EDG Configuration and Authentication

Slides:



Advertisements
Similar presentations
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Advertisements

Alessandro Cavalli – MDS October n° 1 MDS 2.1 Configuration for Testbed 1 Alessandro Cavalli INFN - CNAF
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
27-29 September 2002CrossGrid Workshop LINZ1 USE CASES (Task 3.5 Test and Integration) Santiago González de la Hoz CrossGrid Workshop at Linz,
Security Mechanisms The European DataGrid Project Team
National Computational Science National Center for Supercomputing Applications National Computational Science Alliance Setup Package Requirements Jim Basney.
Linux Operations and Administration
2440: 141 Web Site Administration Remote Web Server Access Tools Instructor: Enoch E. Damson.
1 Web Server Administration Chapter 9 Extending the Web Environment.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 4 Manage Software for SUSE Linux Enterprise Server.
Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file grid “ping”
GRID The GRID distribution toolkit at INFN Flavia Donno (INFN Pisa) Andrea Sciaba` (INFN Pisa) Zhen Xie (INFN Pisa) presented by Massimo Sgaravatto (INFN.
The In’s and Out’s of the IIS 6.0 Migration Tool The In’s and Out’s of the IIS 6.0 Migration Tool Chris Adams Web Platform Supportability Lead Microsoft.
Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
Support for system administrators Feedback from site admins after Testbed1 experience 05/03/2002 4th EDG WS Paris G. Merino, IFAE.
CERN Manual Installation of a UI – Oxford July - 1 LCG2 Administrator’s Course Oxford University, 19 th – 21 st July Developed.
G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.
Nadia LAJILI User Interface User Interface 4 Février 2002.
Ron Trompert – Testbed1 Software – 7 November n° 1 Partner Logo Testbed1 Software Ron Trompert sara.nl.
1 Chapter Overview Publishing Resources in Active Directory Service Redirecting Folders Using Group Policies Deploying Applications Using Group Policies.
First attempt for validating/testing Testbed 1 Globus and middleware services WP6 Meeting, December 2001 Flavia Donno, Marco Serra for IT and WPs.
Globus Toolkit Installation Report. What is Globus Toolkit? The Globus Toolkit is an open source software toolkit used for building Grid systems.
Open Science Grid OSG CE Quick Install Guide Siddhartha E.S University of Florida.
BNL VO Management and Grid Mapfile Generation Brookhaven National Lab.
1 Linux Networking and Security Chapter 5. 2 Configuring File Sharing Services Configure an FTP server for anonymous or regular users Set up NFS file.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Guide to Linux Installation and Administration, 2e1 Chapter 11 Using Advanced Administration Techniques.
GRID Zhen Xie, INFN-Pisa, on DataGrid WP6 meeting1 Globus Installation Toolkit Zhen Xie On behalf of grid-release team INFN-Pisa.
Status of NorduGrid testbed DataGrid Workshop, Oxford 2 nd – 5 th of July Anders Waananen.
Maite Barroso - 10/05/01 - n° 1 WP4 PM9 Deliverable Presentation: Interim Installation System Configuration Management Prototype
Linux Operations and Administration
Andrew McNab - Globus Distribution for Testbed 1 Globus Distribution for Testbed 1 Andrew McNab, University of Manchester
15-Feb-02Steve Traylen, RAL WP6 Test Bed Report1 RAL/UK WP6 Test Bed Report Steve Traylen, WP6 PPGRID/RAL, UK
Open Science Grid Build a Grid Session Siddhartha E.S University of Florida.
Tests at Saclay D. Calvet, A. Formica, Z. Georgette, I. Mandjavidze, P. Micout DAPNIA/SEDI, CEA Saclay Gif-sur-Yvette Cedex.
Stephen Burke – Sysman meeting - 22/4/2002 Partner Logo The Testbed – A User View Stephen Burke, PPARC/RAL.
How to use Drupal Awdhesh Kumar (Team Leader) Presentation Topic.
Jean-Philippe Baud, IT-GD, CERN November 2007
AuthN and AuthZ in StoRM A short guide
The EDG Testbed Deployment Details
Oxana Smirnova, Jakob Nielsen (Lund University/CERN)
Connect:Direct for UNIX v4.2.x Silent Installation
Classic Storage Element
How to connect your DG to EDGeS? Zoltán Farkas, MTA SZTAKI
MyProxy Server Installation
Operating a glideinWMS frontend by Igor Sfiligoi (UCSD)
Installation and configuration of a top BDII
Peter Kacsuk – Sipos Gergely MTA SZTAKI
Cryptography and Network Security
LINUX ADMINISTRATION 1
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
Installation, Configuration, Examples of use
SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH
CMS report from FNAL demo week Marco Verlato (INFN-Padova)
Viet Tran Institute of Informatics Slovakia
Interoperability & Standards
Update on EDG Security (VOMS)
SCL, Institute of Physics Belgrade, Serbia
Security in ebXML Messaging
CERN Certificates platform Emmanuel Ormancey / Anatoly Gladkov
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
From Prototype to Production Grid
EGEE Middleware: gLite Information Systems (IS)
Planning and Storyboarding a Web Site
APACHE WEB SERVER.
Grid Security Infrastructure
Grid Computing Software Interface
Information Services Claudio Cherubino INFN Catania Bologna
The DZero/PPDG D0/PPDG mission is to enable fully distributed computing for the experiment, by enhancing SAM as the distributed data handling system of.
Presentation transcript:

