Lcas and lcmaps
This presentation is the property of its rightful owner.
Sponsored Links
1 / 22

LCAS and LCMAPS PowerPoint PPT Presentation


  • 96 Views
  • Uploaded on
  • Presentation posted in: General

LCAS and LCMAPS. David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp. Talk Outline. Introduction on AuthN & AuthZ in EDG Why do we need VOMS, LCAS, LCMAPS … ? Gridification architecture LCAS Architecture, plug-ins, examples LCMAPS Architecture, plug-ins

Download Presentation

LCAS and LCMAPS

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Lcas and lcmaps

LCAS and LCMAPS

David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp


Talk outline

Talk Outline

  • Introduction on AuthN & AuthZ in EDG

    • Why do we need VOMS, LCAS, LCMAPS … ?

  • Gridification architecture

  • LCAS

    • Architecture, plug-ins, examples

  • LCMAPS

    • Architecture, plug-ins

    • Policy languange (PDL)

    • examples

  • Job Repository

  • Status and Future Developments


Authn authz in edg 1

AuthN & AuthZ in EDG (1)

  • GLOBUS

    • Authentication: Grid Security Infrastructure (GSI)

      • X509 certificates (PKI), Certificate Authorities

      • Mutual authentication

      • Single sign-on, proxy delegation

    • Authorization: grid-mapfile

      • Grid credentials (user’s Certificate) to local credentials (unix account) mapping

      • “Boolean” authorization

      • Information provided via VO-LDAP servers (EDG)

      • Managed “manually” by the resource admin (via mkgridmap, EDG)

  • Problems

    • No centralization

    • No scalability

    • Lack of flexibility

  • Problems addressed by VOMS, LCAS/LCMAPS


Authn authz in edg 2

Authentication

Request

OK

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

Query

AuthDB

VOMSpseudo-cert

VOMSpseudo-cert

VOMS

user

AuthN & AuthZ in EDG (2)

  • VOMS (VO Membership Service)

    • authorization at VO level

    • Each VO has its own VOMS

    • VO affiliation assertions embedded in proxy

    • Support for group membership, roles, capabilities

    • A user can be member of many VOs

  • LCAS/LCMAPS

    • Separated pure authZ (LCAS) from user account mapping (LCMAPS)

    • Flexible/dynamic assignment of local credentials

    • Resource manager remains in full control


Wp4 gridification components

WP4 Gridification components

Resource

Broker

Resource

(WP1)

Broker

WP4 non

-

gridification

WP4 non

-

gridification

(WP1)

Gridification component

Gridification component

Resource request in RSL

in VOMS-signed established

Security context

Non

-

WP4 subsystem

Non

-

WP4 subsystem

External to fabric

Internal to fabric

CE

plugins

LCAS

-

SE

(EDG

-

)Gatekeeper

SE

(EDG

-

)Gatekeeper

allow list

allow list

wallclocktime

wallclocktime

StorageElement

(WP5)

ban list

ban list

Jobmanager

VOMS/GACL

Jobmanager

VOMS/GACL

RMS

RMS

plugins

LCMAPS

-

Worker

Policy

farms

Worker

JobRepository

uid/gid

uid/gid

node

node

(Configuration Mgmt)

other tokens

other tokens

Enforce

Enforce

credentials

credentials


Authn authz control flow in gk

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

Ye Olde Gatekeeper

GSI auth

VOMSpseudo-cert

assist_gridmap

Jobmanager-*

AuthN, AuthZ control flow in GK

Gatekeeper

LCAS

accept

policy

allowed

GSI AuthN

timeslot

LCAS authZ call out

banned

  • LCMAPS open, learn,&run:

  • … and return legacy uid

Job Manager

fork+exec args, submit script


Lcas and lcmaps

LCAS

  • Local Centre Authorization Service (LCAS)

  • Handles authorization requests to local fabric

    • Authorization decisions based on proxy user certificate and job specification (RSL)

    • Supports grid-mapfile mechanism and/or GACL

  • Plug-in framework (hooks for external authorization plug-ins)

    • Allowed users (grid-mapfile or allowed_users.db)

