transparencies - Indico
Download
Report
Transcript transparencies - Indico
Enabling Grids for E-sciencE
Status update on
suexec, WSS, LCMAPS
Martijn Steenbakkers for JRA3
University of Amsterdam, NIKHEF
www.eu-egee.org
INFSO-RI-508833
Outline
Enabling Grids for E-sciencE
• Isolation (sandboxing)
–
–
–
–
–
WorkSpace Service (WSS) and LCMAPS
suexec wrapper program
How does this fit in the gLite CE?
Implementation status
Issues/todo
• (Local) authorization
– Policy Decision Points (PDPs)
• Timeline
• Next talk by Oscar: Job Repository (auditing)
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
2
Isolation (sandboxing)
Enabling Grids for E-sciencE
• Roadmap
– virtualization of resources (VM) or assigning of local credentials
– should be indistinguishable from ‘outside’
• EGEE Architecture
–
–
–
–
–
only based on credential mapping
do as little as possible with ‘root’ privileges: suexec
minimizing local management: poolaccounts & poolgroups
credential mapping and manipulation: LCMAPS
management capabilities on these accounts: WorkSpace Service
(WSS)
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
5
Workspace Service and LCMAPS
Enabling Grids for E-sciencE
Workspace Service (WSS) is part of GT4-core and in gLite-1 (preview)
– Account creation and account management
• Provides lifetime management and will provide quota management
• Account clean-up mechanism:
– Possibility to put account in quarantine first
– Example clean-up script provided
• Access control to Workspace Service based on DN and VOMS attr.
• Access control to account
– Currently based on DN
– Will provide ACLs on VOMS attributes (?)
• Support of poolaccounts
– Clean-up of poolaccounts
– Uses LCMAPS as a back-end to manage gridmapdir (poolindex)
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
6
LCMAPS Workspace
and the
WSS in gLite-1
Service
Enabling Grids for E-sciencE
o
j
n
WMS
p
WorkSpace
m
Service
poolaccount
lq
quarantine
and terminate
k
GK
LCMAPS
Voms poolaccount
lcmaps.db
groupmapfile
grid-mapfile
Plug-ins
Setuid, setgid
Gridmapdir poolindices
%2fo%3ddutchgrid%2fo%3dusers%2
fo%3dnikhef%2fcn%3dmartijn%20s
teenbakkers%3atlas atlas001
[…]
r
Condor
schedd
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
7
suexec wrapper
Enabling Grids for E-sciencE
Thin layer with root privileges will replace gatekeeper
• Intended for identity-switching services:
– condor, gridsite, globus gram, cream.
• Internal
– Uses LCMAPS/Workspace service as credential mapping
mechanism
– Executes the requested command with local credentials
• External interface
– Should be usable by C, java (, perl?) services: program
executable.
– A (user) credential should be passed to suexec.
– In- and outgoing pipes, file descriptors should be preserved as
much as possible.
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
8
CE in gLite-2 (hybrid scenario)
Enabling Grids for E-sciencE
1. Start VO scheduler@CE
Start service
(gram?)
2. Submit job to CE
3. Run job/program
WMS (broker)
VO CE
(Condor-C)
User cred.
Workspace
Service
User cred.
fork?
suexec
LCMAPS
Map user cred
= controlled by site
= controlled by VO
INFSO-RI-508833
User program
(Blahp)
to account
All hands meeting, Brno, 20-22 June 2005
9
CE in gLite-2 (full scenario)
Enabling Grids for E-sciencE
1. Start VO scheduler@CE
Start service
(gram?)
2. Submit job to CE
3. Run job/program
WMS (broker)
VO CE
(Condor-C)
token
fork?
User cred.
WSS bind service?
Verify token
Workspace
Service
suexec
LCMAPS
= controlled by site
= controlled by VO
INFSO-RI-508833
User program
(Blahp)
All hands meeting, Brno, 20-22 June 2005
10
suexec implementation (1)
Enabling Grids for E-sciencE
• Started from apache suEXEC
– Safe code, has proven itself
– Works with apache (gridsite)
• Input parameters:
– Hybrid scenario: Environment variable with location of proxy
(PEM-encoded)
– Full scenario: Attribute certificate from WSS bind service.
