Jim Basney, OSG Security Policy Officer
Open Science Grid
TAGPMA
November 5, 2008
La Plata, Argentina
Open Science Grid sites (map): NERSC, BU, UNM, SDSC, UTA, OU, FNAL, ANL, WISC, BNL, VANDERBILT, PSU, UVA, CALTECH, IOWA STATE, PURDUE, IU, BUFFALO, TTU, CORNELL, ALBANY, UMICH, INDIANA, IUPUI, STANFORD, UWM, UNL, UFL, KU, UNI, WSU, MSU, LTU, LSU, CLEMSON, MCGILL, UMISS, UIUC, UCR, UCLA, LEHIGH, NSF, ORNL, HARVARD, UIC, SMU, UCHICAGO (+Brazil, Mexico, Taiwan, UK)
TeraGrid and OSG Compared
Campus Grids: CS/IT campus grids (DOSAR, Fermigrid, GLOW, GPN, GROW, ...)
Community Grids: science community infrastructure (ATLAS, CMS, LIGO, ...)
National Grids: national and international cyber infrastructure for science (TeraGrid, EGEE, ...)
These need to be harmonized into a well-integrated whole.
The Vision:
Transform compute- and data-intensive science through a cross-domain, self-managed national distributed cyber-infrastructure that brings together campus and community infrastructure and facilitates the needs of Virtual Organizations at all scales.
129 Resources, 33 VOs, 10,000 users, 29 Support Centers
Open Science Grid: International Partners
An International Science Community: Common Goals, Shared Data, Collaborative work
How it all comes together
(Diagram: VO Management Service, VO Middleware & Applications, OSG Infrastructure, Resources that trust the VO)
• Virtual Organization Management Services (VOMS) allow registration, administration and control of members of the group.
• Resources trust and authorize VOs, not individual users.
• OSG infrastructure provides the fabric for job submission and scheduling, resource discovery, security, monitoring, ...
(Diagram: OSG software stack: Globus, Condor, gLExec, RSV, Gratia, VDT; sites: Fermigrid, BNL_ATLAS_1, UCSDT2; VOs: ATLAS, CMS; job submissions flow between them)
Software
• Check software vulnerabilities
• Develop and announce patches
Interoperability
• JSPG, IGTF
• Participate in EGEE's response and operation teams
Security Education for Sites and VOs
• Raise security awareness
• Teach OSG policies and best practices
• Workshops, tutorials, grid schools
Policies for Site-VO interoperability
• Develop policies: AUP, Service Agreements, pilot policies, MOU, membership
Incident Response and Monitoring
• Coordinating the response teams, communication with Sites and VOs
• Banning compromised machines or users, monitoring for suspicious job submissions
• Fire drills for practice
Authorization: VOMS + PRIMA + GUMS
(Diagram: VOMS server (attribute repository); GUMS server (DN/FQAN mapping in MySQL); gatekeeper with a gridmap callout to the PRIMA module; batch system)
1: voms-proxy-init: the user requests a VOMS proxy from the VOMS server
2: receive VO permissions (FQANs) in the proxy
3: job submission to the gatekeeper, which validates the proxy (GSI)
4: the gatekeeper's gridmap callout (PRIMA module) requests an account from the GUMS server
5: GUMS returns the account mapping for the DN/FQAN
6: the job is handed to the batch system under the mapped account
GUMS synchs periodically with VOMS to get VO membership.
(Diagram: Grid Site with the Privilege Project modules)
• VO Management Services: VOMS and VOMRS; the user registers, VOMRS and VOMS synchronize, and the user turns a certificate into a VOMS extended proxy (get-voms-proxy).
• Sitewide Services: GUMS (synchronizes with VOMS) and SAZ.
• CE: the user submits a request with the voms-proxy to the Gatekeeper; PRIMA/SAML callouts (C) send DN, FQAN to GUMS and receive a user name for the Job Manager.
• SE: SRM with gPlazma and the Storage AuthService; the Prima/SAML client (Java) sends DN, FQAN to GUMS and receives a storage privilege set.
• GUMS answers "Is authorized?" with yes/no.
VOMS
• VO Membership service
  – VO manages access rights for its members
  – FQAN: Fully Qualified Attribute Name
  – Based on RFC 3281 (attribute certificates)
  – Example: /oscar.nikhef.nl/mcprod/Role=production/Capability=NULL
  – Different roles have different permissions
• Sites must honor VO permissions
• VOMS registration
  – via VOMS, or VOMRS, or manually
• Use voms-proxy-init instead of grid-proxy-init
  – VO-specific permissions (FQANs) are inserted into the proxy as a non-critical X.509 extension
GUMS
• Grid User Management Service
• Maps user DNs/FQANs to accounts
  – Replaces grid-map files
  – Site-wide tool
• Sites recognize VO permissions
• Synchs with VOMS periodically
  – Downloads the VO memberships, FQANs
  – Can work with LDAP instead of VOMS
GUMS
• Three types of mapping
  – personal accounts (manual or from LDAP)
  – group accounts (multiple DNs to a single UID, like VO -> UID)
  – pool accounts (dynamically assigned)
• Guarantees that the same UID can be used by only one DN/FQAN at any given time
• Currently, the pool-account mapping is created when a DN/FQAN is first seen, and never released
GUMS
• Two kinds of grouping
• User groups
  – Map (DN, FQAN) to (uid, gid)
• Host groups
  – Connect hosts with user groups
  – An M x N configuration
  – A single host group can be used for
    • multiple hosts (like "*.usatlas.bnl.gov")
    • multiple user groups (like "usatlasGroup,atlas,dial")
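To make the mapping rules on the last three slides concrete, here is an added example, written for this page and not GUMS code, of a GUMS-style mapper in Python: it parses an FQAN, picks the host group that matches the gatekeeper's hostname, and walks that host group's user groups in order, applying manual, group or pool mappings. The host patterns, group names, DNs, UIDs and GIDs are constructed for illustration, and FQANs are canonicalized with explicit Role and Capability before pattern matching (an assumption of this example, chosen so that "/atlas/usatlas" and "/atlas/usatlas/Role=NULL/Capability=NULL" match the same rules).

```python
"""GUMS-style (DN, FQAN) -> (uid, gid) mapping.  Added example, not GUMS code.
All host patterns, group names, DNs, UIDs and GIDs below are constructed."""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_fqan(fqan: str) -> dict:
    """Split '/vo/sub/group/Role=r/Capability=c' into its parts.
    Role and Capability default to NULL when absent."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    attrs = {"Role": "NULL", "Capability": "NULL"}
    groups = []
    for part in fqan.split("/")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            if key not in attrs:
                raise ValueError("unknown FQAN attribute: " + key)
            attrs[key] = value
        elif part:
            groups.append(part)
    if not groups:
        raise ValueError("FQAN names no VO")
    return {"vo": groups[0], "group": "/" + "/".join(groups), **attrs}


def canonical_fqan(fqan: str) -> str:
    """Rewrite an FQAN with explicit Role and Capability (assumed canonical form)."""
    p = parse_fqan(fqan)
    return "%s/Role=%s/Capability=%s" % (p["group"], p["Role"], p["Capability"])


@dataclass
class UserGroup:
    """A GUMS user group: who is a member (FQAN pattern) and how they are mapped."""
    name: str
    fqan_pattern: str                 # fnmatch pattern over the canonical FQAN
    kind: str                         # "manual", "group" or "pool"
    gid: int
    manual: Dict[str, int] = field(default_factory=dict)   # DN -> uid (personal accounts)
    group_uid: Optional[int] = None                        # one uid shared by all members
    pool: List[int] = field(default_factory=list)          # free pool uids
    leases: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (DN, FQAN) -> uid

    def map(self, dn: str, fqan: str) -> Optional[int]:
        if not fnmatch.fnmatchcase(fqan, self.fqan_pattern):
            return None
        if self.kind == "manual":
            return self.manual.get(dn)       # personal account, or None if not listed
        if self.kind == "group":
            return self.group_uid            # many DNs -> one uid
        key = (dn, fqan)
        if key not in self.leases:
            if not self.pool:
                return None                  # pool exhausted: leases are never released
            self.leases[key] = self.pool.pop(0)   # one uid per (DN, FQAN), never shared
        return self.leases[key]


USER_GROUPS = {
    "usatlasAdmins": UserGroup("usatlasAdmins", "/atlas/usatlas/Role=admin/*", "manual", gid=5000,
                               manual={"/DC=org/DC=doegrids/OU=People/CN=Alice 1234": 5002}),
    "usatlasProd": UserGroup("usatlasProd", "/atlas/usatlas/Role=production/*", "group", gid=5000,
                             group_uid=5001),
    "usatlasPool": UserGroup("usatlasPool", "/atlas/usatlas/*", "pool", gid=5000, pool=[5010, 5011]),
    "cmsGroup": UserGroup("cmsGroup", "/cms/*", "group", gid=6000, group_uid=6001),
}

# Host groups: (host pattern, user groups tried in order).  M hosts x N user groups.
HOST_GROUPS = [
    ("*.usatlas.bnl.gov", ["usatlasAdmins", "usatlasProd", "usatlasPool"]),
    ("ce*.example.edu", ["cmsGroup"]),
]


def map_user(host: str, dn: str, fqan: str) -> Optional[Tuple[int, int]]:
    """Return (uid, gid) for a (DN, FQAN) presenting at `host`, or None to deny.
    The first matching host group is used; within it the first user group that
    both matches the FQAN and yields a uid wins, so the ordering is policy."""
    canon = canonical_fqan(fqan)
    for host_pattern, group_names in HOST_GROUPS:
        if fnmatch.fnmatchcase(host, host_pattern):
            for name in group_names:
                group = USER_GROUPS[name]
                uid = group.map(dn, canon)
                if uid is not None:
                    return uid, group.gid
            return None
    return None


if __name__ == "__main__":
    alice = "/DC=org/DC=doegrids/OU=People/CN=Alice 1234"
    bob = "/DC=org/DC=doegrids/OU=People/CN=Bob 5678"
    for dn, fqan in [(alice, "/atlas/usatlas/Role=production"), (bob, "/atlas/usatlas"),
                     (alice, "/atlas/usatlas"), (alice, "/cms")]:
        print(dn, fqan, "->", map_user("gridgk01.usatlas.bnl.gov", dn, fqan))
```

Two properties of the slides are visible in the output: the same DN with two different FQANs gets two different pool uids (the UID is tied to the DN/FQAN pair, not the person), and once the two-entry pool is leased a third pool user is refused rather than being given someone else's uid.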
A simple usage scenario
(Diagram: a grid job from Researcher A passes through the VO infrastructure & services to the VO-accessible site resources: Data Storage 1 and the worker nodes of Cluster 1)
• Researcher A is from University X, which is a member of the VO
• VO trusts Researcher; Site trusts VO
• Site allows access by Researcher
VO mappings
(Diagram: Researcher A from University X and Researcher B from University Y, each with their own job's data; VOMRS holds Group: Univ. X, Role: Researcher and Group: Univ. Y, Role: Researcher; GUMS retrieves the VO mappings)
• VOMRS manages member-role mappings
• GUMS retrieves membership info from the VO
  – Enforces VO-assigned privileges at the Site
(Diagram: Researcher A from Group 1 submits grid job 1 through the VO infrastructure & services to the Site; the job's attempt to reach Group 2's data, owned by Researcher B from Group 2, is unauthorized access)
Enforced Policy outcome
• Researcher A cannot modify Researcher B's data (due to VO policy)
(Diagram: Researcher A from Group 1 submits grid job 1 through the VO infrastructure & services to the Site; Researcher B from Group 2, whose DN name is blacklisted at the Site, is refused; both Group 1's and Group 2's data are protected from the unauthorized access)
Enforced Policy outcome
• Researcher B denied access
  – due to Site policy
Enforced Security Policy
(Diagram: VO Policy and Site Policy combine into the Enforced Policy over the Site's data storage and worker nodes)
• VO Policy determines:
  – each VO member's privileges
• Site Policy determines:
  – that the VO has access to the storage
  – that particular VO members can still be blacklisted, if desired
Site Resources
(Diagram: Data Storage 1 and the worker nodes of Cluster 1 are accessible to the VO; Data Storage 2, the Site Database and the Site Web Services are NOT accessible to the VO)
Example site access policy:
• for each resource, only allow authorized users AND
• deny any requests from black-listed users
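The layered decision described on this slide and on the three slides before it (VO policy decides a member's privileges; site policy decides which resources the VO may use at all and which DNs are banned), as an added example in Python that is not from the original slides or from any OSG tool. The resource names, data areas, FQAN patterns and DNs are constructed; the site checks run before the VO policy because a blacklisted DN must be rejected whatever the VO says about it, and the VO's identity is taken from the leading group of the FQAN.

```python
"""Enforced policy = site policy AND VO policy.  Added example, not OSG code.
Resources, data areas, FQAN patterns and DNs are constructed."""
import fnmatch
from collections import namedtuple

Request = namedtuple("Request", "dn fqan resource path action")

# --- Site policy (owned by the site) -------------------------------------
# Which VOs each resource is open to, keyed by the FQAN's leading VO group.
SITE_RESOURCE_VOS = {
    "storage1": {"/atlas", "/cms"},    # Data Storage 1: accessible to the VO
    "storage2": {"/cms"},              # Data Storage 2: not open to ATLAS
    "site-db": set(),                  # Site Database: open to no VO at all
}
# DNs the site has banned regardless of their VO membership.
SITE_BLACKLIST = {"/DC=org/DC=doegrids/OU=People/CN=Bob 5678"}

# --- VO policy (owned by the VO, asserted through the FQAN) --------------
# Per data area: FQAN patterns and the actions each grants.  Every ATLAS
# member may read either group's data; only the owning group may write.
VO_DATA_ACL = {
    "/data/group1": [("/atlas/group1/*", {"read", "write"}), ("/atlas/*", {"read"})],
    "/data/group2": [("/atlas/group2/*", {"read", "write"}), ("/atlas/*", {"read"})],
}


def vo_root(fqan: str) -> str:
    """'/atlas/group1/Role=NULL/Capability=NULL' -> '/atlas'."""
    return "/" + fqan.split("/")[1]


def site_check(req):
    """Denial reason from site policy, or None if the site is satisfied."""
    if req.dn in SITE_BLACKLIST:
        return "site:blacklist"
    if vo_root(req.fqan) not in SITE_RESOURCE_VOS.get(req.resource, set()):
        return "site:resource-not-open-to-vo"
    return None


def vo_check(req):
    """Denial reason from VO policy, or None if some VO rule grants the action."""
    for area, rules in VO_DATA_ACL.items():
        if req.path == area or req.path.startswith(area + "/"):
            for pattern, actions in rules:
                if fnmatch.fnmatchcase(req.fqan, pattern) and req.action in actions:
                    return None
            return "vo:no-privilege"
    return "vo:no-rule-for-path"   # default deny: the VO never granted anything here


def decide(req):
    """(allowed, reason).  Site policy is evaluated first, so a banned DN is
    rejected even when the VO would have granted the request."""
    reason = site_check(req) or vo_check(req)
    return (reason is None, reason or "ok")


if __name__ == "__main__":
    alice = "/DC=org/DC=doegrids/OU=People/CN=Alice 1234"
    g1 = "/atlas/group1/Role=NULL/Capability=NULL"
    print(decide(Request(alice, g1, "storage1", "/data/group1/run7", "write")))
    print(decide(Request(alice, g1, "storage1", "/data/group2/run3", "write")))
    print(decide(Request(alice, g1, "site-db", "/", "read")))
```

The reason string tells the operator which layer refused, which is what you want in a gatekeeper or SRM log: "vo:no-privilege" is a question for the VO's administrators, "site:blacklist" is the site's own decision.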
Pilot Jobs
(Diagram: the pilot's request, carrying the Pilot DN, goes through the Gatekeeper's Prima/SAML callouts (C) to GUMS and is mapped to the Pilot UID; the Job Manager starts the pilot on the WN; the pilot pulls user jobs, each carrying a User DN, from the user queue and runs all of them under the Pilot UID)
• User jobs and the pilot job run in the same user account, so one job can modify another's files
• The Site does not authenticate/authorize the user; it only authenticates/authorizes the pilot job
Pilot Jobs
(Diagram: as before, the pilot's request with the Pilot DN is mapped through the Gatekeeper's Prima/SAML callouts (C) and GUMS to the Pilot UID; on the WN the pilot now hands each user job, with its User DN, to gLExec, which consults GUMS and runs the job under the User UID)
• gLExec isolates user jobs from one another
• gLExec relies on the site GUMS to authorize job owners
• gLExec logs user access via standard mechanisms
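A simulation of the two pilot-job slides, added here and not gLExec or OSG code: the same pilot runs the same payload queue once without gLExec (every payload under the pilot UID, nothing but the pilot in the site's records) and once with a gLExec-style switch that asks a stand-in for the site's GUMS for the payload owner's UID and records the switch. The DNs, UIDs, file paths, payloads and the toy file store are constructed; real gLExec performs a setuid on the worker node, which is modelled here as an ownership check on each write.

```python
"""Pilot jobs with and without a gLExec-style identity switch.
Added simulation, not gLExec or OSG code.  DNs, UIDs, paths, payloads and the
toy file store are constructed; the setuid switch is modelled as ownership
checks on a per-node file table."""
from typing import Dict, List, Optional, Tuple

PILOT_DN = "/DC=org/DC=doegrids/OU=Services/CN=atlas-pilot/ce01.example.edu"
PILOT_UID = 5001
ALICE = "/DC=org/DC=doegrids/OU=People/CN=Alice 1234"
BOB = "/DC=org/DC=doegrids/OU=People/CN=Bob 5678"
MALLORY = "/DC=org/DC=doegrids/OU=People/CN=Mallory 9999"

# Stand-in for the site GUMS: DN -> uid, None when GUMS refuses (banned or unknown).
GUMS_MAP: Dict[str, Optional[int]] = {ALICE: 5010, BOB: 5011, MALLORY: None}

# Payloads the pilot pulls from the VO's user queue.  Bob's job writes to
# Alice's output path, whether by bug or by intent.
PAYLOADS = [
    {"dn": ALICE, "path": "/scratch/alice/results", "content": "alice-results"},
    {"dn": BOB, "path": "/scratch/alice/results", "content": "tampered-by-bob"},
    {"dn": MALLORY, "path": "/scratch/mallory/out", "content": "mallory-out"},
]


class WorkerNode:
    """Toy WN: a file table with owners, plus the audit trail the site can keep."""
    def __init__(self):
        self.files: Dict[str, Tuple[int, str]] = {}   # path -> (owner uid, content)
        self.audit: List[str] = []

    def write(self, uid: int, path: str, content: str) -> None:
        owner = self.files.get(path, (uid, ""))[0]
        if owner != uid:
            raise PermissionError("uid %d may not write %s (owner %d)" % (uid, path, owner))
        self.files[path] = (uid, content)


def glexec(wn: WorkerNode, user_dn: str) -> Optional[int]:
    """gLExec-style switch: authorize the payload owner through the site's GUMS
    and log the outcome under the user's own identity, not the pilot's."""
    uid = GUMS_MAP.get(user_dn)
    if uid is None:
        wn.audit.append("glexec: dn=%s denied by GUMS" % user_dn)
    else:
        wn.audit.append("glexec: dn=%s -> uid=%d" % (user_dn, uid))
    return uid


def run_pilot(wn: WorkerNode, payloads, use_glexec: bool) -> List[Tuple[str, str]]:
    """Run each payload as the pilot would; return (dn, outcome) per job.
    Without gLExec the site has authorized only the pilot, so every payload
    shares PILOT_UID and the only identity in the log is PILOT_DN."""
    outcomes = []
    for job in payloads:
        if use_glexec:
            uid = glexec(wn, job["dn"])
            if uid is None:
                outcomes.append((job["dn"], "rejected"))
                continue
        else:
            uid = PILOT_UID
            wn.audit.append("job started uid=%d dn=%s" % (PILOT_UID, PILOT_DN))
        try:
            wn.write(uid, job["path"], job["content"])
            outcomes.append((job["dn"], "ok"))
        except PermissionError:
            outcomes.append((job["dn"], "denied"))
    return outcomes


if __name__ == "__main__":
    for flag in (False, True):
        wn = WorkerNode()
        print("glexec=%s" % flag, run_pilot(wn, PAYLOADS, flag))
        print("  alice's file:", wn.files["/scratch/alice/results"])
        print("  audit:", wn.audit)
```

Without the switch Bob's payload silently replaces Alice's results and the site's log shows three jobs by the pilot DN, so an incident responder could neither attribute the write nor ban the right person; with it Bob's write fails on ownership, Mallory never runs because GUMS refuses the DN, and both facts are in the log under the users' own DNs.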
Incident Response
• OSG Incident Response Team (IRT) consists of project security, operations, software, and executive staff
  – Central team coordinates with VO and site security contacts
  – Site CSIRTs not proactively engaged with OSG
• Large VOs span EGEE and OSG
  – Requires coordination with EGEE IRT
  – Adoption of JSPG incident response policy
• Single point of contact
  – [email protected]
  – +1 317 278 9699
  – 24/7/365 response
https://twiki.grid.iu.edu/bin/view/Security/IncidentResponseProcess
Thanks
• For more information:
  – www.opensciencegrid.org
  – [email protected]
  – [email protected]
This material is based upon work supported by the United States National Science Foundation and Department of Energy. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation or Department of Energy.