LCAS/LCMAPS and WSS Site Access Control boundary conditions. David Groep, NIKHEF. INFSO-RI-508833, Enabling Grids for E-sciencE, www.eu-egee.org

Presentation transcript:

LCAS/LCMAPS and WSS Site Access Control boundary conditions
David Groep, NIKHEF

Enabling Grids for E-sciencE, INFSO-RI: Site Access Control, LCAS/LCMAPS and Unix-domain limitations, September 12

Outline
– Local authorization
– LCAS: making authorization decisions
– LCMAPS: integrating with UNIX accounts

Authorization context
[Figure: authorization context diagram; graphics from Globus Alliance & GGF OGSA-WG]
Policy comes from many stakeholders.

Local Authorization: EGEE Architecture
– Policy providers orchestrated by a master PDP (not shown)
– Authorization Framework (Java) and LCAS (C/C++ world)
– Both provide a set of PDPs (should be the same set, or a callout from one to the other)
– PDPs foreseen:
  · user white/blacklist
  · VOMS-ACL
  · proxy-lifetime constraints
  · certificate/proxy policy OID checks
  · peer-system name validation (compare with subject or subjectAlternativeNames)

Local Authorization Today: Current Implementation
– Only a limited set of PDPs:
  · ban/allow and VOMS-ACL
– Authorization interface is non-standard (at least for C/C++)
– All evaluation is in-line:
  · source modifications needed to old services (GT gatekeeper, GridFTP server)
  · recent versions of the framework for Java needed (i.e. GT4+)
– No separate authorization service (no site-central checking)
– Policy format is not XACML everywhere (e.g. GACL)

What’s within reach?
– Standard white list / blacklist service for all services
– Some additional PDPs:
  · policy OID checking
  · proxy certificate lifetime constraints
  · limit to specific executable programs
– Better integration between the Java and C worlds
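The three slides above describe a master PDP that orchestrates a set of small PDPs (ban list, VOMS-ACL, proxy-lifetime limit). The following is an added illustration of that structure, not LCAS or gLite code: the request fields, the policy data, the PDP function type and the combining rule (any DENY is final, a PERMIT needs at least one permitting PDP, otherwise deny by default) are all assumptions made here for the example.

```c
/* Added example (not LCAS/gLite code): a master PDP running a chain of
 * simple PDPs with deny-overrides and default deny. Request layout,
 * policy data and the PDP API are constructed for illustration. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

struct authz_request {
    const char *subject_dn;       /* certificate subject DN */
    const char *fqans[4];         /* VOMS attributes, NULL-terminated */
    long        proxy_lifetime_s; /* remaining proxy validity in seconds */
};

enum decision { DENY = 0, PERMIT = 1, NOT_APPLICABLE = -1 };

typedef enum decision (*pdp_fn)(const struct authz_request *);

/* Constructed site policy (sample values, not from any real site). */
static const char *banned_dns[]   = { "/DC=org/DC=example/CN=blocked user", NULL };
static const char *allowed_fqans[] = { "/VO=iteam/GROUP=/iteam", "/VO=wilma/GROUP=/wilma/*", NULL };
static const long  max_proxy_lifetime_s = 24 * 3600;

/* Ban list: can only deny; it never grants access by itself. */
static enum decision pdp_banlist(const struct authz_request *r)
{
    for (const char **b = banned_dns; *b; b++)
        if (strcmp(*b, r->subject_dn) == 0) return DENY;
    return NOT_APPLICABLE;
}

/* Proxy lifetime: reject expired proxies and proxies valid for too long. */
static enum decision pdp_proxy_lifetime(const struct authz_request *r)
{
    if (r->proxy_lifetime_s <= 0) return DENY;
    if (r->proxy_lifetime_s > max_proxy_lifetime_s) return DENY;
    return NOT_APPLICABLE;
}

/* VOMS-ACL: the only PDP here that can permit; shell-style patterns,
 * with '*' allowed to span '/' so that subgroups match. */
static enum decision pdp_voms_acl(const struct authz_request *r)
{
    for (int i = 0; r->fqans[i]; i++)
        for (const char **a = allowed_fqans; *a; a++)
            if (fnmatch(*a, r->fqans[i], 0) == 0) return PERMIT;
    return DENY;
}

/* Master PDP: deny-overrides, default deny when nothing permits. */
enum decision master_pdp(const struct authz_request *r)
{
    static const pdp_fn chain[] = { pdp_banlist, pdp_proxy_lifetime, pdp_voms_acl };
    int permitted = 0;
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        enum decision d = chain[i](r);
        if (d == DENY) return DENY;
        if (d == PERMIT) permitted = 1;
    }
    return permitted ? PERMIT : DENY;
}

/* Convenience wrapper for a single-FQAN request. */
enum decision decide(const char *dn, const char *fqan, long proxy_lifetime_s)
{
    struct authz_request r = { dn, { fqan, NULL }, proxy_lifetime_s };
    return master_pdp(&r);
}

int main(void)
{
    const char *alice = "/DC=org/DC=example/CN=alice";
    printf("alice, iteam, 1h proxy : %d\n", decide(alice, "/VO=iteam/GROUP=/iteam", 3600));
    printf("alice, iteam, 48h proxy: %d\n", decide(alice, "/VO=iteam/GROUP=/iteam", 48 * 3600));
    printf("blocked user, iteam    : %d\n", decide(banned_dns[0], "/VO=iteam/GROUP=/iteam", 3600));
    printf("alice, fred, 1h proxy  : %d\n", decide(alice, "/VO=fred/GROUP=/fred", 3600));
    return 0;
}
```

The order of the chain is a design choice: cheap, purely denying checks (ban list, lifetime) run first, so a banned or over-long credential never reaches the attribute evaluation.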

LCMAPS
Once authorisation has been obtained:
– acquire local (Unix) credentials to run legacy jobs
– enforce those credentials on
  · the job being run, or
  · the FTP session started
LCMAPS is the back-end service used by
– GT2-style edg-gatekeeper (LCG2)
– edg-GridFTP (LCG2)
– glexec/grid-sudo wrapper
– WorkSpace Service

LCMAPS – requirements
– Backward compatible with existing systems
  · should read a grid-mapfile
  · legacy API: transparent replacement
  · pluggable into other systems (gatekeeper, gridFTP, …)
– Support for multiple VOs per user
  · VOMS groups, roles and capabilities map into UNIX groups
  · granularity can be configured per site (from 1 group/VO to 1 per unique triplet) – but should it?
– Minimum system administration intervention
  · pool accounts, and pool ‘groups’
  · understandable configuration
– Extensible and configurable
– Boundary conditions
  · has to run in privileged mode
  · has to run in the process space of the incoming connection (for fork jobs)

LCMAPS – control flow
– User authenticates using a (VOMS) proxy
– LCMAPS library invoked
  · acquire all relevant credentials
  · enforce “external” credentials
  · enforce credentials on the current process tree at the end
– Run job manager
  · fork will be OK by default
  · batch systems may need the primary group explicitly
  · batch clusters will need updated (distributed) UNIX account info
[Figure: GK → LCMAPS (Credential Acquisition & Enforcement; order and function: policy-based) → CREDs → Job Mngr]

LCMAPS – modules
Modules (representing atomic functionality):

Acquisition
  Module              Input                        Output
  VOMS                proxy                        extracts VOMS credentials from the proxy
  PoolAccounts        username                     assigns a unique uid
  PoolGroups          (VOMS) groupname             assigns a unique gid
  LocalAccount        username                     assigns a local existing uid
  LocalGroups         (VOMS) groupname             assigns an existing gid
  VOMS PoolAccounts   username + primary VOMS      assigns a unique uid
  AFS/Krb5            user DN info                 gets a token via gssklogd

Enforcement
  POSIX process       setuid() and setgid()
  POSIX LDAP          updates the distributed user database
  …
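The "POSIX process" enforcement module above boils down to setgid()/setuid() on the current process, and the requirements slide notes that this has to happen in privileged mode. The ordering and the post-switch verification are where such code goes wrong, so here is an added example of that step; it is not LCMAPS's own enforcement module, and the function signature (primary gid from the first VOMS group, extra gids from further groups) is an assumption made for the example.

```c
/* Added example (not LCMAPS code): switch the current process to the
 * acquired Unix credentials in an order that cannot be reversed later
 * (supplementary groups and primary gid while still privileged, uid
 * last), verify the switch, and fail closed if root could be regained.
 * The signature is an assumption, not the LCMAPS API. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 32   /* assumption: upper bound on groups we enforce */

/* primary: primary gid (first VOMS group, used for accounting);
 * extra/nextra: further Unix gids derived from other VOMS groups.
 * Returns 0 on success, -1 on any failure (ids are then not trusted). */
int enforce_posix_credentials(uid_t uid, gid_t primary, const gid_t *extra, int nextra)
{
    gid_t groups[MAX_GROUPS];
    if (nextra < 0 || nextra + 1 > MAX_GROUPS) return -1;
    groups[0] = primary;
    for (int i = 0; i < nextra; i++) groups[i + 1] = extra[i];

    /* 1. Supplementary groups need privilege, so they are only set when
     *    running as root; otherwise the inherited list is left alone. */
    if (geteuid() == 0 && setgroups((size_t)(nextra + 1), groups) != 0) return -1;
    /* 2. Primary gid before uid: once the uid is unprivileged, changing
     *    the gid to another group would fail. */
    if (setgid(primary) != 0) return -1;
    /* 3. The uid last; as root this also changes the saved uid, so the
     *    drop is permanent rather than a temporary seteuid(). */
    if (setuid(uid) != 0) return -1;

    /* 4. Verify and fail closed: real and effective ids must match the
     *    target, and an unprivileged target must not be able to go back. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != primary || getegid() != primary) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    /* Stand-alone demo: re-apply the caller's own ids, which any user may do. */
    int rc = enforce_posix_credentials(getuid(), getgid(), NULL, 0);
    printf("enforce(uid=%d, gid=%d): %s\n", (int)getuid(), (int)getgid(),
           rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

A caller such as a gatekeeper or glexec-style wrapper should treat a non-zero return as fatal and not start the job: a half-applied credential switch leaves the process with privileges the mapping never granted.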

LCMAPS – functionality view
– Local UNIX groups based on VOMS group membership, roles, capabilities
– More than one VO/group per grid user allowed [but…]
– Primary group set to first VOMS group – accounting
– New mechanisms could mitigate issues:
  · groups-on-demand, support granularity at any level
  · central user directory support (nss_LDAP, pam-ldap)
– Not ready – and priorities have not been assigned to this yet.

Example groupmapfile:
  # groupmapfile
  "/VO=iteam/GROUP=/iteam*"     iteam
  "/VO=WP6/GROUP=/WP6*"         wpsix
  "/VO=wilma/GROUP=/wilma"      wilma
  "/VO=wilma/GROUP=/wilma/*"    .pool
  "/VO=fred/GROUP=/fred*"       .pool
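To make the groupmapfile example concrete, here is an added evaluator for entries of that form; it is not LCMAPS's own mapfile code. It assumes first-match-wins ordering, shell-style patterns in which '*' may span '/' (so "/wilma/*" covers subgroups), and that a target starting with '.' names a pool of groups from which each distinct FQAN leases its own group (the PoolGroups behaviour from the modules slide, with the pool bookkeeping kept in memory for the example). An FQAN that matches no entry is rejected rather than mapped to some default.

```c
/* Added example (not LCMAPS code): resolve a VOMS FQAN to a Unix group
 * from groupmapfile-style entries. Assumptions: first match wins,
 * fnmatch() globbing with '*' spanning '/', and a '.'-prefixed target
 * denotes a pool of groups leased one per distinct FQAN. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

struct map_entry { const char *pattern; const char *group; };

/* Constructed in-memory copy of the slide's example groupmapfile. */
static const struct map_entry groupmap[] = {
    { "/VO=iteam/GROUP=/iteam*",  "iteam" },
    { "/VO=WP6/GROUP=/WP6*",      "wpsix" },
    { "/VO=wilma/GROUP=/wilma",   "wilma" },
    { "/VO=wilma/GROUP=/wilma/*", ".pool" },
    { "/VO=fred/GROUP=/fred*",    ".pool" },
};
#define NENTRIES (sizeof groupmap / sizeof groupmap[0])

/* Pool lease state (assumption: in-memory, a few slots; a real site
 * would persist this so the same FQAN keeps its group across calls). */
#define POOL_SIZE 8
static char pool_owner[POOL_SIZE][128];
static int  pool_used = 0;

/* Lease "<prefix>NNN" for an FQAN: an FQAN seen before keeps its slot,
 * a new one takes the next free slot, an exhausted pool refuses. */
static int lease_pool_group(const char *prefix, const char *fqan, char *out, size_t outlen)
{
    for (int i = 0; i < pool_used; i++)
        if (strcmp(pool_owner[i], fqan) == 0) {
            snprintf(out, outlen, "%s%03d", prefix, i + 1);
            return 0;
        }
    if (pool_used == POOL_SIZE) return -1;
    snprintf(pool_owner[pool_used], sizeof pool_owner[0], "%s", fqan);
    snprintf(out, outlen, "%s%03d", prefix, pool_used + 1);
    pool_used++;
    return 0;
}

/* Returns 0 and fills 'out' on a match, -1 when no entry applies. */
int map_fqan_to_group(const char *fqan, char *out, size_t outlen)
{
    for (size_t i = 0; i < NENTRIES; i++) {
        if (fnmatch(groupmap[i].pattern, fqan, 0) != 0)
            continue;
        if (groupmap[i].group[0] == '.')
            return lease_pool_group(groupmap[i].group + 1, fqan, out, outlen);
        snprintf(out, outlen, "%s", groupmap[i].group);
        return 0;
    }
    return -1;
}

int main(void)
{
    const char *samples[] = {
        "/VO=iteam/GROUP=/iteam/prod", "/VO=wilma/GROUP=/wilma",
        "/VO=wilma/GROUP=/wilma/admin", "/VO=fred/GROUP=/fred",
        "/VO=pebbles/GROUP=/pebbles",
    };
    char group[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (map_fqan_to_group(samples[i], group, sizeof group) == 0)
            printf("%-32s -> %s\n", samples[i], group);
        else
            printf("%-32s -> no mapping (denied)\n", samples[i]);
    }
    return 0;
}
```

Entry order matters with first-match semantics: the exact "/wilma" entry must precede "/wilma/*", or every wilma subgroup and the top-level group alike would land in the pool. The mapping also shows the granularity trade-off from the requirements slide: one fixed group per VO is simple to administer, while per-subgroup pool groups give finer accounting at the cost of lease bookkeeping.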

Work Space Service
On the road towards virtualized resources: Work Space Service
– Managed accounts
  · enable life cycle management
  · controlled account management (VO can request/release)
  · “special” QoS requests
– WS-RF style GT4 service
  · uses LCMAPS as a back-end

LCMAPS & WSS via legacy mode
[Figure: LCMAPS and WSS in legacy mode]

LCMAPS usage in the job chain
[Figure: LCMAPS usage in the job chain]

Summary
– Control over running jobs is via site mechanisms
– Mapping of credentials required for legacy programs
  · limited to Unix-domain account mechanisms
  · needs to remain manageable for site administrators
  · scheduling/priorities based on Unix user and group names
  · accounting based on (uid, gid) pairs
  · the Unix domain is not very flexible. Sorry.
– Virtualisation is coming, but too far down the road?