1 / 14

LCAS and LCMAPS

LCAS and LCMAPS. EDG WP4 Fabric Gridification Team David Groep <davidg@nikhef.nl> Martijn Steenbakkers <martijn@nikhef.nl> Oscar Koeroo <okoeroo@nikhef.nl> Gerben Venekamp <venekamp@nikhef.nl> Wim Som de Cerff <sdecerff@knmi.nl> http://www.dutchgrid.nl/DataGrid/wp4/. dn. User. VOMS.

chavez
Download Presentation

LCAS and LCMAPS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. LCAS and LCMAPS EDG WP4 Fabric Gridification TeamDavid Groep <davidg@nikhef.nl>Martijn Steenbakkers <martijn@nikhef.nl>Oscar Koeroo <okoeroo@nikhef.nl>Gerben Venekamp <venekamp@nikhef.nl>Wim Som de Cerff <sdecerff@knmi.nl> http://www.dutchgrid.nl/DataGrid/wp4/

  2. dn User VOMS dn + attrs service authenticate service Java C authr LCAS pre-proc pre-proc ACL ACL map authr LCMAPS LCAS Coarse-grainede.g. Spitfire Fine-grainede.g. RepMeC Coarse-grainede.g. CE, Gatekeeper Fine-grainede.g. SE, /grid Authorization

  3. Local Site Authorization Services • Local Centre Authorization Service (LCAS) – since 2002 • Handles authorization requests to local fabric • Authorization decisions based on user grid credential (full context) and job specification (RSL) • backward compatible with grid map file mechanism • Plug-in framework (hooks for external authorization plug-ins), e.g., • Banned users (ban_users.db) • VOMS AuthZ (full-fledged GACL-like processing) • Local Credential Mapping Service (LCMAPS) – since sep 2003 • Plug-in framework, driven by comprehensive policy language • Mapping based on grid identity, VO affiliation, and/or site-local policy • Supports UNIX uid/gid (static, pool accounts, groups), directories, AFS, Kerberos • JobRepository (JR) – today • Job tracing, credential map tracing, cert chains, job information (RSL) • provides identifiers to link to existing batch accounting systems

  4. C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy Ye Olde Gatekeeper TLS auth VOMSpseudo-cert assist_gridmap Jobmanager-* EDG Gatekeeper (release 2.1) Gatekeeper LCAS accept policy GACL GSI AuthN GSS context+ RSL timeslot LCAS authZ call out banned • LCMAPS open, learn,&run: • … and return legacy uid Job Manager fork+exec args, submit script

  5. LCAS Authorisation Decision Service, will say YES or NO, based on • client_name (subject) • GSS Security ‘context’ (credential, extensions) • RSL (executable name, job information) Policy list will AND result from all modules • Default modules shipped • VOMS GACL expressions (user, group, role, cap) • black-list users • white-list users • wallclock constraints

  6. LCMAPS Once authorisation has been obtained • acquire local (unix) credentials to run legacy jobs • enforce those credentials on • the job being run or • FTP session started

  7. LCMAPS – requirements • Backward compatible with existing systems • should read a grid-mapfile • legacy API gss_assist_gridmap() transparent replacement for gss_assist lib • support for both (edg) gatekeeper and a patched gsi-wuftpd • Support for multiple VOs per user • VOMS groups, roles and capabilities map into UNIX groups • granularity can be configured per site (from 1 group/VO to 1 per unique triplet) • Mimimum system administration • poolaccounts, and pool ‘groups’ • understandable configuration • Extendible and configurable • Boundary conditions • Has to run in privileged mode • Has to run in process space of incoming connection (for fork jobs)

  8. LCMAPS – control flow GK LCMAPS • User authenticates using (VOMS) proxy • LCMAPS library invoked • Acquire all relevant credentials • Enforce “external” credentials • Enforce credentials on current process tree at the end • Run job manager • Fork will be OK by default • Batch systems may need primary group explicitly • Batch clusters will need updated (distributed) UNIX account info • Order and function: policy-based Credential Acquisition & Enforcement CREDs Job Mngr

  9. LCMAPS – modules • Modules represent atomic functionality • VOMS extract VOMS credentials from the proxy (A) • PoolAccountsfrom username assign unique uid (A) • PoolGroupsfrom (VOMS) groupname assign unique gid (A) • LocalAccountfrom username assign local existing unique uid (A) • LocalGroupsfrom (VOMS) groupname assign local existing gid (A) • VOMS PoolAccountsfrom username+primary VOMS assign unique uid (A) • AFS/Krb5get token based on user DN info via gssklogd (A) • POSIX processsetuid() and setgid() (E) • POSIX LDAPupdate distributed user database (E) • …

  10. LCMAPS – policy evaluation • State machine approach (superset of boolean expressions) • Policy description file: FALSE LocalAccount VOMS-group POSIX LDAP PoolAccount TRUE /opt/edg/etc/lcmaps/lcmaps.db path = /opt/edg/lib/lcmaps/modules localaccount ="lcmaps_localaccount.mod \ -gridmapfile /etc/grid-security/grid-mapfile" poolaccount = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile" posix_enf = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32" voms = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates \ -certdir /etc/grid-security/certificates" standard: voms -> poolaccount | localaccount localaccount -> posix_enf poolaccount -> ldapldap -> posix_enf

  11. LCMAPS – enabling new functionality • Local UNIX groups based on VOMS group membership, roles, caps • More than one VO/group per grid user • Primary group set to first VOMS group – important for accouting! • New mechanisms: • groups-on-demand, support granularity at any level • Central user directory support (nss_LDAP, pam-ldap) example # groupmapfile "/VO=iteam/GROUP=/iteam*" iteam "/VO=WP6/GROUP=/WP6*" wpsix "/VO=wilma/GROUP=/wilma" wilma "/VO=wilma/GROUP=/wilma/*" .pool "/VO=fred/GROUP=/fred*" .pool

  12. JR Job Repository • Database will store information about every job run attempt • user credential (full chain) • RSL used to run the job • Detailed VOMS information (triplets) • unix userid and groupid(s) acquired Possible questions include:What jobs were run by someone called ‘%Templon%’ primarily as a member of LHCb but also claiming Dzero membership with an executable named ‘rereco’ in the RSL?and what is the userid under which any such files have been stored?

  13. JR information sources • A special information provider as an LCMAPS module • additional hooks in the job manager scripts Retrieval • a unique identifier in the job environment • command-line scripts + API to retrieve this info during execution • a link in the JR database to the batch job ID (for accounting)

  14. More Information EDG Security Coordination Group Web site http://hep-project-grid-scg.web.cern.ch/ LCAS, LCMAPS, JR Web site http://www.dutchgrid.nl/DataGrid/wp4/ CVS site http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/ http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/ Maillist hep-proj-grid-fabric-gridify@cern.ch

More Related