GRID Security
Roberto Alfieri Università di Parma - INFN Parma
Parma, February 24-25 2004
Parma, 24-25/02/2004
2
Contents
• Introduction
  – Grid concepts: a definition, architecture, projects, software
• Grid Security requirements
• Authentication, confidentiality, data integrity, single sign-on
  – PKIX: PKI, X.509, CA, RA, INFN-CA how-to
  – GSI: SSL, proxy, delegation
• Authorization
  – Globus: grid-mapfile
  – EDG: VO-LDAP, VOMS
• Firewalls
Introduction
Introduction
A GRID definition
“Enable communities (virtual organizations) to share geographically distributed resources as they pursue common goals” [I. Foster, ANL]
[Figure: Tier0 resources at CERN: CPU servers, disk servers, tape silos and servers]
Atlas collaboration: 1850 members from 34 countries
Introduction
GRID architecture
[Figure: GRID architecture. Users reach grid services through a User Interface; each VO (VO1, VO2) runs a VO Server with grid services, managed by a VO admin; each Resource Provider exposes a Storage Element (SE, disks) and a Computing Element (CE, CPU farm) through grid services. Labelled interactions: GRID Login, GRID Authz, Local Authz, Job Submission (WLM), Resource Info.]
Introduction
Grid projects (INFN related)
Project     Purpose                                                      Funded
DataGrid    EU scientific Grid: evaluation, development, testbed         EU, 2001-2003
Grid.it     National scientific Grid: evaluation, development, testbed   MIUR, 2002-2005
EGEE        European production Grid                                     EU, 2004-2006
LCG         LHC production Grid                                          LHC, 2002-2008
INFN-grid   INFN production Grid                                         INFN
Introduction
DataGrid
Objectives:
• Develop a sustainable grid computing model for large scientific communities
• Large scale testbeds
Scientific applications:
• 6 High Energy Physics
• 5 Earth Observation
• 9 Bio-informatics
Funded: IST (EU) 9.8 M€
Period: 2001-2003
Web site: http://eu-datagrid.web.cern.ch/eu-datagrid/
Introduction
GRID.it
Objectives:
• R&D Grid technological development project
• Deployment of an Italian e-Science Grid infrastructure
Scientific fields:
• Earth Observation
• Geophysics
• Astronomy
• Biology and Genomics
• Computational Chemistry
Funded: FIRB (MIUR) 8.1 M€
Period: 2002-2005
Web site: www.grid.it
Introduction
EGEE
Objectives: create a Europe-wide production-quality Grid for scientific applications
Period: 2004-2006
Funded: IST (EU) 35 M€
Web site: http://www.eu-egee.org/
Introduction
LCG (LHC Computing Grid)
Purpose: prepare and deploy the Computing Environment for the LHC experiments
Periods: 2002-2005, 2006-2008
VO: Atlas, Alice, CMS, LHCb
Web site: lcg.web.cern.ch/LCG/
Introduction
INFN-Grid
[Figure: map of the INFN sites: Torino, Padova, Bari, Palermo, Firenze, Pavia, Genova, Napoli, Cagliari, Trieste, Roma, Pisa, L’Aquila, Catania, Bologna, Udine, Trento, Perugia, LNF, LNGS, Sassari, Lecce, LNS, LNL, Salerno, Cosenza, S. Piero, Ferrara, Parma, CNAF, Roma2, Milano]
Objectives:
• Promote computational Grid technologies
• Middleware R&D through EU projects (DataGrid, DataTAG) and internal activities
• Implement an INFN-Grid infrastructure
• Participate in the implementation of new National and European Grid Infrastructures (LCG, grid.it, EGEE, ..)
Web site: http://server11.infn.it/grid/
Introduction
GRID Software: Globus Toolkit
• Open source software toolkit used for building grids.
• Developed (mainly) at Argonne National Laboratory (ANL).
• Releases:
  – Globus 2: widely used distribution written in C
    • 4 layer protocols: Grid Security Infrastructure (GSI), Resource Management (GRAM), Information Service (GRIP), File Transfer (GridFTP)
    • 3 API categories: portability and convenience API (globus_common), API implementing the four layer protocols (globus_io, MPICH-G2, ..), Collective layer API
  – Globus 3: upcoming distribution implementing OGSI (Web Service based)
Introduction
GRID Software: LCG-1
• Linux RedHat 7.3
• Globus 2.2.4 core services (GRAM, GSI, MDS, GASS, …)
• Several EDG-2.0 components
  – Resource Broker
  – Replica Management tools
  – Packaging (LCFG)
  – VO-LDAP
  – VOMS (soon)
  – …
• Glue 1.1 Information Schema
• Few LCG modifications
[Figure: software lineage diagram with the labels: globus2 based, globus3 (OGSI) based; EDG, VDT, LCG-1, LCG-2, EGEE-1, EGEE-2; LCG, EGEE]
Grid Security Requirements
Authentication: establish the identity of an entity (user, host, ..) by means of credentials
– Grid-wide authentication
– With single sign-on (delegation support)
– Credential mapping
Authorization: establish the rights of the entity on the resource
– VO-level authorization
– Local policies must not be overridden
– Multi-VO support (users and resources)
Auditing: establish a logging and traceability method
– Every operation must be logged with the credential of the user (fine grained)
– The resource being used may be valuable
Confidentiality: a third party cannot understand the communication
– The data may be sensitive (e.g. medical data)
Integrity: data are not modified during communication
EDG Security
Credential authentication, confidentiality, data integrity, single sign-on
• GSI (Globus) - PKIX (IETF) - SSL (IETF) - Proxy and Delegation (Globus)
Authorization
• Present:
  – Grid-mapfile (Globus)
  – VO-LDAP (EDG)
• Future:
  – VOMS (EDG)
  – LCAS, LCMAPS (EDG)
GSI
• In the GSI system each user has a set of credentials, based on a Public Key Infrastructure (PKI), which they use to prove their identity on the grid
  – Consists of an X.509 certificate and a private key
• Uses SSL for authentication and message protection
• Adds features needed for single sign-on
  – Proxy credentials
  – Delegation
GSI
PKIX
• User’s credential is a key pair:
  – Private key (known only to the entity)
  – Public key (given to the world, encapsulated in an X.509 certificate)
• A key is a collection of bits (e.g. 2048 bits)
• The keys are used by special functions to encrypt and decrypt data (e.g. RSA): anything encrypted with the private key can only be decrypted with the public key, and vice versa.
[Figure: DATA encrypted with one key of the pair is decrypted with the other]
GSI
Digital Signature
• I can sign a document by encrypting (a hash function of) it with my private key.
• You can verify my signature by decrypting it with my public key.
• But how do you know that you have my correct public key?
• Answer: a third party named “Certification Authority” (CA).
• The CA joins the user identity and his public key in a new document named “User’s Certificate”, which is signed by the CA.
[Figure: signing: DATA > Hash > Encrypt (with the private key) > Signature. A user certificate: Name Carlo, Issuer INFN CA, Carlo’s public key, CA signature]
GSI
Certificate Authority (CA)
[Figure: the CA certificate: Name INFN CA, Issuer INFN CA, CA public key, CA signature]
• The CA signs its own certificate (typically self-signed), which is distributed to the world and can be used to verify certificates issued by the CA.
• The CA certificate has a long-term validity (typically 5 years).
GSI
Certificate Policy (CP)
• Each CA has a Certificate Policy (CP) which states when and how the CA issues certificates; it states whom it will issue certificates for (typically people or hosts belonging to a stable community such as an Institute, Industry, ..)
• Each CA has a namespace of certificates issued and constrains itself to sign certificates that are inside the namespace
• Each certificate issued has a FQDN
• Each certificate issued has a validity time (typically 1 year)
• Certificates are published in a Directory (e.g. LDAP or WWW) managed by the CA.
• The CA periodically publishes a list of revoked certificates that can be consulted manually (CRL) or automatically (OCSP protocol).
[Figure: INFN CA namespace tree from the base DN: It > INFN, CNR; INFN > Personal Cert., Host; > Parma, Firenze; > Roberto Alfieri]
GSI
Sample Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1148 (0x47c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT, O=INFN, CN=INFN Certification Authority
        Validity
            Not Before: Jan 31 13:29:07 2003 GMT
            Not After : Jan 31 13:29:07 2004 GMT
        Subject: C=IT, O=INFN, OU=Personal Certificate, L=CNAF, CN=Vincenzo Ciaschini/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): …..
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: md5WithRSAEncryption
    Signature: …
GSI
Registration Authority (RA)
• To request a certificate, a user starts by generating a key pair.
• The user signs the public key to form what is called a Certificate Request.
• The user then takes the request to a Registration Authority (RA).
• An RA’s responsibility is to verify the user’s name.
• Often the RA coexists with the CA and is not apparent to the user.
[Figure: the user signs the Public Key into a Certificate Request; the REGISTRATION AUTHORITY verifies the identity; the CERTIFICATION AUTHORITY signs the certificate]
GSI
EDG - CA
21 national certification authorities; common Certificate Policies, mutual trust.
http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html
Armenia - ArmeSFo
Canada - GridCanada
CERN
France - CNRS
Cyprus - CyGrid
Czech R - CESNET
Germany - GermanGrid
Greece - HellasGrid
Italy - INFN
Netherlands - NIKHEF
Nordic - NorduGrid
Poland - PolishGrid
Portugal - LIP
Russia - Russian DG
Slovakia - SlovakGrid
Spain - DG-ES
Taiwan - ASCCG
UK - UK e-Science
US - ESnet, DOE, FNAL
INFN CA: 38 Registration Authorities (24 INFN, 14 other Institutes); 1231 certificates issued since May 1998; CRL: https://security.fi.infn.it/CA/
GSI
Download the INFN CA cert
• http://security.fi.infn.it/CA/
• Click on Certificato INFN CA and follow the on-line instructions
GSI
Get your personal cert from INFN-CA
• Contact your local Registration Authority and get the ID code.
• http://security.fi.infn.it/CA/
• Click on Richiesta certificati
• Fill in the details of the owner:
  – Nome sezione;
  – Nome e Cognome;
  – E-mail: it must be the official one, [email protected].
• Click on Sottometti Richiesta.
• After the identity checks, you’ll receive an e-mail with the instructions for the download, using the same browser used to submit the request.
GSI
Export the certificate
• Export the certificate (extension .p12) and save a copy on a floppy (two is better...). The copy can be imported in another browser.
• Protect the copy with a good password (it will be asked for during the export procedure).
• Convert the certificate for use by the Globus toolkit:
  # private key (re-encrypted with a pass phrase) and certificate, both from the PKCS#12 export
  openssl pkcs12 -nocerts -in user.p12 -out ~/.globus/userkey.pem
  openssl pkcs12 -clcerts -nokeys -in user.p12 -out ~/.globus/usercert.pem
  # GSI refuses a key file that other users can read
  chmod 400 ~/.globus/userkey.pem
[Figure: export dialogs in Netscape and Explorer]
GSI
SSL Authentication
• Start by exchanging X.509 certificates
• Each side then sends over a challenge
• The challenge is signed with the private key and sent back
• Each side then verifies the certificate using PKI and the signature using the certificate
• If everything checks out, the identity from the certificate can be trusted
[Figure: MUTUAL AUTHENTICATION: each side sends a CHALLENGE, receives SIGN(CHALLENGE) and VERIFYs it]
GSI
SSL Confidentiality
After authentication a shared session key is established, to be used for message protection.
[Figure: both sides START an ENCRYPTED SESSION, using the SESSION KEY to ENCRYPT and DECRYPT]
GSI
Proxy Certificate
• A Proxy is a special type of X.509 certificate, signed by the normal end-entity certificate (or by another proxy).
• It allows a process to act on behalf of the user, supporting single sign-on and delegation.
• The private key of the Proxy is not encrypted: this avoids the need to re-enter the user’s pass phrase and reduces exposure of the user’s private key.
• The proxy lifetime is short (typically 12 h) to minimize security risks.
• The Subject of the proxy contains the Subject of the signing certificate.
• It is created by the grid-proxy-init command.
• It is stored in a local file protected by file system security: it must be readable only by the owner.
GSI
Starting a Grid session
• “login”: grid-proxy-init
  Your identity: /C=IT/O=INFN/CN=M.Rossi/[email protected]
  GRID pass phrase for this identity: *********
  Creating proxy ........................................ Done
  Your proxy is valid until Feb 24 02:44:51 2004
  – the proxy is stored in /tmp/x509up_uxxx
• You can now use the grid services.
• “logout”: grid-proxy-destroy
GSI
Proxy certificate structure
• openssl x509 -text -noout -in /tmp/x509up_u504
    Data:
        Version: 3 (0x2)
        Serial Number: 981 (0x3d5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT,O=INFN,CN=M.Rossi/[email protected]
        Validity
            Not Before: Nov 28 14:14:57 2002 GMT
            Not After : Nov 29 02:19:57 2002 GMT
        Subject: C=IT,O=INFN,CN=M.Rossi/[email protected], CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit): ......................................
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
    ......................................
GSI
Delegation
• Proxy creation can be recursive
  – each time a new private key and a new X.509 proxy certificate, signed by the original key
• Allows a remote process (agent) to act on behalf of the user
• Avoids sending passwords or private keys across the network
• The proxy may be a “Restricted Proxy”: a proxy with a reduced set of privileges (e.g. cannot submit jobs).
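The Digital Signature, CA, SSL Authentication and Proxy/Delegation slides above, carried through as one added Python example; this is teaching code written for this page, not Globus or EDG code. The RSA is textbook RSA over fixed Mersenne primes (a constructed choice so the example is deterministic and runs offline; it is not a usable PKI), the DNs, the "Toy CA" and the hour-based clock are constructed, and `verify_chain` applies the rules the slides state: each certificate is signed by the previous one (the end-entity by the trusted CA), each is inside its validity window, and a proxy's Subject is the signer's Subject plus `/CN=proxy`.

```python
"""Toy GSI-style credential chain: CA -> user certificate -> proxy -> delegated proxy."""
import hashlib
from dataclasses import dataclass, replace

# Constructed key material: pairs of Mersenne primes 2**k - 1 (prime for these k).
# gcd(65537, (p-1)(q-1)) == 1 for each pair, so e = 65537 is a valid exponent.
_M = {k: 2**k - 1 for k in (13, 17, 19, 31, 61, 89, 107, 127)}
KEY_FACTORS = {"ca": (_M[107], _M[127]), "user": (_M[61], _M[89]),
               "proxy": (_M[19], _M[31]), "delegated": (_M[13], _M[17])}


def toy_keypair(p, q, e=65537):
    """Textbook RSA: returns ((n, e), (n, d)), the public and private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced modulo n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private) -> int:
    """'Encrypt the hash with the private key' (Digital Signature slide)."""
    n, d = private
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, public) -> bool:
    """'Decrypt with the public key' and compare with the hash of the data."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: tuple          # (n, e)
    not_before: int            # toy clock, in hours
    not_after: int
    signature: int = 0

    def tbs(self) -> bytes:
        """The to-be-signed part: every field except the signature itself."""
        return f"{self.subject}|{self.issuer}|{self.public_key}|{self.not_before}|{self.not_after}".encode()


def issue(subject, public_key, issuer_subject, issuer_private, not_before, not_after) -> Cert:
    """The issuer binds a name to a public key by signing the pair
    (self-signed when issuer_subject == subject, as for the CA certificate)."""
    unsigned = Cert(subject, issuer_subject, public_key, not_before, not_after)
    return replace(unsigned, signature=sign(unsigned.tbs(), issuer_private))


def verify_chain(chain, trusted_ca: Cert, now: int) -> str:
    """Validate [end-entity cert, proxy, proxy, ...]; return the grid identity or raise ValueError."""
    signer = trusted_ca
    for depth, cert in enumerate(chain):
        if cert.issuer != signer.subject:
            raise ValueError(f"depth {depth}: issuer {cert.issuer!r} is not {signer.subject!r}")
        if not verify(cert.tbs(), cert.signature, signer.public_key):
            raise ValueError(f"depth {depth}: signature does not verify")
        if not cert.not_before <= now <= cert.not_after:
            raise ValueError(f"depth {depth}: not valid at time {now}")
        if depth > 0 and cert.subject != signer.subject + "/CN=proxy":
            raise ValueError(f"depth {depth}: proxy subject {cert.subject!r} breaks the naming rule")
        signer = cert
    return chain[0].subject        # whatever the delegation depth, the identity is the end entity


def chain_error(chain, trusted_ca, now) -> str:
    """The failure reason for a chain, or '' when it validates."""
    try:
        verify_chain(chain, trusted_ca, now)
        return ""
    except ValueError as exc:
        return str(exc)


def authenticate_peer(peer_chain, trusted_ca, now, challenge: bytes, response: int) -> str:
    """One direction of the SSL mutual-authentication slide: the peer presented its
    chain and returned SIGN(CHALLENGE); check the chain with the PKI and the
    signature with the presented (leaf) certificate."""
    identity = verify_chain(peer_chain, trusted_ca, now)
    if not verify(challenge, response, peer_chain[-1].public_key):
        raise ValueError("challenge signature does not match the presented credential")
    return identity


def build_demo(now=0):
    """Constructed credentials: 5-year CA, 1-year user cert, 12-hour proxy, 12-hour delegated proxy."""
    ca_pub, ca_priv = toy_keypair(*KEY_FACTORS["ca"])
    ca_dn = "/C=IT/O=INFN/CN=Toy CA"
    ca = issue(ca_dn, ca_pub, ca_dn, ca_priv, now, now + 5 * 365 * 24)
    user_pub, user_priv = toy_keypair(*KEY_FACTORS["user"])
    user = issue("/C=IT/O=INFN/L=Parma/CN=Mario Rossi", user_pub, ca_dn, ca_priv, now, now + 365 * 24)
    proxy_pub, proxy_priv = toy_keypair(*KEY_FACTORS["proxy"])
    proxy = issue(user.subject + "/CN=proxy", proxy_pub, user.subject, user_priv, now, now + 12)
    deleg_pub, deleg_priv = toy_keypair(*KEY_FACTORS["delegated"])
    delegated = issue(proxy.subject + "/CN=proxy", deleg_pub, proxy.subject, proxy_priv, now, now + 12)
    return {"ca": ca, "chain": [user, proxy, delegated],
            "keys": {"user": user_priv, "proxy": proxy_priv, "delegated": deleg_priv}}


if __name__ == "__main__":
    demo = build_demo()
    nonce = b"constructed challenge"
    print(authenticate_peer(demo["chain"], demo["ca"], 1, nonce, sign(nonce, demo["keys"]["delegated"])))
```

The identity returned is always the end-entity Subject, so a relying party maps the same grid user whether it sees the proxy or a proxy delegated from it; an expired 12-hour proxy is rejected at depth 1 even though the user certificate behind it is still valid.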
Authorization
Globus Authorization: the grid-mapfile
[Figure: Resource Provider with SE (grid services, DISKS) and CE (grid services, CPU farm)]
Managed manually by the resource admin:
• No centralization
• No scalability
"/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/[email protected]" alfieri
"/C=IT/O=INFN/L=Parma/CN=Fabio Spataro/[email protected]" spataro
EDG Authorization: the present
• Each VO manages an LDAP Directory named VO-LDAP
• Each site periodically generates (mkgridmap) a “grid-mapfile” (mapping DN > username)
• Dynamic mapping available (gridmapdir)
• Mapping customizable by the local site managers (mkgridmap.conf)
EDG Authorization
VO-LDAP Architecture
[Figure: the VO Directory (o=xyz,dc=eu-datagrid,dc=org) holds ou=People entries (CN=Mario Rossi, CN=Franz Elmer, CN=John Smith), each carrying an Authentication Certificate, and group branches (ou=Testbed1, ou=???); mkgridmap reads the directory and a local users ban list to produce the grid-mapfile]
VO-list (http://grid-it.cnaf.infn.it):
infngrid   INFN-Grid project
theophys   INFN theor. Phys.
virgo      INFN Virgo exp.
bio        Biology group
ingv       INGV Bologna
inaf       INAF
gridit     General Grid.it
alice      LHC exper.
atlas      LHC exper.
cms        LHC exper.
lhcb       LHC exper.
babar      BABAR exper.
EDG Authorization
Sample mkgridmap.conf
#### GROUP: group URI [lcluser]
# EDG Standard Virtual Organizations
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org .alice
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org .atlas
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=cms,dc=eu-datagrid,dc=org .cms
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org .lhcb
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=biomedical,dc=eu-datagrid,dc=org .biome
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=earthob,dc=eu-datagrid,dc=org .eo
group ldap://marianne.in2p3.fr/ou=ITeam,o=testbed,dc=eu-datagrid,dc=org .iteam
group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org .wpsix
# Other Virtual Organizations
group ldap://grid-vo.cnaf.infn.it/ou=testbed1,o=infn,c=it .infngrid

#### Optional - ACL: deny|allow pattern_to_match
deny *Cecchini*

#### Optional - GRID-MAPFILE-LOCAL
gmf_local /opt/edg/etc/grid-mapfile-local
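The grid-mapfile slide and the mkgridmap.conf above, as one added Python example (written for this page; it is not EDG's mkgridmap or the Globus gatekeeper). The LDAP fetch is replaced by a constructed in-memory table keyed by the same kind of `group` URI, the config, DNs, deny pattern and pool account names are constructed, and two semantics are assumptions of this example, not documented EDG behaviour: a DN listed by several groups takes the first group's local user, and a matching `deny` pattern excludes the DN outright (an `allow` pattern, when present, must match). The leading dot on `.alice` is read as a pool account, resolved through a small gridmapdir-style lease table.

```python
"""mkgridmap-style grid-mapfile generation, then gatekeeper-side lookup of a proxy DN."""
import fnmatch
import re

# Constructed mkgridmap.conf in the syntax shown on the slide.
MKGRIDMAP_CONF = """\
#### GROUP: group URI [lcluser]
group ldap://grid-vo.example.org/ou=testbed1,o=alice,dc=eu-datagrid,dc=org .alice
group ldap://grid-vo.example.org/ou=testbed1,o=infn,c=it .infngrid

#### Optional - ACL: deny|allow pattern_to_match
deny *CN=Banned*

#### Optional - GRID-MAPFILE-LOCAL
gmf_local /opt/edg/etc/grid-mapfile-local
"""

# Constructed stand-in for the VO-LDAP directories named by the group URIs.
VO_MEMBERS = {
    "ldap://grid-vo.example.org/ou=testbed1,o=alice,dc=eu-datagrid,dc=org": [
        "/C=IT/O=INFN/L=Parma/CN=Mario Rossi",
        "/C=IT/O=INFN/L=Test/CN=Banned Tester",      # hit by the deny ACL
    ],
    "ldap://grid-vo.example.org/ou=testbed1,o=infn,c=it": [
        "/C=IT/O=INFN/L=Parma/CN=Mario Rossi",       # member of two VOs: first group wins (assumed)
        "/C=IT/O=INFN/L=Parma/CN=Anna Bianchi",
    ],
}

# Constructed contents of the file named by gmf_local (site-managed static entries).
LOCAL_FILES = {"/opt/edg/etc/grid-mapfile-local": '"/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri" alfieri\n'}

_ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')   # "<DN>" <local user>


def parse_conf(text):
    """Return (groups, acl, gmf_local) from mkgridmap.conf text; '#' starts a comment."""
    groups, acl, gmf_local = [], [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "group" and len(parts) == 3:
            groups.append((parts[1], parts[2]))
        elif parts[0] in ("allow", "deny") and len(parts) == 2:
            acl.append((parts[0], parts[1]))
        elif parts[0] == "gmf_local" and len(parts) == 2:
            gmf_local = parts[1]
        else:
            raise ValueError(f"unrecognised mkgridmap.conf line: {raw!r}")
    return groups, acl, gmf_local


def acl_permits(dn, acl):
    """Assumed semantics: any matching deny excludes the DN; if allow patterns exist, one must match."""
    if any(fnmatch.fnmatchcase(dn, pat) for verb, pat in acl if verb == "deny"):
        return False
    allows = [pat for verb, pat in acl if verb == "allow"]
    return not allows or any(fnmatch.fnmatchcase(dn, pat) for pat in allows)


def parse_gridmap(text):
    """grid-mapfile text -> {DN: local user}; malformed lines raise rather than being skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY.match(line)
        if not match:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        entries[match.group(1)] = match.group(2)
    return entries


def build_gridmap(conf_text, directories, local_files):
    """What mkgridmap does: pull each group's members, filter by the ACL, map them to the
    group's local user, then apply the site-local file on top (the resource admin's last word)."""
    groups, acl, gmf_local = parse_conf(conf_text)
    mapping = {}
    for uri, lcluser in groups:
        for dn in directories.get(uri, []):
            if acl_permits(dn, acl):
                mapping.setdefault(dn, lcluser)
    if gmf_local:
        mapping.update(parse_gridmap(local_files.get(gmf_local, "")))
    return "".join(f'"{dn}" {user}\n' for dn, user in mapping.items())


class PoolAccounts:
    """Minimal gridmapdir-style allocator: a DN keeps the pool account it was first given."""

    def __init__(self, accounts):                 # {"alice": ["alice001", "alice002"]}
        self.free = {pool: list(names) for pool, names in accounts.items()}
        self.leases = {}

    def lease(self, pool, dn):
        if (pool, dn) not in self.leases:
            if not self.free.get(pool):
                raise RuntimeError(f"pool {pool!r} exhausted")
            self.leases[(pool, dn)] = self.free[pool].pop(0)
        return self.leases[(pool, dn)]


def end_entity_dn(proxy_subject):
    """Strip the /CN=proxy components appended by grid-proxy-init and by each delegation."""
    while proxy_subject.endswith("/CN=proxy"):
        proxy_subject = proxy_subject[: -len("/CN=proxy")]
    return proxy_subject


def map_user(gridmap_text, proxy_subject, pool=None):
    """Gatekeeper-side lookup: proxy Subject -> end-entity DN -> local account (None if unmapped)."""
    dn = end_entity_dn(proxy_subject)
    user = parse_gridmap(gridmap_text).get(dn)
    if user is not None and user.startswith(".") and pool is not None:
        return pool.lease(user[1:], dn)
    return user
```

Because lookups key on the end-entity DN, a delegated proxy (`.../CN=proxy/CN=proxy`) maps to the same account as the first-level proxy, and the banned DN never reaches the file at all, which is the cheapest place to enforce a site ban.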
EDG Authorization
VO Registration
• Sign the usage guidelines: open the following URL and click on “Accept”:
  https://marianne.in2p3.fr/cgibin/datagrid/register/account.pl
• Ask your VO administrator for an account.
EDG Authorization
VO-LDAP drawbacks
• Flexibility
  – Only group membership supported (no roles or other Authz info)
  – No multi-VO support for users
  – Grid Authz info is mapped to Unix ACLs (site-oriented)
• Reliability
  – Authz info obtained using a pull model is less reliable
• Scalability
  – LDAP vs RDBMS
EDG Authorization: the future
• Virtual Organization Membership Service (VOMS)
  – Grants authorization data to users at VO level
  – Each VO has its own VOMS
• Local Centre Authorization Service (LCAS)
  – Handles authorization requests to the local fabric
• Local Credential Mapping Service (LCMAPS)
  – Provides the local credentials needed for jobs in the fabric
EDG Authorization
VOMS Architecture
[Figure: VOMS server components: vomsd (GSI), voms-httpd (Apache & mod_ssl), Tomcat & java-sec running the axis/VOMSimpl servlet (soap), and a DB reached through JDBC and DBI. Clients: the User via voms-proxy-init, the VO-manager via Perl CLI, Java GUI or browser over https, and the resource via mkgridmap over http]
EDG Authorization
VOMS: User Client Operations
[Figure: the client (proxy C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) sends an Authentication Request to the VOMS server, which looks up the User’s attributes in the AuthDB and returns them; the steps below are numbered 1-7 in the figure]
1. Mutual authentication and encrypted communication client-server (via SSL)
2. Client sends request to server
3. Server checks correctness of request
4. Server sends back the required info, signed by itself
5. Client checks results
6. Client repeats the process for other VOMSs
7. Client creates proxy certificates containing all the info received, in a (non-critical) extension
EDG Authorization
VOMS tables structure
• VO’s Users
• Attributes
  – Group (hierarchically organized)
  – Role (admin, staff, student, ..)
  – Capability (free-form string)
• SQL Query
  – for personalization by the VO
• Administrators
• Admin ACL
  – controls the operations of the Administrators
• Certification Authorities
EDG Authorization
voms-proxy-init Options
All the queries have an implicit <userid> field, derived from the user’s certificate.
A : all info regarding the user (default option);
G <group> : user is member of <group>;
R <role> : user has role <role>;
B <group>:<role> : user is member of <group> with role <role>;
The administrator can add VO-specific SQL queries:
L : lists all available queries;
S <qid> : executes the query <qid>.
Example:
voms-proxy-init -voms cms -voms infngrid:Gtestbed1
EDG Authorization
Authorization Info
user’s identity:
/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/[email protected]
/C=IT/O=INFN/CN=INFN CA
VOMS identity:
/C=IT/O=INFN/OU=voms/L=PR/CN=gridvoms.pr.infn.it/[email protected]
/C=IT/O=INFN/CN=INFN CA
user’s info:
VOname: CMS
VOurl: http://cms.cern.ch
TIME1: 020710134823Z
TIME2: 020711134822Z
GROUP: montecarlo
ROLE: administrator
SIGNATURE: (binary)
Inserted in a non-critical extension of the user’s proxy, OID 1.3.6.1.4.1.8005.100.100.1; one for each VOMS Server contacted.
EDG Authorization
Proxy Certificate with Authz info
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 976 (0x3d0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT, O=INFN, OU=Personal Certificate, L=Parma, CN=Roberto Alfieri
        Validity
            Not Before: Dec 17 15:48:24 2002 GMT
            Not After : Dec 18 03:53:24 2002 GMT
        Subject: C=IT, O=INFN, OU=Personal Certificate, L=Parma, CN=Roberto Alfieri, CN=proxy
        Subject Public Key (omitted)
        X509v3 extensions:
            1.3.6.1.4.1.8005.100.100.1:
                SIGLEN:128
                SIGNATURE:(binary)
                USER:/C=IT/O=INFN/OU=Personal Certificate/L=Parma/CN=Roberto Alfieri
                UCA:/C=IT/O=INFN/CN=INFN Certification Authority
                SERVER:/C=IT/O=INFN/OU=cas server/L=Bologna/CN=cas/aaa-test.cnaf.infn.it
                SCA:/C=IT/O=INFN/OU=Authority/CN=INFN CA (2)
                VO:unspecified
                021217155324Z
                021217155824Z
                DATALEN:8
                NO DATA
    Signature (omitted)
EDG Authorization
VOMS Traceability
• every table has a corresponding “archive” table;
• rows are never deleted or modified: they are moved to the corresponding archive table;
• every table has a pair of columns:
  – createdBy: the id of the requester of the operation that created this record;
  – createdSerial: a database-wide unique, ordered serial number that identifies this exact operation (it is a transaction id);
• archive tables have the same schema as data tables, plus:
  – deletedBy: the requester of the operation that expired the row;
  – deletedSerial: the transaction number of the operation;
• the server can query the state of the database at any given time or transaction number.
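The traceability design above, reproduced as an added Python example on sqlite3 (standard library); this is not the VOMS schema or VOMS code, only the pattern the slide describes: a live table and an archive table with the same columns plus `deletedBy`/`deletedSerial`, a database-wide serial allocated per operation, no in-place updates or deletes, and a query that rebuilds the membership as it stood right after any given serial. Column names, the `serial` counter table and the DNs are constructed.

```python
"""Append-only membership store with an archive table, after the VOMS traceability slide."""
import sqlite3

SCHEMA = """
CREATE TABLE members (
    dn TEXT NOT NULL, vo_group TEXT NOT NULL, role TEXT,
    createdBy TEXT NOT NULL, createdSerial INTEGER NOT NULL);
CREATE TABLE members_archive (
    dn TEXT NOT NULL, vo_group TEXT NOT NULL, role TEXT,
    createdBy TEXT NOT NULL, createdSerial INTEGER NOT NULL,
    deletedBy TEXT NOT NULL, deletedSerial INTEGER NOT NULL);
CREATE TABLE serial (next INTEGER NOT NULL);
INSERT INTO serial VALUES (1);
"""


class TraceableVO:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def _next_serial(self):
        """Database-wide ordered transaction id (the slide's createdSerial/deletedSerial)."""
        (current,) = self.db.execute("SELECT next FROM serial").fetchone()
        self.db.execute("UPDATE serial SET next = ?", (current + 1,))
        return current

    def _create(self, admin, serial, dn, group, role):
        self.db.execute("INSERT INTO members VALUES (?, ?, ?, ?, ?)", (dn, group, role, admin, serial))

    def _expire(self, admin, serial, dn, group):
        """Move the live row to the archive, stamping who expired it and in which transaction."""
        moved = self.db.execute(
            "INSERT INTO members_archive "
            "SELECT dn, vo_group, role, createdBy, createdSerial, ?, ? "
            "FROM members WHERE dn = ? AND vo_group = ?", (admin, serial, dn, group)).rowcount
        self.db.execute("DELETE FROM members WHERE dn = ? AND vo_group = ?", (dn, group))
        return moved

    def add(self, admin, dn, group, role=None):
        serial = self._next_serial()
        self._create(admin, serial, dn, group, role)
        self.db.commit()
        return serial

    def remove(self, admin, dn, group):
        serial = self._next_serial()
        if not self._expire(admin, serial, dn, group):
            self.db.rollback()
            raise KeyError((dn, group))
        self.db.commit()
        return serial

    def change_role(self, admin, dn, group, role):
        """A modification is an expiry plus a creation under the same serial."""
        serial = self._next_serial()
        if not self._expire(admin, serial, dn, group):
            self.db.rollback()
            raise KeyError((dn, group))
        self._create(admin, serial, dn, group, role)
        self.db.commit()
        return serial

    def state_at(self, serial):
        """Rows in force right after transaction `serial`: live rows created by then,
        plus archived rows created by then and expired in a later transaction."""
        rows = self.db.execute(
            "SELECT dn, vo_group, role FROM members WHERE createdSerial <= ? "
            "UNION ALL "
            "SELECT dn, vo_group, role FROM members_archive "
            "WHERE createdSerial <= ? AND deletedSerial > ?", (serial, serial, serial)).fetchall()
        return sorted(rows, key=lambda r: (r[0], r[1], r[2] or ""))

    def audit(self, serial):
        """Everything one transaction did, and who requested it."""
        return self.db.execute(
            "SELECT 'created', dn, vo_group, role, createdBy FROM members WHERE createdSerial = ? "
            "UNION ALL SELECT 'created', dn, vo_group, role, createdBy FROM members_archive "
            "WHERE createdSerial = ? "
            "UNION ALL SELECT 'expired', dn, vo_group, role, deletedBy FROM members_archive "
            "WHERE deletedSerial = ?", (serial, serial, serial)).fetchall()
```

Nothing is ever overwritten, so `state_at` is a pure function of the two tables and the serial, and `audit` answers the question an incident responder asks first: which administrator changed this membership, and in which transaction.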
EDG Authorization
Authn/Authz control flow
[Figure: the user’s proxy (C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy, carrying the VOMS pseudo-cert) reaches the Gatekeeper over SSL (auth + encrypt); the LCAS client passes the Id to LCAS (plug-ins: ACL, timeslot, gridmap; config) and gets Yes/no; the LCMAPS client passes the Id to LCMAPS (plug-ins: role2uid, role2afs; config) and gets a credlist; the Gatekeeper applies the creds and starts the Jobmanager]
EDG-gatekeeper (EDG 1.4 and later distributions) supports plug-ins in the authorization processing flow.
LCAS is an access-permission plug-in, currently based on the grid-mapfile.
LCMAPS is a plug-in for the VO credential to local credential mapping.
The resource manager can customize these plug-ins for the user’s attribute processing.
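The control flow above (and the VOMS attribute block shown two slides earlier), as an added Python example written for this page; it is not the EDG LCAS/LCMAPS code. The VOMS attributes are constructed in the key:value layout of the Authorization Info slide, with the times in UTCTime form (`YYMMDDhhmmssZ`); the ban list, the allowed timeslot, the trusted VOMS server set and the `role2uid` table are constructed; and the VOMS signature is assumed to have been verified before this stage (against the VOMS server certificate), since this example has no signature code. The plug-in order and the "most specific (VO, group, role) entry wins" rule are this example's assumptions.

```python
"""LCAS/LCMAPS-style decision flow driven by VOMS attributes."""
import fnmatch
from datetime import datetime, timezone

# Constructed attribute block in the layout of the Authorization Info slide.
VOMS_ATTRS = """\
USER:/C=IT/O=INFN/L=CNAF/CN=Mario Rossi
UCA:/C=IT/O=INFN/CN=INFN CA
SERVER:/C=IT/O=INFN/OU=voms/L=PR/CN=gridvoms.pr.infn.it
SCA:/C=IT/O=INFN/CN=INFN CA
VOname:CMS
VOurl:http://cms.cern.ch
TIME1:020710134823Z
TIME2:020711134822Z
GROUP:montecarlo
ROLE:administrator
SIGNATURE:(binary; assumed verified before this stage)
"""

# Constructed LCAS inputs: banned DN patterns, allowed UTC hours [start, end), trusted VOMS servers.
BAN_LIST = ["*CN=Banned*"]
TIMESLOTS = [(8, 20)]
TRUSTED_VOMS = {"/C=IT/O=INFN/OU=voms/L=PR/CN=gridvoms.pr.infn.it"}

# Constructed LCMAPS role2uid table: (VO, group, role) -> local account, None = any.
ROLE2UID = {
    ("CMS", "montecarlo", "administrator"): "cmsprod",
    ("CMS", "montecarlo", None): "cmsmc",
    ("CMS", None, None): "cms001",
}


def parse_utc(value):
    """VOMS times are UTCTime, YYMMDDhhmmssZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_voms_attrs(text):
    """key:value lines -> dict; GROUP/ROLE may repeat and become lists, TIME1/TIME2 become datetimes."""
    attrs = {"groups": [], "roles": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key == "SIGNATURE":
            continue
        value = value.strip()
        if key in ("TIME1", "TIME2"):
            attrs[key] = parse_utc(value)
        elif key == "GROUP":
            attrs["groups"].append(value)
        elif key == "ROLE":
            attrs["roles"].append(value)
        else:
            attrs[key] = value
    return attrs


def end_entity_dn(proxy_subject):
    """Strip the /CN=proxy components added by (voms-)proxy-init and by delegation."""
    while proxy_subject.endswith("/CN=proxy"):
        proxy_subject = proxy_subject[: -len("/CN=proxy")]
    return proxy_subject


def lcas(user_dn, attrs, now):
    """Access decision (yes/no plus reason): ACL, timeslot, then validity and origin of the attributes."""
    if any(fnmatch.fnmatchcase(user_dn, pat) for pat in BAN_LIST):
        return False, "DN is on the ban list"
    if not any(start <= now.hour < end for start, end in TIMESLOTS):
        return False, "outside the allowed timeslot"
    t1, t2 = attrs.get("TIME1"), attrs.get("TIME2")
    if t1 is None or t2 is None or not t1 <= now <= t2:
        return False, "VOMS attributes not valid at this time"
    if attrs.get("SERVER") not in TRUSTED_VOMS:
        return False, "attributes signed by an unknown VOMS server"
    if attrs.get("USER") != user_dn:
        return False, "VOMS attributes were issued to a different DN"
    return True, "ok"


def lcmaps(attrs):
    """Credential mapping: the most specific (VO, group, role) entry of role2uid wins."""
    vo = attrs.get("VOname")
    for group in attrs["groups"] + [None]:
        for role in attrs["roles"] + [None]:
            if (vo, group, role) in ROLE2UID:
                return ROLE2UID[(vo, group, role)]
    return None


def gatekeeper(proxy_subject, voms_text, now):
    """Authn/Authz control flow: identity -> LCAS yes/no -> LCMAPS local credential."""
    user_dn = end_entity_dn(proxy_subject)
    attrs = parse_voms_attrs(voms_text)
    allowed, reason = lcas(user_dn, attrs, now)
    local_user = lcmaps(attrs) if allowed else None
    if allowed and local_user is None:
        allowed, reason = False, "no local account for these attributes"
    return {"dn": user_dn, "authorized": allowed, "reason": reason, "local_user": local_user}
```

The check that the `USER` field equals the authenticated DN is the one that matters most: attributes are useful to an attacker only if they can be presented under a different identity, so the mapping must be tied to the DN that actually completed the SSL authentication, not to the DN written inside the attribute block.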
EDG Authorization
mkgridmap-2.x
We support a transitional period where VOMS and VO-LDAP can coexist: VOMS can also be used for grid-mapfile generation by an enhanced version of mkgridmap.
• New feature: authenticated access to VOMS (not LDAP) servers, to restrict the clients allowed to download the list of the VO members
• New directive in the config file:
  group ldap://grid-vo.cnaf.infn.it/ou=testbed1,o=infn,c=it .infngrid
  group https://vo-iteam.datagrid.cnrs.fr/iteam .iteam
[Figure: on the CE, mkgridmap reads “group ldap://…” entries from VO-LDAP and “group https://…” entries from VOMS (authn and restricted access) and writes the grid-mapfile]
EDG AA: workflow
[Figure: PRESENT and FUTURE authentication/authorization workflow. A new user obtains a certificate from the CA through the RA (cert req > cert) and registers with the VO (VO reg) in the VO-LDAP (present) or VOMS (future) server run by the VO admin; users log in with grid-proxy-init or voms-proxy-init and submit jobs through the User Interface to the JS / WLM / RBroker, which uses the RInf InfoIndex; at the Resource Provider (SE with DISKS, CE with CPU farm) the grid-mapfile, rebuilt daily, is checked (present) or lcas/lcmaps are invoked (future)]
EDG Firewalls
EDG Firewalling
EDG Firewall: table of ports (updated Feb 2004)
Each EDG Grid Element has a list of TCP ports that must be open.
Firewall issues for EDG
• the list is not stable (yet)
• Globus may use many services (e.g. GASS, GridFTP) bound to random client ports > 1023, so you need to open inbound connections to ports > 1023. You can restrict the range of the client’s ports by setting GLOBUS_TCP_PORT_RANGE (e.g. 30000 - 31000)
• Worker Nodes are often kept on private networks, but outbound connectivity on the GridFTP port is required for the input and output of sandboxes.
EDG Firewall policies
Light:
  Outgoing: accept all
  Incoming < 1024: accept only needed ports (see table)
  Incoming > 1024: accept all
Medium:
  Outgoing: accept all
  Incoming: accept only needed ports (see table)
  Restrict the range of dynamic ports used by Globus from 30000 to 31000 (TCP_PORT_RANGE env) and accept this range
Heavy:
  An ACL per machine
  Restrict the range of dynamic ports used by Globus from 30000 to 31000 (TCP_PORT_RANGE env) and accept this range
Future: Grid Services (based on HTTP/HTTPS protocol) will ease firewall and proxy management.
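The three policies above, expressed as decision functions and compared on the same traffic, as an added Python example written for this page (not an EDG tool). The EDG port table is not reproduced on the page, so `NEEDED_PORTS` is a constructed list of the well-known Globus 2 service ports (GRAM gatekeeper 2119, MDS 2135, GridFTP 2811) plus ssh; the host ACL and the connection attempts are constructed; and the `GLOBUS_TCP_PORT_RANGE` syntax parsed here is the comma-separated `low,high` form, with the slide's `30000 - 31000` spelling accepted as well.

```python
"""Light / Medium / Heavy EDG firewall policies as decision functions."""
import re

NEEDED_PORTS = frozenset({22, 2119, 2135, 2811})   # constructed stand-in for the EDG port table
GLOBUS_RANGE = (30000, 31000)                       # the range the slides recommend


def parse_port_range(value):
    """'30000,31000' (or '30000 - 31000') -> (30000, 31000); rejects ranges below 1024."""
    lo, hi = (int(x) for x in re.split(r"[,\s–-]+", value.strip()))
    if not 1023 < lo <= hi <= 65535:
        raise ValueError(f"bad port range {value!r}")
    return lo, hi


def accepts(policy, direction, port, source=None, needed=NEEDED_PORTS,
            globus_range=GLOBUS_RANGE, host_acl=frozenset()):
    """True if the named policy lets a TCP connection through.

    direction is 'out' (from the grid element) or 'in' (to it); source is the
    peer host and is consulted only by the Heavy policy's per-machine ACL.
    """
    if direction == "out":
        return True                          # all three policies accept outgoing traffic
    lo, hi = globus_range
    if policy == "light":                    # weak: everything above 1023 is open inbound
        return port in needed if port < 1024 else True
    if policy == "medium":                   # needed ports plus the restricted Globus range
        return port in needed or lo <= port <= hi
    if policy == "heavy":                    # as Medium, and only from listed machines
        return source in host_acl and (port in needed or lo <= port <= hi)
    raise ValueError(f"unknown policy {policy!r}")


def compare(attempts, **kwargs):
    """{policy: [accepted attempts]} for a list of (direction, port, source) tuples."""
    return {pol: [a for a in attempts if accepts(pol, *a, **kwargs)]
            for pol in ("light", "medium", "heavy")}


if __name__ == "__main__":
    # Constructed traffic: gatekeeper, a Globus dynamic port, an unrelated high port, telnet, GridFTP out.
    traffic = [("in", 2119, "ce01.example.org"), ("in", 30500, "ui.example.org"),
               ("in", 4444, "unknown.example.org"), ("in", 23, "unknown.example.org"),
               ("out", 2811, "se.example.org")]
    for policy, accepted in compare(traffic, host_acl={"ce01.example.org"}).items():
        print(policy, [(d, p) for d, p, _ in accepted])
```

The comparison makes the slide's trade-off concrete: Light lets the unrelated connection to port 4444 through because it cannot tell a Globus callback from anything else above 1023, while Medium admits only the advertised range and Heavy additionally requires the peer to be a listed machine.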
Further Information
• EDG Security Coordination Group: http://cern.ch/hep-project-grid-scg
• EDG CAs: http://marianne.in2p3.fr/datagrid/ca
• EDG Authz Working Group: http://grid-auth.infn.it/
• EDG Java Security: http://cern.ch/edg-wp2/security/voms
• EDG Security Requirements: http://edms.cern.ch/document/340234
• Grid Security Infrastructure (GSI): http://www.globus.org/security/