Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security aspects of the CREAM-CE

Published byKathryn Robbins Modified over 5 years ago

Similar presentations

Presentation on theme: "Security aspects of the CREAM-CE"— Presentation transcript:

1 Security aspects of the CREAM-CE
Cristina Aiftimiei On behalf of the gLite job management product team

2 CREAM CREAM service: Computing Resource Execution And Management service Service for job management operations at the Computing Element (CE) level Allows to submit, cancel, monitor, … jobs Web service interface Possibility to interact directly with the CE or via a higher level service (WMS, Condor) Implemented and maintained so far in the context of the EGEE projects Work is continuing now under the EMI hat 2

3 CREAM security mechanisms (now)
Authentication managed by trustmanager Authorization to the service managed by a “custom” gJAF (Grid Java Authorization Framework) Possibility to grant authorization based on VOMS attributes or DNs When authorized, glexec used to get the local user id mapped to that Grid user glexec uses LCAS and LCMAPS Sudo (using the local user id) is then used to perform the needed operations on behalf of that user (CREAM sandbox dir creation, submission to the batch system, etc.) Gridftpd also used in the CREAM CE It also uses LCAS and LCMAPS, but specific configuration files are needed (i.e. not the same conf files used for glexec) 3

4 CREAM security mechanisms (future)
CREAM CE is being integrated with Argus Integration foreseen in CREAM CE 1.7 and ARGUS 1.2 Scenario in CREAM-CE integrated with Argus: Authentication still managed by trustmanager Authorization to the service managed by ARGUS Argus, besides telling if the operation for that user is authorized, will also return the local user mapped to that Grid user Sudo (using the local user id) still used to perform the needed operations (CREAM sandbox dir creation, submission to the batch system, etc.) Gridftpd also integrated with Argus At configuration time, admin will have the possibility to choose between Argus based authorization and the old mechanisms The following slides refer to the implementation now in production (i.e. not to the CREAM CE integrated with Argus) 4

5 Installation and Configuration
Supported installation method is yum As all the other gLite services Supported configuration method is yaim Something different being adopted in EMI ? Some sites are using quattor for installation and/or configuration Once the CREAM-CE is installed and configured You can check some relevant part of the configuration running a script Script updated whenever needed (i.e. typical configuration problems are checked by this script) You can also perform the tests suggested at 5

6 Configuration files Configured by yaim, but afterwards they can be manually further modified if needed (but these changes will be reset if case of reconfiguration) CREAM configuration file /opt/glite/etc/glite-ce-cream/cream-config.xml BLAH configuration file /opt/glite/etc/blah.config BLparser configuration file (only for the old blparser) /opt/glite/etc/blparser.conf glexec configuration file /opt/glite/etc/glexec.conf sudo configuration file /etc/sudoers LCAS and LCMAPS configuration files used by glexec /opt/glite/etc/lcas/lcas-glexec.db and /opt/glite/etc/lcmaps/lcmaps-glexec.db LCAS and LCMAPS configuration files used by gridftpd /opt/glite/etc/lcas/lcas.db and /opt/glite/etc/lcmaps/lcmaps.db All details in: 6

7 Log files CREAM log file /opt/glite/var/log/glite-ce-cream.log
Tomcat and trustmanager log files /usr/share/tomcat5/logs/* Glexec logs on syslog by default, but possibility to configure it to log on specific files Sudo by default logs via syslog, but possibility to configure it to log on specific file BLparser log files For the old parser: /opt/glite/var/log/glite-[lrms]parser.log For the new parser: /opt/glite/var/log/glite-ce-bupdater.log and /opt/glite/var/log/glite-ce- bnotifier.log Gridftpd log files: /var/log/globus-gridftp.log and /var/log/gridftp-session.log All details in: 7

