The Open Science Grid Security Team has undertaken a project to study the security of users sending jobs without certificates, in response to problems and concerns about the certificate management process.
Certificate management has required a measure of manual work to request, install, and renew certificates, possibly in multiple machines or browsers. Manual approvals of certificate requests can cause frustrating delays. New pilot-based systems, like GlideinWMS, make it possible for users to submit jobs without their own certificates- from trusted submission systems.
Certificates fulfill several functions in the functioning of the OSG. They provide identification of the user submitting a job, which provides traceability. Traceability allows us to both track where a user has or had jobs running, or identify who is the user running a particular job on a particular system. They are also used for access control. They can limit access to a resource to only certain VOs, or prevent access from known compromised certificates.
To provide these functions without certificates, some changes will need to be made. The biggest change will be moving from a model of trusted users submitting jobs via possibly unknown systems, to users submitting jobs via known, trusted submission systems associated with a VO. This requires that sites be able to trust user management policies of the VO and submission system admins.
The OSG security team conducted security drills to evaluate if traceability is possible by trying to determine the individual who was running a job submitted via Glidein without an end user x509 cert. It required coordination of admins at worker node, factory and frontend systems in some cases, but all information was preserved in the logs. Therefore, we concluded that the system is capable of tracing the end user in the absence of end user certificates.
In the meantime, lack of end user certificates requires VOs to take a more active role, especially when one of their user’s actions on the grid causes a problem. In such cases, a VO needs to disable the problem user’s access to its trusted job submission system, because the sites do not have a way of disabling access to the individual. As part of our project, we also evaluated whether the VOs that want to submit certificate-free jobs on their users behalf have the capacity to respond and ban problematic users should something go wrong with a user.