1 / 22

Grid Authentication and Authorization Overview

Explore advanced grid authentication and authorization methods like VOMS, LCAS, and LCMAPS for efficient resource access and management.

gwenj
Download Presentation

Grid Authentication and Authorization Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. LCAS and LCMAPS David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp

  2. Talk Outline • Introduction on AuthN & AuthZ in EDG • Why do we need VOMS, LCAS, LCMAPS … ? • Gridification architecture • LCAS • Architecture, plug-ins, examples • LCMAPS • Architecture, plug-ins • Policy languange (PDL) • examples • Job Repository • Status and Future Developments

  3. AuthN & AuthZ in EDG (1) • GLOBUS • Authentication: Grid Security Infrastructure (GSI) • X509 certificates (PKI), Certificate Authorities • Mutual authentication • Single sign-on, proxy delegation • Authorization: grid-mapfile • Grid credentials (user’s Certificate) to local credentials (unix account) mapping • “Boolean” authorization • Information provided via VO-LDAP servers (EDG) • Managed “manually” by the resource admin (via mkgridmap, EDG) • Problems • No centralization • No scalability • Lack of flexibility • Problems addressed by VOMS, LCAS/LCMAPS

  4. Authentication Request OK C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy Query AuthDB VOMSpseudo-cert VOMSpseudo-cert VOMS user AuthN & AuthZ in EDG (2) • VOMS (VO Membership Service) • authorization at VO level • Each VO has its own VOMS • VO affiliation assertions embedded in proxy • Support for group membership, roles, capabilities • A user can be member of many VOs • LCAS/LCMAPS • Separated pure authZ (LCAS) from user account mapping (LCMAPS) • Flexible/dynamic assignment of local credentials • Resource manager remains in full control

  5. WP4 Gridification components Resource Broker Resource (WP1) Broker WP4 non - gridification WP4 non - gridification (WP1) Gridification component Gridification component Resource request in RSL in VOMS-signed established Security context Non - WP4 subsystem Non - WP4 subsystem External to fabric Internal to fabric CE plugins LCAS - SE (EDG - )Gatekeeper SE (EDG - )Gatekeeper allow list allow list wallclocktime wallclocktime StorageElement (WP5) ban list ban list Jobmanager VOMS/GACL Jobmanager VOMS/GACL RMS RMS plugins LCMAPS - Worker Policy farms Worker JobRepository uid/gid uid/gid node node (Configuration Mgmt) other tokens other tokens Enforce Enforce credentials credentials

  6. C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy Ye Olde Gatekeeper GSI auth VOMSpseudo-cert assist_gridmap Jobmanager-* AuthN, AuthZ control flow in GK Gatekeeper LCAS accept policy allowed GSI AuthN timeslot LCAS authZ call out banned • LCMAPS open, learn,&run: • … and return legacy uid Job Manager fork+exec args, submit script

  7. LCAS • Local Centre Authorization Service (LCAS) • Handles authorization requests to local fabric • Authorization decisions based on proxy user certificate and job specification (RSL) • Supports grid-mapfile mechanism and/or GACL • Plug-in framework (hooks for external authorization plug-ins) • Allowed users (grid-mapfile or allowed_users.db) • Banned users (ban_users.db) • Available timeslots (timeslots.db) • Plug-in for VOMS (to process Authorization data) • Uses VOMS API • authZ policy in GACL format (or grid-mapfile) • Convenience tool to convert grid-mapfile into GACL format: edg-lcas-voms2gacl

  8. LCAS - ban_user.db # This file contains the globus user ids that are BANNED from this fabric"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"

  9. LCAS - timeslots.db # This file contains the time slots for which the fabric# is available for Grid jobs# Format:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2# max range: [0-59] [0-23] [1-31] [1-12] [1970-...] [0-6]## wday:# 0-6 = Sunday-Saturday# 5-3 = Friday-Wednesday## '*' means the maximum range# <val>- means from <val> to maximum value## The wall clock time should match at least one time slot for authorization# The wall clock time matches if:# (hour1:minute1) <= (hour:minute) <= (hour2:minute2) # AND (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)# AND (wday1) <= (wday) <= (wday2)## If the fabric is open on working days from 8:30-18:00 h, from 1 July 2002 till 15 January 2003# the following line should be added:# 30-0 8-18 1-15 7-1 2002-2003 1-5# If the fabric is open from 18:00-7:00 h, two time slots should be used:# 18:00-24:00 and 0:00-7:00# # 0-0 18-24 * * * *# 0-0 0-7 * * * *# If the fabric is always open the following line should be uncommented:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2* * * * * *0-0 23-24 * * * *

  10. LCAS - lcas.gacl <?xml version="1.0"?><gacl version="0.0.1"><entry><person><dn>/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen</dn></person><allow><read/><write/></allow><deny><admin/></deny></entry> <entry><voms-cred><vo>iteam</vo><group>/iteam</group></voms-cred><allow><read/><write/></allow><deny><list/><admin/></deny></entry></gacl>

