Castor Security Overview
The goal of this project is to provide- Authentication and Authorization on all client protocols
- Authentication and Authorization on administrative services
- Authentication and Authorization among back-end service
| Client | Server | |
|---|---|---|
| SLC4 | 2.1.8-6 | 2.1.8-7 GSI only! |
| SLC5 | 2.1.8-6 | 2.1.8-7 |
User Guide
See CastorSecureUserGuideDeployment
See CastorSecurityDeploymentTrouble-Shooting
See CastorSecureTroubleShootingRoadmap
In the first phase we are focusing on the client protocols:- interaction with the Request Handler (RH) to open a file BUG:46754
- Name Server (NS) connections BUG:46736
- interaction with the Disk Server via rfio BUG:46755
- GSI (X509 grid certificates): to be compatible with the WLCG grid services
- KerberosV: every CERN user has a Kerberos principal and the authentication is faster, uses less CPU resources
- SRM: GSI authentication
- gridftp: GSI authenticaiton
- xrootd: both GSI and KerberosV authentication
Authentication and Mapping
The authenticated client will be mapped into a uid/gid pair, which correspond to a real CERN user and group. We cannot use virtualized users and groups because of the Castor scheduler BUG:46759
Kerberos
The mapping from Kerberos principals to CERN uid is straightforward: there is a username corresponding to each principal for which there is a unique uid provided by the CERN user database.Certificates
Currently we are generating a staticgridmap-file for certificate based authentication in SRM and gridftp
services from the content of VOMS database.
However automatic mapping of CERN X509 certificates would also straightforward like Kerberos: the username
is included in the certificate distinguished name (DN) for which there is a unique uid provided by the CERN user
database BUG:46757.
Mapping external certificates is slightly more complicated, however the CERN CA
provides a possibility to external users to register their certificates with a CERN user account. From this
database we can generate a gridmap-file, which can be used by the GSI based authentication modules
(RH, NS, rfio, SRM, xrootd) to map to a unique uid. BUG:46758
Groups
The authorization will only be based on the primary group of the user, as we have to use the CERN user database to assign a group (the primary one) to each uid. In GSI in combination with VOMS we could also associate multiple groups or dynamically replace the primary group based on the user's request. However we cannot yet pass this information through the current request handling infrastructure, so we will only support single group in the first stage. This is a limitation, which we might remove later BUG:46762.
Deployment Plans
We plan to deploy the secure services in parallel to the insecure endpoints for a transitional period and then gradually close insecure access as the extra deployment requirements for authentication become clear. See also CastorSecurityDeployment for more details!Status
The Request Handler, Name Server and rfio calls are secured via GSI and KerberosV, however there are some unexpected problems:- The SLC4 Kerberos library (version 1.3.4) is not thread safe, so the multi-threaded Request Handler and Name Server is failing. We have tried to put locking around the Kerberos library calls, however it has degraded the performance of the GSI server as well to the level of a single-threaded server, thus we have abandoned the idea. The solution is to upgrade to SLC5, which has a thread-safe version of the Kerberos library.
- The MIT KerberosV replay cache uses
fsync()calls after each change, which significantly degrades the performance of a multi-threaded server. We can disable this feature, to speed up request handling, in exchange for a potential vulnerability window of replay attacks. The other alternative is to implement an alternative replay cache for the Kerberos library. See more at KerberosReplayCachePerfomance.
gridmap-file to uid/gid pairs.
The xrootd service is able to handle both KerberosV and GSI authentication with the above mentioned limitations.
You can also track the status of individual items as
Castor security bugs in Savannah.
Tests
See CastorSecureTestsDocuments and Presentations
- Presentation of the plans to FIO in 2008 Castor Security Plans
Last edit: AkosFrohner on 2009-05-28 - 10:37
Number of topics: 1
| I | Attachment | History | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 png |
Castor2-Security-mapping.png | r1 | manage | 36.9 K | 2009-02-09 - 11:46 | AkosFrohner |
Topic revision: r14 - 2009-05-28 - AkosFrohner
DataManagement Web
Create New Topic
Index
Search
Changes
Notifications
Statistics
Preferences
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback