
LCG/GDB Security Update
(Report from the Joint LCG/EGEE Security Group)
NIKHEF, 13 October 2004
David Kelsey, CCLRC/RAL, UK
d.p.kelsey@rl.ac.uk
13-Oct-04 D. P. Kelsey, LCG-GDB-Security 1
Overview
• Joint (LCG/EGEE) Security Group meetings
  http://agenda.cern.ch/displayLevel.php?fid=68
  – 18 Aug, 7 Sep, 6 Oct 2004
  – Next meetings: 2 Nov 2004
  – and 25 Nov 2004 (EGEE workshop, The Hague)
• Name and Membership of Group
• Security concerns from ATLAS Data Management
• User Registration Task Force
• Operational Security
• User Rules/AUP
• Site and VO registration procedures
Name & Membership
• Was “Joint Security Group”
  – Joint in the sense of LCG & EGEE (& OSG members)
• Some in EGEE found this confusing
  – JRA3 (Ake Edlund) is the main activity
• Renamed to
  – Joint Security Policy Group (JSPG)
• Responsible for Policy and Procedures
• Reports to LCG GDB
• EGEE ROC Managers also need to agree policy
• New members
  – Miguel Cárdenas (Spain)
  – Bio-medical person (soon)
Security Activities in EGEE
[Diagram: CA Coordination, JRA3 (Solutions/Recommendations), Middleware Security Group and Joint Security Policy Group, with requirements (Req.) coming from NA4, JRA1 and SA1; cross membership of OSG]
• “Joint Security Policy Group” defines policy and procedures for LCG/GDB and EGEE/SA1
Security concerns: ATLAS data management
• Miguel Branco, CHEP talk (see JSPG agenda, 4 Oct)
• Very interesting and honest! (useful for input to JRA3 etc.)
• Users don’t like certificates (and are confused)
• Using user certificate for services (clients)
• Lots of clashes between 3 different ATLAS VOs
  – LCG, Grid3, NorduGrid
• MyProxy credential renewal (single point of failure)
• No security on LCG replica catalogue
• Using atlassgm (s/w mgr) to run production jobs
• We need VOMS, and LCAS/LCMAPS!
• Experiments need help to develop secure applications
• Security of DB resident data
User Registration and VO Membership Management
• Requirements document (V2.7)
  – https://edms.cern.ch/document/428034
  – approved by GDB in May 2004
• Task force created to propose the solution
• TF Membership
  – Maria Dimou (LCG Registrar, DTeam VO manager)
  – Joni Hahkala (VOMS Admin development leader)
  – Tanya Levshina (VOX leader)
  – Ian Neilson (LCG Security Officer)
  – Task Force leader: DPK
• Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, …
• Recent meeting at CERN on 15-17 September 2004
  http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/
The Registration and VO Data/Databases
• ORGDB
  – As maintained by CERN HR/User Office/Experiment Secretariats
  – User fields required here: Family Name, Given Name, Institute Name, Phone Number, e-mail address
  – And contract, experiment participation end dates
  – No direct read access at all, except via link from AuthN/VODB
• Authentication part of VODB
  – Live link to record in ORGDB (via db key)
  – User’s DN(s) from certificate and DN of signing CA
  – Registration and Expiry dates
  – Authorised read access possible (site admins)
• Authorisation part of VODB
  – Used by AuthZ technology (attribute authority)
  – Groups, Roles, attributes assigned by VO manager
  – Suspension status flag
Process (1)
• Every user (4 LHC expts) must register in ORGDB first
  – Already true for the majority
  – Advantages of using existing procedures
  – No duplication of effort or personal data
• External users (e.g. people never coming to CERN) and short-term users (e.g. summer students)
  – Needs a simple, speedy and robust procedure
• Non-VO people, e.g. testers/experiment-independent people
  – must register in ORGDB (e.g. via LCG/IT)
• Eventual aim is to use the experiment participation end-date in ORGDB to trigger immediate suspension from the VO
Process (2)
• VODB expiry date
  – Not exceeding 1 year from date of VO registration
  – Less if institute contract/ORGDB registration expires before then
  – Care to be taken with the transition to avoid a large number of renewals at the same time
• Personal User Data will only reside in ORGDB
• There is no automatic membership of VODB. The user has to complete a form and the VO manager has to approve
Process (3)
• When the VODB expiry date is reached, the VO membership is immediately suspended
  – Advance warning will be sent to the user
• There will be other possible reasons for suspension
  – E.g. following security problems
Technical Solution agreed
• 15-17 Sep meeting decisions:
• The Authentication part of VODB (reg database)
  – Will be US CMS VOX - VOMRS component
    • Subject to FNAL agreement
  – VOMRS needs development to meet new requirements
• CERN is working on VOMRS interconnection to the Oracle DB (ORGDB)
• Non-LHC VOs may use the VOMS admin component
• Time to implement not yet fixed
  – Aim for early next year
Operational Security
• Incident Response – OSG document
  – A good document
  – We (LCG/EGEE) should base our incident response on this
  – JSPG to set policy, OSCT to define procedures
• EGEE OSCT – Operational Security Coordination Team
  – Presented to ROC Managers (by Ian Neilson)
    • ARM 2, Bologna, 5th October
  – Each ROC to nominate a person
  – Adds to the existing CSIRT procedures (does not replace)
  – Propose Incident Response procedures
  – And security service challenges
Acceptable Use Policy
• Current LCG User Rules
  – Very LCG specific (actually LCG-1 specific!)
  – Very much “draft” quality
    • Based on old EDG security policy
    • Has lots of site rules as well
• We need a new version!
• EU e-Infrastructure Reflection Group tackling AUP now
  – DPK to chair parallel session on this (18 Nov)
• New draft zero already exists (too early to discuss)
• Concentrating on defining Acceptable Use
  – What is allowed
  – What is not (e.g. personal use, for-profit use)
• Work with OSG, NRENs, National Grids
  – Acceptable to all (keep it short and simple)
  – We are already bound by the network AUPs
• To be accepted at registration in a VO
• May need a separate document on User Rules?
Site and VO registration
• Too many of both to handle informally
• Two documents being written
  – Define procedures to join the LCG/EGEE infrastructure
• Forms (web) need to be filled
  – We need all the contact details
• Approval required
  – Site: ROC, VO: EGEE NA4
• After registration
  – Sites need write access to CVS
    • Today needs a CERN AFS account
    • CERN security not so happy (investigate alternatives)
  – Sites subsequently join testzone and then the BDII
Summary
• Not asking for formal GDB approvals today
  – Hope to have various documents before the Dec 2004 meeting
• But all feedback very welcome
• Important message
  – We need to deploy and use VOMS and LCAS/LCMAPS as soon as possible
    • We need to offer “roles”
    • Let’s get a simple use-case working
  – Waiting for gLite is too late