    • Banned users (ban_users.db)

    • Available timeslots (timeslots.db)

    • Plug-in for VOMS (to process Authorization data)

      • Uses VOMS API

      • authZ policy in GACL format (or grid-mapfile)

      • Convenience tool to convert grid-mapfile into GACL format: edg-lcas-voms2gacl


Lcas ban user db

LCAS - ban_user.db

# This file contains the globus user ids that are BANNED from this fabric"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"


Lcas timeslots db

LCAS - timeslots.db

# This file contains the time slots for which the fabric# is available for Grid jobs# Format:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2# max range: [0-59] [0-23] [1-31] [1-12] [1970-...] [0-6]## wday:# 0-6 = Sunday-Saturday# 5-3 = Friday-Wednesday## '*' means the maximum range# <val>- means from <val> to maximum value## The wall clock time should match at least one time slot for authorization# The wall clock time matches if:# (hour1:minute1) <= (hour:minute) <= (hour2:minute2) # AND (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)# AND (wday1) <= (wday) <= (wday2)## If the fabric is open on working days from 8:30-18:00 h, from 1 July 2002 till 15 January 2003# the following line should be added:# 30-0 8-18 1-15 7-1 2002-2003 1-5# If the fabric is open from 18:00-7:00 h, two time slots should be used:# 18:00-24:00 and 0:00-7:00# # 0-0 18-24 * * * *# 0-0 0-7 * * * *# If the fabric is always open the following line should be uncommented:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2* * * * * *0-0 23-24 * * * *


Lcas lcas gacl

LCAS - lcas.gacl

<?xml version="1.0"?><gacl version="0.0.1"><entry><person><dn>/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen</dn></person><allow><read/><write/></allow><deny><admin/></deny></entry>

<entry><voms-cred><vo>iteam</vo><group>/iteam</group></voms-cred><allow><read/><write/></allow><deny><list/><admin/></deny></entry></gacl>


Lcmaps

LCMAPS

  • Local Credential MAPping Service

  • Backward compatible with existing systems (grid-mapfile, AFS)

  • Provides local credentials needed for jobs in fabric

    • Mapping based on user identity, VO affiliation, site-local policy

    • Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5

    • Pool accounts, Pool groups

  • Support for multiple VOs per user (and thus multiple UNIX groups)

  • Plug-in framework

    • driven by comprehensive policy language: PDL

    • Extendible

    • Credential acquisition and enforcement plug-ins

  • Boundary conditions

    • Has to run in privileged mode

    • Has to run in process space of incoming connection (for fork jobs)


Lcmaps control flow

LCMAPS – control flow

GK

LCMAPS

  • User authenticates using (VOMS) proxy

  • LCMAPS library invoked

    • Acquire all relevant credentials

    • Enforce “external” credentials

    • Enforce credentials on current process tree at the end

  • Run job manager

    • Fork will be OK by default

    • Batch systems may need primary group explicitly

    • Batch systems will need updated (distributed) UNIX account info

  • Order and function: policy-based

Credential Acquisition

& Enforcement

CREDs

Job Mngr


Lcmaps invocation and running

LCMAPS – invocation and running

LCMAPS

Plugin Mngr

Evaluation Mngr

any Plug-in

from GK

Local init

Initialize

Load policy

Load all

Initialize all

Introspect for API

Evaluate policy

Run

Run plugin and report

Terminate

terminations


Lcmaps modules

LCMAPS - modules

  • Modules represent atomic functionality

  • VOMS acquisition modules:

    • Voms extract: extract VOMS info from proxy

    • Voms local group: from VOMS attributes assign GID

    • Voms pool group: from VOMS attributes assign GID from pool

    • Voms pool account: from VOMS attributes, DN and GIDs assign UID from pool

  • Standard acquisition modules:

    • Local account: from user DN assign local UID

    • pool account: from user DN assign UID from pool

  • Enforcement modules

    • POSIX enforcement: setreuid(), setregid() and setgroups() in gatekeeper process

    • LDAP enforcement: update distributed user database

  • In progress

    • Get AFS/Krb5 token based on user DN (gssklog)


