EDG Security

   European DataGrid Project
   Security Coordination Group
   http://cern.ch/hep-project-grid-scg
Overview

   How it works – EDG security through use cases
   VO Management Service
   Authentication and Authorization components

                                  2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 2
Registration

   Tool support for the registration workflow(s) to ease the life of VO
   managers.

   [Diagram: the user obtains a long-life user cert from the CA (low
   frequency) and registers with the VO-VOMS server (high frequency).]

   Registration workflow:
     1. VO membership request (user) – state "new"; email to the requestor:
        email address confirmation
     2. email address confirmation (user) – state "confirmed"; email to the
        administrator: new request notification
     3. allow/deny (VO admin, web) – state "accepted" or "denied"; email to
        the requestor: request is accepted/denied
     4. create – state "done"

Multi-VO registration

   Support for multi-VO registration and login using the same user
   certificate.

   [Diagram: one user cert (long life, from the CA) registered with several
   VO-VOMS servers.]

   VO administration operations:
     create/delete (sub)group/role/capability
     add/remove member of g/r/c
     get/set ACLs for these operations

   VO registration tasks: user requested administrative operation; e.g.
   user registration = add member

“Login”

   The credential created in the “login” procedure is backward compatible:
   one can use it with the existing services, which are based on GSI.

   [Diagram: voms-proxy-init uses the user cert (long life) to contact the
   VO-VOMS server and produces a proxy cert (short life) that carries an
   authz cert (short life).]

       edg-voms-proxy-init -voms iteam

   /tmp/x509_up<UID>          (normal proxy location)
   backward compatible proxy format

Multi-VO “Login”

       voms-proxy-init -voms iteam -voms wp6

   a single proxy certificate is generated
   each VO provides a separate VOMS credential; the first one is the
   default VO
   each VOMS credential contains multiple group/role entries; the first one
   is the default group

   One can be a member of many VOs and use their resources at the same
   time. The VO specific credentials are separate, but collected into the
   same proxy certificate.

   [Diagram: voms-proxy-init contacts several VO-VOMS servers with the same
   user cert (long life) and builds one proxy cert (short life) holding one
   authz cert (short life) per VO.]

Old-style Service

   Backward compatibility on the service side: one can generate
   gridmap-files from the VO userlist for existing services based on GSI.

   Old-style services still use the gridmap-file for authorization:
     EDG 1.4.x services
     EDG 2.x services in compatibility mode

   [Diagram: mkgridmap pulls the user lists from the VO-VOMS servers into
   the gridmap-file of a GSI service (e.g. gridftp) that holds a long-life
   host cert; the CAs' CRLs are refreshed separately (crl update).]

   no advantage, but everything works as before...

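The compatibility mode above, as an added example that is not the EDG mkgridmap tool: the per-VO user lists are flattened into a gridmap-file, which can only express "this DN maps to this account" and therefore loses all group/role information. The DNs, the account names and the ".vo" pool-account notation are constructed assumptions.

```python
# Added example, not the EDG mkgridmap tool: build a gridmap-file from the
# per-VO user lists so an old-style GSI service can keep authorising by DN.
# DNs and account names are constructed; ".vo" as a pool account is the
# convention assumed here.
GRIDMAP_LINE = '"{dn}" {account}'

def build_gridmap(vo_userlists, local_entries=()):
    """vo_userlists: {vo: [DN, ...]} as fetched from each VO-VOMS server;
    local_entries: [(DN, account)] that override the VO-derived mapping.
    Returns the gridmap-file as a list of lines, one DN per line."""
    mapping = {}
    for vo, dns in vo_userlists.items():
        for dn in dns:
            # a gridmap-file knows one account per DN, so a user in two VOs
            # keeps the first VO's pool; this is the "no advantage" of the
            # compatibility mode: group/role information cannot be expressed
            mapping.setdefault(dn, "." + vo)
    for dn, account in local_entries:
        mapping[dn] = account
    return [GRIDMAP_LINE.format(dn=dn, account=acct)
            for dn, acct in sorted(mapping.items())]

def parse_gridmap(lines):
    """Inverse of build_gridmap: {DN: account}; blank and '#' lines skipped."""
    out = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"') or '" ' not in line:
            raise ValueError(f"malformed gridmap line: {line!r}")
        dn, _, account = line[1:].partition('" ')
        out[dn] = account.strip()
    return out

# constructed sample user lists, as a VO-VOMS server would hand them out
VO_USERLISTS = {
    "iteam": ["/O=Grid/O=CERN/CN=Alice Example", "/O=Grid/O=CERN/CN=Bob Example"],
    "wp6":   ["/O=Grid/O=CERN/CN=Bob Example", "/O=Grid/O=INFN/CN=Carla Example"],
}

if __name__ == "__main__":
    print("\n".join(build_gridmap(VO_USERLISTS)))
```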
Replica Management

   VO credential on the client side is used to select the VO specific
   service. VO credential on the server side is used for authorization.

   [Diagram: user (user cert, proxy, authz) – information system – Replica
   Manager (RM, host cert) – VO; the authentication & authorization info is
   handled by edg-java-security.]

     1. VO affiliation (between the RM and the information system)
     2. service URI(s) for VOs in authz? (client query to the information
        system)
     3. calling the service (URI)

Job Submission

   VO credential is used by the resource broker to pre-select available
   CEs.

   [Diagram: user (user cert, proxy, authz) – information system – CE (host
   cert) – WMS – MyProxy server – VO.]

     1. VO affiliation (AccessControlBase) between the CE and the
        information system
     2. cert upload to the MyProxy server
     3. job submission to the WMS
     4. CEs for VOs in authz? (WMS query to the information system)

Running a Job

   VO credential for authorization and mapping on the CE.
     LCAS: authorization based on (multiple) VO/group/role attributes
     LCMAPS: mapping to user pool and to (multiple) groups
       default VO = default UNIX group
       other VO/group/role = other UNIX group(s)

   [Diagram: MyProxy server (long-term cert) – WMS – CE (host cert,
   LCAS/LCMAPS) – VO; the proxy/authz credentials from voms-proxy-init carry
   the authentication & authorization info.]

     1. cert download (from the MyProxy server)
     2. job start (on the CE, checked by LCAS/LCMAPS)

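As an added example (not VOMS or LCMAPS code) covering both the multi-VO login rules of the earlier slide (first VOMS credential = default VO, first entry in each = default group) and the LCMAPS mapping on this slide: the FQANs are parsed, the default VO's default FQAN becomes the primary UNIX group and every other recognised FQAN a secondary group. The VO names follow the slides; the FQANs, the site table and the UNIX group names are assumptions.

```python
# Added example, not VOMS/LCMAPS code: parse the FQANs of a multi-VO proxy
# and derive the UNIX groups the way the slides describe LCMAPS doing it.
# All sample data is constructed; UNIX group names are assumptions.
import re
FQAN_RE = re.compile(r"^/(?P<vo>[^/=]+)(?P<groups>(?:/[^/=]+)*)"
                     r"(?:/Role=(?P<role>[^/=]+))?(?:/Capability=(?P<cap>[^/=]+))?$")

def parse_fqan(text):
    """Split '/vo/sub/group/Role=r/Capability=c' into its parts."""
    m = FQAN_RE.match(text)
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    return {"vo": m["vo"], "group": "/" + m["vo"] + m["groups"],
            "role": m["role"], "capability": m["cap"]}

# Constructed stand-in for the ACs of a proxy from 'voms-proxy-init -voms
# iteam -voms wp6': one AC per VO in command-line order; first AC = default
# VO, first FQAN of each AC = that VO's default group.
PROXY_ACS = [
    ("iteam", ["/iteam", "/iteam/analysis/Role=production", "/iteam/Role=admin"]),
    ("wp6",   ["/wp6", "/wp6/testbed"]),
]

# Site-local table FQAN -> UNIX group (assumed names; a real LCMAPS site keeps
# this in its own configuration).  FQANs absent here are not honoured.
GROUP_TABLE = {
    "/iteam": "iteam",
    "/iteam/analysis/Role=production": "iteamprod",
    "/wp6": "wp6",
    "/wp6/testbed": "wp6test",
}

def map_to_unix_groups(acs, table):
    """Return (primary_group, secondary_groups): the default VO's default FQAN
    gives the primary UNIX group, every other mapped FQAN a secondary one."""
    primary, secondary = None, []
    for i, (vo, fqans) in enumerate(acs):
        for j, f in enumerate(fqans):
            if parse_fqan(f)["vo"] != vo:   # an AC may only speak for its own VO
                raise ValueError(f"FQAN {f} is not from VO {vo}")
            group = table.get(f)
            if group is None:
                continue                     # unknown attribute: ignored, never mapped
            if i == 0 and j == 0:
                primary = group
            elif group != primary and group not in secondary:
                secondary.append(group)
    if primary is None:
        raise ValueError("default VO/group not authorised at this site")
    return primary, secondary
```

Reversing the order of the ACs changes the primary group, which is exactly why the first -voms argument matters on the login slide.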
Virtual Organization Management Service

   Issues credentials to prove group/role/VO membership
     standard RFC 3281 Attribute Certificate format
     single string attributes – FQAN

   Core service: standalone daemon for the “login”
     single purpose – high performance

   Administrative service: web service with API, command line and web
   user interface
     for administration and registration

   Migration tools for gridmap-files and VO-LDAP servers

VOMS FAQ

   No instant effect: the user has to “log-in”, using voms-proxy-init, to
   be notified of any VO change

   Delegation: a user cannot delegate her/his groups to someone else
   (unless s/he is a group-admin); no user groups

   Indirect effect on the policy: VOMS may name groups/roles in order to
   implement a policy, but it is up to the services to enforce it and up
   to the resource owner not to override it

   VOMS is not used to implement fine grained ACLs: it does not store file
   names or job ids (although it has its own ACLs for group/role
   administration)

More Information

   European DataGrid Project Security Coordination Group
     http://cern.ch/hep-project-grid-scg

   LCAS/LCMAPS homepage
     http://www.dutchgrid.nl/DataGrid/wp4/lcas/

   Java Security
     http://cern.ch/grid-data-management/security/

   GridSite
     http://www.gridpp.ac.uk/gridsite/

   VOMS
     http://grid-auth.infn.it/
     http://cern.ch/edg-wp2/security/voms

   Akos.Frohner@cern.ch