Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Advertisements

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
4/2/2002HEP Globus Testing Request - Jae Yu x Participating in Globus Test-bed Activity for DØGrid UTA HEP group is playing a leading role in establishing.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.
Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.
SSC2 and Update on Multi-user Pilot Jobs Framework Mingchao Ma, STFC – RAL HEPSysMan Meeting 20/06/2008.
OSG Site Provide one or more of the following capabilities: – access to local computational resources using a batch queue – interactive access to local.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Use of Condor on the Open Science Grid Chris Green, OSG User Group / FNAL Condor Week, April
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
Grid User Management System Gabriele Carcassi HEPIX October 2004.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
Open Science Grid OSG CE Quick Install Guide Siddhartha E.S University of Florida.
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
Introduction to OSG Security Suchandra Thapa Computation Institute University of Chicago March 19, 20091GSAW 2009 Clemson.
Mine Altunay July 30, 2007 Security and Privacy in OSG.
Pilot Jobs John Gordon Management Board 23/10/2007.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Direct gLExec integration with PanDA Fernando H. Barreiro Megino CERN IT-ES-VOS.
Meeting Minutes and TODOs TG has no distributed monitoring. During incident response, use a manual twiki page to distribute information TG monitors the.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
Open Science Grid (OSG) Introduction for the Ohio Supercomputer Center Open Science Grid (OSG) Introduction for the Ohio Supercomputer Center February.
Creating and running an application.
VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.
OSG AuthZ components Dane Skow Gabriele Carcassi.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
Mar 27, gLExec Accounting Solutions in OSG Gabriele Garzoglio gLExec Accounting Solutions in OSG Mar 27, 2008 Middleware Security Group Meeting Igor.
AstroGrid-D Meeting MPE Garching, M. Braun VO Management.
SCSC 455 Computer Security Chapter 3 User Security.
Auditing Project Architecture VERY HIGH LEVEL Tanya Levshina.
OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.
LCG Support for Pilot Jobs John Gordon, STFC GDB December 2 nd 2009.
LCG Pilot Jobs and glexec John Gordon.
EMI INFSO-RI Argus The EMI Authorization Service Valery Tschopp (SWITCH) Argus Product Team.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
OSG Area Coordinator’s Report: Workload Management Maxim Potekhin BNL May 8 th, 2008.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
Security aspects of the WLCG infrastructure: clients and services Maarten Litmaath CERN.
Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester.
Open Science Grid Build a Grid Session Siddhartha E.S University of Florida.
Placeholder ES 1 CERN IT EGI Technical Forum, Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.
Ian Collier, STFC, Romain Wartel, CERN Maintaining Traceability in an Evolving Distributed Computing Environment Introduction Security.
Security and VO management enhancements in Panda Workload Management System Jose Caballero Maxim Potekhin Torre Wenaus Presented by Maxim Potekhin at HPDC08.
A closer look at the VDT RPMs Alain Roy OSG Software Coordinator.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
OSG PKI Transition Impact on CMS. Impact on End User After March , DOEGrids CA will stop issuing or renewing certificates. If a user is entitled.
OSG Status and Rob Gardner University of Chicago US ATLAS Tier2 Meeting Harvard University, August 17-18, 2006.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Job Management Claudio Grandi.
Development of the Fermilab Open Science Enclave Policy and Baseline Keith Chadwick Fermilab Work supported by the U.S. Department of.
Running User Jobs In the Grid without End User Certificates - Assessing Traceability Anand Padmanabhan CyberGIS Center for Advanced Digital and Spatial.
Job Priorities and Resource sharing in CMS A. Sciabà ECGI meeting on job priorities 15 May 2006.
Nov 05, 2008, PragueSA3 Workshop1 A short presentation from Owen Synge SA3 and dCache.
Honolulu - Oct 31st, 2007 Using Glideins to Maximize Scientific Output 1 IEEE NSS 2007 Making Science in the Grid World - Using Glideins to Maximize Scientific.
Multi User Pilot Jobs update
Workload Management System
f f FermiGrid – Site AuthoriZation (SAZ) Service
Global Banning List and Authorization Service
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
Argus The EMI Authorization Service
Presentation transcript:

Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security

OSG All-Hands March 3, Traditional Grid Jobs User jobs come through the gatekeeper  You see all jobs come in  You ensure they run as the correct user  You can do accounting Gatekeeper Batch Worker node Job Resource Broker GUMS

OSG All-Hands March 3, Pilot Grid Jobs User jobs don't come through the gatekeeper  Only pilots enter via gatekeeper  Each pilot accepts work from VO  You don’t see user jobs  No local authorization, no accounting  All user jobs share same user id Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory

OSG All-Hands March 3, 2008 Pilot user jobs share user ids! Hey, mind if I borrow your proxy? Oops, was that your file? gLExec will solve this problem

OSG All-Hands March 3, Pilot jobs are in use today Two VOs are actively using Pilot jobs  CDF  ATLAS Others are about to start using them  CMS  MINOS Pilot jobs are here to stay

OSG All-Hands March 3, Pilot Grid Jobs with gLExec User jobs started using gLExec  Authorized with local authorization tools (GUMS)  Correct user ID used to start job Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory gLExec

OSG All-Hands March 3, What is gLExec A Grid-aware suExec derivative  Allows execution of commands as a different user  Authorization and mapping based on X.509 proxy A privileged executable (setuid to root)  Needed to switch identities Pluggable architecture  PRIMA/GUMS plugin used by default in OSG

OSG All-Hands March 3, gLExec IS a privileged executable gLExec is NOT a privileged service  Not listening on any network port gLExec is a privileged executable  Will run as root at least part of the time  A bug can potentially give an attacher root privileges gLExec has been audited by EGEE for potential security problems  None have been found

OSG All-Hands March 3, gLExec and accounting gLExec keeps detailed logs of each invocation, including  user DN and FQAN  start and stop times  process id A gLExec GRATIA probe exists for automatic accounting extraction  but logs are also human readable

OSG All-Hands March 3, gLExec and Pilots Pilots cannot be forced to use gLExec  Pilots need to be gLExec-aware But if gLExec is installed, site can require its use by policy Using gLExec is in the best interest of pilots  Protects them from malicious users (UID switching)

OSG All-Hands March 3, gLExec installation gLExec supported by OSG  distributed via VDT Needs to be installed on all the worker nodes Requires host certificate or service proxy to talk to GUMS For more details, see talk in the “Configuring OSG” session

OSG All-Hands March 3, Conclusions Pilot jobs are gaining momentum  Most big VOs (do or will) use them gLExec helps restore security for pilot jobs It is a privileged executable  But security benefits overweight risks Supported by OSG  Distributed in VDT

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.