Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document...
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1
Security Group
D7.5 Document and Open Issues
E-mail Akos.Frohner@cern.ch
D7.5: Overview
What is Security? (Chapter 3): general description
Assumptions (Section 3.7): what will we not do
3 minus 3.7 = 4: Security Requirements (Chapter 4 is what remains of Chapter 3 once the Section 3.7 assumptions are taken out)
Achieved goals (Chapter 5): what is done
Plans (Chapter 6): not a consistent design yet!
Checklists (Chapter 7): summary of 4 & 5 & 6
Requirements
AUT Authentication requirements
AUZ Authorization requirements
AUD Auditing requirements
NRP Non-Repudiation requirements
DLG Delegation requirements
CNF Confidentiality requirements
INT Integrity requirements
NET Network requirements
ADD Additional requirements
MNG Manageability requirements
USR Usability requirements
IOP Interoperability
SCA Scalability requirements
PER Performance requirements
Requirements - Authentication
GSI – certificate based authentication
AUT-02 symmetric
AUT-05 lives beside existing authentication systems
AUT-14 no associated VO in a cert
AUT-15 no authorization information in a certificate
Questions from me:
certificate revocation: immediate vs. authorization?
large scale CRL handling?
certificate authorities: should not be bound to DataGrid or to grid
Requirements/Authorization: Role/Group/VO
principal (service or user) is identified by a certificate from a CA (not part of any VO)
group: organizational structure or common interest inside a VO; no default group; e.g. Security and WP7 in DataGrid
role: administrative tool; default role; password for an extra role; e.g. user and admin
see AUZ-21
[Diagram: CAs (CAit, CAch, CAfr) issue the certificates; VOs (VOAlice, VOCMS) each run an authz service; RA LDAP servers at INFN, CERN and CNRS hold the membership information]
Requirements/Authorization: 2.
AUZ-05 based on various info (id, CRL, role, group, lightweight ...)
AUZ-16 disconnected operation
AUZ-17... central access control – immediate disable?
AUZ-23,24 authorize the resource, not the user – whom to trust?
AUZ-25... granularity: controlled operations and objects
Questions:
listing accessible resources vs. checking permission case-by-case
central control (policy?) vs. disconnected operation
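The decision the two authorization slides describe, written out as an added example (not code from D7.5 or from the DataGrid software): the DN comes from the certificate and carries no group or role (AUT-14/15), VO membership is an LDAP snapshot cached at the site with its fetch time so that disconnected operation (AUZ-16) can be bounded and fail closed, a central disable list models AUZ-17, and the resource owner's ACL is keyed by operation (AUZ-25). The DNs, resource names, snapshot layout and policy are constructed for the illustration; the second function answers the slide's "listing accessible resources" question with the same rules.

```python
"""Authorization decision combining certificate DN, VO membership,
claimed group/role and a per-resource ACL (constructed example)."""
from dataclasses import dataclass
import time

# VO membership as a site would cache it from the VO's LDAP server.
# 'fetched_at' bounds disconnected operation; 'disabled' models a
# central, immediate disable.  All values are constructed.
VO_SNAPSHOT = {
    "vo": "DataGrid",
    "fetched_at": 1_000_000,            # epoch seconds of the last LDAP fetch
    "disabled": {"/C=FR/O=CNRS/CN=Carol"},
    "members": {
        "/C=CH/O=CERN/CN=Alice": {"groups": {"wp7", "security"}, "roles": {"user", "admin"}},
        "/C=IT/O=INFN/CN=Bob":   {"groups": {"wp7"},             "roles": {"user"}},
        "/C=FR/O=CNRS/CN=Carol": {"groups": {"wp7"},             "roles": {"user"}},
    },
}

# ACL held by the resource owner: operation -> (group, role) pairs allowed.
# The resource decides (AUZ-23/24); it never needs a per-user list.
ACL = {
    "se://lxshare/wp7/run42.root": {
        "read":  {("wp7", "user"), ("security", "user")},
        "write": {("wp7", "admin")},
    },
}

MAX_SNAPSHOT_AGE = 24 * 3600   # how long a site may keep deciding while disconnected
DEFAULT_ROLE = "user"          # the slide's "default role"; there is no default group


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(dn, group, resource, operation, role=None,
              snapshot=VO_SNAPSHOT, acl=ACL, now=None):
    """Return a Decision; every denial names the check that failed."""
    now = time.time() if now is None else now
    role = DEFAULT_ROLE if role is None else role

    # Fail closed when the cached membership data is too old to trust.
    if now - snapshot["fetched_at"] > MAX_SNAPSHOT_AGE:
        return Decision(False, "VO membership snapshot stale")
    if dn in snapshot["disabled"]:
        return Decision(False, "principal disabled by VO")
    member = snapshot["members"].get(dn)
    if member is None:
        return Decision(False, "not a VO member")
    # The certificate proves only the DN; group and role are claims that
    # must be backed by the VO's membership data.
    if group not in member["groups"]:
        return Decision(False, f"not in group {group!r}")
    if role not in member["roles"]:
        return Decision(False, f"role {role!r} not held")
    perms = acl.get(resource, {}).get(operation, set())
    if (group, role) in perms:
        return Decision(True, f"{group}/{role} may {operation}")
    return Decision(False, f"{group}/{role} may not {operation}")


def accessible(dn, group, acl=ACL, role=None, **kw):
    """List (resource, operation) pairs the principal may use, evaluated
    with the same rules as the case-by-case check."""
    return sorted(
        (res, op) for res, ops in acl.items() for op in ops
        if authorize(dn, group, res, op, role=role, acl=acl, **kw).allowed
    )


if __name__ == "__main__":
    now = VO_SNAPSHOT["fetched_at"] + 60
    res = "se://lxshare/wp7/run42.root"
    print(authorize("/C=CH/O=CERN/CN=Alice", "wp7", res, "write", role="admin", now=now))
    print(authorize("/C=IT/O=INFN/CN=Bob", "wp7", res, "write", now=now))
    print(accessible("/C=IT/O=INFN/CN=Bob", "wp7", now=now))
```

The stale-snapshot check runs before anything else, so a site that has lost contact with the VO server for longer than MAX_SNAPSHOT_AGE denies everything rather than keeping disabled users alive; shortening that window is the trade-off the slide's "central control vs. disconnected operation" question is about.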
Requirements
Auditing+Non-repudiation: "trustable log"
Delegation: traceable delegation – original identity preserved
Confidentiality: protecting the data from unwanted access (before)
Integrity: check for possible manipulations and errors (after)
Network: firewalls (no more detail – yet)
Management/Usability: make it simple
Interoperability: with other "grids"
Scaleable/Robust (users/machines/institutes/countries): 1000/200/10/5 -> 10.000/1.000/100/10 -> 100.000/10.000/100/10
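One shape a "trustable log" can take, with delegation kept traceable in every record, as an added example (the record layout and hash chain are this example's own choices, not a DataGrid component): each record is hashed together with the previous record's hash, so editing, deleting or reordering a stored record is detectable by anyone who holds the chain head, and the delegation chain keeps the original identity first so an action by a proxy of a proxy still names the user. The DNs and service names are constructed. Signing the chain head and shipping records to a host the service cannot write back to, which the non-repudiation requirement would also need, are left out.

```python
"""Hash-chained audit log with a delegation chain per record (constructed example)."""
import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []               # list of (record, hash)

    @property
    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, service, action, delegation, outcome, ts):
        """delegation: DNs from the original user to the acting proxy,
        e.g. [user, user/CN=proxy, user/CN=proxy/CN=proxy]."""
        if not delegation:
            raise ValueError("a record must name who acted")
        record = {"ts": ts, "service": service, "action": action,
                  "origin": delegation[0],          # original identity preserved
                  "chain": list(delegation), "outcome": outcome}
        h = _digest(self.head, record)
        self.entries.append((record, h))
        return h

    def verify(self):
        """Index of the first record that does not match the chain, or None."""
        prev = GENESIS
        for i, (record, h) in enumerate(self.entries):
            if _digest(prev, record) != h:
                return i
            prev = h
        return None

    def who_originated(self, index):
        return self.entries[index][0]["origin"]


def demo():
    """Three records across RB, CE and SE, then one stored record edited."""
    log = AuditLog()
    user = "/C=CH/O=CERN/CN=Alice"          # constructed DN
    proxy = user + "/CN=proxy"
    log.append("RB", "submit", [user], "ok", 1000)
    log.append("CE", "run", [user, proxy], "ok", 1001)
    log.append("SE", "read wp7/run42.root", [user, proxy, proxy + "/CN=proxy"], "ok", 1002)
    intact = log.verify()                    # None: chain is consistent
    log.entries[1][0]["outcome"] = "denied"  # tamper with the stored CE record
    return intact, log.verify()              # (None, 1)


if __name__ == "__main__":
    print(demo())
```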
Testbed-1
you probably already know it
CA/RA
11 CA
well defined practices
focus on only one VO: DataGrid
CA = RA ?
membership info in VO/LDAP
goal: „production deployment”
Certificate Management:
scaleable revocation list handling
user cert storage (central?)
roaming access: web portals
long term/renewable proxy certificates for long jobs
Data Management / Storage Element
in Tomcat configuration files:
certificate checking
certificate -> identity
identity -> role
Goals:
Short term: local authorization DB
Long term: general solutions for other services as well
Testbed-1: only local filesystem with gridftp for remote access
pool of local userids
VO = groupid, group-level access permissions
Castor (MSS)
with the GSI library
certificate checking
certificate -> identity
identity -> local userid
Access control uses the local authorization system: every grid user has a corresponding local userid.
Short term: thread-safe GSI
local userid not exposed to client
Long term: SE solution
Networking
Detailed firewall configuration guide for light/medium/heavy config.
VPN: use application level encryption
Plans:
Network Address Translation for large CEs
dynamic firewall configuration for interactive jobs
Open Issues
gridmap file: authentication & authorization & map to local userid
authentication: configurable trust (trusted CAs from VO?)
authorization: central vs. local service (CAS?)
mapping: single userid: grid service does everything (SE)
pool of userids: local enforcement system (CE)
1-1: local authorization system (maybe as an extra step)
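The mapping step of the gridmap file, covering the Storage Element and Castor slides (certificate -> identity -> local userid, "VO = groupid") and the mapping options on this slide, as an added example that is not DataGrid or Globus code: a fixed 1-1 entry maps straight to an account, a pool entry leases one account per DN and uses the VO name as the Unix group, and a DN without an entry is authenticated but refused. The `"DN" local-name` line format is the Globus grid-mapfile one; the leading-dot pool syntax and the lease bookkeeping are this example's own, modelled loosely on the gridmapdir approach. DNs, accounts and pools are constructed.

```python
"""grid-mapfile parsing and DN -> (local user, local group) mapping with
fixed and pool accounts (constructed example)."""
import re

GRIDMAP = '''\
# constructed grid-mapfile: "DN" then a local account, or .<vo> for a pool
"/C=CH/O=CERN/CN=Alice Example" alice
"/C=IT/O=INFN/CN=Bob Example"  .cms
"/C=FR/O=CNRS/CN=Carol Example" .cms
"/C=CH/O=CERN/CN=Dave Example"  .cms
'''

# Pool accounts per VO, as a site would pre-create them (constructed).
POOLS = {"cms": ["cms001", "cms002"], "alice": ["alice001"]}

# One quoted DN, whitespace, one account name (optionally dot-prefixed).
ENTRY = re.compile(r'^"([^"]+)"\s+(\.?[a-z_][a-z0-9_-]*)$')


def parse_gridmap(text):
    """Return {DN: target}; reject malformed lines and duplicate DNs."""
    mapping = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {n}: malformed entry")
        dn, target = m.groups()
        if dn in mapping:
            raise ValueError(f"grid-mapfile line {n}: duplicate DN {dn}")
        mapping[dn] = target
    return mapping


class LocalMapper:
    """Turn an authenticated DN into (local user, local group)."""

    def __init__(self, gridmap, pools):
        self.gridmap = gridmap
        self.free = {vo: list(accts) for vo, accts in pools.items()}
        self.leases = {}                      # dn -> (account, vo), sticky

    def map(self, dn):
        target = self.gridmap.get(dn)
        if target is None:
            # Valid certificate, but this site grants it nothing.
            raise PermissionError(f"no grid-mapfile entry for {dn}")
        if not target.startswith("."):
            return target, target             # 1-1 account; group = own name (assumed)
        vo = target[1:]
        if dn in self.leases:
            return self.leases[dn]            # same DN, same account: keeps accounting 1-1
        if not self.free.get(vo):
            raise PermissionError(f"pool for VO {vo} exhausted")   # fail closed
        account = self.free[vo].pop(0)
        self.leases[dn] = (account, vo)       # VO name doubles as the groupid
        return account, vo

    def release(self, dn):
        """Return a leased pool account when the DN's jobs are gone."""
        account, vo = self.leases.pop(dn)
        self.free[vo].append(account)


if __name__ == "__main__":
    mapper = LocalMapper(parse_gridmap(GRIDMAP), POOLS)
    for dn in parse_gridmap(GRIDMAP):
        try:
            print(dn, "->", mapper.map(dn))
        except PermissionError as e:
            print(dn, "->", e)
```

The exhausted-pool case is the one to test before production: refusing the job is safer than reusing an account that may still own another user's files, which is exactly what the "local userid not exposed to client" and 1-1 points on the Castor slide are protecting.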