Grid Security and VO Management
Andrew McNab, University of Manchester
Outline
● Defining VOs
● VO Pull vs Push
● Pool Accounts
● VOMS
● GridSite components
● Web service support
● VO practicalities
13 December 2005 Grid Security
Perspective
● GridPP is the UK's High Energy Physics grid project
  – 15 university sites + RAL
  – largest is a 2000 processor farm at Manchester
● Participates in deployment of LHC Computing Grid
  – ~160 sites worldwide, led by CERN
● Contributes to EGEE middleware development
  – info system, data management and security
● I co-ordinate the GridPP security middleware work
  – this is principally the GridSite system
Virtual Organisations
● Within LCG/EGEE, VOs are essentially authorization domains:
  – access rights to resources and datasets owned by a group of people
● So the central “VO problem” becomes how to prove individuals are members of that VO, subgroup etc
● There are two classic ways of doing this:
  – Pull and Push
VO by Pull
● EU DataGrid developed a way of publishing lists of VO members
  – Authentication based on X.509 DNs: ie VO = “DN List”
  – LDAP(S) used, but can also be done by HTTPS
● Sites subscribe to VO lists and pull them periodically
  – daily or every few hours
● Advantage is that user's software doesn't need to know
● Disadvantage is that hundreds of service machines need to pull lists of thousands of users several times a day
Pool accounts
● The other half of the EU DataGrid system was Pool Accounts, developed in Manchester
  – Unix accounts created and assigned to users as they submit jobs, access files on that site.
  – Local copy of VO membership list decides whether a mapping can be created
  – May direct user to a special pool of accounts for their VO
● Now used by LCG and UK NGS
● Surprisingly successful for a “temporary” fix!
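The two slides above describe the pull model and pool accounts together: a site periodically pulls each VO's DN list, and a grid-mapfile entry of the form `"DN" .vo` says "lease an account from that VO's pool", with the pulled list deciding whether the lease may be created. The following Python is an added illustration of that mapping, not GridSite or EU DataGrid code: the DN lists, the grid-mapfile and the account pools are constructed inline (a real site would fetch the lists over LDAP(S) or HTTPS), and the lease logic is a deliberately simple model that also shows what a re-pull should do when a DN has left the VO.

```python
"""Pull-model VO lists plus pool-account mapping (added illustration).

Not GridSite or EU DataGrid code: the pulled DN lists, the grid-mapfile
and the pools are constructed sample data, and the lease rules are a
simplified model of how pool accounts behave.
"""
import re
from dataclasses import dataclass, field

# Constructed DNs used throughout the example.
ALICE = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example"
BOB = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob example"
CAROL = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=carol example"
DAVE = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=dave example"

# Constructed stand-in for the lists a site pulls from each VO server.
PULLED_VO_LISTS = {"dteam": {ALICE, BOB}, "atlas": {CAROL}}

# Constructed grid-mapfile: a quoted DN followed by either a fixed local
# account or a ".vo" token meaning "lease an account from that VO's pool".
# Dave is listed here but is NOT in the pulled dteam list.
GRID_MAPFILE = f'''
"{ALICE}" .dteam
"{BOB}" .dteam
"{CAROL}" .atlas
"{DAVE}" .dteam
'''

MAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<target>\S+)$')


def parse_gridmap(text: str) -> dict:
    """Parse grid-mapfile text into {dn: target}; rejects malformed lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_LINE.match(line)
        if m is None:
            raise ValueError(f"bad grid-mapfile line: {line!r}")
        mapping[m["dn"]] = m["target"]
    return mapping


@dataclass
class PoolMapper:
    gridmap: dict            # dn -> fixed account or ".vo"
    vo_members: dict         # vo -> set of DNs from the last pull
    pools: dict              # vo -> free account names, in allocation order
    leases: dict = field(default_factory=dict)   # dn -> leased account

    def map_dn(self, dn: str):
        """Local account for dn, or None if unauthorized or the pool is exhausted."""
        if dn in self.leases:            # an existing lease is sticky
            return self.leases[dn]
        target = self.gridmap.get(dn)
        if target is None:
            return None
        if not target.startswith("."):
            return target                # classic fixed mapping
        vo = target[1:]
        # The pulled membership list, not the grid-mapfile alone, decides
        # whether a pool mapping may be created.
        if dn not in self.vo_members.get(vo, ()):
            return None
        free = self.pools.get(vo, [])
        if not free:
            return None                  # pool exhausted: refuse, never share
        account = free.pop(0)
        self.leases[dn] = account
        return account

    def refresh_vo_list(self, vo: str, members) -> list:
        """Install a freshly pulled list; revoke leases of DNs that left the VO."""
        self.vo_members[vo] = set(members)
        revoked = []
        for dn, account in list(self.leases.items()):
            if self.gridmap.get(dn) == "." + vo and dn not in self.vo_members[vo]:
                del self.leases[dn]
                # A real site would clean the account's files before reuse.
                self.pools.setdefault(vo, []).append(account)
                revoked.append(dn)
        return revoked


def make_mapper() -> PoolMapper:
    """Build a mapper from the constructed sample data above."""
    return PoolMapper(
        gridmap=parse_gridmap(GRID_MAPFILE),
        vo_members={vo: set(dns) for vo, dns in PULLED_VO_LISTS.items()},
        pools={"dteam": ["dteam001", "dteam002"], "atlas": ["atlas001"]},
    )


if __name__ == "__main__":
    mapper = make_mapper()
    for dn in (ALICE, ALICE, BOB, DAVE, CAROL):
        print(dn.rsplit("=", 1)[1], "->", mapper.map_dn(dn))
    print("revoked after re-pull:", mapper.refresh_vo_list("dteam", {BOB, DAVE}))
    print("dave ->", mapper.map_dn(DAVE))
```

The point worth noticing is the interaction between the two halves: the grid-mapfile only says which pool a DN may draw from, while the pulled list is the actual authorization, so a DN that is in the mapfile but absent from the list gets no account, and a later pull that drops a DN must also tear down its lease rather than leave it mapped until the next restart.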
VO by push
● LCG and EGEE are now deploying VOMS
  – Users are given short-lived X.509 Attribute Certificates which prove their VO and group membership
● Users then present these ACs to services, currently in the form of extensions to GSI Proxy certificates
● Advantages: no need for sites to pull all VO lists; users can choose which group/role to use.
● Disadvantages: clients need to be aware of VOMS; need to add X.509 AC support to services' SSL/TLS.
Access Policies
● “DN Lists” (eg grid-mapfile) are simplest access policies
● LCG/EGEE also uses references to VOMS groups, and XML policy files: both GridSite's GACL and XACML
● GridSite GACL/XACML policy files support:
  – multiple credential types: individual DN, DN List, VOMS AC and DNS domain
  – AND + OR of conditions
  – Read, List, Write, Exec, Admin permissions
● Allows “virtualisation” of access: not just tied to a (pool) unix account, and easy to dynamically manage
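To make the policy slide concrete, here is an added Python evaluator for a GACL-style policy file; it is not libgridsite's evaluator. The element names (person/dn, dn-list/url, voms/fqan, dns, any-user, and allow/deny blocks holding read/list/write/exec/admin) follow GACL's XML format as I understand it, the policy, DN list URL and identities are constructed, and the evaluation rules are a simplification: credentials inside one entry are ANDed, entries are ORed, and a deny in any matching entry overrides an allow.

```python
"""GACL-style access policy evaluation (added illustration).

Not libgridsite code: element names follow GACL's format as understood
here, the sample policy and DN list are constructed, and the AND/OR/deny
rules are a simplified model of the real evaluator.
"""
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PERMISSIONS = ("read", "list", "write", "exec", "admin")

# Constructed identities and a hypothetical DN-list URL.
ALICE_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example"
BOB_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob example"
DTEAM_LIST_URL = "https://vo.example.org/dteam/members.list"

# Constructed stand-in for the site's local copy of a pulled DN list.
SAMPLE_DN_LISTS = {DTEAM_LIST_URL: {ALICE_DN}}

# Constructed policy: entries are ORed; credentials within one entry are ANDed.
SAMPLE_POLICY = f"""
<gacl>
  <entry>
    <person><dn>{ALICE_DN}</dn></person>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/dteam/Role=admin</fqan></voms>
    <dns>*.hep.manchester.ac.uk</dns>
    <allow><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>{DTEAM_LIST_URL}</url></dn-list>
    <allow><read/><list/></allow>
    <deny><write/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>
"""


@dataclass(frozen=True)
class Credentials:
    dn: str = ""                       # "" means no client certificate
    fqans: frozenset = frozenset()     # from VOMS attribute certificates
    hostname: str = ""                 # reverse-resolved client host


def _matches(cond, creds: Credentials, dn_lists: dict) -> bool:
    """Does one credential element match the presented credentials?"""
    if cond.tag == "any-user":
        return True
    if cond.tag == "person":
        return bool(creds.dn) and creds.dn == (cond.findtext("dn") or "").strip()
    if cond.tag == "dn-list":
        url = (cond.findtext("url") or "").strip()
        return bool(creds.dn) and creds.dn in dn_lists.get(url, ())
    if cond.tag == "voms":
        return (cond.findtext("fqan") or "").strip() in creds.fqans
    if cond.tag == "dns":
        return fnmatch.fnmatchcase(creds.hostname, (cond.text or "").strip())
    raise ValueError(f"unknown credential element <{cond.tag}>")


def evaluate(policy_xml: str, creds: Credentials, dn_lists=None) -> set:
    """Return the permissions granted; a deny in any matching entry wins."""
    dn_lists = dn_lists or {}
    root = ET.fromstring(policy_xml.strip())
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        conds = [c for c in entry if c.tag not in ("allow", "deny")]
        # An entry with no credential matches nobody (fail closed).
        if not conds or not all(_matches(c, creds, dn_lists) for c in conds):
            continue
        for block, target in (("allow", allowed), ("deny", denied)):
            for perm in (p for b in entry.findall(block) for p in b):
                if perm.tag not in PERMISSIONS:
                    raise ValueError(f"unknown permission <{perm.tag}>")
                target.add(perm.tag)
    return allowed - denied


if __name__ == "__main__":
    admin = Credentials(dn=BOB_DN, fqans=frozenset({"/dteam/Role=admin"}),
                        hostname="ui.hep.manchester.ac.uk")
    print("alice:", sorted(evaluate(SAMPLE_POLICY, Credentials(dn=ALICE_DN), SAMPLE_DN_LISTS)))
    print("admin on site:", sorted(evaluate(SAMPLE_POLICY, admin, SAMPLE_DN_LISTS)))
    print("anonymous:", sorted(evaluate(SAMPLE_POLICY, Credentials(), SAMPLE_DN_LISTS)))
```

Two behaviours are worth checking against the sample: Alice's personal entry allows write, but because she also appears in the DN list whose entry denies write, she ends up with read and list only; and the admin entry grants nothing unless both the VOMS role and the DNS pattern match, which is the AND-of-conditions the slide mentions.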
GridSite components
● libgridsite C/C++ toolkit provides utility functions
  – based on OpenSSL, libxml2, gSOAP
  – parse GSI Proxies and VOMS X.509 attribute certs
  – evaluate GACL and XACML access policies
  – generate new GSI Proxies
● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XACML policies and Onetime Passcodes to Apache
● htcp, htls, htdelegate, ... provide command line tools
Module architecture
[Figure: module architecture diagram; the diagram text did not survive extraction]
Web Service support
● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the GridSite / EGEE Delegation portType
  – Java implementation by other members of EGEE
● mod_gridsite + delegation CGI used by EGEE WMS
  – Apache/FastCGI; GridSite (security); gSOAP (WS)
● Delegated credentials stored in the filesystem
  – Allows sharing between different CGI languages
suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  – Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS
  – Either per-client: the cert in the client program determines which pool user
  – Or per-directory: all the CGIs in my directory run as the same pool user
suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  – Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  – X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” service hosting
  – Give a user or VO access to a privileged directory
  – They deploy their C/C++/Perl/Python services remotely
GRACE
● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
● This provides another way of deploying Web Services
  – “GRACE”: GRidsite - Apache - CGI - Executables
  – Allows services to be written in any language
  – Can be deployed remotely
  – Deployment rights controlled by GACL/XACML policies
  – Different VOs/individuals are sandboxed via Unix UIDs
Deployment Issues
● Panel question: “How can we deploy a Grid security infrastructure that is scalable, hierarchical, capable of dynamic VOs and easy to use?”
● I think that practical Grid infrastructures will follow most of the established patterns of practical Web infrastructures
  – Many lessons already learnt on the Web
  – Also, users/admins are already familiar with the Web
● Key lesson is to be as loosely-coupled as possible
  – Use clearly defined interfaces and avoid reinvention
Software Issues
● Most significant security issue for existing internet services is patching vulnerabilities
  – “Keeping up to date” has resulted in automated update services for major operating systems
  – The more you deviate from off-the-shelf software, the more of this you have to do yourself for your users
● So want to reuse Apache, OpenSSL etc as much as possible, ideally without making own versions, to benefit from OS updates
Authentication
● This is largely dealt with by the CAs, and the international CA co-ordination bodies (EUGridPMA and now the IGTF)
● However, users are very aware of authentication (“I forgot my password!” etc) and so it has a large impact on ease of use of the whole system
● Can already use X.509 certs in browsers as simple single sign-on to HTTPS websites (GridSite, GridSiteWiki etc)
● But X.509 handling is itself cumbersome for some users
  – May need to go to online CAs, merging CAs and university Shibboleth infrastructures etc
Authorization
● Creation of VOs, subgroups, roles etc
  – assigning users to these groups/roles
  – binding credentials to resources, dataset rights etc
● Scalability drives design decisions
  – Can't keep asking VO if a local operation is permitted
● Pull and Push models already cover most use cases
  – Dynamic VOs are a natural extension of current systems
  – Static CA infrastructure means trust can be described by dynamic policies in terms of certificate identities
Local enforcement
● Can easily be the Cinderella of a grid security architecture
  – easy to implement shiny new authorization systems in purely Grid software that your project is creating
  – but what about file access, SQL database queries, execution of native binaries?
● Either use virtual machines (Java etc)
● Or map grid identity to local identity (Unix pool account, MySQL user etc) and then grant it rights derived from grid policies
● Getting this right has significant performance advantages
More information
● www.gridsite.org is the GridSite project website
  – Open Source, bug tracker, CVS, links to LCG/EGEE
● Includes the new GridSiteWiki
  – Derived from MediaWiki but uses X.509 instead of usernames / passwords
● www.gridpp.ac.uk is the largest site using GridSite
  – and includes its own Wiki, which is pulling in info
● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE, ... by searching for GridSite with Google!
Summary
● LCG/EGEE have deployed multiple VOs to 160+ sites using Pull, and are moving to Push via VOMS
● Pool accounts allow a simple way of using Unix accounts
● Access policies tie VOs & Authorization to resources
● GridSite provides libgridsite Grid security toolkit for C/C++
● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
● We can now build secured Web Services for Grids as CGI programs