8 User mapping For pool accounts, mapping between Grid users and local users can be found in /etc/grid-security/gridmapdir It contains a file per each pool account The file for an unused account has a hard link count of 1 # cd /etc/grid-security/gridmapdir # ls -li ops034 rw-r--r-- 1 root root 0 Dec ops034 The file for a used account has a hard link count of 2 # ls -li ops022 rw-r--r-- 2 root root 0 Sep 14 03:57 ops022 The other link’s name encodes the DN and VOMS UNIX groups # ls -li | grep ^ rw-r--r-- 2 root root 0 Sep 14 03:57 %2fdc%3dch%2fdc%3dcern%2fcn%3darthur%20dent:ops 8

9 User mapping (cont.ed) If glexec and gridftpd maps you to different local accounts, there is a bug or misconfiguration ! This is one of the issue addressed with the integration with Argus lcg-expiregridmapdir cron job recycles pool accounts as needed When usage exceeds a threshould (80 %) The oldest accounts are recycled until the usage falls again below the thresholds An account can only be recycled if idle for a certain period (default: 48 hours) Recycling of pool accounts should happen rarely Check the status in /var/log/lcg-expiregridmapdir.log 9

10 Network usage From node From port To node To port Variable CREAM service {UI, WMS} C CREAM-CE 8443 Gridftp control {UI, WMS, WN} 2811 Gridftp data Notifications {WN, BLParser host} 9091 LRMS_EVENT_LISTENER_PORT LB locallogger WN 9002 LB server 9001 mysql * Mysql server 3306 bdii BDII 2170 Old BLParser listening port Blparser host 33333 BLP_PORT Old blparser CREAM listening port 56565 CREAM_PORT 10

11 Start/stop Start CREAM service is started starting the container:
/etc/init.d/tomcat start In case the new BLAH blparser is used, this will also start it (if not already running) If for some reason it is necessary to explicitly (re)start the new BLAH blparser: /opt/glite/etc/init.d/glite-ce-blahparser (re)start If instead the old BLAH blparser is used, before starting tomcat it is necessary to start it on the blparser node: /opt/glite/etc/init.d/glite-ce-blparser start Stop CREAM service is stopped stopping the container: 11

12 Banning How to ban a VO Simplest way: reconfigure without that VO
How to ban a user Insert the DN of the user to be banned in /opt/glite/etc/glite-ce- cream/banned.lst (for CREAM service) and /opt/glite/etc/lcas/ban_users.db (for glexec and gridftpd) DN must be in quotes 12

13 CREAM administrators An administrator of a CREAM CE is a user with special privileges Can manage (check status, cancel, etc.) jobs submitted to that CREAM CE by other users Can perform some special operations (e.g. disable new job submissions) How to define a CREAM administrator Insert the DN of that user (in quotes) in /etc/grid-security/admin-list 13

14 How to trace a specific job
Get the CREAM jobid of the job If the job was submitted through the WMS and you have the WMS (Grid) jobid, you can get its CREAM jobdid doing: glite-wms-job-logging-info -v 2 <gridjobdid> | grep "Dest jobid" (if the job is yours) grep <gridjobid> /opt/glite/var/log/glite-ce-cream.log* Grep the "numeric part" of the CREAMjobid in the CREAM log file E.g. → CREAM grep CREAM /opt/glite/var/log/glite-ce-cream.log* This will return all the information relevant for this job CREAM jobid, WMS jobid, batch system jobid, DN, local user, issued operations, client hostname, status changes, etc. 14

15 Some security recommendations
Close port 9091 (LRMS_EVENT_LISTENER_PORT in the CREAM conf file) to all nodes, expect the WNs and the one running the BLparser Use pool accounts instead of static accounts where possible Configure enough pool accounts so that recycling occurs rarely Releasing accounts should be an exception to the rule and should happen only rarely. However, if this happens, it should be taken care of, that really all jobs of that account are finished 10/05/2010 EMI Hot Topic, JSC, FZJ 15

