220 likes | 398 Views
LCAS and LCMAPS. David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp. Talk Outline. Introduction on AuthN & AuthZ in EDG Why do we need VOMS, LCAS, LCMAPS … ? Gridification architecture LCAS Architecture, plug-ins, examples LCMAPS Architecture, plug-ins
E N D
LCAS and LCMAPS David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp
Talk Outline • Introduction on AuthN & AuthZ in EDG • Why do we need VOMS, LCAS, LCMAPS … ? • Gridification architecture • LCAS • Architecture, plug-ins, examples • LCMAPS • Architecture, plug-ins • Policy languange (PDL) • examples • Job Repository • Status and Future Developments
AuthN & AuthZ in EDG (1) • GLOBUS • Authentication: Grid Security Infrastructure (GSI) • X509 certificates (PKI), Certificate Authorities • Mutual authentication • Single sign-on, proxy delegation • Authorization: grid-mapfile • Grid credentials (user’s Certificate) to local credentials (unix account) mapping • “Boolean” authorization • Information provided via VO-LDAP servers (EDG) • Managed “manually” by the resource admin (via mkgridmap, EDG) • Problems • No centralization • No scalability • Lack of flexibility • Problems addressed by VOMS, LCAS/LCMAPS
Authentication Request OK C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy Query AuthDB VOMSpseudo-cert VOMSpseudo-cert VOMS user AuthN & AuthZ in EDG (2) • VOMS (VO Membership Service) • authorization at VO level • Each VO has its own VOMS • VO affiliation assertions embedded in proxy • Support for group membership, roles, capabilities • A user can be member of many VOs • LCAS/LCMAPS • Separated pure authZ (LCAS) from user account mapping (LCMAPS) • Flexible/dynamic assignment of local credentials • Resource manager remains in full control
WP4 Gridification components Resource Broker Resource (WP1) Broker WP4 non - gridification WP4 non - gridification (WP1) Gridification component Gridification component Resource request in RSL in VOMS-signed established Security context Non - WP4 subsystem Non - WP4 subsystem External to fabric Internal to fabric CE plugins LCAS - SE (EDG - )Gatekeeper SE (EDG - )Gatekeeper allow list allow list wallclocktime wallclocktime StorageElement (WP5) ban list ban list Jobmanager VOMS/GACL Jobmanager VOMS/GACL RMS RMS plugins LCMAPS - Worker Policy farms Worker JobRepository uid/gid uid/gid node node (Configuration Mgmt) other tokens other tokens Enforce Enforce credentials credentials
C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy Ye Olde Gatekeeper GSI auth VOMSpseudo-cert assist_gridmap Jobmanager-* AuthN, AuthZ control flow in GK Gatekeeper LCAS accept policy allowed GSI AuthN timeslot LCAS authZ call out banned • LCMAPS open, learn,&run: • … and return legacy uid Job Manager fork+exec args, submit script
LCAS • Local Centre Authorization Service (LCAS) • Handles authorization requests to local fabric • Authorization decisions based on proxy user certificate and job specification (RSL) • Supports grid-mapfile mechanism and/or GACL • Plug-in framework (hooks for external authorization plug-ins) • Allowed users (grid-mapfile or allowed_users.db) • Banned users (ban_users.db) • Available timeslots (timeslots.db) • Plug-in for VOMS (to process Authorization data) • Uses VOMS API • authZ policy in GACL format (or grid-mapfile) • Convenience tool to convert grid-mapfile into GACL format: edg-lcas-voms2gacl
LCAS - ban_user.db # This file contains the globus user ids that are BANNED from this fabric"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"
LCAS - timeslots.db # This file contains the time slots for which the fabric# is available for Grid jobs# Format:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2# max range: [0-59] [0-23] [1-31] [1-12] [1970-...] [0-6]## wday:# 0-6 = Sunday-Saturday# 5-3 = Friday-Wednesday## '*' means the maximum range# <val>- means from <val> to maximum value## The wall clock time should match at least one time slot for authorization# The wall clock time matches if:# (hour1:minute1) <= (hour:minute) <= (hour2:minute2) # AND (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)# AND (wday1) <= (wday) <= (wday2)## If the fabric is open on working days from 8:30-18:00 h, from 1 July 2002 till 15 January 2003# the following line should be added:# 30-0 8-18 1-15 7-1 2002-2003 1-5# If the fabric is open from 18:00-7:00 h, two time slots should be used:# 18:00-24:00 and 0:00-7:00# # 0-0 18-24 * * * *# 0-0 0-7 * * * *# If the fabric is always open the following line should be uncommented:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2* * * * * *0-0 23-24 * * * *
LCAS - lcas.gacl <?xml version="1.0"?><gacl version="0.0.1"><entry><person><dn>/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen</dn></person><allow><read/><write/></allow><deny><admin/></deny></entry> <entry><voms-cred><vo>iteam</vo><group>/iteam</group></voms-cred><allow><read/><write/></allow><deny><list/><admin/></deny></entry></gacl>
