grid authentication and authorisation issues
play

Grid Authentication and Authorisation Issues kos Frohner at CERN - PowerPoint PPT Presentation

May 27, 2023 •156 likes •384 views

Grid Authentication and Authorisation Issues kos Frohner at CERN Overview Setting the scene: requirements Old style authorisation: DN based gridmap-files Overview of the EDG components VO user management: VOMS

  1. Grid Authentication and Authorisation Issues Ákos Frohner at CERN

  2. Overview ● Setting the scene: requirements ● “Old style” authorisation: DN based gridmap-files ● Overview of the EDG components ● VO user management: VOMS ● “Login”: short lifetime proxy certificates ● Authorisation in Java web services ● Authorisation for a site: LCAS, LCMAPS CERN OpenLab Security Workshop - n° 2

  3. Requirements ● A grid security system requires: ● User to be authenticated by a service ● The service to gather additional information associated with the user or the actual session (e.g. group membership, role) ● The service to gather additional information associated with the protected service or object (e.g. file permissions) ● The checking of any local policy applicable to the situation ● The making of an authorization decision based on the identity of the user and the additional information ● The Users to access resources in a global Grid environment without the need for individual accounts at various sites, while allowing resource providers to keep control over access to their resources. ● EDG gathered 112 requirements: Authentication, Authorisation, Confidentiality, Integrity, and Non-repudiation CERN OpenLab Security Workshop - n° 3

  4. “Old-style” Service high frequency CA CA CA low frequency host cert (long life ) Backward compatibility service on the service side: one can generate gridmap- crl update files from the VO userlist for existing VO services based on GSI. VO Old-style services still use the mkgridmap gridmap-file for authorization VO ◆ gridftp gridmap-file ◆ EDG 1.4.x services VO ◆ EDG 2.x service in compatibility mode GSI CERN OpenLab Security Workshop - n° 4

  5. The Components ● GSI based or compatible authentication ● grid-mapfile or VOMS based authorization (can be both) ● policy or ACL based access control ● coarse and fine grained solutions ● access control description’s syntax is not standard ● implemented alternatives: ● edg-java-security for Java web services ● GSI/LCAS/LCMAPS for native C/C++ services ● mod_ssl/GACL for Apache based web services ● Slashgrid for transparent filesystem ACLs and GridSite CERN OpenLab Security Workshop - n° 5

  6. Overview of the Components CA proxy cert: request dn, cert, Pkey, VOMS cred. (short lifetime) certificate: dn, ca, Pkey certificate user VOMS re-newal delegation: request cert+key VOMS cred: MyProxy (long lifetime) VO, group(s), role(s) delegation: cert+key (short lifetime) proxy cert proxy cert proxy cert proxy cert proxy cert auth auth auth auth auth GSI TrustManager TrustManager mod_ssl GSI authz authz pre-process: pre-process: pre-process: parameters-> parameters-> parameters-> LCAS WebServices Authz obj.id + req. op. obj.id + req. op. obj.id + req. op. dn,attrs,acl, req.op dn,attrs,acl, req.op ->yes/no ->yes/no map map LCMAPS dn -> DB role authz authz authz dn -> userid, krb ticket obj.id -> acl GACL: GACL: dn,attrs,acl, req.op obj.id -> acl obj.id -> acl ->yes/no dn,attrs,acl, req.op dn,attrs,acl, req.op doit doit ->yes/no ->yes/no doit doit doit coarse grained coarse grained fine grained fine grained fine grained (e.g. gatekeeper) (e.g. RepMec) (e.g. GridSite) (e.g. SE, /grid) (e.g. Spitfire) web C Java CERN OpenLab Security Workshop - n° 6

  7. VOMS: Virtual Organization Management Service ● Issues credentials to prove group/role/VO membership ● standard RFC 3281 Attribute Certificate format ● single string attributes – FQAN ● Core service: standalone daemon for the “login” ● single purpose – high performance ● Administrative service: web service with API, command line and web user interface ● for administration and registration ● Migration tools for gridmap-files and VO-LDAP servers CERN OpenLab Security Workshop - n° 7

  8. “Login” high frequency CA The credential created low frequency in the “login” procedure is backward compatible: one can use it with the existing services, which user are based on GSI user cert (long life ) VO-VOMS voms-proxy-init proxy cert (short life) edg-voms-proxy-init -voms iteam authz cert ◆ /mp/x509_up<UID> (normal proxy location) (short life) ◆ backward compatible proxy format CERN OpenLab Security Workshop - n° 8

  9. Multi-VO “Login” high frequency CA voms-proxy-init -voms iteam -voms wp6 low frequency ◆ single proxy certificate is generated ◆ each VO provides a separate VOMS user credential first one is the default VO user cert (long life ) ◆ each VOMS credential contains VO-VOMS multiple group/role entries first one is the default group VO-VOMS voms-proxy-init VO-VOMS One can be member of proxy cert (short life) many VOs and use their VO-VOMS resources at the same authz cert (short life) time. The VO specific credentials are separate, but collected into the same proxy certificate. CERN OpenLab Security Workshop - n° 9

