Slide 1: Site access control issues (a sneak preview of DJRA3.2)
INFSO-RI-508833 Enabling Grids for E-sciencE, www.eu-egee.org
Martijn Steenbakkers for JRA3, Universiteit van Amsterdam and NIKHEF
Enabling Grids for E-sciencE INFSO-RI-508833, JRA1 All Hands meeting, Padova, 15-17 November 2004

Slide 2: Outline
- Goals of the "Site access control architecture"
- What do (or should) we use today?
- What we would like to see next
- Status and future of LCAS
- Status and future of LCMAPS
  – Integration with Dynamic Account Service (DAS)
- Timeline
Slide 3: Goals
- Generic access control to services at site level
  – Authentication
  – Authorization
  – Sandboxing and legacy applications
- Sites are in control of their resources
- Flexibility, scalability
- Centralized control
- Converge to one policy format
- Requirements from site AAA RG (incorporated in MJRA3.1 "user requirements")
- Requires input from MWSG, JSPG and ROC managers
Slide 4: What should/could we use today?
- Authentication: acquire ID + assertions
  – X.509 and attribute certificates (VOMS), GSI, myproxy
- Local authorization
  – For C (gatekeeper, gridftpd): LCAS
  – For Java: authorization framework (org.glite.security.authz-framework-java)
- Sandboxing
  – LCMAPS: provides the local credentials (unix uid, gid, AFS) needed for jobs in the fabric; identity switching
- Auditing
  – Job repository: central repository for logging, accounting, auditing
Slide 5: What we would like to see next (1)
- Authentication
  – Any SAML assertions, either in-line or retrieved on demand
  – Use generic authN interface for myproxy??
  – Basic authN validation based on TLS handshake
  – But more complex validation pushed to the authZ stage: CRL checking; check on authN strength (policy-OID extension)??
Slide 6: What we would like to see next (2)
- Local authorization
  – Common authZ framework
  – Policy evaluation engine (using XACML)
  – 'Stackable': recursive invocation
  – Policy interpretation by plug-ins, e.g. proxy lifetime validation (req. saaa-rg 1.4.1.1)
  – Fit grid authZ into existing systems: a grid-PAM module interoperating with the authZ framework
- Generating audit trails
  – Site/resource-central service correlates authN/authZ data and local credential mapping
Slide 7: What we would like to see next (3)
- Sandboxing/isolation for applications
  – Hosting environment (Java)
  – Host virtualization: Xen, VMware, UML; probably wishful thinking for EGEE; at what level: application, VO, grid??
  – Using unix accounts and groups: transparent for higher-level middleware and applications; a sudo-like program takes grid credentials as input; a service to dynamically create and delete (pool) accounts, with time management and access control; a grid-mapping aware NSS module??
  – Site proxy (or its fancy new name!): dynamic connection provisioning, see Oscar's talk
Slide 8: AuthN, AuthZ in GK (Release 1)
[Figure: "Ye Olde Gatekeeper". The Gatekeeper accepts GSI authentication (GSI AuthN, assist_gridmap), calls out to LCAS for authorization (allowed, timeslot and banned policies, evaluated against a proxy such as /C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy with its VOMS pseudo-cert), then invokes LCMAPS ("open, learn, and run"), and finally the Job Manager (jobmanager-*: fork+exec args, submit script).]
Slide 9: LCAS in release 1
- Local Centre Authorization Service (LCAS) handles authorization requests to the local fabric
  – Authorization decisions based on the proxy user certificate (with VOMS attributes embedded) and the job specification (RSL)
  – Supports the grid-mapfile mechanism and/or GACL (from gridsite)
- Plug-in framework (hooks for external authorization plug-ins)
  – Allowed users (grid-mapfile or allowed_users.db)
  – Banned users (ban_users.db)
  – Available timeslots (timeslots.db)
  – Plug-in for VOMS (to process authorization data): uses the VOMS API; authZ policy in GACL format (or grid-mapfile); convenience tool to convert a grid-mapfile into GACL format: voms2gacl
Slide 10: LCAS - lcas.gacl
[Example lcas.gacl; the GACL markup was lost in extraction and only the values survive: the DN /O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen and the VOMS group iteam (/iteam).]
Slide 11: Future of LCAS
- Interface to the globus authorization call-out
- Merge LCAS and the Java authZ framework into a common authZ service
  – As an intermediate step LCAS can make a call-out to the authZ framework
  – Pluggable
  – Re-use of LCAS plug-ins
  – New plug-in functionality (satisfies SAAARG requirements): CRL checking, proxy lifetime checking
- PAM module interface to the authZ framework
  – Grid access to cvs, ssh
Slide 12: LCMAPS
- Local Credential MAPping Service
- Backward compatible with existing systems (grid-mapfile, AFS)
- Provides the local credentials needed for jobs in the fabric
  – Mapping based on user identity, VO affiliation, site-local policy
  – Supports standard UNIX credentials (incl. pool accounts), AFS tokens
  – Pool accounts, pool groups
  – Support for multiple VOs per user (and thus multiple UNIX groups)
- Plug-in framework
  – Driven by a comprehensive policy language
  – Credential acquisition and enforcement plug-ins
- Boundary conditions
  – Has to run in privileged mode
  – Has to run in the process space of the incoming connection (for fork jobs)
Slide 13: LCMAPS - control flow
- User authenticates using a (VOMS) proxy
- LCMAPS library invoked
  – Acquire all relevant credentials
  – Enforce "external" credentials
  – Enforce credentials on the current process tree at the end
- Run job manager
  – Batch systems will need updated (distributed) UNIX account info
- Order and function: policy-based
[Figure: the GK invokes LCMAPS (credential acquisition and enforcement, using the groupmapfile for VOMS group mapping), which hands the CREDs on to the Job Manager.]
Slide 14: LCMAPS - Policy Description Language

    # default path
    path = /opt/edg/lib/lcmaps/modules

    # Plugin definitions:
    localaccount = "lcmaps_localaccount.mod"
                   "-gridmapfile /etc/grid-security/grid-mapfile"
    […]
    vomslocalgroup = "lcmaps_voms_localgroup.mod"
                     "-groupmapfile /etc/grid-security/groupmapfile"
    vomspoolaccount = "lcmaps_voms_poolaccount.mod"
                      "-gridmapfile /etc/grid-security/grid-mapfile"
                      "-gridmapdir /etc/grid-security/gridmapdir"
    […]

    # Policies:
    vomspolicy:
    localaccount -> posix_enf | vomsextract
    vomsextract -> vomslocalgroup
    vomslocalgroup -> vomspoolgroup
    vomspoolgroup -> vomspoolaccount | vomspoolaccount
    vomspoolaccount -> ldap_enf
    ldap_enf -> posix_enf

[Figure: state machine approach. Start at Local Account; each plug-in (VOMS Extract, VOMS Local Group, VOMS Pool Group, VOMS Pool Account, LDAP Enforcement, POSIX Enforcement) has a TRUE and a FALSE transition: the target after "->" is taken when the module succeeds, the one after "|" when it fails.]
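To make the "a -> b | c" semantics concrete, here is an added example (not LCMAPS code, which is a C library) that parses the policy section above into a state machine and walks it with simulated plug-in results; the policy text, the 32-step bound and the `run_scenario` helper are constructed for this illustration.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed lcmaps.db policy section, in the syntax shown on the slide.
POLICY_TEXT = """
vomspolicy:
localaccount -> posix_enf | vomsextract
vomsextract -> vomslocalgroup
vomslocalgroup -> vomspoolgroup
vomspoolgroup -> vomspoolaccount | vomspoolaccount
vomspoolaccount -> ldap_enf
ldap_enf -> posix_enf
"""
RULE_RE = re.compile(r"^(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?$")

def parse_policies(text: str) -> Dict[str, Tuple[str, dict]]:
    # {policy name: (start state, {state: (next on TRUE, next on FALSE or None)})}
    policies: Dict[str, Tuple[str, dict]] = {}
    name = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.endswith(":"):                     # "vomspolicy:" opens a policy
            name = line[:-1]
            continue
        m = RULE_RE.match(line)
        if not m or name is None:
            raise ValueError(f"bad policy line: {raw!r}")
        state, on_true, on_false = m.groups()
        rules = policies.setdefault(name, (state, {}))[1]   # first LHS is the start state
        rules[state] = (on_true, on_false)
    return policies

def evaluate(policy: Tuple[str, dict], plugin: Callable[[str], bool]) -> Tuple[bool, list]:
    # plugin(state) stands in for loading and running that module; returns (success, path)
    state, rules, path = policy[0], policy[1], []
    for _ in range(32):                            # bound the walk: a policy could contain a cycle
        path.append(state)
        ok = plugin(state)
        if state not in rules:                     # end state: its own result decides
            return ok, path
        nxt = rules[state][0] if ok else rules[state][1]
        if nxt is None:                            # module failed and no "|" alternative
            return False, path
        state = nxt
    raise RuntimeError("policy does not terminate")

def run_scenario(outcomes: Dict[str, bool]) -> Tuple[bool, list]:
    # Simulate one mapping run; modules not listed in `outcomes` are assumed to succeed.
    return evaluate(parse_policies(POLICY_TEXT)["vomspolicy"], lambda s: outcomes.get(s, True))
```

A user absent from the grid-mapfile but carrying VOMS attributes takes the whole VOMS branch; a user with a static entry is mapped after two modules; a VOMS extraction failure ends the run because that rule has no "|" alternative.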
Slide 15: LCMAPS - VOMS groupmapfile

    # Example groupmapfile:
    # Users with this exact VO-group info
    # will be added to the local group "fredje"
    "/VO=fred/GROUP=fred/ROLE=husband" fredje
    # All users from VO wilma will be added to the allocated poolgroup
    # "pool[1-9]*"
    "/VO=wilma/GROUP=*" .pool

- FQAN not supported yet, but will be (a trivial change)
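As an added example (not the lcmaps_voms_localgroup/poolgroup code itself), the following shows how a groupmapfile like the one above is matched against a user's VO-group attributes, with a constructed in-memory allocator standing in for the gridmapdir lease that hands out a pool group once per user and reuses it on later runs; the lease key format and the pool names are assumptions.

```python
import fnmatch
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed groupmapfile in the pre-FQAN "/VO=.../GROUP=.../ROLE=..." form from the slide.
GROUPMAPFILE = '''
# Users with this exact VO-group info are put in local group "fredje"
"/VO=fred/GROUP=fred/ROLE=husband" fredje
# Any group of VO wilma gets a group from the pool "pool[1-9]*"
"/VO=wilma/GROUP=*" .pool
'''

def parse_groupmapfile(text: str) -> List[Tuple[str, str]]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)                  # the pattern is quoted, the target is not
        if len(parts) != 2:
            raise ValueError(f"malformed groupmapfile line: {line!r}")
        entries.append((parts[0], parts[1]))
    return entries

class PoolGroupAllocator:
    # In-memory stand-in (assumption) for the gridmapdir lease: one lease per key, reused on repeat.
    def __init__(self, pools: Dict[str, List[str]]):
        self.pools = pools
        self.leases: Dict[Tuple[str, str], str] = {}   # (pool, lease key) -> group

    def allocate(self, pool: str, key: str) -> Optional[str]:
        if (pool, key) in self.leases:
            return self.leases[(pool, key)]
        taken = set(self.leases.values())
        free = [g for g in self.pools.get(pool, []) if g not in taken]
        if not free:
            return None                            # pool exhausted: the mapping fails
        self.leases[(pool, key)] = free[0]
        return free[0]

def map_group(entries, attrs: List[str], dn: str, allocator: PoolGroupAllocator) -> Optional[str]:
    # First matching entry wins; a target starting with "." names a pool instead of a fixed group.
    for pattern, target in entries:
        for attr in attrs:
            if fnmatch.fnmatchcase(attr, pattern):
                if target.startswith("."):
                    return allocator.allocate(target[1:], f"{dn}|{attr}")
                return target
    return None
```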
Slide 16: DAS and LCMAPS
- The Dynamic Account Service is part of GT4 (Kate Keahey et al.)
  – DAS: account management interface
  – DAF: creation of accounts
- Provides lifetime management
- Access control
  – Currently based on DN
  – Will provide ACLs on VOMS attributes (based on call-out?)
- Support of pool accounts
  – Clean-up of pool accounts
  – Use LCMAPS to manage the gridmapdir (poolindex)
  – Interface to LCMAPS being discussed; currently the DAS accesses the gridmapdir directly, which is not consistent with LCMAPS
  – How to integrate DAS (GT4/WSRF) with gLite (GT2)?
Slide 17: Integration of the DAS
[Figure: the WMS contacts the DAS, which uses the DAF to create accounts; the GK and Job Manager invoke LCMAPS, configured by lcmaps.db, whose plug-ins (VOMS poolaccount, poolaccount) read the grid-mapfile, groupmapfile and gridmapdir pool indices and finally setuid/setgid to the CREDs. Example gridmapdir entry, a URL-encoded DN leased to a pool account:
    %2fo%3ddutchgrid%2fo%3dusers%2fo%3dnikhef%2fcn%3dmartijn%20steenbakkers%3atlas  atlas001
    […]]
Slide 18: DAS-LCMAPS poolaccount scenarios
1. In: gss_cred_id_t or gss_ctx_id_t; out: uid, gids
   – No changes (check why LCMAPS apparently needs the full credential)
   – Work on LCMAPS code: 0.5 day
2. In: DN + FQANs; out: uid, gids (GSI dependencies still linked in, GSI interface is kept)
   – Changes needed to the "voms extract" plug-in
   – Extend the interface
   – Work on LCMAPS code: 1-2 days
3. In: DN + FQANs; out: uid, gids (GSI dependencies taken out at build time)
   – Changes to build files: Makefiles, configure.ac
   – Changes to the "voms extract" plug-in
   – Changes to lcmaps-interface (#ifdefs)
   – Small changes to lcmaps-utils (#ifdef), lcmaps_extract_cred (#ifdef)
   – Changes to the evaluation manager so that it does not immediately load the declared modules, but only at the start of a policy (may be tricky, check with Gerben Venekamp)
   – Work on LCMAPS code: 4-5 days (not as bad as I thought)
Slide 19: More issues
- Testing:
  – Unit testing of the lcmaps interface (NIKHEF): 1-2 days
  – Testing of DAS invocation of the lcmaps interface by Kate/Tim: 1-2 days?
  – Installation and evaluation of DAS + poolaccount back-end at NIKHEF: 1-2 days?
  – Integration in the job submission sequence on the prototype: 2-3 days?
- How will the WMS invoke the DAS on behalf of the user?
- Deployment scenario in which the DAS creates the account using LCMAPS and, in the GRAM stage, the GK/lcmaps contacts the DAS, which gives the uid and gids.
  – Disadvantage: lcmaps is used twice with different policies (cause of inconsistencies?). In addition the DAS only registers the uid and gids; acquiring AFS (Krb5?) tokens and contacting the JR lcmaps has to do again.
- Clean-up mechanism?
Slide 20: LCMAPS future
- Use a standard credential mapping call-out interface
  – Being defined in collaboration with globus
- Replace the gatekeeper by a lightweight sudo program
  – Call-out to the authZ FW
  – Use LCMAPS
  – CGI-bin interface to insert into the apache server (gridsite)
  – CLI to be used from perl, java
- NSS module??
  – Use the JobRepository to look up the grid mapping
  – Example:

    $ ls -l file_from_atlas
    -rw-r--r--  1 /O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers /ATLAS/user/Role=Admin 1 Nov 13 17:22 file_from_atlas
Slide 21: Job Repository
- What?
  – JR is a relational database
  – [Figure: tables user, X509, Job, VOMS, Credential and the links between them]
  – The data consist of user info with X509 certs, job info, VOMS info, credential info and the links between these types of info for every job
- Why?
  – Central repository: logging, accounting, auditing
- Where?
  – CE: plug-in for LCMAPS
  – CE: various scripts controlled by the Job Manager
  – The database has to be installed close to (or on) the CE
Slide 22: Timeline
- LCAS
  – Globus callout: 15 December
  – Proxy lifetime checking: this year?
  – Merge with the authZ framework: Summer 2005
  – PAM module: ??
- LCMAPS
  – Update installation guide + examples: 22 November, http://www.nikhef.nl/grid/lcaslcmaps
  – DAS integration: 3 December (depends on what we decide)
  – Sudo function: April 2005
  – NSS module: ??
- Generic authN method
  – Myproxy: ?? Contacts with the myproxy developers have to be established
- Yah!