Mine Altunay - PowerPoint PPT Presentation

About This Presentation
Title:

Mine Altunay

Description:

Use voms-proxy-init instead ... https/SOAP. SAML response. SAML query. Get storage authz for this username ... http://osg-docdb.opensciencegrid.org/cgi-bin ... – PowerPoint PPT presentation

Number of Views:53
Avg rating:3.0/5.0
Slides: 22
Provided by: malt9
Category:
Tags: altunay | cgi | http | mine | proxy | server | tutorial

less

Transcript and Presenter's Notes

Title: Mine Altunay


1
Open Science Grid Security
  • Mine Altunay
  • OSG Security Officer

Gateway Security Summit January 28-30, 2008 San
Diego Supercomputer Center
2
OSG Security Team
Mine Altunay FNAL
Doug Olson LBNL
Bob Cowles SLAC
Don Petravick FNAL
3
OSG Security
  • The big picture
  • What OSG security does ?
  • Security Infrastructure
  • Authentication
  • VOMS
  • PRIMA/GUMS
  • gPlazma
  • gLexec
  • How can someone become part of OSG

4
OSG Security
  • A security framework that enables science and
    promotes autonomous and open science
    collaboration among VOs, sites, and software
    providers
  • Operational
  • Vulnerability analysis, patches,
  • Incident response
  • Interoperability
  • Joint policy work, JSPG, MWSG, IGTF
  • Why we are here how to build interoperability
    with other Grids TeraGrid
  • Education
  • Security tutorials, documents for naïve user

5
(No Transcript)
6
Security Infrastructure
  • Authentication
  • Performed by GSI
  • OSG distributes IGTF approved root CAs (in VDT)
  • Sites fetches automatic CRL updates
  • Sites can update root CAs (optional tool in VDT)

7
AuthorizationVOMSPRIMAGUMS
VOMS Server
Attribute Repository
1 voms-proxy-init
2 receive VO permissions
3
Synch periodically to get VO membership
4 request account
5 account mapping
Batch system
6
8
VOMS
  • VO Membership service
  • VO manages access rights for its members
  • FQAN Fully Qualified Attribute Name
  • Based on RFC 3281
  • Example /oscar.nikhef.nl/mcprod/Roleproduction/C
    apabilityNULL
  • Different roles have different permissions
  • Sites must honor VO permissions
  • VOMS registration
  • via VOMS, or VOMRS or manually
  • Use voms-proxy-init instead of grid-proxy-init
  • VO specific permissions FQAN inserted into X.509
    noncritical extensions

9
GUMS Grid User Management Service
  • Maps user DNs/FQANs to accounts
  • Replaces grid-map files
  • Site-wide tool
  • Sites recognize VO permissions
  • Synch with VOMS periodically
  • Downloads the VO memberships, FQANs
  • Can work with LDAP instead of VOMS

10
GUMS
  • Three types of mapping
  • personal accounts (manual or from LDAP)
  • group accounts (multiple DNs to a single UID,
    like VO -gt UID)
  • pool accounts (dynamically generated)
  • Guarantee that the same UID can be used by only
    one DN/FQAN at any given time
  • Currently, the pool account is created when a
    DN/FQAN is first seen, and never released

11
GUMS
  • Two kinds of grouping
  • User groups
  • Map (DN,FQAN) to (uid,gid)
  • Host groups
  • Connect host with user groups
  • A M x N configuration
  • A single host group can be used for
  • Multiple hosts (like ".usatlas.bnl.gov")
  • Multiple user groups (like usatlasGroup,atlas,dia
    l")

12
gPlazma Storage Authz
13
CE and SE Big Picture
14
Local or Remote Client Proxy with VO Membership
Role Attributes
15
Local or Remote Client Proxy with VO Membership
Role Attributes

16
Local or Remote Client Proxy with VO Membership
Role Attributes

17
Local or Remote Client Proxy with VO Membership
Role Attributes

gPLAZMALite Authorization Services suite
18
gLExec
Slide courtesy Igor Sfiligoi, Gabriele
Garzoglio, FNAL
  • When a user submits a grid job to an OSG site,
    the job always carries the user's credentials. At
    the execution site, the job is assigned an
    appropriate userid under which to run. Another
    option for submitting grid jobs involves the
    concept of a pilot job. This type of job, once
    it's in a site's batch slot, coordinates and
    calls a series of user jobs according to VO
    priorities at launch time. If the pilot job and
    the user jobs all run under the same userid,
    however, the pilot job framework violates the
    security policies of any site that requires
    knowledge and control of its resource users.
  • gLExec, a gLite product currently used on
    European Computing Elements, solves this problem.
    gLExec is a privileged executable that, given a
    user credential and an execution command, obtains
    the appropriate Unix ID from a site's GUMS server
    and executes the job under that Unix ID. In
    order to use gLExec within OSG, VOs must
    configure the pilot job such that it "calls home"
    to get the associated user credential. The pilot
    then forwards the credential to gLExec, which
    uses it to communicate with the site security
    service, thus returning control to the site.

19
gLExec
Slide courtesy Igor Sfiligoi, Gabriele
Garzoglio, FNAL
20
How to become an OSG member?
  • Join the OSGEDU VO
  • Run small applications after learning how to use
    OSG from schools
  • Be part of the Engagement program and Engage VO
  • Support within the Facility to bring applications
    to production on the distributed infrastructure
  • Be a standalone VO and a Member of the
    Consortium
  • Ongoing use of OSG participate in one or more
    activity groups.

21
Documents
  • OSG Security twiki
  • https//twiki.grid.iu.edu/twiki/bin/view/Security
  • OSG Security Plan
  • http//osg-docdb.opensciencegrid.org/cgi-bin/ShowD
    ocument?docid389
  • Security Awareness for the OSG
  • http//osg-docdb.opensciencegrid.org/cgi-bin/ShowD
    ocument?docid573
Write a Comment
User Comments (0)
About PowerShow.com