Presentation is loading. Please wait.

Presentation is loading. Please wait.

Credential Management in HTCondor

Published byMatti Korhonen Modified over 5 years ago

Similar presentations

Presentation on theme: "Credential Management in HTCondor"— Presentation transcript:

1 Credential Management in HTCondor
Zach Miller

2 Overview Jobs often need to access data or services while they are running These services often require authorization Authorization often requires proving identity Examples: x509 Certificate/proxy Username/password Tokens/capabilities

3 Overview Jobs may also want to store their output on a server somewhere instead of bringing it back to the submit machine Servers typically require some kind of authorization to write data to them. Examples: box.com AFS home directory

4 Existing Support HTCondor has long supported GSI
These are x509 certificates and proxies The proxy travels along with the job Any other credentials can be moved using HTCondor’s file transfer mechanism MAKE SURE THE TRANSFER IS SECURE! encrypt_input_files

5 Generalizing Credentials should not be treated as regular files
Need to be moved securely May need to be refreshed during the job May wish to limit their abilities (make them shorter lived, limited in capability, etc.) Might need to use them to retrieve actual input data Which means they need to be handled first

6 The Components condor_credd Runs alongside the condor_schedd
Manages credentials on the submit machine Has a “private” (root-owned and protected) directory on submit machine SEC_CREDENTIAL_DIRECTORY

7 The Components condor_credd Views credentials as opaque objects
Other than creating and destroying, is not able to manipulate the credentials

8 The Components Credential Monitor
Supplied by the site administrator (not the HTCondor developers) Aware of how to manipulate and refresh credentials Monitors and transforms files in the SEC_CREDENTIAL_DIRECTORY

9 The Components SEC_CREDENTIAL_PRODUCER
Script or executable provided by site administrator Runs on behalf of user to generate a credential that is given to the condor_credd Storing credential must succeed before job submission will continue

10 Submit Process condor submit SEC_CREDENTIAL_ PRODUCER condor credd
1 2 condor credd 3 credential monitor 5 4 condor schedd 6

11 Credential Monitor Two types of credentials
“Top” level “Use” level The SEC_CREDENTIAL_PRODUCER supplies the “top” level The Credential Monitor converts the “top” into a “use” credential

12 Example At CERN they use krb5 tickets and want jobs to run with a ticket Tickets are used to access services Tickets are also needed to generate AFS tokens (aklog) However….

13 Example Jobs may be in the HTCondor queue longer than the normal ticket lifetime Jobs need some way to generate a fresh TGT The credential that allows this is the “top” level credential (.cred in the directory) The Credential Monitor uses that to generate a credential cache for the user (.cc in the directory) and obtain AFS tokens

14 Submit Process condor submit SEC_CREDENTIAL_ PRODUCER condor credd
1 2 condor credd 3 credential monitor 5 4 condor schedd 6

15 Job Execution When a job is matched, a daemon called the condor_starter is launched on the execute machine Before transferring regular files, the starter contacts the condor_shadow on the submit machine to fetch the credentials into its own SEC_CREDENTIAL_DIRECTORY A Credential Monitor can also be run on the execute machine to keep creds fresh.

16 Job Execution The condor_starter places the credential cache (use-level) into the job’s sandbox Also sets $KRB5CCNAME to point to it Now the job can access krb5 services AFS tokens are also obtained and stored in the kernel keyring The job can now read/write the user’s home directory in AFS

17 Job Execution When a user has no jobs left running on a machine, their creds are marked for removal A timer periodically causes all marked credentials to be removed Likewise, when a user has no jobs left in the job queue, their creds are marked and periodically removed.

