Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist

06/19/06EGEE Execution Rights Management Workshop 2006 Requirements l Mapping PKI credentials to local accounts u Mapping attributes into account attributes l Creating a mapping creates an implied policy u The PKI credential mapped to an account can access and manage this account l Resource allocation aspect u Account is a resource u Allocate accounts from a pool, manage those pools u Pools may be allocated on a per-attribute basis l Policy management aspect u Account access policies: mapping multiple identities to a local account u Account management policies: who can manage this mapping

06/19/06EGEE Execution Rights Management Workshop 2006 DMSDMS Dynamic Account Services Dynamic Account Factory Service useradd (dynamic) Database/Derby (pool) LCMAPS (pool) request an account WSRF-based, secure GT4 management interfaces Back-end implementation Dynamic Account Management Service Account Resource: -Termination time -Account policies manage an account query account mapping DMSDMS PEP Dynamic Accounts Backend Back-end adapters Account creation within a Trusted Computing Base (TCB)

06/19/06EGEE Execution Rights Management Workshop 2006 Authorizing Workspace Use l Authorization based on VOMS proxy attributes l Creation (Factory) u Authorization via a DN ACL u Authorization via an attribute ACL l Management and Inspection (Service) u Management functions accessible based on management policies l Authorization callouts are customizable u LCAS /DC=org/DC=doegrids/OU=People/CN=Timothy Freeman /O=Grid/OU=GlobusTest/OU=simpleCA-prnb3/CN=TimF /EGEE/egee/manager /egtest/mytemp/Role=NULL/Capability=NULL

06/19/06EGEE Execution Rights Management Workshop 2006 Using Dynamic Accounts Service: GRAM Example Dynamic Account Factory and Management Services (1) request an account and set policies DMSDMS PEP (4) renegotiate lifetime and policies as needed GRAM PEP (3) check for DN mapping to a specific account (specified by RSL localUserId) l A service needs to be configured to work with the DA Service (configurable in GT4 GRAM) l Prototype extended SAML interface to enable GUMS substitution u Paper: Authorization Attributes, Obligations and Flexible Account Management in the OpenScienceGrid, GRID 2005 (2) request job execution

06/19/06EGEE Execution Rights Management Workshop 2006 Managing Accounts: Resource Aspect l Pool Accounts u A site admin creates a finite pool of accounts u Accounts are assigned from a pool and potentially restored to the pool after they have been used l The same account may get assigned to multiple users -- audit issue l The number of available accounts is limited l How do we “clean” accounts? l How and when can accounts be quarantined? l Truly dynamic accounts u Created by UNIX useradd call u Flexibilty: accounts created based on need u No need to recycle, simplifies audit u Could potentially interfere with local account management systems

06/19/06EGEE Execution Rights Management Workshop 2006 Dynamic Accounts Backend l Creation: poolindex function u DN+attributes -> pool lease + groups l Termination u Via explicit destroy call or TTL termination u Expires the lease u Callout to clean: kill processes, delete files, revert groups back to default u Default script, configurable by site administrator l Quarantine u Puts the account in a “quarantine pool” u Mandatory quarantine: if the termination script exits with errors or checks fail u Optional quarantine: configurable by site administrator u Quarantine removal can be manual or automatic

06/19/06EGEE Execution Rights Management Workshop 2006 Backend Adapters l LCMAPS u Developed at NIKHEF u Based on a gridmapdir patch u Maps credentials to pool accounts based on policy/algorithm by creating a hardlink u Allows for multiple pool leases l Database (Derby) u A site administrator creates account pools and describes them in files (one file per pool), the database is populated from these files u The policies are managed in the database, uses db methods for persistence, transactions, etc. l Truly dynamic accounts in prototype stage

06/19/06EGEE Execution Rights Management Workshop 2006 Managing Accounts: Policy Aspect l Account Access Policy: what DNs can map to this account? u “owner” access is implied u Optional: specify a list of DNs at creation u Enforcement depends on infrastructure l Plugins configure gridmapfile, lcmaps structures l Account management policy u “owner” management is implied u Can I determine management policies for this account? u Management policies imply adding or limiting access to the account

06/19/06EGEE Execution Rights Management Workshop 2006 Managing Accounts: Identity Mapping l Account creation u Credential attributes are used for authorization u Credential attributes are mapped into attributes associated with the new credential, e.g.: l VOMS attributes -> UNIX groups, l An attribute -> account pool u Implied semantics attached to attributes within a system (TCB-specific policies) PIPPDPapplication VOMS Shib? message context

06/19/06EGEE Execution Rights Management Workshop 2006 Future Directions: CAS Interface l CAS overview u WS Policy Management Interface u SAML-based OGSA-Authz authorization query u CAS is enhanced to accommodate dynamic, real- time policy management and enforcement l CAS policy management as an alternative interface to the dynamic accounts service u Leverage CAS’ full featured policy lifecycle management interface u Potentially also leverage CAS’ more expressive policy language to write more sophisticated policies about accounts

06/19/06EGEE Execution Rights Management Workshop 2006 Status l Available as part of GT distribution u Contribution, an incubator project l Leverages GT4 features u GT4 logging for audit, persistence, security, etc. l Integration with Globus services u GT4 GRAM patch available u Can be used with GT2 GRAM via a C client callout l Documentation and download at

06/19/06EGEE Execution Rights Management Workshop 2006 Workspaces and Dynamic Accounts l Workspaces u Dynamically created and managed environment based on an authorized request u Associated with a resource allocation u Associated with an environment and its deployment capability u Associated with access and management policies l Examples: u A physical machine configured to meet TeraGrid requirements u A cluster of virtual machines configured to meet OSG requirements l Dynamic Accounts Service is part of the Workspace suite of tools u Also used to go by the name of WorkSpace Service (WSS)

06/19/06EGEE Execution Rights Management Workshop 2006 Workspaces (cntd) l Workspace creation: u Provision resources, provide/complete configuration, provide access u Dynamic accounts provide access l Workspace Implementations: u Physical machines u Virtual Machines l Virtual Workspace Service u Allows you to create an independently configured, isolated environment, manage its resource allocation on a fine-grained level u Used in OSG Edge Services u

06/19/06EGEE Execution Rights Management Workshop 2006 Summary l Some current issues u Mapping into UNIX accounts: separating policy management and querying from resource management concerns u Agreement on interfaces for identity mapping and policy management l E.g., GUMS/Dynamic Accounts effort u Formalizing of attribute mapping between different domains l Right now typically defined by the implementation -- essentially requiring everybody to use the same implementation l More information at