Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester.

Published byJuliet Jacobs Modified over 8 years ago

Similar presentations

Presentation on theme: "Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester."— Presentation transcript:

1 Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester mcnab@hep.man.ac.uk

2 Andrew McNab - Dynamic Accounts - 2 July 2002 Outline u What we do in TB 1.2 u Dynamic Accounts details u SlashGrid u UID to DN map in SlashGrid u DN-based home directories u What we could do in TB1.3 u Benefits of using ACL’s u Grid ACL vs VoMS/CAS u Get rid of “UID domains”? u Certfs as native “container” hosting environment

3 Andrew McNab - Dynamic Accounts - 2 July 2002 What we do in TB1.2 u VO authorisation provided by LDAP VO services u mkgridmap used to periodically constructs grid-mapfile n entries have “.” as local user to invoke Dynamic Accounts patch u When a job or gsiftp session comes in, patched gridmap.c associates user’s DN with one of the pool of Dynamic Accounts. u Dynamic Accounts have Unix group membership, quotas etc set by local admin in normal way. u For jobs, Globus passes job to PBS etc. and the job is executed on a worker node as the pool user, using normal Unix permissions. u Home directories and grid-map files are NFS-shared n the delegated user proxy is accessible through this.

4 Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts details u Auditing possible since all DN=>UID mappings recorded in log files. u Same pool mappings are shared across a farm by sharing gridmapdir of lock files with NFS. u Existing system works ok for CPU+tmpfile only jobs. u But, all files owned by Unix UID of the Dynamic Account. u This means we cannot trivially recycle Dynamic Accounts n need to make sure all files they own are deleted when recycled n current Testbed sites only recycle accounts when they reinstall u Lack of recycling ok while Testbed is small, but want to be able to scale this all up, and leave it running for months/years on end n so will need recycling at some point

5 Andrew McNab - Dynamic Accounts - 2 July 2002 SlashGrid (“/grid”) u A framework for creating “Grid-aware” filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. n Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/ n RPM’s in datagrid.in2p3.fr repository work on RedHat 6.2, 7.x and can cope with you doing a Linux kernel build on a SlashGrid filesystem. u certfs.so plugin provides local storage governed by Access Control Lists based on DN’s, stored in a cache: /var/spool/slashgrid/grid u Since most ACL’s would have just one entry, this is equivalent to file ownership by DN rather than UID. n solves admin worries about long lived files owned by dynamic accounts. n if dynamic accounts are prevented from writing to normal disks, then no chance they will write something unpleasant somewhere unexpected.

6 Andrew McNab - Dynamic Accounts - 2 July 2002 UID to DN map in SlashGrid u This is done using gridmap mechanism if possible. n Uses standard Globus call / shared library, so local choice of Dynamic Accounts is used. n Since Testbed sites share grid-mapfile/gridmapdir via NFS, can access this on worker nodes. n Doesn’t rely on a credential a user process could fake (eg nominating someone else’s proxy in their home directory.) u If this fails, then a proxy /tmp/x509up_uNNN created by grid-proxy-init is looked for. n This allows interactive use of SlashGrid filesystems.

7 Andrew McNab - Dynamic Accounts - 2 July 2002 DN-based home directories u gmapfs plugin provides a virtual directory apparently populated with symbolic links. u gridmap mechanism used to derive mappings. u The links map usernames to url-encoded directory names n /grid/gmap/gpool023 -> /grid/home/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew%20McNab u This means Unix passwd file can list fixed home directories for Dynamic Accounts. u But the symbolic links will change in step with DN to UID mapping. u SlashGrid can work on top of NFS, so can use NFS-shared root- owned /var/spool/slashgrid/grid u SlashGrid daemon on the node maps this onto /grid, subject to ACL’s.

