Grid Authentication and Authorisation Issues, Ákos Frohner at CERN (PowerPoint presentation)


  1. Grid Authentication and Authorisation Issues Ákos Frohner at CERN

  2. Overview
  ● Setting the scene: requirements
  ● “Old style” authorisation: DN based gridmap-files
  ● Overview of the EDG components
  ● VO user management: VOMS
  ● “Login”: short lifetime proxy certificates
  ● Authorisation in Java web services
  ● Authorisation for a site: LCAS, LCMAPS
  CERN OpenLab Security Workshop - n° 2

  3. Requirements
  ● A grid security system requires:
    ● the user to be authenticated by a service
    ● the service to gather additional information associated with the user or the actual session (e.g. group membership, role)
    ● the service to gather additional information associated with the protected service or object (e.g. file permissions)
    ● the checking of any local policy applicable to the situation
    ● the making of an authorization decision based on the identity of the user and the additional information
    ● users to access resources in a global Grid environment without the need for individual accounts at various sites, while allowing resource providers to keep control over access to their resources
  ● EDG gathered 112 requirements: Authentication, Authorisation, Confidentiality, Integrity, and Non-repudiation

  4. “Old-style” Service
  [Diagram: the CAs issue the service's long-lived host cert and CRL updates (low frequency); the VO user lists are fed through mkgridmap into the gridmap-file; clients authenticate to the service over GSI (high frequency).]
  Backward compatibility on the service side: one can generate gridmap-files from the VO user list for existing services based on GSI.
  Old-style services still use the gridmap-file for authorization:
  ◆ gridftp
  ◆ EDG 1.4.x services
  ◆ EDG 2.x service in compatibility mode

  5. The Components
  ● GSI based or compatible authentication
  ● grid-mapfile or VOMS based authorization (can be both)
  ● policy or ACL based access control
  ● coarse and fine grained solutions
  ● access control description’s syntax is not standard
  ● implemented alternatives:
    ● edg-java-security for Java web services
    ● GSI/LCAS/LCMAPS for native C/C++ services
    ● mod_ssl/GACL for Apache based web services
    ● Slashgrid for transparent filesystem ACLs and GridSite

  6. Overview of the Components
  [Diagram: the CA issues the user certificate (dn, ca, Pkey). The user requests a short-lifetime proxy cert carrying dn, cert, Pkey and the VOMS credential (VO, group(s), role(s)); it can be renewed through MyProxy (long lifetime) and delegated to services as cert+key (short lifetime). Five service columns share one pipeline: authentication (GSI, TrustManager, TrustManager, mod_ssl, GSI), an optional pre-processing step (parameters -> obj.id + requested operation), mapping (LCMAPS: dn -> userid, krb ticket; dn -> DB role; obj.id -> acl), authorization (LCAS; WebServices Authz and GACL: dn, attrs, acl, req.op -> yes/no) and finally the operation itself. Coarse grained examples: gatekeeper, RepMec; fine grained examples: GridSite, SE (/grid), Spitfire; implemented in C, Java and web (Apache) stacks.]

  7. VOMS: Virtual Organization Management Service
  ● Issues credentials to prove group/role/VO membership
    ● standard RFC 3281 Attribute Certificate format
    ● single string attributes – FQAN
  ● Core service: standalone daemon for the “login”
    ● single purpose – high performance
  ● Administrative service: web service with API, command line and web user interface
    ● for administration and registration
  ● Migration tools for gridmap-files and VO-LDAP servers

  8. “Login”
  [Diagram: the CA issues the long-lived user cert (low frequency); voms-proxy-init contacts the VO's VOMS server and produces a short-lived proxy cert containing the short-lived authz cert (high frequency).]
  The credential created in the “login” procedure is backward compatible: one can use it with the existing services, which are based on GSI.
  edg-voms-proxy-init -voms iteam
  ◆ /tmp/x509up_u<UID> (normal proxy location)
  ◆ backward compatible proxy format

  9. Multi-VO “Login”
  [Diagram: one long-lived user cert; voms-proxy-init contacts several VO-VOMS servers and produces a single short-lived proxy cert holding one short-lived authz cert per VO.]
  voms-proxy-init -voms iteam -voms wp6
  ◆ single proxy certificate is generated
  ◆ each VO provides a separate VOMS user credential; the first one is the default VO
  ◆ each VOMS credential contains multiple group/role entries; the first one is the default group
  One can be a member of many VOs and use their resources at the same time. The VO specific credentials are separate, but collected into the same proxy certificate.

  10. VOMS FAQ
  ● No instant effect: the user has to “log-in”, using voms-proxy-init, to be notified of any VO change
  ● Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group-admin); no user groups
  ● Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner not to override it
  ● VOMS is not used to implement fine grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration)

  11. VOMS Registration
  Tool support for the registration workflow(s) to ease the life of VO managers.
  [Diagram: the user, holding a long-lived CA-issued user cert, creates a request on the VO-VOMS registration web page. Request states: new (user) -> confirmed (user) -> accepted or denied (VO admin) -> done. Emails: to the administrator, a new request notification; to the requestor, an email address confirmation; to the requestor, notice that the request is accepted/denied.]

  12. Multi-VO Registration
  Support for multi-VO registration and login using the same user certificate.
  [Diagram: one user cert (long life) registering with several VO-VOMS servers.]
  VO administration operations:
  ◆ create/delete (sub)group/role/capability
  ◆ add/remove member of g/r/c
  ◆ get/set ACLs for these operations
  VO registration tasks: user requested administrative operation; e.g. user registration = add member

  13. Java Web Service
  [Diagram: 1. the user's VO affiliation is looked up in the information system; 2. the service URI(s) are selected for the VOs in the authz credential; 3. the service (URI) is called with the proxy. The WS holds a host cert; edg-java-security supplies the authentication & authorization info.]
  VO credential on the client side is used to select the VO specific service.
  VO credential on the server side is used for authorization.

  14. edg-java-security
  ● Trust manager
    ● GSI compatible authentication (supporting proxy chain)
    ● Adapters to HTTP and SOAP
    ● Currently deployed for Tomcat4
    ● VOMS credential verification
  ● Authorization Manager
    ● Authorization and mapping for Java services
    ● Plug-in framework for maps: database, XML file and, for backward compatibility, gridmap-file
    ● Handles VOMS attributes

  15. Inside the Java Web Service
  [Diagram: the VO proxy enters the WS; authn (TrustManager) -> map (map.xml, map-db or gridmap-file: DN -> DB role) -> authz (DN, attributes, operation + policy -> yes/no decision) -> service; the authn, map and authz stages are provided by edg-java-security.]

  16. Job Submission
  [Diagram: 1. the user's VO affiliation is looked up in the information system (AccessControlBase); 2. the proxy cert is uploaded to the MyProxy server; 3. the job is submitted to the WMS; 4. the WMS asks which CEs accept the VOs in the authz credential. CEs and the WMS hold host certs.]
  VO credential is used by the resource broker to pre-select available CEs.

  17. Arriving to a Computing Element
  [Diagram: 1. the CE (long-term host cert) downloads the user's cert from the MyProxy server; 2. voms-proxy-init against VOMS; 3. job start from the WMS with the VO proxy. LCAS/LCMAPS supply the authentication & authorization info.]
  VO credential for authorization and mapping on the CE.
  LCAS: authorization based on (multiple) VO/group/role attributes.
  LCMAPS: mapping to user pool and to (multiple) groups
  ◆ default VO = default UNIX group
  ◆ other VO/group/role = other UNIX group(s)

  18. LCAS and LCMAPS
  ● Local Centre Authorization Service (LCAS)
    ● Handles authorization requests to local fabric
    ● authorization decisions based on proxy user certificate and job specification;
    ● supports grid-mapfile mechanism.
    ● Plug-in framework (hooks for external authorization plugins)
      ● allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db), GACL
      ● plugin for VOMS (to process authorization data)
  ● Local Credential Mapping Service (LCMAPS)
    ● provides local credentials needed for jobs in fabric
    ● mapping based on user identity, VO affiliation, local site policy
    ● plug-ins for local systems (Kerberos/AFS, LDAP nss)
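The multi-VO proxy of slide 9 and the LCAS/LCMAPS decision of slides 17 and 18 can be modelled in a few lines; the following is an added illustration, not code from the EDG project. The VO names iteam and wp6 come from the slides; every DN, FQAN, the ban list, the gridmap entries, the UNIX group table and the function names are constructed for the example.

```python
# Added example (not the slides' code): LCAS-style authorization followed by an
# LCMAPS-style mapping for a multi-VO proxy. All DNs, FQANs, the ban list, the
# gridmap entries and the VO-group-to-UNIX-group table are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str  # full group path, e.g. "/wp6/sub"
    role: str   # "NULL" when no role was requested

def parse_fqan(text: str) -> Fqan:
    """Split '/vo/group/.../Role=r/Capability=c' into VO, group path and role."""
    parts = text.strip("/").split("/")
    path = [p for p in parts if "=" not in p]
    attrs = dict(p.split("=", 1) for p in parts if "=" in p)
    if not path:
        raise ValueError(f"malformed FQAN: {text!r}")
    return Fqan(vo=path[0], group="/" + "/".join(path), role=attrs.get("Role", "NULL"))

# Constructed site policy (what LCAS/LCMAPS would read from ban_users.db, the
# gridmap-file, and a VO group/role -> UNIX group table plus pool accounts).
BANNED_DNS = {"/C=CH/O=CERN/CN=blocked user"}
GRIDMAP = {"/C=CH/O=CERN/CN=legacy user": "legacy01"}   # DN -> local account
GROUP_TO_UNIX = {"/iteam": "iteam", "/wp6": "wp6", "/wp6/sub": "wp6sub"}
ROLE_TO_UNIX = {("/wp6", "admin"): "wp6adm"}
POOL_ACCOUNT = {"iteam": "iteam001", "wp6": "wp6001"}   # VO -> pool account

def lcas_authorise(dn: str, fqans: list) -> bool:
    """Deny banned DNs; allow gridmap users or any proxy carrying a known VO group."""
    if dn in BANNED_DNS:
        return False
    if dn in GRIDMAP:
        return True
    return any(parse_fqan(f).group in GROUP_TO_UNIX for f in fqans)

def lcmaps_map(dn: str, fqans: list):
    """Return (account, primary UNIX group, secondary UNIX groups): the first VOMS
    credential is the default VO (account pool), its first FQAN the default group
    (primary UNIX group); further VO/group/role entries become secondary groups."""
    parsed = [parse_fqan(f) for f in fqans]
    # a gridmap entry wins; otherwise the default VO's pool (None if the VO has none)
    account = GRIDMAP.get(dn) or (POOL_ACCOUNT.get(parsed[0].vo) if parsed else None)
    groups = []
    for f in parsed:
        for g in (GROUP_TO_UNIX.get(f.group), ROLE_TO_UNIX.get((f.group, f.role))):
            if g and g not in groups:
                groups.append(g)
    return account, (groups[0] if groups else None), groups[1:]
```

An old-style gridmap user with no VOMS attributes still gets an account but no VO-derived groups, which is the compatibility mode of slide 4.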
