lcas and lcmaps
Download
Skip this Video
Download Presentation
LCAS and LCMAPS

Loading in 2 Seconds...

play fullscreen
1 / 22

LCAS and LCMAPS - PowerPoint PPT Presentation


  • 128 Views
  • Uploaded on

LCAS and LCMAPS. David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp. Talk Outline. Introduction on AuthN & AuthZ in EDG Why do we need VOMS, LCAS, LCMAPS … ? Gridification architecture LCAS Architecture, plug-ins, examples LCMAPS Architecture, plug-ins

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' LCAS and LCMAPS' - hyman


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
lcas and lcmaps

LCAS and LCMAPS

David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp

talk outline
Talk Outline
  • Introduction on AuthN & AuthZ in EDG
    • Why do we need VOMS, LCAS, LCMAPS … ?
  • Gridification architecture
  • LCAS
    • Architecture, plug-ins, examples
  • LCMAPS
    • Architecture, plug-ins
    • Policy languange (PDL)
    • examples
  • Job Repository
  • Status and Future Developments
authn authz in edg 1
AuthN & AuthZ in EDG (1)
  • GLOBUS
    • Authentication: Grid Security Infrastructure (GSI)
      • X509 certificates (PKI), Certificate Authorities
      • Mutual authentication
      • Single sign-on, proxy delegation
    • Authorization: grid-mapfile
      • Grid credentials (user’s Certificate) to local credentials (unix account) mapping
      • “Boolean” authorization
      • Information provided via VO-LDAP servers (EDG)
      • Managed “manually” by the resource admin (via mkgridmap, EDG)
  • Problems
    • No centralization
    • No scalability
    • Lack of flexibility
  • Problems addressed by VOMS, LCAS/LCMAPS
authn authz in edg 2

Authentication

Request

OK

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

Query

AuthDB

VOMSpseudo-cert

VOMSpseudo-cert

VOMS

user

AuthN & AuthZ in EDG (2)
  • VOMS (VO Membership Service)
    • authorization at VO level
    • Each VO has its own VOMS
    • VO affiliation assertions embedded in proxy
    • Support for group membership, roles, capabilities
    • A user can be member of many VOs
  • LCAS/LCMAPS
    • Separated pure authZ (LCAS) from user account mapping (LCMAPS)
    • Flexible/dynamic assignment of local credentials
    • Resource manager remains in full control
wp4 gridification components
WP4 Gridification components

Resource

Broker

Resource

(WP1)

Broker

WP4 non

-

gridification

WP4 non

-

gridification

(WP1)

Gridification component

Gridification component

Resource request in RSL

in VOMS-signed established

Security context

Non

-

WP4 subsystem

Non

-

WP4 subsystem

External to fabric

Internal to fabric

CE

plugins

LCAS

-

SE

(EDG

-

)Gatekeeper

SE

(EDG

-

)Gatekeeper

allow list

allow list

wallclocktime

wallclocktime

StorageElement

(WP5)

ban list

ban list

Jobmanager

VOMS/GACL

Jobmanager

VOMS/GACL

RMS

RMS

plugins

LCMAPS

-

Worker

Policy

farms

Worker

JobRepository

uid/gid

uid/gid

node

node

(Configuration Mgmt)

other tokens

other tokens

Enforce

Enforce

credentials

credentials

authn authz control flow in gk

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

Ye Olde Gatekeeper

GSI auth

VOMSpseudo-cert

assist_gridmap

Jobmanager-*

AuthN, AuthZ control flow in GK

Gatekeeper

LCAS

accept

policy

allowed

GSI AuthN

timeslot

LCAS authZ call out

banned

  • LCMAPS open, learn,&run:
  • … and return legacy uid

Job Manager

fork+exec args, submit script

slide7
LCAS
  • Local Centre Authorization Service (LCAS)
  • Handles authorization requests to local fabric
    • Authorization decisions based on proxy user certificate and job specification (RSL)
    • Supports grid-mapfile mechanism and/or GACL
  • Plug-in framework (hooks for external authorization plug-ins)
    • Allowed users (grid-mapfile or allowed_users.db)
    • Banned users (ban_users.db)
    • Available timeslots (timeslots.db)
    • Plug-in for VOMS (to process Authorization data)
      • Uses VOMS API
      • authZ policy in GACL format (or grid-mapfile)
      • Convenience tool to convert grid-mapfile into GACL format: edg-lcas-voms2gacl
lcas ban user db
LCAS - ban_user.db

