Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Glexec overview Gerben Venekamp NIKHEF.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Glexec overview Gerben Venekamp NIKHEF."— Presentation transcript:

1 INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Glexec overview Gerben Venekamp NIKHEF

2 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 2 Contents What is glexec? Why do we need glexec (and gsexec)? How does glexec fit in the gLite architecture? How can glexec be invoked? Glexec on the worker node Status

3 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 3 What is glexec? glexec a thin layer to change unix credentials based on grid identity and attribute information you can think of it as: ‘a replacement for the gatekeeper’ ‘a griddy version of Apache’s suexec(8) ’ ‘a program wrapper around LCAS, LCMAPS or GUMS’

4 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 4 What glexec does Input 1.a certificate chain, possibly with VOMS extensions 2.a user program name & arguments to run Action 1.check authorization (LCAS, GUMS) user credentials, proper VOMS attributes, executable name 2.acquire local credentials –local (uid, gid) pair, possibly across a cluster 3.enforce the local credential on the process Result 1.user program is run with the mapped credentials

5 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 5 Isolation (sandboxing) Roadmap –virtualization of resources (VM) or assigning of local credentials –should be transparent for the user EGEE-I Architecture –only based on credential mapping (although VM solution is coming close!) –do as little as possible with ‘root’ privileges: “suexec” wrapper functionality is needed. –minimizing local management: poolaccounts & poolgroups –credential mapping and manipulation: LCMAPS –management capabilities on these accounts: WorkSpace Service (WSS)

6 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 6 Condor schedd lcmaps.db groupmapfile grid-mapfile lcmaps.db groupmapfile grid-mapfile WMS WorkSpace Service GK Gridmapdir poolindices Plug-ins %2fo%3ddutchgrid%2fo%3dusers%2 fo%3dnikhef%2fcn%3dmartijn%20s teenbakkers%3atlas atlas001 […] Voms poolaccount poolaccount Setuid, setgid LCMAPS       Workspace Service  quarantine and terminate LCMAPS and the WSS in gLite-1

7 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 7 Why was glexec devised? gatekeeper and other schedulers are complex, and need not be run with root privileges all the time –take an example from Apache httpd, where user cgi scripts can be run under their own identity, but without the web server itself having to run as root –to accomplish this, a small, program is needed with setuid(2) power: ‘suexec(8)’ variety in grid job submission systems is increasing –need a common way of obtaining and enforcing site policy and credential mapping –without the need to modify each and every system –as such, glexec in this deployment mode is an alternative to having authorization and mapping call-outs in each system

8 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 8 ‘suexec’ requirements Do as little as possible with ‘root’ privileges Allow VO-services to use (pool)accounts for each user job In- and outgoing pipes, file descriptors should be preserved as much as possible. Should be usable by C/C++ and java services: program executable. Sites should still be able to control the access to their resources Apache’s suEXEC fulfills many of these requirements –Safe code, has proven itself –Works with apache –2 clones from apache’s suEXEC: gsexec (part of gridsite) and glexec (part of gLite)

9 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 9 suexec wrapper Thin layer with root privileges will replace gatekeeper Intended for identity-switching services: –condor, gridsite, globus gram, cream. Internal –Uses LCMAPS/Workspace service as credential mapping mechanism –Executes the requested command with local credentials External interface –Should be usable by C, java (, perl?) services: program executable. –A (user) credential should be passed to suexec. –In- and outgoing pipes, file descriptors should be preserved as much as possible.

10 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 10 Scenario I: Apache

11 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 11 Scenario II: Cream

12 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 12 Scenario III: Condor/WSS

13 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 13 Glexec Can be used by VO services Input: user proxy, executable + args Optional input in “verify” mode: uid, gid Uses LCAS to –check the user ban/white list –verify the user proxy (validity, lifetime, full/limited, CRL) –Hold the executable against a whitelist. Uses LCMAPS to do the account mapping –Dry-run is used in “verify” mode Copies and chowns the delegated user proxy Code in org.glite.security.glexec gsexec ‘versus’ glexec Glexec (cont’d) More configuration options Includes fork() wrapper library –returns the pid to the calling application –C api Gsexec Only for site-controlled services Input: user DN, executable + args Uses traditional (non-VOMS, DN- based) poolaccount mapping Code resides in org.gridsite.core Not very configurable (on purpose)

14 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 14 Usage of glexec (1) Two run-modes depending on setuid bit settings: 1.glexec is setuid-root: setuid()/setgid() to local user in glexec code and execute the program -r-s--x--- 1 root apache /usr/sbin/glexec In the next release: 1.glexec runs as special user: glexec uses sudo for identity switching and program execution: -r-s--x--- 1 glexec glexec /opt/glite/sbin/glexec  sudo preserves only stdin, stdout, stderr  sudo can be configured to allow the user “ glexec” to run a predefined set of programs ( blahp, qsub )

