1 / 18

Authorisation and Authentication in gLite

Authorisation and Authentication in gLite. Dr. Mike Mineter National e-Science Centre, Edinburgh / UK Dr. Rüdiger Berlich, Forschungszentrum Karlsruhe / Germany Melbourne, 30.01.06 Slides contributed by EGEE Team. Outline. Delegation: building distributed systems dynamically

hsarah
Download Presentation

Authorisation and Authentication in gLite

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Authorisation and Authentication in gLite Dr. Mike Mineter National e-Science Centre, Edinburgh / UK Dr. Rüdiger Berlich, Forschungszentrum Karlsruhe / Germany Melbourne, 30.01.06 Slides contributed by EGEE Team

  2. Outline • Delegation: building distributed systems dynamically • Why Authorisation and Authentication (AA) are the basis of grids • Authentication: “AuthN” • “Who are you? Are you who you claim to be?” • Authorisation: “AuthZ” • “What are you allowed to do?” • MyProxy: management of certificates Authorisation and Authentication in gLite, Melbourne, January 2006

  3. ComputeCenter Service VO ComputeCenter Use Delegation to Establish Dynamic Distributed System slide based on presentation given by Carl Kesselman at GGF Summer School 2004 Authorisation and Authentication in gLite, Melbourne, January 2006

  4. INTERNET Requirements for AuthN and AuthZ • Support multiple VOs across • Administrative domains • National borders • Via Internet • Single sign-on • Multiple services • Delegation • Scalability: • N,000 users • M,000 CPUs • Without M*N million usernames / passwords… • Security Authorisation and Authentication in gLite, Melbourne, January 2006

  5. Authentication and X.509 certificates Authorisation and Authentication in gLite, Melbourne, January 2006

  6. AA and Certificates • X 509 Digital certificate is the basis of AA in EGEE • Certification Authorities (CAs) • ~one per country; each builds network of “Registration Authorities” who issue certificates • CAs are mutually recognized – to enable international collaboration • International Grid Trust Federation http://www.gridpma.org/ • For Asia-Pacific region CAs: https://www.apgrid.org/CA/CertificateAuthorities.html • CA certificates – issued to • Users: you get a Certificate and use it to access grid services • Sites providing resources • Uses Public Key Infrastructure (PKI) • Private key – known only to you • Public key included in your certificate Authorisation and Authentication in gLite, Melbourne, January 2006

  7. Clear text message Clear text message Encrypted text Public Key Private Key Use of PKI - overview • Basis for authentication, integrity, confidentiality, non-repudiation • Certificate: held in two parts • Public key + principal information + CA signature • Private key: only the owner (should) use this • Asymmetric encryption • Digital signatures • A hash derived from the message and encrypted with the signer’s private key • Signature is checked by decrypting with the signer’s public key • Public key is trusted only because it is signed by a trusted third party (Certification Authority) • A CA certifies that a key belongs to a given principal Authorisation and Authentication in gLite, Melbourne, January 2006

  8. X.509 Certificates • An X.509 Certificate contains: • owner’s public key; • identity of the owner; • info on the CA; • time of validity; • Serial number; • digital signature of the CA Structure of a X.509 certificate Public key Subject:C=CH, O=CERN, OU=GRID, CN=Andrea Sciaba 8968 Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2005 GMT Serial number: 625 (0x271) CA Digital signature Authorisation and Authentication in gLite, Melbourne, January 2006

  9. Grid Security Infrastructure - proxies • de facto standard for Grid middleware • Based on PKI • To support…. • Single sign-on: to a machine on which your certificate is held • Delegation: a service can act on behalf of a person • Mutual authentication: both sides must authenticate to the other • ….GSI introduces proxy certificates • Short-lived certificates signed with the user’s certificate or a proxy • Reduces security risk, enables delegation Authorisation and Authentication in gLite, Melbourne, January 2006

