
Status update on suexec , WSS, LCMAPS

This presentation covers the isolation and management of local accounts in the Workspace Service (WSS) and LCMAPS in the gLite Computing Element (CE): the implementation status of the suexec wrapper, the policy decision points used for local authorization, and the open issues and todo items. The integration with Condor and the two run-modes of the suexec wrapper are also discussed.





Presentation Transcript


  1. Status update on suexec, WSS, LCMAPS
     Martijn Steenbakkers for JRA3
     University of Amsterdam, NIKHEF

  2. Outline
     • Isolation (sandboxing)
     • WorkSpace Service (WSS) and LCMAPS
     • suexec wrapper program
       • How does this fit in the gLite CE?
       • Implementation status
       • Issues/todo
     • (Local) authorization
       • Policy Decision Points (PDPs)
     • Timeline
     • Next talk by Oscar: Job Repository (auditing)
     All hands meeting, Brno, 20-22 June 2005

  3. Isolation (sandboxing)
     • Roadmap
       • virtualization of resources (VM) or assigning of local credentials
       • should be indistinguishable from ‘outside’
     • EGEE Architecture
       • only based on credential mapping
       • do as little as possible with ‘root’ privileges: suexec
       • minimizing local management: poolaccounts & poolgroups
       • credential mapping and manipulation: LCMAPS
       • management capabilities on these accounts: WorkSpace Service (WSS)

  4. Workspace Service and LCMAPS
     Workspace Service (WSS) is part of GT4-core and in gLite-1 (preview)
     • Account creation and account management
       • Provides lifetime management and will provide quota management
       • Account clean-up mechanism:
         • Possibility to put account in quarantine first
         • Example clean-up script provided
     • Access control to Workspace Service based on DN and VOMS attr.
     • Access control to account
       • Currently based on DN
       • Will provide ACLs on VOMS attributes (?)
     • Support of poolaccounts
       • Clean-up of poolaccounts
       • Uses LCMAPS as a back-end to manage gridmapdir (poolindex)

  5. LCMAPS and the WSS in gLite-1
     [Diagram; the numbered flow is not recoverable from the transcript. Components: WMS, WorkSpace Service (quarantine and terminate), GK, LCMAPS with its plug-ins (poolaccount, vomspoolaccount, setuid/setgid) configured via lcmaps.db, groupmapfile and grid-mapfile, Gridmapdir poolindices, Condor schedd. Example gridmapdir entry: %2fo%3ddutchgrid%2fo%3dusers%2fo%3dnikhef%2fcn%3dmartijn%20steenbakkers%3atlas mapped to atlas001 […]]

  6. suexec wrapper
     Thin layer with root privileges will replace gatekeeper
     • Intended for identity-switching services:
       • condor, gridsite, globus gram, cream.
     • Internal
       • Uses LCMAPS/Workspace service as credential mapping mechanism
       • Executes the requested command with local credentials
     • External interface
       • Should be usable by C, java (, perl?) services: program executable.
       • A (user) credential should be passed to suexec.
       • In- and outgoing pipes, file descriptors should be preserved as much as possible.

  7. CE in gLite-2 (hybrid scenario)
     [Diagram; legend (colour coding not recoverable): controlled by site / controlled by VO. Components: WMS (broker), VO CE (Condor-C), Workspace Service, LCMAPS, suexec, fork?, user program (Blahp). Steps: 1. Start VO scheduler@CE; 2. Submit job to CE; 3. Run job/program. Labels: start service (gram?), user cred., map user cred to account.]

  8. CE in gLite-2 (full scenario)
     [Diagram; legend (colour coding not recoverable): controlled by site / controlled by VO. Components: WMS (broker), VO CE (Condor-C), Workspace Service, WSS bind service?, LCMAPS, suexec, fork?, user program (Blahp). Steps: 1. Start VO scheduler@CE; 2. Submit job to CE; 3. Run job/program. Labels: start service (gram?), user cred., token, verify token.]

  9. suexec implementation (1)
     • Started from apache suEXEC
       • Safe code, has proven itself
       • Works with apache (gridsite)
     • Input parameters:
       • Hybrid scenario: Environment variable with location of proxy (PEM-encoded)
       • Full scenario: Attribute certificate from WSS bind service.
       • Environment variable with mapcounter (to support multiple mappings per set of credentials)
       • Optional: the uid and gid to run the executable.

  10. suexec implementation (2)
     • Two run-modes depending on setuid bit settings:
       • suexec is setuid-root: setuid()/setgid() to local user in suexec code and execute the program
           -r-s--x--- 1 root apache /usr/sbin/gsuexec
       • suexec runs as special user: suexec uses sudo for identity switching and program execution:
           -r-s--x--- 1 gsuexec gsuexec /opt/glite/sbin/gsuexec
         • sudo preserves only stdin, stdout, stderr
         • sudo can be configured to allow the user “gsuexec” to run a predefined set of programs (blahpd, qsub)

  11. Todo/issues (1)
     Suexec
     • callout to lcmaps (almost ready, Hybrid scenario)
     • Allow suexec only to run programs from a list: /usr/bin/sudo, …?
     • Where should the fork() go?
       • Can create (small) C client wrapper lib that does the fork.
       • Needed for Java as well?
     • Need to chdir() to home directory? Need to chown() files (user proxy)?
     • Integration on the gLite prototype with Condor, (Cream?)
     • callout to the WSS (Full scenario).
     • Use as a backend for gt4 GRAM?
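Slide 10 describes the setuid-root run-mode, where the wrapper itself calls setuid()/setgid() before executing the program, and slide 11 raises restricting suexec to a list of programs. The C code below is an added example, not code from the presentation or from the gLite suexec, showing how a setuid-root wrapper drops privileges in the right order, verifies the drop is irreversible, and refuses to exec anything outside an exact-path allow list. The allow list entries are constructed (they echo the programs named on slides 10 and 11), and `program_allowed`, `drop_privileges`, `run_as` and `demo_drop` are hypothetical names; the uid/gid pair 65534 used when the self-test runs as root is an assumption about the local "nobody" account.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Programs the wrapper may exec, by absolute path. Constructed list echoing
 * slides 10 and 11; a real deployment decides its own. */
static const char *const allowed_programs[] = {
    "/usr/bin/sudo",
    "/opt/glite/bin/blahpd",
    "/usr/bin/qsub",
};

/* Return 1 only for an exact, absolute entry of the allow list. Prefix or
 * basename matching would let "/usr/bin/sudo/../../bin/sh" through, so the
 * path is compared whole and any "/../" component is rejected outright. */
int program_allowed(const char *path) {
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL) return 0;
    for (size_t i = 0; i < sizeof allowed_programs / sizeof allowed_programs[0]; i++)
        if (strcmp(path, allowed_programs[i]) == 0) return 1;
    return 0;
}

/* Drop root to the mapped local account. Order matters: supplementary
 * groups first, then the gid, then the uid; once the uid is gone, setgid()
 * would no longer be permitted. Never runs anything as uid 0 or gid 0.
 * Returns 0 on success, -errno of the failing call, -EPERM for uid/gid 0,
 * and -EACCES if the drop turns out to be incomplete or reversible. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -EPERM;
    if (geteuid() == 0) {
        /* Only root can clear the supplementary group list, and root must. */
        if (setgroups(0, NULL) != 0) return -errno;
    }
    if (setgid(gid) != 0) return -errno;
    if (setuid(uid) != 0) return -errno;
    /* setuid() as root sets real, effective and saved uid; confirm it, and
     * confirm that regaining root is impossible from here on. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -EACCES;
    if (setuid(0) == 0) return -EACCES;
    return 0;
}

/* Wrapper core: refuse programs outside the list, drop to the mapped
 * account, then exec. Open file descriptors survive execv() unless marked
 * close-on-exec, so the pipes set up by the calling service are preserved
 * (slide 6). Returns only on failure, with a negative errno. */
int run_as(uid_t uid, gid_t gid, char *const argv[]) {
    int rc;
    if (argv == NULL || !program_allowed(argv[0])) return -EACCES;
    if ((rc = drop_privileges(uid, gid)) != 0) return rc;
    execv(argv[0], argv);
    return -errno;
}

/* Self-test: when unprivileged, drop to the identity we already have (the
 * calls are permitted and must leave us unchanged); when run as root, drop
 * to the constructed unprivileged ids 65534/65534. Returns 0 on success. */
int demo_drop(void) {
    if (getuid() == 0) return drop_privileges((uid_t)65534, (gid_t)65534);
    return drop_privileges(getuid(), getgid());
}

int main(void) {
    const char *probe[] = { "/usr/bin/sudo", "/usr/bin/sudo/../../bin/sh", "sudo" };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s allowed=%d\n", probe[i], program_allowed(probe[i]));
    printf("privilege drop: %s\n", demo_drop() == 0 ? "ok" : "failed");
    return 0;
}
```

The post-drop `setuid(0)` probe is the check that distinguishes a real drop from a temporary one: if the saved set-user-ID still held root, that call would succeed, and the executed program could call it too. In the sudo run-mode of slide 10 this whole sequence is delegated to sudo, at the price of losing every descriptor except stdin, stdout and stderr.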

  12. Todo/issues (2)
     • Workspace service
       • Multiple account mapping support (ready, released today?)
       • Ban list (soon)
       • WSS bind service (NIKHEF can help)
         • ‘Proves’ that the caller of suexec is entitled to use the account
       • Callout to authZ service (SAML)
     • LCMAPS
       • Working on PEM interface (almost ready)
       • Verify proxy (including full/limited proxy check)
       • Not directly related to suexec (see DM security model):
         • dual certificate support
         • Plug into new globus gridftp server using standard GSI authZ callouts.

  13. Local Authorization
     • Roadmap
       • all assertions carried as SAML statements
       • all local (and global) policies expressed in XACML
       • separate authorization service using standard protocols
       • site policy, AND-ed with user and VO policy, evaluated together
       • policy evaluation never requires special local privs (‘root’)
     • EGEE Architecture
       • Authorization Framework (Java) and LCAS (C/C++ world)
       • both provide set of PDPs
       • Authorization Service via OGSA-AuthZ-WG spec (EGEE-2)
       • PDPs: user white/blacklist, VOMS-ACL, Proxy-lifetime, Limited proxy (OID) checks, peer-system name validation, central CRL checking

  14. Local Authorization - PDPs
     • Policy Decision Points (PDPs):
       • VOMS-ACL: Java authZ framework
       • proxy lifetime check: C + Java
         • SAAARG requirement 1.4.1.1 for proxies
       • Limited proxy check: C + Java
         • Decides to accept limited proxies or not
         • Old (gt2) style proxies: DN contains “CN=limited proxy”
         • RFC3820 proxies: check proxy policy language OID (defined by globus)
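Slide 14 lists the proxy lifetime and limited-proxy PDPs, with the two ways a limited proxy is recognised: the "CN=limited proxy" component of a GT2-style DN, or the proxy policy language OID of an RFC 3820 proxy. The C code below is an added example, not code from the presentation or from LCAS, implementing both decisions over the fields a PDP has after the certificate has been parsed. The RFC 3820 OIDs are the standard inheritAll and independent values; the limited-proxy OID is the one Globus defined for its proxy policy language and is not quoted on the slide, so verify it against your Globus headers. The lifetime limit is passed in as a parameter because the slide names the requirement (SAAARG 1.4.1.1) but not its value, and `classify_proxy`, `proxy_lifetime_permits` and `proxy_pdp_permits` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Proxy policy language OIDs. The two RFC 3820 values are standard; the
 * limited-proxy OID is Globus-defined (assumption: check your Globus build). */
#define OID_PPL_INHERIT_ALL "1.3.6.1.5.5.7.21.1"
#define OID_PPL_INDEPENDENT "1.3.6.1.5.5.7.21.2"
#define OID_GLOBUS_LIMITED  "1.3.6.1.4.1.3536.1.1.1.9"

enum proxy_kind { PROXY_NOT_A_PROXY, PROXY_FULL, PROXY_LIMITED, PROXY_UNKNOWN_POLICY };

/* Limited-proxy PDP input: the subject DN in OpenSSL one-line form and, for
 * RFC 3820 proxies, the policy-language OID from the proxyCertInfo
 * extension (NULL when the extension is absent). Legacy GT2 proxies carry
 * no extension and are recognised by their last CN component. */
enum proxy_kind classify_proxy(const char *subject_dn, const char *policy_oid) {
    if (policy_oid == NULL) {
        const char *cn = subject_dn ? strrchr(subject_dn, '/') : NULL;
        if (cn == NULL) return PROXY_NOT_A_PROXY;
        if (strcmp(cn, "/CN=limited proxy") == 0) return PROXY_LIMITED;
        if (strcmp(cn, "/CN=proxy") == 0) return PROXY_FULL;
        return PROXY_NOT_A_PROXY;
    }
    if (strcmp(policy_oid, OID_GLOBUS_LIMITED) == 0) return PROXY_LIMITED;
    if (strcmp(policy_oid, OID_PPL_INHERIT_ALL) == 0) return PROXY_FULL;
    /* independent or a site-specific policy language: fail closed */
    return PROXY_UNKNOWN_POLICY;
}

/* Lifetime PDP: permit only if the proxy is valid at time now and its
 * remaining lifetime does not exceed max_remaining seconds. A proxy that is
 * valid for much longer than a job needs widens the window in which a
 * stolen copy is useful, which is what the site limit bounds. */
int proxy_lifetime_permits(time_t not_before, time_t not_after, time_t now,
                           long max_remaining) {
    if (now < not_before || now >= not_after) return 0;
    return (long)(not_after - now) <= max_remaining;
}

/* Combined decision as LCAS would chain the two PDPs: a site that does not
 * accept limited proxies denies them, unknown policies are denied, and the
 * lifetime check applies to whatever remains. Returns 1 = permit, 0 = deny. */
int proxy_pdp_permits(const char *subject_dn, const char *policy_oid,
                      int accept_limited, time_t not_before, time_t not_after,
                      time_t now, long max_remaining) {
    enum proxy_kind k = classify_proxy(subject_dn, policy_oid);
    if (k == PROXY_NOT_A_PROXY || k == PROXY_UNKNOWN_POLICY) return 0;
    if (k == PROXY_LIMITED && !accept_limited) return 0;
    return proxy_lifetime_permits(not_before, not_after, now, max_remaining);
}

int main(void) {
    /* Constructed inputs: a GT2-style limited proxy of the DN on slide 5,
     * valid from t=0 to t=5000, evaluated at t=1000 with a 4000 s limit. */
    const char *dn = "/O=dutchgrid/O=users/O=nikhef/CN=martijn steenbakkers/CN=limited proxy";
    printf("limited, site refuses limited: %d\n",
           proxy_pdp_permits(dn, NULL, 0, 0, 5000, 1000, 4000));
    printf("limited, site accepts limited: %d\n",
           proxy_pdp_permits(dn, NULL, 1, 0, 5000, 1000, 4000));
    printf("RFC 3820 full proxy, too long-lived: %d\n",
           proxy_pdp_permits(dn, OID_PPL_INHERIT_ALL, 1, 0, 5000, 1000, 3000));
    return 0;
}
```

The unknown-policy branch is the part worth keeping in a real PDP: RFC 3820 allows arbitrary policy languages, and a PDP that only knows how to reject the Globus limited-proxy OID would otherwise accept a proxy whose restrictions it cannot evaluate.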

  15. Coarse timeline
     [Timeline figure not recoverable from the transcript.]

  16. References
     LCMAPS and LCAS: http://www.nikhef.nl/grid/lcaslcmaps/
     WorkSpace Service: http://www-unix.mcs.anl.gov/workspace/
     DJRA3.2: Site Access Control Architecture, https://edms.cern.ch/document/523948/