  10. VOMS FAQ ● No instant effect: the user has to “log-in”, using voms-proxy- init, to be notified of any VO change ● Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group-admin); no user groups ● Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner no to override it ● VOMS is not used to implement fine grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration) CERN OpenLab Security Workshop - n° 10

  11. VOMS Registration high frequency CA Tool support for the low frequency registration workflow(s) to ease the life of VO managers. user user cert (long life ) VO-VOMS registration web denied deny VO membership email address create allow request confirmation new confirmed accepted done (user) (user) (VO admin) email to the administrator: email to the requestor: new request notification email address confirmation email to the requestor: request is accepted/denied email CERN OpenLab Security Workshop - n° 11

  12. Multi-VO Registration high frequency CA Support for multi-VO low frequency registration and login using the same user certificate. user user cert (long life ) VO administration operations VO-VOMS registration ◆ create/delete (sub) VO-VOMS group/role/capability ◆ add/remove member of g/r/c VO-VOMS ◆ get/set ACLs for these operations VO registration tasks user requested administrative operation; e.g.: user registration = add member CERN OpenLab Security Workshop - n° 12

  13. Java Web Service high frequency low frequency host cert information system WS user 1. VO affiliation user cert VO credential on the 2. service URI(s) client side is used to for VOs in authz? select the VO specific service. VO credential on the proxy VO server side is used for authorization. authz 3. calling the service (URI) edg-java- security authentication & authorization info CERN OpenLab Security Workshop - n° 13

  14. edg-java-security ● Trust manager ● GSI compatible authentication (supporting proxy chain) ● Adapters to HTTP and SOAP ● Currently deployed for Tomcat4 ● VOMS credential verification ● Authorization Manager ● Authorization and mapping for Java services ● Plug-in framework for maps: database, XML file and for backward compatibility: gridmap-file ● Handles VOMS attributes CERN OpenLab Security Workshop - n° 14

  15. Inside the Java Web Service WS map.xml map-db gridmap-file VO proxy authn authz map service authz DN, attr., operation + DN->DB role TrustManager policy -> yes/no decision edg-java-security CERN OpenLab Security Workshop - n° 15

  16. Job Submission high frequency low frequency host cert information system CE user 1. VO affiliation ( AccessControlBase) user cert 4. CEs for VOs in authz? WMS VO credential is used by the resource 3. job submission broker to pre-select VO available CEs. proxy 2. cert upload authz MyProxy server CERN OpenLab Security Workshop - n° 16

  17. Arriving to a Computing Element VO credential for authorization and mapping on the CE. LCAS: authorization based on (multiple) VO/group/role attributes host cert MyProxy server LCMAPS: mapping to user pool and to (multiple) groups CE ◆ default VO = default UNIX group cert (long term) ◆ other VO/group/role = other UNIX group(s) 1. cert download proxy WMS VO authz 3. job start VOMS 2. voms-proxy-init authentication & LCAS/ authorization info LCMAPS CERN OpenLab Security Workshop - n° 17

  18. LCAS and LCMAPS ● Local Centre Authorization Service ( LCAS ) ● Handles authorization requests to local fabric ● authorization decisions based on proxy user certificate and job specification; ● supports grid-mapfile mechanism. ● Plug-in framework (hooks for external authorization plugins) ● allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db), GACL ● plugin for VOMS (to process authorization data) ● Local Credential Mapping Service ( LCMAPS ) ● provides local credentials needed for jobs in fabric ● mapping based on user identity, VO affiliation, local site policy ● plug-ins for local systems (Kerberos/AFS, LDAP nss) CERN OpenLab Security Workshop - n° 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala

Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala

Authentication, Authorisation and Accounting(AAA) Framework (RFC 2904) Vedavyas Duggirala (vyas@vt.edu) CS 6204, Spring 2005 1 Background Not a standard. Establishes requirements for Authentication, Authorization &amp; Accounting(AAA)

617 views • 19 slides
Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04 Contents The Grid @NIKHEF The project Grid components and interactions X.509 certificates, proxies and delegations

257 views • 13 slides
In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the

In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation ISGC 2011 David Groep David Groep Nikhef Amsterdam PDP &amp; Grid In Grid ... where many participants have no a-priori

309 views • 26 slides
Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System

Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System

Authentication, Authorisation and Accounting in a Distributed Multimedia Content Delivery System Miros aw Czyrnek (majrek@man.poznan.pl) Marcin Lubo ski (laser@man.poznan.pl) Cezary Mazurek (mazurek@man.poznan.pl) AGENDA AGENDA

