
1 Andrew McNab - Manchester HEP - 29/30 March 2001
gridmapdir patch
- Overview of the problem
- Constraints from local systems
- Outline of how it works
- How to implement it locally
- Longer term solutions?

2 Overview of the problem
- In Globus 1.1.3, grid identities (certificate subjects) are mapped to local Unix usernames via grid-mapfile.
- For testbeds, either have to create lots of local Unix accounts - lots of administrative overhead
- Or map everyone to a single user - great potential for conflicts over use of /home etc, problems with accountability

3 Dynamic accounts
- The obvious solution, but introduces many complications
- Account creation / management is intimately related to local policies, tools etc
- Need to respect local site autonomy and minimise the changes required by local sysadmins
- Instead of trying to produce a long term solution before M9, look at what will be sufficient for now

4 Use pool of accounts
- Sysadmin creates a pool of normal Unix accounts, with names like gpool001, gpool002, gpool003, ...
- They can use their normal tools to do this, create quotas, Unix group(s) etc.
- Temporarily lease accounts when presented with a certificate whose subject is in our grid-mapfile
- Expire the lease "when they are finished" (defined locally)

5 Security and "auditability"
- Authentication: still have to provide a valid certificate, signed by a CA the local site trusts
- Authorisation: certificate subjects must still be listed in the local grid-mapfile to get access
- "Auditability": mappings of subjects to local Unix usernames are logged already, so can still tell "who" a particular pool account was

6 Implementation of leasing
- Want to share files created by gatekeeper, sshd-gsi, gsiftpd "logins" - so want these to share the same database of leases
- Need some form of locking. Run a lease daemon?
- Simplest way is to use link(2) with some sort of flag files, and rely on the atomicity of the file system. (Should even work across NFS to synchronise leases between nodes of a cluster or farm)

7 gridmapdir format
- "Lease database" takes the form of a directory containing empty files, with the same names as the pool usernames
- A lease is created by making a second link to the username using the subject name (URL-encoded.)
- Checking return code of link(2) and link count from stat(2) will enforce one-to-one mapping of subjects and pool usernames

8 Patch to Globus 1.1.3
- All subject->username mapping done by functions in Security/gss-assist/gridmap.c
- Patch these to map subjects to pool users if their "username" in grid-mapfile is like "." or ".subpool"
- Five new functions in gridmap.c implement leasing as described
- Subpools with privileges, quotas etc are possible: e.g. cms will only be mapped to cms001, cms002, ...

9 Lease expiration
- To reuse pool accounts, lease must be terminated somehow - but mechanics very site dependent
- Probably easiest to run a script from cron to expire leases:
- Either based on an expiration time (if you can guarantee the job will be finished by that time)
- Or by job completion flagging the lease as not needed (eg via PBS prologue / epilogue scripts)
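As an added illustration of the leasing rule from slides 7 and 9 (this is not code from the gridmapdir patch or from gridmap.c): pool accounts are empty files in the gridmapdir, a lease is a second hard link to one of them named after the URL-encoded subject, link(2) plus the stat(2) link count keep subjects and accounts one-to-one, and expiry is just unlinking the subject's link. The escaping rule in encode_subject and the function names are assumptions.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* URL-encode a certificate subject into one safe filename (the exact escaping rule
 * here is an assumption; the patch's own encoding is not shown on the slides). */
static void encode_subject(const char *s, char *out, size_t len) {
    size_t n = 0;
    for (; *s && n + 4 < len; s++)
        n += isalnum((unsigned char)*s) ? (size_t)(out[n] = *s, 1)
               : (size_t)snprintf(out + n, len - n, "%%%02X", (unsigned char)*s);
    out[n] = '\0';
}

/* Lease a pool account in gridmapdir `dir` for `subj`. Pool accounts are empty files
 * named after the usernames; a lease is a second hard link to one of them, named after
 * the encoded subject. Returns 0 with the account name in `pool`, or -1 if none is free.
 * A subject that already holds a lease gets the same account back (one-to-one mapping). */
int gridmapdir_lease(const char *dir, const char *subj, char *pool, size_t plen) {
    char enc[512], subjpath[1024], path[1024];
    struct stat ss, st; struct dirent *e; DIR *d; int rc = -1;
    encode_subject(subj, enc, sizeof enc);
    snprintf(subjpath, sizeof subjpath, "%s/%s", dir, enc);
    int have = (stat(subjpath, &ss) == 0);            /* does subj already hold a lease? */
    if ((d = opendir(dir)) == NULL) return -1;
    while (rc < 0 && (e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.' || strcmp(e->d_name, enc) == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (stat(path, &st) != 0) continue;
        /* existing lease: its account is the file sharing the lease's inode; otherwise a
         * free account is a file with exactly one link, and link(2) claims it atomically */
        if (have ? st.st_ino != ss.st_ino : st.st_nlink != 1 || link(path, subjpath) != 0) continue;
        /* two subjects may have raced for the same account (link count now 3): back off */
        if (!have && (stat(path, &st) != 0 || st.st_nlink != 2)) { unlink(subjpath); continue; }
        snprintf(pool, plen, "%s", e->d_name);
        rc = 0;
    }
    closedir(d);
    return rc;
}

/* Expiring a lease (from a cron script or a batch epilogue) just removes the subject's link. */
int gridmapdir_release(const char *dir, const char *subj) {
    char enc[512], path[1024];
    encode_subject(subj, enc, sizeof enc);
    snprintf(path, sizeof path, "%s/%s", dir, enc);
    return unlink(path);
}
```

Because the state lives entirely in the filesystem, the same directory can be shared by the gatekeeper, sshd-gsi and gsiftpd, and over NFS between nodes, exactly as slide 6 proposes.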

10 Advantages of this patch
- Minimum impact on local systems
- Minimum changes to Globus
- Changes are transparent to users and other sites
- Allows easy local choices about account characteristics and lease expiration

11 Limitations of the patch
- Sharing of lease "database" via filesystem and NFS is a hack!
- Termination of leases is messy
- Need to block submission of cron jobs etc from pool accounts (batch nodes should be doing this already though)

12 Making grid-mapfile
- Already proposals from INFN and UK about composing grid-mapfiles based on information published by LDAP.
- If this is done, then we have all the components needed to avoid manual intervention by all sysadmins every time a new user joins the Grid.

13 Future solutions (1)
- "Next Version of Globus" will have CAS framework - need to coexist with this
- "NVoG" will be able to get grid-mapfile info from LDAP
- Can already get Unix "passwd" info from LDAP on Linux and Solaris (via a PAM)
- Should we concentrate dynamic account creation or leasing on a "smart" local LDAP auth server?

14 Future solutions (2)
- An alternative method is to combine account creation / leasing with resource reservation
- This simplifies the enforcement of lease expiration, since presumably we already enforce process termination, file deletion at end of reservation
- But has more overhead and complexity than a smart LDAP server that just manages dynamic accounts

15 More information...
- http://www.hep.grid.ac.uk/gridmapdir/ has a copy of the patch itself, more explanation and some example scripts for managing pool accounts
- The gridmapdir patch is included in development versions of Globus RPMs at http://www.hep.grid.ac.uk/download/development/

16 make-ca-signing-policy
- Simple script to rebuild ca-signing-policy.conf when CAs are installed or removed
- Looks for policy.*.conf files in $GLOBUS_INSTALL_PATH/share/certificates
- Concatenates a header and all the policy files it finds.

17 make-c-s-p: RPMs
- When used in a CA RPM, adding or removing a CA just becomes a single rpm command: eg rpm -i ukhepca-0.1-1.rpm
- RPM installs files, then reruns script
- At uninstall, files removed and script rerun
- Can deal with multiple CAs in the same RPM (or tar file.)

18 Demonstration: ukhepca
- Have ukhepca RPM which everyone who needs to trust UK HEP CA can install
- Separate ukhepca-request RPM which only UK sites install (includes files to generate requests for certs from this CA)
- http://www.hep.grid.ac.uk/make-c-s-p/ has explanation and all the sources necessary to make compatible RPM or tar files for other CAs

19 Summary
- Modular method for installing CA info now available
- Can easily co-exist with non-EU DataGrid CAs
- Works with RPM or tar file installation
- Doesn't do CRL fetching - use NIKHEF proposal?
- Should installation of a CA define how to fetch its CRL (perhaps by installing a script?)
