Number of slides: 15

LCG/GDB Security Update (Report from the Joint LCG/EGEE Security Group)
NIKHEF, 13 October 2004
David Kelsey, CCLRC/RAL, UK, d.p.[email protected] ac.uk
13-Oct-04, D. P. Kelsey, LCG-GDB-Security

Overview
• Joint (LCG/EGEE) Security Group meetings, http://agenda.cern.ch/displayLevel.php?fid=68
  – 18 Aug, 7 Sep, 6 Oct 2004
  – Next meetings: 2 Nov 2004
  – and 25 Nov 2004 (EGEE workshop, The Hague)
• Name and Membership of Group
• Security concerns from ATLAS Data Management
• User Registration Task Force
• Operational Security
• User Rules/AUP
• Site and VO registration procedures

Name & Membership
• Was "Joint Security Group"
  – Joint in the sense of LCG & EGEE (& OSG members)
• Some in EGEE found this confusing
  – JRA3 (Ake Edlund) is the main activity
• Renamed to
  – Joint Security Policy Group (JSPG)
• Responsible for Policy and Procedures
• Reports to LCG GDB
• EGEE ROC Managers also need to agree policy
• New members
  – Miguel Cárdenas (Spain)
  – Bio-medical person (soon)

Security Activities in EGEE
[Diagram. Boxes: CA Coordination; JRA3 (Solutions/Recommendations); NA4, JRA1 and SA1 (requirements); Middleware Security Group; Joint Security Policy Group. Caption: the "Joint Security Policy Group" defines policy and procedures for LCG/GDB and EGEE/SA1 (cross membership of OSG).]

Security concerns: ATLAS data management
• Miguel Branco, CHEP talk (see JSPG agenda, 4 Oct)
• Very interesting and honest! (useful for input to JRA3 etc.)
• Users don't like certificates (and are confused)
• Using user certificate for services (clients)
• Lots of clashes between 3 different ATLAS VOs: LCG, Grid3, NorduGrid
• MyProxy credential renewal (single point of failure)
• No security on LCG replica catalogue
• Using atlassgm (s/w mgr) to run production jobs
• We need VOMS, and LCAS/LCMAPS!
• Experiments need help to develop secure applications
• Security of DB resident data

User Registration and VO Membership Management
• Requirements document (V2.7)
  – https://edms.cern.ch/document/428034
  – approved by GDB in May 2004
• Task force created to propose the solution
• TF Membership
  – Maria Dimou (LCG Registrar, DTeam VO manager)
  – Joni Hahkala (VOMS Admin development leader)
  – Tanya Levshina (VOX leader)
  – Ian Neilson (LCG Security Officer)
  – Task Force leader: DPK
• Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, …
• Recent meeting at CERN on 15-17 September 2004
• http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/

The Registration and VO Data/Databases
• ORGDB
  – As maintained by CERN HR/User Office/Experiment Secretariats
  – User fields required here: Family Name, Given Name, Institute Name, Phone Number, e-mail address
  – And contract, experiment participation end dates
  – No direct read access at all, except via link from AuthN/VODB
• Authentication part of VODB
  – Live link to record in ORGDB (via db key)
  – User's DN(s) from certificate and DN of signing CA
  – Registration and Expiry dates
  – Authorised read access possible (site admins)
• Authorisation part of VODB
  – Used by AuthZ technology (attribute authority)
  – Groups, Roles, attributes assigned by VO manager
  – Suspension status flag

Process (1)
• Every user (4 LHC expts) must register in ORGDB first
  – Already true for the majority
    • Advantages of using existing procedures
    • No duplication of effort or personal data
  – External users (e.g. people never coming to CERN) and short-term users (e.g. summer students)
    • Needs a simple, speedy and robust procedure
  – Non-VO people, e.g. testers/experiment-independent people
    • must register in ORGDB (e.g. via LCG/IT)
• Eventual aim is to use the experiment participation end-date in ORGDB to trigger immediate suspension from the VO

Process (2)
• VODB expiry date
  – Not exceeding 1 year from date of VO registration
  – Less if institute contract/ORGDB registration expires before then
  – Care to be taken with transition to avoid a large number of renewals at the same time
• Personal User Data will only reside in ORGDB
• There is no automatic membership of VODB. The user has to complete a form and the VO manager has to approve

Process (3)
• When the VODB expiry date is reached, the VO membership is immediately suspended
  – Advance warning will be sent to the user
• There will be other possible reasons for suspension
  – E.g. following security problems
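The data model of slide 7 and the expiry and suspension rules of slides 8 to 10 can be written down as a small executable model. The following Python is an added illustration, not code from the JSPG, from CERN, or from VOMRS/VOMS; the class and function names, the 30-day warning window, and all sample records are constructed assumptions. It keeps personal data in the ORGDB record only, links the VODB record to it by key, derives the VODB expiry as the earlier of one year after VO registration and the ORGDB end dates, suspends immediately at expiry or on the suspension flag, and refuses membership until a VO manager has approved the request.

```python
"""Model of the ORGDB / VODB split and the VO expiry rules (added example).

Assumed names: OrgdbRecord, VodbRecord, vodb_expiry, membership_status,
sync_from_orgdb, WARNING_DAYS. The slides do not fix a warning period;
30 days is a constructed value.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

WARNING_DAYS = 30  # assumed advance-warning window before expiry


@dataclass
class OrgdbRecord:
    """Maintained by CERN HR / User Office; the only place personal data lives."""
    key: str
    family_name: str
    given_name: str
    institute: str
    phone: str
    email: str
    contract_end: date
    experiment_end: date


@dataclass
class VodbRecord:
    """Authentication part (DNs, CA, dates) plus authorisation part (groups, roles, flag)."""
    orgdb_key: str                # live link to ORGDB via db key, no personal fields copied
    user_dns: list[str]           # DN(s) from the user's certificate(s)
    ca_dn: str                    # DN of the signing CA
    registered: date
    expiry: date
    approved: bool = False        # VO manager must approve; no automatic membership
    groups: list[str] = field(default_factory=list)
    roles: list[str] = field(default_factory=list)
    suspended: bool = False       # set e.g. after a security problem


def one_year_after(d: date) -> date:
    """Same calendar date next year; 29 Feb rolls back to 28 Feb."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def vodb_expiry(registered: date, org: OrgdbRecord) -> date:
    """Not exceeding 1 year from VO registration; less if an ORGDB end date is earlier."""
    return min(one_year_after(registered), org.contract_end, org.experiment_end)


def register(org: OrgdbRecord, dns: list[str], ca_dn: str, registered: date) -> VodbRecord:
    """Create the VODB entry for a user who already exists in ORGDB (unapproved)."""
    return VodbRecord(org.key, list(dns), ca_dn, registered, vodb_expiry(registered, org))


def sync_from_orgdb(rec: VodbRecord, org: OrgdbRecord) -> VodbRecord:
    """Eventual aim: an earlier ORGDB end date pulls the VODB expiry in with it."""
    rec.expiry = min(rec.expiry, org.contract_end, org.experiment_end)
    return rec


def membership_status(rec: VodbRecord, today: date) -> str:
    """Return 'unapproved', 'suspended', 'expiring' (warning due) or 'active'."""
    if not rec.approved:
        return "unapproved"
    if rec.suspended or today >= rec.expiry:   # suspension is immediate at expiry
        return "suspended"
    if today + timedelta(days=WARNING_DAYS) >= rec.expiry:
        return "expiring"                       # advance warning should go out now
    return "active"


def site_admin_view(rec: VodbRecord) -> dict:
    """What a site admin may read: the authentication part, never ORGDB fields."""
    return {"dns": list(rec.user_dns), "ca": rec.ca_dn,
            "registered": rec.registered, "expiry": rec.expiry}


# Constructed sample records (not real people or contracts).
SHORT_CONTRACT = OrgdbRecord("orgdb-0001", "Example", "Alice", "NIKHEF", "+31-000",
                             "alice@example.org",
                             contract_end=date(2006, 12, 31), experiment_end=date(2005, 3, 31))
LONG_CONTRACT = OrgdbRecord("orgdb-0002", "Example", "Bob", "RAL", "+44-000",
                            "bob@example.org",
                            contract_end=date(2007, 12, 31), experiment_end=date(2007, 12, 31))

if __name__ == "__main__":
    rec = register(SHORT_CONTRACT, ["/C=NL/O=Example/CN=Alice Example"], "/C=NL/O=Example CA",
                   date(2004, 10, 13))
    rec.approved = True
    for d in (date(2004, 11, 1), date(2005, 3, 15), date(2005, 3, 31)):
        print(d, membership_status(rec, d))
```

The expiry rule is the interesting part: a user with a short experiment participation gets a VODB expiry at that end date, while a user with a long contract gets exactly one year from VO registration, and `sync_from_orgdb` lets a later change in ORGDB shorten an existing membership so that suspension follows the ORGDB end date rather than the original one-year term.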

Technical Solution agreed
• 15-17 Sep meeting decisions:
• The Authentication part of VODB (reg database)
  – Will be US CMS VOX, VOMRS component
    • Subject to FNAL agreement
  – VOMRS needs development to meet new requirements
• CERN is working on VOMRS interconnection to the Oracle DB (ORGDB)
• Non-LHC VOs may use the VOMS admin component
• Time to implement not yet fixed
  – Aim for early next year

Operational Security
• Incident Response: OSG document
  – A good document
  – We (LCG/EGEE) should base our incident response on this
  – JSPG to set policy, OSCT to define procedures
• EGEE OSCT: Operational Security Coordination Team
  – Presented to ROC Managers (by Ian Neilson)
    • ARM 2 Bologna, 5th October
  – Each ROC to nominate a person
  – Adds to the existing CSIRT procedures (does not replace)
  – Propose Incident Response procedures
  – And security service challenges

Acceptable Use Policy
• Current LCG User Rules
  – Very LCG specific (actually LCG-1 specific!)
  – Very much "draft" quality
    • Based on old EDG security policy
    • Has lots of site rules as well
• We need a new version!
• EU e-Infrastructure Reflection Group tackling AUP now
  – DPK to chair parallel session on this (18 Nov)
• New draft zero already exists (too early to discuss)
• Concentrating on defining Acceptable Use
  – What is allowed
  – What is not (e.g. personal use, for-profit use)
• Work with OSG, NRENs, National Grids
  – Acceptable to all (keep it short and simple)
  – We are already bound by the network AUPs
• To be accepted at registration in a VO
• May need a separate document on User Rules?

Site and VO registration
• Too many of both to handle informally
• Two documents being written
• Defines procedures to join LCG/EGEE infrastructure
• Forms (web) need to be filled
  – We need all the contact details
• Approval required
  – Site: ROC, VO: EGEE NA4
• After registration
  – Sites need write access to CVS
    • Today needs a CERN AFS account
    • CERN security not so happy (investigate alternatives)
  – Sites subsequently join testzone and then the BDII

Summary
• Not asking formal GDB approvals today
  – Hope to have various documents before Dec 2004 meeting
• But all feedback very welcome
• Important message
  – We need to deploy and use VOMS and LCAS/LCMAPS as soon as possible
    • We need to offer "roles"
    • Let's get a simple use-case working
  – Waiting for gLite is too late