LCMAPS • Local Credential MAPping Service • Backward compatible with existing systems (grid-mapfile, AFS) • Provides local credentials needed for jobs in fabric • Mapping based on user identity, VO affiliation, site-local policy • Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5 • Pool accounts, Pool groups • Support for multiple VOs per user (and thus multiple UNIX groups) • Plug-in framework • driven by comprehensive policy language: PDL • Extendible • Credential acquisition and enforcement plug-ins • Boundary conditions • Has to run in privileged mode • Has to run in process space of incoming connection (for fork jobs)
LCMAPS – control flow GK LCMAPS • User authenticates using (VOMS) proxy • LCMAPS library invoked • Acquire all relevant credentials • Enforce “external” credentials • Enforce credentials on current process tree at the end • Run job manager • Fork will be OK by default • Batch systems may need primary group explicitly • Batch systems will need updated (distributed) UNIX account info • Order and function: policy-based Credential Acquisition & Enforcement CREDs Job Mngr
LCMAPS – invocation and running LCMAPS Plugin Mngr Evaluation Mngr any Plug-in from GK Local init Initialize Load policy Load all Initialize all Introspect for API Evaluate policy Run Run plugin and report Terminate terminations
LCMAPS - modules • Modules represent atomic functionality • VOMS acquisition modules: • Voms extract: extract VOMS info from proxy • Voms local group: from VOMS attributes assign GID • Voms pool group: from VOMS attributes assign GID from pool • Voms pool account: from VOMS attributes, DN and GIDs assign UID from pool • Standard acquisition modules: • Local account: from user DN assign local UID • pool account: from user DN assign UID from pool • Enforcement modules • POSIX enforcement: setreuid(), setregid() and setgroups() in gatekeeper process • LDAP enforcement: update distributed user database • In progress • Get AFS/Krb5 token based on user DN (gssklog)
LCMAPS – Policy Description Language State machine approach: # LCMAPS policy file/plugin definition## default pathpath = /opt/edg/lib/lcmaps/modules# Plugin definitions:localaccount = "lcmaps_localaccount.mod" "-gridmapfile [...]"posix_enf = "lcmaps_posix_enf.mod"vomsextract = "lcmaps_voms.mod" "-vomsdir [...]" "-certdir [...]"vomslocalgroup = "lcmaps_voms_localgroup.mod" "-groupmapfile "[...]" "-mapmin 1"vomspoolgroup = "lcmaps_voms_poolgroup.mod" "-groupmapfile [...]" "-groupmapdir [...]"vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile [...]" "-gridmapdir [...]"ldap_enf = "lcmaps_ldap_enf.mod" "[...]"# Policies:vomspolicy:localaccount -> posix_enf | vomsextractvomsextract -> vomslocalgroupvomslocalgroup -> vomspoolgroupvomspoolgroup -> vomspoolaccount | vomspoolaccountvomspoolaccount -> ldap_enfldap_enf -> posix_enf FALSE VOMS extract Start here Local Account TRUE VOMS Local Group POSIX Enforcement VOMS Pool Group LDAP Enforcement VOMS Pool Account
LCMAPS – VOMS groupmapfile # Example groupmapfile:# Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"# will be added to the local group "fredje""/VO=fred/GROUP=fred/ROLE=husband" fredje# All users from VO wilma will be added to the allocated pool group "pool[1-9]*"#"/VO=wilma/GROUP=*" .pool# For the ITeam VO:"/VO=iteam/GROUP=/iteam*" iteam# For the wpsix VO:"/VO=WP6/GROUP=/WP6*" wpsix
LCMAPS – LDAP and AFS • LDAP enforcement plug-in • Updates a central LDAP user directory • Secure (as opposed to NIS) • more flexible • AFS plug-in • Gives local AFS access • Uses gssklog to obtain AFS token • Requires gssklog daemon to run on the AFS server • Mapping DN to AFS user maintained in gssklog mapfile
Job Repository – Intro. • What? • JB is a Relational Database • The data consist of user info. with X509 certs, Job info., VOMS info., Credential info. and the links between these types of info. for every Job • Why? • Central repository, Logging, Accounting, Auditing • Where? • CE – Plug-in for LCMAPS • CE - Various scripts controlled by the Job Manager • The database has to be installed close to (or on) the CE.
Job Repository • How? • ODBC layer • Currently a MySQL backend • Multiple programs/scripts gathering information • Who? • Sys-admins (only) • A new tool for LCG needs to get the local GIDs from the VOMS info
Job Repository – The DB Layout Users User certificates VOMS * Update needed outside the LCMAPS Plugin To get all info. Jobs* VOMS Issuer Job Status* Issuer Certificates Credentials (UID/GIDs)
Status • LCAS and LCMAPS • Incorporated in EDG 2.1 • Deployed on application testbed since last week • AFS plug-in almost completed • Job Repository • LCMAPS plug-in nearing completion • Small changes needed to LCMAPS code for VOMS-to-GID tool • Documentation: • http://www.dutchgrid.nl/DataGrid/wp4/lcas/edg-lcas-1.1/ • http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps-0.0.16
Future developments • LCAS, LCMAPS (and the JobRep?) will be part of EGEE • gridFTP will be patched to use LCAS and LCMAPS • LCAS will evolve into an authorization service and take on the use of XACML to express VO access control • DAGGR (?): Authorization Decision Service • LCAS and LCMAPS will also interface to the AuthZ call-outs in GT3