Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Presentation transcript:


Andrew McNab - EDG Access Control - 17 Jan 2003 - GridPP / EDG / WP6

Outline
- EDG Testbed Overview
- Sysadmins' issues
- Existing VO
- Pool accounts
- SlashGrid
- GridSite
- Grid ACL's
- GACL library
- LCAS/LCMAPS Site Access Control

Existing EDG Testbed
- Currently ~300 users at ~20 sites across Europe

Testbed site administrators' initial worries...
- How can Grid users gain access without me creating new accounts every day?
- How can I limit what they can do?
- How can I audit what they've done to me?
- How can I keep track of files they've created?
- Local access control and account management usually boils down to
  - mapping Grid identities into appropriate local Unix identities
  - while respecting the above.

Existing EDG LDAP VO
- EDG currently uses VO authorisation servers: centrally provided authorisation listings
  - published via LDAP (~300 users in ~10 VO's)
  - mkgridmap tool for building a local grid-mapfile with a local choice of VO's.
  - GUI tools allow VO managers to manage VO membership
- Provides a list of certificate DN's for a given group: eg an experiment, or a group within an experiment.
- Groups have to be defined by an admin of the VO
  - can't be defined on an ad-hoc basis by small groups of users
- Will eventually meet scaling issues since each site must frequently (daily?) fetch listings for the VO's it accepts.
  - VOMS or CAS "visa" model would help a lot with this

Joining an application VO
- Users first join the Acceptable Use Policy VO, with their web browser, using their certificate
  - this involves agreeing to the DataGrid-wide AUP, which sets out the obligations of sites and users
  - legal wording done in conjunction with CERN legal experts (who understandably have a lot of experience of international law)
- Users can then join the VO of their application (eg an LHC experiment)
  - VO manager can choose whether to accept the user
- At each site, the AND of AUP VO membership and Application VO membership controls access

Pool accounts
- The other half of removing the account creation burden from admins
  - pre-create pools of accounts and allocate these to users when they request access
- Widely used by EDG Testbed sites, but not obligatory
  - in practice, almost all have chosen to use it
- Auditing possible since all DN=>UID mappings are recorded in log files.
- Same pool mappings can be shared across a farm by sharing gridmapdir lock files with NFS.
- Existing system works ok for CPU-only jobs
  - but not really appropriate if users are creating long-lived files at the site in question.
- Limitations arise because files are still owned by the Unix UID: a UID can't be recycled until all files it created have been removed.
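The following is an added example and not the gridmapdir patch's own code. It models the pool-account life-cycle the slide describes: leasing a pre-created account to a Grid DN, sharing the lease state through the filesystem so farm nodes agree on it, logging every DN=>account mapping for audit, and refusing to recycle an account while files owned by its UID still exist. The hard-link mechanism in the docstring is how the author of this example understands gridmapdir to work and is an assumption, as are the account names, DNs and directory layout, which are all constructed.

```python
"""gridmapdir-style pool-account allocation, written as an added example.

Assumed mechanism (not spelled out on the slide): the gridmapdir contains one
empty file per pool account (atlas001, atlas002, ...). Leasing an account to a
Grid DN means hard-linking a file named after the URL-encoded DN to the
account's file, so st_nlink == 1 marks a free account and st_nlink == 2 a
leased one. Because link() is atomic, even over NFS, farm nodes sharing the
directory cannot hand the same account to two DNs without noticing.
"""
import os
import tempfile
import urllib.parse
from typing import Iterable, List, Optional


def encode_dn(dn: str) -> str:
    """Turn a DN into one safe filename ('/' and ' ' become %2F and %20)."""
    return urllib.parse.quote(dn, safe="")


def count_files_owned(uid: int, roots: Iterable[str]) -> int:
    """Count files under the given roots owned by uid (the recycling check)."""
    total = 0
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                try:
                    if os.lstat(os.path.join(dirpath, name)).st_uid == uid:
                        total += 1
                except FileNotFoundError:
                    pass  # file vanished mid-walk; nothing to own
    return total


class GridMapDir:
    def __init__(self, path: str, prefix: str, size: int) -> None:
        self.path, self.prefix = path, prefix
        self.audit: List[str] = []  # in-memory stand-in for the mapping log file
        os.makedirs(path, exist_ok=True)
        for i in range(1, size + 1):
            open(os.path.join(path, f"{prefix}{i:03d}"), "a").close()

    def _accounts(self) -> List[str]:
        return sorted(n for n in os.listdir(self.path) if n.startswith(self.prefix))

    def lookup(self, dn: str) -> Optional[str]:
        """Return the account currently leased to dn, or None."""
        link = os.path.join(self.path, encode_dn(dn))
        if not os.path.exists(link):
            return None
        ino = os.stat(link).st_ino  # the lease file and the account file share an inode
        for name in self._accounts():
            if os.stat(os.path.join(self.path, name)).st_ino == ino:
                return name
        return None

    def allocate(self, dn: str) -> str:
        """Lease a free account to dn, or return the one it already holds."""
        current = self.lookup(dn)
        if current is not None:
            return current
        link = os.path.join(self.path, encode_dn(dn))
        for name in self._accounts():
            target = os.path.join(self.path, name)
            if os.stat(target).st_nlink != 1:
                continue  # already leased to someone else
            try:
                os.link(target, link)
            except FileExistsError:  # another node mapped this DN meanwhile
                return self.lookup(dn)
            if os.stat(target).st_nlink != 2:
                os.unlink(link)  # two nodes grabbed this account at once; try the next
                continue
            self.audit.append(f"MAP {dn} -> {name}")
            return name
        raise RuntimeError("pool exhausted")

    def release(self, dn: str, files_still_owned: int) -> bool:
        """Recycle dn's account, but only if none of its files remain on disk.

        A non-zero count keeps the lease: recycling the UID would hand the next
        user ownership of the previous user's files."""
        name = self.lookup(dn)
        if name is None:
            return False
        if files_still_owned > 0:
            self.audit.append(f"KEEP {dn} -> {name} ({files_still_owned} files remain)")
            return False
        os.unlink(os.path.join(self.path, encode_dn(dn)))
        self.audit.append(f"UNMAP {dn} -> {name}")
        return True


def demo() -> dict:
    """Run the lease life-cycle in a temporary directory and return what happened."""
    base = tempfile.mkdtemp(prefix="gridmapdir-demo-")
    gm = GridMapDir(os.path.join(base, "gridmapdir"), "atlas", 2)
    andrew = "/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew McNab"  # constructed DNs
    other, third = "/O=Grid/DN=Other", "/O=Grid/DN=Third"
    data = os.path.join(base, "data")
    os.makedirs(data)
    for i in range(3):  # constructed leftover output files owned by our own uid
        open(os.path.join(data, f"out{i}.dat"), "w").close()
    result = {"first": gm.allocate(andrew), "again": gm.allocate(andrew),
              "other": gm.allocate(other)}
    try:
        gm.allocate(third)
        result["third"] = "unexpected"
    except RuntimeError:
        result["third"] = "pool exhausted"
    leftovers = count_files_owned(os.getuid(), [data])
    result["leftovers"] = leftovers
    result["release_blocked"] = gm.release(andrew, leftovers)
    result["release_after_cleanup"] = gm.release(andrew, 0)
    result["recycled_to_third"] = gm.allocate(third)
    result["audit"] = list(gm.audit)
    return result
```

The second `st_nlink` check after `os.link` is the part worth copying: a link succeeding is not proof of a lease, because a second node may have linked its own DN to the same free account in the same instant, so each node re-checks the count and backs off if it is not exactly 2.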

SlashGrid / certfs / curlfs
- Framework for creating "Grid-aware" filesystems
  - different types of filesystem provided by dynamically loaded (and potentially third-party) plugins.
- certfs.so plugin provides local storage governed by Access Control Lists based on Grid DN's and VO groups
  - certfs is quite solid: you can build a bootable Linux kernel on a certfs filesystem (~100,000 file operations in a few minutes)
- Since new ACL's just have the creator's DN, this is equivalent to file ownership by DN rather than UID.
  - solves admin worries about long-lived files owned by pool accounts.
  - if pool accounts are prevented from writing to normal disks, there is no chance they will write something unpleasant somewhere unexpected.
- HTTP/HTTPS plugin (curlfs) ultimately aims to provide some NFS/AFS-like functionality, again governed by Grid creds + ACL's.

SlashGrid as container environment
- Basic SlashGrid use maps an area like /var/spool/slashgrid/grid/xxx to /grid/xxx, with the mapping controlled by plugin code.
- But it also allows virtual directory hierarchies which don't correspond to real areas on disk
  - "gridmap" plugin, populated with symbolic links: eg /grid/p/atlas001 -> /grid/u/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew%20McNab
- Could go further and create whole user environments on demand
  - can be a "sandbox" if we prevent operations outside this environment
  - can be tailored to the user's application (eg default shared library versions)
- This means we could achieve a lot of the security and uniformity between sites that, say, a Java VM has, but with native binaries.
- This would be very complementary to the new GT3 GRAM.

GridSite
- GridSite manages access to websites and HTTP(S) fileservers
  - Users and admins load GSI cert + key into unmodified web browsers
- ACL's control the level of read and write access to a file/directory
  - Write access either by HTML forms (interactive) or HTTP PUT (programmatic)
- Website admins can define groups of users with specific rights
  - Can delegate administration of that group to one or more members.
  - Group membership can also be published in EDG VO LDAP format.
- fileGridSite is a cut-down version without any HTML page-formatting or HTML-editing forms
  - provides a streamlined HTTPS fileserver with Grid access control
- GridSite used by the EDG Testbed website, and GridPP and e-Science support websites in the UK.

Current ACL's
- When building GridSite, SlashGrid and the Storage Element, we needed a simple ACL format to use for prototyping.
- Current SlashGrid and GridSite use a per-directory XML ACL in .gacl
  - As a file, this can be stored in directories, copied via unmodified https or gsiftp channels and easily manipulated by scripts and applications.
  - Sysadmins want disk filesystem ACL's on the same physical disk as the files if possible (or managed off-site!)
- Implementing ACL's also solves some other Grid vs Unix issues that emerged with the Testbed:
  - eg per-UID tape storage: can store all tape files under one UID but associate an ACL with each file and use that.
- Clearly, this isn't a recognised standard, and we could go to, say, a subset of XACML: however, things like filesystems are very performance sensitive.

Current ACL format

Example .gacl file from the slide (only its text values survive in this transcript; the XML element markup around them did not):
- ldap://ldap.abc.ac.uk/ou=xyz,dc=abc,dc=ac,dc=uk
- /O=Grid/OU=abc.ac.uk/DN=AbcVOMS
- Abc readers
- /O=Grid/DN=Andrew

Grid ACL vs fine-grained VO: CAS, VOMS etc
- CAS or VOMS provides an ACL-like feature of specifying what capability (eg write) is permissible on an object (eg higgs-wg-montecarlo).
  - (If using lots of subgroups within an LDAP VO, could achieve much the same thing: eg define a group of people in higgs-wg-montecarlo-write)
- In some cases, this could be used to provide ACL functionality.
- However, we think this is too coarse-grained and too heavyweight for all contexts
  - eg if my job creates a temporary working directory in /grid/tmp, I don't want to have to set up a new entry on the central CAS or VOMS machine
- The two types of system should be seen as complementary
  - when you create some Higgs Monte Carlo data, you set its ACL to give write access to people holding the "higgs-wg-montecarlo-admin" credential.
  - applications should "find their own level" when splitting policy between local ACL's and a VO-wide authorisation service

GACL library
- XML ACL format not finalised, but we have several products in use which need to use it: GridSite; SlashGrid; and the EDG Storage Element.
- ACL will almost certainly change again in the future, and may need to understand different ACL's (eg XACML?) from other projects.
- Insulate ourselves from this by putting the ACL handling functions into a standalone library, and make this understand the current XML.
- Handles read/list/write ACL's in a reasonably general way
  - packs C structs and linked lists with their contents
  - provides access functions to manipulate the structs as new types.
- Despite the current C implementation, the API is readily translatable to object-orientated languages
  - Java API and implementation being produced
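To make the "Current ACL's" and "GACL library" slides concrete, here is an added example of an evaluator for a per-directory XML ACL of the kind described: given a .gacl document and the credentials a request presents, it returns the set of permissions granted. This is not the GACL library itself, and the element names (gacl, entry, person/dn, dn-list/url, voms/fqan, any-user, allow/deny with read, list, write, admin) follow the GridSite GACL convention as the author of this example remembers it; the January 2003 format on the slide may differ in detail. The evaluation semantics are also assumptions: all credentials inside one entry must be held for the entry to apply, permissions from all applicable entries are unioned, a deny in any applicable entry overrides an allow elsewhere, and an unknown credential type never matches. The sample ACL reuses the LDAP URL, VO/group and DN from the slide but its structure is constructed.

```python
"""GACL-style ACL evaluation, written as an added example (not the GACL library)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Set

PERMS = ("read", "list", "write", "admin")


@dataclass(frozen=True)
class Credentials:
    """What a request has proven about itself before the ACL is consulted."""
    dn: str
    fqans: FrozenSet[str] = frozenset()     # VOMS group credentials, eg "/Abc/readers"
    dn_lists: FrozenSet[str] = frozenset()  # URLs of DN lists the caller has already
                                            # fetched and confirmed contain this DN


def _matches(cred: ET.Element, creds: Credentials) -> bool:
    """Does one credential element in an entry match the presented credentials?"""
    if cred.tag == "any-user":
        return True
    if cred.tag == "person":
        return cred.findtext("dn", "").strip() == creds.dn
    if cred.tag == "voms":
        return cred.findtext("fqan", "").strip() in creds.fqans
    if cred.tag == "dn-list":
        return cred.findtext("url", "").strip() in creds.dn_lists
    return False  # unknown credential type: fail closed rather than guess


def evaluate(gacl_xml: str, creds: Credentials) -> Set[str]:
    """Return the permissions granted by the ACL to these credentials."""
    root = ET.fromstring(gacl_xml)  # raises ET.ParseError on malformed input
    if root.tag != "gacl":
        raise ValueError(f"expected <gacl> root, got <{root.tag}>")
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for entry in root.findall("entry"):
        cred_elems = [c for c in entry if c.tag not in ("allow", "deny")]
        # An entry with no credential element grants nothing; with several, all must match.
        if not cred_elems or not all(_matches(c, creds) for c in cred_elems):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMS)
    return allowed - denied  # a deny anywhere beats an allow anywhere


def permitted(gacl_xml: str, creds: Credentials, action: str) -> bool:
    """Convenience check for one action ("read", "list", "write" or "admin")."""
    if action not in PERMS:
        raise ValueError(f"unknown action {action!r}")
    return action in evaluate(gacl_xml, creds)


# Constructed sample .gacl: values taken from the slide, structure assumed.
# (The VOMS server DN shown on the slide is omitted in this simplified form.)
SAMPLE_GACL = """<gacl>
  <entry>
    <dn-list><url>ldap://ldap.abc.ac.uk/ou=xyz,dc=abc,dc=ac,dc=uk</url></dn-list>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <voms><fqan>/Abc/readers</fqan></voms>
    <allow><read/></allow>
  </entry>
  <entry>
    <person><dn>/O=Grid/DN=Andrew</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <person><dn>/O=Grid/DN=Banned</dn></person>
    <deny><read/></deny>
  </entry>
</gacl>"""
```

A request that only carries a DN and appears in no entry gets an empty set, which is the safe default for a filesystem or web server. The deny entry shows why "union then subtract" matters: a user listed in the LDAP group still loses read access when an explicit deny names their DN.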

LCAS / LCMAPS site access
- LCAS provides site-specific callouts to check authorisation based on user identity, what is requested, quotas, free slots in the batch system etc.
  - currently implemented as a patched Globus gatekeeper, plus plugins to enforce policies
  - allows sites to implement complex, locally defined rules for access, including locally written extensions to check site-specific features (eg load on a locally written tape-library service)
  - some of this functionality will also be provided by the recent Globus proposal for authorisation callouts (but currently limited to yes/no on identity?)
- LCMAPS manages the current mappings of Grid to local identity
  - makes this available to other local site components
  - important when not just using a simple, shared grid-mapfile for mapping
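As an added illustration of the division of labour on this slide (not the EDG LCAS/LCMAPS code), the following models the two roles: an LCAS-like chain of site-written plugins that each return an allow/deny decision with a reason and are evaluated in order, fail-closed, with the reasons kept as an audit trail; and an LCMAPS-like mapper that turns the authorised Grid identity into a local account and keeps the current mapping table where other site components can consult it. The plugin names, the request fields, the VO-to-pool table and all sample values are constructed for this example.

```python
"""LCAS/LCMAPS-style authorisation chain and identity mapping, added as an example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    dn: str
    fqans: Tuple[str, ...]  # VOMS-style group credentials presented with the job
    queue: str              # batch queue the job asks for
    cpu_hours: float        # requested CPU time


@dataclass
class SiteState:
    """Local facts the plugins consult; constructed, not read from a real site."""
    banned_dns: Set[str]
    free_slots: Dict[str, int]        # per batch queue
    quota_used: Dict[str, float]      # CPU-hours consumed per DN this accounting period
    quota_limit: float
    tape_load: float                  # 0..1, reported by the site's tape-library service
    mappings: Dict[str, str] = field(default_factory=dict)  # LCMAPS table: dn -> account


Decision = Tuple[bool, str]
Plugin = Callable[[Request, SiteState], Decision]


def ban_list(req: Request, site: SiteState) -> Decision:
    banned = req.dn in site.banned_dns
    return (not banned, "identity on site ban list" if banned else "identity ok")


def free_slots(req: Request, site: SiteState) -> Decision:
    n = site.free_slots.get(req.queue, 0)
    return (n > 0, f"{n} free slots in queue {req.queue}")


def quota(req: Request, site: SiteState) -> Decision:
    used = site.quota_used.get(req.dn, 0.0)
    ok = used + req.cpu_hours <= site.quota_limit
    return (ok, f"quota {used:g}+{req.cpu_hours:g} of {site.quota_limit:g} CPU-hours")


def tape_load(req: Request, site: SiteState) -> Decision:
    """Site-specific extension: refuse tape-queue jobs while the library is saturated."""
    if req.queue != "tape":
        return (True, "not a tape job")
    return (site.tape_load < 0.9, f"tape library load {site.tape_load:.2f}")


class LCAS:
    def __init__(self, plugins: List[Plugin]) -> None:
        self.plugins = plugins

    def authorise(self, req: Request, site: SiteState) -> Tuple[bool, List[str]]:
        """Run plugins in order; the first deny or crash ends the chain with a refusal."""
        trail: List[str] = []
        for plugin in self.plugins:
            try:
                ok, why = plugin(req, site)
            except Exception as exc:  # a broken plugin must not become an allow
                trail.append(f"{plugin.__name__}: ERROR {exc!r}")
                return False, trail
            trail.append(f"{plugin.__name__}: {'allow' if ok else 'DENY'} ({why})")
            if not ok:
                return False, trail
        return True, trail


class LCMAPS:
    def __init__(self, vo_pools: Dict[str, List[str]]) -> None:
        self.vo_pools = vo_pools  # VO name -> ordered list of pool accounts

    def map_identity(self, req: Request, site: SiteState) -> Optional[str]:
        """Reuse the DN's current mapping, else lease a free account for its VO."""
        if req.dn in site.mappings:
            return site.mappings[req.dn]
        in_use = set(site.mappings.values())
        for fqan in req.fqans:
            vo = fqan.strip("/").split("/")[0]  # "/atlas/production" -> "atlas"
            for acct in self.vo_pools.get(vo, []):
                if acct not in in_use:
                    site.mappings[req.dn] = acct
                    return acct
        return None


def gatekeeper(req: Request, site: SiteState, lcas: LCAS,
               lcmaps: LCMAPS) -> Tuple[Optional[str], List[str]]:
    """Authorise first, map second; return (local account or None, audit trail)."""
    ok, trail = lcas.authorise(req, site)
    if not ok:
        return None, trail
    acct = lcmaps.map_identity(req, site)
    trail.append(f"lcmaps: {req.dn} -> {acct}" if acct else
                 "lcmaps: DENY (no local account for the presented credentials)")
    return acct, trail
```

Because the mapping table lives in the shared `SiteState` rather than being recomputed from a grid-mapfile, a storage service or batch system at the site can ask which DN an account currently belongs to, which is the point the slide makes about LCMAPS.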


Summary
- Most of the concerns of Testbed site admins are being addressed
- LDAP VO system is currently sufficient, but VOMS or CAS would be more flexible and scalable.
- Pool accounts are useful but limited by UID file ownership issues.
- SlashGrid / certfs provides a solution to this.
- Virtual container filesystems also possible via SlashGrid.
- GridSite provides a way of controlling access via Grid credentials.
- GACL library provides API for handling Grid ACL's
- LCAS/LCMAPS allows flexible, locally configurable site policies
- See for links to source code and details of all tools mentioned in this talk