Certificates for DataGRID David Kelsey CLRC/RAL, UK [email protected] 3-Nov-00 D.P.Kelsey, HEPiX, JLAB Overview • • • • • DataGRID Globus security Example: UK CA Issues – for coordination Future plans • n.b.
Download ReportTranscript Certificates for DataGRID David Kelsey CLRC/RAL, UK [email protected] 3-Nov-00 D.P.Kelsey, HEPiX, JLAB Overview • • • • • DataGRID Globus security Example: UK CA Issues – for coordination Future plans • n.b.
Certificates for DataGRID David Kelsey CLRC/RAL, UK [email protected] 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 1 Overview • • • • • DataGRID Globus security Example: UK CA Issues – for coordination Future plans • n.b. early days: more questions than answers! 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 2 Work Packages • • • • • • • • • • • • WP 1 Grid Workload Management (C. Vistoli/Italy) WP 2 Grid Data Management (B. Segal/CERN) WP 3 Grid Monitoring services (R. Middleton/UK) WP 4 Fabric Management (T. Smith/CERN) WP 5 Mass Storage Management (J. Gordon/UK) WP 6 Integration Testbed (F. Etienne/France) WP 7 Network Services (C. Michau/France) WP 8 HEP Applications (F. Carminati/CERN) WP 9 EO Science Applications (L. Fusco/ESA) WP 10 Biology Applications (C. Michau/France) WP 11 Dissemination (G. Mascari/Italy) WP 12 Project Management (F. Gagliardi/CERN) 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 3 Simplified Workpackage Relationships Applications HEP Apps (WP8) EO Apps (WP9) Bio Apps (WP10) Data Grid Services Workload Management (WP1) Data Management (WP2) Core Middleware Physical Fabric ManageFabric ment (WP4) Monitoring Services (WP3) Globus Middleware Networking (WP7) Mass Storage Management (WP5) Grid Security Infrastructure (GSI) from Globus • Interdomain – bridges gap between different local solutions • Uses X.509 certificates for authentication – machines and users have a globally unique “ID” • • • • • – Certifies the user’s identity Avoids clear-text passwords Single sign-on via grid-proxy-init Authentication not authorisation Grid enabled applications – GSI-ftp, GSI-ssh, globus-job-run etc. GRID security kept separate from local site security and authorisation mechanisms – Access to Grid resources granted via mapping in a gridmap file – To local username or Kerberos principal 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 5 Certificates for Globus • 3 components – Certificate; signed by trusted 3rd party • contains the public key – Private key - stored on disk of home machine – Pass-phrase to decrypt private key • Can get these from Globus, but not sufficient checks • DataGRID Testbed needs its own Certificate Authority (CA) or CA’s – “Set of National CA’s” is the current favourite 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 6 Certificates for UK testbed As an example … • UK Testbed (4 or 5 sites) starting November 2000 • Globus CA certificates not appropriate • RAL will issue Globus certificates – limited lifetime (~ 6 months) with fixed end date – only for use by globus (not e-mail etc) • For bona fide members of the UK HEP Testbed community • Use personal contact with nominated contacts at each UK site for confirming user credentials 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 7 Issues for coordination • Users want simple and easy access – DataGRID needs certificates that will be valid across the whole Testbed (or whole GRID?) • One CA for DataGRID (or even HEP) not appropriate – But could have one CA plus hierarchical user registration • Scaling problems with many CA’s – All globus clients need a list of trusted CA’s – For maintenance, must minimise # of CA’s 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 8 Issues (2) • Does a hierarchy add value? – A HEP root-CA could certify all national CA’s – May need mods to Globus code? • Structure – National, Experiments, …? • Use general or Globus-specific certificates? • Need to have agreed and written procedures – so we can trust each others certificates – Will sites trust each other? • Proxy certificates are limited – no chaining 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 9 Issues (3) • Authorisation via certificates? – should certificate include the users experiment affiliation? – An important architectural decision • Globus developments … – Community Authorisation Server – Group access control over distributed resources • DataGRID needs to decide how to manage authorisation – LDAP registry of users/groups may be needed 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 10 Issues (4) • How to revoke certificates? (very important) – people who leave – compromised certificates (or CA!) – CA maintains a CRL – How to distribute? • User education – Safety of private key and pass-phrase – No sharing of certificates 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 11 Future plans • DataGRID WP6 Testbed security contacts/experts meet soon – Probably early next month at CERN – To propose the CA structure and procedures • Need to check PPDG and GriPhyN plans Question to audience… • Are there other issues we need to consider? 3-Nov-00 D.P.Kelsey, HEPiX, JLAB 12