Authorization and Authentication in gLite

Transcript of the presentation:

1 Authorization and Authentication in gLite
Training course on High-Performance Parallel Computing (2008 edition). Annamaria Muoio, INFN Catania. Catania, October 2008

2 Outline
• Glossary
• Certificates: Certification Authorities; X.509 certificates
• Grid Security: basic concepts; Grid Security Infrastructure; proxy certificates, single sign-on, delegation; commands used on the UI
• Virtual Organizations: concept of VO and authorization; VOMS, LCAS, LCMAPS
• References

3 Glossary
• Principal: an entity: a user, a program, or a machine
• Credentials: some data providing a proof of identity
• Authentication: verification of the identity of an end-entity
• Authorization: mapping an entity to some set of privileges
• Confidentiality: encrypting the message so that only the recipient can understand it
• Integrity: ensuring that the message has not been altered during transmission
• Non-repudiation: impossibility of denying the authenticity of a digital signature

4 X.509 and Certification Authorities
The “third party” is called Certification Authority (CA). Responsibilities of a CA:
• Issue digital certificates (containing the public key and the owner’s identity) for users, programs and machines
• Check the identity and the personal data of the requestor
– Registration Authorities (RAs) do the actual validation
• Revoke certificates in case of a compromise
• Renew certificates in case of expiration
• Periodically publish a list of revoked certificates through a web repository
– Certificate Revocation Lists (CRL): contain all the revoked certificates
• CA certificates are self-signed

5 X.509 Certificates
An X.509 certificate contains:
• owner’s public key;
• identity of the owner (DN);
• info on the CA;
• time of validity;
• serial number;
• digital signature of the CA.
Structure of an X.509 certificate (example from the slide):
Public key
Subject: C=TR, O=TRGrid, OU=ODTU, CN=Cevat Sener
Issuer: C=TR, O=TRGrid, CN=TR-Grid CA
Not before: Apr 6 14:08: GMT
Not after: Apr 6 14:08: GMT
Serial number: 95 (0x5F)
CA digital signature

6 The Grid Security Infrastructure (GSI)
Based on X.509 PKI:
• every user/host/service has an X.509 certificate;
• certificates are signed by CAs trusted by the local sites;
• every Grid transaction is mutually authenticated:
1) John sends his certificate;
2) Peter verifies the signature on John’s certificate;
3) Peter sends John a challenge string;
4) John encrypts the challenge string with his private key;
5) John sends the encrypted challenge to Peter;
6) Peter uses John’s public key to decrypt the challenge;
7) Peter compares the decrypted string with the original challenge;
8) if they match, Peter has verified John’s identity and John cannot repudiate it.
(Figure: John’s certificate → verify CA signature → random phrase → encrypt with John’s private key → encrypted phrase → decrypt with John’s public key → compare with original phrase.)
VERY IMPORTANT: private keys must be stored only by their owners, in protected places AND in encrypted form.

7 More on Authentication
• In the grid world one single CA usually covers a predefined geographic region or administrative domain:
– an organization
– a country
– a set of countries
• A common trust domain for grid computing has been created to join the several existing certification authorities into a single authentication domain, thus enabling the sharing of grid resources worldwide.
– The International Grid Trust Federation (IGTF) has been created to coordinate and manage this trust domain.
– IGTF is divided into three Policy Management Authorities (PMAs) covering Asia Pacific, Europe and the Americas.

8 Classic Profile of a CA
A network of subordinate RAs is necessary to perform the identity verification of the subjects.
• The RAs will be created at the level of the organizations or at the level of departments:
– operating at university or research centre wide level (more difficult)
– operating at the level of a department or group
– the CA can also operate an RA, but don’t forget that the physical presence of the subject is required for identity verification
– it is fine to have more than one RA per university or research centre if they are operating for different departments
• The RAs should be created only upon request; their creation should be user driven.

9 Classic profile of a CA How to obtain a certificate:

10 Revocation Lists
The CAs have the obligation to issue Certificate Revocation Lists (CRL).
• The CRLs contain:
– a list of the revoked certificates
– the date when they were issued
– the end date
• CRLs are signed with the CA private key
• The CRLs must be published so that the relying parties can check the validity of the certificates
– Usually available through

11 Steps for different browsers

12 RA di COMETA Authentication in PI2S2

13 Download Certificate INFN (1/3)

14 Request certificate INFN (2/3)

15 Request certificate INFN (3/3)
An e-mail will arrive from a specific address, in the form:
From: INFN CA
To: <address given in the request form>
Subject: [INFN CA #xyz] Certificate for <USER>
Dear User, the certificate you requested is ready. To complete the procedure, you must open the address below with the *same* browser used to make the request:
Please allow me to remind you of the following:
- it is essential that the browser you use is _the same_ one used for the request;
- once the certificate has been downloaded, it can be exported and imported into other browsers (for more information on the procedure, please see
- please make backup copies immediately, to be kept, suitably protected, on a floppy or USB key.
- error message;
- name of the node from which the request was made;
- day and time of the attempt;
- model and version of the browser used.
Please also read the Certification Policy and the CPS of this CA, available at
Regards
-- INFN CA - INFN Certification Authority Tel: Via G. Sansone 1, I Sesto Fiorentino
Follow the link to download the certificate.

16 Export certificate from browser: IE

17 Export certificate from IE (1/8)
Attention: during all the steps you have to use the same web browser used for the request! You have to export the certificate in order to use it on the Grid, and place it in a secure directory. The file’s extension is *.pfx for Internet Explorer. Follow the menu Strumenti -> Opzioni Internet -> Contenuto -> Certificati (Tools -> Internet Options -> Content -> Certificates).

18 Export certificate from IE (2/8)

19 Export certificate from IE (3/8)

20 Export certificate from IE (4/8)

21 Export certificate from IE (5/8)

22 Export certificate from IE (6/8)

23 Export certificate from IE (7/8)

24 Export certificate from IE (8/8)

25 Export certificate from browser: Mozilla/Firefox

26 Export certificate from Firefox (1/6)
Attention: during all the steps you have to use the same web browser used for the request! You have to export the certificate in order to use it on the Grid, and place it in a secure directory. The file’s extension is *.pfx for Internet Explorer. Follow the menu Strumenti -> Opzioni Internet -> Contenuto -> Certificati (Tools -> Internet Options -> Content -> Certificates).

27 Export certificate from Firefox (2/6)

28 Export certificate from Firefox (3/6)

29 Export certificate from Firefox (4/6)

30 Export certificate from Firefox (5/6)

31 Export certificate from Firefox (6/6)

32 Revocation certificate COMETA
The certificate revocation request must be submitted to the RA, which is able to forward it to the INFN CA. The user will be informed via e-mail, or can check the status of their own certificate at the URL:

33 Revocation certificate COMETA

34 GENIUS web portal
GENIUS: Grid Enabled web eNvironment for site Independent User job Submission. INFN / NICE collaboration.
Layered architecture (figure): GENIUS web portal on top; applications’ specific layer (ALICE, ATLAS, CMS, LHCb, other apps); high-level GRID middleware; basic services (GLOBUS toolkit, EGEE (LCG/gLite) architecture); OS & net services.

35 GENIUS Grid Portal Reference Web Site: https://infn-ui-01.ct.infn.it

36 VOMS PROXY INIT SERVICE

37 VOMS PROXY INIT SERVICE
A CAPTCHA code is required to start the VOMS Proxy Applet for the proxy initialization.

38 VOMS PROXY INIT SERVICE
Jointly developed by NICE and INFN Catania

39 VOMS PROXY INIT SERVICE

40 VOMS PROXY INIT SERVICE

41 VOMS PROXY INIT SERVICE

42 VOMS PROXY INIT SERVICE

43 acceptance of VO’s rules

44 GRID Security: Components
• Users: large and dynamic population; different accounts at different sites; personal and confidential data; heterogeneous privileges (roles); desire single sign-on
• “Groups”: “group” data; access patterns; membership
• Grid sites: heterogeneous resources; access patterns; local policies; membership

45 Accept of Rules (http://www.consorzio-cometa.it/pi2s2/tc/regole.php)

46 Registration to VO COMETA
With the certificate installed in the browser, open the URL:

47 Certificate on the UI
Copy your certificate (.p12 or .pfx) to the UI.
Create a directory .globus:
$ mkdir .globus
Use the command line to convert the certificate from .p12 to .pem:
$ openssl pkcs12 -clcerts -nokeys -in <your cert> -out usercert.pem
$ openssl pkcs12 -nocerts -in <your cert> -out userkey.pem
Set the permissions on the public key, usercert.pem:
$ chmod 644 usercert.pem
Set the permissions on the private key, userkey.pem:
$ chmod 400 userkey.pem
Move the files usercert.pem and userkey.pem into the directory .globus:
$ mv usercert.pem userkey.pem $HOME/.globus/

48 grid-proxy-init
• The user enters the pass phrase, which is used to decrypt the private key.
• The private key is used to sign a proxy certificate with its own, new public/private key pair.
• The user’s private key is not exposed after the proxy has been signed.
(Figure: user certificate file + private key (encrypted) + pass phrase → user proxy.)
• The proxy is placed in /tmp; the private key of the proxy is not encrypted:
– stored in a local file: must be readable only by the owner;
– proxy lifetime is short (typically 12 h) to minimize security risks.
NOTE: no network traffic!

49 Ways of accessing Cometa
There are 2 ways to access the Cometa infrastructure as members of the VO trigrid:
1) Access via SSH from a static IP to the Catania User Interface (UI). You need to communicate the IP from which you intend to connect.
2) Access via a virtual UI:
3) Via web: GENIUS

50 Delegation
Delegation = remote creation of a (second level) proxy credential:
• a new key pair is generated remotely on the server;
• the client signs the proxy certificate and returns it;
• this allows the remote process to authenticate on behalf of the user;
• the remote process “impersonates” the user.
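The handshake of slide 6 and the proxy mechanics of slides 48 and 50 fit together in one small model. The following is an added example, not code from gLite, Globus or this presentation: certificates are plain dicts, the CA name and the user name are constructed, and signatures use textbook RSA over fixed Mersenne primes so that it runs on the Python standard library alone (that key material is insecure by design and stands in for the real X.509/OpenSSL machinery). It shows the CA-signed certificate, the random-phrase challenge that proves possession of the private key, a proxy created from the user credential, a second-level proxy delegated from the first, and the checks a relying party applies to the chain: signature by the next link, expiry, the `/CN=proxy` naming, and a proxy never outliving its signer.

```python
"""Added example, not gLite/GSI code: a toy model of the GSI challenge-response
on slide 6 and of proxy creation and delegation (slides 48 and 50).
Certificates are dicts and signatures use textbook RSA over fixed Mersenne
primes (constructed and insecure), so it runs on the standard library alone."""
import hashlib
import itertools
import secrets

# Constructed key material: four (p, q) pairs, cycled through as keys are made.
_PRIMES = itertools.cycle([(2**31 - 1, 2**61 - 1), (2**19 - 1, 2**89 - 1),
                           (2**13 - 1, 2**107 - 1), (2**17 - 1, 2**127 - 1)])
_E = 65537

def make_keypair():
    """Return (public, private) as ((n, e), (n, d)) from the next prime pair."""
    p, q = next(_PRIMES)
    n = p * q
    d = pow(_E, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (n, _E), (n, d)

def _digest(data, n):
    """SHA-256 of the data, reduced so that it is a valid RSA message mod n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    """'Encrypt with the private key' in the slide's wording: H(m)^d mod n."""
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    """'Decrypt with the public key' and compare: sig^e mod n == H(m)."""
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def _tbs(cert):
    """The to-be-signed part of a certificate: every field but the signature."""
    return f"{cert['subject']}|{cert['issuer']}|{cert['pub']}|{cert['not_after']}".encode()

def issue(subject, pub, issuer_cert, issuer_priv, not_after):
    """Bind subject and public key under the issuer's signature (slides 4-5).
    With issuer_cert=None the certificate is self-signed, like a CA's."""
    issuer = issuer_cert["subject"] if issuer_cert else subject
    cert = {"subject": subject, "issuer": issuer, "pub": pub, "not_after": not_after}
    cert["sig"] = sign(issuer_priv, _tbs(cert))
    return cert

def verify_chain(chain, trusted_ca, now):
    """chain[0] is the credential presented (possibly a second-level proxy),
    chain[-1] the user certificate. Each link must be signed by the next one
    and be unexpired; a proxy must be named <signer>/CN=proxy and must not
    outlive its signer (the short-lifetime policy of slide 48)."""
    signers = chain[1:] + [trusted_ca]
    for cert, signer in zip(chain, signers):
        ok = (cert["issuer"] == signer["subject"]
              and verify(signer["pub"], _tbs(cert), cert["sig"])
              and now < cert["not_after"])
        if signer is not trusted_ca:            # this link is a proxy
            ok = (ok and cert["subject"] == signer["subject"] + "/CN=proxy"
                  and cert["not_after"] <= signer["not_after"])
        if not ok:
            return False
    return True

def create_proxy(chain, signer_priv, lifetime_h, now):
    """grid-proxy-init (slide 48) or delegation (slide 50): a fresh key pair is
    generated and its certificate signed by the delegating credential. The
    signer's own private key never leaves its owner; only the proxy key does."""
    pub, priv = make_keypair()
    parent = chain[0]
    not_after = min(now + lifetime_h * 3600, parent["not_after"])
    proxy = issue(parent["subject"] + "/CN=proxy", pub, parent, signer_priv, not_after)
    return [proxy] + chain, priv

def challenge_response(peer_chain, peer_priv, trusted_ca, now):
    """Slide 6 from Peter's side: check the chain John presents, then make him
    sign a random phrase so that possession of the private key is proven."""
    if not verify_chain(peer_chain, trusted_ca, now):
        return False
    challenge = secrets.token_bytes(32)            # Peter's random phrase
    response = sign(peer_priv, challenge)           # John's side
    return verify(peer_chain[0]["pub"], challenge, response)

def demo(now=1_223_000_000):
    """Run the whole story with constructed names and an epoch-seconds clock."""
    ca_pub, ca_priv = make_keypair()
    ca = issue("/C=TR/O=TRGrid/CN=TR-Grid CA", ca_pub, None, ca_priv, now + 10 * 365 * 86400)
    john_pub, john_priv = make_keypair()
    john = issue("/C=TR/O=TRGrid/OU=ODTU/CN=John", john_pub, ca, ca_priv, now + 365 * 86400)
    chain1, proxy1_priv = create_proxy([john], john_priv, 12, now)            # on the UI
    chain2, proxy2_priv = create_proxy(chain1, proxy1_priv, 12, now + 3600)   # delegated
    return {
        "user_auth": challenge_response([john], john_priv, ca, now),
        "proxy2_auth": challenge_response(chain2, proxy2_priv, ca, now + 3600),
        "expired": challenge_response(chain1, proxy1_priv, ca, now + 13 * 3600),
        "wrong_key": challenge_response(chain2, proxy1_priv, ca, now + 3600),
    }
```

Running `demo()` returns `user_auth` and `proxy2_auth` true, while `expired` (the 12 h proxy presented 13 h later) and `wrong_key` (a chain presented by someone holding a different private key) are refused. Note that the second-level proxy is capped at the first proxy's expiry even though 12 more hours were requested, which is what keeps delegation from extending a short-lived credential.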

51 Long term proxy --> MyProxy
• A proxy has a limited lifetime (default is 12 h); it is a bad idea to have a longer proxy.
• However, a grid task might need to use a proxy for a much longer time: grid jobs in HEP on LCG last up to 2 days.
• myproxy server: allows to create and store a long term proxy certificate:
– myproxy-init -s <host_name> --voms <your_vo>
  -s: <host_name> specifies the hostname of the myproxy server
– myproxy-info: get information about the stored long-living proxy
– myproxy-get-delegation: get a new proxy from the MyProxy server
– myproxy-destroy
– Check out the myproxy-xxx --help option for more information
• A dedicated service on the RB can renew the proxy automatically.
• File transfer services in gLite validate user requests and eventually renew proxies by contacting the myproxy server.

52 VOs and authorization
Grid users MUST belong to virtual organizations.
• It was called “groups” previously.
• It defines sets of users belonging to a collaboration.
• The user must sign the usage guidelines for the VO.
• You will be registered in the VO-LDAP server (wait for notification).
• List of supported VOs:
• VOs maintain a list of their members on an LDAP server.
• The list is downloaded by grid machines to map user certificate subjects to local “pool” accounts.
• Sites decide which VOs to support.
Example /etc/grid-security/grid-mapfile:
"/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Birsen Omay" .seegrid
"/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Hakan Bayindir" .trgridb
"/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Onur Temizsoylu" .dteam

53 Evolution of VO management
Before VOMS:
• User is authorised as a member of a single VO
• All VO members have the same rights
• Gridmapfiles are updated by VO management software: map the user’s DN to a local account
• grid-proxy-init
– derives a proxy from the certificate
– the “single sign-on to the grid”
VOMS:
• User can be in multiple VOs: aggregate rights
• VO can have groups
– Different rights for each
– Different groups of experimentalists
– Nested groups
• VO has roles
– Assigned for specific purposes, e.g. system admin
– When the user assumes this role, the proxy certificate carries the additional attributes
• voms-proxy-init

54 Registration process

55 COMETA VOMS (https://voms.ct.infn.it:8443/voms/gilda/)
New registrations at:

56 VOMS concepts
Virtual Organization Membership Service:
• Extends the proxy with info on VO membership, groups, roles
• Fully compatible with the Globus Toolkit
• Each VO has a database containing group membership, roles and capabilities information for each user
• The user contacts the VOMS server requesting his authorization info
• The server sends the authorization info to the client, which includes it in a proxy certificate
~]$ voms-proxy-init --voms cometa
Enter GRID pass phrase:
Your identity: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Riccardo Bruno
Cannot find file or dir: /home/brunor/.glite/vomses
Creating temporary proxy Done
Contacting voms.ct.infn.it:15003 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "cometa" Done
Creating proxy Done
Your proxy is valid until Sat Oct 4 04:02:

57 FQAN and AC
• FQAN, short for Fully Qualified Attribute Name, is what VOMS uses to express membership and other authorization info
• Group membership, roles and capabilities may be expressed in a format that binds them together: <group>/Role=[<role>][/Capability=<capability>]
• FQANs are included in an Attribute Certificate
• Attribute Certificates are used to bind a set of attributes (like membership, roles, authorization info etc.) with an identity
• ACs are digitally signed
• VOMS uses ACs to include the attributes of a user in a proxy certificate
~]$ voms-proxy-info -fqan
/cometa/Role=NULL/Capability=NULL
/cometa/grelc/Role=NULL/Capability=NULL
/cometa/grelc/das/Role=NULL/Capability=NULL
/cometa/grelc/das/grelc02.unile.it/Role=NULL/Capability=NULL
/cometa/grelc/das/grelc02.unile.it/sakila/Role=NULL/Capability=NULL
/cometa/grelc/das/grid009.ct.infn.it/Role=NULL/Capability=NULL
/cometa/grelc/das/grid009.ct.infn.it/sakila/Role=NULL/Capability=NULL

58 VOMS and AC
• The server creates and signs an AC containing the FQANs requested by the user, if applicable
• The AC is included by the client in a well-defined, non-critical extension, assuring compatibility with GT-based mechanisms
~]$ voms-proxy-info -all
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Riccardo Bruno/CN=proxy
issuer : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Riccardo Bruno
identity : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Riccardo Bruno
type : proxy
strength : 512 bits
path : /tmp/x509up_u509
timeleft : 11:57:56
=== VO cometa extension information ===
VO : cometa
subject : /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Riccardo Bruno
issuer : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /cometa/Role=NULL/Capability=NULL
attribute : /cometa/grelc/Role=NULL/Capability=NULL
attribute : /cometa/grelc/das/Role=NULL/Capability=NULL
attribute : /cometa/grelc/das/grelc02.unile.it/Role=NULL/Capability=NULL
attribute : /cometa/grelc/das/grelc02.unile.it/sakila/Role=NULL/Capability=NULL
attribute : /cometa/grelc/das/grid009.ct.infn.it/Role=NULL/Capability=NULL
attribute : /cometa/grelc/das/grid009.ct.infn.it/sakila/Role=NULL/Capability=NULL

59 Groups
The number of users of a VO can be very high:
– e.g. the experiment ATLAS has 2000 members
• Make the VO manageable by organizing users in groups. Examples:
– VO GILDA: Group Catania, INFN, Group Barbera, University, Group Padua (figure of the group tree)
– /GILDA/TUTORS can write to normal storage; /GILDA/STUDENT can only write to volatile space
• Groups can have a hierarchical structure, indefinitely deep

60 Roles
Roles are specific features that a user has and that distinguish him from others in his group:
– Software manager
– VO-Administrator
• Difference between roles and groups:
– Roles have no hierarchical structure: there is no sub-role
– Roles are not used in ‘normal operation’
  – They are not added to the proxy by default when running voms-proxy-init
  – But they can be added to the proxy for special purposes when running voms-proxy-init
• Example:
– User Emidio has the following membership: VO=gilda, Group=tutors, Role=SoftwareManager
– During normal operation the role is not taken into account, e.g. Emidio can work as a normal user
– For special things he can obtain the role “Software Manager”: he has to explicitly request it with the appropriate option to the command

61 LCAS & LCMAPS
At the resource level, authorization info is extracted from the proxy and processed by LCAS and LCMAPS.
• Local Centre Authorization Service (LCAS)
– Checks if the user is authorized (currently using the grid-mapfile)
– Checks if the user is banned at the site
– Checks if at that time the site accepts jobs
• Local Credential Mapping Service (LCMAPS)
– Maps grid credentials to local credentials (e.g. UNIX uid/gid, AFS tokens, etc.)
– Maps also VOMS groups and roles (full support of FQAN)
• Both LCAS and LCMAPS are based on ACLs which translate VOMS extensions to pools of users:
"/VO=dteam/GROUP=/dteam" dteam
"/VO=eumed/GROUP=/eumed/ROLE=SoftwareManager" eumed
"/VO=eumed/GROUP=/eumed" eumed
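The pieces of slides 52, 57, 60 and 61 (DN-based grid-mapfile, FQAN syntax, roles that only take effect when requested, and the LCAS checks followed by the LCMAPS mapping) can be exercised together. The following is an added example and not LCAS, LCMAPS or VOMS code: it parses FQANs of the `<group>/Role=<role>/Capability=<capability>` form, reads mapfile lines of the `"<key>" <target>` shape shown on the slides, and applies the site gate (accepting jobs, not banned) before mapping. The mapfile and ACL contents, the account names `eumedsgm`/`.eumed`, the user DN `/C=IT/O=INFN/CN=Emidio` and the `lease_account` pool allocation are all constructed for the example; the convention that a target beginning with `.` names a pool of accounts follows the `.dteam`-style entries on slide 52.

```python
"""Added example, not LCAS/LCMAPS or VOMS code: parse FQANs of the form shown
on slide 57 and run a slide-61 style authorization over constructed copies of
the grid-mapfile (slide 52) and the VOMS-to-pool ACL (slide 61)."""
import re

# Constructed sample files. A target starting with '.' names a pool of
# accounts; a bare name is a fixed local account.
GRID_MAPFILE = '''
"/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Birsen Omay" .seegrid
"/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Hakan Bayindir" .trgridb
"/C=TR/O=TRGrid/OU=TUBITAK-ULAKBIM/CN=Onur Temizsoylu" .dteam
'''
GROUP_ACL = '''
# VOMS attribute -> local account, first match wins (constructed)
"/VO=dteam/GROUP=/dteam" .dteam
"/VO=eumed/GROUP=/eumed/ROLE=SoftwareManager" eumedsgm
"/VO=eumed/GROUP=/eumed" .eumed
'''
_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')
_ACL_KEY = re.compile(r"^/VO=([^/]+)/GROUP=(/[^=]*?)(?:/ROLE=([^/]+))?$")

def parse_fqan(fqan):
    """'<group>/Role=<role>/Capability=<cap>' -> (vo, group, role, capability).
    VOMS writes NULL for an absent role or capability; that becomes None."""
    if not fqan.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {fqan!r}")
    group, role, cap = [], None, None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif role is None and cap is None and part:
            group.append(part)          # group segments come before Role=
        else:
            raise ValueError(f"malformed FQAN: {fqan!r}")
    if not group:
        raise ValueError(f"FQAN has no group: {fqan!r}")
    norm = lambda v: None if v in (None, "NULL") else v
    return group[0], "/" + "/".join(group), norm(role), norm(cap)

def parse_mapfile(text):
    """Lines of the form "<key>" <target>; blank lines and # comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"bad mapfile line: {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries

def parse_acl_key(key):
    """'/VO=eumed/GROUP=/eumed/ROLE=SoftwareManager' -> (vo, group, role)."""
    m = _ACL_KEY.match(key)
    if not m:
        raise ValueError(f"bad ACL key: {key!r}")
    return m.group(1), m.group(2), m.group(3)

def authorize(dn, fqans, mapfile, acl, banned=frozenset(), accepting_jobs=True):
    """LCAS-style gate checks, then LCMAPS-style mapping. Returns the mapfile
    target ('.pool' or an account name) or raises PermissionError."""
    if not accepting_jobs:
        raise PermissionError("site is not accepting jobs at this time")
    if dn in banned:
        raise PermissionError(f"{dn} is banned at this site")
    for fqan in fqans:                                 # proxy order = priority
        vo, group, role, _cap = parse_fqan(fqan)
        for key, target in acl:
            if parse_acl_key(key) == (vo, group, role):
                return target
    for key, target in mapfile:                        # DN-based fallback
        if key == dn:
            return target
    raise PermissionError(f"{dn}: no matching VOMS attribute or grid-mapfile entry")

def lease_account(dn, target, leases, pool_size=50):
    """Turn a '.pool' target into a concrete account (pool001, ...), keeping the
    same account for a DN that already holds one. leases maps dn -> account."""
    if not target.startswith("."):
        return target
    if dn in leases:
        return leases[dn]
    prefix, in_use = target[1:], set(leases.values())
    for i in range(1, pool_size + 1):
        acct = f"{prefix}{i:03d}"
        if acct not in in_use:
            leases[dn] = acct
            return acct
    raise PermissionError(f"pool {target} is exhausted")
```

With a proxy carrying only `/eumed/Role=NULL/Capability=NULL` the user lands in the `.eumed` pool; when the proxy was made with the role requested, so that `/eumed/Role=SoftwareManager/...` is listed first, the same user maps to the `eumedsgm` account. A DN with no VOMS attributes still falls back to the grid-mapfile, and a banned DN or a closed site is refused before any mapping is attempted.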

62 GSI environment variables
User certificate files:
• Certificate: X509_USER_CERT (default: $HOME/.globus/usercert.pem)
• Private key: X509_USER_KEY (default: $HOME/.globus/userkey.pem)
• Proxy: X509_USER_PROXY (default: /tmp/x509up_u<id>)
Host certificate files:
• Certificate: X509_HOST_CERT (default: /etc/grid-security/hostcert.pem)
• Private key: X509_HOST_KEY (default: /etc/grid-security/hostkey.pem)

63 GSI environment variables
• Trusted certification authority certificates: X509_CERT_DIR (default: /etc/grid-security/certificates)
• VOMS server public keys: X509_VOMS_DIR (default: /etc/grid-security/vomsdir)

64 References
Grid:
• LCG Security:
• LCG Registration:
• Globus Security:
• VOMS:
• IGTF for trusted CAs:
• CA:
Background:
• GGF Security:
• IETF PKIX charter:
• PKCS:
