WP4-Gridification-wp7sec-20020304
WP4 Gridification
Security Components in the Fabric
overview of the WP4 architecture as of D4.2
for Gridification Task: David Groep
Fabric security components
External (“Grid”) components:
issues relating to the three core Grid protocols (GRAM, GSIFTP, GRIP)
network issues (firewall admin, NAT)
fabric authorization interoperability (multi-domain, AAA, co-allocation)
Internal components:
authenticated installation services
secure bootstrapping services
David Groep – WP4 gridification security components and D4.2 – 2002.03.04 - 2
WP4 Subsystems and relationships (D4.2)
Job submission protocol & interface
Current design
Gatekeeper does authentication, authorization and user mapping
RSL passed to JobManager
authorization and user mapping done too early in process
Identical components
GRAM (attributes over HTTPS)
Identified design differences
Client tools connect to gatekeeper
Protocol must stay the same (GRAM)
Separation of JobManager (closer to RMS) and GateKeeper will remain
Issues: scalability problems with many jobs within one centre (N jobmanagers)
authorization cannot take into account RMS state (budget, etc.)
Authorization and AAA
Current design:
Local site policy in authorization
Identified design points
Authorization and user mapping are combined (see next slide)
new component, taking concepts from generic AAA architectures
coordinate with AuthZ group and GGF
Identical components
towards generic AAA architectures/servers (LCAS will be like an ASM)
distributed AAA decisions/brokering
concepts from new SciDAC/SecureGRID/AAAARCH work
Accounting framework yet to be considered…
Credential Mapping
Current design:
Kerberos by external service (sslk5)
move to later in the process (after the authorization decision)
Extend for multiple credential types…
Identical components
Gatekeeper map file with GridMapDir (on connection establishment)
Identified design points
Authorization and user mapping are combined
gridmapdir patch by Andrew McNab
sslk5/k5cert service
Issues in current design
mapping may be expensive (updating password files, NIS, LDAP, etc.)
Local security service (FLIdS)
Current design:
Policy driven automatic service
policy language design (based on generic policy language or ACLs)
Identical components
Technology ubiquitous (X.509 PKI)
Identified design points
Component is not a Grid component → not there
PKI X.509 technology (OpenSSL)
use by GSI and HTTPS
Issues:
mainly useful in untrusted environments (e.g., outside a locked computer centre)
prevents CA overloading…
Non-critical for grid services
needed for intra-fabric security
Information Services (GriFIS)
Current design:
Modular information providers
Identical components
MDS2.1: LDAP protocol with back-ends or F-Tree
NO fundamental changes by WP4
GIS/Ftree and/or GMA/R-GMA or …
Just more information providers
Correlators between RMS, Monitoring and CDB (internal WP4 components)
Design issues
How will global scheduling decisions be made (AAA-wise)?
distributed AAA based on new standard
future for LCAS
Network access to large fabrics
Current Globus design
Identified issues
Is not in scope of Globus toolkit
Needed component for large farms
Needed for bandwidth provisioning, brokerage & selective firewall administration
Farm nodes not visible from outside!
Identical components
0th order: no functionality
1st order: IP Masquerading routers
2nd order: IP Masq & protocol translation (IPv6 → IPv4 and vice versa)
later: use of intelligent edge devices, managed bandwidth (and connections) per job, AAA interaction (with LCAS)
Intra-fabric security issues
How to install a node in an untrusted network environment
distribution of sensitive config data (SSH host keys)
integrity of configuration data
bootstrapping problem!
Secure install scenario requires a local quasi-CA (FLIdS = Fabric-Local Identity Service)
See use-case on next slide (don’t be terrified by the arrows…)
Bootstrapping a machine on a hostile net
Components in the diagram:
CFG Configuration Database (secured http server): holds the LCA root cert and the CFG data ACLs
FLIDS engine: holds the LCA cert and private key; automated CA, will sign when the request is approved by the ‘operator’
New host to be installed
Operator install disk: kernel and init; CFG https agent; signed cert of operator; protected private key of operator; LCA root certificate
Steps:
1: Operator boots system
2: agent makes https request using operator credentials
3: https server checks CFG data ACL (operator has all rights), can verify ID of operator using LCA root cert
4: sensitive config data encrypted using session key
5: host generates key pair (but without a passphrase protecting the private part)
6: request sent to FLIDS engine, signed by operator key (in cleartext) (FLIDS hostname known from CFG data)
7: FLIDS checks signature of operator, and signs request with LCA key. Request DN namespace limited.
8: signed host cert back to host (in clear)
9: host checks signature on cert using the LCA root cert on the boot disk
10: https requests to CFG authenticated with new signed host certificate
11: CFG web server can check hostname in cert against requesting IP address and check ACLs
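As an added worked example (not part of the slides or of WP4's own code), steps 5 to 9 of the flow above in Ruby with its standard openssl library: the host generates an unprotected key pair and a request, the operator countersigns it, the FLIdS engine checks that countersignature, the proof of possession and the DN namespace before signing with the LCA key, and the host accepts the result only if it chains to the LCA root on its boot disk. The names make_cert, host_request, FLIdS, host_accepts? and the namespace suffix '.fabric.example' are assumptions; the CFG server's step 11 hostname-versus-IP check is not modelled.

```ruby
require 'openssl'

# Build and sign an X.509 certificate; with issuer nil the cert is self-signed.
def make_cert(subject, pubkey, issuer, issuer_key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, (Time.now.to_f * 1000).to_i
  cert.subject, cert.public_key = subject, pubkey
  cert.issuer = issuer ? issuer.subject : subject
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, 'SHA256')
end

# Step 5, on the new host: key pair without passphrase (unattended node) and a CSR for its hostname.
def host_request(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  csr.public_key = key.public_key
  [csr.sign(key, 'SHA256').to_der, key]
end

# FLIdS engine: automated local CA (LCA) limited to one DN namespace, trusting one operator cert.
class FLIdS
  attr_reader :root
  def initialize(namespace, operator_cert)
    @namespace, @operator = namespace, operator_cert
    @key = OpenSSL::PKey::RSA.new(2048)
    @root = make_cert(OpenSSL::X509::Name.parse('/CN=LCA root'), @key.public_key, nil, @key, ca: true)
  end

  # Step 7: require the operator countersignature (step 6), CSR proof of possession and an in-namespace DN.
  def sign_host(csr_der, operator_sig)
    approved = @operator.public_key.verify('SHA256', operator_sig, csr_der) rescue false
    raise 'request not approved by a known operator' unless approved
    csr = OpenSSL::X509::Request.new(csr_der)
    raise 'CSR signature does not match its key' unless csr.verify(csr.public_key)
    raise "DN #{csr.subject} outside LCA namespace" unless csr.subject.to_s.end_with?(@namespace)
    make_cert(csr.subject, csr.public_key, @root, @key)
  end
end

# Step 9, on the host: accept only a cert signed by the LCA root from the boot disk
# that names this host and is still valid; anything else is treated as a hostile reply.
def host_accepts?(cert_der, lca_root, hostname)
  cert = OpenSSL::X509::Certificate.new(cert_der)
  cert.verify(lca_root.public_key) && cert.issuer == lca_root.subject &&
    cert.subject.to_s == "/CN=#{hostname}" && cert.not_after > Time.now
end
```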
Component Summary
LCAS: comprehensive local authorization taking RMS issues into account; should evolve into an “ASM” to allow inter-domain co-allocation; accepted jobs WILL run
LCMAPS: take as much as possible from existing gridmapdir work, generalize for K5
FLIdS: build secure fabrics on an insecure network (smaller uni’s etc.), prevent CA overload
FabNAT: 1st goal: solve addressing issue; later: managed firewalls etc; allow plug-in to LCAS
Key is to stay compatible and interoperable!
GRAM protocol (& RSL) [Globus, GGF]
Information framework (GRIP, GMA, R-GMA, …) [Globus, GGF and EDG WP3]
All work on security in AAAARCH, PKIX, GGF sec. area, SecureGRID