8 Andrew McNab - Dynamic Accounts - 2 July 2002 What we could do in TB1.3 u LDAP VO services / mkgridmap still used to construct grid-mapfile u When a job or gsiftp session comes in, patched gridmap.c still associates user’s DN with one of the pool of Dynamic Accounts. n gridmap.c creates home directory for user’s DN if doesn’t already exist. u Dynamic Accounts have no particular Unix group membership etc. u Job files etc created in home directory like /grid/home/O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew%20McNab u Globus passes job to PBS etc. and the job is executed on a worker node as the pool user. u User can read home directory, since SlashGrid can see the mapping in gridmap via NFS, and can access the underlying cache via NFS. u All files created are owned by the DN not the UID.

9 Andrew McNab - Dynamic Accounts - 2 July 2002 Benefits of using ACL’s u SlashGrid/certfs means we can replace UID ownership with DN ownership, but get other benefits too. u GACL library used to manipulate XML ACL’s. u This ACL format let’s you specify permissions individually: read, list, write, admin (= modify ACL) u … and different credentials such as VO groups or VoMS attributes in addition to user DN’s. u This means you can give read or write permission to groups of people, at the directory level. n (Intend to support file specific ACL’s in the future.)

10 Andrew McNab - Dynamic Accounts - 2 July 2002 Grid ACL vs VoMS/CAS u CAS provides ACL-like feature of specifying what action (eg write) is permissible on an object (eg tau-wg-montecarlo). u (If using lots of subgroups within a VO, could achieve much the same thing: eg define a group of people in tau-wg-montecarlo-write) u In some cases, this could be used to provide ACL functionality. u However, it is too coarse grained and too heavyweight for all contexts n eg if my job creates a temporary, working directory in /grid/tmp, I don’t want to setup a new entry on the central CAS machine to control this. u The two systems should be seen as complementary n when you create some tau Monte Carlo, put it somewhere the ACL gives write access for people with “tau-wg-montecarlo write.”) n when you just create a temporary directory, the ACL defaults to just the creator having admin access.

11 Andrew McNab - Dynamic Accounts - 2 July 2002 Future: get rid of “UID domains”? u Each testbed site currently constitutes a “UID domain” in which DN=>UID mappings must be consistent on all machines. n Currently achieved by sharing grid-mapfile or gridmapdir by NFS (or replicating with LCFG) u This arises from two major components: n NFS sharing of disks. n Local batch (usually PBS) by default assumes same UID on front and backend machines. u Would simplify recycling of pool accounts on gatekeeper if didn’t need to maintain this consistency: n gatekeeper would just allocate a pool UID which had no processes already running n if use “gsiftpfs” instead of NFS, then DN=>UID mappings done dynamically on SE etc too - getting rid of NFS is a worthy goal in its own right. n but, would need to configure / modify PBS etc to dynamically allocate a UID on backend node and copy proxy?

12 Andrew McNab - Dynamic Accounts - 2 July 2002 Certfs as container hosting environment u Some of the OGSA discussions make distinction between simple (eg native Linux) and container (eg Java or.NET) hosting environments. u The original motivation for “in a box” environments is security. u OGSA interest is in creating new services dynamically: this is easier if services are “in a box” to start with. u Certfs is motivated by desire to keep users from making long lived UID-owned files. u However, it is also a step towards the kind of dynamic environments OGSA talks about. u Is the answer to our concerns about security and our desire for flexible, dynamic services, to make Unix UID’s as transitory as Process Group ID’s?

13 Andrew McNab - Dynamic Accounts - 2 July 2002 Summary u Most of the concerns of admins are being addressed to some extent. u Current VO system is probably sufficient, but CAS would be more flexible. u Pool accounts are useful but limited by UID file ownership issues. u SlashGrid / certfs intended to provide solution to this. u Defining a Grid ACL format deals with other issues too. u Do this in XML: what format? u GACL library provides API for handling whatever is decided. u How far can we go towards make UID’s purely transitory?

Download ppt "Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester."

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.

Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.

Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:

Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:
BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.

BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Similar presentations

Ads by Google