
gridmapdir patch



Presentation Transcript


  1. gridmapdir patch
  • Overview of the problem
  • Constraints from local systems
  • Outline of how it works
  • How to implement it locally
  • Longer term solutions?
  Andrew McNab - Manchester HEP - 29/30 March 2001

  2. Overview of the problem
  • In Globus 1.1.3, grid identities (certificate subjects) are mapped to local Unix usernames via grid-mapfile.
  • For testbeds, either have to create lots of local Unix accounts - lots of administrative overhead
  • Or map everyone to a single user - great potential for conflicts over use of /home etc, problems with accountability

  3. Dynamic accounts
  • The obvious solution, but introduces many complications
  • Account creation / management is intimately related to local policies, tools etc
  • Need to respect local site autonomy and minimise the changes required by local sysadmins
  • Instead of trying to produce a long term solution before M9, look at what will be sufficient for now

  4. Use pool of accounts
  • Sysadmin creates a pool of normal Unix accounts, with names like gpool001, gpool002, gpool003, …
  • They can use their normal tools to do this, create quotas, Unix group(s) etc.
  • Temporarily lease accounts when presented with a certificate whose subject is in our grid-mapfile
  • Expire the lease “when they are finished” (defined locally)

  5. Security and “auditability”
  • Authentication: still have to provide a valid certificate, signed by a CA the local site trusts
  • Authorisation: certificate subjects must still be listed in the local grid-mapfile to get access
  • “Auditability”: the mapping of subjects to local Unix usernames is logged already, so can still tell “who” a particular pool account was

  6. Implementation of leasing
  • Want to share files created by gatekeeper, sshd-gsi, gsiftpd "logins" - so want these to share the same database of leases
  • Need some form of locking. Run a lease daemon? Simplest way is to use link(2) with some sort of flag files, and rely on the atomicity of the file system.
  • (Should even work across NFS to synchronise leases between nodes of a cluster or farm)

  7. gridmapdir format
  • “Lease database” takes the form of a directory containing empty files, with the same names as the pool usernames
  • A lease is created by making a second link to the username using the subject name (URL-encoded).
  • Checking the return code of link(2) and the link count from stat(2) will enforce a one-to-one mapping of subjects and pool usernames

  8. Patch to Globus 1.1.3
  • All subject->username mapping done by functions in Security/gss-assist/gridmap.c
  • Patch these to map subjects to pool users if their “username” in grid-mapfile is like “.” or “.subpool”
  • Five new functions in gridmap.c implement leasing as described
  • Subpools with privileges, quotas etc are possible: eg .cms will only be mapped to cms001, cms002, ...
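  The authorisation step and the “.” / “.subpool” convention from this slide, as an added example that is not code from the slides or from the Globus patch: look a subject up in grid-mapfile text, refuse it if unlisted, and otherwise decide between a fixed Unix account, the default pool and a named subpool. The sample grid-mapfile and its subject names are constructed, and the default pool prefix “gpool” is an assumption taken from the account names on slide 4.

```c
/* Added example (not from the Globus gridmapdir patch): parse grid-mapfile lines of the
 * form  "subject" username  and classify the mapping target. Default prefix "gpool" is assumed. */
#include <stdio.h>
#include <string.h>

enum map_kind { MAP_NONE = 0, MAP_STATIC, MAP_POOL };

struct map_result {
    enum map_kind kind;
    char target[64];   /* Unix username for MAP_STATIC, pool prefix for MAP_POOL */
};

/* Split one line into subject and (first) username; 0 for blank, comment or malformed lines. */
static int parse_line(const char *line, char *subject, size_t slen, char *user, size_t ulen)
{
    while (*line == ' ' || *line == '\t') line++;
    if (*line != '"') return 0;                   /* subjects are always quoted */
    const char *end = strchr(line + 1, '"');
    if (!end) return 0;
    size_t n = (size_t)(end - line - 1);
    if (n >= slen) return 0;
    memcpy(subject, line + 1, n);
    subject[n] = '\0';
    for (end++; *end == ' ' || *end == '\t'; end++) ;
    size_t m = strcspn(end, " \t\r\n,");          /* first of a comma-separated list */
    if (m == 0 || m >= ulen) return 0;
    memcpy(user, end, m);
    user[m] = '\0';
    return 1;
}

/* Authorisation plus mapping decision: the subject must appear exactly in the grid-mapfile
 * (else MAP_NONE); "." selects the default pool and ".name" the subpool name001, name002, ... */
struct map_result gridmap_lookup(const char *mapfile, const char *subject)
{
    struct map_result r = { MAP_NONE, "" };
    char subj[256], user[64], line[512];
    const char *p = mapfile;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_line(line, subj, sizeof subj, user, sizeof user) && strcmp(subj, subject) == 0) {
                if (user[0] == '.') {
                    r.kind = MAP_POOL;
                    snprintf(r.target, sizeof r.target, "%s", user[1] ? user + 1 : "gpool");
                } else {
                    r.kind = MAP_STATIC;
                    snprintf(r.target, sizeof r.target, "%s", user);
                }
                return r;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return r;
}

/* Constructed sample grid-mapfile with one entry of each kind. */
static const char SAMPLE_GRIDMAP[] =
    "# constructed example grid-mapfile\n"
    "\"/O=Grid/O=ExampleCA/OU=example.org/CN=Local Admin\" sysadmin\n"
    "\"/O=Grid/O=ExampleCA/OU=example.org/CN=Pool User\" .\n"
    "\"/O=Grid/O=ExampleCA/OU=example.org/CN=CMS User\" .cms\n";

int main(void)
{
    const char *subjects[] = {
        "/O=Grid/O=ExampleCA/OU=example.org/CN=Local Admin",
        "/O=Grid/O=ExampleCA/OU=example.org/CN=Pool User",
        "/O=Grid/O=ExampleCA/OU=example.org/CN=CMS User",
        "/O=Grid/O=ExampleCA/OU=example.org/CN=Unlisted",
    };
    for (size_t i = 0; i < 4; i++) {
        struct map_result r = gridmap_lookup(SAMPLE_GRIDMAP, subjects[i]);
        printf("%-52s -> %s %s\n", subjects[i],
               r.kind == MAP_NONE ? "DENIED" : r.kind == MAP_STATIC ? "user" : "pool", r.target);
    }
    return 0;
}
```

  The comparison is an exact string match on the whole subject: a prefix match would let “CN=CMS” pass as “CN=CMS User”, so the unlisted case is exercised deliberately.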

  9. Lease expiration
  • To reuse pool accounts, lease must be terminated somehow - but mechanics very site dependent
  • Probably easiest to run a script from cron to expire leases:
    • Either based on an expiration time (if you can guarantee the job will be finished by that time)
    • Or by job completion flagging the lease as not needed (eg via PBS prologue / epilogue scripts)
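  The leasing mechanism of slides 6 and 7 and the lease termination of slide 9, as an added example in C that is not the Globus gridmapdir patch and not code from the slides: a gridmapdir of empty files named after pool accounts, a lease made by a second hard link named after the URL-encoded subject, the one-to-one check from the link(2) return code and the stat(2) link count, and expiry by removing the subject link. The encoding scheme, the function names, the “gpool” prefix and the temporary-directory scenario are assumptions.

```c
/* Added example, not the Globus gridmapdir patch itself: pool-account leasing via
 * hard links, using link(2) atomicity and the stat(2) link count as the slides describe. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* URL-encode a certificate subject into one safe filename (encoding scheme assumed). */
void encode_subject(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *s && o + 4 < outlen; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr("-_.", c)) out[o++] = (char)c;
        else o += (size_t)snprintf(out + o, 4, "%%%02X", c);
    }
    out[o] = '\0';
}

/* Pool account already leased to this subject: the entry sharing the subject link's inode. */
static int find_existing_lease(const char *dir, const char *encoded, char *user, size_t ulen)
{
    char path[1024]; struct stat subj, ent; struct dirent *de; int found = 0;
    snprintf(path, sizeof path, "%s/%s", dir, encoded);
    if (stat(path, &subj) != 0) return 0;                 /* no lease held */
    DIR *d = opendir(dir);
    if (!d) return 0;
    while (!found && (de = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (strcmp(de->d_name, encoded) && stat(path, &ent) == 0 && ent.st_ino == subj.st_ino) {
            snprintf(user, ulen, "%s", de->d_name);
            found = 1;
        }
    }
    closedir(d);
    return found;
}

/* Map a subject to a free pool account named prefix*: 0 and user filled, or -1 if pool exhausted. */
int gridmapdir_lease(const char *dir, const char *prefix, const char *subject, char *user, size_t ulen)
{
    char encoded[512], pool[1024], lease[1024]; struct dirent *de; struct stat st; int rc = -1;
    encode_subject(subject, encoded, sizeof encoded);
    if (find_existing_lease(dir, encoded, user, ulen)) return 0;
    snprintf(lease, sizeof lease, "%s/%s", dir, encoded);
    DIR *d = opendir(dir);
    if (!d) return -1;
    while (rc != 0 && (de = readdir(d)) != NULL) {
        if (strncmp(de->d_name, prefix, strlen(prefix)) != 0) continue;
        snprintf(pool, sizeof pool, "%s/%s", dir, de->d_name);
        if (stat(pool, &st) != 0 || st.st_nlink != 1) continue;   /* already leased */
        if (link(pool, lease) != 0) {
            if (errno == EEXIST) break;       /* a concurrent login for this subject won */
            continue;
        }
        /* Two logins may both have seen nlink==1; only a count of exactly 2 after
         * our own link(2) proves the subject<->account mapping is one-to-one. */
        if (stat(pool, &st) == 0 && st.st_nlink == 2) {
            snprintf(user, ulen, "%s", de->d_name);
            rc = 0;
        } else
            unlink(lease);                    /* lost the race: try the next account */
    }
    closedir(d);
    return (rc == 0 || find_existing_lease(dir, encoded, user, ulen)) ? 0 : -1;
}

/* Expire a lease (e.g. from cron or a PBS epilogue): unlinking the subject name frees the account. */
int gridmapdir_release(const char *dir, const char *subject)
{
    char encoded[512], lease[1024];
    encode_subject(subject, encoded, sizeof encoded);
    snprintf(lease, sizeof lease, "%s/%s", dir, encoded);
    return unlink(lease);
}

/* Constructed scenario on a temporary gridmapdir with two pool accounts; 0 = all steps as expected. */
int run_demo(void)
{
    char dir[] = "/tmp/gridmapdir.XXXXXX", path[1024], a[64], b[64], c[64];
    if (!mkdtemp(dir)) return 1;
    for (int i = 1; i <= 2; i++) {             /* sysadmin creates gpool001, gpool002 */
        snprintf(path, sizeof path, "%s/gpool%03d", dir, i);
        FILE *f = fopen(path, "w"); if (f) fclose(f);
    }
    if (gridmapdir_lease(dir, "gpool", "/O=Grid/CN=Alice", a, sizeof a)) return 2;
    if (gridmapdir_lease(dir, "gpool", "/O=Grid/CN=Bob", b, sizeof b) || !strcmp(a, b)) return 3;
    if (gridmapdir_lease(dir, "gpool", "/O=Grid/CN=Alice", c, sizeof c) || strcmp(a, c)) return 4;
    if (gridmapdir_lease(dir, "gpool", "/O=Grid/CN=Carol", c, sizeof c) == 0) return 5; /* full */
    if (gridmapdir_release(dir, "/O=Grid/CN=Bob")) return 6;
    if (gridmapdir_lease(dir, "gpool", "/O=Grid/CN=Carol", c, sizeof c) || strcmp(b, c)) return 7;
    return 0;
}

int main(void) { return run_demo(); }          /* exit status 0: every step passed */
```

  The scenario leaves its temporary gridmapdir under /tmp so the link counts can be inspected with ls -li afterwards: a leased account shows two links and two names with the same inode, a free one shows one. Everything hinges on link(2) refusing to create a name that already exists and on the link count being read back after the link, which is what makes the scheme work without a lease daemon, NFS included.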

  10. Advantages of this patch
  • Minimum impact on local systems
  • Minimum changes to Globus
  • Changes are transparent to users and other sites
  • Allows easy local choices about account characteristics and lease expiration

  11. Limitations of the patch
  • Sharing of lease “database” via filesystem and NFS is a hack!
  • Termination of leases is messy
  • Need to block submission of cron jobs etc from pool accounts (batch nodes should be doing this already though)

  12. Making grid-mapfile
  • Already proposals from INFN and UK about composing grid-mapfiles based on information published by LDAP.
  • If this is done, then we have all the components needed to avoid manual intervention by all sysadmins every time a new user joins the Grid.

  13. Future solutions (1)
  • “Next Version of Globus” will have CAS framework - need to coexist with this
  • “NVoG” will be able to get grid-mapfile info from LDAP
  • Can already get Unix “passwd” info from LDAP on Linux and Solaris (via a PAM)
  • Should we concentrate dynamic account creation or leasing on a “smart” local LDAP auth server?

  14. Future solutions (2)
  • An alternative method is to combine account creation / leasing with resource reservation
  • This simplifies the enforcement of lease expiration, since presumably we already enforce process termination, file deletion at end of reservation
  • But has more overhead and complexity than a smart LDAP server that just manages dynamic accounts

  15. More information ...
  • http://www.hep.grid.ac.uk/gridmapdir/ has a copy of the patch itself, more explanation and some example scripts for managing pool accounts
  • The gridmapdir patch is included in development versions of Globus RPMs at http://www.hep.grid.ac.uk/download/development/

  16. make-ca-signing-policy
  • Simple script to rebuild ca-signing-policy.conf when CAs are installed or removed
  • Looks for policy.*.conf files in $GLOBUS_INSTALL_PATH/share/certificates
  • Concatenates a header and all the policy files it finds.

  17. make-c-s-p: RPMs
  • When used in a CA RPM, adding or removing a CA just becomes a single rpm command: eg rpm -i ukhepca-0.1-1.rpm
  • RPM installs files, then reruns script
  • At uninstall, files removed and script rerun
  • Can deal with multiple CAs in the same RPM (or tar file).

  18. Demonstration: ukhepca
  • Have ukhepca RPM which everyone who needs to trust UK HEP CA can install
  • Separate ukhepca-request RPM which only UK sites install (includes files to generate requests for certs from this CA)
  • http://www.hep.grid.ac.uk/make-c-s-p/ has explanation and all the sources necessary to make compatible RPM or tar files for other CAs

  19. Summary
  • Modular method for installing CA info now available
  • Can easily co-exist with non EU Datagrid CAs
  • Works with RPM or tar file installation
  • Doesn’t do CRL fetching - use NIKHEF proposal? Should installation of a CA define how to fetch its CRL (perhaps by installing a script?)