EDG Configuration and Authentication October 29, 2001 CERN Anders Wäänänen, Niels Bohr Institute, NorduGrid waananen@nbi.dk

Summary Overview of the EDG Globus Configuration Gatekeeper and Jobmanager GridFTP Information system Authentication and Security Issues Certificate Authorities Certificates for Testbed 1 Open ports

Running a Testbed site 101 To run a testbed site or “being part of the Grid” means providing services to Grid users The users need to be able to contact these services (jobmanagers) through a single point (gatekeeper). Information about the resources should also be provided (MDS) to let the user and brokers get detailed information about the site. The site needs to now the users (authentication) and whether to allow them access or not (authorization).

Globus Configuration Has historically been quite complex Many different configuration files Same information occur in several places Very easy to make errors Not easy to update information Steep learning curve for busy site administrators

EDG Globus Configuration Centralized configuration Information should only be entered once Should be easy to update/change information Sensible default values System administrators should only need to enter site specific configuration Allow “Expert” configuration Should work “out of the box” (almost) No hard-wired site specific values - Not even EDG specific

File locations Globus root: /opt/globus Relocation not (yet) supported – use soft links Red Hat / Linux file locations instead of Globus centric locations: /opt/globus/sbin -> /etc/rc.d/init.d (SysV scripts) /opt/globus/etc -> /etc/profile.d (user profiles) /opt/globus/var -> /var/log (log files) /opt/globus/var -> /var/run (pid files) … In the future /opt/globus could be made read-only and on a shared filesystem

/etc/globus.conf Common configuration file /etc/globus.conf Works identically to Red Hat’s /etc/sysconfig/ files Simple format: # at start of line means a comment MACRO=VALUE Example: # This is a comment line GLOBUS_LOCATION=/opt/globus It is not a shell script, but can be used in shell scripts by sourcing

Notes on MACRO names Try to be consistent with MACRO names across sub-packages Same MACROS for same functionality GLOBUS_LOCATION is used by all packages to specify Globus install path Consistent MACRO naming while trying to maintain the original Globus namespace as much as possible: X509_GATEKEEPER_KEY X509_GIIS_KEY GATEKEEPER_LOGFILE GRID_INFO_LOGFILE

