LCG/EGEE Security Update
HEPiX, Fall 2004
BNL, 18 October 2004

David Kelsey, CCLRC/RAL, UK
d.p.kelsey@rl.ac.uk

Outline

Update since October 2003 (Vancouver HEPiX)

  • Introduction
  • Policy
  • Procedures & Operations
  • Technology
  • Future work

David Kelsey, LCG/EGEE Security, HEPiX

Introduction: LCG & EGEE

LCG today

[Slide consists of a figure only; no text recoverable from the transcript]

The next generation of grids: EGEE (Enabling Grids for E-science in Europe)

Build a large-scale production grid service to:

  • Underpin European science and technology
  • Link with and build on national, regional and international initiatives
  • Foster international cooperation both in the creation and the use of the e-infrastructure

[Diagram: Collaboration; Pan-European Grid; Operations, Support and training; Network infrastructure (GÉANT)]

AHM2004, Nottingham, September 2004 - 5

EGEE Activities
  • 48 % service activities (Grid Operations, Support and Management, Network Resource Provision)
  • 24 % middleware re-engineering (Quality Assurance, Security, Network Services Development)
  • 28 % networking (Management, Dissemination and Outreach, User Training and Education, Application Identification and Support, Policy and International Cooperation)

32 Million Euros EU funding over 2 years starting 1st April 2004

Emphasis in EGEE is on operating a production grid and supporting the end-users

Security Activities in EGEE (LCG)

[Diagram: boxes for CA Coordination, Applications (NA4), Middleware (JRA1), Middleware Security Group (JRA3), Joint Security Policy Group, Operations (SA1, including the OSCT), LCG and OSG. Arrows labelled "Req." carry requirements towards the Middleware Security Group, which returns Solutions/Recommendations to Middleware.]

"Joint Security Policy Group" defines policy and procedures and inputs requirements to MWSG (for LCG/GDB and EGEE/SA1)

(Cross membership of US OSG Sec Team)

Security Policy

LCG Security Policy
  • During 2003/04, the LCG project agreed a first version of its Security Policy
    • Written by the Joint Security Policy Group
    • Approved by the Grid Deployment Board/PEB
  • A single common policy for the whole project
    • But does not override local policies
  • An important step forward for a production Grid
  • The policy
    • Defines Attitude of the project towards security and availability
    • Gives Authority for defined actions
    • Puts Responsibilities on individuals and bodies
  • Now being used by EGEE and (some) national Grids


LCG Policy

[Diagram (picture from Ian Neilson): the Security & Availability Policy at the centre, with the related documents around it: Incident Response, Certification Authorities, Audit Requirements, Usage Rules, Application Development & Network Admin Guide, User Registration & VO Management, and GOC Guides; several are marked "New since Oct 2003".]

http://cern.ch/proj-lcg-security/documents.html

Security Procedures & Operations

Security Procedures
  • Incident Response
    • Open Science Grid leading this area
    • See talks in Friday morning’s Operations session
  • LCG/EGEE Operational Security
    • Operational Security Coordination Team (OSCT)
    • Again: see Friday’s talk
  • User Registration & VO Management
    • Requirements for 4 LHC Experiments
      • Presented at May 2004 (Edinburgh) HEPiX (M.Dimou)


User Registration and VO Membership Management
  • Requirements document (V2.7)
    • https://edms.cern.ch/document/428034
    • approved by GDB in May 2004
  • Task force created to propose the solution
  • Many discussions with CERN HR, User Office, Experiment Secretariats, VO managers, …
  • Recent Meeting at CERN
    • 15-17 September, 2004
    • http://cern.ch/dimou/lcg/registrar/TF/meetings/2004-09-15/
    • Technical solution now agreed


User Registration (1)
  • Every user (4 LHC expts) must register in CERN HR db first
    • Already true for the majority
      • Advantages of using existing procedures
      • No duplication of effort or personal data
    • External users (e.g. people never coming to CERN) and short-term users (e.g. external summer students)
      • Need a simple, speedy and robust procedure
    • Non-VO people
      • e.g. testers / experiment-independent people
      • must register in CERN HR (e.g. via LCG/IT)
  • Eventual aim is to use the experiment participation end-date in CERN HR to trigger immediate suspension from the VO


User Registration (2)
  • VO registration expiry date
    • Not exceeding 1 year from date of VO registration
    • Less if institute-contract/CERN HR registration expires before then
  • Personal User Data will only reside in CERN HR
  • There is no automatic membership of VO
    • User has to complete a form and the VO manager has to approve
  • Authorized personnel at resource centres will have read access to the VO registration info


User Registration (3)
  • When VO expiry date is reached, the VO membership is immediately suspended
    • Advance warning will be sent to the user
  • There will be other possible reasons for suspension
    • E.g. following security problems
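The three User Registration slides describe a small lifecycle: VO-manager approval, an expiry date capped at one year (or earlier if the CERN HR registration ends first), an advance warning, and immediate suspension on expiry or after a security problem. The following Python sketch is an added example, not code from the LCG/EGEE project or from CERN HR; the record layout, the function names and the 30-day warning window are assumptions made here, while the rules themselves follow the slides.

```python
"""Model of the VO registration lifecycle described on the User Registration slides.

Added example, not LCG/EGEE or CERN HR code: the record layout, function names and
the 30-day warning window are assumptions; the rules follow the slides.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_VO_MEMBERSHIP = timedelta(days=365)  # VO expiry not exceeding 1 year from registration
WARNING_WINDOW = timedelta(days=30)      # assumed length of the advance-warning period


@dataclass
class Registration:
    dn: str                               # certificate subject of the user
    vo: str                               # e.g. one of the four LHC experiments
    registered_on: date                   # date the registration form was submitted
    hr_end_date: Optional[date]           # experiment participation end-date from CERN HR
    approved_by_vo_manager: bool = False  # no automatic membership of a VO
    suspended_reason: Optional[str] = None


def vo_expiry_date(reg: Registration) -> date:
    """One year after registration, or earlier if the CERN HR registration ends first."""
    expiry = reg.registered_on + MAX_VO_MEMBERSHIP
    if reg.hr_end_date is not None and reg.hr_end_date < expiry:
        expiry = reg.hr_end_date
    return expiry


def membership_status(reg: Registration, today: date) -> str:
    """Return 'pending', 'suspended', 'warning' or 'active' as of `today`."""
    if not reg.approved_by_vo_manager:
        return "pending"                  # form completed, VO manager has not yet approved
    if reg.suspended_reason is not None:
        return "suspended"                # manual suspension, e.g. following a security problem
    expiry = vo_expiry_date(reg)
    if today >= expiry:
        return "suspended"                # immediate suspension when the expiry date is reached
    if today >= expiry - WARNING_WINDOW:
        return "warning"                  # advance warning is sent to the user in this period
    return "active"


def suspend(reg: Registration, reason: str) -> Registration:
    """Record a suspension for a reason other than expiry."""
    reg.suspended_reason = reason
    return reg


def hr_end_date_changed(reg: Registration, new_end: date) -> date:
    """Propagate a changed HR participation end-date; returns the recomputed VO expiry."""
    reg.hr_end_date = new_end
    return vo_expiry_date(reg)


if __name__ == "__main__":
    # Constructed sample record, not real personal data.
    reg = Registration("/DC=ch/DC=cern/CN=Example User", "cms",
                       date(2004, 10, 1), date(2005, 3, 31), approved_by_vo_manager=True)
    for day in (date(2005, 2, 1), date(2005, 3, 1), date(2005, 3, 31)):
        print(day, vo_expiry_date(reg), membership_status(reg, day))
```

Only the expiry date and the status are derived here; the personal data itself stays in CERN HR, as the slides require, so a resource centre would hold nothing beyond the DN, VO and dates.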


Technical Solution agreed
  • 15-17 Sep meeting decisions:
  • The VO registration database
    • Will be VOMRS component from US CMS VOX
    • VOMRS needs development to meet new requirements (FNAL working on this)
    • VOMRS manages the groups and roles -> VOMS
  • CERN is working on VOMRS interconnection to the CERN HR DB (Oracle)
  • The dynamic Authorization will be VOMS
    • Groups and roles
  • Non-LHC VO’s may use the VOMS-admin component (an alternative admin UI)
  • Time to implement not yet agreed
    • Aiming for early in 2005


Security Technology

Authentication: EU Grid PMA CAs

27 Accredited CAs

[Map, colour-coded]
  • Green: Accredited
  • Yellow: Recent approvals or still under discussion
  • Slovenia just approved
  • Austria & Bulgaria soon?

Other Accredited CAs:

  • DoEGrids (US)
  • GridCanada
  • ASCCG (Taiwan)
  • ArmeSFO (Armenia)
  • CERN
  • Russia (HEP)
  • FNAL Service CA (US)
  • Israel
  • Pakistan

"Catch-all" CAs operated by:

  • CNRS (for EGEE)
  • US DOE (for LCG)
  • SEE-GRID (for SE Europe)

AuthZ – VOMS & LCAS

[Diagram: the certificate flow between CA, user, VO-VOMS and service. Low-frequency steps: the CA issues the long-life user cert and host cert and publishes CRL updates; the user registers with the VO-VOMS. High-frequency steps: voms-proxy-init creates a short-life proxy cert carrying a short-life authz cert obtained from VO-VOMS; the service, holding its own short-life service cert, passes the authentication & authorization info to LCAS for the local decision.]
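The diagram separates the VO-issued, short-lived authorization attributes (VOMS) from the site-local decision (LCAS), and the Future Work slide names the same split as "local control and policy, e.g. via LCAS/LCMAPS". The following Python sketch is an added example, not LCAS or VOMS code: the proxy and attribute data model, the site-policy layout, the sample policy and the order of checks are assumptions made here; only the FQAN syntax (/vo/group[/subgroup]/Role=<role>/Capability=<cap>) is VOMS's own. It shows why a site can still refuse a user whose VO has vouched for them, and why a static grid-mapfile can remain as a fallback.

```python
"""Site-local authorization decision in the style of LCAS, driven by VOMS attributes.

Added example, not LCAS or VOMS code: data model, site-policy layout, sample
values and check order are assumptions; only the FQAN syntax is VOMS's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VomsAttribute:
    """The short-life authz cert VOMS attaches to a proxy: VO name, FQANs, validity."""
    vo: str
    fqans: List[str]
    not_after: datetime


@dataclass
class ProxyCert:
    """The short-life proxy produced by voms-proxy-init from the long-life user cert."""
    subject_dn: str            # subject of the long-life user cert the proxy chains to
    issuer_ca: str             # CA that issued the user cert
    not_after: datetime
    voms: Optional[VomsAttribute] = None


@dataclass
class SitePolicy:
    """Local control: what the resource centre accepts regardless of what the VO asserts."""
    trusted_cas: Set[str]
    banned_dns: Set[str]            # site ban list, checked before any VO attribute
    gridmap_dns: Set[str]           # static grid-mapfile fallback
    allowed_fqans: List[str]        # e.g. "/cms/Role=production" or "/atlas/*"


def parse_fqan(fqan: str) -> Dict[str, str]:
    """Split a VOMS FQAN into its VO, group path, role and capability."""
    if not fqan.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {fqan!r}")
    groups: List[str] = []
    role, capability = "NULL", "NULL"
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif part:
            groups.append(part)
    if not groups:
        raise ValueError(f"FQAN has no VO component: {fqan!r}")
    return {"vo": groups[0], "group": "/" + "/".join(groups),
            "role": role, "capability": capability}


def fqan_matches(pattern: str, fqan: str) -> bool:
    """'/vo/group/*' matches the whole subtree; any other pattern needs exact group and role."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return fqan == prefix or fqan.startswith(prefix + "/")
    p, f = parse_fqan(pattern), parse_fqan(fqan)
    return p["group"] == f["group"] and p["role"] == f["role"]


def lcas_decision(proxy: ProxyCert, policy: SitePolicy, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request presenting `proxy` at a site with `policy`."""
    # Authentication prerequisites: trusted CA and an unexpired short-life proxy.
    if proxy.issuer_ca not in policy.trusted_cas:
        return False, "issuer CA not trusted at this site"
    if now >= proxy.not_after:
        return False, "proxy certificate expired"
    # The site ban list wins over any VO-issued attribute.
    if proxy.subject_dn in policy.banned_dns:
        return False, "subject DN banned at this site"
    # Dynamic, role-based path: an unexpired VOMS attribute with a matching FQAN.
    voms = proxy.voms
    if voms is not None and now < voms.not_after:
        for fqan in voms.fqans:
            if parse_fqan(fqan)["vo"] != voms.vo:
                continue               # FQAN does not belong to the VO that signed it
            for pattern in policy.allowed_fqans:
                if fqan_matches(pattern, fqan):
                    return True, f"FQAN {fqan} matches site rule {pattern}"
    # Static fallback: the classic grid-mapfile keyed on subject DN.
    if proxy.subject_dn in policy.gridmap_dns:
        return True, "subject DN listed in grid-mapfile"
    return False, "no matching authorization"


# Constructed sample policy and proxies, not data from any real site.
NOW = datetime(2004, 10, 18, 9, 0)
SITE = SitePolicy(
    trusted_cas={"/C=UK/O=eScience/CN=CA"},
    banned_dns={"/C=UK/O=eScience/CN=banned user"},
    gridmap_dns={"/C=UK/O=eScience/CN=legacy user"},
    allowed_fqans=["/cms/Role=production", "/atlas/*"],
)


def sample_proxy(cn: str, fqans: Optional[List[str]] = None, vo: str = "cms",
                 proxy_hours: int = 12, voms_hours: int = 12) -> ProxyCert:
    """Build a constructed proxy; negative hour values produce already-expired credentials."""
    dn = f"/C=UK/O=eScience/CN={cn}"
    voms = None if fqans is None else VomsAttribute(vo, fqans, NOW + timedelta(hours=voms_hours))
    return ProxyCert(dn, "/C=UK/O=eScience/CN=CA", NOW + timedelta(hours=proxy_hours), voms)
```

Note the ordering: the ban list is consulted before any FQAN is examined, so a suspension decided at the site (or propagated from the incident-response process) takes effect even while the user's VO still issues valid attributes, and an expired VOMS attribute degrades to the grid-mapfile rather than being treated as an error.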

gLite security
  • Aims at being
    • Modular – add new modules later
    • Agnostic – modules will evolve
    • Standard – start with transport-level security but intend to move to WS-Security when it matures
    • Interoperable – at least for AuthN & AuthZ
  • Applied to Web-services hosted in containers and applications (Apache Axis & Tomcat) as additional modules

Security architecture: https://edms.cern.ch/document/487004/

EGEE AuthZ Policy

Policy comes from many stakeholders

[Diagram: graphics from Globus Alliance & GGF OGSA-WG]

Future Work
  • Policy
    • Working on more general policy (with OSG)
      • No longer LCG-specific
    • EU eInfrastructure Reflection Group (18 Nov 04)
      • Acceptable Use Policy and Authorization for EU eScience
  • Procedures
    • Operational Security, including Incident Response
    • User Registration
  • Technology
    • Authentication
      • Asia/Pacific & Americas PMAs being created
      • Credential Repositories
    • Authorization – dynamic role-based access control
      • VOMRS & VOMS
      • Local control and policy, e.g. via LCAS/LCMAPS
  • Security requirements, Operational Constraints
    • Very important to get Site input to operations and middleware development (all feedback is very welcome!)


References
  • LCG/EGEE Joint Security Policy Group: http://proj-lcg-security.web.cern.ch/
  • EGEE JRA3 (Security): http://egee-jra3.web.cern.ch/
  • Open Science Grid Security: http://www.opensciencegrid.org/techgroups/security/
  • EU DataGrid Security: http://hep-project-grid-scg.web.cern.ch/
  • LCG Guide to Application, Middleware and Network Security: https://edms.cern.ch/document/452128
  • EU eInfrastructure Reflection Group: http://www.e-irg.org/
  • EU Grid PMA (CA coordination): http://www.eugridpma.org/
  • TERENA Tacar (CA repository): http://www.terena.nl/tech/task-forces/tf-aace/tacar/