Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kerberos token renewal & HTCondor

Published byClaude Hamilton Modified over 6 years ago

Similar presentations

Presentation on theme: "Kerberos token renewal & HTCondor"— Presentation transcript:

1

2 Kerberos token renewal & HTCondor
Ben Jones HTCondor & Kerberos

3 Why do we need token renewal?
Broadly speaking, there are two submission methods for batch compute at CERN Grid submissions (no need for kerberos) Local submissions Local submissions have always relied on AFS for shared storage – AFS means AFS tokens (and more or less means kerberos too) Kerberos / AD ticket renewal policy doesn’t match job queue + run length 24h tokens renewable for 7 days HTCondor & Kerberos

4 Wait… isn’t CERN deco’ing AFS?!
Migration away from AFS driven by concern at health of upstream project releases, mail traffic, conferences, associated companies no new features like IPv6, DES ecosystem – little beyond two companies Slow migration – goal is no critical AFS deps by LHC Run 3 (2020+) No perfect drop-in replacement EOS for most data (via FUSE + CERNBox) Perhaps for $HOME on LXPLUS HTCondor & Kerberos

5 Other uses for tokens General purpose kerberos token & imaginative users == lots of kerberos dependencies One dependency we plan for: EOS FUSE uses kerberos tokens Others include other storage services, and any other service in CERN Even self contained user groups, such as ATLAS Tier-0 don’t understand all kerberos dependencies HTCondor & Kerberos

6 Compute workflow Desktop LXPLUS LXBatch (interactive) Remote AFS
HTCondor & Kerberos

7 Compute workflow Desktop LXPLUS LXBatch (interactive) Remote AFS
EOS FUSE HTCondor & Kerberos

8 HTCondor integration The following touchpoints govern the integration with condor: SEC_CREDENTIAL_PRODUCER SEC_CREDENTIAL_MONITOR SEC_CREDENTIAL_DIRECTORY Submit node is responsible for obtaining a token and sending to schedd Schedd turns submit token into kerberos TGT Execute node needs token, maintained as kerberos TGT HTCondor & Kerberos

9 Submit node Active Directory Submit Node Credd on Schedd
SEC_CREDENTIAL_PRODUCER Submit Node AP-REQ Credd on Schedd X509 encrypted AP-REQ HTCondor & Kerberos

10 SEC_CREDENTIAL_MONITOR SEC_CREDENTIAL_DIRECTORY
Schedd SEC_CREDENTIAL_MONITOR NGAuth Server 1. Monitor for new AP-REQ (username.cred) 2. Request kerberos TGT from server with AP-REQ 3. Run (condor_)aklog 4. Monitor tokens requiring renewal SEC_CREDENTIAL_DIRECTORY HTCondor & Kerberos

11 SEC_CREDENTIAL_MONITOR SEC_CREDENTIAL_DIRECTORY
Execute node SEC_CREDENTIAL_MONITOR NGAuth Server 1. Monitor for new AP-REQ (username.cred) 2. Request kerberos TGT from server with AP-REQ 3. Run (condor_)aklog 4. Monitor tokens requiring renewal 5. Copy tokens to job sandbox & set KRB5_CCNAME SEC_CREDENTIAL_DIRECTORY Sandbox HTCondor & Kerberos

12 NGAuth Service takes AP-REQ from credmon, extracts user info
Uses privileged AD certificate to request kerberos TGT Encrypts TGT to x509 key deployed on schedds & worker nodes In principle multiple ngauth servers can be used in practice some care is needed for DNS aliased names (rdns = false in krb5.conf) HTCondor & Kerberos

13 Constrained Delegation (KCD)
Rather than general purpose token, provides token that can be used with pre-defined subset Less scary from security perspective Would require users to pre-define which services they want to use This probably means we can’t do it Extension to KCD where services register Not available HTCondor & Kerberos

14 NGAuth issues Server with privilege to acquire tickets for any user
Could improve, but only to any user who opts in to batch service AP-REQ is effectively immortal No longer tied directly to AFS as per previous LSFAuth, but code & approach similar HTCondor & Kerberos

15 Other options Certificates Longer expiry on kerberos tokens
Rather than AP-REQ, request certificate or proxy Certificate could be used to then request the TGT Easier to revoke certificates? Time limited proxy? Longer expiry on kerberos tokens Team responsible for AAA now responsible for NGAuth Conway’s Law might help improve the situation HTCondor & Kerberos

16 Experience If ngauth server is overloaded, and no TGT is produced:
schedd – submission fails as log/out/err can’t be initialised execute – random job failures as paths can’t be accessed transient failures on exectute nodes can black hole jobs till detection Deploying new versions of credmon can be painful Can’t set remote initialdir if it requires auth In general, mechanism works well HTCondor & Kerberos

17 Links NoAFS: CHEP   HEPIX   HTCondor & Kerberos

18 Questions?

Download ppt "Kerberos token renewal & HTCondor"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Todd Tannenbaum Condor Team GCB Tutorial OGF 2007.

Todd Tannenbaum Condor Team GCB Tutorial OGF 2007.
Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.

Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.

Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.

Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.
CERN LCG Overview & Scaling challenges David Smith For LCG Deployment Group CERN HEPiX 2003, Vancouver.

CERN LCG Overview & Scaling challenges David Smith For LCG Deployment Group CERN HEPiX 2003, Vancouver.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
S. Gadomski, ATLAS computing in Geneva, journee de reflexion, 14 Sept 20071 ATLAS computing in Geneva Szymon Gadomski description of the hardware the.

S. Gadomski, "ATLAS computing in Geneva", journee de reflexion, 14 Sept ATLAS computing in Geneva Szymon Gadomski description of the hardware the.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.

The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.
Week 2 File Systems & Unix Commands. File System Hierarchy.

Week 2 File Systems & Unix Commands. File System Hierarchy.
BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.

BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.
Experiences with a HTCondor pool: Prepare to be underwhelmed C. J. Lingwood, Lancaster University CCB (The Condor Connection Broker) – Dan Bradley

Experiences with a HTCondor pool: Prepare to be underwhelmed C. J. Lingwood, Lancaster University CCB (The Condor Connection Broker) – Dan Bradley
Interactive Job Monitor: CafMon kill CafMon tail CafMon dir CafMon log CafMon top CafMon ps LcgCAF: CDF submission portal to LCG resources Francesco Delli.

Interactive Job Monitor: CafMon kill CafMon tail CafMon dir CafMon log CafMon top CafMon ps LcgCAF: CDF submission portal to LCG resources Francesco Delli.
Grid job submission using HTCondor Andrew Lahiff.

Grid job submission using HTCondor Andrew Lahiff.
Architecture and ATLAS Western Tier 2 Wei Yang ATLAS Western Tier 2 User Forum meeting SLAC April 6-7 2009.

Architecture and ATLAS Western Tier 2 Wei Yang ATLAS Western Tier 2 User Forum meeting SLAC April
Virtual Batch Queues A Service Oriented View of “The Fabric” Rich Baker Brookhaven National Laboratory April 4, 2002.

Virtual Batch Queues A Service Oriented View of “The Fabric” Rich Baker Brookhaven National Laboratory April 4, 2002.

Similar presentations

Ads by Google