EDG Config packages Should replace the Globus setup packages No manual setup using these packages are needed EDG config RPMs are named as: globus_<package>-edgconfig Where “package” as a first approximation is the name of the corresponding setup package which it replaces Current EDG configuration packages: core, common, profile, gatekeeper, gsi_wuftpd, mds, doc These packages (together with the CA packages) fully replaces the standard GLOBUS setup procedure No RPM post-install scripts (requirement) Local (internal) configuration files are (re)created by each restart of service with parameters from /etc/globus.conf

Core, Common and Profile Replaces globus_core_setup Basic scripts (Globus file system layout, Unix tools locations) Common Replaces globus_common_setup Common scripts (hostname,domainname) Profile Set user environment including path

Common options GLOBUS_LOCATION X509_CERT_DIR GRIDMAP Root of Globus installation (/opt/globus) X509_CERT_DIR CA certificate directory (/etc/grid-security/certificates) GRIDMAP Grid Mapfile (/etc/grid-security/grid-mapfile)

Gatekeeper & Jobmanager The gatekeeper machine act as an interface to the local scheduler. It runs the gatekeeper daemon and the jobmanagers which calls the low level schedulers – all on the same host. Started through the SysV script called globus-gatekeeper: /etc/rc.d/init.d/globus-gatekeeper Maintained on Red Hat with service and chkconfig(8): chkconfig globus-gatekeeper on service globus-gatekeeper start Not (yet) support for start-up through (x)inetd

Gatekeeper Options GATEKEEPER_PORT GATEKEEPER_LOG GATEKEEPER_USER Port number of Gatekeeper (2119) GATEKEEPER_LOG Gatekeeper logfile (/var/log/globus-gatekeeper.log) GATEKEEPER_USER Username of the gatekeeper (not specfied (root)) X509_GATEKEEPER_CERT Gatekeeper certificate (/etc/grid-security/hostcert.pem) X509_GATEKEEPER_KEY Gatekeeper key (/etc/grid-security/hostkey.pem)

Jobmanager Options To setup the local job-managers simply define GLOBUS_JOBMANAGERS: Eg.: GLOBUS_JOBMANAGERS=“fork pbs” An empty GLOBUS_JOBMANAGERS makes a very dull gatekeeper The contact string is then given by: hostname/jobmanager-<jobmanager_type> Eg: grid.cern.ch/jobmanager-lsf or grid.cern.ch:12345/jobmanager-fork The default job-manager (simply called “jobmanager”) will be the first jobmanager listed in GLOBUS_JOBMANAGERS At the moment the fork manager is needed by some client programs (globus- job-get-output and globus-job-clean) You should provide a fork job-manager if you want to support these clients If fork is not the default job-manager this must be specfied by the users when running these programs

Jobmanager Options (continued) Supported Testbed 1 job-managers: fork, pbs and lscf The location of the backend jobmanager programs must be specified in /etc/globus.conf (if they are not in root’s path): Example for PBS: GLOBUS_GRAM_JOB_MANAGER_QDEL=/usr/local/pbs/bin/qdel GLOBUS_GRAM_JOB_MANAGER_QSTAT=/usr/local/pbs/bin/qstat GLOBUS_GRAM_JOB_MANAGER_QSUB=/usr/local/pbs/bin/qsub The GRAM reporter (reporting system for the backend scheduler) setup is handled by the MDS system

Information system At the moment 2 different information system exists MDS 2.1 (integrated with Globus) OpenLDAP Ftree (does not require Globus) Both have advantages and disadvantages Can be run in parallel on the same machine (uses different ports) Will hopefully be merged soon

Globus MDS 2.1 Very new – Globus just delivered a couple of weeks ago The new MDS 2.1 provides among other things support for virtual organizations (VO) Runs off a single port (2135) with both GRIS and GIIS Started through SysV with name: globus-mds Support non-anonymous queries to the GIIS Configured completely through /etc/globus.conf Configuration not completely finalized Run as non-root using GRID_INFO_USER