– Environment variable with mapcounter (to support multiple
mappings per set of credentials)
– Optional: the uid and gid to run the executable.
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
11
suexec implementation (2)
Enabling Grids for E-sciencE
• Two run-modes depending on setuid bit settings:
– suexec is setuid-root: setuid()/setgid() to local user in suexec
code and execute the program
-r-s--x--- 1 root apache /usr/sbin/gsuexec
– suexec runs as special user: suexec uses sudo for identity
switching and program execution:
-r-s--x--- 1 gsuexec gsuexec /opt/glite/sbin/gsuexec
sudo preserves only stdin, stdout, stderr
sudo can be configured to allow the user “gsuexec” to run a
predefined set of programs (blahpd, qsub)
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
12
Todo/issues (1)
Enabling Grids for E-sciencE
Suexec
•
callout to lcmaps (almost ready, Hybrid scenario)
•
•
Allow suexec only to run programs from a list: /usr/bin/sudo, …?
Where should the fork() go?
– Can create (small) C client wrapper lib that does the fork.
– Needed for Java as well?
•
Need to chdir() to home directory? Need to chown() files (user
proxy)?
•
Integration on the gLite prototype with Condor, (Cream?)
•
•
callout to the WSS (Full scenario).
Use as a backend for gt4 GRAM?
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
13
Todo/issues (2)
Enabling Grids for E-sciencE
• Workspace service
– Multiple account mapping support (ready, released today?)
– Ban list (soon)
– WSS bind service (NIKHEF can help)
‘Proves’ that the caller of suexec is entitled to use the account
– Callout to authZ service (SAML)
• LCMAPS
– Working on PEM interface (almost ready)
– Verify proxy (including full/limited proxy check)
– Not directly related to suexec (see DM security model):
dual certificate support
Plug into new globus gridftp server using standard GSI authZ
callouts.
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
14
Local Authorization
Enabling Grids for E-sciencE
• Roadmap
–
–
–
–
–
all assertions carried as SAML statements
all local (and global) policies expressed in XACML
separate authorization service using standard protocols
site policy, AND-ed with user and VO policy, evaluated together
policy evaluation never requires special local privs (‘root’)
• EGEE Architecture
–
–
–
–
Authorization Framework (Java) and LCAS (C/C++ world)
both provide set of PDPs
Authorization Service via OGSA-AuthZ-WG spec (EGEE-2)
PDPs:
user white/blacklist, VOMS-ACL, Proxy-lifetime, Limited proxy
(OID) checks, peer-system name validation, central CRL
checking
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
15
Local Authorization - PDPs
Enabling Grids for E-sciencE
• Policy Decision Points (PDPs):
– VOMS-ACL: Java authZ framework
– proxy lifetime check: C + Java
SAAARG requirement 1.4.1.1 for proxies
– Limited proxy check: C + Java
Decides to accept limited proxies or not
Old (gt2) style proxies: DN contains “CN=limited proxy”
RFC3820 proxies: check proxy policy language OID (defined by
globus)
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
16
Coarse timeline
Enabling Grids for E-sciencE
suexec
Prototype hybrid scenario
July
Full scenario
October
LCMAPS
Dual certificate support
October (?)
Hooked into new gridftp server
August
PDPs
VOMS ACL (java)
September
Proxy lifetime check (C+Java)
September
Limited proxy check (C+Java)
September
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
17
References
Enabling Grids for E-sciencE
LCMAPS and LCAS
http://www.nikhef.nl/grid/lcaslcmaps/
WorkSpace Service
http://www-unix.mcs.anl.gov/workspace/
DJRA3.2 : Site Access Control Architecture
https://edms.cern.ch/document/523948/
INFSO-RI-508833
All hands meeting, Brno, 20-22 June 2005
18