  11. LCMAPS • Local Credential MAPping Service • Backward compatible with existing systems (grid-mapfile, AFS) • Provides local credentials needed for jobs in fabric • Mapping based on user identity, VO affiliation, site-local policy • Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5 • Pool accounts, Pool groups • Support for multiple VOs per user (and thus multiple UNIX groups) • Plug-in framework • driven by comprehensive policy language: PDL • Extendible • Credential acquisition and enforcement plug-ins • Boundary conditions • Has to run in privileged mode • Has to run in process space of incoming connection (for fork jobs)

  12. LCMAPS – control flow GK LCMAPS • User authenticates using (VOMS) proxy • LCMAPS library invoked • Acquire all relevant credentials • Enforce “external” credentials • Enforce credentials on current process tree at the end • Run job manager • Fork will be OK by default • Batch systems may need primary group explicitly • Batch systems will need updated (distributed) UNIX account info • Order and function: policy-based Credential Acquisition & Enforcement CREDs Job Mngr

  13. LCMAPS – invocation and running LCMAPS Plugin Mngr Evaluation Mngr any Plug-in from GK Local init Initialize Load policy Load all Initialize all Introspect for API Evaluate policy Run Run plugin and report Terminate terminations

  14. LCMAPS - modules • Modules represent atomic functionality • VOMS acquisition modules: • Voms extract: extract VOMS info from proxy • Voms local group: from VOMS attributes assign GID • Voms pool group: from VOMS attributes assign GID from pool • Voms pool account: from VOMS attributes, DN and GIDs assign UID from pool • Standard acquisition modules: • Local account: from user DN assign local UID • pool account: from user DN assign UID from pool • Enforcement modules • POSIX enforcement: setreuid(), setregid() and setgroups() in gatekeeper process • LDAP enforcement: update distributed user database • In progress • Get AFS/Krb5 token based on user DN (gssklog)

  15. LCMAPS – Policy Description Language State machine approach: # LCMAPS policy file/plugin definition## default pathpath = /opt/edg/lib/lcmaps/modules# Plugin definitions:localaccount = "lcmaps_localaccount.mod" "-gridmapfile [...]"posix_enf = "lcmaps_posix_enf.mod"vomsextract = "lcmaps_voms.mod" "-vomsdir [...]" "-certdir [...]"vomslocalgroup = "lcmaps_voms_localgroup.mod" "-groupmapfile "[...]" "-mapmin 1"vomspoolgroup = "lcmaps_voms_poolgroup.mod" "-groupmapfile [...]" "-groupmapdir [...]"vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile [...]" "-gridmapdir [...]"ldap_enf = "lcmaps_ldap_enf.mod" "[...]"# Policies:vomspolicy:localaccount -> posix_enf | vomsextractvomsextract -> vomslocalgroupvomslocalgroup -> vomspoolgroupvomspoolgroup -> vomspoolaccount | vomspoolaccountvomspoolaccount -> ldap_enfldap_enf -> posix_enf FALSE VOMS extract Start here Local Account TRUE VOMS Local Group POSIX Enforcement VOMS Pool Group LDAP Enforcement VOMS Pool Account

  16. LCMAPS – VOMS groupmapfile # Example groupmapfile:# Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"# will be added to the local group "fredje""/VO=fred/GROUP=fred/ROLE=husband" fredje# All users from VO wilma will be added to the allocated pool group "pool[1-9]*"#"/VO=wilma/GROUP=*" .pool# For the ITeam VO:"/VO=iteam/GROUP=/iteam*" iteam# For the wpsix VO:"/VO=WP6/GROUP=/WP6*" wpsix

  17. LCMAPS – LDAP and AFS • LDAP enforcement plug-in • Updates a central LDAP user directory • Secure (as opposed to NIS) • more flexible • AFS plug-in • Gives local AFS access • Uses gssklog to obtain AFS token • Requires gssklog daemon to run on the AFS server • Mapping DN to AFS user maintained in gssklog mapfile

  18. Job Repository – Intro. • What? • JB is a Relational Database • The data consist of user info. with X509 certs, Job info., VOMS info., Credential info. and the links between these types of info. for every Job • Why? • Central repository, Logging, Accounting, Auditing • Where? • CE – Plug-in for LCMAPS • CE - Various scripts controlled by the Job Manager • The database has to be installed close to (or on) the CE.

  19. Job Repository • How? • ODBC layer • Currently a MySQL backend • Multiple programs/scripts gathering information • Who? • Sys-admins (only) • A new tool for LCG needs to get the local GIDs from the VOMS info

  20. Job Repository – The DB Layout Users User certificates VOMS * Update needed outside the LCMAPS Plugin To get all info. Jobs* VOMS Issuer Job Status* Issuer Certificates Credentials (UID/GIDs)

  21. Status • LCAS and LCMAPS • Incorporated in EDG 2.1 • Deployed on application testbed since last week • AFS plug-in almost completed • Job Repository • LCMAPS plug-in nearing completion • Small changes needed to LCMAPS code for VOMS-to-GID tool • Documentation: • http://www.dutchgrid.nl/DataGrid/wp4/lcas/edg-lcas-1.1/ • http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps-0.0.16

  22. Future developments • LCAS, LCMAPS (and the JobRep?) will be part of EGEE • gridFTP will be patched to use LCAS and LCMAPS • LCAS will evolve into an authorization service and take on the use of XACML to express VO access control • DAGGR (?): Authorization Decision Service • LCAS and LCMAPS will also interface to the AuthZ call-outs in GT3

More Related