Globus GRIS Configuration GRIS – Grid Resource Information Service GRIS startup: GRID_INFO_GRIS_ACTIVE Start the GRIS (y) Registration to GIIS: GRID_INFO_GRIS_REG_HN= GRID_INFO_GRIS_REG_PORT= GRID_INFO_GRIS_REG_PERIOD= Void values means a local GIIS GRAM reporter automatically setup using GLOBUS_JOBMANAGERS

Globus GIIS Configuration GIIS – Grid Index Information Server Certificate and key for non-anonymous queries X509_GIIS_CERT X509_GIIS_KEY Multiple Virtual Organizations (VO’s) on different/same node. Many more details in the afternoon demo

OpenLDAP Ftree New OpenLDAP backend “ftree” GRIS and GIIS on separate ports Interface to various backend programs from WP1, WP4, WP5, WP7 Port setup: Site GIIS: cached: 2173 Using referrals: 2169 Compute Elements (ce): PBS: 2171 LSF: 2172 Afternoon demo?

Testbed 1 Certification Authorities To use Globus and the Grid one needs certificates Certificate authorities can issue certificates Testbed 1 approved certificate authorities: http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html From the list (currently 13) one should identify which CA one belongs to. This CA will provide user, host and server certificates A host might need several certificates (gatekeeper, mds, …) Instructions for interacting with each CA can be found from the local CA’s web pages

Authenticating on Testbed 1 Each host running a Grid service needs to be able to authenticate users and other hosts Therefore the CA certificate for each CA needs to be installed (This certificate can be thought of the public key of the CA). RPMs can be found from: http://datagrid.in2p3.fr/distribution/config/security.html RPM naming: ca_<CA_ALIAS> Eg: ca_CERN Installing these RPMs does not allow access (authorization) to local grid services. It just provides authentication. All CA certificates should and can safely be installed without compromising local site security.

Authenticating on Testbed 1 (continued) CA certificate location: /etc/grid-security/certificates/ Controlled by X509_CERT_DIR in /etc/globus.conf CA filenames are made of the hash of the CA certificate with .0 appended: eg. 1f0e8352.0 To specify which certificates a CA can sign a policy file for each CA is needed. The policy file is located in the same directory as the CA certificate with a .signing-policy appended to the hash: eg. 1f0e8352.signing-policy This replaces ca-signing-policy.conf from Globus 1. Other CA specific files used by various tools are located in the CA certificate directory To get the hash of a certificate: openssl x509 –in certificate –noout –hash

grid-cert-request Some CA support certificate requests through the Globus grid-cert-request program. For this to work one should install the “local” CA RPMs: http://datagrid.in2p3.fr/distribution/config/security.html These packages replaces the globus-sslutils-setup scripts. Current CA with “local” support: CERN, GridPP, INFN, NorduGrid, Russia

Certificate Revocation Certificates can be revoked for several reasons: Comprised keys, forgotten passwords, no longer used,.. To communicate this to site maintainers each CA provides online Certificate Revocation Lists (CRL’s). Each CA makes this available in different ways. The tool edg-fetch-crl provides a common interface to all the CRLs and should be run on a regular basis (eg. each day) from cron(8) on all machines providing Grid services It is provided by the RPM package edg-utils Basic usage: edg-fetch-crl -o /opt/grid-security/certificates CRL filenames is the hash of the CA certificate with .r0 appended.

Default Port numbers / firewalls Port numbers can be specified in /etc/services eg.: globus-gatekeeper 2119/tcp # Globus Gatekeeper Useful for netstat(8) and lsof(8), but not required The default port numbers used by the Testbed software: 2119 (Gatekeeper) 2811 (GSI WU-FTPD) 2135 (Globus MDS) 2169, 2173 (Ftree site GIIS) 2171, 2172 (Ftree compute elements)

Documentation Under Construction… Contents: Administrators Guide (exists) User’s Guide Developer’s Guide globus.conf template (exists) Includes all valid configuration options

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.