- Number of slides: 25
VOMS and LCMAPS on Global Permissions and Local Credentials
David Groep & Gridification Team, partly based on the CHEP 2003 talk by Luca dell'Agnello et al. (SCG, WP 4, WP 6)
davidg@nikhef.nl
http://hep-project-grid-scg.web.cern.ch/
DataGrid is a project funded by the European Union
EDG Conference Barcelona 2003 – Title – n° 1
Talk Outline
- Introduction
- Authorization requirements
- VO Membership Service
- Spitfire TrustManager
- Local site enforcement mechanisms (LCAS, LCMAPS)
  - LCMAPS architecture
  - Evolution Manager and the Policy Language
  - Credential Enforcement Gotchas
- Conclusions
WP 4 meeting EDG Barcelona 2003 – VOMS and LCMAPS – n° 2
Introduction (2)
- Authorization (cont.)
  - Resource granting is established by agreements between VOs and RPs (resource providers):
    - VOs administer user membership, roles and capabilities
    - RPs evaluate the authorization a VO has granted to a user and map it into local credentials for access to resources
  - LCAS/LCMAPS for farms
  - SlashGrid for storage (Andrew's talk)
  - Trust/Authorization Manager for Java (e.g. Spitfire)
- Need a tool to manage membership for large VOs (10000 users)
  - The Globus mechanism (grid-mapfile) does not scale
  - VO Membership Service (VOMS)
    - Extends the existing grid security infrastructure with embedded VO affiliation assertions
    - Permits authorization control on grid services for job submission, file and database access
Authorization requirements
- Architecture
  - centralized and scalable (for a VO-based authorization policy)
- Attribute support
  - group membership (subgroups, multiple inheritance, ...)
  - roles (admin, student, ...), capabilities (free-form string), ...
  - temporal bounds
- Resource Provider
  - keeps full control over access rights
  - traceability at user level (not VO level)
- Security issues
  - the authorization server must not be a single point of failure
  - authorization communications must be trusted, secured and confidential
Globus Authorization Mechanism
- grid-mapfile
  - Maps grid credentials (the user's certificate subject) to local credentials (a UNIX account)
  - "Boolean" authorization: a subject is either listed (and mapped) or not
  - Information provided via VO-LDAP servers
  - Managed "manually" by the resource admin (via mkgridmap)
  Example entries (a quoted subject DN, then the local account):
    "/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/Email=roberto.alfieri@pr.infn.it" alfieri
    "/C=IT/O=INFN/L=Parma/CN=Fabio Spataro/Email=fabio.spataro@pr.infn.it" spataro
- No centralization
- No scalability
- Lack of flexibility
VO-LDAP Architecture (diagram)
- VO directory rooted at o=xyz, dc=eu-datagrid, dc=org, with ou=People (entries such as CN=Mario Rossi, CN=John Smith, CN=Franz Elmer, each carrying an authentication certificate), ou=Testbed 1 and further organizational units
- mkgridmap combines the VO directory, the local users and a ban list into the grid-mapfile
- Adopted by DataGrid Testbed 0 (2001/02), DataGrid Testbed 1 (2003) and the DataTAG Testbed (2003)
The Virtual Organization Membership Service
- The Virtual Organization Membership Service (VOMS)
  - Developed by the European DataGrid and DataTAG collaborations to overcome the limitations of the current LDAP VO servers
  - Grants authorization data to users at VO level
    - Each VO has its own VOMS
    - Support for group membership (subgroups, multiple inheritance, ...), "forced" groups (i.e. for negative permissions), roles (admin, student, ...) and capabilities (free-form string)
  - Essentially a front-end to an RDBMS
    - user client: queries the server for authorization info
    - user server: returns authorization info to the client
    - administration client: used by VO administrators for management
    - administration server: executes client update operations on the DB
    - transition tool: interface to mkgridmap++ (see below)
  - All client-server communications are secured and authenticated
  - Authorization info is processed by the gatekeeper
    - the full functionality of VOMS is achieved via LCAS/LCMAPS plug-ins (see below)
VOMS overview (architecture diagram)
- Clients: voms-proxy-init (over GSI), a Perl CLI, a Java GUI and a web browser (http/https)
- VOMS server: vomsd, and voms-httpd (Apache & mod_ssl) fronting Tomcat & java-sec with a SOAP/Axis servlet
- The VOMS implementation reaches the DB via JDBC (Java) or DBI (Perl); mkgridmap pulls membership lists from the server
VOMS Operations
1. Authentication: mutual authentication between client and server; secure communication channel via the standard Globus API
2. Client sends its request to the server
3. Server checks the correctness of the request (query against its authorization DB)
4. Server sends back the required info, signed by itself, in a "pseudo-certificate"
5. Client checks the validity of the info received
6. Client repeats the process for the other VOMSs
7. Client creates a proxy certificate containing all the info received in a (non-critical) extension
8. Client may add user-supplied authorization info (Kerberos tickets, etc.)
(Diagram: the user /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy sends the request; the VOMS server queries its Auth DB and returns the VOMS pseudo-cert.)
Pseudo-Certificate Format
- The pseudo-cert is inserted in a non-critical extension of the user's proxy
  - OID 1.3.6.1.4.1.8005.100.1
- It will become an Attribute Certificate
- One for each VOMS server contacted
Example contents:
  user's identity:
    /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it
    /C=IT/O=INFN/CN=INFN CA   (issuer)
  server identity:
    /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it
    /C=IT/O=INFN/CN=INFN CA   (issuer)
  user's info:
    VO: CMS
    URI: http://vomscms.cern.ch
    TIME1: 020710134823Z
    TIME2: 020711134822Z
    GROUP: montecarlo
    ROLE: administrator
    CAP: "100 GB disk"
  SIGNATURE: (binary signature by the VOMS server over the above; unreadable on the slide)
Authorization (diagram)
- A user DN authenticates to a service; the VOMS service supplies the DN plus attributes
- Java services: pre-processing, ACL and authorization steps; coarse-grained, e.g. Spitfire; fine-grained, e.g. RepMeC
- C services: pre-processing, ACL, LCAS authorization and LCMAPS mapping; coarse-grained, e.g. CE/Gatekeeper (LCAS, LCMAPS); fine-grained, e.g. SE, /grid (LCAS)
Spitfire
- Provides uniform access to various implementations of database back ends via a grid-enabled front end
  - SOAP interface
  - JDBC interface to the RDBMS
- TrustManager: certificate validator for Java services
  - Permits (mutual) secure client-server authentication
  - Supports X.509 certificates and CRLs
- Support for connections via HTTP(S) using the GSI certificate for authentication
- Role-based authorization
  - Support for authorization info provided by VOMS
Local Site Authorization Services
- Local Centre Authorization Service (LCAS)
  - Handles authorization requests to the local fabric
    - Authorization decisions based on the user's proxy certificate and the job specification
    - Supports the grid-mapfile mechanism
  - Plug-in framework (hooks for external authorization plug-ins)
    - Allowed users (grid-mapfile or allowed_users.db)
    - Banned users (ban_users.db)
    - Available timeslots (timeslots.db)
    - Plug-in for VOMS (to process authorization data)
- Local Credential Mapping Service (LCMAPS)
  - Provides the local credentials needed by jobs in the fabric
  - Plug-in framework, driven by a comprehensive policy language
  - Mapping based on user identity, VO affiliation and site-local policy
  - Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5
EDG Gatekeeper (release 2.1) (diagram)
- GSI AuthN of the incoming VOMS proxy (e.g. /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy)
- LCAS authZ call-out: the policy checks allowed users, timeslot and banned users before "accept"
- LCMAPS: open, learn and run the plug-ins, then return the legacy uid (assist_gridmap) to the "Ye Olde Gatekeeper" TLS-auth path
- Job Manager (jobmanager-*): fork+exec with args, submit script
LCMAPS – requirements
- Backward compatible with existing systems (grid-mapfile, k5cert)
- Support for multiple VOs per user (and thus multiple UNIX groups)
- Minimum system administration
  - pool accounts
  - pool "groups"
  - understandable configuration
- Extensible
- Boundary conditions
  - has to run in privileged mode
  - has to run in the process space of the incoming connection (for fork jobs)
LCMAPS – control flow
- User authenticates to the gatekeeper (GK) using a (VOMS) proxy
- LCMAPS library invoked: credential acquisition
  - acquire all relevant credentials
  - enforce "external" credentials
  - enforce credentials on the current process tree at the end
- Run the job manager
  - fork will be OK by default
  - batch systems may need the primary group explicitly
  - batch systems will need updated (distributed) UNIX account info
- Order and function: policy-based
LCMAPS – plugin introspection
- The framework is resilient to new module functionality, and vice versa
- Invocation and argument list for modules are discovered via the "introspection API"
  - information in the (VOMS) proxy cert is accessed by symbolic names
  - argument description by name, type, range, modifiability
  - credential acquisition in named and typed lists
- Different modules can support different interfaces
- Modules from multiple generations can be "mixed"
- An "old" framework will work with "bleeding-edge" modules
- See the apidoc for more details...
LCMAPS – modules (A = credential acquisition, E = enforcement)
- Modules represent atomic functionality
- VOMS: from role info and a local mapfile, assign a gid (A)
- PoolAccounts: from the username, assign a unique uid (A)
- PoolGroups: from the (VOMS) group name, assign a unique gid (A)
- LocalAccount: from the username, assign an existing unique local uid (A)
- AFS/Krb5: get a token based on the user's DN info (A)
- POSIX: process setuid() and setegid() (E)
- POSIX LDAP: update the distributed user database (E)
- Krb5: run the job via k5cert (E)
- ...
LCMAPS – policy evaluation
- State machine approach (a superset of boolean expressions)
  (Diagram: VOMS-group – TRUE → PoolAccount → LDAP, POSIX; VOMS-group – FALSE → LocalAccount → POSIX)
- Policy description file:
    path = /opt/edg/lib/lcmaps/modules
    localaccount = "lcmaps_localaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
    poolaccount  = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
    posix_enf    = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
    voms         = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates -certdir /etc/grid-security/certificates"

    standard:
    voms -> poolaccount | localaccount
    poolaccount -> posix_enf
    localaccount -> posix_enf
  A rule "A -> B | C" runs module B when A returns TRUE and module C when it returns FALSE; a module with no rule of its own ends the policy with its own result.
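The following is an added illustration, not code from the talk or from the LCMAPS code base. It ties together the grid-mapfile entries and the VOMS pseudo-cert attributes shown on the earlier slides with the "standard" policy above: a tiny evaluator walks the module -> on_true | on_false state machine, with toy acquisition modules (voms, poolaccount, localaccount) and a posix_enf stand-in that only records what setuid()/setgid() would apply. Everything it consumes is constructed inline; the gid table, the pool contents, and the convention that a grid-mapfile account beginning with "." names a pool are assumptions, and only the rule lines of the policy file (not the module definitions) are parsed.

```python
"""Added example (not part of the talk or of the LCMAPS code base): an
LCMAPS-style policy evaluator that walks the "module -> on_true | on_false"
state machine over a user's proxy DN and VOMS pseudo-cert attributes.
Every input below is constructed; the pool/gid tables are assumptions."""
import shlex
from datetime import datetime, timezone

# Constructed grid-mapfile.  Assumed convention: an account name starting
# with '.' names a pool to lease from instead of a fixed local account.
GRID_MAPFILE = """\
"/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/Email=roberto.alfieri@pr.infn.it" alfieri
"/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it" .cms
"""
LOCAL_PASSWD = {"alfieri": (1001, 1001)}      # account -> (uid, primary gid)
POOL_FREE = {"cms": [40001, 40002]}           # pool prefix -> unleased uids
VOMS_GROUPMAP = {("CMS", "montecarlo", "administrator"): 5000,  # (VO, GROUP, ROLE) -> gid
                 ("CMS", "montecarlo", None): 5001}
SAMPLE_PSEUDO_CERT = {"VO": "CMS", "GROUP": "montecarlo", "ROLE": "administrator",
                      "TIME1": "020710134823Z", "TIME2": "020711134822Z"}
POLICY = """\
standard:
voms -> poolaccount | localaccount
poolaccount -> posix_enf
localaccount -> posix_enf
"""

def parse_voms_time(s):
    """TIME1/TIME2 use YYMMDDhhmmssZ (UTC), e.g. 020710134823Z."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_gridmap(text):
    """'"DN" account' lines; the DN is quoted because it contains spaces."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            dn, account = shlex.split(line)
            table[dn] = account
    return table

def parse_policy(text):
    """Return {module: (next_on_true, next_on_false)} in rule order."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):       # blank line or policy name
            continue
        left, right = (s.strip() for s in line.split("->", 1))
        branches = [s.strip() for s in right.split("|")]
        rules[left] = (branches[0], branches[1] if len(branches) > 1 else None)
    return rules

def voms(ctx):
    """A: accept the pseudo-cert only inside [TIME1, TIME2] and only if its
    (VO, GROUP, ROLE) is known locally; then add the mapped gid."""
    pc = ctx.get("pseudo_cert")
    if pc is None:
        return False
    gid = VOMS_GROUPMAP.get((pc["VO"], pc["GROUP"], pc.get("ROLE")))
    t1, t2 = parse_voms_time(pc["TIME1"]), parse_voms_time(pc["TIME2"])
    if gid is None or not t1 <= ctx["now"] <= t2:
        return False
    ctx["gids"].append(gid)
    return True

def poolaccount(ctx):
    """A: lease a fresh uid from the pool named by the grid-mapfile entry."""
    entry = ctx["gridmap"].get(ctx["dn"], "")
    free = POOL_FREE.get(entry[1:]) if entry.startswith(".") else None
    if not free:                               # no pool entry, or pool exhausted
        return False
    ctx["uid"] = free.pop(0)
    return True

def localaccount(ctx):
    """A: map to an existing local account (legacy grid-mapfile behaviour)."""
    uid_gid = LOCAL_PASSWD.get(ctx["gridmap"].get(ctx["dn"], ""))
    if uid_gid is None:
        return False
    ctx["uid"], gid = uid_gid
    ctx["gids"].insert(0, gid)                 # the account's own primary gid
    return True

def posix_enf(ctx, maxsgid=32):
    """E: stands in for setuid()/setgid(); refuses unless exactly one uid and
    a primary gid were acquired and the secondary gids fit -maxsgid."""
    if ctx.get("uid") is None or not ctx["gids"] or len(ctx["gids"]) - 1 > maxsgid:
        return False
    ctx["enforced"] = (ctx["uid"], ctx["gids"][0], tuple(ctx["gids"][1:]))
    return True

MODULES = {"voms": voms, "poolaccount": poolaccount,
           "localaccount": localaccount, "posix_enf": posix_enf}

def run_policy(rules, ctx):
    """Start at the first rule's module; a module with no rule of its own ends
    the policy with its own result, so a branch without fallback fails closed."""
    node = next(iter(rules))
    while True:
        ok = MODULES[node](ctx)
        nxt = rules.get(node, (None, None))[0 if ok else 1]
        if nxt is None:
            return ok
        node = nxt

def map_user(dn, pseudo_cert, now):
    """Return (uid, primary gid, secondary gids), or None if mapping failed."""
    ctx = {"dn": dn, "pseudo_cert": pseudo_cert, "now": now, "gids": [],
           "gridmap": parse_gridmap(GRID_MAPFILE)}
    return ctx["enforced"] if run_policy(parse_policy(POLICY), ctx) else None

CIASCHINI = "/C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it"
ALFIERI = "/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/Email=roberto.alfieri@pr.infn.it"

if __name__ == "__main__":
    print(map_user(CIASCHINI, SAMPLE_PSEUDO_CERT, parse_voms_time("020710150000Z")))
    print(map_user(ALFIERI, None, parse_voms_time("020710150000Z")))
    print(map_user(CIASCHINI, SAMPLE_PSEUDO_CERT, parse_voms_time("020801000000Z")))
```

Three runs show the three paths of the policy: a valid pseudo-cert takes the TRUE branch and leases a pool uid with the VOMS-derived gid; a user with no VOMS attributes but a fixed grid-mapfile entry falls through to localaccount; an expired pseudo-cert for a pool-only user takes the FALSE branch, finds no local account, and the mapping fails closed rather than handing out a uid.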
LCMAPS – invocation and running (diagram)
- The gatekeeper (GK) calls LCMAPS
- Plugin Manager: load all modules, initialise all, introspect for the API
- Evolution Manager: read and evaluate the policy
- Any plug-in: local init
- Terminations
LCMAPS – enabling new functionality
- Local UNIX groups based on VOMS group membership and roles
- More than one VO/group per grid user
- No pre-allocation of pool accounts to specific groups
- New mechanisms:
  - groups-on-demand
  - central user directories (nss_ldap, pam_ldap)
- Why do we (still) need LCAS:
  - centralized decisions on authorized users (like at FNAL)
  - coordinated access control across multiple CEs
  - (and to save on expensive account allocation mechanisms in LCMAPS)
Status and Future Work
- LCAS was in release 1.4.x and is currently used
- VOMS release delayed till after 2.0.0; unit deployment of VOMS (client/server, admin, mkgridmap++) in Feb. '03
- LCMAPS release foreseen for $DATE (see status talk)
Work in progress
- VOMS
  - support for time-cyclic/time-bound permissions and roles
  - pseudo-certificates will be substituted by true Attribute Certificates (RFC 3281)
  - database replication
- LCAS/LCMAPS
  - framework ready, evolution manager ready, doc & apidoc available
  - completed plug-ins: localaccount, poolaccount, POSIX
  - in development (various stages): VOMS, AFS/Krb5, PoolGroups, LDAP
mkgridmap++
- Need for a tool for the transition from VO-LDAP to VOMS and to the LCAS/LCMAPS mechanism
- VOMS and VO-LDAP can and MUST coexist
  - VOMS can also be used for grid-mapfile generation
  - new directive in the config file
- New feature
  - authenticated access to VOMS (not LDAP) servers over https, to restrict the clients allowed to download the list of VO members
(Diagram: on the CE, mkgridmap++ reads "group ldap://…" and "group https://…" directives and writes the grid-mapfile; access to the https source is restricted.)
More Information
- EDG Security Coordination Group
  Web site: http://hep-project-grid-scg.web.cern.ch/
- VOMS
  Web site: http://grid-auth.infn.it/
  CVS site: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/
  Developers' mailing list: sec-grid@infn.it
- LCAS-LCMAPS
  Web site: http://www.dutchgrid.nl/DataGrid/wp4/
  CVS site: http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/
            http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
  Mailing list: hep-proj-grid-fabric-gridify@cern.ch
- Spitfire
  Web site: http://spitfire.web.cern.ch/Spitfire/
Related Work
- CAS (Globus team)
  - proxy generated by the CAS server, not by the user (difficult traceability)
  - proxy not backward compatible
  - attributes are permissions (resource access controlled by the VO)
- PERMIS (Salford Univ., England)
  - ACs stored in a repository at the local site
  - good policy engine
  - complementary to VOMS (flexible VOMS AC + PERMIS policy engine)
- Akenti (US Gov.)
  - targets Web sites; not easy to migrate to a VO environment