
Number of slides: 18
Security in DataGrid
12 Mar 2002, TERENA GRID-AN BoF
David Groep, NIKHEF, Amsterdam
based on a presentation by David Kelsey, CLRC/RAL, UK
2002-03-13 Security in DataGrid 1
The EU DataGrid
• DataGrid: generic Grid middleware and test bed for
  – High Energy Physics
  – Earth Observation and ozone modelling
  – Bio-informatics & bio-medicine
• Middleware components (on top of Globus):
  – scheduling and accounting
  – data replication and management
  – monitoring
  – data storage
  – fabric and farm management
Security in DataGrid
• No allocated effort, so groups distributed over WPs:
  – CA Coordination (Test bed WP6): started before the project (end 2000), well established
  – Ad-hoc Authorization (Test bed WP6): interim solutions for distributing collaboration user lists and “virtual organization directories”
  – Security Coordination (“Networking” WP7): requirements gathering and design of a first “security architecture”; definition of security guidelines for middleware development
Start with … Authentication
WP6 CACG
• 11 DataGrid Testbed 1 CAs
  – See WP6 web
  – Much effort to run these – growing number of cert requests
  – Several moving to OpenCA
• US DOE ScienceGrid CA
  – Operational since January 2002
  – Approved as a DataGrid “trusted” CA (& vice-versa!)
  – First test of transatlantic authentication last month
• Karlsruhe CA (CrossGrid and HEP Germany)
  – To be incorporated later
• Seems to attract Grid CA issues that should have gone to GGF!
Authentication (2)
• One of the EDG CAs (CNRS) acts as a “catch-all” CA
  – CP/CPS will get explicit statements about RAs
• Matrix of Trust (work ongoing) – much work!
  – Feature matrix
  – Acceptance matrix (WP6 CA managers check each other against minimum requirements)
BUT:
• Still another 7 CrossGrid countries with no CA
• And many other LHC countries
• Scaling problems!
  – Automate the feature checking
  – Continue to work with GGF in the GridCP group
Authentication (3)
DataGrid CA Features matrix (table)
CA Acceptance Matrix
• Detailed reports per CA
• Guidelines for “national” site admins
• To be done:
  – versioning of CP/CPS
  – invalidation after CP/CPS updates
And now … Authorisation
GSI – Grid map file
• Resource authorization based on access lists
• Maps “Grid name” (cert subject DN) → local UID
• In effect after successful authentication

  triode:davidg:1002$ cat /etc/grid-security/grid-mapfile
  "/O=dutchgrid/O=users/O=nikhef/CN=David Groep" davidg
  "/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" martijn
  "/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten" kristaj
  "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov" vkorkhov
  "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
  "/C=IT/O=INFN/L=Torino/CN=Piergio Cerello/Email=Piergio.Cerello@to.infn.it" aliprod
mkgridmap and VOs
• Virtual Organizations (VOs) define user groups: “ATLAS”, “LHCb”, “OzoneModelling”, …
• Directory with user lists maintained by VO admin
• Resource owners extract list from “allowed” VOs
• Optional: AND with one other directory (AUP!)
• Periodically generated (once per day)
grid-mapfile generation (diagram)
Elements shown: a VO Directory (o=testbed, dc=eu-datagrid, dc=org / ou=Testbed 1, with entries such as CN=Franz Elmer) and an “Authorization Directory” (o=xyz, dc=eu-datagrid, dc=org / ou=People, with entries such as CN=Mario Rossi and CN=John Smith), each entry referring to an Authentication Certificate; mkgridmap combines these with the local users and a ban list to produce the grid-mapfile.
Entries in VO Directory
• VO membership list

  dn: cn=Roberto Barbera, ou=People, o=alice, dc=eu-datagrid, dc=org
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: pkiUser
  sn: Barbera
  cn: Roberto Barbera
  mail: roberto.barbera@ct.infn.it
  labeledURI: ldap://security.fi.infn.it/cn=Roberto%20Barbera,o=infn,c=it?userCertificate

• (Sub)groups

  dn: ou=tb1users, o=lhcb, dc=eu-datagrid, dc=org
  objectClass: domain
  objectClass: organizationalUnit
  objectClass: groupOfNames
  ...
  owner: cn=manager, o=lhcb, dc=eu-datagrid, dc=org

• VO administrators
• Sub-group administrators
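Worked example of the grid-mapfile mapping and the mkgridmap generation described on the preceding slides, added here and not part of the presentation or of the EDG mkgridmap tool: the VO member lists, AUP directory, ban list, allowed-VO policy and local entries are constructed assumptions, and members are given directly as certificate subject DNs (the DN mkgridmap would obtain by following each entry's labeledURI to its userCertificate).

```python
import re

# Constructed sample inputs (assumptions, not EDG data). Each VO lists the
# certificate subject DNs of its members.
VO_MEMBERS = {
    "alice": ["/O=dutchgrid/O=users/O=nikhef/CN=David Groep",
              "/C=IT/O=INFN/L=Torino/CN=Piergio Cerello/Email=Piergio.Cerello@to.infn.it"],
    "lhcb":  ["/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon",
              "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov",
              "/O=dutchgrid/O=users/O=nikhef/CN=Krista Joosten"],
}
# The "one other directory" to AND with: DNs that have signed the AUP.
AUP_SIGNED = {
    "/O=dutchgrid/O=users/O=nikhef/CN=David Groep",
    "/C=IT/O=INFN/L=Torino/CN=Piergio Cerello/Email=Piergio.Cerello@to.infn.it",
    "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon",
    "/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov",
}
BAN_LIST = {"/O=dutchgrid/O=users/O=uva/OU=wins/CN=Vladimir Korkhov"}
# Site policy: VOs admitted at this resource and the local account each maps to.
ALLOWED_VOS = {"alice": "aliprod", "lhcb": "lhcbprod"}
# Site-local entries take precedence over VO-derived ones.
LOCAL_USERS = {"/O=dutchgrid/O=users/O=nikhef/CN=David Groep": "davidg"}

GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def generate_gridmap(vo_members, allowed_vos, aup_signed, ban_list, local_users):
    """Build grid-mapfile text: local users first, then members of allowed
    VOs who signed the AUP and are not banned; the first mapping for a DN wins."""
    mapping = {dn: uid for dn, uid in local_users.items() if dn not in ban_list}
    for vo, account in allowed_vos.items():
        for dn in vo_members.get(vo, []):
            if dn in ban_list or dn not in aup_signed:
                continue
            mapping.setdefault(dn, account)
    return "".join(f'"{dn}" {uid}\n' for dn, uid in mapping.items())


def parse_gridmap(text):
    """Read grid-mapfile lines of the form "<subject DN>" <local uid>, as GSI
    does after authentication; blank and '#' lines are ignored."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2)
    return mapping
```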
Authorisation
WP6 Authorisation group (R. Cecchini – INFN)
• Future plans
  – Evaluation of CAS and PERMIS
  – Better VO Directory management
  – Support of replicas of VO Directories
  – Support for users’ attributes in the VO Directories:
    • e.g. the AUP signing information (with expiration date …)
Authorisation (2)
• Globus Community Authorisation Server (CAS)
  – Long awaited!
  – Hot news – alpha release by end of next week
• PERMIS (http://www.permis.org)
  – EU funded project – Univ of Salford (UK) – member of SecureGrid
  – Policy-based, role-based (XML) access control
GridMapDir (WP6 – McNab)
• Account sharing mechanism for local UIDs
• Modified version of GSI allows mapping to ‘account pools’ (à la DHCP)
• Nice when VO directories are large and not all users go to all sites
• Difficult to recycle accounts (files!)
• Successfully deployed in EDG TB1
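Added example of the DHCP-like account-pool lease this slide describes; it is not the WP6 GridMapDir code and assumes a simplified scheme in which each pool account is an empty file in a directory and a lease is a hard link, named after the URL-encoded DN, to that account's file. The pool names and DNs are constructed.

```python
import os
import tempfile
from urllib.parse import quote


class GridMapDir:
    """Assumed simplified scheme: one empty file per pool account; a lease is
    a hard link named after the URL-encoded DN. A free account has link
    count 1; a DN's account is the pool file that shares the link's inode."""

    def __init__(self, path, pool_accounts):
        self.path, self.pool = path, list(pool_accounts)
        for acct in self.pool:
            open(os.path.join(path, acct), "a").close()

    def _file(self, name):
        return os.path.join(self.path, name)

    def lookup(self, dn):
        """Pool account currently leased to dn, or None."""
        try:
            ino = os.stat(self._file(quote(dn, safe=""))).st_ino
        except FileNotFoundError:
            return None
        return next((a for a in self.pool if os.stat(self._file(a)).st_ino == ino), None)

    def lease(self, dn):
        """Reuse dn's lease, else take the first free account (None if exhausted)."""
        current = self.lookup(dn)
        if current is not None:
            return current
        dn_file = self._file(quote(dn, safe=""))
        for acct in self.pool:
            if os.stat(self._file(acct)).st_nlink != 1:
                continue
            os.link(self._file(acct), dn_file)
            if os.stat(self._file(acct)).st_nlink == 2:  # exactly one lease: ours
                return acct
            os.unlink(dn_file)  # lost a race with a concurrent lease; try the next account
        return None

    def release(self, dn):
        """Drop the lease only; files left under the UID stay, which is why recycling is hard."""
        try:
            os.unlink(self._file(quote(dn, safe="")))
        except FileNotFoundError:
            pass


def make_pool(accounts=("pool001", "pool002")):
    # Fresh GridMapDir in a temporary directory (constructed for the demo).
    return GridMapDir(tempfile.mkdtemp(), accounts)
```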
Authorisation issues
• We need more functionality
  – “Dynamic policy-based access control”
  – Users with more than one allowed role
  – Move away from Unix uid based security (and grid-mapfile)
  – Applicable to all Grid services (and callable from them)
• Users may belong to multiple VOs
  – Authorisation may need to be based on “joins”
• Global & local authorisation mechanisms
  – need to negotiate policy – Global/VO/Local
• We should aim for a limited number of compatible authorisation mechanisms
  – Job for Architecture group and WP7 Security
• OGSA?
Future plans
• The EU review encouraged us to do more on security
  – It is already happening!
• WP6 CA group – continue Acceptance matrix and work with GGF
• WP6 Authorisation group – test and evaluate CAS and PERMIS
• WP7 Sec D7.6 (M25) “Security Design and TB2 report”
• Work going on in all middleware WPs on security
• WP7 Sec & Architecture group need to
  – Coordinate activities
  – Check that mechanisms are “secure”