  10. Building on AuthN • Authorisation… • What are you allowed to do? • … and how is this controlled?? • In EGEE the answer is VOMS • Virtual Organisation Management System • “second generation” of VO management Authorisation and Authentication in gLite, Melbourne, January 2006

  11. Before VOMS User is authorised as a member of a single VO All VO members have same rights Gridmapfiles are updated by VO management software: map the user’s DN to a local account grid-proxy-init VOMS User can be in multiple VOs Aggregate rights VO can have groups Different rights for each Different groups of experimentalists … Nested groups VO has roles Assigned to specific purposes E,g. system admin When assume this role Proxy certificate carries the additional attributes voms-proxy-init Evolution of VO management Authorisation and Authentication in gLite, Melbourne, January 2006

  12. gLite VOMS Authz DB is a RDBMS (both MySQL and Oracle are currently supported). Authorisation and Authentication in gLite, Melbourne, January 2006

  13. “MyProxy” • You may need: • To interact with a grid from many machines • And you realise that you must NOT, EVER leave your certificate where anyone can find and use it…. Its on a USB drive only. • To use a portal, and delegate to the portal the right to act on your behalf (by logging in to an account that can make a proxy certificate for you) • To run jobs that might last longer than the lifetime of a short-lived proxy • Solution: you can store a long-lived proxy in a “MyProxy repository” and derive a proxy certificate when needed. Authorisation and Authentication in gLite, Melbourne, January 2006

  14. UI MyProxy Server voms-proxy-init myproxy-init myproxy-get-delegation GENIUS Server (UI) WEB Browser execution Local WS output the Grid any grid service Grid authentication with MyProxy Authorisation and Authentication in gLite, Melbourne, January 2006

  15. Summary -1 • Digital credentials and the “Grid Security Infrastructure” (GSI) are the basis of AuthN and AuthZ • Need to establish trust, so • Resource can trust user • User can trust the resource • The basis: • both users and sites trust Certificate Authorities • CAs trust each other • CAs sign user and site certificates Protect your certificate: it is your grid identity Authorisation and Authentication in gLite, Melbourne, January 2006

  16. Summary -2 • The EGEE multi-VO grid is built on • Authentication based on X.509 digital certificates • Issued by CAs that are internationally recognised (enabling international collaboration) • With proxy extensions • Authorisation provided by VOMS • VOMS supports • multiple groups, roles within a VO • Aggregation of rights by a user who is a member of several VOs • MyProxy • Secure storage of long-lived proxy certificates • Delegation so services can create and use a proxy on your behalf Authorisation and Authentication in gLite, Melbourne, January 2006

  17. User Responsibilities • Keep your private key secure. • Do not loan your certificate to anyone. • Report to your local/regional contact if your certificate has been compromised. • Do not launch a delegation service for longer than your current task needs. If your certificate or delegated service is used by someone other than you, it cannot be proven that it was not you. Authorisation and Authentication in gLite, Melbourne, January 2006

  18. References • VOMS • Available at http://infnforge.cnaf.infn.it/voms/ • Alfieri, Cecchini, Ciaschini, Spataro, dell'Agnello, Fronher, Lorentey, From gridmap-file to VOMS: managing Authorization in a Grid environment • Vincenzo Ciaschini, A VOMS Attribute Certificate Profile for Authorization • GSI • Available at www.globus.org • A Security Architecture for Computational Grids. I. Foster, C. Kesselman, G. Tsudik, S. Tuecke. Proc. 5th ACM Conference on Computer and Communications Security Conference, pp. 83-92, 1998. • A National-Scale Authentication Infrastructure. R. Butler, D. Engert, I. Foster, C. Kesselman, S. Tuecke, J. Volmer, V. Welch. IEEE Computer, 33(12):60-66, 2000. • RFC • S.Farrell, R.Housley, An internet Attribute Certificate Profile for Authorization, RFC 3281 Authorisation and Authentication in gLite, Melbourne, January 2006

More Related