WP4 Security and AA(A) issues

For WP4: David Groep

hep-proj-grid-fabric@cern.ch


David Groep – WP4 security and AAA issues – 2001.06.06 - 2

WP4 self-organization (1)

Configuration management: what should a system look like, what is installed

Systems installation: bootstrapping and installing software packages on 10,000 nodes

Resource management: queuing system, task scheduling, quotas and budget


WP4 self-organization (2)

Monitoring: performance and functional monitoring

Fault tolerance & exception recovery: detect exceptions using monitoring information and schedule recovery actions, make self-healing nodes

Gridification: job authorization, credential mapping, information abstraction and network accessibility


Internal and external AAA

External AAA: interaction of a compute centre with the “global” grid, through WP1 (ComputeElement) and WP2 (StorageElement)

Internal AAA: recognizing trusted components and operators

authorization for jobs and files

access to information services

protecting jobs and files whilst in the fabric (uid issues)


A use case for job submission

Accept a job from ComputeElement (the Grid)

Check authorization w.r.t. extra local policies

Assign necessary local credentials

Have the job run on the local fabric


Gridification of a Compute Centre

Diagram. Externally visible: ComputeElement, Grid Info Service (WP3) via GriFIS, GridGATE protocol gateway. Local to the fabric: Grid Job Mediating Service, Fabric-local ID service, Local Credential Mapping Service, LCAS with AuthZ plugins (QuotaCheck, Policy list), User Rep., Job Rep., LRMS and farms.


Job life cycle in a fabric

GjMS – Grid-job Mediating Service: accept jobs from the ComputeElement and shuffle them through the AAA chain

LCAS – Local Community Authorization Service: authorize a job or store request to run on this fabric

Based on the community-wide CAS (VOs), add extra constraints such as budgets, ban lists, wall clock limitations

LCMAPS – Local Credential Mapping Service: obtain the `usual' credentials for running (uid/gid)

Issues: additional credentials for AFS, K5, ...
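The GjMS, LCAS and LCMAPS chain above, and the job-submission use case (accept from the ComputeElement, check against extra local policies, assign local credentials, run), as an added Go example. It is not code from the original slides or from the WP4 software: the request fields, the three plugins (ban list, wall clock limit, budget), the DN strings, VO names, budgets and uid/gid values are all constructed for illustration, and the VO-to-account mapping stands in for whatever the user repository in the diagram would provide. Each check fails closed: the first plugin that objects denies the job, and a VO without a local mapping gets no credentials rather than a shared default account.

```go
package main

import "fmt"

// JobRequest is what the GjMS receives from the ComputeElement. The field set
// is an assumption for this example; the slides do not fix a request format.
type JobRequest struct {
	UserDN   string  // grid identity of the submitter (certificate subject)
	VO       string  // community the submitter belongs to, as asserted by the CAS
	WallSecs int     // requested wall-clock time in seconds
	CPUHours float64 // requested CPU budget
}

// LocalCreds is the LCMAPS result: the 'usual' credentials a job runs with.
type LocalCreds struct {
	UID, GID int
	Account  string
}

// AuthzPlugin is one LCAS policy check; a non-nil error denies the request.
type AuthzPlugin func(JobRequest) error

// BanList denies locally blacklisted DNs, whatever the VO says about them.
func BanList(banned ...string) AuthzPlugin {
	return func(j JobRequest) error {
		for _, dn := range banned {
			if dn == j.UserDN {
				return fmt.Errorf("ban list: %s is banned at this site", dn)
			}
		}
		return nil
	}
}

// WallClockLimit denies jobs asking for more wall time than the site allows.
func WallClockLimit(maxSecs int) AuthzPlugin {
	return func(j JobRequest) error {
		if j.WallSecs > maxSecs {
			return fmt.Errorf("wall clock: %ds requested, %ds allowed", j.WallSecs, maxSecs)
		}
		return nil
	}
}

// Budget denies a job that would overdraw its VO's remaining CPU budget; a VO
// with no budget line at all is denied too (fail closed).
func Budget(remaining map[string]float64) AuthzPlugin {
	return func(j JobRequest) error {
		left, known := remaining[j.VO]
		if !known || j.CPUHours > left {
			return fmt.Errorf("budget: VO %s has %.1f CPU-hours left, %.1f requested", j.VO, left, j.CPUHours)
		}
		return nil
	}
}

// RunLCAS evaluates the policy list in order and stops at the first denial.
func RunLCAS(policy []AuthzPlugin, j JobRequest) error {
	for _, p := range policy {
		if err := p(j); err != nil {
			return err
		}
	}
	return nil
}

// RunLCMAPS maps the job's VO onto a local account. An unknown VO fails
// closed rather than falling through to some shared default account.
func RunLCMAPS(pool map[string]LocalCreds, j JobRequest) (LocalCreds, error) {
	c, ok := pool[j.VO]
	if !ok {
		return LocalCreds{}, fmt.Errorf("lcmaps: no local mapping for VO %s", j.VO)
	}
	return c, nil
}

// Mediate is the GjMS path: authorize first, map credentials second, and only
// then would the job be handed to the LRMS (represented here by the return).
func Mediate(policy []AuthzPlugin, pool map[string]LocalCreds, j JobRequest) (LocalCreds, error) {
	if err := RunLCAS(policy, j); err != nil {
		return LocalCreds{}, fmt.Errorf("lcas denied: %w", err)
	}
	return RunLCMAPS(pool, j)
}

// SitePolicy returns a constructed policy list and account pool for the demo.
func SitePolicy() ([]AuthzPlugin, map[string]LocalCreds) {
	policy := []AuthzPlugin{
		BanList("/O=Grid/CN=Mallory"),
		WallClockLimit(48 * 3600),
		Budget(map[string]float64{"atlas": 1000, "cms": 0.5, "lhcb": 100}),
	}
	pool := map[string]LocalCreds{
		"atlas": {UID: 40001, GID: 4000, Account: "atlas001"},
		"cms":   {UID: 40101, GID: 4010, Account: "cms001"},
	}
	return policy, pool
}
```

Drive it from a _test.go file or a main of your own: `Mediate(policy, pool, job)` returns the uid/gid for a job that passes every plugin and a wrapped denial reason otherwise. The order matters: LCMAPS is only reached for jobs LCAS has already accepted, which is the order the slides give for the GjMS.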



FLIDS (Fabric-local ID service)

Within a fabric only a local certifying entity will be sufficiently trusted

Signing authority for LCAS-accepted (job) requests

Identify trusted operators for installation of new systems

Identify and certify hosts within a fabric

FLIDS is (a tree of) certification authorities

Some of those are “automated” CAs: they sign certificates when the request is signed by a trusted operator


Information and Configuration

A configuration database exists containing the desired state of the local fabric

Contains sensitive information

Prevent unauthorized read access

Prevent snooping of information sent to other hosts

PM9 (and possibly beyond?): web server, XML over HTTPS

Write access limited to a special operator interface only


Another FLIDS application

Adding a new host to a fabric, possibly in a `hostile' environment

We have a trusted operator with an install disk

Need to get initial configuration information, which includes, e.g., an ssh host key

Next slide is for your reference only (don’t be baffled by it)


New host to be installed

Actors in the diagram: the new host; the CFG configuration database behind a secured http server, holding the CFG data ACLs and the LCA root cert; the FLIDS engine, an automated CA holding the LCA cert and private key, which will sign when the request is approved by the `operator'; the operator install disk, with kernel and init, the CFG https agent, the signed cert of the operator, the protected private key of the operator, and the LCA root certificate.

1: Operator boots system

2: agent makes https request using operator credentials

3: https server checks CFG data ACL (operator has all rights), can verify ID of operator using LCA root cert

4: sensitive config data encrypted using session key

5: host generates key pair (but without a passphrase protecting the private part)

6: request sent to FLIDS engine, signed by operator key (in cleartext) (FLIDS hostname known from CFG data)

7: FLIDS checks signature of operator, and signs request with LCA key. Request DN namespace limited.

8: signed host cert back to host (in clear)

9: host checks signature on cert using the LCA root cert on the boot disk

10: https requests to CFG authenticated with new signed host certificate

11: CFG web server can check hostname in cert against requesting IP address and check ACLs
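The operator-approved host enrolment of the FLIDS slides (the automated CA that signs when a trusted operator has signed the request, and steps 5 to 9 of the install sequence above), as an added Go example using only the standard library's crypto/x509. It is not the WP4 FLIDS implementation. Assumptions: the zone name fabric.example as the DN namespace the engine may certify, the rule that a host CN must be exactly one label under that zone, one trusted operator named operator-alice, ECDSA P-256 keys, and the operator countersigning the raw DER of the host's CSR. The FLIDS engine checks three things before signing: the operator's signature against the operator certificate it trusts, the CSR's own signature (the host really holds the private key it wants certified), and the DN namespace; it then builds the certificate itself and takes only the CN from the request. The HTTPS transport, session key and the reverse lookup of the requesting address (steps 2 to 4 and 10 to 11) are out of scope; step 11 on the CFG side corresponds to cert.VerifyHostname on the name the peer address resolves to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const Zone = "fabric.example" // DN namespace this FLIDS engine may certify (assumed name)

func must[T any](v T, err error) T { // bootstrap errors carry no security meaning here
	if err != nil {
		panic(err)
	}
	return v
}

func genKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue certifies pub under the name cn with signer's key; a nil parent means self-signed.
func issue(cn string, ca bool, pub any, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial only
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaves carry cn as a SAN so the CFG server's hostname check (step 11) can work
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// FLIDS is the automated CA of step 7: it signs a host CSR only if a trusted operator countersigned it and the DN is inside Zone.
type FLIDS struct {
	lca       *x509.Certificate
	lcaKey    *ecdsa.PrivateKey
	operators map[string]*x509.Certificate // trusted operators, keyed by CN
}

func (f *FLIDS) Sign(csrDER []byte, operatorCN string, opSig []byte) (*x509.Certificate, error) {
	op, ok := f.operators[operatorCN]
	sum := sha256.Sum256(csrDER) // the operator signed the raw CSR bytes
	if !ok || !ecdsa.VerifyASN1(op.PublicKey.(*ecdsa.PublicKey), sum[:], opSig) {
		return nil, fmt.Errorf("request for %q not signed by a trusted operator", operatorCN)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // the host proves it holds the private key
	}
	if err != nil {
		return nil, err
	}
	cn := csr.Subject.CommonName // namespace limit: exactly one label directly under Zone
	label := strings.TrimSuffix(cn, "."+Zone)
	if label == cn || label == "" || strings.Contains(label, ".") {
		return nil, fmt.Errorf("CN %q is outside namespace %s", cn, Zone)
	}
	return issue(cn, false, csr.PublicKey, f.lca, f.lcaKey), nil // only the CN is taken from the CSR
}

// NewFabric bootstraps an LCA root and one trusted operator (constructed data).
func NewFabric() (*FLIDS, *ecdsa.PrivateKey) {
	lcaKey, opKey := genKey(), genKey()
	lca := issue("LCA "+Zone, true, &lcaKey.PublicKey, nil, lcaKey)
	op := issue("operator-alice", false, &opKey.PublicKey, lca, lcaKey)
	return &FLIDS{lca, lcaKey, map[string]*x509.Certificate{"operator-alice": op}}, opKey
}

// Enrol runs steps 5 to 9 for one host. Step 11 on the CFG side is cert.VerifyHostname.
func Enrol(f *FLIDS, opKey *ecdsa.PrivateKey, hostName string) (*x509.Certificate, error) {
	hostKey := genKey() // step 5: no passphrase protects this private key
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostName}}, hostKey))
	sum := sha256.Sum256(csrDER)
	opSig := must(ecdsa.SignASN1(rand.Reader, opKey, sum[:])) // step 6: operator countersigns
	cert, err := f.Sign(csrDER, "operator-alice", opSig)      // step 7
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool() // steps 8 and 9: verify against the LCA root from the boot disk
	pool.AddCert(f.lca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	return cert, err
}
```

Drive it from a _test.go file or a main of your own: `Enrol(f, opKey, "node042."+Zone)` returns a certificate that chains to the LCA root, while a name outside the zone, a name with an extra label, or a CSR countersigned by a key the engine does not trust is refused before anything is signed. The check order in `Sign` is deliberate: the cheap operator-signature check runs first, and the CA never copies extensions from the request, so a compromised install disk can at most obtain certificates for names inside the zone it is allowed to populate.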


Issues not (yet) addressed

Information services: use whatever security framework WP3 chooses; will likely not publish a list of authorized users

Networking issues: WP4 does not envision using network-layer security

IPv6 is being studied, but only for address space issues

GridGATE is not a VPN router and is not doing IPsec