Why you should care about glexec
OSG Site Administrator’s Meeting
Written by Igor Sfiligoi, presented by Alain Roy
Hint: It’s about security.


2 Traditional Grid Jobs (OSG All-Hands, March 3, 2008)

- User jobs come through the gatekeeper
  - You see all jobs come in
  - You ensure they run as the correct user
  - You can do accounting

[Diagram labels: Gatekeeper, Batch, Worker node, Job, Resource Broker, GUMS]

3 Pilot Grid Jobs

- User jobs don't come through the gatekeeper
  - Only pilots enter via gatekeeper
  - Each pilot accepts work from VO
- You don’t see user jobs
  - No local authorization, no accounting
  - All user jobs share same user id

[Diagram labels: Gatekeeper, Batch, Worker node, Job, VO Queue, GUMS, Pilot Factory]

4 Pilot user jobs share user ids!

- "Hey, mind if I borrow your proxy?"
- "Oops, was that your file?"
- gLExec will solve this problem

5 Pilot jobs are in use today

- Two VOs are actively using Pilot jobs
  - CDF
  - ATLAS
- Others are about to start using them
  - CMS
  - MINOS
- Pilot jobs are here to stay

6 Pilot Grid Jobs with gLExec

- User jobs started using gLExec
  - Authorized with local authorization tools (GUMS)
  - Correct user ID used to start job

[Diagram labels: Gatekeeper, Batch, Worker node, Job, VO Queue, GUMS, Pilot Factory, gLExec]

7 What is gLExec

- A Grid-aware suExec derivative
  - Allows execution of commands as a different user
  - Authorization and mapping based on X.509 proxy
- A privileged executable (setuid to root)
  - Needed to switch identities
- Pluggable architecture
  - PRIMA/GUMS plugin used by default in OSG

8 gLExec IS a privileged executable

- gLExec is NOT a privileged service
  - Not listening on any network port
- gLExec is a privileged executable
  - Will run as root at least part of the time
  - A bug can potentially give an attacker root privileges
- gLExec has been audited by EGEE for potential security problems
  - None have been found
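The identity switch that makes a setuid-root helper sensitive, written as an added example (this is not gLExec's own code). The function names, the result codes, the `MIN_TARGET_ID` floor and the 1000:1000 target are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed policy floor (hypothetical value), like suExec's minimum-ID checks. */
#define MIN_TARGET_ID 500

enum switch_result { SW_OK, SW_REFUSED, SW_GROUPS, SW_GID, SW_UID, SW_NOT_DROPPED };

/* Never map a grid user onto root, a system account, or the -1 sentinel. */
int target_allowed(uid_t uid, gid_t gid)
{
    if (uid == (uid_t)-1 || gid == (gid_t)-1)
        return 0;
    return uid >= MIN_TARGET_ID && gid >= MIN_TARGET_ID;
}

/* Permanently become uid:gid. Expects to start with effective uid 0. */
enum switch_result switch_identity(uid_t uid, gid_t gid)
{
    if (!target_allowed(uid, gid))
        return SW_REFUSED;
    /* Order matters: groups and gid must change while still root. */
    if (setgroups(1, &gid) != 0)
        return SW_GROUPS;
    if (setgid(gid) != 0)
        return SW_GID;
    if (setuid(uid) != 0)
        return SW_UID;
    /* Check the result instead of trusting return codes alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return SW_NOT_DROPPED;
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return SW_NOT_DROPPED;
    return SW_OK;
}

int main(void)
{
    /* 1000:1000 is a constructed target; a real mapping would come from GUMS. */
    enum switch_result r = switch_identity(1000, 1000);
    printf("switch_identity(1000, 1000) -> %d\n", r);
    return r == SW_OK ? 0 : 1;
}
```

Started without root, the call stops at the `setgroups` step; a caller should treat any result other than `SW_OK` as fatal and exit before running the user's command.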

9 gLExec and accounting

- gLExec keeps detailed logs of each invocation, including
  - user DN and FQAN
  - start and stop times
  - process id
- A gLExec GRATIA probe exists for automatic accounting extraction
  - but logs are also human readable

10 gLExec and Pilots

- Pilots cannot be forced to use gLExec
  - Pilots need to be gLExec-aware
- But if gLExec is installed, site can require its use by policy
- Using gLExec is in the best interest of pilots
  - Protects them from malicious users (UID switching)

11 gLExec installation

- gLExec supported by OSG
  - distributed via VDT
- Needs to be installed on all the worker nodes
- Requires host certificate or service proxy to talk to GUMS
- For more details, see talk in the “Configuring OSG” session

12 Conclusions

- Pilot jobs are gaining momentum
  - Most big VOs (do or will) use them
- gLExec helps restore security for pilot jobs
- It is a privileged executable
  - But security benefits outweigh risks
- Supported by OSG
  - Distributed in VDT

