Introduction to EGEE - Israel Internet Association


Enabling Grids for E-sciencE
Grid Security
School of Computer Science, Tel-Aviv University
Israeli Academic Grid, IUCC
www.eu-egee.org
INFSO-RI-508833
Acknowledgements
• Presentation is based on slides from:
– Roberto Barbera, University of Catania and INFN (EGEE Tutorial
Roma, 02.11.2005)
– Mike Mineter, Concepts of grid computing
– Fabrizio Gagliardi, EGEE Project Director, CERN, Geneva,
Switzerland (Naregi Symposium 2005 – Tokyo)
– Fabrizio Gagliardi, EGEE Project Director, CERN, Geneva,
Switzerland (APAC, 27 September 2005)
– Guy Warner, NeSC Training Team (An Induction to EGEE for GOSC
and the NGS NeSC, 8th December 2004 )
– OSG Authentication and Authorization Infrastructure
Rob Quick, September 8, 2006
– Roy Williams, Conrad Steenberg, Matthew Graham, Joe Jacob, Ray Plante
Scaling NVO Services to the Teragrid
Grid Security by Eddie Aronovich, ISOC-IL 11th conference, Feb 2007
Security & Intellectual Property (I)
• The existing EGEE grid middleware is distributed under an Open Source License developed by EU DataGrid
– No restriction on usage (scientific or commercial) beyond acknowledgement
– Same approach for new middleware
• Application software maintains its own licensing scheme
– Sites must obtain appropriate licenses before installation
EGEE project in 1K words
https://goc.grid-support.ac.uk/gridsite/monitoring/
When does it Grid ?
• Coordinates Distributed Resources
• Using standard, open, general-purpose protocols
• Deliver non-trivial qualities of service
Foster, Kesselman/The grid: Blue Print for a new Computing infrastructure
The components of a Grid
• Resources
– networking, computers, storage, data, instruments, …
• Grid Middleware
– the “operating system of the grid”
• Operations infrastructure
– Run enabling services (people + software)
• Virtual Organization management
– Procedures for gaining access to resources
How this Orchestra Plays ?
[Diagram: job flow between the “User interface”, the Resource Broker node (Network Server, Workload Manager, MatchMaker/Broker, Job Adapter, Job Controller/CondorG), Logging & Book-keeping, the Information Service, the Replica Catalogue / Replica Location Server, the Computing Element and the Storage Element. Arrows: Input “sandbox”, Output “sandbox”, DataSets info, Publish, Job Query, Job Submit Event, Job Status, Author. & Authen.]

Job submission, step by step (the same diagram is redrawn on each slide, with the job status shown at the UI):
• UI: allows users to access the functionalities of the WMS (via command line, GUI, C++ and Java APIs)
• Job Description Language (JDL) to specify job characteristics and requirements. Example Myjob.jdl, submitted with edg-job-submit myjob.jdl:
    JobType = "Normal";
    Executable = "$(CMS)/exe/sum.exe";
    InputSandbox = {"/home/user/WP1testC", "/home/file*", "/home/user/DATA/*"};
    OutputSandbox = {"sim.err", "test.out", "sim.log"};
    Requirements = other.GlueHostOperatingSystemName == "linux" &&
                   other.GlueHostOperatingSystemRelease == "Red Hat 7.3" &&
                   other.GlueCEPolicyMaxCPUTime > 10000;
    Rank = other.GlueCEStateFreeCPUs;
• NS: network daemon responsible for accepting incoming requests; the Input Sandbox files are kept on the RB storage (job status: submitted, waiting)
• WM: acts to satisfy the request
• Matchmaker: responsible to find the “best” CE for a job
– Where must the job be executed ?
– Where are the needed data (which SEs) ? (asked to the Replica Location Server)
– What is the status of the Grid ? (CE characteristics & status and SE characteristics & status from the Information Service)
– CE choice
• Job Adapter: responsible for the final “touches” to the job before performing submission (e.g. creation of wrapper script, PFN, etc.) (job status: ready)
• Job Controller: responsible for the actual job management operations (done via CondorG) (job status: scheduled)
• The job runs on the Computing Element; the Input Sandbox files are delivered to the CE and “Grid enabled” data transfers/accesses go to the Storage Element (job status: running)
• Output Sandbox files are returned to the RB storage (job status: done) and retrieved by the user with edg-job-get-output <dg-job-id> (job status: cleared)
• Job status sequence: submitted, waiting, ready, scheduled, running, done, cleared

Job monitoring
edg-job-status <dg-job-id>
edg-job-get-logging-info <dg-job-id>
• LB: receives and stores job events; processes corresponding job status
• LM: parses CondorG log file (where CondorG logs info about jobs) and notifies LB
[Diagram: the Job Controller/CondorG writes a log of job events; the Log Monitor reads it and reports job status to Logging & Bookkeeping, which the UI queries]
Security issues
• What is “Secure Grid Society” ?
• Key issues
• Proxy and its implementation
• VO related issues
• Is the grid more/less secure ?
[Figure: 10-15 Petabytes, ~20.000.000 CDROM, 10 times the Eiffel Tower (~3000 m)]
Approaches to Security: 1
The Poor Security House
Approaches to Security: 2
The Paranoid Security House
Approaches to Security: 3
The Realistic Security House
Approaches to grid security
• The Poor Security Approach:
– Use unencrypted communications.
– No or poor (easily guessed) identification means.
– Private identification (key) left in publicly available location.
• The Paranoid Security Approach:
– Don’t use any communications (no network at all).
– Don’t leave computer unattended.
– Don’t trust anyone !
• The Realistic Security Approach:
– Encrypt all sensitive communications
– Use difficult to break identification means.
– Keep identification secure at all times (e.g. encrypted on a
memory stick).
– Only allow access to trusted users.
– Log activity
What is “Secure Grid Society” ?
• Sites have internal security policy
• User can authenticate VO and Site
• VO can authenticate User and site
• Site can authenticate User and VO
[Diagram: trust relations between User, Processes and Resource]
Key issues
• Authentication
• Authorization (access control)
• Confidentiality (privacy)
• Integrity
• Non-Repudiation
• Auditing
No difference from any other system !
Grid specific issues
• SSO
• Delegation
• Credential life span and renewal
• Assurance
• Manageability
• Firewall traversal
Grid Security Infrastructure (GSI)
• Secure communication between elements of a computational Grid
• Support security across organizational boundaries
• Support "single sign-on" (incl. delegation)
Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective
The trust model
[Diagram: “No Cross-Domain Trust”. Domain A (with Sub-Domain A1) and Domain B (with Sub-Domain B1) each have their own Certification Authority and Policy Authority; Server X and Server Y are the resources; a Task, a Federation Service and GSI form a Virtual Organization Domain spanning both domains]
Certificate Request
• User generates public/private key pair.
• User sends public key to CA along with proof of identity (Certificate Request).
• CA confirms identity, signs certificate and sends back to user (Cert, ID).
• Private Key encrypted on local disk.
Slide based on presentation given by Carl Kesselman at GGF Summer School 2004
Inside the Certificate
• Standard (X.509) defined format.
• User identification (e.g. full name).
• User’s Public key.
• A “signature” from a CA created by encoding a unique string (a hash) generated from the user’s identification, user’s public key and the name of the CA. The signature is encoded using the CA’s private key. This has the effect of:
– Proving that the certificate came from the CA.
– Vouching for the user’s identification.
– Vouching for the binding of the user’s public key to their identification.
[Diagram: certificate fields Name, Issuer: CA, Public Key, Signature]
Type of certificates
• Personal
– /C=IL/O=IUCC/OU=TAU/CN=Eddie Aronovich
– usercert.pem - userkey.pem
• Host
– /C=IL/O=IUCC/OU=Host/CN=lcfgng.cs.tau.ac.il
– hostcert.pem - hostkey.pem
• Service
– /C=IL/O=IUCC/OU=Services/CN=[service].cs.tau.ac.il
– [service]cert.pem - [service]key.pem
– Service = http, tomcat, container, ldap, etc.
Public Key Based Authentication
• User sends certificate over the wire.
• Other end sends user a challenge string.
• User encodes the challenge string with private key
– Possession of private key means you can authenticate
as subject in certificate
• Public key is used to decode the challenge.
– If you can decode it, you know the subject
• ==> Treat your private key carefully!!
– Private key is stored only in well-guarded places, and
only in encrypted form
Introduction to Globus toolkit
Mutual Authentication
 A sends their certificate;
 B verifies signature in A’s certificate;
 B sends to A a challenge string;
 A encrypts the challenge string with his private key;
 A sends encrypted challenge to B;
 B uses A’s public key to decrypt the challenge;
 B compares the decrypted string with the original challenge.
If they match, B verified A’s identity and A can not repudiate it.
[Diagram: A → B: A’s certificate; B: Verify CA signature; B → A: Random phrase; A: Encrypt with A’s private key; A → B: Encrypted phrase; B: Decrypt with A’s public key, Compare with original phrase]
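The challenge-response exchange above, worked through in Go as an added example (not code from the presentation or from Globus/GSI). It assumes party B has already verified the CA signature on A's certificate and holds A's public key, and it implements the slide's "encrypt with the private key" step as the signature it corresponds to in a modern library:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// PartyA is the side being authenticated: it holds the private key matching its certificate.
type PartyA struct{ key *rsa.PrivateKey }

// PartyB has already verified the CA signature on A's certificate and extracted A's public key.
type PartyB struct {
	pub       *rsa.PublicKey
	challenge []byte // the random phrase B sent, kept so the reply can be compared with it
}

// NewChallenge is B's "random phrase": 32 fresh random bytes, a new one for every attempt.
func (b *PartyB) NewChallenge() []byte {
	b.challenge = make([]byte, 32)
	rand.Read(b.challenge)
	return b.challenge
}

// Respond is the slide's "encrypt the challenge with A's private key": in a modern library a signature over its hash.
func (a *PartyA) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, a.key, crypto.SHA256, digest[:])
}

// Check is the slide's "decrypt with A's public key and compare with the original phrase".
func (b *PartyB) Check(response []byte) error {
	digest := sha256.Sum256(b.challenge)
	err := rsa.VerifyPKCS1v15(b.pub, crypto.SHA256, digest[:], response)
	b.challenge = nil // one challenge, one answer: a captured reply is useless against the next challenge
	return err
}

// Handshake runs the whole exchange and reports whether B accepted A.
func Handshake(a *PartyA, b *PartyB) error {
	response, err := a.Respond(b.NewChallenge())
	if err != nil {
		return err
	}
	return b.Check(response)
}

// NewParties generates A's key pair and hands B the public half, as B would take it from A's certificate.
func NewParties() (*PartyA, *PartyB) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken random source
	return &PartyA{key: key}, &PartyB{pub: &key.PublicKey}
}
```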
Proxy certificate
• Avoid passphrase re-enter by creating a proxy
• Proxy consists of a new certificate and a private key
• Proxy certificate contains the owner's identity (modified)
• Remote party receives proxy's certificate (signed by the owner), and owner's certificate.
• Proxy certificate is life-time limited
• Chain of trust from the CA to proxy through the owner
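An added example (not code from the presentation, Globus or gLite) that builds the CA -> owner -> proxy chain with Go's standard crypto/x509 package and performs the checks the remote party makes on the proxy and owner certificates it receives. The CA name, serial numbers and the 12-hour proxy lifetime are assumptions for the example; the owner DN is the one from the slides:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (self-signed when parent is nil); example-only helper, not GSI code.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // a certificate we just produced always parses
	return cert, key
}

// BuildChain issues CA -> owner -> proxy: the proxy is signed by the owner's own key, carries the owner's DN plus one extra CN and lives 12 hours.
func BuildChain(now time.Time) (ca, owner, proxy *x509.Certificate) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Grid CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.AddDate(5, 0, 0)}, nil, nil)
	dn := pkix.Name{Country: []string{"IL"}, Organization: []string{"IUCC"}, OrganizationalUnit: []string{"TAU"},
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "Eddie Aronovich"}}} // 2.5.4.3 = commonName
	owner, ownerKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: dn,
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}, ca, caKey)
	dn.ExtraNames = append(dn.ExtraNames, pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"})
	proxy, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: dn,
		NotBefore: now, NotAfter: now.Add(12 * time.Hour)}, owner, ownerKey)
	return ca, owner, proxy
}

// VerifyProxy is the remote party's check on the proxy + owner pair it receives: the owner chains to the trusted CA,
// the proxy is signed by the owner (an end-entity, so CheckSignatureFrom is not usable), and nothing has expired.
func VerifyProxy(proxy, owner, ca *x509.Certificate, now time.Time) error {
	if err := owner.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("owner certificate not issued by CA: %w", err)
	}
	if err := owner.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return fmt.Errorf("proxy not signed by owner: %w", err)
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) || now.After(owner.NotAfter) {
		return fmt.Errorf("proxy %q or its owner is outside the validity period", proxy.Subject.String())
	}
	return nil
}
```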
Mapping certificate to local user
• Sites use their local accounting system
• Pool of users dedicated for the Grid
• Each user is mapped using gridmap file or VOMS
• Mapping can implement local policy on external users
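An added example (not a real site's file, nor gridmap or LCMAPS code) that parses a constructed grid-mapfile and applies the mapping policy: a known DN gets a fixed local account or a leased account from a pool, and an unknown DN is refused. The ".pool" target notation, the pool account names and the leasing behaviour are assumptions for the example:

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed grid-mapfile (not a real site file): a quoted certificate DN, then a fixed local account
// or ".pool" meaning "lease an account from that pool"; several targets may be comma-separated.
const sampleGridMap = `# constructed example
"/C=IL/O=IUCC/OU=TAU/CN=Eddie Aronovich" eddie
"/C=IL/O=IUCC/OU=TAU/CN=Example Student" .tau
"/C=IL/O=IUCC/OU=TAU/CN=Second Student" .tau
"/C=XX/O=Example VO/CN=External User" .dteam,nobody
`

// GridMap is the site's mapping state: parsed entries, free pool accounts and leases already handed out.
type GridMap struct {
	entries map[string][]string // DN -> mapping targets in file order
	pools   map[string][]string // pool name -> free accounts (constructed for the example)
	leases  map[string]string   // DN -> pool account already allocated
}

// ParseGridMap reads grid-mapfile text; pools lists the free accounts per pool name.
func ParseGridMap(text string, pools map[string][]string) *GridMap {
	gm := &GridMap{entries: map[string][]string{}, pools: pools, leases: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		end := strings.LastIndex(line, `"`)
		if line == "" || line[0] != '"' || end < 1 { // comments, blanks and malformed lines are skipped
			continue
		}
		gm.entries[line[1:end]] = strings.Split(strings.TrimSpace(line[end+1:]), ",")
	}
	return gm
}

// Map returns the local account for a certificate subject; an unknown DN is refused, which is where local policy on external users is applied.
func (gm *GridMap) Map(dn string) (string, error) {
	if acct, ok := gm.leases[dn]; ok {
		return acct, nil // a DN keeps the pool account it was first given
	}
	for _, t := range gm.entries[dn] { // nil for an unknown DN, so the loop runs zero times
		if !strings.HasPrefix(t, ".") {
			return t, nil
		}
		if free := gm.pools[t[1:]]; len(free) > 0 {
			gm.leases[dn], gm.pools[t[1:]] = free[0], free[1:]
			return free[0], nil
		}
	}
	return "", fmt.Errorf("no mapping or no free pool account for DN %q", dn)
}
```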
Summary - Grid security and trust
• Providers of resources (computers, databases,..) need risks to
be controlled: they are asked to trust users they do not know
– They trust a VO
– The VO trusts its users
• Users need
– single sign-on: to be able to logon to a machine that can pass the
user’s identity to other resources
– To trust owners of the resources they are using
• Build middleware on layer providing:
– Authentication: who wants to use/provide resource
– Authorisation: what the user is allowed to do
– Security: reduce vulnerability, e.g. from outside the firewall
– Non-repudiation: knowing who did what
• Digital credentials and the “Grid Security Infrastructure”
middleware are the basis of production grids
Summary - Grid security and trust
• Currently, achieved by Certification:
– User’s identity has to be certified by one of the national
Certification Authorities (CAs)
 mutually recognized http://www.gridpma.org/,
– Resources (host, services) are also certified by CAs
• User
– Each user should join a VO
– Digital certificate is basis of AA
– Identity passed to other resources you use, where it is
mapped to a local account – the mapping is maintained by
the VO
• Common agreed policies establish rights for a
Virtual Organization to use resources
Summary - Grid security and trust
• Certification and GSI provide
– Authentication
 Resource can trust user
 User can trust the resource provider
 …. So long as certificates are protected – they are your grid
identity
– A basis for Authorization
 so a VO can manage access to resources
 Resource providers trust the VO
 The VO trusts the user
– Mechanism for checking message integrity
 Messages are passed between machines
 Public/private key pairs protect message integrity as well as
authentication
• Not (usually) encrypted but message-integrity is checked
Contacts
• Israeli Academic Grid (IAG)
http://iag.iucc.ac.il/
• EGEE Website
http://www.eu-egee.org
• Try the grid…
https://gilda.ct.infn.it
http://gridcafe.web.cern.ch/gridcafe/
... Thank you very much