15 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 15 Usage of glexec (2) Environment variables to be set before calling glexec –GLEXEC_MODE:  “lcmaps_verify_account”: glexec  “lcmaps_get_account”: glexec –SSL_CLIENT_CERT and SSL_CLIENT_CERT_ : PEM- encoded strings containing the proxy cert and chain components. –GLEXEC_SOURCE_PROXY: location of the (delegated) proxy to be used by the user job.. –GLEXEC_TARGET_PROXY: location where the proxy should be copied to. If not specified ~/.glexec/proxy is used. –GLEXEC_ID (optional): unique job id to be used as an index for the jobrepository: All other environment variables are cleared

16 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 16 Usage of glexec (3) Configuration: At compilation time the default defines in the apache headers ( /usr/include/httpd/*.h ) are overridden by glexec.h –Contains at the moment hardcoded locations of lcas and lcmaps config files –Next version will use a configuration file instead. lcas and lcmaps use the following config files: – /opt/glite/etc/lcas/lcas-glexec.db – /opt/glite/etc/lcmaps/lcmaps-glexec.db

17 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 17 Usage of glexec (4) Fork wrapper C api: typedef struct { char *target_user; char *target_group; char *command; } glexec_args_t; pid_t glexec_fork(glexec_args_t *args); Forks off the user process and returns the process id

18 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 18 VO pilot job on the node Note: proper uid change by Gatekeeper or Condor-C/BLAHP on head node should remain default On success: the site will set the uid/gid of the new user’s job On failure: glexec will return with an error, and pilot job can terminate or obtain other job

19 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 19 Status today Status of ‘glexec’ today –implementation ready & tested, based off the Apache HTTP suexec code base –uses the LCAS and LCMAPS for enforcement and mapping in their library-based implementation –new modules have been added  LCAS: RSL (executable path) constraints  validation of cert chain and proxy lifetime –restrictions  policy should be located on local posix-accessible file systems  policy transport should be ‘trustworthy’ Needed specifically for the –on-WN model –make the credential acquisition process (LCAS/LCMAPS) work with a site-central policy engine  enforcement will have to stay local –changeover to standard callouts for both are needed –needs more site-sysadmin configuration capabilities

20 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 20 Plans Integration on prototype with CREAM and Condor Replace callouts to LCAS and LCMAPS by a callout to Workspace service (a.k.a. the full scenario). –Workspace bind service Use of sudo Use of a glexec configuration file Interoperability: use the common standardized authZ/mapping callout interface (OSG collaboration)

21 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 21 Goals Generic access control to services –Authentication –Authorization –for legacy applications & file access, networks, … Sites are always in control of their resources Flexibility, scalability Allow for central control in a site Converge to a single policy format Standardization of configuration Address requirements from NA4, SAAA-RG, and others (incorporated in MJRA3.1 “user requirements”)

22 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 22 Workspace Service and LCMAPS Workspace Service (WSS) is part of GT4-core and in gLite-1 (preview) –Account creation and account management Provides lifetime management and will provide quota management Account clean-up mechanism: –Possibility to put account in quarantine first –Example clean-up script provided Access control to Workspace Service based on DN and VOMS attr. Access control to account –Currently based on DN –Will provide ACLs on VOMS attributes (?) Support of poolaccounts –Clean-up of poolaccounts –Uses LCMAPS as a back-end to manage gridmapdir (poolindex)

23 Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 23 Condor schedd lcmaps.db groupmapfile grid-mapfile lcmaps.db groupmapfile grid-mapfile WMS WorkSpace Service GK Gridmapdir poolindices Plug-ins %2fo%3ddutchgrid%2fo%3dusers%2 fo%3dnikhef%2fcn%3dmartijn%20s teenbakkers%3atlas atlas001 […] Voms poolaccount poolaccount Setuid, setgid LCMAPS       Workspace Service  quarantine and terminate LCMAPS and the WSS in gLite-1

Download ppt "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Glexec overview Gerben Venekamp NIKHEF."

Similar presentations

Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
Resource Management Reading: “A Resource Management Architecture for Metacomputing Systems”

Resource Management Reading: “A Resource Management Architecture for Metacomputing Systems”
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org gLExec, SCAS and the paths forward Introduction to pilot jobs and gLExec and SCAS framework.

INFSO-RI Enabling Grids for E-sciencE gLExec, SCAS and the paths forward Introduction to pilot jobs and gLExec and SCAS framework.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org gLExec and OS compatibility David Groep Nikhef.

INFSO-RI Enabling Grids for E-sciencE gLExec and OS compatibility David Groep Nikhef.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org EGEE and gLite are registered trademarks Security and Job Management.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Similar presentations

Ads by Google