
586bbb1ca5c13e1b22bad879fcbc7727.ppt
- Number of slides: 14
LCAS and LCMAPS
EDG WP4 Fabric Gridification Team
David Groep <davidg@nikhef.nl>
Martijn Steenbakkers <martijn@nikhef.nl>
Oscar Koeroo <okoeroo@nikhef.nl>
Gerben Venekamp <venekamp@nikhef.nl>
Wim Som de Cerff <sdecerff@knmi.nl>
http://www.dutchgrid.nl/DataGrid/wp4/
DataGrid is a project funded by the European Union
LCG VOMS/VOX meeting – LCAS and LCMAPS – n° 1
Authorization
[Diagram. A user presents dn + attrs, authenticates to a service; a VOMS service (Java and C) supplies the attributes. Authorization ("authr") and mapping ("map") are then done either coarse-grained or fine-grained: coarse-grained, e.g. Spitfire: pre-proc ACL authr; fine-grained, e.g. RepMeC: pre-proc ACL; coarse-grained, e.g. CE, Gatekeeper: LCAS and LCMAPS; fine-grained, e.g. SE, /grid: LCAS.]
Local Site Authorization Services
- Local Centre Authorization Service (LCAS) – since 2002
  - Handles authorization requests to local fabric
  - Authorization decisions based on user grid credential (full context) and job specification (RSL)
  - backward compatible with grid map file mechanism
  - Plug-in framework (hooks for external authorization plug-ins), e.g.
    - Banned users (ban_users.db)
    - VOMS AuthZ (full-fledged GACL-like processing)
- Local Credential Mapping Service (LCMAPS) – since Sep 2003
  - Plug-in framework, driven by comprehensive policy language
  - Mapping based on grid identity, VO affiliation, and/or site-local policy
  - Supports UNIX uid/gid (static, pool accounts, groups), directories, AFS, Kerberos
- Job Repository (JR) – today
  - Job tracing, credential map tracing, cert chains, job information (RSL)
  - provides identifiers to link to existing batch accounting systems
EDG Gatekeeper (release 2.1)
[Diagram of the gatekeeper flow. GSI AuthN establishes the GSS context; with GSS context + RSL the Gatekeeper performs the LCAS authZ call-out against the LCAS policy (accept, VOMS, GACL, timeslot, banned), illustrated with a pseudo cert /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy. LCMAPS ("open, learn, & run") replaces the step where "Ye Olde Gatekeeper" did TLS auth … and returned the legacy uid via assist_gridmap. The Jobmanager-* Job Manager then does fork+exec with args and the submit script.]
LCAS
Authorisation Decision Service, will say YES or NO, based on
- client_name (subject)
- GSS security 'context' (credential, extensions)
- RSL (executable name, job information)
Policy list will AND the result from all modules
- Default modules shipped
  - VOMS GACL expressions (user, group, role, cap)
  - black-list users
  - white-list users
  - wallclock constraints
LCMAPS
Once authorisation has been obtained
- acquire local (unix) credentials to run legacy jobs
- enforce those credentials on
  - the job being run, or
  - the FTP session started
LCMAPS – requirements
- Backward compatible with existing systems
  - should read a grid-mapfile
  - legacy API gss_assist_gridmap(): transparent replacement for the gss_assist lib
  - support for both the (edg) gatekeeper and a patched gsi-wuftpd
- Support for multiple VOs per user
  - VOMS groups, roles and capabilities map into UNIX groups
  - granularity can be configured per site (from 1 group/VO to 1 per unique triplet)
- Minimum system administration
  - pool accounts, and pool 'groups'
  - understandable configuration
- Extendible
- Boundary and configurable conditions
  - Has to run in privileged mode
  - Has to run in process space of incoming connection (for fork jobs)
LCMAPS – control flow
- User authenticates to the GK using a (VOMS) proxy
- LCMAPS Credential Acquisition library invoked
  - Acquire all relevant credentials
  - Enforce "external" credentials
  - Enforce credentials on current process tree at the end
- Run job manager
  - Fork will be OK by default
  - Batch systems may need primary group explicitly
  - Batch clusters will need updated (distributed) UNIX account info
- Order and function: policy-based
[Diagram: GK -> LCMAPS (CREDs & Enforcement) -> Job Mngr]
LCMAPS – modules
- Modules represent atomic functionality; (A) = acquisition, (E) = enforcement
- VOMS: extract VOMS credentials from the proxy (A)
- PoolAccounts: from username assign unique uid (A)
- PoolGroups: from (VOMS) groupname assign unique gid (A)
- LocalAccount: from username assign local existing unique uid (A)
- LocalGroups: from (VOMS) groupname assign local existing gid (A)
- VOMS PoolAccounts: from username + primary VOMS assign unique uid (A)
- AFS/Krb5: get token based on user DN info via gssklogd (A)
- POSIX: process setuid() and setgid() (E)
- LDAP: update distributed user database (E)
- …
LCMAPS – policy evaluation
- State machine approach (superset of boolean expressions)
  [Diagram: VOMS-group: TRUE -> PoolAccount -> LDAP -> POSIX; FALSE -> LocalAccount -> POSIX]
- Policy description file: /opt/edg/etc/lcmaps.db

    path = /opt/edg/lib/lcmaps/modules
    localaccount = "lcmaps_localaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
    poolaccount = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
    posix_enf = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
    voms = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates -certdir /etc/grid-security/certificates"

    standard:
    voms -> poolaccount | localaccount
    localaccount -> posix_enf
    poolaccount -> ldap -> posix_enf
LCMAPS – enabling new functionality
- Local UNIX groups based on VOMS group membership, roles, caps
- More than one VO/group per grid user
- Primary group set to first VOMS group – important for accounting!
- New mechanisms:
  - groups-on-demand, support granularity at any level
  - Central user directory support (nss_LDAP, pam-ldap)
- example

    # groupmapfile
    "/VO=iteam/GROUP=/iteam*"     iteam
    "/VO=WP6/GROUP=/WP6*"         wpsix
    "/VO=wilma/GROUP=/wilma"      wilma
    "/VO=wilma/GROUP=/wilma/*"    .pool
    "/VO=fred/GROUP=/fred*"       .pool
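The groupmapfile above, as an added example that is not part of the original deck: a mapper that applies the patterns to a user's VOMS FQANs and derives the primary and secondary UNIX groups, with an FQAN that matches no line yielding no credential at all. First-match glob semantics and the `.pool` lease scheme are assumptions, not the LCMAPS module's documented behaviour.

```python
"""Map VOMS FQANs to UNIX groups with a groupmapfile (added example, not LCMAPS
project code). Assumptions: patterns are shell-style globs tried in file order,
first match wins; a target starting with '.' names a pool of groups from which
one gid is leased per distinct FQAN (pool names pool00, pool01, ... are
constructed); the primary group is that of the first FQAN, as the slide states.
GROUPMAPFILE is constructed from the example on the slide.
"""
import fnmatch
import shlex
GROUPMAPFILE = """
# groupmapfile
"/VO=iteam/GROUP=/iteam*"   iteam
"/VO=WP6/GROUP=/WP6*"       wpsix
"/VO=wilma/GROUP=/wilma"    wilma
"/VO=wilma/GROUP=/wilma/*"  .pool
"/VO=fred/GROUP=/fred*"     .pool
"""
def parse_groupmapfile(text):
    """Return [(pattern, target)] in file order; '#' comments and blank lines are dropped."""
    rules = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)   # also unquotes the pattern
        if len(fields) == 2:
            rules.append((fields[0], fields[1]))
    return rules
class GroupMapper:
    def __init__(self, rules, pool_size=4):
        self.rules, self.pool_size = rules, pool_size
        self.leases = {}   # pool target -> {fqan: leased group name}
    def group_for(self, fqan):
        """UNIX group for one FQAN, or None when no rule matches (no local credential)."""
        for pattern, target in self.rules:
            if fnmatch.fnmatchcase(fqan, pattern):
                return self._lease(fqan, target) if target.startswith(".") else target
        return None
    def _lease(self, fqan, target):
        pool = self.leases.setdefault(target, {})
        if fqan not in pool:
            if len(pool) >= self.pool_size:
                raise RuntimeError("pool %s exhausted" % target)   # fail closed, never reuse
            pool[fqan] = "%s%02d" % (target[1:], len(pool))
        return pool[fqan]
    def map_user(self, fqans):
        """(primary, secondary) groups: primary from the first FQAN, the rest deduplicated."""
        groups = [g for g in (self.group_for(f) for f in fqans) if g is not None]
        if not groups:
            return None, []
        return groups[0], sorted(set(groups[1:]) - {groups[0]})

MAPPER = GroupMapper(parse_groupmapfile(GROUPMAPFILE))
```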
JR Job Repository
- Database will store information about every job run attempt
  - user credential (full chain)
  - RSL used to run the job
  - Detailed VOMS information (triplets)
  - unix userid and groupid(s) acquired
Possible questions include: What jobs were run by someone called '%Templon%' primarily as a member of LHCb but also claiming Dzero membership, with an executable named 'rereco' in the RSL? And what is the userid under which any such files have been stored?
JR information sources
- A special information provider as an LCMAPS module
- additional hooks in the job manager scripts
Retrieval
- a unique identifier in the job environment
- command-line scripts + API to retrieve this info during execution
- a link in the JR database to the batch job ID (for accounting)
More Information
EDG Security Coordination Group Web site: http://hep-project-grid-scg.web.cern.ch/
LCAS, LCMAPS, JR Web site: http://www.dutchgrid.nl/DataGrid/wp4/
CVS site:
  http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/
  http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
Maillist: hep-proj-grid-fabric-gridify@cern.ch