Jim Basney

Jim Basney, OSG Security Policy Officer, Open Science Grid. TAGPMA, November 5, 2008, La Plata, Argentina

Transcript of Jim Basney

Page 1: Jim Basney

Jim Basney, OSG Security Policy Officer

Open Science Grid

TAGPMA

November 5, 2008

La Plata, Argentina

Page 2: Jim Basney

[Map of OSG sites]: NERSC, BU, UNM, SDSC, UTA, OU, FNAL, ANL, WISC, BNL, VANDERBILT, PSU, UVA, CALTECH, IOWA STATE, PURDUE, IU, BUFFALO, TTU, CORNELL, ALBANY, UMICH, INDIANA, IUPUI, STANFORD, UWM, UNL, UFL, KU, UNI, WSU, MSU, LTU, LSU, CLEMSON, MCGILL, UMISS, UIUC, UCR, UCLA, LEHIGH, NSF, ORNL, HARVARD, UIC, SMU, UCHICAGO (+Brazil, Mexico, Taiwan, UK)

Open Science Grid

Page 3: Jim Basney

TeraGrid and OSG Compared

Page 4: Jim Basney

Open Science Grid

Campus Grids: CS/IT Campus Grids (DOSAR, Fermigrid, GLOW, GPN, GROW, …)

Community Grids: Science Community Infrastructure (ATLAS, CMS, LIGO, …)

National Grids: National & International Cyber Infrastructure for Science (TeraGrid, EGEE, …)

Need to be harmonized into a well-integrated whole

Page 5: Jim Basney

Open Science Grid

The Vision:

Transform compute- and data-intensive science through a cross-domain, self-managed national distributed cyber-infrastructure that brings together campus and community infrastructure and facilitates the needs of Virtual Organizations at all scales.

129 Resources, 33 VOs, 10,000 users, 29 Support Centers

Page 6: Jim Basney

Open Science Grid: International Partners

An International Science Community: Common Goals, Shared Data, Collaborative work

[World map of partner resources]

Page 7: Jim Basney

How it all comes together

[Diagram: Resources that Trust the VO; VO Management Service; OSG Infrastructure; VO Middleware & Applications]

Virtual Organization Management Services (VOMS) allow registration, administration and control of members of the group.

Resources trust and authorize VOs, not individual users.

OSG infrastructure provides the fabric for job submission and scheduling, resource discovery, security, monitoring, …

Page 8: Jim Basney

Open Science Grid

[Diagram of the OSG security program, labelled with software (Globus, Condor, gLExec, RSV, Gratia, VDT), sites (Fermigrid, BNL_ATLAS_1, UCSDT2), VOs (ATLAS, CMS) and job submissions]

Software
• Check software vulnerabilities
• Develop and announce patches

Interoperability
• JSPG, IGTF
• Participate in EGEE's response and operation teams

Security Education for Sites and VOs
• Raise security awareness
• Teach OSG policies and best practices
• Workshops, tutorials, grid schools

Policies for Site-VO interoperability
• Develop policies: AUP, Service Agreements, pilot policies, MOU, membership

Incident Response and Monitoring
• Coordinating the response teams, communication with Sites and VOs
• Banning compromised machines or users, monitoring for suspicious job submissions
• Fire drills for practice

Page 9: Jim Basney

Authorization: VOMS + PRIMA + GUMS

[Diagram: the VOMS Server (attribute repository) feeds the GUMS Server (DN/FQAN mapping in MySQL), which synchs periodically to get VO membership; the Gatekeeper validates the proxy (GSI) and consults GUMS through the gridmap callout / PRIMA module before the job reaches the batch system]

Numbered steps in the diagram: 1: voms-proxy-init; 2: receive VO permissions; 3: job submission; 4: request account; 5: account mapping; 6 (unlabelled)

Page 10: Jim Basney

Grid Site

[Architecture diagram: VO Management Services (VOMS/VOMRS; users register, the site synchronizes) alongside the site's Sitewide Services (SAZ, GUMS). The user runs get-voms-proxy, turning a certificate into a VOMS extended proxy, and submits a request with the voms-proxy to the CE (Gatekeeper → PRIMA/SAML callouts (C) → Job Manager); the callout sends DN, FQAN to GUMS and receives a user name. On the SE (SRM, gPlazma, Storage AuthService with a Prima/SAML client in Java), DN, FQAN are exchanged for a storage privilege set. The authorization query is "Is authorized?" answered yes/no. Legend: Privilege Project Module.]

Page 11: Jim Basney

VOMS

• VO Membership service
– VO manages access rights for its members
– FQAN: Fully Qualified Attribute Name
– Based on RFC 3281
– Example: /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL
– Different roles have different permissions
• Sites must honor VO permissions
• VOMS registration
– via VOMS, or VOMRS, or manually
• Use voms-proxy-init instead of grid-proxy-init
– VO-specific permissions (FQAN) inserted into X.509 non-critical extensions

Page 12: Jim Basney

GUMS

• Grid User Management Service
• Maps user DNs/FQANs to accounts
– Replaces grid-map files
– Site-wide tool
• Sites recognize VO permissions
• Synchs with VOMS periodically
– Downloads the VO memberships, FQANs
– Can work with LDAP instead of VOMS

Page 13: Jim Basney

GUMS

• Three types of mapping
– personal accounts (manual or from LDAP)
– group accounts (multiple DNs to a single UID, like VO -> UID)
– pool accounts (dynamically generated)
• Guarantee that the same UID can be used by only one DN/FQAN at any given time
• Currently, the pool account is created when a DN/FQAN is first seen, and never released

Page 14: Jim Basney

GUMS

• Two kinds of grouping
• User groups
– Map (DN, FQAN) to (uid, gid)
• Host groups
– Connect hosts with user groups
– An M x N configuration
– A single host group can be used for
• Multiple hosts (like "*.usatlas.bnl.gov")
• Multiple user groups (like "usatlasGroup,atlas,dial")
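The VOMS and GUMS slides above describe two pieces that fit together: a VOMS FQAN such as /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL carried in the proxy, and a GUMS configuration of host groups and user groups that turns (DN, FQAN) into (uid, gid) through personal, group or pool mappings. The following Python is an added illustration of both, not GUMS code or anything from the slides: the class layout, the glob-based matching of FQANs and hostnames, the `demo_gums()` configuration, and every DN, hostname and uid are constructed for the example. It keeps the slides' pool-account guarantee: a pool uid is bound to a (DN, FQAN) pair on first sight and never released, so no two pairs ever share one.

```python
"""VOMS FQAN parsing plus a GUMS-style (DN, FQAN) -> (uid, gid) mapping.

Added illustration, not OSG/GUMS code: the class layout, the glob matching,
and every DN, hostname and uid below are constructed for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class FQAN:
    """Fully Qualified Attribute Name: /vo/group[/sub]/Role=r/Capability=c."""
    group: str                  # e.g. "/oscar.nikhef.nl/mcprod"
    role: str = "NULL"
    capability: str = "NULL"

    def __str__(self) -> str:
        return f"{self.group}/Role={self.role}/Capability={self.capability}"


def parse_fqan(text: str) -> FQAN:
    """Parse the string form shown on the VOMS slide; reject malformed input."""
    if not text.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    groups, role, cap = [], "NULL", "NULL"
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif "=" in part or not part:
            raise ValueError(f"bad FQAN component {part!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN has no VO/group component")
    return FQAN("/" + "/".join(groups), role, cap)


@dataclass
class UserGroup:
    """A GUMS user group: which FQANs it covers and how they map to accounts."""
    name: str
    fqan_glob: str                                 # fnmatch pattern over str(FQAN)
    kind: str                                      # "personal" | "group" | "pool"
    gid: int
    personal: dict = field(default_factory=dict)   # DN -> uid (manual or LDAP)
    group_uid: Optional[int] = None                # one shared uid (VO -> UID)
    free_pool: list = field(default_factory=list)  # pool uids not yet handed out
    leases: dict = field(default_factory=dict)     # (DN, FQAN str) -> uid, kept forever

    def covers(self, fqan: FQAN) -> bool:
        return fnmatch(str(fqan), self.fqan_glob)

    def account(self, dn: str, fqan: FQAN) -> Optional[tuple]:
        if self.kind == "personal":
            uid = self.personal.get(dn)
            return None if uid is None else (uid, self.gid)
        if self.kind == "group":
            return (self.group_uid, self.gid)
        if self.kind == "pool":
            key = (dn, str(fqan))
            if key not in self.leases:
                if not self.free_pool:
                    return None            # pool exhausted: no mapping, so deny
                # Bind a fresh uid to this (DN, FQAN) on first sight and keep it,
                # so two different (DN, FQAN) pairs never share a pool uid.
                self.leases[key] = self.free_pool.pop(0)
            return (self.leases[key], self.gid)
        raise ValueError(f"unknown mapping kind {self.kind!r}")


@dataclass
class Gums:
    """Host groups (host glob -> ordered user groups): the M x N configuration."""
    user_groups: dict          # name -> UserGroup
    host_groups: list          # [(host_glob, [user group names in priority order])]

    def map_user(self, host: str, dn: str, fqan_text: str) -> Optional[tuple]:
        """What the gatekeeper's callout asks for: (uid, gid), or None to deny."""
        fqan = parse_fqan(fqan_text)
        for host_glob, names in self.host_groups:
            if not fnmatch(host, host_glob):
                continue
            for name in names:                     # first covering group wins
                ug = self.user_groups[name]
                if ug.covers(fqan):
                    return ug.account(dn, fqan)
        return None                                # nothing applies: deny


def demo_gums() -> Gums:
    """Constructed site config: a production group account plus a small pool."""
    ugs = {
        "atlasProd": UserGroup("atlasProd", "/atlas/usatlas/Role=production/*",
                               "group", gid=5000, group_uid=5001),
        "atlasPool": UserGroup("atlasPool", "/atlas/usatlas/*", "pool", gid=5000,
                               free_pool=[5100, 5101, 5102]),
    }
    return Gums(ugs, [("*.usatlas.example.org", ["atlasProd", "atlasPool"])])
```

With `demo_gums()`, a production-role FQAN from any host matching `*.usatlas.example.org` lands on the shared uid 5001 (the VO -> UID case), plain members each get their own pool uid, and a request from a host outside every host group, or with an FQAN no user group covers, gets no mapping at all, which is the deny outcome the callout reports to the gatekeeper. Order inside a host group matters: the more specific production group is listed before the catch-all pool.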

Page 15: Jim Basney

A simple usage scenario

[Diagram: Researcher A from University X, which is a member of the VO, submits a grid job through the VO Infra. & Services to the VO-accessible Site Resources: Data Storage 1 and Cluster 1 (worker nodes, WN)]

VO trusts Researcher; Site trusts VO

Site allows access by Researcher

Page 16: Jim Basney

VO mappings

[Diagram: Researcher A from University X (VOMRS Group: Univ. X, Role: Researcher) and Researcher B from University Y (Group: Univ. Y, Role: Researcher), each with their own job's data (Job 1's Data, Job 2's Data); GUMS retrieves the VO mappings]

• VOMRS manages member-role mappings
• GUMS retrieves membership info from VO
• Enforces VO-assigned privileges at the Site

Page 17: Jim Basney

[Diagram: Researcher A from Group 1 submits grid job 1 through the VO (VO Infra. & Services) to the Site, which holds Group 1's Data and Group 2's Data; Researcher B from Group 2; the job's attempt on Group 2's Data is marked "Unauthorized access"]

Enforced Policy outcome
• Researcher A cannot modify Researcher B's data (due to VO policy)

Page 18: Jim Basney

[Diagram: same setup as the previous slide, but Researcher B's DN name is blacklisted at the Site; the attempt is marked "Unauthorized access"]

Enforced Policy outcome
• Researcher B denied access
• due to Site policy

Page 19: Jim Basney

Enforced Security Policy

[Diagram: VO Policy and Site Policy combine into the Enforced Policy over the Site's data storage and worker nodes (WN)]

• VO Policy determines:
– each VO member's privileges
• Site Policy determines:
– VO has access to the storage
– can still blacklist particular VO members, if desired

Page 20: Jim Basney

Site Resources

[Diagram of site resources: Data Storage 1, Data Storage 2, Site Database, Site Web Services, Cluster 1 (worker nodes, WN), each marked either "Accessible to VO" or "NOT Accessible to VO"]

Example site access policy:
• for each resource, only allow authorized users AND
• deny any requests from black-listed users
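The last four slides make one point: the enforced policy is the conjunction of the VO's policy (which member may do what) and the site's policy (which resources the VO may reach at all, plus a DN blacklist the site keeps on its own). The Python below is an added illustration of that conjunction, not OSG software or anything from the slides: the `Principal` class, the two policy tables, the resource names, the choice of which resources are VO-accessible and all DNs are constructed for the example, and it assumes each group's data lives on its own storage element. The four scenarios in `scenarios()` reproduce the outcomes of slides 17 and 18 (Researcher A cannot modify B's data because of VO policy; black-listed Researcher B is denied because of site policy) and add two more: an allowed request, and a request for a resource the site never exposes to the VO.

```python
"""Enforced policy = site policy AND VO policy, as on the slides above.

Added illustration, not OSG software: the Principal class, the two policy
tables, the resource names and all DNs are constructed for this example; it
assumes each group's data lives on its own storage element.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    dn: str          # certificate subject DN (constructed values below)
    vo: str
    group: str       # VOMS group
    role: str        # VOMS role


# VO policy (constructed): (group, role) -> {resource: allowed actions}.
# Group 1's data lives on Data Storage 1, Group 2's on Data Storage 2.
VO_POLICY = {
    ("/myvo/group1", "Researcher"): {"Data Storage 1": {"read", "write"},
                                     "Data Storage 2": {"read"}},
    ("/myvo/group2", "Researcher"): {"Data Storage 2": {"read", "write"},
                                     "Data Storage 1": {"read"}},
}

# Site policy (constructed): which resources the VO may reach at all, and the
# DN blacklist the site keeps independently of the VO.
SITE_RESOURCES_FOR_VO = {"myvo": {"Data Storage 1", "Data Storage 2", "Cluster 1"}}
SITE_BLACKLIST = {"/DC=org/DC=example/CN=Researcher B"}


def site_allows(p: Principal, resource: str) -> tuple:
    """Site policy: deny black-listed DNs, then require a VO-accessible resource."""
    if p.dn in SITE_BLACKLIST:
        return False, "site policy: DN is black-listed"
    if resource not in SITE_RESOURCES_FOR_VO.get(p.vo, set()):
        return False, f"site policy: {resource} is not accessible to VO {p.vo}"
    return True, "site policy: ok"


def vo_allows(p: Principal, resource: str, action: str) -> tuple:
    """VO policy: the member's group/role must grant this action on this resource."""
    grants = VO_POLICY.get((p.group, p.role), {})
    if action in grants.get(resource, set()):
        return True, "VO policy: ok"
    return False, f"VO policy: {p.group} Role={p.role} may not {action} {resource}"


def decide(p: Principal, resource: str, action: str) -> tuple:
    """Enforced policy: a request must pass BOTH checks; the first failure is reported."""
    ok, why = site_allows(p, resource)
    if not ok:
        return False, why
    return vo_allows(p, resource, action)


# Constructed principals matching the two researchers on slides 17 and 18.
RESEARCHER_A = Principal("/DC=org/DC=example/CN=Researcher A", "myvo", "/myvo/group1", "Researcher")
RESEARCHER_B = Principal("/DC=org/DC=example/CN=Researcher B", "myvo", "/myvo/group2", "Researcher")


def scenarios() -> dict:
    """The outcomes the slides describe, keyed by a short label."""
    return {
        "A writes own data":      decide(RESEARCHER_A, "Data Storage 1", "write"),
        "A modifies B's data":    decide(RESEARCHER_A, "Data Storage 2", "write"),
        "B (black-listed) reads": decide(RESEARCHER_B, "Data Storage 2", "read"),
        "A reads Site Database":  decide(RESEARCHER_A, "Site Database", "read"),
    }
```

The site check runs first on purpose: a black-listed DN is refused before any VO attribute is consulted, which mirrors the slide's wording that the site "can still blacklist particular VO members" whatever the VO has granted them. Returning the reason alongside the boolean is what makes the two policies distinguishable in logs when an incident response team later asks which side denied (or should have denied) a request.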

Page 21: Jim Basney

Pilot Jobs

[Diagram: the Gatekeeper authorizes the Pilot DN through PRIMA/SAML callouts (C) to GUMS and the Job Manager runs the pilot under the Pilot UID; the pilot fetches user jobs (User DN) from a User queue and runs them on the WN under the same Pilot UID]

• User job and Pilot job run in the same user account (modifications between jobs are possible)
• Site does not auth/authz the user, only auth/authz the pilot job

Page 22: Jim Basney

Pilot Jobs

[Diagram: as on the previous slide, but gLExec on the WN maps each User DN through GUMS to its own User UID, so user jobs no longer run under the Pilot UID]

• gLExec isolates user jobs from one another
• gLExec relies on site GUMS to authorize job owners
• gLExec logs user access via standard mechanisms

Page 23: Jim Basney

Incident Response

• OSG Incident Response Team (IRT) consists of project security, operations, software, and executive staff
– Central team coordinates with VO and site security contacts
– Site CSIRTs not proactively engaged with OSG
• Large VOs span EGEE and OSG
– Requires coordination with EGEE IRT
– Adoption of JSPG incident response policy
• Single point of contact
– [email protected]
– +1 317 278 9699
– 24/7/365 response

https://twiki.grid.iu.edu/bin/view/Security/IncidentResponseProcess

Page 24: Jim Basney

Thanks

• For more information:
– www.opensciencegrid.org
– [email protected]
– [email protected]

This material is based upon work supported by the United States National Science Foundation and Department of Energy. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation or Department of Energy.