18 A Different Model OAuth has slightly different model
The “top” credential is a refresh credential. This is presented to a token server to get “use” credentials which are access tokens Only the access tokens are shipped to the execute machine Periodically refreshed by pulling from the submit machine

19 OAuth Here, the user needs to obtain their “top” (refresh) tokens before the job can be submitted condor_submit returns a URL to the user if they lack necessary tokens. The OAuth Credential Monitor hosts a web interface at this URL to assist the user in this, receives the refresh tokens, and uses them to keep copies of fresh access tokens

20 OAuth The job can then use its tokens to get/put data, such as contacting a server (box.com, Google Drive, XRootD, stashcache) Again, only the access tokens are sent with the job No need for a Credential Monitor on the execute side. This keeps users’ identity credentials off all the execute machines

21 SciTokens

22 SciTokens This is already getting used in the OSG
Bioinformatics group at Clemson is using SciTokens to send data to an XRootD server This in turn writes the data into the “Stash” storage at the University of Chicago

23 Summary You heard about SciTokens in the previous talk
The same general HTCondor components and architecture supports that, more general OAuth support, as well as Kerberos support as you’ll see in a moment Site-specific pieces can be provided by the local admin

24 Summary Using customizable pieces allows for flexibility and also expansion of the credential management system New types of credential support can be added without HTCondor code changes

25 Summary Still a work in progress…
For v8.8 things will be documented Reference versions of the Credential Monitor for OAuth and Kerberos will be supplied with the HTCondor release Many thanks to the folks at CERN and DESY for working through this initial implementations

26 Next Up… Details on the implementation used at DESY
Before that…. Quick questions? Thank you!

Download ppt "Credential Management in HTCondor"

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
CERN LCG Overview & Scaling challenges David Smith For LCG Deployment Group CERN HEPiX 2003, Vancouver.

CERN LCG Overview & Scaling challenges David Smith For LCG Deployment Group CERN HEPiX 2003, Vancouver.
Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security.

Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security.
Slides for Grid Computing: Techniques and Applications by Barry Wilkinson, Chapman & Hall/CRC press, © 2009. Chapter 1, pp 19-28. For educational use only.

Slides for Grid Computing: Techniques and Applications by Barry Wilkinson, Chapman & Hall/CRC press, © Chapter 1, pp For educational use only.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Basic Grid Job Submission Alessandra Forti 28 March 2006.

Basic Grid Job Submission Alessandra Forti 28 March 2006.
Challenges Running an NFSv4- backed OSG Cluster Kevin Coffman Center for Information Technology Integration University of Michigan.

Challenges Running an NFSv4- backed OSG Cluster Kevin Coffman Center for Information Technology Integration University of Michigan.
Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.

Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.
Chapter 11 ASP.NET JavaScript, Third Edition. 2 Objectives Learn about client/server architecture Study server-side scripting Create ASP.NET applications.

Chapter 11 ASP.NET JavaScript, Third Edition. 2 Objectives Learn about client/server architecture Study server-side scripting Create ASP.NET applications.
Globus Computing Infrustructure Software Globus Toolkit 11-2.

Globus Computing Infrustructure Software Globus Toolkit 11-2.
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Flexible Data Placement Mechanisms in Condor.

Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison Flexible Data Placement Mechanisms in Condor.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.

Zach Miller Computer Sciences Department University of Wisconsin-Madison What’s New in Condor.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
GRAPPA Part of Active Notebook Science Portal project A “notebook” like GRAPPA consists of –Set of ordinary web pages, viewable from any browser –Editable.

GRAPPA Part of Active Notebook Science Portal project A “notebook” like GRAPPA consists of –Set of ordinary web pages, viewable from any browser –Editable.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
Campus Grids Report OSG Area Coordinator’s Meeting Dec 15, 2010 Dan Fraser (Derek Weitzel, Brian Bockelman)

Campus Grids Report OSG Area Coordinator’s Meeting Dec 15, 2010 Dan Fraser (Derek Weitzel, Brian Bockelman)
Grid Computing I CONDOR.

Grid Computing I CONDOR.
Introduction to AFS IMSA Intersession 2003 AFS Servers and Clients Brian Sebby, IMSA ‘96 Copyright 2003 by Brian Sebby, Copies of these.

Introduction to AFS IMSA Intersession 2003 AFS Servers and Clients Brian Sebby, IMSA ‘96 Copyright 2003 by Brian Sebby, Copies of these.

Similar presentations

Ads by Google