OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.

Slides:

Advertisements

Similar presentations

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,

Advertisements

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Site Provide one or more of the following capabilities: – access to local computational resources using a batch queue – interactive access to local.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Use of Condor on the Open Science Grid Chris Green, OSG User Group / FNAL Condor Week, April

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

Grid User Management System Gabriele Carcassi HEPIX October 2004.

Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

Open Science Grid OSG CE Quick Install Guide Siddhartha E.S University of Florida.

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

Introduction to OSG Security Suchandra Thapa Computation Institute University of Chicago March 19, 20091GSAW 2009 Clemson.

Mine Altunay July 30, 2007 Security and Privacy in OSG.

Pilot Jobs John Gordon Management Board 23/10/2007.

INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.

Meeting Minutes and TODOs TG has no distributed monitoring. During incident response, use a manual twiki page to distribute information TG monitors the.

Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

Open Science Grid (OSG) Introduction for the Ohio Supercomputer Center Open Science Grid (OSG) Introduction for the Ohio Supercomputer Center February.

Creating and running an application.

GLIDEINWMS - PARAG MHASHILKAR Department Meeting, August 07, 2013.

VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.

OSG AuthZ components Dane Skow Gabriele Carcassi.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

Mar 27, gLExec Accounting Solutions in OSG Gabriele Garzoglio gLExec Accounting Solutions in OSG Mar 27, 2008 Middleware Security Group Meeting Igor.

AstroGrid-D Meeting MPE Garching, M. Braun VO Management.

SCSC 455 Computer Security Chapter 3 User Security.

Auditing Project Architecture VERY HIGH LEVEL Tanya Levshina.

LCG Pilot Jobs and glexec John Gordon.

EMI INFSO-RI Argus The EMI Authorization Service Valery Tschopp (SWITCH) Argus Product Team.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

Security aspects of the WLCG infrastructure: clients and services Maarten Litmaath CERN.

INFSO-RI Enabling Grids for E-sciencE glexec on worker nodes David Groep NIKHEF.

Andrew McNab - Dynamic Accounts - 2 July 2002 Dynamic Accounts in TB1.3 What we could do with what we’ve got now... Andrew McNab, University of Manchester.

Open Science Grid Build a Grid Session Siddhartha E.S University of Florida.

Placeholder ES 1 CERN IT EGI Technical Forum, Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.

LCG Pilot Jobs + glexec John Gordon, STFC-RAL GDB 7 December 2007.

Security and VO management enhancements in Panda Workload Management System Jose Caballero Maxim Potekhin Torre Wenaus Presented by Maxim Potekhin at HPDC08.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.

OSG Status and Rob Gardner University of Chicago US ATLAS Tier2 Meeting Harvard University, August 17-18, 2006.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Job Management Claudio Grandi.

Development of the Fermilab Open Science Enclave Policy and Baseline Keith Chadwick Fermilab Work supported by the U.S. Department of.

Running User Jobs In the Grid without End User Certificates - Assessing Traceability Anand Padmanabhan CyberGIS Center for Advanced Digital and Spatial.

Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.

Job Priorities and Resource sharing in CMS A. Sciabà ECGI meeting on job priorities 15 May 2006.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.

Nov 05, 2008, PragueSA3 Workshop1 A short presentation from Owen Synge SA3 and dCache.

Honolulu - Oct 31st, 2007 Using Glideins to Maximize Scientific Output 1 IEEE NSS 2007 Making Science in the Grid World - Using Glideins to Maximize Scientific.

Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.

Argus EMI Authorization Integration

Multi User Pilot Jobs update

Workload Management System

f f FermiGrid – Site AuthoriZation (SAZ) Service

Global Banning List and Authorization Service

From Prototype to Production Grid

Argus The EMI Authorization Service

Presentation transcript:

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain Roy and Igor Sfiligoi

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security2 Outline Why do we need gLExec How does gLExec work Conclusions

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security3 Traditional Grid Jobs User jobs come through the Gatekeeper Gatekeeper Batch Worker node Job Resource Broker GUMS

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security4 Pilot Grid Jobs User jobs don't come through the Gatekeeper  Only pilots do Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security5 Pilot Grid Jobs (2) User jobs don't come through the Gatekeeper  Only pilots do Gatekeeper Batch Worker node VO Queue GUMS Pilot Factory User never explicitly authorized Different identities share UID Job

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security6 Pilot jobs in use today Several VOs are actively using Pilot jobs  CDF  ATLAS Others are about to start using them  CMS  MINOS Pilot jobs are here to stay

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security7 Pilot Grid Jobs with gLExec User jobs started using gLExec Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory gLExec

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security8 Pilot Grid Jobs with gLExec (2) User jobs started using gLExec Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory gLExec Users explicitly authorized UID separation

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security9 What is gLExec A Grid-aware suExec derivative  Allows execution of commands as a different user  Authorization and mapping based on x509 proxy A privileged executable  Needed to switch identities Pluggable architecture  PRIMA/GUMS plugin used by default in OSG

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security10 gLExec IS a privileged executable gLExec is NOT a privileged service  Not listening on any network port gLExec is a privileged executable  Will run as root at least part of the time  A bug can potentially give an attacher root privileges gLExec has been audited by EGEE for potential security problems  None have been found

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security11 gLExec and accounting gLExec keeps detailed logs of each invocation, including  user DN and FQAN  start and stop times  process id A gLExec GRATIA probe exists for automatic accounting extraction  but logs are also human readable

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security12 gLExec and Pilots Pilots need to be gLExec-aware  Pilots cannot be forced to use gLExec Using gLExec is in the best interest of pilots  Protects them from malicious users (UID switching) But if gLExec is installed, site can require its use by policy

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security13 gLExec installation gLExec supported by OSG  distributed via VDT Needs to be installed on all the worker nodes Requires host certificate or service proxy to talk to GUMS For more details, see talk in the “Configuring OSG” session

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security14 Conclusions Pilot jobs are gaining momentum  Most big VOs (do or will) use them gLExec helps restore security for pilot jobs It is a privileged executable  But security benefits overweight risks Supported by OSG  Distributed in VDT