Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University.

Published byDoreen Griffith Modified over 8 years ago

Similar presentations

Presentation on theme: "Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University."— Presentation transcript:

1 Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University of Manchester mcnab@hep.man.ac.uk

2 Andrew McNab - Security issues - 17 May 2002 Outline u Sysadmin hitlist u Existing VO vs CAS u Pool accounts u SlashGrid u “UID domains”: NFS, PBS etc. u Need for Grid ACLs u XML Grid ACL’s u GACL library u Certfs as native “container” hosting environment

3 Andrew McNab - Security issues - 17 May 2002 Sysadmin hitlist u Subjective list of things to eliminate, from my experience and admins I’ve talked to: n Administrative work creating / maintaining user accounts. n Files/processes left over/created in unwanted places by jobs - bad enough when local “students” do this: don’t want Student X from University of Z doing this to our kit via the Grid. n NFS - “No File Security” - difficult/impossible to secure unless physical components of the LAN are secure (ie in a locked room) - makes it easier to compromise more machines once have root on one. u I think we now either have foreseeable solutions to all of these...

4 Andrew McNab - Security issues - 17 May 2002 Existing VO vs CAS u Have already about VO authorisation servers in use: centrally provided authorisation listings. u Provides a list of DN ’s for a given group: eg an experiment, or a group within an experiment. u Groups have to be defined by an admin of the VO n so an experiment can define the Tau Working Group n but I can ’t define “my friends in the Tau Working Group” myself u However, current system gives the functionality running experiments like BaBar cope with, so ok. u Globus CAS would allow finer grained authorisation. n Do we also need a way for users to define new resources and associate authorisation groups with them? In CAS or locally?

5 Andrew McNab - Security issues - 17 May 2002 Pool accounts u The other half of removing account creation burden from admins u Widely used by TB1 sites. u Auditing possible since all DN=>UID mappings recorded in log files. u Same pool mappings can be shared across a farm by sharing gridmapdir with NFS (file ops are suitably atomic - but NFS still!) u Existing system works ok for CPU+tmpfile only jobs. u But not really appropriate if users creating long lived files at the site in question. u Limitations are because files are still owned by Unix UID: can’t recycle UID until all files created have been removed.

6 Andrew McNab - Security issues - 17 May 2002 SlashGrid / certfs u Framework for creating “Grid-aware” filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. n Source, binaries and API notes: http://www.gridpp.ac.uk/slashgrid/ u certfs.so plugin provides local storage governed by Access Control Lists based on DN’s. u Since most ACL’s would have just one entry, this is equivalent to file ownership by DN rather than UID. n solves admin worries about long lived files owned by pool accounts. n if pool accounts are prevented from writing to normal disks, then no chance they will write something unpleasant somewhere unexpected. u (Also, a GridFTP plugin could provide secure replacement for NFS.)

7 Andrew McNab - Security issues - 17 May 2002 “UID domains” u Each testbed site currently constitutes a “UID domain” in which DN=>UID mappings must be consistent on all machines. n Currently achieved by sharing grid-mapfile or gridmapdir by NFS (or replicating with LCFG) u This arises from two major components: n NFS sharing of disks. n Local batch (usually PBS) by default assumes same UID on front and backend machines. u Would simplify recycling of pool accounts on gatekeeper if didn’t need to maintain this consistency: n gatekeeper would just allocate a pool UID which had no processes already running n if use “gsiftpfs” instead of NFS, then DN=>UID mappings done dynamically on SE etc too n but, would need to configure / modify PBS etc to dynamically allocate a UID on backend node and copy proxy?

8 Andrew McNab - Security issues - 17 May 2002 Need for “Grid ACL’s” u Initial idea of SlashGrid/certfs was to replace ownership by UID to ownership by DN via an ACL. u For simplicity, would want to use same ACL format for gsiftpfs etc. u Current prototype is plain text, per-directory ACL in.grid-acl u As a file, this can be stored in directories, copied via unmodified http, gsiftp channels and easily manipulated by scripts and applications. u Implementing ACL’s could also solve some other issues to emerge with TB1: n eg per-UID tape storage: could store all tape files with one UID but associate ACL with the file and use that. u Sysadmins want disk filesystem ACL’s on same physical disk as files if possible.