# This file contains the globus user ids that are BANNED from this fabric"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"

lcas timeslots db
LCAS - timeslots.db

# This file contains the time slots for which the fabric# is available for Grid jobs# Format:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2# max range: [0-59] [0-23] [1-31] [1-12] [1970-...] [0-6]## wday:# 0-6 = Sunday-Saturday# 5-3 = Friday-Wednesday## \'*\' means the maximum range# <val>- means from <val> to maximum value## The wall clock time should match at least one time slot for authorization# The wall clock time matches if:# (hour1:minute1) <= (hour:minute) <= (hour2:minute2) # AND (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)# AND (wday1) <= (wday) <= (wday2)## If the fabric is open on working days from 8:30-18:00 h, from 1 July 2002 till 15 January 2003# the following line should be added:# 30-0 8-18 1-15 7-1 2002-2003 1-5# If the fabric is open from 18:00-7:00 h, two time slots should be used:# 18:00-24:00 and 0:00-7:00# # 0-0 18-24 * * * *# 0-0 0-7 * * * *# If the fabric is always open the following line should be uncommented:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2* * * * * *0-0 23-24 * * * *

lcas lcas gacl
LCAS - lcas.gacl

<?xml version="1.0"?><gacl version="0.0.1"><entry><person><dn>/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen</dn></person><allow><read/><write/></allow><deny><admin/></deny></entry>

<entry><voms-cred><vo>iteam</vo><group>/iteam</group></voms-cred><allow><read/><write/></allow><deny><list/><admin/></deny></entry></gacl>

lcmaps
LCMAPS
  • Local Credential MAPping Service
  • Backward compatible with existing systems (grid-mapfile, AFS)
  • Provides local credentials needed for jobs in fabric
    • Mapping based on user identity, VO affiliation, site-local policy
    • Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5
    • Pool accounts, Pool groups
  • Support for multiple VOs per user (and thus multiple UNIX groups)
  • Plug-in framework
    • driven by comprehensive policy language: PDL
    • Extendible
    • Credential acquisition and enforcement plug-ins
  • Boundary conditions
    • Has to run in privileged mode
    • Has to run in process space of incoming connection (for fork jobs)
lcmaps control flow
LCMAPS – control flow

GK

LCMAPS

  • User authenticates using (VOMS) proxy
  • LCMAPS library invoked
    • Acquire all relevant credentials
    • Enforce “external” credentials
    • Enforce credentials on current process tree at the end
  • Run job manager
    • Fork will be OK by default
    • Batch systems may need primary group explicitly
    • Batch systems will need updated (distributed) UNIX account info
  • Order and function: policy-based

Credential Acquisition

& Enforcement

CREDs

Job Mngr

lcmaps invocation and running
LCMAPS – invocation and running

LCMAPS

Plugin Mngr

Evaluation Mngr

any Plug-in

from GK

Local init

Initialize

Load policy

Load all

Initialize all

Introspect for API

Evaluate policy

Run

Run plugin and report

Terminate

terminations

lcmaps modules
LCMAPS - modules
  • Modules represent atomic functionality
  • VOMS acquisition modules:
    • Voms extract: extract VOMS info from proxy
    • Voms local group: from VOMS attributes assign GID
    • Voms pool group: from VOMS attributes assign GID from pool
    • Voms pool account: from VOMS attributes, DN and GIDs assign UID from pool
  • Standard acquisition modules:
    • Local account: from user DN assign local UID
    • pool account: from user DN assign UID from pool
  • Enforcement modules
    • POSIX enforcement: setreuid(), setregid() and setgroups() in gatekeeper process
    • LDAP enforcement: update distributed user database
  • In progress
    • Get AFS/Krb5 token based on user DN (gssklog)
lcmaps policy description language
LCMAPS – Policy Description Language

