Download presentation
Presentation is loading. Please wait.
1
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Glexec overview Gerben Venekamp NIKHEF
2
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 2 Contents What is glexec? Why do we need glexec (and gsexec)? How does glexec fit in the gLite architecture? How can glexec be invoked? Glexec on the worker node Status
3
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 3 What is glexec? glexec a thin layer to change unix credentials based on grid identity and attribute information you can think of it as: ‘a replacement for the gatekeeper’ ‘a griddy version of Apache’s suexec(8) ’ ‘a program wrapper around LCAS, LCMAPS or GUMS’
4
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 4 What glexec does Input 1.a certificate chain, possibly with VOMS extensions 2.a user program name & arguments to run Action 1.check authorization (LCAS, GUMS) user credentials, proper VOMS attributes, executable name 2.acquire local credentials –local (uid, gid) pair, possibly across a cluster 3.enforce the local credential on the process Result 1.user program is run with the mapped credentials
5
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 5 Isolation (sandboxing) Roadmap –virtualization of resources (VM) or assigning of local credentials –should be transparent for the user EGEE-I Architecture –only based on credential mapping (although VM solution is coming close!) –do as little as possible with ‘root’ privileges: “suexec” wrapper functionality is needed. –minimizing local management: poolaccounts & poolgroups –credential mapping and manipulation: LCMAPS –management capabilities on these accounts: WorkSpace Service (WSS)
6
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 6 Condor schedd lcmaps.db groupmapfile grid-mapfile lcmaps.db groupmapfile grid-mapfile WMS WorkSpace Service GK Gridmapdir poolindices Plug-ins %2fo%3ddutchgrid%2fo%3dusers%2 fo%3dnikhef%2fcn%3dmartijn%20s teenbakkers%3atlas atlas001 […] Voms poolaccount poolaccount Setuid, setgid LCMAPS Workspace Service quarantine and terminate LCMAPS and the WSS in gLite-1
7
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 7 Why was glexec devised? gatekeeper and other schedulers are complex, and need not be run with root privileges all the time –take an example from Apache httpd, where user cgi scripts can be run under their own identity, but without the web server itself having to run as root –to accomplish this, a small, program is needed with setuid(2) power: ‘suexec(8)’ variety in grid job submission systems is increasing –need a common way of obtaining and enforcing site policy and credential mapping –without the need to modify each and every system –as such, glexec in this deployment mode is an alternative to having authorization and mapping call-outs in each system
8
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 8 ‘suexec’ requirements Do as little as possible with ‘root’ privileges Allow VO-services to use (pool)accounts for each user job In- and outgoing pipes, file descriptors should be preserved as much as possible. Should be usable by C/C++ and java services: program executable. Sites should still be able to control the access to their resources Apache’s suEXEC fulfills many of these requirements –Safe code, has proven itself –Works with apache –2 clones from apache’s suEXEC: gsexec (part of gridsite) and glexec (part of gLite)
9
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 9 suexec wrapper Thin layer with root privileges will replace gatekeeper Intended for identity-switching services: –condor, gridsite, globus gram, cream. Internal –Uses LCMAPS/Workspace service as credential mapping mechanism –Executes the requested command with local credentials External interface –Should be usable by C, java (, perl?) services: program executable. –A (user) credential should be passed to suexec. –In- and outgoing pipes, file descriptors should be preserved as much as possible.