9 Andrew McNab - Security issues - 17 May 2002 Grid ACL vs CAS (or fine-grained VO) u CAS provides ACL-like feature of specifying what action (eg write) is permissible on an object (eg tau-wg-montecarlo). u (If using lots of subgroups within a VO, could achieve much the same thing: eg define a group of people in tau-wg-montecarlo-write) u In some cases, this could be used to provide ACL functionality. u However, it is too coarse grained and too heavyweight for all contexts n eg if my job creates a temporary, working directory in /grid/tmp, I don’t want to setup a new entry on the central CAS machine to control this. u The two systems should be seen as complementary n when you create some tau Monte Carlo, put it somewhere the ACL gives write access for people with “tau-wg-montecarlo write.”) n when you just create a temporary directory, the ACL defaults to just the creator having admin access.

10 Andrew McNab - Security issues - 17 May 2002 XML Grid ACL? u Several variations of XML Grid Access Control Lists have been suggested. u XML-based format an obvious choice, since: n (a) have XML parsers around already for other things n (b) many protocols and metadata formats going to XML so could easily include a Grid ACL n (c) XML is extensible so we don’t need to predict the future so much. u For files, most seem to be based on about 4 levels: read, list, write and admin (cf AFS.) u Then associate these with combinations of personal DN’s, CAS objects and LDAP VO groups.

11 Andrew McNab - Security issues - 17 May 2002 Just one example XML Grid ACL format... ldap://ldap.abc.ac.uk/ ou=xyz,dc=abc,dc=ac,dc=uk /O=Grid/OU=abc.ac.uk/DN=AbcCAS Can-read-http://www.abc.ac.uk/bigfiles/ /O=Grid/DN=Andrew

12 Andrew McNab - Security issues - 17 May 2002 GACL library u XML ACL format not decided but want to write code that needs it now (GridSite in production for GridPP; SlashGrid to be in EDG 1.3.) u ACL may change again in the future; may need to understand different (ugh!) ACL’s from other Grid projects. u Insulate G-S and S-G from this by moving existing ACL handling functions into a standalone library, and make this understand XML. u Handles ACL’s in a reasonably general way, packs C structs with their contents and provides access functions to manipulate the structs as new types: n GACLlevel - read, list, write, admin... n GACLcred - a DN, VO group or CAS object. n GACLentry - several credentials, plus Allow and Deny for Levels. n GACLacl - several entries.

13 Andrew McNab - Security issues - 17 May 2002 GACL library (2) u Currently uses libxml to do basic XML parsing n can read from files or from strings in memory. u Functions like GACLnewCred(int type, char *issuer, char *name) provided to build up new ACL’s in memory, and manipulate or evaluate existing ones. u Working version of GridSite using GACL exists; SlashGrid next. u Intend to provide file and directory utility functions: n “read in the ACL for file /dir1/dir2/xyz” looks in /dir1/dir2/.gacl-xyz for a file ACL, then /dir1/dir2/.gacl, /dir1/.gacl … n but don’t limit functionality to files (ACL’s on metadata? queues? RB’s?) u Currently, implements XML format from earlier slide. u See http://www.gridpp.ac.uk/gacl/ for source and API description of 0.0.1 version.

14 Andrew McNab - Security issues - 17 May 2002 Certfs as container hosting environment u Some of the OGSA discussions make distinction between simple (eg native Linux) and container (eg Java or.NET) hosting environments. u The original motivation for “in a box” environments is security. u OGSA interest is in creating new services dynamically: this is easier if services are “in a box” to start with. u Certfs is motivated by desire to keep users from making long lived UID-owned files. u However, it is also a step towards the kind of dynamic environments OGSA talks about. u Is the answer to our concerns about security and our desire for flexible, dynamic services, to make Unix UID’s as transitory as Process Group ID’s?

15 Andrew McNab - Security issues - 17 May 2002 Summary u Most of the concerns of admins are being addressed to some extent. u Current VO system is probably sufficient, but CAS would be more flexible. u Pool accounts are useful but limited by UID file ownership issues. u SlashGrid / certfs intended to provide solution to this. u Defining a Grid ACL format deals with other issues too. u Do this in XML: what format? u GACL library provides API for handling whatever is decided. u How far can we go towards make UID’s purely transitory?

Download ppt "Andrew McNab - Security issues - 17 May 2002 WP6 Security Issues (some personal observations from a WP6 and sysadmin perspective) Andrew McNab, University."

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.

Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:

Andrew McNab - Manchester HEP - 5 March 2002 SlashGrid (“/grid”) Motivation: dynamic-accounts issues Local storage: implementation alternatives Generalisation:
BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.

BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.
Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester
3 May 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

Similar presentations

Ads by Google