16 Some security recommendations (cont.ed)
Ensure that each VO software area is only writable by the software manager for that VO (group writable only for the "sgm" accounts group, not the VO) Do not mount the VO software areas on the CREAM CE node, but only on the WNs If there are more than one computing element at a site, that access the same worker nodes, it`s recommended to set up individual, unique accounts for all CEs (such as "user001" ... "user100" on CE1 and "user101" ... "user200" on CE2 and so on) or to centrally mount gridmapdir, in order to guarantee, that no user is able to read the data of any other users. 16

17 Troubleshooting Check if the error message is documented in MToClient Page updated quite often, whenever needed Common error messages along with their meaning and possible solutions, are documented Check if something useful is reported in the CREAM log files Open a GGUS ticket Contact the developers: cream-support [at] lists [dot] infn [dot] it 17

18 Other info Check the CREAM web site http://grid.pd.infn.it
In particular the links in the “Administrator guides” section Cream control mechanisms Daemons running on a CREAM CE Configuration files Ports Cron jobs Troubleshooting ... 18

19 Thank you!

Download ppt "Security aspects of the CREAM-CE"

Similar presentations

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.

Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org CREAM: a WebService based CE Massimo Sgaravatto INFN Padova On behalf of the JRA1 IT-CZ Padova.

INFSO-RI Enabling Grids for E-sciencE CREAM: a WebService based CE Massimo Sgaravatto INFN Padova On behalf of the JRA1 IT-CZ Padova.
INFSO-RI-508833 Enabling Grids for E-sciencE Workload Management System Mike Mineter

INFSO-RI Enabling Grids for E-sciencE Workload Management System Mike Mineter
LCG Middleware Testing in 2005 and Future Plans E.Slabospitskaya, IHEP, Russia CERN-Russia Joint Working Group on LHC Computing March, 6, 2006.

LCG Middleware Testing in 2005 and Future Plans E.Slabospitskaya, IHEP, Russia CERN-Russia Joint Working Group on LHC Computing March, 6, 2006.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
Open Science Grid OSG CE 0.6.0 Quick Install Guide Siddhartha E.S University of Florida.

Open Science Grid OSG CE Quick Install Guide Siddhartha E.S University of Florida.
CERN Using the SAM framework for the CMS specific tests Andrea Sciabà System Analysis WG Meeting 15 November, 2007.

CERN Using the SAM framework for the CMS specific tests Andrea Sciabà System Analysis WG Meeting 15 November, 2007.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks CREAM and ICE Massimo Sgaravatto – INFN Padova.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks CREAM and ICE Massimo Sgaravatto – INFN Padova.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
Conference name Company name INFSOM-RI-1234567 Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.

Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.
1 Andrea Sciabà CERN Critical Services and Monitoring - CMS Andrea Sciabà WLCG Service Reliability Workshop 26 – 30 November, 2007.

1 Andrea Sciabà CERN Critical Services and Monitoring - CMS Andrea Sciabà WLCG Service Reliability Workshop 26 – 30 November, 2007.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Site Architecture Resource Center Deployment Considerations MIMOS EGEE Tutorial.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Site Architecture Resource Center Deployment Considerations MIMOS EGEE Tutorial.
Security aspects of the lcg-CE Maarten Litmaath (CERN) EGEE’08.

Security aspects of the lcg-CE Maarten Litmaath (CERN) EGEE’08.
EMI INFSO-RI-261611 Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
CREAM Installation&Configuration Sara Bertocco INFN Padova 11 th International GridKa School 2013 – Big Data, Clouds and Grids.

CREAM Installation&Configuration Sara Bertocco INFN Padova 11 th International GridKa School 2013 – Big Data, Clouds and Grids.
SAM Sensors & Tests Judit Novak CERN IT/GD SAM Review I. 21. May 2007, CERN.

SAM Sensors & Tests Judit Novak CERN IT/GD SAM Review I. 21. May 2007, CERN.
VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)

VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)
OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.

Similar presentations

Ads by Google