160 likes | 281 Views
LCAS/LCMAPS and WSS Site Access Control boundary conditions. David Groep et al. NIKHEF. Outline. Local authorization Local authorization decisions Integrating with the Unix domain Managing the work space. Authorization context. Policy comes from many stakeholders. Graphics from
E N D
LCAS/LCMAPS and WSS Site Access Controlboundary conditions David Groep et al. NIKHEF
Outline • Local authorization • Local authorization decisions • Integrating with the Unix domain • Managing the work space Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
Authorization context Policy comes from many stakeholders Graphics from Globus Alliance& GGF OGSA-WG Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
Local Authorization • EGEE Architecture • Policy providers orchestrated by a master PDP (not shown) • Authorization Framework (Java) and Local Centre Authorization Service LCAS (C/C++ world) • both provide set of PDP implementations (should be the same set, or a callout from one to the other) • PDPs foreseen: • user white/blacklist • VOMS-ACL • Proxy-lifetime constraints • Certificate/proxy policy OID checks • peer-system name validation(compare with subject or subjectAlternativeNames) Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
Local Authorization Today • Current Implementation • Only a limited set of PDPs: • ban/allow and VOMS-ACL • Authorization interface is proprietary (at least for C/C++) • change foreseen soon to a ‘v2’ standard interface • Policy Enforcement Point (PEP) part of the (container) runtime(i.e. all evaluation is in-line) • source modifications needed to legacy (C-based) services (GT gatekeeper, GridFTP server) • AuthZ framework for Java as loadable classes • No separate authorization service (no site-central checking) • Policy format is not XACML everywhere (i.e. GACL) Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
Black List Services • BL-PDPs return Deny or Not-Applicable • Master-DPD treats “Permit” as Not-Applicable • Only interested whether the black-list services deny access to the subject • They are not to be used for rendering of general purpose policy decisions • Query the configured black-list services before the general purpose PDPs • Pushing of black-list assertions or EPRs not allowed • “Deny-Override” rules for the black-list services • …pragmatic way to address deny-requirements… • note that you are still allowed to shoot yourself in the foot with deny-policies “behind” the PDP interface… Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
What’s within reach? • Some additional PDPs • Policy OID checking • Proxy certificate lifetime constraints • Limit to specific executable programs • … • Standard white list, blacklist service for all services • Better integration between Java and C worlds & the upcoming standards Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
LCMAPS Once authorisation has been obtained • acquire local (Unix) credentials to run legacy jobs • enforce those credentials on • the job being run or • FTP session started • LCMAPS is the back-end service used by • GT2-style edg-gatekeeper (LCG2) • edg-GridFTP (LCG2) • glexec/grid-sudo wrapper • WorkSpace Service Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
LCMAPS – control flow Service LCMAPS • User authenticates using (VOMS) proxy • … do local authorization … • LCMAPS invoked • Acquire all relevant credentials • Enforce “external” credentials • Enforce credentials on current process tree at the end • Order and function policy-based • Run task (e.g. job manager) Credential Acquisition & Enforcement CREDs Task Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
LCMAPS – functionality view • Unix mapping based on VOMS groups, roles, and capabilities • Possibly pool groups as well as pool accounts • Granularity set by the site administrator (see example following) • Primary group set to first VOMS group – accounting • More than one VO/group per grid user allowed [but…] • Each VOMS unique FQAN listed translates into 1 Unix group id • Each user-FQAN combination translates into 1 Unix user id • New mechanisms could mitigate issues: • groups-on-demand, support granularity at any level • Central user directory support (nss_LDAP, pam-ldap) Not ready – and priorities have not been assigned to this yet. Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
example # groupmapfile "/EGEE/picard/*“ iteam"/EGEE/picard/Role=Manager" iteamsgm “/Wilma/Role=prod” wilmgr "/Wilma/*" .wilma "/EGEE/riker/grp1" rikerhg “/EGEE/riker/grp2” rikermed “/EGEE/riker/grp3” rikerlow VOMS to Unix domain mapping Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
Work Space Service On the road towards virtualized resources: Work Space Service • Managed accounts • enable life cycle management • controlled account management (VO can request/release) • “special” QoS requests • Use to request credentials (groups) with specific prios? • WS-RF style GT4 service • uses LCMAPS as a back-end http://www.mcs.anl.gov/workspace/ Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
LCMAPS usage in the job chain Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
Summary • Control over running jobs is via site mechanisms • Authorization to (Java) services part of container • Fine-grained control is left as a service specific issue • Standard hooks for this are about to appear • Mapping of credentials required for legacy programs • limited to Unix domain account mechanisms • Needs to remain manageable for site administrators • Scheduling/priorities based on Unix user and group names • Accounting based on uid, gid pairs • Unix domain is not very flexible. Sorry. • Virtualisation is coming, but how far down the road? Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
? Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005
C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy Ye Olde Gatekeeper TLS auth VOMSpseudo-cert assist_gridmap Jobmanager-* EDG Gatekeeper (current) Gatekeeper LCAS accept policy GACL GSI AuthN GSS context+ RSL timeslot LCAS authZ call out banned LCMAPS open, learn,&run: … and return legacy uid Job Manager fork+exec args, submit script Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005