Mine Altunay - PowerPoint PPT Presentation
1
Open Science Grid Security
  • Mine Altunay
  • OSG Security Officer

Gateway Security Summit, January 28-30, 2008, San Diego Supercomputer Center
2
OSG Security Team
Mine Altunay FNAL
Doug Olson LBNL
Bob Cowles SLAC
Don Petravick FNAL
3
OSG Security
  • The big picture
  • What does OSG security do?
  • Security Infrastructure
  • Authentication
  • VOMS
  • PRIMA/GUMS
  • gPlazma
  • gLexec
  • How can someone become part of OSG

4
OSG Security
  • A security framework that enables science and
    promotes autonomous and open science
    collaboration among VOs, sites, and software
    providers
  • Operational
  • Vulnerability analysis, patches,
  • Incident response
  • Interoperability
  • Joint policy work, JSPG, MWSG, IGTF
  • Why we are here: how to build interoperability
    with other Grids (TeraGrid)
  • Education
  • Security tutorials, documents for naïve users

5
(No Transcript)
6
Security Infrastructure
  • Authentication
  • Performed by GSI
  • OSG distributes IGTF approved root CAs (in VDT)
  • Sites fetch CRL updates automatically
  • Sites can update root CAs (optional tool in VDT)

7
Authorization: VOMS / PRIMA / GUMS
(Diagram; the labels and numbered steps that survive from it:)
  • VOMS Server (Attribute Repository)
  • 1. voms-proxy-init
  • 2. receive VO permissions
  • 3. Synch periodically to get VO membership
  • 4. request account
  • 5. account mapping
  • 6. Batch system
8
VOMS
  • VO Membership service
  • VO manages access rights for its members
  • FQAN: Fully Qualified Attribute Name
  • Based on RFC 3281
  • Example: /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL
  • Different roles have different permissions
  • Sites must honor VO permissions
  • VOMS registration
  • via VOMS, VOMRS, or manually
  • Use voms-proxy-init instead of grid-proxy-init
  • VO-specific permissions (the FQANs) are inserted into a
    non-critical X.509 extension of the proxy certificate

9
GUMS Grid User Management Service
  • Maps user DNs/FQANs to accounts
  • Replaces grid-map files
  • Site-wide tool
  • Sites recognize VO permissions
  • Synch with VOMS periodically
  • Downloads the VO memberships, FQANs
  • Can work with LDAP instead of VOMS

10
GUMS
  • Three types of mapping
  • personal accounts (manual or from LDAP)
  • group accounts (multiple DNs to a single UID,
    like VO -> UID)
  • pool accounts (dynamically generated)
  • Guarantee that the same UID can be used by only
    one DN/FQAN at any given time
  • Currently, the pool account is created when a
    DN/FQAN is first seen, and never released

11
GUMS
  • Two kinds of grouping
  • User groups
  • Map (DN,FQAN) to (uid,gid)
  • Host groups
  • Connect host with user groups
  • An M x N configuration
  • A single host group can be used for
  • Multiple hosts (like "*.usatlas.bnl.gov")
  • Multiple user groups (like usatlasGroup, atlas, dial)

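The account-mapping path on slides 8, 10 and 11 (FQAN in the proxy, a GUMS that matches the host against its host groups and then walks that host group's user groups in order, with personal, group and pool mapping types) is easier to see as code. The following is an added toy model written for this page; it is not OSG, VOMS or GUMS code, and every DN, host name, UID/GID and group name in it is constructed for illustration (the group names echo the ones quoted on slide 11).

```python
"""Toy model of the VOMS -> GUMS mapping path on slides 8, 10 and 11.
Added example, not OSG/VOMS/GUMS code; all DNs, hosts, ids are constructed."""
import fnmatch
import re
from dataclasses import dataclass, field

# VOMS FQAN shape: /VO[/subgroup ...]/Role=<role>/Capability=<capability>
FQAN_RE = re.compile(
    r"^/(?P<vo>[^/=]+)(?P<groups>(?:/[^/=]+)*)"
    r"/Role=(?P<role>[^/=]+)/Capability=(?P<cap>[^/=]+)$"
)

def parse_fqan(fqan):
    """Split an FQAN into (vo, subgroups, role, capability); raise on garbage."""
    m = FQAN_RE.match(fqan)
    if m is None:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    groups = tuple(g for g in m.group("groups").split("/") if g)
    return m.group("vo"), groups, m.group("role"), m.group("cap")

@dataclass
class UserGroup:
    """One GUMS user group: accepts one FQAN and maps members one of three ways."""
    name: str
    fqan: str
    kind: str            # "personal" | "group" | "pool"  (slide 10)
    gid: int
    personal: dict = field(default_factory=dict)  # DN -> uid, manual or from LDAP
    group_uid: int = -1                           # many DNs -> one uid (VO -> UID)
    pool: list = field(default_factory=list)      # free uids handed out on first sight
    leases: dict = field(default_factory=dict)    # (DN, FQAN) -> uid, never released

    def map(self, dn, fqan):
        """Return (uid, gid), or None if this group does not cover the credential."""
        if fqan != self.fqan:
            return None
        if self.kind == "personal":
            uid = self.personal.get(dn)
            return None if uid is None else (uid, self.gid)
        if self.kind == "group":
            return (self.group_uid, self.gid)
        # Pool account: a DN/FQAN seen for the first time takes the next free uid
        # and keeps it forever, so one uid never serves two DN/FQANs at once.
        key = (dn, fqan)
        if key not in self.leases:
            if not self.pool:
                raise RuntimeError(f"pool account group {self.name!r} is exhausted")
            self.leases[key] = self.pool.pop(0)
        return (self.leases[key], self.gid)

@dataclass
class HostGroup:
    """Connects host name patterns to an ordered list of user groups (M x N)."""
    name: str
    host_patterns: tuple
    user_groups: tuple

    def matches(self, host):
        return any(fnmatch.fnmatch(host, p) for p in self.host_patterns)

class Gums:
    def __init__(self, user_groups, host_groups):
        self.user_groups = {g.name: g for g in user_groups}
        self.host_groups = host_groups

    def map_user(self, host, dn, fqan):
        """Account mapping (step 5 on slide 7): first matching host group,
        then the first of its user groups that maps the (DN, FQAN)."""
        parse_fqan(fqan)  # reject malformed attributes before touching any mapping
        for hg in self.host_groups:
            if not hg.matches(host):
                continue
            for name in hg.user_groups:
                result = self.user_groups[name].map(dn, fqan)
                if result is not None:
                    return result
        return None

# Constructed site configuration (names modelled on slide 11, values invented).
ATLAS_PROD = "/atlas/Role=production/Capability=NULL"
ATLAS_USER = "/atlas/Role=NULL/Capability=NULL"
DIAL_USER = "/dial/Role=NULL/Capability=NULL"
ALICE = "/DC=org/DC=example/CN=Alice Production"
CE = "gridgk01.usatlas.bnl.gov"

def build_site():
    user_groups = [
        UserGroup("usatlasGroup", ATLAS_PROD, "personal", gid=5000, personal={ALICE: 5001}),
        UserGroup("atlas", ATLAS_USER, "pool", gid=5100, pool=[5101, 5102]),
        UserGroup("dial", DIAL_USER, "group", gid=5200, group_uid=5201),
    ]
    host_groups = [
        HostGroup("usatlas", ("*.usatlas.bnl.gov",), ("usatlasGroup", "atlas", "dial")),
    ]
    return Gums(user_groups, host_groups)

SITE = build_site()

if __name__ == "__main__":
    print(parse_fqan("/oscar.nikhef.nl/mcprod/Role=production/Capability=NULL"))
    print(SITE.map_user(CE, ALICE, ATLAS_PROD))                        # personal account
    print(SITE.map_user(CE, "/DC=org/DC=example/CN=Bob", ATLAS_USER))  # first pool uid
    print(SITE.map_user(CE, "/DC=org/DC=example/CN=Bob", ATLAS_USER))  # same uid again
    print(SITE.map_user("ce.other.example", ALICE, ATLAS_PROD))        # host not covered
```

Running it shows the slide 10 guarantee in action: the second request for Bob returns the uid he was leased the first time, a third distinct DN would exhaust the two-entry pool and be refused rather than share a uid, and a host outside every host group gets no mapping at all.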
12
gPlazma: Storage Authz
13
CE and SE Big Picture
14
Local or Remote Client Proxy with VO Membership Role Attributes (diagram)
15
Local or Remote Client Proxy with VO Membership Role Attributes (diagram)
16
Local or Remote Client Proxy with VO Membership Role Attributes (diagram)
17
Local or Remote Client Proxy with VO Membership Role Attributes (diagram)
gPLAZMALite Authorization Services suite
18
gLExec
Slide courtesy Igor Sfiligoi, Gabriele Garzoglio, FNAL
  • When a user submits a grid job to an OSG site,
    the job always carries the user's credentials. At
    the execution site, the job is assigned an
    appropriate userid under which to run. Another
    option for submitting grid jobs involves the
    concept of a pilot job. This type of job, once
    it's in a site's batch slot, coordinates and
    calls a series of user jobs according to VO
    priorities at launch time. If the pilot job and
    the user jobs all run under the same userid,
    however, the pilot job framework violates the
    security policies of any site that requires
    knowledge and control of its resource users.
  • gLExec, a gLite product currently used on
    European Computing Elements, solves this problem.
    gLExec is a privileged executable that, given a
    user credential and an execution command, obtains
    the appropriate Unix ID from a site's GUMS server
    and executes the job under that Unix ID. In
    order to use gLExec within OSG, VOs must
    configure the pilot job such that it "calls home"
    to get the associated user credential. The pilot
    then forwards the credential to gLExec, which
    uses it to communicate with the site security
    service, thus returning control to the site.

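Slide 18 describes gLExec as a privileged executable that takes a forwarded user credential and a command, asks the site's GUMS for the matching Unix ID, and runs the command under that ID so the site keeps knowledge and control of who is using its resources. The sketch below, added for this page and not gLExec, OSG or GUMS code, shows the checks such a launcher has to make before switching identity and the record it leaves behind. It reduces the credential to the (DN, FQAN) pair a site extracts from the proxy, replaces the GUMS query with a constructed lookup table, and treats the 1000 minimum id as an assumed site policy; all DNs, ids and paths are constructed.

```python
"""Sketch of a gLExec-style launcher's decision logic (slide 18).
Added example, not gLExec/OSG/GUMS code; table, ids and DNs are constructed."""
import os

# Constructed stand-in for GUMS answers: (DN, FQAN) -> (uid, gid).
GUMS_TABLE = {
    ("/DC=org/DC=example/CN=Alice", "/atlas/Role=NULL/Capability=NULL"): (5101, 5100),
    ("/DC=org/DC=example/CN=Ops Bot", "/atlas/Role=NULL/Capability=NULL"): (0, 0),  # bad entry
}
MIN_SAFE_ID = 1000  # assumed site policy: never run jobs under system or root ids

def vet_credential(dn, fqan, pilot_uid, table=GUMS_TABLE):
    """Return "ok" or the reason the site refuses to run a job for this credential."""
    ident = table.get((dn, fqan))
    if ident is None:
        return "credential not authorized by site mapping service"
    uid, gid = ident
    if uid < MIN_SAFE_ID or gid < MIN_SAFE_ID:
        return f"mapping service returned privileged id {uid}:{gid}; refusing"
    if uid == pilot_uid:
        # Slide 18: pilot and user job under one userid defeats site accountability.
        return "mapped uid equals the pilot's uid; refusing"
    return "ok"

def plan_launch(dn, fqan, pilot_uid, argv, table=GUMS_TABLE):
    """Build the identity switch or raise; nothing here touches real privileges."""
    verdict = vet_credential(dn, fqan, pilot_uid, table)
    if verdict != "ok":
        raise PermissionError(verdict)
    if not argv or not os.path.isabs(argv[0]):
        raise ValueError("job command must be an absolute path")
    uid, gid = table[(dn, fqan)]
    return {"uid": uid, "gid": gid, "argv": list(argv), "dn": dn, "fqan": fqan}

def audit_line(plan, pilot_uid):
    """The record that gives the site knowledge of who ran what under which uid."""
    return (f"glexec pilot_uid={pilot_uid} target_uid={plan['uid']} "
            f"target_gid={plan['gid']} dn='{plan['dn']}' fqan={plan['fqan']} "
            f"cmd={plan['argv'][0]}")

def launch(plan):
    """Drop privileges irreversibly (groups, then gid, then uid) and exec the job.
    Needs root and replaces the process; shown for the ordering, not exercised here."""
    os.setgroups([plan["gid"]])
    os.setgid(plan["gid"])
    os.setuid(plan["uid"])
    try:
        os.setuid(0)  # must now fail; success would mean the drop was reversible
    except PermissionError:
        pass
    else:
        raise SystemExit("privilege drop was reversible; not running the job")
    os.execv(plan["argv"][0], plan["argv"])

if __name__ == "__main__":
    pilot = 4000
    p = plan_launch("/DC=org/DC=example/CN=Alice", "/atlas/Role=NULL/Capability=NULL",
                    pilot, ["/usr/bin/env", "true"])
    print(audit_line(p, pilot))
    print(vet_credential("/DC=org/DC=example/CN=Ops Bot",
                         "/atlas/Role=NULL/Capability=NULL", pilot))
```

The two refusals are the ones a site cares about most: an answer from the mapping service that would land the job on a privileged id, and a mapping that leaves the user job under the pilot's own uid, which is exactly the situation the slide says violates site policy. The audit line is what lets the site later tie a process back to the DN and FQAN that produced it.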
19
gLExec
Slide courtesy Igor Sfiligoi, Gabriele Garzoglio, FNAL
20
How to become an OSG member?
  • Join the OSGEDU VO
  • Run small applications after learning how to use
    OSG from schools
  • Be part of the Engagement program and Engage VO
  • Support within the Facility to bring applications
    to production on the distributed infrastructure
  • Be a standalone VO and a Member of the
    Consortium
  • Ongoing use of OSG; participate in one or more
    activity groups

21
Documents
  • OSG Security twiki
  • https://twiki.grid.iu.edu/twiki/bin/view/Security
  • OSG Security Plan
  • http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=389
  • Security Awareness for the OSG
  • http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=573