towards security and availability
– Gives Authority for defined actions– Puts Responsibilities on individuals and bodies
• Now being used by EGEE and (some) national Grids
LCG Policy
Diagram of the LCG policy documents (picture from Ian Neilson; legend: New since Oct 2003):
• Security & Availability Policy
• Usage Rules
• Certification Authorities
• Audit Requirements
• GOC Guides
• Incident Response
• User Registration & VO Management
• Application Development & Network Admin Guide
http://cern.ch/proj-lcg-security/documents.html
Security Procedures & Operations
Security Procedures
• Incident Response
– Open Science Grid leading this area
– See talks in Friday morning’s Operations session
• LCG/EGEE Operational Security
– Operational Security Coordination Team (OSCT)
– Again: see Friday’s talk
• User Registration & VO Management
– Requirements for 4 LHC Experiments
• Presented at May 2004 (Edinburgh) HEPiX (M. Dimou)
User Registration and VO Membership Management
• Requirements document (V2.7)
– https://edms.cern.ch/document/428034
– Approved by GDB in May 2004
• Task force created to propose the solution
• Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, …
• Recent Meeting at CERN
– 15-17 September, 2004
– http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/
– Technical solution now agreed
User Registration (1)
• Every user (4 LHC expts) must register in CERN HR db first
– Already true for the majority
• Advantages of using existing procedures
• No duplication of effort or personal data
– External users (e.g. people never coming to CERN) and short-term users (e.g. external summer students)
• Need a simple, speedy and robust procedure
– Non-VO people
• e.g. testers/experiment independent people
• must register in CERN HR (e.g. via LCG/IT)
• Eventual aim is to use the experiment participation end-date in CERN HR to trigger immediate suspension from the VO
User Registration (2)
• VO registration expiry date
– Not exceeding 1 year from date of VO registration
– Less if institute-contract/CERN HR registration expires before then
• Personal User Data will only reside in CERN HR
• There is no automatic membership of VO
– User has to complete a form and the VO manager has to approve
• Authorized personnel at resource centres will have read access to the VO registration info
User Registration (3)
• When VO expiry date is reached, the VO membership is immediately suspended
– Advance warning will be sent to the user
• There will be other possible reasons for suspension
– E.g. following security problems
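The expiry, warning and suspension rules on these two registration slides, worked through as an added example (this is not part of the original talk and not VOMRS or VOMS code): a small Python model of a VO membership record. The 30-day warning window, the user names and the dates are constructed assumptions; the slides promise advance warning but fix no period.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_VO_TERM = timedelta(days=365)    # "not exceeding 1 year from date of VO registration"
WARNING_WINDOW = timedelta(days=30)  # assumed: the slides give no warning period


@dataclass
class Registration:
    user: str
    vo_registered: date                 # date the VO manager approved the form
    hr_expiry: Optional[date] = None    # institute contract / CERN HR registration end, if known
    approved_by_manager: bool = False   # membership is never automatic
    suspended_reason: Optional[str] = None


def vo_expiry(reg: Registration) -> date:
    """VO expiry is one year after registration, or the HR/contract end date if that is earlier."""
    cap = reg.vo_registered + MAX_VO_TERM
    if reg.hr_expiry is not None and reg.hr_expiry < cap:
        return reg.hr_expiry
    return cap


def membership_status(reg: Registration, today: date) -> str:
    """Derive the effective membership state on a given day."""
    if not reg.approved_by_manager:
        return "pending"                          # form submitted, VO manager has not approved
    if reg.suspended_reason is not None:
        return "suspended (" + reg.suspended_reason + ")"
    expiry = vo_expiry(reg)
    if today >= expiry:
        return "suspended (expired)"              # immediate suspension on the expiry date
    if today >= expiry - WARNING_WINDOW:
        return "active (expiry warning)"          # inside the advance-warning window
    return "active"


def suspend(reg: Registration, reason: str) -> None:
    """Suspension for other reasons, e.g. following a security problem."""
    reg.suspended_reason = reason


def users_to_warn(regs: List[Registration], today: date) -> List[str]:
    """Users whose expiry falls inside the warning window: these receive the advance notice."""
    return [r.user for r in regs if membership_status(r, today) == "active (expiry warning)"]


# Constructed sample records, evaluated on the date of the talk.
TODAY = date(2004, 10, 18)
SAMPLE = [
    Registration("alice", date(2004, 9, 15), approved_by_manager=True),
    Registration("bob", date(2004, 9, 15), hr_expiry=date(2004, 11, 1), approved_by_manager=True),
    Registration("carol", date(2003, 10, 1), approved_by_manager=True),
    Registration("dave", date(2004, 10, 10)),
]

if __name__ == "__main__":
    for reg in SAMPLE:
        print(reg.user, vo_expiry(reg), membership_status(reg, TODAY))
    print("warn:", users_to_warn(SAMPLE, TODAY))
```

Bob's contract ends before the one-year cap, so his VO expiry is the HR date and he is already inside the warning window; Carol registered in October 2003 and is suspended because her year has run out; Dave has a form on file but no manager approval, so he has no membership at all.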
Technical Solution agreed
• 15-17 Sep meeting decisions:
• The VO registration database
– Will be VOMRS component from US CMS VOX
– VOMRS needs development to meet new requirements (FNAL working on this)
– VOMRS manages the groups and roles -> VOMS
• CERN is working on VOMRS interconnection to the CERN HR DB (Oracle)
• The dynamic Authorization will be VOMS
– Groups and roles
• Non-LHC VO’s may use the VOMS-admin component (an alternative admin UI)
• Time to implement not yet agreed
– Aiming for early in 2005
Security Technology
Authentication: EU Grid PMA CAs
Map of EU Grid PMA CAs (Green: Accredited; Yellow: Recent approvals or still under discussion)
Slovenia just approved; Austria & Bulgaria soon?
Other Accredited CAs: DoEGrids (US), GridCanada, ASCCG (Taiwan), ArmeSFO (Armenia), CERN, Russia (HEP), FNAL Service CA (US), Israel, Pakistan
27 Accredited CAs
“Catch-all” CAs operated by: CNRS (for EGEE), US DOE (for LCG), SEE-GRID (for SE Europe)
AuthZ – VOMS & LCAS
Diagram of the authentication & authorization information flow between user, service, the CAs and the VO-VOMS servers, with LCAS on the service side. Labels: user cert (long life), host cert (long life), CRL update, registration with the CAs (low frequency); proxy cert (short life) via voms-proxy-init, authz cert (short life), service cert (short life), registration with VO-VOMS (high frequency).
gLite security
Aims at being
• Modular – add new modules later
• Agnostic – modules will evolve
• Standard – start with transport-level security but intend to move to WS-Security when it matures
• Interoperable – at least for AuthN & AuthZ
Applied to Web-services hosted in containers and applications (Apache Axis & Tomcat) as additional modules
Security architecture: https://edms.cern.ch/document/487004/
EGEE AuthZ Policy
Authorization Policy Architecture (graphics from Globus Alliance & GGF OGSA-WG). Labels: a User, or a Process acting on user’s behalf, holds a PKI Identity (a Local Site Kerberos Identity goes through a PKI/Kerberos Identity Translation Service); Key Material; Delegation Policy; User Attributes with VO Policy (Group of unique names, Organizational role); Resource Attributes with Site Policy; policy from the VO, the Site/Resource Owner and Other Stakeholders; a Policy Enforcement Point in front of the Resource asks the Authorization Service/PDP, which evaluates policy and attributes and answers Allow or Deny. Aims: Standardize; Delegation.
Policy comes from many stakeholders
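How the PEP/PDP split and "policy from many stakeholders" play out in code, as an added example that is not part of the talk and is not gLite, Globus or VOMS code: a minimal Python policy decision point that combines a VO policy written on groups and roles, a site policy that may only veto, and a resource-owner policy, using deny-overrides combination with default deny, and refusing an expired attribute assertion outright. The VO names, DNs, site configuration, resource names and assertion lifetime are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, FrozenSet, List, Optional, Tuple


# Stand-in for a short-lived VO attribute assertion (VOMS-style groups and roles).
@dataclass(frozen=True)
class UserAttributes:
    dn: str                   # distinguished name from the PKI identity
    vo: str                   # VO whose attribute authority issued the assertion
    groups: FrozenSet[str]    # "group of unique names", e.g. "/cms/production"
    roles: FrozenSet[str]     # "organizational role", e.g. "production"
    not_after: datetime       # the assertion expires long before the user cert does


@dataclass(frozen=True)
class ResourceAttributes:
    site: str                 # site operating the resource
    resource: str             # constructed names: "ce" (compute), "se" (storage)
    action: str               # e.g. "submit", "write"


# A stakeholder policy returns ("permit"|"deny", reason), or None when it has no opinion.
Decision = Optional[Tuple[str, str]]
Policy = Callable[[UserAttributes, ResourceAttributes], Decision]


def vo_policy(user: UserAttributes, res: ResourceAttributes) -> Decision:
    """VO policy, expressed on groups and roles: what members may do on VO resources."""
    if res.action == "submit" and res.resource == "ce" and "/cms" in user.groups:
        return ("permit", "VO: any /cms member may submit jobs")
    if res.action == "write" and res.resource == "se" and "production" in user.roles:
        return ("permit", "VO: production role may write to storage")
    return None


# Constructed site configuration; a real site would load this from its own files.
SITE_SUPPORTED_VOS = {"RAL": frozenset({"cms", "atlas"})}
SITE_BANNED_DNS = {"RAL": frozenset({"/C=UK/O=eScience/CN=banned user"})}


def site_policy(user: UserAttributes, res: ResourceAttributes) -> Decision:
    """Site policy keeps local control: it can veto but never widens what the VO granted."""
    if user.dn in SITE_BANNED_DNS.get(res.site, frozenset()):
        return ("deny", "site: identity banned locally, e.g. after a security problem")
    if user.vo not in SITE_SUPPORTED_VOS.get(res.site, frozenset()):
        return ("deny", "site: VO " + user.vo + " is not supported at " + res.site)
    return None


def resource_owner_policy(user: UserAttributes, res: ResourceAttributes) -> Decision:
    """Resource owner policy: the production CE is off limits to the VO's test group."""
    if res.resource == "ce" and "/cms/test" in user.groups:
        return ("deny", "resource owner: /cms/test may not use the production CE")
    return None


STAKEHOLDERS: List[Policy] = [vo_policy, site_policy, resource_owner_policy]


def decide(user: UserAttributes, res: ResourceAttributes, now: datetime,
           policies: List[Policy] = STAKEHOLDERS) -> Tuple[str, str]:
    """PDP: combine stakeholder decisions with deny-overrides and default deny."""
    if now > user.not_after:
        return ("deny", "PDP: attribute assertion expired, obtain a fresh one")
    decisions = []
    for policy in policies:
        d = policy(user, res)
        if d is not None:
            decisions.append(d)
    for d in decisions:
        if d[0] == "deny":          # any stakeholder's deny wins
            return d
    for d in decisions:
        if d[0] == "permit":
            return d
    return ("deny", "PDP: no applicable permit rule (default deny)")


# Constructed requests, evaluated at the time of the talk and a day later.
NOW = datetime(2004, 10, 18, 12, 0)
LATER = NOW + timedelta(days=1)
FRESH = NOW + timedelta(hours=12)
ALICE = UserAttributes("/C=UK/O=eScience/CN=alice", "cms",
                       frozenset({"/cms", "/cms/production"}), frozenset({"production"}), FRESH)
BOB = UserAttributes("/C=UK/O=eScience/CN=bob", "cms",
                     frozenset({"/cms", "/cms/test"}), frozenset(), FRESH)
CAROL = UserAttributes("/C=FR/O=CNRS/CN=carol", "biomed", frozenset({"/biomed"}), frozenset(), FRESH)
BANNED = UserAttributes("/C=UK/O=eScience/CN=banned user", "cms", frozenset({"/cms"}), frozenset(), FRESH)
SUBMIT_CE = ResourceAttributes("RAL", "ce", "submit")
WRITE_SE = ResourceAttributes("RAL", "se", "write")

if __name__ == "__main__":
    for who, req in [(ALICE, SUBMIT_CE), (ALICE, WRITE_SE), (BOB, SUBMIT_CE),
                     (BOB, WRITE_SE), (CAROL, SUBMIT_CE), (BANNED, SUBMIT_CE)]:
        print(who.dn, req.action, req.resource, "->", decide(who, req, NOW))
    print(ALICE.dn, "a day later ->", decide(ALICE, SUBMIT_CE, LATER))
```

The ordering matters: the VO says what its members may do, but the site and the resource owner each get a veto, so a permit from the VO never overrides a local ban, and a request no stakeholder has a rule for is denied rather than silently allowed. Checking the assertion's validity before any policy runs is what makes the short lifetime on the previous slide's authz cert effective.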
Future Work
• Policy
– Working on more general policy (with OSG)
• No longer LCG-specific
– EU eInfrastructure Reflection Group (18 Nov 04)
• Acceptable Use Policy and Authorization for EU eScience
• Procedures
– Operational Security, including Incident Response
– User Registration
• Technology
– Authentication
• Asia/Pacific & Americas PMAs being created
• Credential Repositories
– Authorization – dynamic role-based access control
• VOMRS & VOMS
• Local control and policy, e.g. via LCAS/LCMAPS
• Security requirements, Operational Constraints
– Very important to get Site input to operations and middleware development (all feedback is very welcome!)
References
• LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
• EGEE JRA3 (Security): http://egee-jra3.web.cern.ch/
• Open Science Grid Security: http://www.opensciencegrid.org/techgroups/security/
• EU DataGrid Security: http://hep-project-grid-scg.web.cern.ch/
• LCG Guide to Application, Middleware and Network Security: https://edms.cern.ch/document/452128
• EU eInfrastructure Reflection Group: http://www.e-irg.org/
• EU Grid PMA (CA coordination): http://www.eugridpma.org/
• TERENA Tacar (CA repository): http://www.terena.nl/tech/task-forces/tf-aace/tacar/