Lcmaps policy description language

LCMAPS – Policy Description Language

State machine approach:

# LCMAPS policy file/plugin definition## default pathpath = /opt/edg/lib/lcmaps/modules# Plugin definitions:localaccount = "lcmaps_localaccount.mod" "-gridmapfile [...]"posix_enf = "lcmaps_posix_enf.mod"vomsextract = "lcmaps_voms.mod" "-vomsdir [...]" "-certdir [...]"vomslocalgroup = "lcmaps_voms_localgroup.mod" "-groupmapfile "[...]" "-mapmin 1"vomspoolgroup = "lcmaps_voms_poolgroup.mod" "-groupmapfile [...]" "-groupmapdir [...]"vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile [...]" "-gridmapdir [...]"ldap_enf = "lcmaps_ldap_enf.mod" "[...]"# Policies:vomspolicy:localaccount -> posix_enf | vomsextractvomsextract -> vomslocalgroupvomslocalgroup -> vomspoolgroupvomspoolgroup -> vomspoolaccount | vomspoolaccountvomspoolaccount -> ldap_enfldap_enf -> posix_enf

FALSE

VOMS extract

Start here

Local Account

TRUE

VOMS Local Group

POSIX Enforcement

VOMS Pool Group

LDAP Enforcement

VOMS Pool Account


Lcmaps voms groupmapfile

LCMAPS – VOMS groupmapfile

# Example groupmapfile:# Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"# will be added to the local group "fredje""/VO=fred/GROUP=fred/ROLE=husband" fredje# All users from VO wilma will be added to the allocated pool group "pool[1-9]*"#"/VO=wilma/GROUP=*" .pool# For the ITeam VO:"/VO=iteam/GROUP=/iteam*" iteam# For the wpsix VO:"/VO=WP6/GROUP=/WP6*" wpsix


Lcmaps ldap and afs

LCMAPS – LDAP and AFS

  • LDAP enforcement plug-in

    • Updates a central LDAP user directory

    • Secure (as opposed to NIS)

    • more flexible

  • AFS plug-in

    • Gives local AFS access

    • Uses gssklog to obtain AFS token

    • Requires gssklog daemon to run on the AFS server

    • Mapping DN to AFS user maintained in gssklog mapfile


Job repository intro

Job Repository – Intro.

  • What?

    • JB is a Relational Database

    • The data consist of user info. with X509 certs, Job info., VOMS info., Credential info. and the links between these types of info. for every Job

  • Why?

    • Central repository, Logging, Accounting, Auditing

  • Where?

    • CE – Plug-in for LCMAPS

    • CE - Various scripts controlled by the Job Manager

    • The database has to be installed close to (or on) the CE.


Job repository

Job Repository

  • How?

    • ODBC layer

    • Currently a MySQL backend

    • Multiple programs/scripts gathering information

  • Who?

    • Sys-admins (only)

    • A new tool for LCG needs to get the local GIDs from the VOMS info


Job repository the db layout

Job Repository – The DB Layout

Users

User certificates

VOMS

* Update needed outside

the LCMAPS Plugin

To get all info.

Jobs*

VOMS Issuer

Job Status*

Issuer Certificates

Credentials (UID/GIDs)


Status

Status

  • LCAS and LCMAPS

    • Incorporated in EDG 2.1

    • Deployed on application testbed since last week

    • AFS plug-in almost completed

  • Job Repository

    • LCMAPS plug-in nearing completion

    • Small changes needed to LCMAPS code for VOMS-to-GID tool

  • Documentation:

    • http://www.dutchgrid.nl/DataGrid/wp4/lcas/edg-lcas-1.1/

    • http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps-0.0.16


Future developments

Future developments

  • LCAS, LCMAPS (and the JobRep?) will be part of EGEE

  • gridFTP will be patched to use LCAS and LCMAPS

  • LCAS will evolve into an authorization service and take on the use of XACML to express VO access control

  • DAGGR (?): Authorization Decision Service

  • LCAS and LCMAPS will also interface to the AuthZ call-outs in GT3


  • Login