Presentation is loading. Please wait.

Presentation is loading. Please wait.

May 26, 20041 AFS file space administration with ARC version 2 HEPiX Edinburgh, May 2004 Wolfgang Friebel.

Published byDylan Kirby Modified over 10 years ago

Similar presentations

Presentation on theme: "May 26, 20041 AFS file space administration with ARC version 2 HEPiX Edinburgh, May 2004 Wolfgang Friebel."— Presentation transcript:

1 May 26, 20041 AFS file space administration with ARC version 2 HEPiX Edinburgh, May 2004 Wolfgang Friebel

2 May 26, 20042 Overview Focus of this talk is on ARC v2 – Authentication using SASL and perl – Design of the new ARC (object oriented perl) – Sample usage Replacement of acron (also an arc application) AFS file space administration as a use case Much of the work reported here has been carried out by Patrick Boettcher (TFH Wildau)

3 May 26, 20043 Replacement of arc arc (authenticated remote control) by R. Toebbicke in wide spead use at DESY arc has a number of deficiencies: – Kerberos 4 authentication only – No or no complete response under heavy load – Server plugins site specific, not freely available Two projects started at DESY to replace arc – k5cron as a standalone acron successor (diploma thesis by Christian Huettig) – ARC v2 (arcx) as a generic client/server solution (work by Patrick Boettcher)

4 May 26, 20044 k5cron Primary goal was the replacement of acron mainly for two reasons: – needed support for Kerberos 5 – small fraction of acron tasks were failing randomly k5cron is a client server solution with the following features: – written in C, modeled after ssh (3.7.1p1) – uses Kerberos5 for authentication – uses encryption for transfer of data – sophisticated mechanisms to ensure scalability

5 May 26, 20045 k5cron availability k5cron was extensively tested at DESY ongoing migration of acron to k5cron Excellent documentation (in english) Both the documentation and the source code are available from the project page http://www.desy.de/~chuettig/k5cron/ This work cannot be covered here in more detail, it would deserve a separate talk

6 May 26, 20046 ARC version 2 (arcx) Project aimed at complete replacement of arc Different requirements: – Authentication support at least for Kerberos V4 (backward compatibility) and Kerberos V5 – Portability across a wide range of platforms – Generic server, extended by plugins – Writing and testing of plugins should be easy – Robustness and security of server mandantory – Functionality should resemble old arc

7 May 26, 20047 arcx design decisions authentication to be implemented by SASL – supports K4, GSSAPI (K5, PKI, GSI), MD5,... perl is to be used for the plugins (same as arc) Server will be modeled after spamd (spamassassin) which is written in perl – therefore all parts will be in perl (portability) Encryption of the network traffic using the methods offered by SASL We discovered only later that SASL support in perl was very limited (no server side SASL support)

8 May 26, 20048 SASL Simple Authentication and Security Layer Provides a generic API for use on the client and server sides Authentication mechanisms are provided as plugins and must provide the functions defined in the API Broad range of SASL plugins does exist Main advantage for programmers: – No need to know details of the authentication mechanisms, a fairly generic code is valid for all auth mechanisms supported by SASL

9 May 26, 20049 SASL implementations Cyrus SASL (C library, many plugins) GNU SASL (C library, not mature enough) Authen::SASL::Perl (perl, few mechs, client only) Authen::SASL::Cyrus (perl, interface to Cyrus lib) SASL interface used in cyrus-imapd, sendmail, openldap and other applications SASL is a full replacement for a native implementation of an authentication protocol – A perl based SASL client can e.g. authenticate against the K5 capable UW-imapd

10 May 26, 200410 Authen::SASL::Cyrus Perl module Authen::SASL (Graham Barr) – provides a framework for SASL – For server side support use version 2.07 or higher Authen::SASL::Cyrus does the real work – Patrick Boettcher extended the module and added server functionality (XS interface to Cyrus C library) – Available on CPAN, version 0.11 or higher needed) – Sample code contained in the module docs

11 May 26, 200411 arcx internals Client authenticates using one of the SASL mechs Two connections are opened to the server – Protocol connection (e.g. for auth protocol) – Command connection (e.g. for command output) If authorized, the server runs the given command – A separate child is forked for each command – STDIN/STDOUT for that child are duped to pipes – Parent process handles that pipes and does the communication with the client Arbitrary tasks can be performed on the server on behalf of the client, no AFS or K5 dependency

12 May 26, 200412 The arcx client Command line interface similar to arc Sample commands: – arcx whoami – arcx get /etc/passwd > passwd_from_srv Client comes with cmd history and cmd line editor – arcx Instead of using arcx, the perl API can be used to integrate the client into an application (see docs): – use Arc::Connection::Client; – my $arc=new Arc::...