447 views • 22 slides
SRA Authorisation Rules &amp; New Firm Authorisation - Guidance for new &amp; existing firms

SRA Authorisation Rules &amp; New Firm Authorisation - Guidance for new &amp; existing firms

SRA Authorisation Rules &amp; New Firm Authorisation - Guidance for new &amp; existing firms Presenters Rachel Lewis Director of Authorisation at the SRA Also responsible for the SRA Contact Centre &amp; Business Support Services Has

525 views • 30 slides
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti &lt;sergio.maffioletti@gc3.uzh.ch&gt; Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/ GridCertLib EGI

383 views • 26 slides
A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process with Smart Cards Roberto BARBERA (1)(2) , Vincenzo CIASCHINI (3) , Alberto FALZONE (4) , Giuseppe LA ROCCA (1)

456 views • 32 slides
Marketing Authorisation Issues for SMEs Veterinary SME Workshop &quot;Veterinary regulatory

Marketing Authorisation Issues for SMEs Veterinary SME Workshop &quot;Veterinary regulatory

Marketing Authorisation Issues for SMEs Veterinary SME Workshop &quot;Veterinary regulatory support for SMEs&quot; 07 November 2013 Anna-Maria Brady UK CVMP alternate An agency of the European Union Veterinary Medicines Directorate What is

375 views • 15 slides
Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process

Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process

1 st EMEA Workshop for Micro, Small and Medium- Sized Enterprises (SMEs) Navigating the Regulatory Maze Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process Dr Evdokia Korakianiti Scientific

474 views • 21 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to

The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to

The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to the Smart Grid Ken Van Meter Principal, Energy and Cyber Services Lockheed Martin The Smart Grid is, and must be, a national priority Security

333 views • 9 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz,

Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz,

Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz, Oregon State University Presented by Muslum Ozgur Ozmen Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security |

138 views • 10 slides
March 1, 2012 Living with the New GRId 2.0 and Maryland Law Issues In 2010, Institutional

March 1, 2012 Living with the New GRId 2.0 and Maryland Law Issues In 2010, Institutional

March 1, 2012 Living with the New GRId 2.0 and Maryland Law Issues In 2010, Institutional Shareholder Services Inc. ( ISS ) introduced Governance Risk Indicators ( GRId ), a scoring tool designed to assess levels of risk in a

149 views • 4 slides
ESIGN/UETA, Interplay With the UCC Navigating Issues of Enforceability, Authentication of

ESIGN/UETA, Interplay With the UCC Navigating Issues of Enforceability, Authentication of

Presenting a live 90-minute webinar with interactive Q&amp;A E-Signatures and Electronic Loan Documentation: Complying with ESIGN/UETA, Interplay With the UCC Navigating Issues of Enforceability, Authentication of E-Signatures and Admissibility

569 views • 36 slides
Knocking Down the Big Door Breaking Authentication and Segregation of Production and

Knocking Down the Big Door Breaking Authentication and Segregation of Production and

Knocking Down the Big Door Breaking Authentication and Segregation of Production and Non-Production Environments Nahuel Grisola Cinta Infinita, Founder / CEO @cintainfinita Buenos Aires, 27 de Abril 2018 nahuel@cintainfinita.com.ar

961 views • 83 slides
International Student Employment &amp; Degree Level Changes Topics to Cover &gt; Background on

International Student Employment &amp; Degree Level Changes Topics to Cover &gt; Background on

International Student Employment &amp; Degree Level Changes Topics to Cover &gt; Background on International Student Services (ISS) &gt; Newcomers Intro to International Student Employment Background on CPT &amp; OPT Recent OPT Changes

870 views • 54 slides
Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a

Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a

Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a University Department of Computing Science Stephen J. Hegner hegner@cs.umu.se http://www.cs.umu.se/~hegner Authorization, Security, and Privacy

537 views • 40 slides
Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT,

Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT,

Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT, Germany Steven Arzt | Fraunhofer SIT, Germany Stephan Huber | Fraunhofer SIT, Germany With the help of: Alexander Traud, Benedikt Hiemenz, Daniel

1.23k views • 95 slides
Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents https://cametoolbox.fnal.gov/Project/WADReports?ProjectName=HL-L... Work Authorization Documents Work Authorization Document Control Account Information Control Account Manager: 10629N Nobrega, Fred Control

56 views • 5 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/24/2017 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

533 views • 14 slides
INDIGO DataCloud INDIGO AAI An overview and status update RIA-653549 Andrea

INDIGO DataCloud INDIGO AAI An overview and status update RIA-653549 Andrea

INDIGO DataCloud INDIGO AAI An overview and status update RIA-653549 Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project approved

641 views • 53 slides
Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018

Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018

Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018 1 This training is presented to you by PPL in collaboration with the CHC Managed Care Organizations and the Office of Long Term Living The

682 views • 52 slides

More recommend