LCG/EDG Security - update and plans
HEPiX/HEPNT - FNAL, 23 Oct 2002
David Kelsey, CLRC/RAL, UK
[email protected]

23-Oct-02 D.P.Kelsey, Grid Security, HEPiX, FNAL

Description

LCG/EDG Security - update and plans. HEPiX/HEPNT - FNAL, 23 Oct 2002. David Kelsey, CLRC/RAL, UK, [email protected]. Outline: Introduction to Grid Security; EU DataGrid/DataTAG (EDG/EDT) developments; LHC Computing Grid Project (LCG) Phase 1; The main challenges for 2003; Summary. (PowerPoint PPT presentation)


Page 1: LCG/EDG Security - update and plans HEPiX/HEPNT - FNAL 23 Oct 2002

23-Oct-02 D.P.Kelsey, Grid Security, HEPiX, FNAL 1

LCG/EDG Security - update and plans
HEPiX/HEPNT - FNAL, 23 Oct 2002
David Kelsey, CLRC/RAL, UK
[email protected]

Page 2

Outline

• Introduction to Grid Security
• EU DataGrid/DataTAG (EDG/EDT) developments
• LHC Computing Grid Project (LCG) Phase 1
  – The main challenges for 2003
• Summary

Page 3

Introduction to Grid Security

Page 4

Authentication (1)

• Proof of Identity
• Grid Security Infrastructure (GSI)
• PKI = Public Key Infrastructure
  – Private/public key pair
    • Generated by user – “private” key must be kept secret
    • Asymmetric encryption
  – X.509 certificate
    • National Certificate Authority “signs” the public key
    • Binds to a “name” / identity
    • No authorisation to use resources

Page 5

Authentication (2)

• Uses SSL, certificates and the key-pair
  – Need to trust the CA(s)
• Securely identifies User, Machine, Service
  – In both directions (mutual authentication)
To achieve …
• Single sign-on to Grid (via Proxy certificate)
  – short-lived (no revocation)
• To avoid having to register all users at all sites!
• Many issues
  – Revocation, length of keys, period of validity, security of private key, operational procedures, …
  – Registration authorities (checks identity)

Page 6

Authorisation

• Today: based on local mechanisms
  – e.g. UNIX (uid, gid) or Kerberos
• Globus gatekeeper
  – Maps global identity (Distinguished Name) to local user account
• Access control all based on standard UNIX tools
  – Or Kerberos, AFS etc
• Site/System management fully in control
• Limited tools for Virtual Organisations (VOs) to manage access to resources

Page 7

EDG/EDT security developments

Page 8

EDG Security news

• EU Deliverable 7.5
  – Security Requirements and Testbed1 (complete) http://hepwww.rl.ac.uk/kelsey/DataGrid-D7.5.pdf
• EU Deliverable 7.6
  – Security Design and Testbed2 (January 2003)
• Security components
  – VO/LDAP & VOMS – Authorisation
  – LCAS, LCMAPS – local authorisation and mapping
  – Gridmapdir – dynamic leased accounts
  – Gridsite – certificate-based web management
  – SlashGrid – DN-based grid home file system
  – GACL – library to parse ACLs (XML)
  – edg-security (for database access control)
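As an added illustration of the gatekeeper mapping on slide 6 and the Gridmapdir “dynamic leased accounts” listed above (example code written for this page, not EDG’s or Globus’s own), the following Go program parses a constructed grid-mapfile, strips the /CN=proxy components from a proxy subject to recover the user’s DN, and maps that DN to a local account, leasing one from a pool when the entry names a pool. The DNs, account names and pool contents are constructed, and the leading-dot pool convention is an assumption.

```go
package main

import "strings"

// Constructed grid-mapfile in the Globus format "DN" account[,account...]. A leading "."
// marks a gridmapdir pool of leased accounts (an assumed convention, not from the slides).
const gridMapFile = `"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=example user" exuser
"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla" .atlas`
// Mapper holds static DN->account entries, still-free pool accounts and the leases handed out.
type Mapper struct {
	entries, leases map[string]string
	pools           map[string][]string
}
func NewMapper(mapfile string, pools map[string][]string) *Mapper {
	m := &Mapper{entries: map[string]string{}, leases: map[string]string{}, pools: pools}
	for _, line := range strings.Split(mapfile, "\n") {
		// the DN is quoted; of the comma-separated accounts after it the gatekeeper uses the first
		if i := strings.LastIndex(line, `"`); strings.HasPrefix(line, `"`) && i > 0 {
			m.entries[line[1:i]] = strings.Split(strings.TrimSpace(line[i+1:]), ",")[0]
		}
	}
	return m
}

// IdentityFromProxySubject removes the "/CN=proxy" (or "/CN=limited proxy") components that
// GSI appends to the user DN in a legacy proxy certificate, one per delegation (see slide 13).
func IdentityFromProxySubject(subject string) string {
	for strings.HasSuffix(subject, "/CN=proxy") || strings.HasSuffix(subject, "/CN=limited proxy") {
		subject = subject[:strings.LastIndex(subject, "/CN=")]
	}
	return subject
}

// MapDN is the gatekeeper step of slide 6: global identity -> local account. A pool entry leases
// the next free account and keeps it for that DN; ok is false for an unknown DN or an empty pool.
func (m *Mapper) MapDN(proxySubject string) (account string, ok bool) {
	dn := IdentityFromProxySubject(proxySubject)
	acct, known := m.entries[dn]
	if !known || !strings.HasPrefix(acct, ".") {
		return acct, known // static one-to-one mapping, or "" for a DN that is authenticated but not authorised
	}
	if leased, done := m.leases[dn]; done {
		return leased, true // the same DN keeps the account it already holds
	}
	if free := m.pools[acct[1:]]; len(free) > 0 {
		m.pools[acct[1:]], m.leases[dn] = free[1:], free[0]
		return free[0], true
	}
	return "", false // pool exhausted
}
```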

Page 9

EDG WP6 CA group

• The PMA (Policy Management Authority) for EDG
  – Members: the CA managers (but not just EDG!)
  – includes CrossGrid, US DOE CAs… more joining
  – http://marianne.in2p3.fr/datagrid/ca/
• Establishing “Trust” between CAs, Grid projects, VOs, Sites
  – Need approval of site security officers and sysadmins
• To (perhaps) bypass normal user registration procedures
  – Achieved for EDG testbed activities
    • NOT yet for LCG production-scale deployment
• Defining “best practice” and “minimum requirements”
  – Working with GGF
  – CP/CPS documents
  – Registration Authority procedures
  – Operational procedures

Page 10

Trusted CAs

• 13 trusted CAs
  – CERN, Czech Rep, France, Germany, Ireland, Italy, Netherlands, Nordic, Portugal, Russia, Spain, UK, USA
• Under consideration
  – Canada, Greece, Poland, Slovakia
• CNRS/France willing to act as short-term “catch-all”
  – For small number of users/machines
  – But needs agreed registration procedure(s)
  – Already doing so for Austria, Israel, Switzerland, Romania, Taiwan…

Page 11

Authorisation

• VO/LDAP shown in Catania HEPiX
• Now we (EDT for EDG) are developing VOMS
  – Virtual Organisation Membership Service
    • See Luciano Gaido’s slides (EDG meeting Budapest) and VOMS architecture report (EDT meeting 8 Oct 02)
  – Some of these follow
• LCAS & plug-ins and GACL to apply Access Control
• Easy management of ACLs still missing

Page 12

Current implementation (LDAP)

• Support for users belonging to more than one VO
  – -vo option to grid-proxy-init command;
  – the VO name is inserted in the Subject of the proxy certificate (D field);
  – requires a patch to Globus code (and a change to mkgridmap);
  – under test the interaction with RB;
  – availability: 30 September ’02.

Page 13

VO Membership Service

1. Client and server authenticate themselves and establish a secure communication channel using standard Globus API.
2. The Client sends the request to the Server.
3. The Server checks the request and sends back the required info (signed by itself).
4. The Client checks the validity of the info received.
5. Steps 1–4 are repeated for each Server the Client wants to contact.
6. The Client creates a proxy certificate with an extension (non critical) containing all the info received from the contacted VOMS Servers.

[Diagram: the Client authenticates to each VOMS Server and sends its Query/Request; the Server consults its AuthDB and returns a VOMS pseudo-cert; the Client’s proxy certificate (subject C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) carries the VOMS pseudo-certs.]
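The six-step exchange above, as an added example that is not part of the original slides or of VOMS itself: a toy Go model of steps 2 to 6, with Ed25519 signatures standing in for the server’s signature and a plain string for the attribute info. Step 1 (mutual GSI authentication over the Globus API) is assumed to have already happened, the on-the-wire encoding is not the real VOMS one, and the DNs, VO names and attribute strings are constructed.

```go
package main

import "crypto/ed25519"

// PseudoCert is the "VOMS pseudo-cert" of slide 13 in a toy encoding (not the real VOMS format):
// what one VO says about one holder, signed by that VO's VOMS server.
type PseudoCert struct {
	VO, Holder, Attrs string // Attrs e.g. "/atlas/Role=production", as recorded in the VO's AuthDB
	Sig               []byte
}

func (p PseudoCert) signedBytes() []byte { return []byte(p.VO + "\x00" + p.Holder + "\x00" + p.Attrs) }
// Server is one VOMS server: VO name, signing key pair and a constructed AuthDB (DN -> attributes).
type Server struct {
	VO     string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	authDB map[string]string
}
func NewServer(vo string, authDB map[string]string) *Server {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand.Reader
	return &Server{VO: vo, Pub: pub, priv: priv, authDB: authDB}
}
// Request is steps 2-3: the server checks the (already authenticated) holder against its AuthDB
// and returns the info signed by itself; nil means the DN is not a member of this VO.
func (s *Server) Request(holderDN string) *PseudoCert {
	if attrs, member := s.authDB[holderDN]; member {
		p := &PseudoCert{VO: s.VO, Holder: holderDN, Attrs: attrs}
		p.Sig = ed25519.Sign(s.priv, p.signedBytes())
		return p
	}
	return nil
}
// Verify is step 4 (and what a resource repeats when it later reads the proxy extension):
// the info must name this holder and verify under the trusted key registered for that VO.
func Verify(p *PseudoCert, holderDN string, trusted map[string]ed25519.PublicKey) bool {
	if p == nil || p.Holder != holderDN {
		return false
	}
	pub, ok := trusted[p.VO] // an unknown VO has no key; ed25519.Verify must never see a nil key
	return ok && ed25519.Verify(pub, p.signedBytes(), p.Sig)
}

// BuildExtension is steps 5-6: repeat the exchange with each server and collect the verified
// pseudo-certs into the (non-critical) extension the client then puts in its proxy certificate.
func BuildExtension(holderDN string, servers []*Server, trusted map[string]ed25519.PublicKey) (ext []*PseudoCert) {
	for _, s := range servers {
		if p := s.Request(holderDN); Verify(p, holderDN, trusted) {
			ext = append(ext, p)
		}
	}
	return ext
}
```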

Page 14

VOMS

Page 15

LCG Phase 1

Page 16

LCG 1 security

• LCG Phase 1 – deploy a production quality Grid
  – from July 2003
• Planning now – documents by December 2002
  – Must be ready by summer 2003
• Security planning
  – User Registration
  – Authentication
  – Authorisation
  – Security Policy
  – Operational issues

Page 17

User Registration

• Users would like to register just once (per VO)
  – Sign one form
  – One single “Acceptable Use” description
• Sites need
  – Sufficient recorded information about the user
    • VO databases – managed by whom? (expt offices?)
  – Behind-the-scenes creation of new user accounts
    • Or willingness to use dynamic leased accounts
• VOs need
  – Tools to manage users, roles, groups
• Who owns the databases – VOs and/or Sites?

Page 18

Authentication

• Scaling of establishing list of trusted CAs
  – Currently one per country (many countries!)
  – Often issued by CAs serving larger community than HEP
• CERN and FNAL proposing a Kerberos-based CA
  – User authenticates via Kerberos to the KCA
  – KCA then issues short-lived X.509 certs
  – Not yet “trusted” by EDG/LCG
• Some sites will not accept long-lived private keys held by users
  – Credential repositories (MyProxy, aVOMS)
  – Smartcards
  – Specialised additional authentication (e.g. Cryptocard)
    • Doesn’t scale!
• Support multiple levels of authentication
• Credential renewal for long-running batch jobs

Page 19

Authorisation

• Technology immature
  – What will be ready for LCG phase 1?
  – Need input from the experiments
• Who manages access?
  – To sites
  – To resources
  – To individual files, objects
• Sites authorise VOs
  – VOs authorise users, roles, groups
• Much will be definition of procedures
  – Aim for independence from technologies
    • Move to OGSA, WS-Security, …
• Sites need to trust VO procedures

Page 20

Operational issues

• Communication between sites
• Intrusion detection
• Incident tracking
• Auditing and reporting

Page 21

Summary

• EDG/EDT – much progress during 2002
  – More functionality in 2003
  – GGF and other Grid projects also important
• Current procedures work well for Testbed scale
• LCG Phase 1 (and BaBar Grid)
  – Need improved procedures for production scale
• Need to plan for and support
  – Multiple authentication and authorisation technologies
• Will need full consultation with Sites and VOs (experiments) to agree policies and establish trust
• MUST be pragmatic
  – LCG Phase 1 MUST work