1 / 26

Credential Management in HTCondor

Credential Management in HTCondor. Zach Miller zmiller@cs.wisc.edu. Overview. Jobs often need to access data or services while they are running These services often require authorization Authorization often requires proving identity Examples: x509 Certificate/proxy Username/password

rdavila
Download Presentation

Credential Management in HTCondor

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Credential Management in HTCondor Zach Miller zmiller@cs.wisc.edu

  2. Overview • Jobs often need to access data or services while they are running • These services often require authorization • Authorization often requires proving identity • Examples: • x509 Certificate/proxy • Username/password • Tokens/capabilities

  3. Overview • Jobs may also want to store their output on a server somewhere instead of bringing it back to the submit machine • Servers typically require some kind of authorization to write data to them. • Examples: • box.com • AFS home directory

  4. Existing Support • HTCondor has long supported GSI • These are x509 certificates and proxies • The proxy travels along with the job • Any other credentials can be moved using HTCondor’s file transfer mechanism • MAKE SURE THE TRANSFER IS SECURE! • encrypt_input_files

  5. Generalizing • Credentials should not be treated as regular files • Need to be moved securely • May need to be refreshed during the job • May wish to limit their abilities (make them shorter lived, limited in capability, etc.) • Might need to use them to retrieve actual input data • Which means they need to be handled first

  6. The Components • condor_credd • Runs alongside the condor_schedd • Manages credentials on the submit machine • Has a “private” (root-owned and protected) directory on submit machine • SEC_CREDENTIAL_DIRECTORY

  7. The Components • condor_credd • Views credentials as opaque objects • Other than creating and destroying, is not able to manipulate the credentials

  8. The Components • Credential Monitor • Supplied by the site administrator (not the HTCondor developers) • Aware of how to manipulate and refresh credentials • Monitors and transforms files in the SEC_CREDENTIAL_DIRECTORY

  9. The Components • SEC_CREDENTIAL_PRODUCER • Script or executable provided by site administrator • Runs on behalf of user to generate a credential that is given to the condor_credd • Storing credential must succeed before job submission will continue

  10. Submit Process condor submit SEC_CREDENTIAL_ PRODUCER 1 2 condor credd credential monitor 3 5 4 condor schedd 6

  11. Credential Monitor • Two types of credentials • “Top” level • “Use” level • The SEC_CREDENTIAL_PRODUCER supplies the “top” level • The Credential Monitor converts the “top” into a “use” credential

  12. Example • At CERN they use krb5 tickets and want jobs to run with a ticket • Tickets are used to access services • Tickets are also needed to generate AFS tokens (aklog) • However….

  13. Example • Jobs may be in the HTCondor queue longer than the normal ticket lifetime • Jobs need some way to generate a fresh TGT • The credential that allows this is the “top” level credential (.cred in the directory) • The Credential Monitor uses that to generate a credential cache for the user (.cc in the directory) and obtain AFS tokens

  14. Submit Process condor submit SEC_CREDENTIAL_ PRODUCER 1 2 condor credd credential monitor 3 5 4 condor schedd 6

  15. Job Execution • When a job is matched, a daemon called the condor_starter is launched on the execute machine • Before transferring regular files, the starter contacts the condor_shadow on the submit machine to fetch the credentials into its own SEC_CREDENTIAL_DIRECTORY • A Credential Monitor can also be run on the execute machine to keep creds fresh.

  16. Job Execution • The condor_starter places the credential cache (use-level) into the job’s sandbox • Also sets $KRB5CCNAME to point to it • Now the job can access krb5 services • AFS tokens are also obtained and stored in the kernel keyring • The job can now read/write the user’s home directory in AFS

  17. Job Execution • When a user has no jobs left running on a machine, their creds are marked for removal • A timer periodically causes all marked credentials to be removed • Likewise, when a user has no jobs left in the job queue, their creds are marked and periodically removed.

  18. A Different Model • OAuth has slightly different model • The “top” credential is a refresh credential. This is presented to a token server to get “use” credentials which are access tokens • Only the access tokens are shipped to the execute machine • Periodically refreshed by pulling from the submit machine

  19. OAuth • Here, the user needs to obtain their “top” (refresh) tokens before the job can be submitted • condor_submit returns a URL to the user if they lack necessary tokens. • The OAuth Credential Monitor hosts a web interface at this URL to assist the user in this, receives the refresh tokens, and uses them to keep copies of fresh access tokens

  20. OAuth • The job can then use its tokens to get/put data, such as contacting a server (box.com, Google Drive, XRootD, stashcache) • Again, only the access tokens are sent with the job • No need for a Credential Monitor on the execute side. • This keeps users’ identity credentials off all the execute machines

  21. SciTokens

  22. SciTokens • This is already getting used in the OSG • Bioinformatics group at Clemson is using SciTokens to send data to an XRootD server • This in turn writes the data into the “Stash” storage at the University of Chicago

  23. Summary • You heard about SciTokens in the previous talk • The same general HTCondor components and architecture supports that, more general OAuth support, as well as Kerberos support as you’ll see in a moment • Site-specific pieces can be provided by the local admin

  24. Summary • Using customizable pieces allows for flexibility and also expansion of the credential management system • New types of credential support can be added without HTCondor code changes

  25. Summary • Still a work in progress… • For v8.8 things will be documented • Reference versions of the Credential Monitor for OAuth and Kerberos will be supplied with the HTCondor release • Many thanks to the folks at CERN and DESY for working through this initial implementations

  26. Next Up… • Details on the implementation used at DESY • Before that…. Quick questions? • Thank you!

More Related