Ákos FROHNER – DataGrid Security - 2002-05-17 - n° 1
Security Group
D7.6 Design Ideas
E-mail: [email protected]
Mutual Authentication
GSI – certificate based authentication
challenge = random data
key(data) = encoding with key
validation: decode(public key, encode(private key, data)) = data
Short-lived certificates! -> no CRL
Delegation
proxy certificate is generated on the server side
private key does not cross the net
rights of the proxy are a subset of the original rights
Membership (dataflow)
Authenticate a user at a service
Gather additional information associated to the user or the actual session (e.g. group membership, role, time)
Gather additional information associated to the protected service or object (e.g. file permissions)
Get local policy applicable to the situation (e.g. temporarily disabled user)
Make an authorization decision based on the identity and the additional information
(dataflow diagram: VO membership, group, role and VO policy come from the virtual organisation, site policy from the organisation, and the ACL from the file; together they feed the decision to read a file)
Membership (sequence)
Access Control List
user – list of capabilities
operation
protected object – access control list
(policy: pattern + ACL)
-> yes/no decision
capability:
DN
VO DN
group/role/...
file ACL:
+cap.1:read
+cap.2:write,read
-cap.3:read
…
+cap.m:op1,op2
user (DN, VO) capabilities: cap.1, cap.2, …, cap.n
operation: read
decision: yes/no
policy:
/cms/**:+cms:read
*:-Bob:read,write,delete
*.bak:+cleanup-role:delete
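As an added example (not code from the slides or the DataGrid project), one way to compute the yes/no decision of this slide in Python: the user's capability list is matched against the object's own ACL entries plus every policy entry whose pattern matches the object name. fnmatch-style patterns, deny-overrides-grant semantics and the sample names (run1.root, old.bak) are assumptions.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    grant: bool            # True for "+cap", False for "-cap"
    capability: str        # a DN, VO DN or group/role name the user may hold
    operations: frozenset  # e.g. {"read", "write"}


def parse_entry(text):
    """Parse an ACL entry such as '+cap.2:write,read' or '-cap.3:read'."""
    if not text or text[0] not in "+-":
        raise ValueError("ACL entry must start with + or -: %r" % text)
    cap, ops = text[1:].split(":", 1)
    return AclEntry(text[0] == "+", cap, frozenset(o.strip() for o in ops.split(",")))


def parse_policy(lines):
    """Parse 'pattern:+cap:op,...' policy lines into (pattern, AclEntry) pairs."""
    rules = []
    for line in lines:
        pattern, entry = line.split(":", 1)
        rules.append((pattern, parse_entry(entry)))
    return rules


def decide(user_caps, operation, object_name, object_acl, policy):
    """Yes/no decision. The object's own ACL plus every policy entry whose
    pattern matches the object name is consulted; a '+' entry for a capability
    the user holds grants the operation, and any '-' entry for such a
    capability overrides it (assumed deny-wins semantics)."""
    applicable = list(object_acl)
    applicable += [e for pat, e in policy if fnmatch.fnmatchcase(object_name, pat)]
    granted = denied = False
    for e in applicable:
        if e.capability in user_caps and operation in e.operations:
            if e.grant:
                granted = True
            else:
                denied = True
    return granted and not denied


# constructed sample: the three policy lines from the slide plus one file ACL
POLICY = parse_policy(["/cms/**:+cms:read",
                       "*:-Bob:read,write,delete",
                       "*.bak:+cleanup-role:delete"])
FILE_ACL = [parse_entry("+Alice:getacl,setacl,read,write,delete")]

if __name__ == "__main__":
    print(decide({"Alice", "cms"}, "read", "/cms/data/run1.root", [], POLICY))
    print(decide({"Bob", "cms"}, "read", "/cms/data/run1.root", [], POLICY))
```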
New File or Directory in an SE
the original owner (creator) is marked for accounting, not used for authorization!
creator has admin (getacl, setacl) permissions
additional permissions come from the enclosing object (default ACL), site and VO policy
delete is a file attribute
mark group/VO for accounting?
File
creator: Alice
ACL: +Alice:getacl,setacl,read,write,delete
Directory
creator: Alice
ACL: +Alice:getacl,setacl,create,list,delete
default ACL for dir: +Alice:getacl,setacl,create,list,delete
default ACL for file: +Alice:getacl,setacl,read,write,delete
File Replication (sequence)
File Replication
1. SE.getACL(+Alice:read,write,admin)
2. RM.preRegister -> RM-role
3. SE.setACL(+Alice:read,write,admin; RM-role:admin)
4. Alice: RM.register
5. RM: MC.register
6. SE.getACL, MC.setACL (+Alice:read,write,admin; RM-role:admin)
7. SE.setACL(+Alice:read; RM-role:admin)
(sequence diagram: user, RM, MC and SE holding f1; f1 starts with +Alice:read,write,admin, carries +Alice:read,write,admin +RM-role:admin after step 3, is registered in the MC in steps 4-6, and ends with +Alice:read +RM-role:admin on the SE after step 7)
Normal File Access
1. RM.getBestFile(LFN) -> SE, FN
2. SE.read(FN)
(sequence diagram: user, RM, MC and SE; the entry for f1 reads +Alice:read +RM-role:admin both in the MC and on the SE)
Medical Image Access
1. RM.getBestFile(LFN) -> SE, FN
2. RM.getAppMetaData -> restricted-cert, key
3. SE.read(FN, restricted-cert)
4. decode(key, FN)
(sequence diagram: Alice, RM, MC and SE; on the SE and in the MC, f1 carries only +RM-role:admin,read, while the patient metadata entry in the MC carries +Alice:read and holds the key; step 3 returns the image)
RM-role
1. CAS.getMembership -> RM-role
2. CAS.getMembership -> RM-role
3. user
4. metadata catalog
5. storage element
6. file ACL entry
(diagram: RM-1 and RM-2 each obtain the RM-role from CAS (1., 2.); the user (3.), the metadata catalog (4.) and the storage elements (5.) all refer to that same role, and the file ACL entry for f1 reads +Alice:read +RM-role:admin on both SEs (6.))
Administrator Roles
Certificate Authorities: CAit, CAch, CAfr
Virtual Organisations: VOLHC (RM, RB, CAS), VOEDG (RM, RB, CAS)
Sites: INFN (SE, CE), CERN (SE, CE), CNRS (SE, CE)
protected objects: file, job
Virtual Organisation administrators: CAS admin, RM admin, RB admin
Site administrators: SE admin, CE admin
Other issues
initial credential: userid/password (PAM), kx509, ...
renewable, forwardable certificates
CAS: does more than necessary
encoding of capabilities (structure vs. DN)
mapping CAS: composition of (Virtual) Organisations
mutual authorization: use only VO-role playing service
ACLs for jobs: monitor, stop, resume, kill
using multiple vs. single VO (multiple vs. one cas-certificate)
...