Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to implement it locally Longer term solutions?

Andrew McNab - Manchester HEP - 29/30 March 2001 Overview of the problem In Globus 1.1.3, grid identities (certificate subjects) are mapped to local Unix usernames via grid- mapfile. For testbeds, either have to create lots of local Unix accounts - lots of administrative overhead Or map everyone to a single user - great potential for conflicts over use of /home etc, problems with accountability

Andrew McNab - Manchester HEP - 29/30 March 2001 Dynamic accounts The obvious solution, but introduces many complications Account creation / management is intimately related to local policies, tools etc Need to respect local site autonomy and minimise the changes required by local sysadmins Instead of trying to produce a long term solution before M9, look at what will be sufficient for now

Andrew McNab - Manchester HEP - 29/30 March 2001 Use pool of accounts Sysadmin creates a pool of normal Unix accounts, with names like gpool001, gpool002, gpool003, … They can use their normal tools to do this, create quotas, Unix group(s) etc. Temporarily lease accounts when presented with a certificate whose subject is in our grid-mapfile Expire the lease “when they are finished” (defined locally)

Andrew McNab - Manchester HEP - 29/30 March 2001 Security and “auditability” Authentification: still have to provide a valid certificate, signed by a CA the local site trusts Authorisation: certificate subjects must still be listed in the local grid-mapfile to get acess “Auditability”: mappings of subjects to local Unix usernames is logged already, so can still tell “who” a particular pool account was

Andrew McNab - Manchester HEP - 29/30 March 2001 Implementation of leasing Want to share files created by gatekeeper, sshd-gsi, gsiftpd "logins" - so want these to share the same database of leases Need some form of locking. Run a lease daemon? Simplest way is to use link(2) with some sort of flag files, and rely on the atomicity of the file system. (Should even work across NFS to synchronise leases between nodes of a cluster or farm)

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir format “Lease database” takes the form of a directory containing empty files, with the same names as the pool usernames A lease is created by making a second link to the username using the subject name (URL-encoded.) Checking return code of link(2) and link count from stat(2) will enforce one-to-one mapping of subjects and pool usernames

Andrew McNab - Manchester HEP - 29/30 March 2001 Patch to Globus All subject->username mapping done by functions in Security/gss-assist/gridmap.c Patch these to map subjects to pool users if their “username” in grid-mapfile is like “.” or “.subpool” Five new functions in gridmap.c implement leasing as described Subpools with privileges, quotas etc are possible: eg.cms will only be mapped to cms001, cms002,...

Andrew McNab - Manchester HEP - 29/30 March 2001 Lease expiration To reuse pool accounts, lease must be terminated somehow - but mechanics very site dependent Probably easiest to run a script from cron to expire leases: Either based on an expiration time (if you can guarantee the job will be finished by that time) Or by job completion flagging the lease as not needed (eg via PBS prologue / epilogue scripts)

Andrew McNab - Manchester HEP - 29/30 March 2001 Advantages of this patch Minimum impact on local systems Minimum changes to Globus Changes are transparent to users and other sites Allows easy local choices about account characteristics and lease expiration

Andrew McNab - Manchester HEP - 29/30 March 2001 Limitations of the patch Sharing of lease “database” via filesystem and NFS is a hack! Termination of leases is messy Need to block submission of cron jobs etc from pool accounts (batch nodes should be doing this already though)

Andrew McNab - Manchester HEP - 29/30 March 2001 Making grid-mapfile Already proposals from INFN and UK about composing grid-mapfile’s based on information published by LDAP. If this is done, then we have all the components needed to avoid manual intervention by all sysadmins every time a new user joins the Grid.

Andrew McNab - Manchester HEP - 29/30 March 2001 Future solutions (1) “Next Version of Globus” will have CAS framework - need to coexist with this “NVoG” will be able to get grid-mapfile info from LDAP Can already get Unix “passwd” info from LDAP on Linux and Solaris (via a PAM) Should we concentrate dynamic account creation or leasing on a “smart” local LDAP auth server?

Andrew McNab - Manchester HEP - 29/30 March 2001 Future solutions (2) An alternative method is to combine account creation / leasing with resource reservation This simplifies the enforcement of lease expiration, since presumably we already enforce process termination, file deletion at end of reservation But has more overhead and complexity than a smart LDAP server that just manages dynamic accounts

Andrew McNab - Manchester HEP - 29/30 March 2001 More information... has a copy of the patch itself, more explanation and some example scripts for managing pool accounts The gridmapdir patch is included in development versions of Globus RPM’s at

Andrew McNab - Manchester HEP - 29/30 March 2001 make-ca-signing-policy Simple script to rebuild ca-signing- policy.conf when CA's are installed or removed Looks for policy.*.conf files in $GLOBUS_INSTALL_PATH/share/certificates Concatenates a header and all the policy files it finds.

Andrew McNab - Manchester HEP - 29/30 March 2001 make-c-s-p: RPM’s When used in a CA RPM, adding or removing a CA just becomes a single rpm command: eg rpm -i ukhepca rpm RPM installs files, then reruns script At uninstall, files removed and script rerun Can deal with multiple CA's in the same RPM (or tar file.)

Andrew McNab - Manchester HEP - 29/30 March 2001 Demonstration: ukhepca Have ukhepca RPM which everyone who needs to trust UK HEP CA can install Separate ukhepca-request RPM which only UK sites install (includes files to generate requests for certs from this CA) has explanation and all the sources necessary to make compatible RPM or tar files for other CA’s

Andrew McNab - Manchester HEP - 29/30 March 2001 Summary Modular method for installing CA info now available Can easily co-exist with non EU Datagrid CA’s Works with RPM or tar file installation Doesn’t do CRL fetching - use NIKHEF proposal? Should installation of a CA define how to fetch its CRL (perhaps by installing a script?)