Security_Workshop_10may01.ppt
DataGrid Security Workshop
29/30 March 2001
SUMMARY
David Kelsey
CLRC/RAL, UK
[email protected]
10-May-01
D.P.Kelsey, Security Workshop Summary
Agenda – Day 1
• Middleware Requirements
– WP1: M Ruda, CESnet
– WP2: B Segal, CERN
– WP3: S Fisher, RAL
– WP4: L Cons, CERN
– WP5: J Gordon, RAL
• Discussion and conclusions on middleware
– M9 and longer term
• WP6: Testbed Certificate Authorities (D Kelsey/RAL)
– including efforts to agree on CA CP/CPS
– plans for Testbed0/M9
Agenda – Day 2 (am)
• Experiment/Application requirements
– WP8 - LHCb: Eric van Herwijnen, CERN
– WP8 - Alice, Atlas, CMS: Ingo Augustin, CERN
– WP9 - Earth Observation: no input
– WP10 - Biology: Vincent Breton, IN2P3
• Site/Network Requirements: Denise Heagerty, CERN
• Work of the AAAARCH research group in the IRTF and possible emerging co-operation between GGF and IETF/IRTF: Cees de Laat, Utrecht, NL
• Ideas for M9 authorisation
– Tools from INFN: Francesco Giacomini, INFN
– Ideas for map files: Andrew McNab, Manchester
Agenda – Day 2 (pm)
• Discussion of Authorisation possibilities
– For M9
– Longer term (CAS etc)
• Other M9 requirements
– Audit?
– Incident tracking?
• Plans for continuation of this work
• Summary and conclusions
Summary – Day 1 (M9)
• Authentication - GSI seems OK
• Some authorisation required
– GIIS – will require MDS V3 – but not critical
– Grid mapfile probably OK
• No requirement for groups? (probably yes)
• Tools to maintain and manage this
– Job (re)submission – renew authorisation
• MyProxy may be useful
• List of appropriate clusters for WP1
• WAN access to SE only by ReplicaManager
– But users need more (e.g. remote database updates)
• Audit and Incident management?
Summary – Day 1 – long term
Longer term
• Security very important – can we trust it?
– Can we afford it? Warn PMB?
• Retain local control
• Authorisation the big problem to solve
– Revocation of authorisation
• Policies – language?
• Accounting
• Audit
• Firewalls (& NAT?)
• DOS
• Incident monitoring, tracking etc.
WP8/9/10 requirements
• Single sign-on
• Authorisation, quotas, accounting
– By role, by group
• Policies
• Encryption for WP10
• Light-weight access for WP10
• Web servlets for LHCb
• Long lived credentials
Site security requirements
Denise’s slide:
• How to agree a common security policy across site boundaries?
– national laws may differ, e.g. privacy
• Are firewalls feasible at high data rates?
– do we need common configurations across sites?
• How to detect intrusions?
• How to respond to incidents across sites?
– blocking access, tracing break-ins, a GRID-CSIRT?
• What issues are raised by a grid-wide SSO?
• How do we protect access to resources?
• What are the time scales and priorities?
– Are there already security issues for the Testbed?
AAAArch
• See Cees de Laat slides
• AAA Architecture
Tools for Grid Mapfile
• INFN
– Users and Groups in LDAP
– Tool to aid grid mapfile maintenance
• Gridmapdir patch to Globus (A McNab/Manchester)
– Maps to generic accounts
• Babar001, babar002, atlas001 etc
• Leased (and expired?)
Future plans
• WP6 Security concerns
– Responsibility of Site managers, Security mgrs
– CA – next meeting CERN 5th June
– Authentication, Authorisation
– User/Group registration
– Many management issues
• New Security task force
– Coordinate activities in middleware WPs
– Identify missing resources
– Architectural design (with ATF)
– Propose meeting at CERN on 6th June