Presentation: WP4 Security and AA(A) issues for WP4


Number of slides: 13

Slide 1: WP4 Security and AA(A) issues
For WP4: David Groep, hep-proj-grid-fabric@cern.ch

Slide 2: WP4 self-organization (1)
- Configuration: what should a system look like, what is installed
- Systems Installation: bootstrapping and installing software packages on 10,000 nodes
- Resource Management: queuing system, task scheduling, quotas 'n budget
Footer on every slide: David Groep – WP4 security and AAA issues – 2001.06

Slide 3: WP4 self-organization (2)
- Monitoring: performance and functional monitoring
- Fault Tolerance & Exception Recovery: detect exceptions using monitoring information and schedule recovery actions, make self-healing nodes
- Gridification: job authorization, credential mapping, information abstraction and network accessibility

Slide 4: Internal and external AAA
- External AAA: interaction of a compute centre with the "global" grid, through WP1 (ComputeElement) and WP2 (StorageElement)
- Internal AAA:
  - recognizing trusted components and operators
  - authorization for jobs and files
  - access to information services
  - protecting jobs and files whilst in the fabric (uid issues)

Slide 5: A use case for job submission
- Accept a job from the ComputeElement (the Grid)
- Check authorization w.r.t. extra local policies
- Assign the necessary local credentials
- Have the job run on the local fabric

Slide 6: Gridification of a Compute Centre (diagram)
Externally visible: Grid Info Serv (WP3), GridGATE protocol gateway, ComputeElmt, GriFIS
Local to the fabric: Grid-Job Mediating Serv, Job Rep., Fabric-local ID-service, Farms, LRMS, Local Credential Mapping Serv, LCAS with AuthZ plugins (User Rep., QuotaCheck, Policy list)

Slide 7: Job life cycle in a fabric
- GjMS – Grid-job Mediating Service: accept jobs from the ComputeElement and shuffle them through the AAA chain
- LCAS – Local Community Authorization Service
  - Authorize a job or store request to run on this fabric
  - Based on the community-wide CAS (VOs), add extra constraints like budgets, ban lists, wall clock limitations
- LCMAPS – Local Credential Mapping Service
  - Obtain the 'usual' credentials for running (uid/gid)
  - Issues: additional credentials for AFS, K5, ...
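The job path of slides 5 and 7 (GjMS accepts, LCAS authorizes, LCMAPS maps, then the job runs) as an added worked example in Go. This is not code from the slides or from the WP4 project; it only follows the slide's list of local constraints (ban lists, budgets, wall clock limits) on top of the VO asserted by the community CAS. The VO names, DNs, budgets, accounts and uid/gid numbers are constructed for the example, the plugin order is this example's choice, and the "sticky" pool-account lease (a DN keeps the pool account it was first given) is one way to address the slide's "uid issues" for files a job leaves behind.

```go
package main

import "fmt"

// Job is what the GjMS receives from the ComputeElement: the submitter's grid
// identity, the VO asserted by the community-wide CAS, and what the job asks for.
type Job struct {
	DN, VO    string
	WallClock int // requested wall-clock seconds
}

// LocalCreds are the "usual" credentials LCMAPS hands back for running the job.
type LocalCreds struct {
	Account  string
	UID, GID int
}

// Fabric is the local policy state behind LCAS and LCMAPS; every name and
// number in NewExampleFabric is constructed for this example.
type Fabric struct {
	KnownVOs     map[string]bool         // VOs this site agreed to serve
	BanList      map[string]bool         // DNs refused whatever their VO says
	Budget       map[string]int          // remaining wall-clock seconds per VO
	MaxWallClock int                     // site-wide per-job limit
	GridMap      map[string]LocalCreds   // fixed DN -> local account mappings
	Pools        map[string][]LocalCreds // free pool accounts per VO
	Leases       map[string]LocalCreds   // DN -> pool account already handed out
}

// Authorize is the LCAS chain. Each entry is one plugin (ban list, user
// repository, local wall-clock policy, VO quota); the first that fires wins.
func (f *Fabric) Authorize(j Job) error {
	_, mapped := f.GridMap[j.DN]
	for _, p := range []struct {
		rejects bool
		reason  string
	}{
		{f.BanList[j.DN], "ban list"},
		{!mapped && !f.KnownVOs[j.VO], "user repository"},
		{j.WallClock <= 0 || j.WallClock > f.MaxWallClock, "wall-clock policy"},
		{f.Budget[j.VO] < j.WallClock, "VO quota"},
	} {
		if p.rejects {
			return fmt.Errorf("LCAS %s rejected %s (VO %q, %ds)", p.reason, j.DN, j.VO, j.WallClock)
		}
	}
	return nil
}

// MapCredentials is the LCMAPS step: a fixed grid-map entry wins; otherwise a
// pool account is leased for the VO, and the lease sticks to the DN so that
// files a job leaves behind stay owned by the same local identity.
func (f *Fabric) MapCredentials(j Job) (LocalCreds, error) {
	if c, ok := f.GridMap[j.DN]; ok {
		return c, nil
	}
	if c, ok := f.Leases[j.DN]; ok {
		return c, nil
	}
	if free := f.Pools[j.VO]; len(free) > 0 {
		f.Pools[j.VO], f.Leases[j.DN] = free[1:], free[0]
		return free[0], nil
	}
	return LocalCreds{}, fmt.Errorf("LCMAPS: no free pool account for VO %q", j.VO)
}

// Accept is the GjMS path: authorize, map, and only then debit the VO budget.
func (f *Fabric) Accept(j Job) (LocalCreds, error) {
	if err := f.Authorize(j); err != nil {
		return LocalCreds{}, err
	}
	c, err := f.MapCredentials(j)
	if err == nil {
		f.Budget[j.VO] -= j.WallClock
	}
	return c, err
}

// NewExampleFabric loads the constructed sample policy data.
func NewExampleFabric() *Fabric {
	return &Fabric{
		KnownVOs:     map[string]bool{"atlas": true, "cms": true},
		BanList:      map[string]bool{"/O=Grid/CN=Mallory": true},
		Budget:       map[string]int{"atlas": 7200, "cms": 600},
		MaxWallClock: 3600,
		GridMap:      map[string]LocalCreds{"/O=Grid/CN=Alice": {Account: "alice", UID: 1001, GID: 100}},
		Pools:        map[string][]LocalCreds{"atlas": {{Account: "atlas001", UID: 2001, GID: 200}, {Account: "atlas002", UID: 2002, GID: 200}}},
		Leases:       map[string]LocalCreds{},
	}
}

func main() {
	f := NewExampleFabric()
	fmt.Println(f.Accept(Job{DN: "/O=Grid/CN=Bob", VO: "atlas", WallClock: 1800}))
	fmt.Println(f.Accept(Job{DN: "/O=Grid/CN=Mallory", VO: "atlas", WallClock: 10}))
}
```

The budget is debited only after LCMAPS has succeeded, so a job that passes LCAS but finds no free pool account costs the VO nothing; a real LCMAPS would also have to release leases and handle the AFS and Kerberos 5 credentials the slide lists as open issues.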

Slide 8: Gridification of a Compute Centre (the slide 6 diagram shown again, same components)

Slide 9: FLIDS (Fabric-local ID service)
- Within a fabric only a local certifying entity will be sufficiently trusted:
  - signing authority for LCAS-accepted (job) requests
  - identify trusted operators for installation of new systems
  - identify and certify hosts within a fabric
- FLIDS is (a tree of) certification authorities
- Some of those are "automated" CAs: sign certificates when the request is signed by a trusted operator

Slide 10: Information and Configuration
- A configuration database exists containing the desired state of the local fabric
  - Contains sensitive information
  - Prevent unauthorized read access
  - Prevent snooping of information sent to other hosts
  - PM9 (and possibly beyond?): web server, XML over HTTPS
  - Write access limited to a special operator interface only

Slide 11: Another FLIDS application
- Adding a new host to a fabric
- Possibly in a 'hostile' environment
- We have a trusted operator with an install disk
- Need to get initial configuration information
- Which includes, e.g., an ssh host key
Next slide is for your reference only (don't be baffled by it)

Slide 12: Adding a new host with the CFG database and the FLIDS engine (diagram)
Components:
- CFG Configuration Database: LCA root cert, CFG data, ACLs; secured http server
- FLIDS engine: LCA cert and private key; automated CA, will sign when the request is approved by an 'operator'
- New host to be installed
- Operator install disk: kernel and init, CFG https agent, signed cert of operator, protected private key of operator, LCA root certificate
Steps:
1. Operator boots the system
2. Agent makes an https request using operator credentials
3. https server checks the CFG data ACL (operator has all rights); can verify the ID of the operator using the LCA root cert
4. Sensitive config data encrypted using the session key
5. Host generates a key pair (but without a passphrase protecting the private part)
6. Request sent to the FLIDS engine, signed by the operator key (in cleartext) (FLIDS hostname known from CFG data)
7. FLIDS checks the signature of the operator and signs the request with the LCA key; request DN namespace limited
8. Signed host cert back to the host (in clear)
9. Host checks the signature on the cert using the LCA root cert on the boot disk
10. https requests to CFG authenticated with the new signed host certificate
11. CFG web server can check the hostname in the cert against the requesting IP address and check ACLs
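Steps 5 to 9 of the diagram above, the "automated CA" of slide 9 signing only what a trusted operator approved, as an added example in Go. It is not code from the slides or from the WP4 project. To keep the protocol logic visible it uses a deliberately minimal certificate (name, role, Ed25519 public key, issuer signature) rather than X.509; the namespace ".fabric.example", the host name "node042.fabric.example", the role strings and the "install operator" name are all assumptions of this example. It reproduces the slide's step 5 as stated (the host key has no passphrase) and adds one check the diagram does not spell out: FLIDS itself fixes the role in the certificate it issues, so a freshly enrolled host can never pass as an operator and approve further hosts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Cert is a deliberately minimal certificate (a real FLIDS would issue X.509):
// a name, a role chosen by the issuer, the subject key and the issuer's signature.
type Cert struct {
	Name, Role string
	Pub        ed25519.PublicKey
	Sig        []byte
}
// EnrolRequest is what the host sends to the FLIDS engine in step 6, in the clear.
type EnrolRequest struct {
	Name   string
	Pub    ed25519.PublicKey
	OpCert Cert   // the approving operator's certificate
	OpSig  []byte // operator's signature over tbs("request", Name, "", Pub)
}

// tbs is the signed message; the kind tag keeps approvals and certificates apart.
func tbs(kind, name, role string, pub []byte) []byte {
	d := sha256.Sum256([]byte(kind + "\x00" + name + "\x00" + role + "\x00" + string(pub)))
	return d[:]
}
// verify wraps ed25519.Verify, which panics on a malformed key instead of failing.
func verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}
func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return k
}
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
func issue(issuer ed25519.PrivateKey, name, role string, p ed25519.PublicKey) Cert {
	return Cert{Name: name, Role: role, Pub: p, Sig: ed25519.Sign(issuer, tbs("cert", name, role, p))}
}

// Fabric: LCA key on the FLIDS engine; LCA public key, operator cert and key on the install disk.
type Fabric struct {
	LCAPub        ed25519.PublicKey
	lcaKey, OpKey ed25519.PrivateKey
	OpCert        Cert
	Namespace     string // assumed DN namespace FLIDS may sign for, e.g. ".fabric.example"
}

func NewFabric(namespace string) *Fabric {
	lca, op := newKey(), newKey()
	return &Fabric{LCAPub: pub(lca), lcaKey: lca, OpKey: op, Namespace: namespace,
		OpCert: issue(lca, "install operator", "operator", pub(op))}
}

// HostRequest is steps 5 and 6: the host generates a key pair (no passphrase) and
// the operator key on the install disk signs the request for it.
func HostRequest(f *Fabric, hostname string) (ed25519.PrivateKey, EnrolRequest) {
	k := newKey()
	r := EnrolRequest{Name: hostname, Pub: pub(k), OpCert: f.OpCert}
	r.OpSig = ed25519.Sign(f.OpKey, tbs("request", r.Name, "", r.Pub))
	return k, r
}

// FLIDSSign is step 7: sign only if the approver holds an LCA-issued operator
// certificate, really signed this request, and the name is inside the namespace.
func (f *Fabric) FLIDSSign(r EnrolRequest) (Cert, error) {
	op := r.OpCert
	switch {
	case op.Role != "operator" || !verify(f.LCAPub, tbs("cert", op.Name, op.Role, op.Pub), op.Sig):
		return Cert{}, fmt.Errorf("approver %q is not an operator certified by the LCA", op.Name)
	case !verify(op.Pub, tbs("request", r.Name, "", r.Pub), r.OpSig):
		return Cert{}, fmt.Errorf("operator %q did not approve this request", op.Name)
	case !strings.HasSuffix(r.Name, f.Namespace):
		return Cert{}, fmt.Errorf("name %q is outside namespace %q", r.Name, f.Namespace)
	}
	// The role is fixed by FLIDS, so an enrolled host can never approve other hosts.
	return issue(f.lcaKey, r.Name, "host", r.Pub), nil
}

// HostVerify is step 9: with only the LCA public key from the boot disk, check LCA signature, host role and own key.
func HostVerify(lcaPub ed25519.PublicKey, c Cert, k ed25519.PrivateKey) error {
	if c.Role != "host" || !c.Pub.Equal(pub(k)) || !verify(lcaPub, tbs("cert", c.Name, c.Role, c.Pub), c.Sig) {
		return fmt.Errorf("certificate for %q is not an LCA-signed host certificate for this key", c.Name)
	}
	return nil
}

func main() {
	f := NewFabric(".fabric.example")
	key, req := HostRequest(f, "node042.fabric.example")
	cert, err := f.FLIDSSign(req)
	fmt.Println(cert.Name, cert.Role, err, HostVerify(f.LCAPub, cert, key))
}
```

Everything in the request travels in the clear, as the diagram says; confidentiality is not needed because the only secrets are the operator key on the install disk and the LCA key on the FLIDS engine. What the clear-text exchange does need is exactly what FLIDSSign checks: who approved, whether the approval covers these bytes, and whether the name is one this CA is allowed to certify.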

Slide 13: Issues not (yet) addressed
- Information services
  - Use whatever security framework WP3 chooses
  - Will likely not publish a list of authorized users
- Networking issues
  - WP4 does not envision using network-layer security
  - IPv6 is being studied, but only for address space issues
  - GridGATE is not a VPN router and is not doing IPsec