EDG Security
European DataGrid Project
Security Coordination Group
http://cern.ch/hep-project-grid-scg
Overview
How it works – EDG security through use cases
VO Management Service
Authentication and Authorization components
2004/Jan - EDG Security - GRIDSTART TWG VO Security - n° 2
Registration

[Diagram: registration workflow between the user, the registration web interface and the VO-VOMS. Legend used on this and the following diagrams: high frequency and low frequency interactions; CA; user; user cert (long life); VO-VOMS.]

Tool support for the registration workflow(s) to ease the life of VO managers.

Workflow states and the actor driving each transition:
- new (user): VO membership request submitted through the registration web interface
- confirmed (user): email address confirmation
- accepted / denied (VO admin): decision on the request
- done: the accepted request has been applied

Notifications sent along the way:
- email to the requestor: email address confirmation
- email to the administrator: new request notification
- email to the requestor: request is accepted/denied
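The workflow above, written out as an added example (not code from the EDG project) so that each transition is tied to the actor the slide names for it: the confirmation step proves control of the mailbox before the administrator is notified, and only the VO admin can move a confirmed request to accepted or denied. The class names, the confirmation token and the notification tuples are assumptions made for this example.

```python
# Added example, not code from the EDG project: the registration workflow
# on the slide (new -> confirmed -> accepted/denied -> done) modelled as an
# explicit state machine. Class names, the confirmation token and the
# notification tuples are assumptions made for this example.
import secrets
from dataclasses import dataclass, field


class RegistrationError(Exception):
    """A transition that the workflow does not allow."""


@dataclass
class Registration:
    dn: str                     # subject DN of the user's (long-life) certificate
    email: str                  # address the user claims; unverified until "confirmed"
    state: str = "new"
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    notifications: list = field(default_factory=list)   # (recipient, subject) log

    def notify(self, recipient, subject):
        # stands in for the e-mails on the slide; a real service would send mail here
        self.notifications.append((recipient, subject))


class VORegistration:
    """Registration front end of one VO-VOMS."""

    def __init__(self, vo, admin_email):
        self.vo = vo
        self.admin_email = admin_email
        self.requests = {}       # dn -> Registration
        self.members = set()     # DNs accepted into the VO

    def request_membership(self, dn, email):
        """Step 1 (user): 'VO membership request' via the registration web page."""
        if dn in self.members or dn in self.requests:
            raise RegistrationError("a request for this DN already exists")
        reg = Registration(dn=dn, email=email)
        self.requests[dn] = reg
        # only the requestor hears about the request at this point
        reg.notify(email, "email address confirmation")
        return reg.token          # in practice carried in the confirmation link

    def confirm_email(self, dn, token):
        """Step 2 (user): proves control of the mailbox by returning the token."""
        reg = self._get(dn, expected="new")
        if not secrets.compare_digest(token, reg.token):
            raise RegistrationError("confirmation token does not match")
        reg.state = "confirmed"
        # the administrator is only notified once the address is verified
        reg.notify(self.admin_email, "new request notification")
        return reg.state

    def decide(self, dn, accept):
        """Step 3 (VO admin): accept or deny a confirmed request."""
        reg = self._get(dn, expected="confirmed")
        reg.state = "accepted" if accept else "denied"
        reg.notify(reg.email, f"request is {reg.state}")
        if accept:
            # 'user registration = add member' on the multi-VO slide
            self.members.add(dn)
            reg.state = "done"
        return reg.state

    def _get(self, dn, expected):
        reg = self.requests.get(dn)
        if reg is None:
            raise RegistrationError("unknown request")
        if reg.state != expected:
            raise RegistrationError(f"request is {reg.state}, expected {expected}")
        return reg


if __name__ == "__main__":
    vo = VORegistration("iteam", "iteam-admin@example.org")   # constructed values
    dn = "/O=Grid/O=CERN/CN=Example User"                     # constructed DN
    token = vo.request_membership(dn, "user@example.org")
    vo.confirm_email(dn, token)
    print(vo.decide(dn, accept=True), sorted(vo.members))
```

Every transition checks the current state first, so a request cannot be decided before the address is confirmed, and a decision cannot be made twice.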
Multi-VO registration

[Diagram: the same user cert (long life) registering with several VO-VOMS servers.]

Support for multi-VO registration and login using the same user certificate.

VO administration operations (on each VO-VOMS):
- create/delete (sub)group/role/capability
- add/remove member of (sub)group/role/capability
- get/set ACLs for these operations

VO registration tasks: a user-requested administrative operation; e.g. user registration = add member.
“Login”

[Diagram: user cert (long life) -> voms-proxy-init, contacting the VO-VOMS -> proxy cert (short life) carrying an authz cert (short life).]

The credential created in the “login” procedure is backward compatible: one can use it with the existing services, which are based on GSI.

edg-voms-proxy-init -voms iteam
- /tmp/x509_up<UID> (normal proxy location)
- backward compatible proxy format
Multi-VO “Login”

[Diagram: user cert (long life) -> voms-proxy-init, contacting several VO-VOMS servers -> one proxy cert (short life) with one authz cert (short life) per VO.]

voms-proxy-init -voms iteam -voms wp6
- a single proxy certificate is generated
- each VO provides a separate VOMS user credential; the first one is the default VO
- each VOMS credential contains multiple group/role entries; the first one is the default group

One can be a member of many VOs and use their resources at the same time. The VO-specific credentials are separate, but collected into the same proxy certificate.
Old-style Service

[Diagram: host cert (long life) issued by the CA; mkgridmap collects the VO userlists from several VO-VOMS servers and writes the gridmap-file; crl update refreshes the CA CRLs; gridftp and the other EDG 1.4.x services, or an EDG 2.x service in compatibility mode, authorize through GSI against the gridmap-file.]

Backward compatibility on the service side: one service can generate gridmap-files from the VO userlist for existing services based on GSI.

Old-style services still use the gridmap-file for authorization.

No advantage, but everything works as before...
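To make the compatibility path concrete, here is an added example (not the EDG mkgridmap tool) that regenerates a Globus-style gridmap-file from VO user lists and reads it back the way an old GSI-only service would. The '"DN" account' line format is the standard grid-mapfile format; the user lists, DNs and the ".iteam"/".wp6" pool-account names are constructed for the example, and the leading-dot pool-account convention is an assumption. The last check in the usage note shows the operational consequence of this mode: a user removed from the VO stays authorized until the file is regenerated.

```python
# Added example, not the EDG mkgridmap tool: regenerate a gridmap-file from
# VO user lists so that an old GSI-only service keeps authorizing by DN.
# User lists, DNs and the ".iteam"/".wp6" pool-account names are constructed;
# the '"DN" account' format is the standard grid-mapfile format.
import re

GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def gridmap_line(dn, account):
    """One grid-mapfile entry; the DN is quoted, so it must not contain quotes."""
    if '"' in dn or "\n" in dn or not dn.startswith("/"):
        raise ValueError(f"DN cannot be represented in a gridmap-file: {dn!r}")
    return f'"{dn}" {account}'


def build_gridmap(userlists, account_for_vo):
    """userlists: ordered {vo: [dn, ...]} as fetched from each VO-VOMS.

    A DN registered in several VOs keeps the mapping of the first VO listed,
    mirroring the "first one is the default VO" rule of the login slide.
    """
    mapping = {}
    for vo, dns in userlists.items():
        for dn in dns:
            mapping.setdefault(dn, account_for_vo[vo])
    lines = [gridmap_line(dn, acct) for dn, acct in sorted(mapping.items())]
    return "\n".join(lines) + "\n"


def parse_gridmap(text):
    """Read a gridmap-file back into {dn: account}; blank and '#' lines are skipped."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed gridmap-file line {lineno}: {line!r}")
        mapping[m.group(1)] = m.group(2)
    return mapping


def authorize(mapping, dn):
    """What the old-style service does: DN present -> mapped account, else None (denied)."""
    return mapping.get(dn)


# Constructed sample: what two VO-VOMS servers might return as their user lists.
USERLISTS = {
    "iteam": ["/O=Grid/O=CERN/CN=Alice Example", "/O=Grid/O=CERN/CN=Bob Example"],
    "wp6": ["/O=Grid/O=CERN/CN=Bob Example", "/O=Grid/O=CERN/CN=Carol Example"],
}
ACCOUNTS = {"iteam": ".iteam", "wp6": ".wp6"}   # leading dot = pool account (assumed convention)


if __name__ == "__main__":
    text = build_gridmap(USERLISTS, ACCOUNTS)
    print(text, end="")
    mapping = parse_gridmap(text)
    print(authorize(mapping, "/O=Grid/O=CERN/CN=Bob Example"))   # .iteam
```

Running `build_gridmap` again with Bob dropped from both user lists yields a file in which `authorize` returns None for his DN; until that regeneration (cron job or manual run), the old-style service still accepts him.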
Replica Management

[Diagram: user with user cert and proxy (VO authz); information system; RM service (host cert) fronted by edg-java-security, which extracts the authentication & authorization info.]

1. VO affiliation
2. service URI(s) for VOs in authz? (lookup in the information system)
3. calling the service (URI)

The VO credential on the client side is used to select the VO-specific service. The VO credential on the server side is used for VO authorization.
Job Submission

[Diagram: user with user cert and proxy (VO authz); MyProxy server; WMS; information system; CE (AccessControlBase, host cert).]

1. VO affiliation
2. cert upload to the MyProxy server
3. job submission to the WMS
4. CEs for VOs in authz? (WMS lookup in the information system)

The VO credential is used by the resource broker to pre-select available CEs.
Running a Job

[Diagram: WMS -> CE (host cert) running LCAS/LCMAPS; the CE downloads the proxy (VO authz) from the MyProxy server; the proxy was produced by voms-proxy-init from the long-term cert.]

VO credential for authorization and mapping on the CE.
- LCAS: authorization based on (multiple) VO/group/role attributes
- LCMAPS: mapping to user pool and to (multiple) groups
  - default VO = default UNIX group
  - other VO/group/role = other UNIX group(s)

1. cert download (from the MyProxy server)
2. job start

The authentication & authorization info is taken from the proxy by LCAS/LCMAPS.
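The following added example (not EDG, VOMS, LCAS or LCMAPS code) ties the multi-VO “login” slide to this one: it parses the FQAN attributes that `voms-proxy-init -voms iteam -voms wp6` would collect into one proxy, keeping the ordering rules from that slide (first VO is the default VO, first entry of each credential is the default group), and then runs the two CE-side steps, LCAS (authorize on VO/group/role attributes) and LCMAPS (map the default FQAN to a pool account and primary UNIX group, every other mapped FQAN to an additional group). The FQAN syntax `/vo[/group...][/Role=r][/Capability=c]` is the VOMS convention; the policy table, group names, pool accounts and DNs are constructed for the example.

```python
# Added example, not EDG/VOMS/LCAS/LCMAPS code: FQAN parsing, the attribute
# ordering of a multi-VO proxy, and the LCAS/LCMAPS steps a CE runs on it.
# Policy table, UNIX group names, pool accounts and DNs are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FQAN:
    vo: str
    group: str                  # full group path, e.g. "/iteam/devel"
    role: Optional[str]         # None when absent or "NULL"
    capability: Optional[str]


def parse_fqan(text):
    """Parse one FQAN; group components must precede Role=/Capability=."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups, role, cap, qualifier_seen = [], None, None, False
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role, qualifier_seen = (None if part[5:] == "NULL" else part[5:]), True
        elif part.startswith("Capability="):
            cap, qualifier_seen = (None if part[11:] == "NULL" else part[11:]), True
        elif qualifier_seen or not part:
            raise ValueError(f"malformed FQAN: {text!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError(f"FQAN has no VO: {text!r}")
    return FQAN(groups[0], "/" + "/".join(groups), role, cap)


def proxy_fqans(credentials):
    """credentials: ordered {vo: [fqan, ...]}, one VOMS credential per VO in the
    order given to voms-proxy-init. Returns all FQANs in proxy order: the first
    VO is the default VO, the first entry of each VO is its default group."""
    out = []
    for vo, fqan_strings in credentials.items():
        if not fqan_strings:
            raise ValueError(f"VOMS credential for {vo} carries no attributes")
        for s in fqan_strings:
            f = parse_fqan(s)
            if f.vo != vo:      # an attribute for another VO does not belong here
                raise ValueError(f"FQAN {s!r} inside the credential of VO {vo}")
            out.append(f)
    return out


def lcas_authorize(dn, fqans, allowed, banned_dns=frozenset()):
    """LCAS step: DN not banned and at least one FQAN matching an allowed entry
    (group prefix match; a role given in the entry must match exactly)."""
    if dn in banned_dns:
        return False
    for want in map(parse_fqan, allowed):
        for have in fqans:
            in_group = have.group == want.group or have.group.startswith(want.group + "/")
            if in_group and (want.role is None or want.role == have.role):
                return True
    return False


class PoolAccounts:
    """Leases one pool account per (VO, DN), like an LCMAPS pool-account plugin."""

    def __init__(self, pools):
        self.pools = pools      # vo -> [account, ...]
        self.leases = {}        # (vo, dn) -> account

    def account_for(self, vo, dn):
        key = (vo, dn)
        if key not in self.leases:
            taken = set(self.leases.values())
            free = [a for a in self.pools.get(vo, []) if a not in taken]
            if not free:
                raise RuntimeError(f"pool for VO {vo} exhausted")
            self.leases[key] = free[0]
        return self.leases[key]


def lcmaps_map(dn, fqans, group_map, pool):
    """LCMAPS step: default FQAN -> pool account + primary UNIX group;
    every other mapped FQAN -> an additional UNIX group."""
    def unix_group(f):
        if f.role is not None and f"{f.group}/Role={f.role}" in group_map:
            return group_map[f"{f.group}/Role={f.role}"]
        return group_map.get(f.group)

    primary = unix_group(fqans[0])
    if primary is None:
        raise RuntimeError(f"no mapping for default FQAN {fqans[0].group}")
    secondary = []
    for f in fqans[1:]:
        g = unix_group(f)
        if g is not None and g != primary and g not in secondary:
            secondary.append(g)
    return pool.account_for(fqans[0].vo, dn), primary, secondary


CREDENTIALS = {   # constructed: what "-voms iteam -voms wp6" would put in the proxy
    "iteam": ["/iteam/Role=NULL/Capability=NULL", "/iteam/devel/Role=admin/Capability=NULL"],
    "wp6": ["/wp6/Role=NULL/Capability=NULL"],
}
GROUP_MAP = {"/iteam": "iteam", "/iteam/devel": "iteamdev",
             "/iteam/devel/Role=admin": "iteamadm", "/wp6": "wp6"}
ALLOWED = ["/iteam/devel/Role=admin", "/wp6"]     # constructed CE policy

if __name__ == "__main__":
    dn = "/O=Grid/O=CERN/CN=Example User"
    fqans = proxy_fqans(CREDENTIALS)
    if lcas_authorize(dn, fqans, ALLOWED):
        pool = PoolAccounts({"iteam": ["iteam001", "iteam002"], "wp6": ["wp6001"]})
        print(lcmaps_map(dn, fqans, GROUP_MAP, pool))   # ('iteam001', 'iteam', ['iteamadm', 'wp6'])
```

Two details matter on the CE side: `proxy_fqans` rejects an attribute whose VO does not match the credential it sits in, and the pool lease is keyed by (VO, DN), so the same user always lands on the same account for a given default VO while a second user gets a different one and an exhausted pool fails closed.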
Virtual Organization Management Service
- Issues credentials to prove group/role/VO membership
  - standard RFC 3281 Attribute Certificate format
  - single string attributes – FQAN
- Core service: standalone daemon for the “login”
  - single purpose – high performance
- Administrative service: web service with API, command line and web user interface for administration and registration
- Migration tools for gridmap-files and VO-LDAP servers
VOMS FAQ
- No instant effect: the user has to “log-in”, using voms-proxy-init, to be notified of any VO change
- Delegation: a user cannot delegate her/his groups to someone else (unless s/he is a group-admin); no user groups
- Indirect effect on the policy: VOMS may name groups/roles in order to implement a policy, but it is up to the services to enforce it and up to the resource owner not to override it
- VOMS is not used to implement fine grained ACLs: it does not store file names or job ids (although it has its own ACLs for group/role administration)
More Information
European DataGrid Project Security Coordination Group
http://cern.ch/hep-project-grid-scg
LCAS/LCMAPS homepage
http://www.dutchgrid.nl/DataGrid/wp4/lcas/
Java Security
http://cern.ch/grid-data-management/security/
GridSite
http://www.gridpp.ac.uk/gridsite/
VOMS
http://grid-auth.infn.it/
http://cern.ch/edg-wp2/security/voms
Akos.Frohner@cern.ch