INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org

LCAS/LCMAPS and WSS Site Access Control boundary conditions
David Groep et al., NIKHEF
Enabling Grids for E-sciencE INFSO-RI-508833 Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005

Outline
Local authorization
Local authorization decisions
Integrating with the Unix domain
Managing the work space
Authorization context
[Diagram; graphics from Globus Alliance & GGF OGSA-WG]
Policy comes from many stakeholders
Local Authorization
EGEE Architecture
– Policy providers orchestrated by a master PDP (not shown)
– Authorization Framework (Java) and Local Centre Authorization Service LCAS (C/C++ world)
– Both provide a set of PDP implementations (should be the same set, or a callout from one to the other)
– PDPs foreseen:
  user white/blacklist
  VOMS-ACL
  proxy-lifetime constraints
  certificate/proxy policy OID checks
  peer-system name validation (compare with subject or subjectAlternativeNames)
Local Authorization Today
Current Implementation
– Only a limited set of PDPs: ban/allow and VOMS-ACL
– Authorization interface is proprietary (at least for C/C++); a change to a 'v2' standard interface is foreseen soon
– Policy Enforcement Point (PEP) is part of the (container) runtime, i.e. all evaluation is in-line
  source modifications needed to legacy (C-based) services (GT gatekeeper, GridFTP server)
  AuthZ framework for Java as loadable classes
– No separate authorization service (no site-central checking)
– Policy format is not XACML everywhere (i.e. GACL)
Black List Services
BL-PDPs return Deny or Not-Applicable
– Master-PDP treats "Permit" as Not-Applicable
Only interested in whether the black-list services deny access to the subject
– They are not to be used for rendering general-purpose policy decisions
Query the configured black-list services before the general-purpose PDPs
– Pushing of black-list assertions or EPRs is not allowed
"Deny-Override" rules for the black-list services
… a pragmatic way to address deny-requirements …
– Note that you are still allowed to shoot yourself in the foot with deny-policies "behind" the PDP interface …
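The combining rule on this slide, as an added example that is not LCAS or EGEE code: black-list PDPs are consulted first, a Permit from a black-list PDP is downgraded to Not-Applicable, and any Deny ends evaluation (Deny-Override). The `Decision`, `Request`, `banned_subject_pdp`, `voms_acl_pdp` and `master_pdp` names are hypothetical, the sample subject DN and FQAN are constructed (reusing the deck's example DN), and the rule used for the general-purpose PDPs (Deny-Override, grant only on an explicit Permit) is an assumption the slide does not state.

```python
"""Added example (not LCAS/EGEE code): a master PDP that queries black-list
PDPs first under Deny-Override, as the slide above describes."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "Not-Applicable"


@dataclass
class Request:
    subject: str                                 # certificate subject DN
    fqans: list = field(default_factory=list)    # VOMS FQANs from the proxy


# Black-list PDP: may only answer Deny or Not-Applicable.
def banned_subject_pdp(banned_subjects):
    def pdp(req):
        if req.subject in banned_subjects:
            return Decision.DENY
        return Decision.NOT_APPLICABLE
    return pdp


# General-purpose PDP (VOMS-ACL style): Permit if any FQAN is on the ACL.
def voms_acl_pdp(allowed_fqans):
    def pdp(req):
        if any(f in allowed_fqans for f in req.fqans):
            return Decision.PERMIT
        return Decision.NOT_APPLICABLE
    return pdp


def master_pdp(blacklist_pdps, general_pdps, req):
    """Combine PDP answers.

    1. Black-list services are queried first.  A Permit from a black-list
       service is downgraded to Not-Applicable (they must never grant), and
       any Deny ends evaluation immediately (Deny-Override).
    2. Only then are the general-purpose PDPs consulted.  Assumption (the
       slide does not state the general combining rule): Deny-Override here
       too, and access is granted only if at least one PDP says Permit.
    """
    for pdp in blacklist_pdps:
        answer = pdp(req)
        if answer is Decision.PERMIT:
            answer = Decision.NOT_APPLICABLE
        if answer is Decision.DENY:
            return Decision.DENY

    permitted = False
    for pdp in general_pdps:
        answer = pdp(req)
        if answer is Decision.DENY:
            return Decision.DENY
        if answer is Decision.PERMIT:
            permitted = True
    return Decision.PERMIT if permitted else Decision.NOT_APPLICABLE


if __name__ == "__main__":
    # Constructed sample request, reusing the deck's example DN.
    user = Request("/C=IT/O=INFN/L=CNAF/CN=Pinco Palla",
                   ["/EGEE/picard/Role=Manager"])
    banlist = banned_subject_pdp({"/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"})
    acl = voms_acl_pdp({"/EGEE/picard/Role=Manager"})
    print(master_pdp([banlist], [acl], user))   # Decision.DENY
    print(master_pdp([], [acl], user))          # Decision.PERMIT
```

Because the black-list stage cannot produce a Permit, a misconfigured or compromised black-list service can at worst fail to deny; it can never grant access on its own, which is what makes the Deny-Override shortcut safe to place ahead of the general-purpose PDPs.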
What's within reach?
Some additional PDPs
– Policy OID checking
– Proxy certificate lifetime constraints
– Limit to specific executable programs
– …
Standard white-list and black-list service for all services
Better integration between the Java and C worlds and the upcoming standards
LCMAPS
Once authorisation has been obtained:
acquire local (Unix) credentials to run legacy jobs
enforce those credentials on
– the job being run, or
– the FTP session started
LCMAPS is the back-end service used by
– GT2-style edg-gatekeeper (LCG2)
– edg-GridFTP (LCG2)
– glexec/grid-sudo wrapper
– WorkSpace Service
LCMAPS – control flow
User authenticates using (VOMS) proxy
… do local authorization …
LCMAPS invoked
– Acquire all relevant credentials
– Enforce "external" credentials
– Enforce credentials on the current process tree at the end
– Order and function are policy-based
Run task (e.g. job manager)
[Diagram: Service → LCMAPS (Credential Acquisition & Enforcement) → CREDs → Task]
LCMAPS – functionality view
Unix mapping based on VOMS groups, roles, and capabilities
Possibly pool groups as well as pool accounts
Granularity set by the site administrator (see the example following)
Primary group set to first VOMS group – accounting
More than one VO/group per grid user allowed [but…]
Each unique VOMS FQAN listed translates into 1 Unix group id
Each user-FQAN combination translates into 1 Unix user id
New mechanisms could mitigate issues:
– groups-on-demand, supporting granularity at any level
– central user directory support (nss_LDAP, pam_ldap)
Not ready – and priorities have not been assigned to this yet.
VOMS to Unix domain mapping – example

# groupmapfile
"/EGEE/picard/*"            iteam
"/EGEE/picard/Role=Manager" iteamsgm
"/Wilma/Role=prod"          wilmgr
"/Wilma/*"                  .wilma
"/EGEE/riker/grp1"          rikerhg
"/EGEE/riker/grp2"          rikermed
"/EGEE/riker/grp3"          rikerlow
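The mapping the two preceding slides describe (one Unix group id per listed FQAN, the first VOMS group becoming the primary group, pool groups alongside pool accounts), as an added example that is not LCMAPS code and does not reproduce the behaviour of the real voms_localgroup plugin. It parses a constructed copy of the groupmapfile on this slide and maps a user's FQAN list to a primary and supplementary groups. Two points are assumptions, not stated on the slide: an exact entry is preferred over a wildcard entry when both match one FQAN, and a leading `.` on the group name marks a pool group from which each distinct FQAN is given its own instance (by analogy with pool accounts). The function and class names are hypothetical.

```python
"""Added example (not LCMAPS code): groupmapfile parsing and FQAN-to-group
mapping, following the rules summarised on the slides above."""
import fnmatch
import shlex

# Constructed copy of the slide's example groupmapfile.
GROUPMAPFILE = '''
# groupmapfile
"/EGEE/picard/*"            iteam
"/EGEE/picard/Role=Manager" iteamsgm
"/Wilma/Role=prod"          wilmgr
"/Wilma/*"                  .wilma
"/EGEE/riker/grp1"          rikerhg
"/EGEE/riker/grp2"          rikermed
"/EGEE/riker/grp3"          rikerlow
'''


def parse_groupmapfile(text):
    """Return a list of (fqan_pattern, group) pairs; '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # strips the quotes around the pattern
        if len(parts) != 2:
            raise ValueError(f"malformed groupmapfile line: {line!r}")
        entries.append((parts[0], parts[1]))
    return entries


def match_fqan(fqan, entries):
    """Pick exactly one group for one FQAN, or None if nothing matches.
    Assumption (not on the slide): an exact entry beats a wildcard entry;
    among wildcard entries the first in file order wins."""
    wildcard_hit = None
    for pattern, group in entries:
        if "*" not in pattern:
            if pattern == fqan:
                return group
        elif wildcard_hit is None and fnmatch.fnmatchcase(fqan, pattern):
            wildcard_hit = group
    return wildcard_hit


class PoolGroups:
    """Leading '.' marks a pool group (assumed, by analogy with pool accounts):
    each distinct FQAN is allocated its own instance, e.g. wilma001, wilma002,
    so that accounting can still tell the FQANs apart."""

    def __init__(self):
        self.assigned = {}    # (pool name, fqan) -> concrete group name
        self.counters = {}    # pool name -> last instance number handed out

    def resolve(self, group, fqan):
        if not group.startswith("."):
            return group
        key = (group, fqan)
        if key not in self.assigned:
            n = self.counters.get(group, 0) + 1
            self.counters[group] = n
            self.assigned[key] = f"{group[1:]}{n:03d}"
        return self.assigned[key]


def map_fqans(fqans, entries, pools):
    """Return (primary_group, supplementary_groups) for a user's FQAN list.
    The first mapped FQAN supplies the primary group (slide: 'primary group
    set to first VOMS group'); every other mapped FQAN adds one group."""
    groups = []
    for fqan in fqans:
        group = match_fqan(fqan, entries)
        if group is None:
            continue                      # FQAN not mapped at this site
        group = pools.resolve(group, fqan)
        if group not in groups:
            groups.append(group)
    if not groups:
        raise PermissionError("no FQAN maps to a local group")
    return groups[0], groups[1:]


if __name__ == "__main__":
    entries = parse_groupmapfile(GROUPMAPFILE)
    pools = PoolGroups()
    # Constructed FQAN list as VOMS would present it, most specific first.
    user_fqans = ["/EGEE/picard/Role=Manager",
                  "/EGEE/picard/Role=NULL/Capability=NULL",
                  "/Wilma/grp9/Role=NULL/Capability=NULL",
                  "/EGEE/riker/grp2"]
    print(map_fqans(user_fqans, entries, pools))
    # ('iteamsgm', ['iteam', 'wilma001', 'rikermed'])
```

The order of the FQAN list matters: VOMS puts the FQAN the user requested first, so the same user asking for `/EGEE/picard/Role=Manager` versus plain `/EGEE/picard` membership ends up with a different primary group, and therefore different accounting, which is exactly the coupling to Unix semantics the next slides call inflexible.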
Work Space Service
On the road towards virtualized resources: Work Space Service
Managed accounts
– enable life cycle management
– controlled account management (VO can request/release)
– "special" QoS requests
Use to request credentials (groups) with specific priorities?
WS-RF style GT4 service
– uses LCMAPS as a back-end
http://www.mcs.anl.gov/workspace/
LCMAPS usage in the job chain
[Diagram]
Summary
Control over running jobs is via site mechanisms
Authorization to (Java) services is part of the container
– Fine-grained control is left as a service-specific issue
– Standard hooks for this are about to appear
Mapping of credentials is required for legacy programs
– limited to Unix domain account mechanisms
– needs to remain manageable for site administrators
– scheduling/priorities based on Unix user and group names
– accounting based on (uid, gid) pairs
– Unix domain is not very flexible. Sorry.
Virtualisation is coming, but how far down the road?
EDG Gatekeeper (current)
[Flow diagram, "Ye Olde Gatekeeper": GSI AuthN accepts the TLS authentication and yields a GSS context + RSL; the Gatekeeper calls out to LCAS for authZ (GACL, timeslot and banned policies; example subject C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy with a VOMS pseudo-cert); LCMAPS is opened, learns and runs its plugins and returns the legacy uid (assist_gridmap); the Job Manager (Jobmanager-*) is then started by fork+exec with its args and submit script.]