13 May 26, 200413 The arcxd server Simple script around Arc::Server to start a server Server is controlled by a config file containing – logging level, logging method – auth mechanism(s) to be used – mapping of command names to perl classes Server can be stopped by calling the Interrupt method

14 May 26, 200414 Adding commands to arcxd Commands are implemented by perl classes – have to inherit from Arc::Command – have to provide a new method (object creation) – have to implement an Execute method, this is the entry point for the server Several variables set by the parent classes, e.g: – name of authenticated user (from SASL) – actual auth mechanism used – command name (and arguments if any) Communication with client using STDIN/STDOUT

15 May 26, 200415 ARC v2 usage Main purpose: get rid of Kerberos4 apps at DESY – acron (see k5cron above) – batchauth (AFS token lifetime extension for batch) – execution of AFS commands with admin privileges (similar to sudo) – AFS file space administration using afs_admin acron solved differently kstart (was batchauth) is the first arcxd application running in production (since approx one month) arcx vos release implemented (authorization based on AFS groups and ACLs, see below)

16 May 26, 200416 AFS space management Main tool we want to use at DESY is afs_admin – tool described already earlier – designed to improve AFS space administration – requires a server with AFS admin privileges ARC v2 developed to make afs_admin Krb5 ready – we are using AFS with Kerberos5 authentication – Server parts of afs_admin (arc plugins) contained dusty not well maintainable code Porting the server part of afs_admin to ARC v2 – perl classes derived from Arc::Server – work in progress

17 May 26, 200417 afs_admin features afs_admin helps the AFS administrator to – enforce naming conventions for volumes and mount points – Enforce file server usage policies – Group collections of volumes into projects – Delegate privileges to project administrators – Maintain project space quota – Provide sensible defaults for some AFS commands – Restrict the use of potentially dangerous commands

18 May 26, 200418 Status of the software All required perl classes except of Arc on CPAN Arc and derived classes currently at ftp://ftp-zeuthen.desy.de/pub/unix/gnu/perl/modules – planned to put it on CPAN as well – do include examples and documentation Plugins for Arc will appear on our ftp as well – kstart already available – classes that implement the complete afs_admin interface expected this summer – limited set of afs_admin commands already useable

19 May 26, 200419 Experiences and outlook Enhancing arcxd with new commands is easy Use of arcx/arcxd not limited to AFS or Kerberos administration, could be used for a remote sudo Good experiences already with kstart (token renewal in batch jobs) – however still problems with a large number of simultaneous requests – need to use load limiting methods (like in k5cron) Software will be available on CPAN – Larger audience will help to improve software – New plugins might be provided by the community

Download ppt "May 26, 20041 AFS file space administration with ARC version 2 HEPiX Edinburgh, May 2004 Wolfgang Friebel."

Similar presentations

Connecting to Databases. relational databases tables and relations accessed using SQL database -specific functionality –transaction processing commit.

Connecting to Databases. relational databases tables and relations accessed using SQL database -specific functionality –transaction processing commit.
Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3

Anti-SPAM experience at LAL Michel Jouvin LAL / IN2P3
17 May 20041 Multiple Sites. 17 May 20042 Multiple Sites This presentation assumes you are already familiar with Doors and all its standard commands It.

17 May Multiple Sites. 17 May Multiple Sites This presentation assumes you are already familiar with Doors and all its standard commands It.
MIT Lincoln Laboratory A Service-Oriented Approach to Application Development Robert Darneille & Gary Schorer WPI MQP Presentations ICS Group 10 October.

MIT Lincoln Laboratory A Service-Oriented Approach to Application Development Robert Darneille & Gary Schorer WPI MQP Presentations ICS Group 10 October.
Fitzkilism Production, 20041 Putting the Fun in Function By Mrs. Kiley Sandymount Elementary.

Fitzkilism Production, Putting the Fun in Function By Mrs. Kiley Sandymount Elementary.
© Pearson Education Limited, 20041 Chapter 8 Normalization Transparencies.

© Pearson Education Limited, Chapter 8 Normalization Transparencies.
COM vs. CORBA.

COM vs. CORBA.
8 April 20041 Doors TM Set System Options. 8 April 20042 Set System Options Allows you to set certain standard Doors operating parameters and enable certain.

8 April Doors TM Set System Options. 8 April Set System Options Allows you to set certain standard Doors operating parameters and enable certain.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
October 20-24. Dyalog File Server Version 2.0 Morten Kromberg CTO, Dyalog LTD Dyalog’13.

October Dyalog File Server Version 2.0 Morten Kromberg CTO, Dyalog LTD Dyalog’13.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
HEPNT/HEPiX meeting Oct 6, 1999 1 Securing mail access with Kerberos and SSL Wolfgang Friebel DESY.

HEPNT/HEPiX meeting Oct 6, Securing mail access with Kerberos and SSL Wolfgang Friebel DESY.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.

Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats

Similar presentations

Ads by Google