Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester.

Slides:

Advertisements

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

Advertisements

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

The GridSite Security Framework Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:

BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file grid “ping”

Andrew McNab - Manchester HEP - 29 January 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - SlashGrid, HTTPS, fileGridSite SlashGrid, HTTPS and fileGridSite 30 October 2002 Andrew McNab, University of Manchester

IOS110 Introduction to Operating Systems using Windows Session 8 1.

BaBar MC production BaBar MC production software VU (Amsterdam University) A lot of computers EDG testbed (NIKHEF) Jobs Results The simple question:

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues

The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester.

Andrew McNab - Access Control - 28 May 2002 Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester.

EU DataGrid (EDG) & GridPP Authorization and Access Control User VOMS C CA 2. certificate dn, ca, key 1. request 3. certificate 4. VOMS cred: VO, groups,

Andrew McNabETF Firewall Meeting, NeSC, 5 Nov 2002Slide 1 Firewall issues for Globus 2 and EDG Andrew McNab High Energy Physics University of Manchester.

Author - Title- Date - n° 1 Partner Logo WP5 Summary Paris John Gordon WP5 6th March 2002.

Andrew McNab - GridSite/EDG/GGF - 29 Sept 2003 GridSite, EDG and GGF Andrew McNab, University of Manchester

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.

Andrew McNab - Security - 1 July 2003 Security: Authorization, Access Control and Usage Control Andrew McNab, University of Manchester

Chapter 10: Rights, User, and Group Administration.

3-Jul-02D.P.Kelsey, Security1 Security meetings Report to EDG PTB 3 Jul 2002 David Kelsey CLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.

Andrew McNab - Manchester HEP - 11 May 2001 Packaging / installation Ready to take globus from prerelease to release. Alex has prepared GSI openssh.

Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.

Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.

Andrew McNab - EDG Access Control - 4 Dec 2002 EDG Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of.

Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.

OSG AuthZ components Dane Skow Gabriele Carcassi.

A user-friendly approach to grid security Bruce Beckles University of Cambridge Computing Service A user-friendly approach to grid security “Grid ‘security’?

Andrew McNabGrid in 2002, Manchester HEP, 7 Jan 2003Slide 1 Grid Work in 2002 Andrew McNab High Energy Physics University of Manchester.

Andrew McNab - EDG Access Control - 17 Jun 2003 EU DataGrid and GridPP Authorization and Access Control Andrew McNab, University of Manchester

GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania.

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University.

Andrew McNab - Security issues - 4 Mar 2002 Security issues for TB1+ (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University.

Andrew McNab - Globus Distribution for Testbed 1 Globus Distribution for Testbed 1 Andrew McNab, University of Manchester

Security Middleware Andrew McNab University of Manchester.

Ákos FROHNER – DataGrid Security n° 1 Security Group TODO

Initiating Teragrid Sessions Raghu Reddy. Outline Motivation Initial Setup –Certificates –Proxies –Grid-map file entries and DNs Softenv for customizing.

LHCb Grid MeetingLiverpool, UK GRID Activities Glenn Patrick Not particularly knowledgeable-just based on attending 3 meetings.  UK-HEP.

Storage Element Security Jens G Jensen, WP5 Barcelona, May 2003.

Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.

Andrew McNabSlashGrid/GFS BOF, GGF9, 7 Oct 2003Slide 1 SlashGrid = “/grid” Andrew McNab High Energy Physics University of Manchester

GridSite status Andrew McNab University of Manchester.

INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.

Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.

Classic Storage Element

A user-friendly approach to grid security

Chapter 2: Operating-System Structures

Chapter 2: Operating-System Structures

Presentation transcript:

Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester

Andrew McNab - Dynamic Accounts - 2 July 2002 Outline u What we do in TB 1.2 u Dynamic Accounts details u SlashGrid u UID to DN map in SlashGrid u DN-based home directories u What we could do in TB1.3 u Benefits of using ACL’s u Grid ACL vs VoMS/CAS u Get rid of “UID domains”? u Certfs as native “container” hosting environment

Andrew McNab - Dynamic Accounts - 2 July 2002 What we do in TB1.2 u VO authorisation provided by LDAP VO services u mkgridmap used to periodically constructs grid-mapfile n entries have “.” as local user to invoke Dynamic Accounts patch u When a job or gsiftp session comes in, patched gridmap.c associates user’s DN with one of the pool of Dynamic Accounts. u Dynamic Accounts have Unix group membership, quotas etc set by local admin in normal way. u For jobs, Globus passes job to PBS etc. and the job is executed on a worker node as the pool user, using normal Unix permissions. u Home directories and grid-map files are NFS-shared n the delegated user proxy is accessible through this.

Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts details u Auditing possible since all DN=>UID mappings recorded in log files. u Same pool mappings are shared across a farm by sharing gridmapdir of lock files with NFS. u Existing system works ok for CPU+tmpfile only jobs. u But, all files owned by Unix UID of the Dynamic Account. u This means we cannot trivially recycle Dynamic Accounts n need to make sure all files they own are deleted when recycled n current Testbed sites only recycle accounts when they reinstall u Lack of recycling ok while Testbed is small, but want to be able to scale this all up, and leave it running for months/years on end n so will need recycling at some point

Andrew McNab - Dynamic Accounts - 2 July 2002 SlashGrid (“/grid”) u A framework for creating “Grid-aware” filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. n Source, binaries and API notes: n RPM’s in datagrid.in2p3.fr repository work on RedHat 6.2, 7.x and can cope with you doing a Linux kernel build on a SlashGrid filesystem. u certfs.so plugin provides local storage governed by Access Control Lists based on DN’s, stored in a cache: /var/spool/slashgrid/grid u Since most ACL’s would have just one entry, this is equivalent to file ownership by DN rather than UID. n solves admin worries about long lived files owned by dynamic accounts. n if dynamic accounts are prevented from writing to normal disks, then no chance they will write something unpleasant somewhere unexpected.

