WP3 Security and R-GMA, Linda Cornwall, RAL

Current Status
• Currently, no security in R-GMA.
• We have looked at Spitfire Security.
• Currently this is being removed from Spitfire, and turned into a separate package.
• Their TrustManager should be used for Authentication for testbed 2.
• Their Authorization is not really suitable for us.

Security and R-GMA, DataGrid Workshop, Budapest. Linda Cornwall, RAL - 02/09/2002

Security for TB2
• Access via https, no http access allowed.
  – Partly due to limited Authorization functionality. A certificate acceptable to EDG will be needed to do anything.
• Mutual Authentication must take place between all components.
• Authentication will take place between users and R-GMA.

Security for TB2 - continued
• Authorization will be limited to job control information.
• Access to job control information will be restricted such that users can only see information on their own jobs.
• All other information, including both read and write access, will be open to everyone with EDG authentication.

Get a certificate!
• All users will need a user certificate.
• All services will need a service certificate.
  – SCG decided to go for CA signed service certificates for TB2. We expect this is the way we will go.
• All users and developers who don’t have a certificate from a CA accepted by EDG should apply for one.
• We recommend users and developers also register with an EDG VO.

Security in the Future – Authentication
• http or https will be allowed.
• https – if authentication either of the service, or of the user, is needed.
• http – to avoid overhead of https.

Security in the Future – Authorization
• Authorization will need to apply to any action, e.g.
  – Setup a table
  – Read from a table
  – Read a specific item of information
  – Find what information producers exist

Authorization dependency
• Nothing – e.g. some information may be visible to anyone.
• Authentication of the user only
• User’s VO membership
• User’s Role
• Individual DN or list of DNs (See D7.5)

Authorization implementation
• Need to pass user’s DN, VO membership and Role to R-GMA.
• Whenever a user makes a request – it will be necessary to decide whether they are authorized to carry out that action.
• Authorization policy will need to go with each table, and with each row of each table. Authorization policy goes with the data.
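
Added example (not from the original slides and not R-GMA code): a sketch of a per-request decision that combines the five dependency kinds from the "Authorization dependency" slide with a policy attached to each table and to each row. The class names, the policy kind strings, the table layout and the DNs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Caller:
    dn: Optional[str] = None    # None: unauthenticated request
    vo: Optional[str] = None
    role: Optional[str] = None

@dataclass(frozen=True)
class Policy:
    kind: str                         # nothing | authenticated | vo | role | dn_list
    allowed: frozenset = frozenset()  # VO names, roles or DNs, depending on kind

def satisfies(policy: Policy, caller: Caller) -> bool:
    """Evaluate one policy against the caller's DN, VO and role; deny by default."""
    if policy.kind == "nothing":
        return True
    if caller.dn is None:             # every other kind needs an authenticated DN
        return False
    if policy.kind == "authenticated":
        return True
    value = {"vo": caller.vo, "role": caller.role, "dn_list": caller.dn}.get(policy.kind)
    return value is not None and value in policy.allowed

def authorize(table: dict, action: str, caller: Caller) -> bool:
    """Table-level check for an action; an action with no policy is denied."""
    policy = table["policies"].get(action)
    return policy is not None and satisfies(policy, caller)

def read_rows(table: dict, caller: Caller) -> list:
    """Rows the caller may read: table policy first, then each row's own policy."""
    if not authorize(table, "read", caller):
        return []
    return [row["data"] for row in table["rows"] if satisfies(row["policy"], caller)]

# Constructed sample data: a job table whose rows are readable only by the job owner.
ALICE = "/O=Example/CN=alice"   # constructed DNs
BOB = "/O=Example/CN=bob"
JOBS = {
    "policies": {"read": Policy("authenticated"),
                 "setup": Policy("role", frozenset({"admin"}))},
    "rows": [
        {"data": {"job": 1, "state": "running"}, "policy": Policy("dn_list", frozenset({ALICE}))},
        {"data": {"job": 2, "state": "done"}, "policy": Policy("dn_list", frozenset({BOB}))},
    ],
}
```

With this data, an authenticated caller sees only the job rows whose policy lists their DN, and an unknown policy kind or an action without a policy is refused.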

R-GMA – TB2
[Diagram; labels: Application Code, Consumer Instance, Consumer API, Registry, Schema API, Producer API, Sensor Code, Registry API, Producer Instance, Schema, “Event Dictionary”. Annotation: “If job info – does DN match?”]