Presentation is loading. Please wait.

Presentation is loading. Please wait.

Storage Element Security Jens G Jensen, WP5 Barcelona, 12-16 May 2003.

Published byEmory Harrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Storage Element Security Jens G Jensen, WP5 Barcelona, 12-16 May 2003."— Presentation transcript:

1 Storage Element Security Jens G Jensen, j.jensen@rl.ac.ukj.jensen@rl.ac.uk WP5 Barcelona, 12-16 May 2003

2 Contents Current Implementation File level access control User id in Mass Storage

3 Current implementation Apache path Uses standard Apache with mod_ssl …except for a GSI patch… …which doesn’t work with all proxies Web service path Uses Tomcat/Axis with Trustmanager plugin

4 The Copy problem (SRM)Copy copies a file from one SE to another: Copy('se.rl.ac.uk/moob/bazoink', 'se.cern.ch/fazop') –3 rd party copying –Creates the file in the target SE –Copies ACLs and other relevant metadata This does not (yet) exist! Requires delegation Of course we can steal the user’s proxy. But…

5 The Apache proxy problem If the root CA certificate is version 3 and has all the “right” extensions, then mod_ssl never sees the proxy-user-root certificate chain This is a problem with OpenSSL rather than something that can be fixed in mod_ssl Solutions… Application (SE core) Apache mod_ssl OpenSSL

6 Proxy problem, solutions… Use Globus GSI libraries? –Tricky, must be done in Apache where the socket is handled…? Rewrite the SSL verify callback? An “SSL-agent” which, similar to ssh-agent, stores the SSL context in a daemon that runs as the user + Can be used with any normal SSL server Secure, but need to modify clients (obviously) +/- Cannot be forwarded -Cannot be used from scripts

7 File level access control Need to authorise based on individual files: –permission(USER, SFN, operation)  {yes,no} Currently we use GACL –Permissions are {list, read, write, admin} We have an implementation but it is not yet integrated into the TB2.0 SE (it was written some time ago)

8 Multiple VOs Each VO has a separate namespace Everybody talks to the same port/endpoint Each user belongs to exactly one VO (pre- VOMS) The VO membership information is stored in a user profile (not a scalable solution) This information is usually generated from the gridmap file

9 A word about VOMS Bad news: VOMS may take some effort to support Good news: we expect others to do (most of) this work for us! If Trustmanager validates the VOMS proxy, the AUZ mgr must parse it and make the information avaliable to the core so the core can perform the authorisation If GACL handles the remaining tasks then it should be easy…? TRUST AUZ mgr (parse only) SE CORE GACL

10 Access and replication “Proper” model: –RM “owns” replicas, delegates permission to users Current model: –RM runs using the user’s credentails, so replicas are owned by that user… –What are ACLs on replicas? Presumably, Either RM must replicate ACLs along with the data (OK because users have admin permissions on the files they create) Or must use Copy() which automatically copies ACL However, Copy() doesn’t yet exist – needs delegation

11 User id in mass storage “Unfortunately”, users must be able to access files in MSS via non-SE (and non-Grid) paths This means: –MSS specific solutions (StFN, anyone?) –SE must run individual handlers as different local user ids (so need setuid root) –Local user id is picked from the gridmap pool –Group id is default group for the user

12 setuid root? A specific setuid wrapper wraps the handler that needs to run as a non-SE local user/group Wrapper is very small and does not depend on external libs (uses McNab’s gridmap code) DN is picked from environment! But… The wrapper refuses to run unless: –It is installed in the SE handler directory –It is installed using specific names (SE handler naming scheme) –It is run by the SE user only –SE user has no login shell [can be swicthed off at compile time] –It is run by a daemon [also compile time switch]

13 setuid root? When user uploads file to SE’s disk cache they typically write the file as a mapped local user (because the GridFTP server is not integrated into the SE, i.e. it runs as a separate application on the SE host) So we may need a setuid handler to chown to “se” How do we protect the SE’s disk cache? Non- integrated tools can write into cache, or modify files in cache Filenames in the cache are generally not human readable (guessable); files are generally world readable.

14 setuid root? Example from integration with WP2 software: Web service runs as user ‘tomcat4’ SE runs as user ‘se’ This is an integration problem – ideally everything should run as the same user Quick and dirty fix: Set permissions on edg_se_rmanman (common entry point into the core) to 4755: if run with effective uid root it immediately drops root privs by switching all user ids to ‘se’

15 VO production (subgroup) problem Some people in a VO must have write access to a directory, everybody else in the VO has read-only access. Gridmap file /PROD1/cmsprod1 /PROD2/cmsprod2 /USER1/cms001 /USER2/cms002 /USER3/cms003 /etc/passwd cmsprod1  w cmsprod2  w cms001  r cms002  r cms003  r Users with a “production DN” get mapped to a “VO” which in turn maps to a local user who has write permission in the MSS. The “normal” VO members get mapped to local read-only users.

Download ppt "Storage Element Security Jens G Jensen, WP5 Barcelona, 12-16 May 2003."

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
1 WP2: Data Management Paul Millar eScience All Hands Meeting September 2-4 2003.

1 WP2: Data Management Paul Millar eScience All Hands Meeting September
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
HEPiX Storage, Edinburgh 27-28 May 2004 SE Experiences Supporting Multiple Interfaces to Mass Storage J Jensen

HEPiX Storage, Edinburgh May 2004 SE Experiences Supporting Multiple Interfaces to Mass Storage J Jensen
J Jensen CCLRC RAL Data Management AUZN (mostly about SRM though) GGF 16, Athens J Jensen.

J Jensen CCLRC RAL Data Management AUZN (mostly about SRM though) GGF 16, Athens J Jensen.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.

Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
3 May 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
Andrew McNab - SlashGrid, HTTPS, fileGridSite SlashGrid, HTTPS and fileGridSite 30 October 2002 Andrew McNab, University of Manchester

Andrew McNab - SlashGrid, HTTPS, fileGridSite SlashGrid, HTTPS and fileGridSite 30 October 2002 Andrew McNab, University of Manchester
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues

Similar presentations

Ads by Google