Security in the Open Science Grid, by Igor Sfiligoi (UCSD)
Introduction talk about security in OSG.

Simplified version of the lecture presented at the OSG User School 2012.


  1. Security in the Open Science Grid, by Igor Sfiligoi (UCSD)
  2. Reminder – Single sign-on
     • The user should use the same mechanism to submit jobs to any site
       - And there are 100s of them in OSG
     [Figure: the user greets every site the same way: "Hi. I am Igor"]
     (From the 2012 OSG User School, OSG Security)
  3. Passwords a non-starter
     • We all know username/password is the preferred authentication mechanism
       - Almost everybody uses it!
     • But not a good solution for distributed systems
       - Uses a shared secret between the user and the service provider
       - And secrets stay secret only if few entities know them
       ⇒ Sharing passwords between sites is a bad idea!
  4. Adding an intermediary
     • A better approach is to introduce a highly trusted intermediary
     • Have been used in real life for ages
       - e.g. States as issuers of IDs/Passports
       - Getting the ID can be a lengthy process, but using it is easy afterwards
     [Figure: the user obtains an ID from the issuer ("Hi. I am Igor" / "Use this ID") and then presents it to each site ("Hi. Here is my ID")]
  5. Adding an intermediary
     • A better approach is to introduce a highly trusted intermediary
     • Have been used in real life for ages
       - e.g. States as issuers of IDs/Passports
       - Getting the ID can be a lengthy process, but using it is easy afterwards
     Callout: Chain of trust. You are trusted because the site trusts the issuer, and the issuer trusted you.
     [Figure: same as slide 4]
  6. Technical implementations
     • Many technical solutions
       - x.509 PKI
       - Kerberos
       - OpenID
       - many more...
     • All based on the same basic principle
       - Each has strengths and weaknesses
       - OSG standardized on x.509
     Callout: Will not argue if it is the best one.
  7. x.509 PKI
     • Based on public key cryptography
       - A user has a (private, public) key pair
       ⇒ One signs, the other verifies
     • The highly trusted entity is called a Certification Authority (CA)
       - The user is given a certificate
       - Cert. has user name in it
       - Cert. also contains the (priv, pub) key pair
       - Cert. has a limited lifetime
       - Cert. is signed by the CA private key
     Callout: You should have one by now.
  8. x.509 authentication
     • Sites have CA public key pre-installed
     • User authenticates by signing a site provided string and providing the public part of the cert
     [Figure: the user (holding Igor's pub cert and private key) and the site (holding the associated CA pub key) exchange: "Hi, here is my pub cert" / "Please sign '10011011'" / "Here it is '00111011'" / "Hi, Igor"]
  9. Mutual authentication
     • The OSG clients also require servers to authenticate
       - Same principle as before
       - The site's server owns an x.509 certificate
       - User client must have the CA pre-installed
     • So we have mutual authentication
  10. Impersonation
      • Sometimes your jobs need to impersonate you
        - For example to access remote data
      [Figure: a job running on the CE (Scheduler) says to the SE (Storage Element): "Hi... ehm... I am Igor"]
  11. Impersonation
      • Sometimes your jobs need to impersonate you
        - For example to access remote data
      Callout: Obviously will not work. The job does not have your private key.
      Callout: We have similar problems in real life, too
        • e.g. attorney representing you in court
        • Nobody will buy it that he is you, yet he can speak on your behalf
      [Figure: same as slide 10]
  12. Proxy delegation
      • The job is indeed not you
      • Create a proxy certificate for the job
        - Add another level of trust delegation
      • And send it with the job
      [Figure: the job on the CE (Scheduler) now says to the SE (Storage Element): "Hi... I am Igor"]
  13. Proxy delegation
      • The job is indeed not you
      • Create a proxy certificate for the job
        - Add another level of trust delegation
      • And send it with the job
      Callout: YES! You are sending the proxy's private key to the WN.
      [Figure: same as slide 12]
  14. Risk mitigation
      • Proxy delegation is risky
        - Your proxy could be stolen
      • In OSG, we mitigate by limiting lifetime
        - At most few hours recommended
        - After the proxy expires, the proxy is useless
      • Can be annoying
        - Must keep renewing, if long running job!
      Callout: But we don't have anything better.
  15. Risk mitigation
      • Proxy delegation is risky
        - Your proxy could be stolen
      • In OSG, we mitigate by limiting lifetime
        - At most few hours recommended
        - After the proxy expires, the proxy is useless
      • Can be annoying
        - Must keep renewing, if long running job!
      Callout: If using glideinWMS, Condor will automatically create a short lived proxy and keep re-delegating it. Completely transparent to you.
      Callout: But we don't have anything better.
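Slides 12 to 15 describe a delegation chain (CA, user certificate, proxy) whose only protection against a stolen proxy is a short lifetime. The following is an added example, not code from the talk, from OSG, Condor or glideinWMS: it models the certificate metadata of such a chain (subject, issuer, validity window) and checks the naming and nesting rules plus a lifetime policy, and it computes when a long-running job should renew. The policy limits (12 hours, renew with 2 hours left), the names and the dates are constructed assumptions; signature verification is left to the GSI/TLS library that would actually load the chain.

```python
"""Proxy delegation-chain checks: naming, nesting and lifetime policy.
Added example; not OSG, Condor or glideinWMS code. Signatures are not
verified here, only the certificate metadata is examined."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PROXY_LIFETIME = timedelta(hours=12)   # assumed site policy ("at most few hours")
RENEW_WHEN_LEFT = timedelta(hours=2)       # assumed renewal threshold for long jobs


@dataclass(frozen=True)
class CertInfo:
    subject: str          # e.g. "/DC=org/DC=example/CN=Igor"
    issuer: str
    not_before: datetime
    not_after: datetime
    is_proxy: bool = False


def check_chain(chain: list[CertInfo], now: datetime) -> list[str]:
    """Return policy violations for an ordered chain [CA, user, proxy, proxy...];
    an empty list means the chain passes at time `now`."""
    problems = []
    for i, cert in enumerate(chain):
        if i == 0:
            if cert.subject != cert.issuer:
                problems.append("root must be self-issued")
            continue
        parent = chain[i - 1]
        if cert.issuer != parent.subject:
            problems.append(f"{cert.subject}: issuer does not match previous subject")
        if cert.is_proxy:
            # RFC 3820 naming rule: proxy subject = issuer subject + exactly one CN
            prefix, _, tail = cert.subject.rpartition("/")
            if prefix != parent.subject or not tail.startswith("CN="):
                problems.append(f"{cert.subject}: not issuer subject plus one CN")
            # A proxy can never outlive the credential that signed it
            if cert.not_before < parent.not_before or cert.not_after > parent.not_after:
                problems.append(f"{cert.subject}: validity exceeds issuer's")
            if cert.not_after - cert.not_before > MAX_PROXY_LIFETIME:
                problems.append(f"{cert.subject}: lifetime longer than policy")
        if not (cert.not_before <= now <= cert.not_after):
            problems.append(f"{cert.subject}: not valid at {now.isoformat()}")
    return problems


def time_left(proxy: CertInfo, now: datetime) -> timedelta:
    return max(proxy.not_after - now, timedelta(0))


def needs_renewal(proxy: CertInfo, now: datetime) -> bool:
    """True when a long-running job should re-delegate a fresh proxy."""
    return time_left(proxy, now) < RENEW_WHEN_LEFT


# Constructed sample chain (names and dates are made up for the example)
T0 = datetime(2012, 7, 1, 12, 0, tzinfo=timezone.utc)
CA = CertInfo("/DC=org/DC=example/CN=Example CA", "/DC=org/DC=example/CN=Example CA",
              T0 - timedelta(days=365), T0 + timedelta(days=365))
USER = CertInfo("/DC=org/DC=example/CN=Igor", CA.subject,
                T0 - timedelta(days=30), T0 + timedelta(days=335))
GOOD_PROXY = CertInfo(USER.subject + "/CN=proxy", USER.subject,
                      T0, T0 + timedelta(hours=8), is_proxy=True)
LONG_PROXY = CertInfo(USER.subject + "/CN=proxy", USER.subject,
                      T0, T0 + timedelta(days=7), is_proxy=True)
# Claims Igor's key as issuer but carries someone else's name
FORGED_PROXY = CertInfo("/DC=org/DC=example/CN=Somebody Else/CN=proxy", USER.subject,
                        T0, T0 + timedelta(hours=1), is_proxy=True)

if __name__ == "__main__":
    now = T0 + timedelta(hours=1)
    for name, proxy in [("good", GOOD_PROXY), ("long", LONG_PROXY), ("forged", FORGED_PROXY)]:
        print(name, check_chain([CA, USER, proxy], now) or "OK")
    print("renew at +7h:", needs_renewal(GOOD_PROXY, T0 + timedelta(hours=7)))
```

Running the block prints one verdict per sample chain. The expired case is the interesting one for slide 14: the same proxy that passes at T0 + 1h is rejected at T0 + 9h, which is exactly why a stolen proxy is only useful until it expires.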
  16. x.509 in Overlay systems
      • x.509 is typically used in Overlay systems as well
      • For glideinWMS, all communication between processes is mutually authenticated using x.509 (proxy) certificates
  17. Authentication vs. Authorization
      • Just because you can authenticate yourself, it does not mean you are authorized, too
        - e.g. your passport tells who you are, but does not allow you to drive a car
      • x.509 PKI only covers authentication
        - Tells the site who you are
      ⇒ Need a different mechanism for authorization
  18. Per-user authorization not an option
      • The naive approach is using a list
        - Since we do not want to let just anyone in!
      • However, the problem is scale
        - OSG has ~10,000 users!
        - Sites do not want to decide on a user-by-user basis!
      Callout: Server authorization is easy. The client decides which host to talk to. Just require the host name in the certificate name; the CA will enforce this.
  19. Adding roles
      • Sites want to operate on higher level concepts
        - Some kind of attribute
      • Like in real life
        - Think about passport vs driver's license
        - Both tell a cop who you are (and to 1st approx. are issued by the same entity)
        - But the driver's license tells him you are allowed to use a car, too
        ⇒ "Class: C"
  20. Need for an attribute authority
      • Users can have many roles
        - But don't want to have multiple certs
        - e.g. I may be running HEP jobs or School jobs
      • So the attributes cannot come from the CA
        - And you would not just trust the user
      • In OSG, we use VOMS
        - Virtual Organization Management System
        - OSG expects well organized VOs (e.g. CMS)
  21. VO and VOMS
      • VO decides who is worthy of an attribute
        - Site decides based on that attribute
      [Figure: the user registers with the VO ("Hi. I work for CMS"), gets a proxy+attrs from VOMS, obtains an ID from the issuer ("Hi. I am Igor" / "Use this ID"), and presents it to the site ("Hi. Here is my ID")]
  22. VO and VOMS
      • VO decides who is worthy of an attribute
        - Site decides based on that attribute
      Callout: Site still knows who you are and can act on your name alone. But they will do it only for exceptional cases.
      [Figure: same as slide 21]
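Slides 17 to 22 separate who you are (the DN in the CA-signed certificate) from what you may do (attributes the VO vouches for), and note that the site still keeps the option of acting on the DN alone in exceptional cases. The block below is an added example of a site-side decision written that way; it is not VOMS, GUMS or any OSG component's code. The attribute strings follow the VOMS FQAN style "/vo/group/Role=role/Capability=cap" (the "/Capability=NULL" and "/Role=NULL" parts are stripped before matching, an assumption about the wire form), and the site policy, accounts and DNs are constructed.

```python
"""Site authorization driven by VO-issued attributes instead of a user list.
Added example; not VOMS/GUMS/OSG code. Policy and credentials are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Credential:
    """What the site learns after authenticating a VOMS proxy."""
    dn: str                                          # who you are (from the CA-signed cert)
    fqans: list[str] = field(default_factory=list)   # what the VO says about you, in preference order


@dataclass
class SitePolicy:
    # (FQAN glob pattern, local account): first match wins, so list specific roles first
    role_map: list[tuple[str, str]]
    banned_dns: set[str] = field(default_factory=set)  # the "exceptional case" acted on by name


def normalize(fqan: str) -> str:
    """Drop the "/Capability=..." element and a trailing "/Role=NULL"."""
    parts = [p for p in fqan.strip("/").split("/") if not p.startswith("Capability=")]
    if parts and parts[-1] == "Role=NULL":
        parts.pop()
    return "/" + "/".join(parts)


def authorize(cred: Credential, policy: SitePolicy) -> str | None:
    """Return the local account to map the job onto, or None to reject.
    No per-user allow list: only the VO attributes and the (short) DN ban list decide."""
    if cred.dn in policy.banned_dns:
        return None
    for fqan in cred.fqans:
        f = normalize(fqan)
        for pattern, account in policy.role_map:
            if fnmatchcase(f, pattern):
                return account
    return None


POLICY = SitePolicy(
    role_map=[
        ("/cms/Role=production", "cmsprod"),   # production role gets its own account
        ("/cms", "cmsuser"),                   # plain CMS membership
        ("/cms/*", "cmsuser"),                 # any other CMS group or role
        ("/osg/school*", "osgschool"),
    ],
    banned_dns={"/DC=org/DC=example/CN=Compromised Account"},
)

# Constructed credentials: the same person with two different VO attributes
IGOR_PROD = Credential("/DC=org/DC=example/CN=Igor",
                       ["/cms/Role=production/Capability=NULL", "/cms/Role=NULL/Capability=NULL"])
IGOR_SCHOOL = Credential("/DC=org/DC=example/CN=Igor", ["/osg/school/Role=NULL/Capability=NULL"])
STRANGER = Credential("/DC=org/DC=example/CN=Stranger", ["/atlas/Role=NULL/Capability=NULL"])
BANNED = Credential("/DC=org/DC=example/CN=Compromised Account",
                    ["/cms/Role=production/Capability=NULL"])

if __name__ == "__main__":
    for cred in (IGOR_PROD, IGOR_SCHOOL, STRANGER, BANNED):
        print(cred.dn, cred.fqans[0], "->", authorize(cred, POLICY))
```

The point to notice is that nothing in the policy names Igor: the same DN lands in `cmsprod` or `osgschool` purely from which attribute the VO put in the proxy, while the banned DN is refused even though its attributes would otherwise map fine.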
  23. More security considerations
      • There is much more than authentication and authorization to security
        - But we don't have the time to cover everything
      • Just briefly
        - Sharing of resources
        - Privacy
        - Acceptable conduct
  24. Sharing of resources
      • Modern CPUs are many-core, so
        - Very likely your job will be sharing the node with other jobs
      • Sites will map your Grid name into a UID
        - Hopefully unique... be sure to ask
      • Standard *NIX protections
        - Act accordingly
        - e.g. no file should be world writable
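Since the only protection between your job and the other jobs on a shared worker node is the standard *NIX mode bits, a job can audit its own working directory before writing results. The block below is an added example, not an OSG tool: it finds files and directories with the other-write bit set, clears group- and other-write on them, and builds its own constructed sample tree in a temporary directory so it runs anywhere. It inspects plain POSIX permissions only (assumption: no ACLs in play).

```python
"""Audit a job's working directory for files other local users could modify.
Added example, not an OSG tool; POSIX mode bits only, ACLs are not inspected."""
import os
import stat
import tempfile
from pathlib import Path


def world_writable(root: Path) -> list[Path]:
    """Return root and everything under it whose mode has the other-write bit.
    Symlinks are skipped: their own mode is meaningless and following them
    could wander out of the job's tree."""
    hits = []
    for p in [root, *root.rglob("*")]:
        if p.is_symlink():
            continue
        if p.stat().st_mode & stat.S_IWOTH:
            hits.append(p)
    return sorted(hits)


def lock_down(paths: list[Path]) -> int:
    """Clear group- and other-write bits; return how many paths were changed."""
    changed = 0
    for p in paths:
        mode = stat.S_IMODE(p.stat().st_mode)
        new = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
        if new != mode:
            p.chmod(new)
            changed += 1
    return changed


def demo() -> tuple[list[str], int, list[str]]:
    """Build a constructed sample tree, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:    # mkdtemp creates the root as 0o700
        root = Path(tmp)
        (root / "output").mkdir()
        (root / "output" / "result.dat").write_text("42\n")
        (root / "scratch.log").write_text("...\n")
        (root / "output").chmod(0o777)                 # bad: anyone can drop files in
        (root / "output" / "result.dat").chmod(0o666)  # bad: anyone can alter results
        (root / "scratch.log").chmod(0o644)            # fine: readable, but only owner writes
        before = [str(p.relative_to(root)) for p in world_writable(root)]
        fixed = lock_down(world_writable(root))
        after = [str(p.relative_to(root)) for p in world_writable(root)]
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    print("world-writable before:", before)
    print("paths fixed:", fixed)
    print("world-writable after:", after)
```

Readability is left alone on purpose: slide 25 points out that on OSG you should assume files are readable anyway, so the audit concentrates on the bit that lets another job tamper with results.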
  25. Privacy
      • By default, no privacy in OSG
        - Assume all your files are publicly readable
        - Apart from your proxy
      • If you need privacy, you will have to take explicit measures
        - Both during network transfers, and
        - For files on disk
      • x.509 can be used for encryption
        - But remember, the proxy has new keys
  26. Acceptable conduct
      • Each OSG user is bound by its AUP (Acceptable User Policy)
        - And sites are allowed to have additional rules in place
      • In a nutshell
        - Use only for the declared science purpose
        - Do not overload the system
        - Do not attempt to circumvent security
      Callout: Else, you will be banned!
  27. Acknowledgements
      • This document was sponsored by grants from the US NSF and US DOE, and by the UC system