Andrew McNab - Dynamic Accounts - 2 July 2002 UID to DN map in SlashGrid u This is done using gridmap mechanism if possible. n Uses standard Globus call / shared library, so local choice of Dynamic Accounts is used. n Since Testbed sites share grid-mapfile/gridmapdir via NFS, can access this on worker nodes. n Doesn’t rely on a credential a user process could fake (eg nominating someone else’s proxy in their home directory.) u If this fails, then a proxy /tmp/x509up_uNNN created by grid-proxy-init is looked for. n This allows interactive use of SlashGrid filesystems.

Andrew McNab - Dynamic Accounts - 2 July 2002 DN-based home directories u gmapfs plugin provides a virtual directory apparently populated with symbolic links. u gridmap mechanism used to derive mappings. u The links map usernames to url-encoded directory names n /grid/gmap/gpool023 -> /grid/home/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew%20McNab u This means Unix passwd file can list fixed home directories for Dynamic Accounts. u But the symbolic links will change in step with DN to UID mapping. u SlashGrid can work on top of NFS, so can use NFS-shared root- owned /var/spool/slashgrid/grid u SlashGrid daemon on the node maps this onto /grid, subject to ACL’s.

Andrew McNab - Dynamic Accounts - 2 July 2002 What we could do in TB1.3 u LDAP VO services / mkgridmap still used to construct grid-mapfile u When a job or gsiftp session comes in, patched gridmap.c still associates user’s DN with one of the pool of Dynamic Accounts. n gridmap.c creates home directory for user’s DN if doesn’t already exist. u Dynamic Accounts have no particular Unix group membership etc. u Job files etc created in home directory like /grid/home/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew%20McNab u Globus passes job to PBS etc. and the job is executed on a worker node as the pool user. u User can read home directory, since SlashGrid can see the mapping in gridmap via NFS, and can access the underlying cache via NFS. u All files created are owned by the DN not the UID.

Andrew McNab - Dynamic Accounts - 2 July 2002 Benefits of using ACL’s u SlashGrid/certfs means we can replace UID ownership with DN ownership, but get other benefits too. u GACL library used to manipulate XML ACL’s. u This ACL format let’s you specify permissions individually: read, list, write, admin (= modify ACL) u … and different credentials such as VO groups or VoMS attributes in addition to user DN’s. u This means you can give read or write permission to groups of people, at the directory level. n (Intend to support file specific ACL’s in the future.)

Andrew McNab - Dynamic Accounts - 2 July 2002 Grid ACL vs VoMS/CAS u CAS provides ACL-like feature of specifying what action (eg write) is permissible on an object (eg tau-wg-montecarlo). u (If using lots of subgroups within a VO, could achieve much the same thing: eg define a group of people in tau-wg-montecarlo-write) u In some cases, this could be used to provide ACL functionality. u However, it is too coarse grained and too heavyweight for all contexts n eg if my job creates a temporary, working directory in /grid/tmp, I don’t want to setup a new entry on the central CAS machine to control this. u The two systems should be seen as complementary n when you create some tau Monte Carlo, put it somewhere the ACL gives write access for people with “tau-wg-montecarlo write.”) n when you just create a temporary directory, the ACL defaults to just the creator having admin access.

Andrew McNab - Dynamic Accounts - 2 July 2002 Future: get rid of “UID domains”? u Each testbed site currently constitutes a “UID domain” in which DN=>UID mappings must be consistent on all machines. n Currently achieved by sharing grid-mapfile or gridmapdir by NFS (or replicating with LCFG) u This arises from two major components: n NFS sharing of disks. n Local batch (usually PBS) by default assumes same UID on front and backend machines. u Would simplify recycling of pool accounts on gatekeeper if didn’t need to maintain this consistency: n gatekeeper would just allocate a pool UID which had no processes already running n if use “gsiftpfs” instead of NFS, then DN=>UID mappings done dynamically on SE etc too - getting rid of NFS is a worthy goal in its own right. n but, would need to configure / modify PBS etc to dynamically allocate a UID on backend node and copy proxy?

Andrew McNab - Dynamic Accounts - 2 July 2002 Certfs as container hosting environment u Some of the OGSA discussions make distinction between simple (eg native Linux) and container (eg Java or.NET) hosting environments. u The original motivation for “in a box” environments is security. u OGSA interest is in creating new services dynamically: this is easier if services are “in a box” to start with. u Certfs is motivated by desire to keep users from making long lived UID-owned files. u However, it is also a step towards the kind of dynamic environments OGSA talks about. u Is the answer to our concerns about security and our desire for flexible, dynamic services, to make Unix UID’s as transitory as Process Group ID’s?

Andrew McNab - Dynamic Accounts - 2 July 2002 Summary u Most of the concerns of admins are being addressed to some extent. u Current VO system is probably sufficient, but CAS would be more flexible. u Pool accounts are useful but limited by UID file ownership issues. u SlashGrid / certfs intended to provide solution to this. u Defining a Grid ACL format deals with other issues too. u Do this in XML: what format? u GACL library provides API for handling whatever is decided. u How far can we go towards make UID’s purely transitory?