Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center


Page 1:

Mine Altunay, OSG Security Officer

Open Science Grid: Security

Gateway Security Summit

January 28-30, 2008

San Diego Supercomputer Center

Page 2:

Gateway Security Summit : 01/30/2008 2

OSG Security Team

Mine Altunay (FNAL)

Doug Olson (LBNL)

Bob Cowles (SLAC)

Don Petravick (FNAL)

Page 3:

OSG Security
• The big picture:
  – What does OSG security do?
• Security Infrastructure
  – Authentication
  – VOMS
  – PRIMA/GUMS
  – gPlazma
  – gLExec
• How can someone become part of OSG?

Page 4:

OSG Security
• A security framework that enables science and promotes autonomous and open science collaboration among VOs, sites, and software providers
• Operational
  – Vulnerability analysis, patches
  – Incident response
• Interoperability
  – Joint policy work: JSPG, MWSG, IGTF
  – Why we are here: how to build interoperability with other Grids (TeraGrid)
• Education
  – Security tutorials, documents for the naïve user

Page 5:

[Diagram: OSG security activities. Software providers (Globus, Condor, gLExec, RSV, Gratia, VDT), sites (FermiGrid, BNL_ATLAS_1, UCSDT2) and VOs (ATLAS, CMS) surround Open Science Grid, connected by job submissions and interoperability links. The activity boxes read:]

Software
• Check software vulnerabilities
• Develop and announce patches

Interoperability
• JSPG, IGTF
• Participate in EGEE's response and operation teams

Security Education for Sites and VOs
• Raise security awareness
• Teach OSG policies and best practices
• Workshops, tutorials, grid schools

Policies for Site-VO interoperability
• Develop policies: AUP, service agreements, pilot policies, MOU, membership

Incident Response and Monitoring
• Coordinating the response teams, communication with Sites and VOs
• Banning compromised machines or users, monitoring for suspicious job submissions
• Fire drills for practice

Page 6:

Security Infrastructure

• Authentication
  – Performed by GSI
  – OSG distributes the IGTF-approved root CAs (in VDT)
  – Sites fetch automatic CRL updates; if a site's copy of a CA's CRL passes its nextUpdate without being refreshed, GSI rejects every certificate issued by that CA, so the CRL fetch has to be monitored
  – Sites can update root CAs (optional tool in VDT)
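The CRL monitoring check a site would run against the slide's setup, as an added example that is not OSG or VDT code. It assumes the usual certificates-directory layout (CA certificate as <hash>.0, its CRL as <hash>.r0) and an `openssl` binary on PATH for the directory scan; the parsing and status logic need neither and run on constructed openssl output.

```python
"""Freshness check for the CA CRLs a GSI site keeps in its certificates directory.

Added example, not OSG or VDT code. Assumes the CA certificate is stored as
<hash>.0 and its CRL as <hash>.r0, and that `openssl` is on PATH for the scan.
"""
import os
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# openssl prints e.g. "nextUpdate=Feb  1 12:00:00 2008 GMT" for `-nextupdate`
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"
DEFAULT_WARN = timedelta(hours=24)   # warn this long before nextUpdate passes


def parse_next_update(line: str) -> datetime:
    """Turn one `nextUpdate=...` line from openssl into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "nextUpdate" or not value:
        raise ValueError(f"not a nextUpdate line: {line!r}")
    return datetime.strptime(value, _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def crl_status(next_update: datetime, now: datetime,
               warn_before: timedelta = DEFAULT_WARN) -> str:
    """'expired' once nextUpdate has passed (from then on GSI rejects every
    certificate issued by that CA), 'stale' inside the warning window, else 'ok'."""
    if next_update <= now:
        return "expired"
    if next_update - now <= warn_before:
        return "stale"
    return "ok"


def check_crl_directory(cert_dir: str = "/etc/grid-security/certificates",
                        warn_before: timedelta = DEFAULT_WARN,
                        now: Optional[datetime] = None) -> Dict[str, str]:
    """Status per CA hash. A CA with a <hash>.0 certificate but no <hash>.r0 at
    all is reported as 'missing'; a CRL openssl cannot read as 'unparseable'."""
    now = now or datetime.now(timezone.utc)
    report: Dict[str, str] = {}
    for name in sorted(os.listdir(cert_dir)):
        if name.endswith(".0"):
            if not os.path.exists(os.path.join(cert_dir, name[:-2] + ".r0")):
                report[name[:-2]] = "missing"
            continue
        if not name.endswith(".r0"):
            continue
        result = subprocess.run(
            ["openssl", "crl", "-in", os.path.join(cert_dir, name), "-noout", "-nextupdate"],
            capture_output=True, text=True, check=False)
        if result.returncode != 0:
            report[name[:-3]] = "unparseable"
            continue
        report[name[:-3]] = crl_status(parse_next_update(result.stdout), now, warn_before)
    return report


if __name__ == "__main__":
    for ca_hash, status in check_crl_directory().items():
        print(f"{ca_hash}\t{status}")
```

Run it from cron on each gatekeeper and alert on anything other than "ok"; "missing" usually means the CA was installed without its CRL URL being fetched, and "stale" gives a day's warning before the CA's users start failing authentication.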

Page 7:

Authorization: VOMS + PRIMA + GUMS

[Diagram: the VOMS server holds the attribute repository; the GUMS server holds the DN/FQAN mapping (MySQL) and syncs periodically with VOMS to get VO membership; the gatekeeper validates the proxy (GSI) and uses its gridmap callout to the PRIMA module, which asks GUMS for the account; the job then goes to the batch system.]

1: voms-proxy-init
2: receive VO permissions
3: job submission
4: request account
5: account mapping
6: job handed to the batch system

Page 8:

VOMS
• VO Membership Service
  – VO manages access rights for its members
  – FQAN: Fully Qualified Attribute Name
  – Based on RFC 3281 (X.509 attribute certificates)
  – Example: /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL
  – Different roles have different permissions
• Sites must honor VO permissions
• VOMS registration
  – via VOMS, or VOMRS, or manually
• Use voms-proxy-init instead of grid-proxy-init
  – The VO-specific permissions (FQANs) are inserted into the proxy as a non-critical X.509 extension

Page 9:

GUMS: Grid User Management Service
• Maps user DNs/FQANs to accounts
  – Replaces grid-map files
  – Site-wide tool
• Sites recognize VO permissions
• Syncs with VOMS periodically
  – Downloads the VO memberships, FQANs
  – Can work with LDAP instead of VOMS

Page 10:

GUMS
• Three types of mapping
  – personal accounts (manual or from LDAP)
  – group accounts (multiple DNs to a single UID, like VO -> UID)
  – pool accounts (dynamically generated)
• Guarantees that the same UID is used by only one DN/FQAN at any given time
• Currently, a pool account is created when a DN/FQAN is first seen and never released, so a pool must be sized for every DN/FQAN the site will ever see; once it is exhausted, new users cannot be mapped

Page 11:

GUMS
• Two kinds of grouping
• User groups
  – Map (DN, FQAN) to (uid, gid)
• Host groups
  – Connect hosts with user groups
  – An M x N configuration
  – A single host group can be used for
    • multiple hosts (like "*.usatlas.bnl.gov")
    • multiple user groups (like "usatlasGroup,atlas,dial")
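The mapping rules of the last four slides (FQAN syntax, the three account types, the pool-account guarantee, and host groups selecting user groups) in one runnable model, as an added example that is not GUMS code. The rule syntax, the first-match ordering and keying pool leases on (DN, FQAN) are this example's own simplifications; the site configuration in `demo_site` is constructed.

```python
"""Added example (not GUMS code): VOMS FQAN parsing and GUMS-style mapping of
(DN, FQAN) to (uid, gid) with personal, group and pool accounts selected through
user groups and host groups. Rule syntax, first-match order and the (DN, FQAN)
pool key are this example's simplifications."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FQAN:
    vo: str
    group: str                  # full group path, e.g. "/atlas/usatlas"
    role: Optional[str]         # None when absent or Role=NULL
    capability: Optional[str]   # None when absent or Capability=NULL


def parse_fqan(text: str) -> FQAN:
    """Parse /VO[/subgroup...][/Role=r][/Capability=c]; reject anything else."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups: List[str] = []
    role = capability = None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif not part or "=" in part or role is not None or capability is not None:
            raise ValueError(f"malformed component {part!r} in FQAN {text!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError(f"FQAN names no VO: {text!r}")
    return FQAN(groups[0], "/" + "/".join(groups),
                None if role in (None, "NULL") else role,
                None if capability in (None, "NULL") else capability)


@dataclass
class UserGroup:
    """A GUMS user group: the (group, role) it covers and how it maps."""
    name: str
    match_group: str                  # VOMS group covered, subgroups included
    gid: str
    kind: str                         # "personal" | "group" | "pool"
    match_role: Optional[str] = None  # None: any role
    personal: Dict[str, str] = field(default_factory=dict)   # DN -> uid
    group_uid: Optional[str] = None                         # one shared uid
    pool: List[str] = field(default_factory=list)           # free pool uids
    leases: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def matches(self, fqan: FQAN) -> bool:
        return ((fqan.group == self.match_group or fqan.group.startswith(self.match_group + "/"))
                and (self.match_role is None or fqan.role == self.match_role))

    def map(self, dn: str, fqan_text: str) -> Optional[Tuple[str, str]]:
        if self.kind == "personal":
            uid = self.personal.get(dn)
        elif self.kind == "group":
            uid = self.group_uid
        elif self.kind == "pool":
            key = (dn, fqan_text)
            if key not in self.leases:          # lease on first sight, never released
                if not self.pool:               # exhausted: deny, never share a uid
                    return None
                self.leases[key] = self.pool.pop(0)
            uid = self.leases[key]
        else:
            raise ValueError(f"unknown mapping kind {self.kind!r}")
        return None if uid is None else (uid, self.gid)


class Gums:
    def __init__(self, user_groups: List[UserGroup], host_groups: List[Tuple[str, List[str]]]):
        self.user_groups = {ug.name: ug for ug in user_groups}
        self.host_groups = host_groups          # (host glob, user group names), first match wins

    def map_user(self, host: str, dn: str, fqan_text: str) -> Optional[Tuple[str, str]]:
        """Account for (dn, fqan) on host, or None when no rule there yields one."""
        fqan = parse_fqan(fqan_text)
        for host_glob, names in self.host_groups:
            if fnmatch(host, host_glob):
                for name in names:              # first user group that maps wins
                    ug = self.user_groups[name]
                    if ug.matches(fqan):
                        mapped = ug.map(dn, fqan_text)
                        if mapped is not None:
                            return mapped
                return None
        return None


def demo_site() -> Gums:
    """Constructed configuration, not any real site's."""
    return Gums(
        [UserGroup("atlasProd", "/atlas", "atlas", "group", match_role="production", group_uid="atlasprod"),
         UserGroup("atlasPool", "/atlas", "atlas", "pool", pool=["atlas001", "atlas002"]),
         UserGroup("cmsPersonal", "/cms", "cms", "personal", personal={"/DC=org/DC=example/CN=Alice": "alice"})],
        [("*.usatlas.bnl.gov", ["atlasProd", "atlasPool"]),
         ("*.example.org", ["atlasPool", "cmsPersonal"])])
```

Two behaviours worth watching in a real deployment follow directly from the model: a production-role job lands on the shared `atlasprod` account regardless of who submitted it, so per-user accountability for that role comes only from the GUMS log of the DN, and the pool denies the third ATLAS user outright rather than reusing a leased uid.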

Page 12:

gPlazma: Storage Authz

[Diagram: storage authorization in SRM-dCache. The client runs voms-proxy-init (proxy with VO membership and role attributes) and srmcp against the SRM server. The SRM callout and the GridFTP callout both go to gPLAZMA, which carries a PRIMA SAML client. gPLAZMA sends a SAML query over https/SOAP to the GUMS identity mapping service and receives a SAML response; if the user is authorized it gets the username, then asks the Storage Authorization Service ("get storage authz for this username") for the user authorization record, backed by the storage metadata. Data then moves through the GridFTP server. The alternative path is the gPLAZMALite authorization service, backed by the gPLAZMALite grid-mapfile and dcache.kpwd. The original numbers the steps 1 to 13, including sub-steps 4a to 4d.]

Page 13:

CE and SE: Big Picture

[Diagram: a local or remote client presents a proxy with VO membership and role attributes to the site. Site-wide services: VOMS, GUMS (site-wide mapping service), SAZ (site-wide assertion service) and an auxiliary mapping service. On the CE the Globus Gatekeeper uses the PRIMA callout (PRIMA C SAML libraries); on the SE gPLAZMA consults the storage metadata and the Storage Authorization Service.]

Page 14:

[Same "CE and SE: Big Picture" diagram as page 13, with a PEP (policy enforcement point) label added.]

Page 15:

[Same "CE and SE: Big Picture" diagram as page 13.]

Page 16:

[Same "CE and SE: Big Picture" diagram as page 13, extended with the SAZ and gPLAZMALite authorization services suite, PRIMA Java SAML inside gPLAZMA, and the SRM-GridFTP gPLAZMA callout on the SE.]

Page 17:

[Same diagram as page 16, with a PEP (policy enforcement point) label added.]

Page 18:

gLExec (slide courtesy: Igor Sfiligoi, Gabriele Garzoglio, FNAL)

• When a user submits a grid job to an OSG site, the job always carries the user's credentials, and the execution site assigns the job an appropriate user ID to run under. Pilot jobs work differently: once a pilot occupies a site's batch slot, it fetches and runs a series of user jobs according to the VO's priorities at launch time. If the pilot and the user jobs it runs all share one user ID, the site can no longer tell whose work is running on its resources, so the pilot framework violates the security policy of any site that requires knowledge and control of its resource users.

• gLExec, a gLite product already used on European Computing Elements, solves this problem. It is a privileged executable that, given a user credential and an execution command, obtains the matching Unix ID from the site's GUMS server and executes the command under that ID. To use gLExec within OSG, a VO must configure its pilot to "call home" for the credential of the user job it is about to run; the pilot then hands that credential to gLExec, which uses it to consult the site security service, returning control over the identity mapping to the site.
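The identity switch described above as a runnable model, added here and not gLExec's code. gLExec's real checks (its caller whitelist, LCAS/LCMAPS credential evaluation and privilege drop) are reduced to: the caller must be an enrolled pilot account, the payload proxy must be unexpired, the site mapping service must return an account, and that account must be unprivileged and different from the pilot's. The mapping table, pilot account list and audit line format are this example's own constructed assumptions.

```python
"""Added example, not gLExec code: the checks around a pilot-to-payload
identity switch, with the site's mapping service injected as a callable."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

Mapper = Callable[[str, str], Optional[Tuple[str, str]]]   # (DN, FQAN) -> (uid, gid)


@dataclass(frozen=True)
class Proxy:
    dn: str
    fqan: str
    not_after: int      # expiry, epoch seconds


class GlexecDenied(Exception):
    """Raised instead of running the payload; the pilot gets no uid back."""


def glexec_switch(pilot_uid: str, payload: Proxy, mapper: Mapper, now: int,
                  pilot_accounts: FrozenSet[str],
                  privileged: FrozenSet[str] = frozenset({"root"})) -> Tuple[str, str]:
    """Return the (uid, gid) the payload must run under, or raise GlexecDenied."""
    if pilot_uid not in pilot_accounts:
        raise GlexecDenied(f"caller {pilot_uid!r} is not an enrolled pilot account")
    if payload.not_after <= now:
        raise GlexecDenied(f"payload proxy for {payload.dn!r} has expired")
    mapped = mapper(payload.dn, payload.fqan)
    if mapped is None:
        raise GlexecDenied(f"site mapping service refused {payload.dn!r} {payload.fqan!r}")
    uid, gid = mapped
    if uid in privileged:
        raise GlexecDenied(f"mapping to privileged account {uid!r} refused")
    if uid == pilot_uid:
        raise GlexecDenied("payload would keep the pilot's identity; switch refused")
    return uid, gid


def audit_record(pilot_uid: str, payload: Proxy, target: Tuple[str, str], now: int) -> str:
    """Line the site keeps so a payload can be traced back to its DN afterwards."""
    return (f"ts={now} pilot={pilot_uid} payload_dn={payload.dn!r} "
            f"fqan={payload.fqan} uid={target[0]} gid={target[1]}")


# Constructed site data for a stand-alone run (what GUMS would answer; not a real site).
SITE_MAP = {
    ("/DC=org/DC=example/CN=Bob", "/cms/Role=NULL/Capability=NULL"): ("cms017", "cms"),
    ("/DC=org/DC=example/CN=Mallory", "/cms/Role=NULL/Capability=NULL"): ("root", "root"),
}
PILOT_ACCOUNTS = frozenset({"cmspilot"})


def site_mapper(dn: str, fqan: str) -> Optional[Tuple[str, str]]:
    return SITE_MAP.get((dn, fqan))


def run_payload(pilot_uid: str, payload: Proxy, now: int) -> Tuple[bool, str]:
    """Pilot-side view of one gLExec call: (accepted, audit line or denial reason)."""
    try:
        target = glexec_switch(pilot_uid, payload, site_mapper, now, PILOT_ACCOUNTS)
    except GlexecDenied as err:
        return False, str(err)
    return True, audit_record(pilot_uid, payload, target, now)


if __name__ == "__main__":
    bob = Proxy("/DC=org/DC=example/CN=Bob", "/cms/Role=NULL/Capability=NULL", not_after=1_201_800_000)
    print(run_payload("cmspilot", bob, now=1_201_700_000))
```

The point the site cares about is the audit line: after the switch, every payload is attributable to a DN and an FQAN even though it arrived inside a pilot, and every refusal states why, so a pilot that keeps trying with expired or unmapped credentials shows up in the log rather than running silently under the pilot's own account.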

Page 19:

gLExec (slide courtesy: Igor Sfiligoi, Gabriele Garzoglio, FNAL)

Page 20:

How to become an OSG member?

• Join the OSGEDU VO:
  – Run small applications after learning how to use OSG from schools
• Be part of the Engagement program and Engage VO:
  – Support within the Facility to bring applications to production on the distributed infrastructure
• Be a standalone VO and a Member of the Consortium:
  – Ongoing use of OSG and participation in one or more activity groups

Page 21:

Documents
• OSG Security twiki
  – https://twiki.grid.iu.edu/twiki/bin/view/Security
• OSG Security Plan
  – http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=389
• Security Awareness for the OSG
  – http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=573