Security in Condor

Hao Wang
Computer Sciences Department
University of Wisconsin-Madison
hbwang@cs.wisc.edu
http://www.cs.wisc.edu/condor

Outline

› Motivations
› Security Goals
› Design
› Current Status
› Issues and Future Work

Why Do We Need Security?

[Figure: Alice, Bob and a Condor pool]
  Alice to Condor: "I am Alice; please run 100 jobs for me"
  Here comes Bob...
  Bob to Condor: "I am Alice; please remove all my jobs"

› Problem: false identification, stolen identity
› Solution: authentication
  • Establish the identities reliably

Other Problems

Problems                        Solutions
› Stolen data, eavesdropping    › Encryption
› Tampered data or messages     › Integrity check via Message Authentication Code (MAC)

Design Requirements

› The ultimate goal: a secure channel
› Strong authentication
  • Cross-platform support (Unix, NT, Linux, etc.)
  • Must support multiple authentication protocols
    - Different sites have different security requirements
    - Flexibility

Design Requirements (cont.)

› Protecting data and secure communication
  • Encryption
  • Integrity check
  • Support multiple platforms
  • Must support both TCP and UDP
› User-based authorization
  • Fine-grained access control
› Auditing
  • Logging

Grid Requirements

› Condor is part of the Grid community
  • Need to meet various Grid security requirements
  • AAA:
    - Authentication: X.509-based PKI infrastructure
    - Authorization
    - Accounting
  • Fully integrated with the Globus Toolkit

Trust Model

› In what do we trust?
  • Authentication protocols
    - Kerberos, X.509, NTSSPI, etc.
    - Strong authentication is the key
  • Authentication services
    - Certificate Authorities, Kerberos servers, etc.
  • System administrators
    - Configurations
  • Machines where Condor is installed

Condor Security Architecture

[Figure: layered architecture, top to bottom]
  Condor Daemons and Tools
  CEDAR
  Services: Cryptography Services, Authentication Services, Authorization, Other Services
  Libraries: TCP/UDP, OpenSSL, Globus GSI, Kerberos

Current Status (>= V6.3.2)

› Authentication
  • Support multiple protocols: Kerberos, X.509, NTSSPI, File System
  • Use the Globus Toolkit (2.0) for Grid-related security services

Authorization

› User-based access control policy
  • Access control format: ACCESS_LEVEL = user@domain/hostname
  • Supports wildcards for flexibility
› Each Condor command is associated with an authorization level:
  • READ, WRITE, DAEMON, CONFIG, ADMIN, OWNER, NEGOTIATOR
› Specify users for each authorization level, either ALLOW or DENY

Authorization Examples

› Allow all users READ access:
    ALLOW_READ = */*
› Allow all engineering department users coming from a machine on the UW campus network WRITE access:
    ALLOW_WRITE = *@engr.wisc.edu/*.wisc.edu
› Allow condor-1 and condor-2 to have the CONFIG access level:
    ALLOW_CONFIG = [email protected]/*, [email protected]/*
› Only allow the user [email protected], coming from the CS department network, to have the DAEMON access level:
    ALLOW_DAEMON = [email protected]/*.cs.wisc.edu
› Only [email protected] from the host bigbird can have the ADMIN level of access:
    ALLOW_ADMIN = [email protected]/bigbird.cs.wisc.edu
› Deny the following users READ access:
    [email protected]/*, [email protected]
› Deny [email protected] WRITE access:
    [email protected]/*
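As an added illustration of the ACCESS_LEVEL = user@domain/hostname policy format shown above (example code, not Condor's own implementation): a small Python matcher that parses ALLOW_*/DENY_* lines and evaluates an authenticated identity and its host against them. The example.edu identities are constructed, DENY_<LEVEL> is assumed as the name of the DENY form, fnmatch stands in for Condor's wildcard matching, and deny-overrides-allow is an assumption.

```python
import fnmatch

# Constructed sample policy in the slide's ACCESS_LEVEL = user@domain/hostname
# format ('*' is the wildcard). The example.edu names are made up; DENY_<LEVEL>
# is assumed as the name of the DENY counterpart of ALLOW_<LEVEL>.
SAMPLE_CONFIG = """
ALLOW_READ   = */*
ALLOW_WRITE  = *@engr.wisc.edu/*.wisc.edu
ALLOW_CONFIG = condor-1@example.edu/*, condor-2@example.edu/*
ALLOW_ADMIN  = admin@example.edu/bigbird.example.edu
DENY_READ    = mallory@example.edu/*, eve@example.edu
DENY_WRITE   = intern@engr.wisc.edu/*
"""

def parse_policy(text):
    """Return {(action, level): [pattern, ...]} from ALLOW_*/DENY_* lines."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        action, _, level = key.partition("_")
        if action not in ("ALLOW", "DENY") or not level:
            continue
        patterns = [p.strip() for p in value.split(",") if p.strip()]
        policy.setdefault((action, level), []).extend(patterns)
    return policy

def matches(pattern, identity, host):
    """Match user@domain/hostname against the authenticated identity and the
    peer's hostname; a pattern without '/' applies from any host."""
    user_pat, _, host_pat = pattern.partition("/")
    return (fnmatch.fnmatchcase(identity, user_pat)
            and fnmatch.fnmatchcase(host.lower(), (host_pat or "*").lower()))

def authorized(policy, level, identity, host):
    """Deny-overrides-allow (assumed, as HTCondor does): any DENY match refuses
    the command; otherwise some ALLOW pattern for this level must match."""
    if any(matches(p, identity, host) for p in policy.get(("DENY", level), [])):
        return False
    return any(matches(p, identity, host) for p in policy.get(("ALLOW", level), []))
```

The identity passed in is the one established by the authentication step; a command whose level has no ALLOW entry at all (NEGOTIATOR in the sample) is refused for everyone.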

Current Status (cont.)

› Data encryption: OpenSSL based
  • Supports 3DES, Blowfish
  • Supports both TCP and UDP
› Data integrity: OpenSSL based
  • Supports MD5
  • Supports both TCP and UDP

UDP Encryption/Integrity

› Encryption and integrity support for UDP is hard
  • UDP is connectionless
    - Packets may come from different sources!
  • UDP is not reliable
› How to address these issues?

UDP Encryption/Integrity

› Use TCP plus a strong authentication protocol for the initial key exchange
  • The protocol must provide encryption support
  • Exchange a secret key and a key Id
› Each side caches the <key, key Id> pair
› Include <key Id> in subsequent communication
› Use <key> for encryption and for the integrity check of UDP packets

UDP Encryption/Integrity

[Figure: message sequence between the Schedd, the Startd and the Central Manager]
  1. Initial state: no keys cached
  2. A daemon sends an UPDATE command request to the Central Manager (UDP)
  3. AUTHENTICATE: authentication (TCP)
  4. Key exchange (TCP with encryption): [Key-1, ID-1]; both sides cache <Key-1, ID-1>
  5. Update (UDP with encryption/integrity): [UPDATE, ID-1]
  6. Steady state (UDP): [UPDATE, ID-1] and [UPDATE, ID-2] arrive at the Central Manager, which holds <Key-1, ID-1> and <Key-2, ID-2>, one pair per peer; a third pair <Key-3, ID-3> appears at the Schedd and the Startd

Issues with UDP Encryption/Integrity

› Session management
› Key management
› Key expiration
  • How frequently should we exchange a new set of keys?
› Crash recovery
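To make the <key, key Id> scheme and the issues listed above concrete, here is an added Python model (not Condor's code) of one daemon's key cache, the sealing of a UDP datagram that carries the key Id in clear, and the receiver's key lookup, integrity check and decryption. HMAC-SHA256 and a hash-derived keystream are stand-ins for the OpenSSL MD5/3DES/Blowfish primitives the slides name, and KEY_LIFETIME is an assumed value.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins (not Condor's code): the slides name OpenSSL 3DES/Blowfish
# and MD5; here HMAC-SHA256 is the integrity check and a hash-derived keystream
# stands in for the cipher, so only the protocol structure is demonstrated.
HDR = struct.Struct("!IQ")   # key Id (sent in clear, selects the key), sequence number
MAC_LEN = 32
KEY_LIFETIME = 3600          # seconds a cached key stays valid (assumed value)

class KeyCache:
    """One daemon's cache of <key Id, key> pairs learned over the TCP exchange."""
    def __init__(self):
        self._keys = {}

    def install(self, key_id, key, now):
        self._keys[key_id] = (key, now + KEY_LIFETIME)

    def lookup(self, key_id, now):
        entry = self._keys.get(key_id)
        if entry is None or entry[1] <= now:
            return None              # unknown (e.g. peer crashed) or expired: re-key over TCP
        return entry[0]

def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key_id, key, payload, seq):
    """UDP datagram = header || ciphertext || MAC(header || ciphertext)."""
    hdr = HDR.pack(key_id, seq)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, hdr, len(payload))))
    return hdr + ct + hmac.new(key, hdr + ct, hashlib.sha256).digest()

def open_datagram(cache, datagram, now):
    """Receiver side: pick the key by key Id, verify the MAC, then decrypt.
    Returns the payload, or None when the datagram must be dropped."""
    if len(datagram) < HDR.size + MAC_LEN:
        return None
    hdr, ct, mac = datagram[:HDR.size], datagram[HDR.size:-MAC_LEN], datagram[-MAC_LEN:]
    key_id, _seq = HDR.unpack(hdr)
    key = cache.lookup(key_id, now)
    if key is None:
        return None
    if not hmac.compare_digest(mac, hmac.new(key, hdr + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, hdr, len(ct))))
```

Because the key is selected by the key Id rather than by the sender's address, the Central Manager can verify datagrams from several peers out of one cache; a datagram whose key Id is unknown (a peer that crashed and lost its cache) or expired cannot be verified and is dropped, which is the point at which the TCP authentication and key exchange must be rerun.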

Status Summary

› Strong authentication
  • Support multiple protocols
› User-based authorization
› Encryption for both TCP and UDP
› Integrity check for both TCP and UDP

Future Work

› Grid-related work
  • Science Grid, PPDG … related work
  • Community Authorization Service (CAS)
› Credential related
  • Expiration, refresh, delegation
  • MyProxy
› More work on authorization
  • SPKI/SDSI, ClassAd

Questions?

› Demo on Wednesday: Room 3397, CS Building, 9am – noon
› More about Condor: http://www.cs.wisc.edu/condor, [email protected]
› Talk to us: Zachary Miller, Todd Tannenbaum, Miron Livny, Hao Wang