State machine approach:

# LCMAPS policy file/plugin definition## default pathpath = /opt/edg/lib/lcmaps/modules# Plugin definitions:localaccount = "lcmaps_localaccount.mod" "-gridmapfile [...]"posix_enf = "lcmaps_posix_enf.mod"vomsextract = "lcmaps_voms.mod" "-vomsdir [...]" "-certdir [...]"vomslocalgroup = "lcmaps_voms_localgroup.mod" "-groupmapfile "[...]" "-mapmin 1"vomspoolgroup = "lcmaps_voms_poolgroup.mod" "-groupmapfile [...]" "-groupmapdir [...]"vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile [...]" "-gridmapdir [...]"ldap_enf = "lcmaps_ldap_enf.mod" "[...]"# Policies:vomspolicy:localaccount -> posix_enf | vomsextractvomsextract -> vomslocalgroupvomslocalgroup -> vomspoolgroupvomspoolgroup -> vomspoolaccount | vomspoolaccountvomspoolaccount -> ldap_enfldap_enf -> posix_enf

FALSE

VOMS extract

Start here

Local Account

TRUE

VOMS Local Group

POSIX Enforcement

VOMS Pool Group

LDAP Enforcement

VOMS Pool Account

lcmaps voms groupmapfile
LCMAPS – VOMS groupmapfile

# Example groupmapfile:# Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"# will be added to the local group "fredje""/VO=fred/GROUP=fred/ROLE=husband" fredje# All users from VO wilma will be added to the allocated pool group "pool[1-9]*"#"/VO=wilma/GROUP=*" .pool# For the ITeam VO:"/VO=iteam/GROUP=/iteam*" iteam# For the wpsix VO:"/VO=WP6/GROUP=/WP6*" wpsix

lcmaps ldap and afs
LCMAPS – LDAP and AFS
  • LDAP enforcement plug-in
    • Updates a central LDAP user directory
    • Secure (as opposed to NIS)
    • more flexible
  • AFS plug-in
    • Gives local AFS access
    • Uses gssklog to obtain AFS token
    • Requires gssklog daemon to run on the AFS server
    • Mapping DN to AFS user maintained in gssklog mapfile
job repository intro
Job Repository – Intro.
  • What?
    • JB is a Relational Database
    • The data consist of user info. with X509 certs, Job info., VOMS info., Credential info. and the links between these types of info. for every Job
  • Why?
    • Central repository, Logging, Accounting, Auditing
  • Where?
    • CE – Plug-in for LCMAPS
    • CE - Various scripts controlled by the Job Manager
    • The database has to be installed close to (or on) the CE.
job repository
Job Repository
  • How?
    • ODBC layer
    • Currently a MySQL backend
    • Multiple programs/scripts gathering information
  • Who?
    • Sys-admins (only)
    • A new tool for LCG needs to get the local GIDs from the VOMS info
job repository the db layout
Job Repository – The DB Layout

Users

User certificates

VOMS

* Update needed outside

the LCMAPS Plugin

To get all info.

Jobs*

VOMS Issuer

Job Status*

Issuer Certificates

Credentials (UID/GIDs)

status
Status
  • LCAS and LCMAPS
    • Incorporated in EDG 2.1
    • Deployed on application testbed since last week
    • AFS plug-in almost completed
  • Job Repository
    • LCMAPS plug-in nearing completion
    • Small changes needed to LCMAPS code for VOMS-to-GID tool
  • Documentation:
    • http://www.dutchgrid.nl/DataGrid/wp4/lcas/edg-lcas-1.1/
    • http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps-0.0.16
future developments
Future developments
  • LCAS, LCMAPS (and the JobRep?) will be part of EGEE
  • gridFTP will be patched to use LCAS and LCMAPS
  • LCAS will evolve into an authorization service and take on the use of XACML to express VO access control
  • DAGGR (?): Authorization Decision Service
  • LCAS and LCMAPS will also interface to the AuthZ call-outs in GT3
ad