OSG Authentication and Authorization Infrastructure - PowerPoint PPT Presentation

About This Presentation
Title:

OSG Authentication and Authorization Infrastructure

Description:

Certificate Revocation List (CRL) locations. Contact Information. Signing Policies. CRL Updates ... Conference Name and or location: Your Name. 15. Open Science Grid ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

Title: OSG Authentication and Authorization Infrastructure


1
OSG Authentication and Authorization
Infrastructure
  • Rob Quick
  • September 8, 2006

2
Agenda
  • Intro to OSG
  • Authentication
    • TAGPMA
    • DOEGrids CP/CPS
    • Cert Types
      • Personal
      • Host
      • Service
    • Using Certificates
  • Authorization
    • VOs and VOMS
    • Software on CE
    • Role Based Cert Extensions
    • Certificate Mapping
  • Other Security Procedures

3
The Open Science Grid
  • 26 Registered Virtual Organizations
  • 64 Compute Resources, 11 Storage Resources (US,
    South America, and Asia)
  • Currently 4100 Running Jobs, 4600 Idle Jobs
    (13:00 ET Tuesday, Sept 5)
  • Current usage largely LHC science
  • Interoperation with EGEE, TeraGrid, Regional and
    Campus Grids

4
Authentication
Authentication merely ensures that the individual
is who he or she claims to be, but says nothing
about the access rights of the individual.
5
TAGPMA
  • Three Regional Policy Management Authorities for
    Grids
    • EUGridPMA
    • APGridPMA
    • The Americas Grid Policy Management Authority
      (TAGPMA)
  • International Grid Trust Federation
    • Defining authentication profiles and minimum
      requirements to be trusted globally.
    • Currently using IGTF 1.8 Distribution
  • Purpose
    • Bring together relying parties and certificate
      authorities in the Americas to agree on
      authentication profiles
    • Reflect geographic realities
    • Develop new profiles for use by members

6
DOEGrids Certificates
  • Certificate Authority
    • The entity/system that issues X.509 identity
      certificates
  • Registration Authority
    • The entity that is responsible for identification
      and authentication of certificate subjects.
    • Formerly iVDGL, now OSG (www.grid.iu.edu/osg-ra)
  • VO Sponsors
    • Local identification of OSG users.
    • Each VO is responsible for assuring the identity
      of its users and setting policy related to
      procuring credentials

7
OSG VO Authentication Process
  • User requests cert from DOEGrids
  • OSG RA confirms identity via
    • Digitally Signed Mail
    • Phone
      • Only if RA and Requester have previously met
    • Face to Face Meeting
  • RA Approves Certificate

8
Personal Certificate Policies
  • Distinguished name must be unique
  • Minimum key length 1024
  • End Entity must generate private key.
  • Certificate lifetime of no more than 12 months.

9
Certificate Types
  • Personal
    • /DC=org/DC=doegrids/OU=People/CN=Robert Quick 290407
    • usercert.pem - userkey.pem
  • Host
    • /DC=org/DC=doegrids/OU=Services/CN=feynman.uits.iupui.edu
    • hostcert.pem - hostkey.pem
  • Service
    • /DC=org/DC=doegrids/OU=Services/CN=feynman.uits.iupui.edu
    • servicecert.pem - servicekey.pem
    • Service: http, tomcat, container, ldap, etc.

10
Using Certs
  • PKCS12
    • Personal Information Exchange Syntax Standard
    • Certificate Delivered (.p12)
  • Privacy Enhanced Mail (.pem)
    • Public Key
      • openssl pkcs12 -in YourCert.p12 -clcerts -nokeys
        -out $HOME/.globus/usercert.pem
    • Private Key
      • openssl pkcs12 -in YourCert.p12 -nocerts -out
        $HOME/.globus/userkey.pem
  • Cert Validation During Grid Transactions
    • Proxy certificates (RFC 3820)
    • Trusted CA CRL downloaded from VDT
    • Updated CRLs on each resource or GUMS server

11
Authorization
Authorization allows the user to access resources
based on the user's identity.
12
VOs
  • Virtual Organizations
    • Usually Experiment or Service Based
    • Each Responsible for Allowing Members
  • System Admins choose which VOs to allow based on
    site policy and experimental alignment
  • IU Sponsored VOs: OSG, OSGEDU, fMRI, iVDGL,
    GridEx, and MIS

13
VOMS
  • Virtual Organization Membership Service
  • Web Based Tool for Managing VO Membership
  • Developed at CERN by EU DataGrid

14
Compute Element Software
  • CA Certificates
    • Based on IGTF 1.8 Distribution (August 2006)
    • Root Certificates and related meta-information
      • Certificate Revocation List (CRL) locations
      • Contact Information
      • Signing Policies
  • CRL Updates
    • Runs as daemon on each gatekeeper or GUMS server
      updating each day

15
Role Based Certificate Extensions
  • Motivation
    • Previously all local mapping was many-to-one
      • All VO Users Mapped to the same local account
      • Decreases System Security
      • Decreases Data Security
      • Hinders Accounting
  • Centralized Management of Grid-Identity
    • Centralized Identity Mapping
  • Need to be able to map Roles within a VO
    • Role Based Identity Mapping

16
Role Based Certificate Extensions (Cont)
17
Centralized Mapping Requirements
  • PRIMA Module
    • Gatekeeper must be equipped with Grid-map callout
      introduced in GT3.2
    • Must be able to open outgoing HTTPS connection to
      GUMS server
  • GUMS
    • Tomcat
    • Incoming HTTPS Connections
    • MySQL
    • Synchronization with VOMS of all VOs

18
Role-Based Identity Mapping Requirements
  • Each Gatekeeper needs the set of public-key certs
    that are trusted to issue VOMS-extended proxies
  • voms-proxy-init
    • Client
    • VOMS Versions 1.2.19 or later
  • VOMS server accepting incoming connections from
    every possible VO member's workstation

19
Certificate Mapping
  • Grid User Management System
    • Sites that do not use GRID credentials natively
      • UNIX accounts
      • Kerberos principals
    • Gatekeeper enforces site mapping established by
      GUMS
    • Good in heterogeneous environments using multiple
      gatekeepers
  • Gridmap File
    • Pulls to a local file from VOMS Servers
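Added example (not OSG, GUMS or PRIMA code) illustrating slides 15 and 19: a parser for a simplified grid-mapfile, a check that surfaces the many-to-one mappings slide 15 warns about, and a mapping function that consults VOMS role attributes (FQANs) before falling back to the static file. The file contents, FQAN patterns and account names are constructed for the example.

```python
import re
import shlex

# Constructed sample grid-mapfile (simplified format): a quoted DN followed by
# the local account it maps to. Two people share "osg", the many-to-one case.
SAMPLE_GRIDMAP = """
# grid-mapfile pulled from the VOMS server (constructed sample)
"/DC=org/DC=doegrids/OU=People/CN=Robert Quick 290407" osg
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 111111" osg
"/DC=org/DC=doegrids/OU=Services/CN=feynman.uits.iupui.edu" osgsvc
"""

# Constructed role policy keyed on VOMS FQANs (/VO/group/Role=...), most
# specific rule first, the way a role-based mapping would be expressed.
ROLE_POLICY = [
    (re.compile(r"^/osg/Role=production$"), "osgprod"),  # production role
    (re.compile(r"^/osg(/.*)?$"), "osg"),                # plain VO member
]

def parse_gridmap(text):
    """Parse grid-mapfile lines into {DN: account}; reject malformed lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the DN is quoted because it has spaces
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        mapping[parts[0]] = parts[1]
    return mapping

def shared_accounts(mapping):
    """Accounts that several DNs land in: the many-to-one mapping that
    hinders accounting and removes isolation between VO users."""
    by_account = {}
    for dn, account in mapping.items():
        by_account.setdefault(account, []).append(dn)
    return {a: dns for a, dns in by_account.items() if len(dns) > 1}

def map_identity(dn, fqans, mapping, role_policy=ROLE_POLICY):
    """Pick the local account: VOMS role policy first (most specific rule
    wins), then the static grid-mapfile entry, else None (no access)."""
    for pattern, account in role_policy:
        if any(pattern.match(f) for f in fqans):
            return account
    return mapping.get(dn)
```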

20
Other Security Concerns
  • Local OSG Infrastructure Services
    • Risk Assessment Plan
  • Public Input to OSG GOC
    • security_at_, abuse_at_, incident_at_