10
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 10 Scenario I: Apache
11
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 11 Scenario II: Cream
12
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 12 Scenario III: Condor/WSS
13
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 13 Glexec Can be used by VO services Input: user proxy, executable + args Optional input in “verify” mode: uid, gid Uses LCAS to –check the user ban/white list –verify the user proxy (validity, lifetime, full/limited, CRL) –Hold the executable against a whitelist. Uses LCMAPS to do the account mapping –Dry-run is used in “verify” mode Copies and chowns the delegated user proxy Code in org.glite.security.glexec gsexec ‘versus’ glexec Glexec (cont’d) More configuration options Includes fork() wrapper library –returns the pid to the calling application –C api Gsexec Only for site-controlled services Input: user DN, executable + args Uses traditional (non-VOMS, DN- based) poolaccount mapping Code resides in org.gridsite.core Not very configurable (on purpose)
14
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 14 Usage of glexec (1) Two run-modes depending on setuid bit settings: 1.glexec is setuid-root: setuid()/setgid() to local user in glexec code and execute the program -r-s--x--- 1 root apache /usr/sbin/glexec In the next release: 1.glexec runs as special user: glexec uses sudo for identity switching and program execution: -r-s--x--- 1 glexec glexec /opt/glite/sbin/glexec sudo preserves only stdin, stdout, stderr sudo can be configured to allow the user “ glexec” to run a predefined set of programs ( blahp, qsub )
15
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 15 Usage of glexec (2) Environment variables to be set before calling glexec –GLEXEC_MODE: “lcmaps_verify_account”: glexec “lcmaps_get_account”: glexec –SSL_CLIENT_CERT and SSL_CLIENT_CERT_ : PEM- encoded strings containing the proxy cert and chain components. –GLEXEC_SOURCE_PROXY: location of the (delegated) proxy to be used by the user job.. –GLEXEC_TARGET_PROXY: location where the proxy should be copied to. If not specified ~/.glexec/proxy is used. –GLEXEC_ID (optional): unique job id to be used as an index for the jobrepository: All other environment variables are cleared
16
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 16 Usage of glexec (3) Configuration: At compilation time the default defines in the apache headers ( /usr/include/httpd/*.h ) are overridden by glexec.h –Contains at the moment hardcoded locations of lcas and lcmaps config files –Next version will use a configuration file instead. lcas and lcmaps use the following config files: – /opt/glite/etc/lcas/lcas-glexec.db – /opt/glite/etc/lcmaps/lcmaps-glexec.db
17
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 17 Usage of glexec (4) Fork wrapper C api: typedef struct { char *target_user; char *target_group; char *command; } glexec_args_t; pid_t glexec_fork(glexec_args_t *args); Forks off the user process and returns the process id
18
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 18 VO pilot job on the node Note: proper uid change by Gatekeeper or Condor-C/BLAHP on head node should remain default On success: the site will set the uid/gid of the new user’s job On failure: glexec will return with an error, and pilot job can terminate or obtain other job
19
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 19 Status today Status of ‘glexec’ today –implementation ready & tested, based off the Apache HTTP suexec code base –uses the LCAS and LCMAPS for enforcement and mapping in their library-based implementation –new modules have been added LCAS: RSL (executable path) constraints validation of cert chain and proxy lifetime –restrictions policy should be located on local posix-accessible file systems policy transport should be ‘trustworthy’ Needed specifically for the –on-WN model –make the credential acquisition process (LCAS/LCMAPS) work with a site-central policy engine enforcement will have to stay local –changeover to standard callouts for both are needed –needs more site-sysadmin configuration capabilities
20
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 20 Plans Integration on prototype with CREAM and Condor Replace callouts to LCAS and LCMAPS by a callout to Workspace service (a.k.a. the full scenario). –Workspace bind service Use of sudo Use of a glexec configuration file Interoperability: use the common standardized authZ/mapping callout interface (OSG collaboration)
21
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 21 Goals Generic access control to services –Authentication –Authorization –for legacy applications & file access, networks, … Sites are always in control of their resources Flexibility, scalability Allow for central control in a site Converge to a single policy format Standardization of configuration Address requirements from NA4, SAAA-RG, and others (incorporated in MJRA3.1 “user requirements”)
22
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 22 Workspace Service and LCMAPS Workspace Service (WSS) is part of GT4-core and in gLite-1 (preview) –Account creation and account management Provides lifetime management and will provide quota management Account clean-up mechanism: –Possibility to put account in quarantine first –Example clean-up script provided Access control to Workspace Service based on DN and VOMS attr. Access control to account –Currently based on DN –Will provide ACLs on VOMS attributes (?) Support of poolaccounts –Clean-up of poolaccounts –Uses LCMAPS as a back-end to manage gridmapdir (poolindex)
23
Enabling Grids for E-sciencE INFSO-RI-508833 European Condor week June 28th, Milano 23 Condor schedd lcmaps.db groupmapfile grid-mapfile lcmaps.db groupmapfile grid-mapfile WMS WorkSpace Service GK Gridmapdir poolindices Plug-ins %2fo%3ddutchgrid%2fo%3dusers%2 fo%3dnikhef%2fcn%3dmartijn%20s teenbakkers%3atlas atlas001 […] Voms poolaccount poolaccount Setuid, setgid LCMAPS Workspace Service quarantine and terminate LCMAPS and the WSS in gLite-1
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.