1 Security recommendations DPM
Jean-Philippe Baud, CERN/IT

2 EMI INFSO-RI-261611 17/09/2010 Security recommendations DPM, EGI TF, Amsterdam
Introduction
Disk Pool Manager (DPM)
– Manages storage on disk servers
– SRM support (1.1, 2.1 and 2.2)
– rfio, gridftp, http(s), xroot
– NFS 4.1 interface under development
Deployment status
– ~200 DPMs in production
– 70 VOs supported

3 Architecture
[Architecture diagram. Labels: "Very important to backup !" on the database, which holds the Namespace, Authorization, Replicas, DPM config and All requests (SRM, transfers…); disk servers "Store physical files"; "Standard Storage Interface" in front; "Data" and "Control" paths; "Can all be installed on a single machine".]

4 Starting/Stopping services
General pattern:
– service <name> start|stop|restart|status
Head node:
– dpm
– dpnsdaemon
– srmv1, srmv2, srmv2.2
– dpm-manager-xrd, dpm-manager-cms (optional xrootd)
Disk nodes:
– globus-gridftp-server
– rfiod
– dpm-xrd, dpm-cms (optional xrootd)
– dpm-httpd (optional http(s))

5 Log files (1)
The services log to local log files:
– DPM server: /var/log/dpm/log
– DPM Name Server: /var/log/dpns/log
– SRM servers: /var/log/srmv1/log, /var/log/srmv2/log, /var/log/srmv2.2/log
– RFIO server: /var/log/rfiod/log
– DPM-enabled GridFTP: /var/log/dpm-gsiftp/gridftp.log, /var/log/dpm-gsiftp/dpm-gsiftp.log
– Optional web server (Apache); errors also in syslog: /var/log/dpm-httpd/access, /var/log/dpm-httpd/errors
– Optional xrootd: /var/log/xrootd/log, /var/log/olbd/log

6 Log files (2)
Log format (one DPNS lstat request and its result):
– 04/13 13:24:30 29576,0 Cns_srv_lstat: NS092 - lstat request by /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=baud/CN=373165/CN=Jean-Philippe Baud (101,101) from lxbra2301.cern.ch
– 04/13 13:24:30 29576,0 Cns_srv_lstat: NS098 - lstat 0 /dpm/cern.ch/home/dteam/baud
– 04/13 13:24:30 29576,0 Cns_srv_lstat: returns 0
Fields: date, time, pid,thread, server function, message. The request line carries the client DN, its virtual (uid,gid) and the client host, which is what an audit needs to attribute an operation.
Important messages to look for:
– "timeout"
– "Csec", "is banned"
– "error:" and "error :"
– Number of threads in use
Log files are rotated daily, keeping the last 90 days.
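The following scanner is an added example (not DPM code and not part of the presentation) that applies the two points of this slide: it parses lines in the format shown above, flags the strings the slide says to look for, and attributes request lines to client DN and host so that one DN appearing from many hosts stands out. The three slide lines are reused as input; every other log line is constructed for the demonstration.

```python
"""Scan DPNS/DPM log lines for the messages the slide says to watch for.

Added example, not code from DPM or from the presentation. Line layout as on
the slide: "MM/DD HH:MM:SS pid,thread function: message", with request
messages "NSnnn - <op> request by <DN> (<uid>,<gid>) from <host>".
All sample lines except the three copied from the slide are constructed.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<pid>\d+),(?P<tid>\d+) (?P<func>\S+): (?P<msg>.*)$"
)
REQUEST_RE = re.compile(
    r"^(?P<code>NS\d+) - (?P<op>\S+) request by (?P<dn>.+?) "
    r"\((?P<uid>\d+),(?P<gid>\d+)\) from (?P<host>\S+)$"
)
# Strings the slide lists as important, matched case-insensitively.
WATCH_PATTERNS = ("timeout", "Csec", "is banned", "error:", "error :")


def parse_line(line):
    """Split one log line into its fields; None if it does not fit the format.

    For a request line the parsed request (operation, DN, virtual uid/gid,
    client host) is attached under the key "request".
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    req = REQUEST_RE.match(rec["msg"])
    if req:
        rec["request"] = req.groupdict()
    return rec


def audit(lines):
    """Summarise log lines.

    flagged       list of (pattern, line) for lines containing a watch string
    by_dn         Counter of requests per client DN
    by_host       Counter of requests per client host
    hosts_per_dn  dict DN -> set of client hosts that DN was seen from
    unparsed      non-empty lines that did not match the expected format
    """
    flagged, unparsed = [], []
    by_dn, by_host = Counter(), Counter()
    hosts_per_dn = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        msg = rec["msg"].lower()
        hit = next((p for p in WATCH_PATTERNS if p.lower() in msg), None)
        if hit:
            flagged.append((hit, line))
        req = rec.get("request")
        if req:
            by_dn[req["dn"]] += 1
            by_host[req["host"]] += 1
            hosts_per_dn.setdefault(req["dn"], set()).add(req["host"])
    return {"flagged": flagged, "by_dn": by_dn, "by_host": by_host,
            "hosts_per_dn": hosts_per_dn, "unparsed": unparsed}


SAMPLE_LOG = [
    # The three lines shown on the slide.
    "04/13 13:24:30 29576,0 Cns_srv_lstat: NS092 - lstat request by /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=baud/CN=373165/CN=Jean-Philippe Baud (101,101) from lxbra2301.cern.ch",
    "04/13 13:24:30 29576,0 Cns_srv_lstat: NS098 - lstat 0 /dpm/cern.ch/home/dteam/baud",
    "04/13 13:24:30 29576,0 Cns_srv_lstat: returns 0",
    # Constructed lines: a request from a banned DN, an authentication
    # failure, a second host for the same DN, a timeout and a generic error.
    "04/13 13:25:01 29576,1 Cns_srv_mkdir: NS092 - mkdir request by /DC=org/DC=example/CN=mallory (102,101) from wn42.example.org",
    "04/13 13:25:01 29576,1 Cns_srv_mkdir: user /DC=org/DC=example/CN=mallory is banned",
    "04/13 13:25:01 29576,1 Cns_srv_mkdir: returns 1",
    "04/13 13:26:10 29576,2 Cns_srv_stat: Csec: client authentication failed from wn42.example.org",
    "04/13 13:27:00 29576,3 Cns_srv_opendir: NS092 - opendir request by /DC=org/DC=example/CN=mallory (102,101) from wn43.example.org",
    "04/13 13:27:05 29576,3 Cns_srv_opendir: timeout waiting for the database",
    "04/13 13:28:00 29576,4 Cns_srv_lstat: error: unexpected condition",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for pattern, line in result["flagged"]:
        print(f"[{pattern}] {line}")
    for dn, hosts in result["hosts_per_dn"].items():
        print(f"{result['by_dn'][dn]} request(s) by {dn} from {sorted(hosts)}")
```

On a real node the same function takes the open file (`audit(open("/var/log/dpns/log"))`); the one-line equivalent of the flagging step at the shell is `grep -iE 'timeout|csec|is banned|error ?:' /var/log/dpns/log`. The per-DN host set is the part grep does not give you.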

7 Service ports
– dpnsdaemon (5010): DPM name service for the hierarchical namespace and metadata
– dpm (5015): storage management, proprietary protocol
– srmv1 (8443), srmv2 (8444), srmv2.2 (8446): storage management, web service protocols over httpg (secure)
– rfio (5001, 20000-25000): file access protocol
– gridftp (2811, 20000-25000): grid file transfer protocol
– http(s) (80, 443): HTTP(S) file access protocol (optional)
– xroot (1094, 1095): xroot file access protocol (optional)
– ldap (2170): standard BDII GIP
IPv6 support
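A practical use of this port table is to verify that a node exposes only what its role needs. The check below is an added example, not DPM code: it takes the port numbers from this slide and the head-node/disk-node split from the "Starting/Stopping services" slide, parses `ss -lnt` output and reports required services that are not listening, unexpected listeners, and optional services that are active. Assumptions, not stated on the slides: xrootd is optional on either node type, the BDII (ldap 2170) lives on the head node, and sshd (22) is the only non-DPM listener tolerated. The `ss` output is constructed.

```python
"""Check that a DPM node listens only on the TCP ports expected for its role.

Added example, not DPM code. Ports from the "Service ports" slide; role split
from the "Starting/Stopping services" slide. Assumptions: xrootd optional on
both node types, BDII on the head node, sshd the only baseline listener.
The `ss -lnt` samples below are constructed.
"""
import re

# service -> (ports, optional)
HEAD_NODE = {
    "dpnsdaemon": ({5010}, False),
    "dpm": ({5015}, False),
    "srmv1": ({8443}, False),
    "srmv2": ({8444}, False),
    "srmv2.2": ({8446}, False),
    "xrootd": ({1094, 1095}, True),
    "bdii": ({2170}, True),
}
DISK_NODE = {
    "rfiod": ({5001}, False),
    "gridftp": ({2811}, False),
    "dpm-httpd": ({80, 443}, True),
    "xrootd": ({1094, 1095}, True),
}
DATA_RANGE = range(20000, 25001)   # passive data ports for rfio and gridftp
BASELINE = frozenset({22})         # non-DPM listeners tolerated on any node

SS_LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_ss(output):
    """Return the set of local TCP ports from `ss -lnt` output."""
    ports = set()
    for line in output.splitlines():
        m = SS_LISTEN.match(line.strip())
        if m:
            local = m.group(1)      # "*:5010", "0.0.0.0:5010" or "[::]:5010"
            ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def audit_ports(profile, listening, baseline=BASELINE):
    """Compare the listening ports with a role profile.

    missing          required services with none of their ports listening
    unexpected       listening ports not explained by a service, the data
                     range or the baseline
    optional_active  optional services that are listening
    """
    expected = set(baseline)
    missing, optional_active = [], []
    for name, (ports, optional) in profile.items():
        expected |= ports
        active = bool(ports & listening)
        if optional and active:
            optional_active.append(name)
        elif not optional and not active:
            missing.append(name)
    unexpected = sorted(p for p in listening
                        if p not in expected and p not in DATA_RANGE)
    return {"missing": sorted(missing), "unexpected": unexpected,
            "optional_active": sorted(optional_active)}


# Constructed head-node output: srmv2 (8444) is down and the database port
# 3306 is bound on all interfaces, which no DPM client needs.
SAMPLE_SS_HEAD = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*
LISTEN 0      128    *:5010              *:*
LISTEN 0      128    *:5015              *:*
LISTEN 0      128    *:8443              *:*
LISTEN 0      128    *:8446              *:*
LISTEN 0      50     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    *:21234             *:*
"""

# Constructed disk-node output with the optional https server enabled.
SAMPLE_SS_DISK = """\
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    *:2811              *:*
LISTEN 0      128    *:5001              *:*
LISTEN 0      128    *:443               *:*
"""

if __name__ == "__main__":
    print("head node:", audit_ports(HEAD_NODE, parse_ss(SAMPLE_SS_HEAD)))
    print("disk node:", audit_ports(DISK_NODE, parse_ss(SAMPLE_SS_DISK)))
```

For a live check, feed the function the output of `ss -lnt` on the node (`audit_ports(HEAD_NODE, parse_ss(subprocess.check_output(["ss", "-lnt"], text=True)))`). A head node that also hosts a disk pool, which the architecture slide allows, is audited with the union of the two profiles.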

8 Authentication/Authorization
Authentication
– X509 proxies with or without VOMS extension
– Handled by 2 plugins: Csec and cgsi
Authorization
– Virtual ids: DNs are mapped to virtual uids when first seen; FQANs are mapped to virtual gids when first seen
– ACLs on: name space entries (POSIX), disk pools, dedicated spaces
– Privileged operations (pool creation, filesystem drain, …) can only be triggered by the superuser on trusted hosts
– Physical files are owned by 'dpmmgr'
Files could be on centrally managed Worker Nodes

9 Configuration files
Most of the configuration parameters are kept in the DB:
– Disk pool attributes, filesystem statuses …
sysconfig files:
– DPNS_HOST and DPM_HOST
– ALLOW_COREDUMP
– Log file locations
DB connect strings (these hold the database credentials; keep them readable by the service account only):
– /opt/lcg/etc/NSCONFIG, /opt/lcg/etc/DPMCONFIG
/etc/shift.conf:
– Trusted hosts: DPNS TRUST …, DPM TRUST …, RFIO TRUST …
– RFIO options (buffer sizes)

10 Banning
– Requests are rejected if any of the DN, CA, VO or primary FQAN attributes is banned
– Requests whose proxy includes a banned secondary FQAN are allowed to proceed as if that FQAN had not been present in the proxy
– The banning information is cached in the DPNS DB for fast access
– Banning can be done in 2 ways:
  – The sysadmin can use dpns-modifyusrmap and dpns-modifygrpmap
  – A cron job can query the Argus service and automatically update the DPNS DB
– Banning is part of DPM 1.8.0
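The two rules on this slide (reject on a banned DN, CA, VO or primary FQAN; silently drop a banned secondary FQAN) are precise enough to write down. The function below is an added illustration of exactly those rules, not DPM code and not the tools named on the slide. It assumes a credential is the client DN, the issuing CA's DN and the ordered FQAN list from the proxy (first entry primary, empty when the proxy has no VOMS extension), and that the VO is the first path component of the primary FQAN, the usual VOMS layout. The ban list contents are made up.

```python
"""Apply the banning rules from the slide to a presented credential.

Added illustration, not DPM code. Assumptions: the FQAN list is ordered with
the primary FQAN first (empty for a proxy without VOMS extension); the VO
name is the first path component of the primary FQAN. All names in the
sample ban list are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BanList:
    dns: frozenset = frozenset()    # banned client DNs
    cas: frozenset = frozenset()    # banned certificate authorities
    vos: frozenset = frozenset()    # banned VOs
    fqans: frozenset = frozenset()  # banned FQANs (primary or secondary)


def vo_of(fqan):
    """'/dteam/Role=NULL/Capability=NULL' -> 'dteam' (assumed VOMS layout)."""
    return fqan.strip("/").split("/", 1)[0]


def evaluate(dn, ca, fqans, bans):
    """Return (accepted, effective_fqans, reason).

    Rejected outright: banned DN, CA, VO or primary FQAN.
    A banned secondary FQAN is dropped and the request proceeds as if the
    proxy had not carried it.
    """
    if dn in bans.dns:
        return False, [], "DN is banned"
    if ca in bans.cas:
        return False, [], "CA is banned"
    if not fqans:
        return True, [], "accepted (no VOMS extension)"
    primary = fqans[0]
    if vo_of(primary) in bans.vos:
        return False, [], "VO is banned"
    if primary in bans.fqans:
        return False, [], "primary FQAN is banned"
    effective = [primary] + [f for f in fqans[1:] if f not in bans.fqans]
    return True, effective, "accepted"


# Constructed ban list for the demonstration.
SAMPLE_BANS = BanList(
    dns=frozenset({"/DC=org/DC=example/CN=mallory"}),
    cas=frozenset({"/DC=org/DC=example/CN=Compromised CA"}),
    vos=frozenset({"badvo"}),
    fqans=frozenset({"/dteam/Role=lcgadmin", "/atlas/Role=production"}),
)

if __name__ == "__main__":
    good_ca = "/DC=org/DC=example/CN=Example CA"
    alice = "/DC=org/DC=example/CN=alice"
    cases = [
        (alice, good_ca, ["/dteam/Role=NULL/Capability=NULL"]),
        ("/DC=org/DC=example/CN=mallory", good_ca, ["/dteam/Role=NULL"]),
        (alice, "/DC=org/DC=example/CN=Compromised CA", ["/dteam/Role=NULL"]),
        (alice, good_ca, ["/badvo/Role=NULL"]),
        (alice, good_ca, ["/dteam/Role=lcgadmin", "/dteam/Role=NULL"]),
        (alice, good_ca, ["/dteam/Role=NULL", "/atlas/Role=production",
                          "/dteam/Role=pilot"]),
    ]
    for dn, ca, fqans in cases:
        print(dn, fqans, "->", evaluate(dn, ca, fqans, SAMPLE_BANS))
```

The last case is the one worth remembering when reading logs: a proxy carrying a banned FQAN in second position is not rejected, so the request appears as a normal one from the primary FQAN's group.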

11 Documentation
https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm
– User documentation
– Admin documentation
– Roadmap
– Source code
– Current version number
https://svnweb.cern.ch/trac/lcgdm/wiki/Dpm#Presentations
– Tutorials
http://www.gridpp.ac.uk/wiki/Disk_Pool_Manager
