Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.

Published byBeverley Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain."— Presentation transcript:

1 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain Roy and Igor Sfiligoi

2 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security2 Outline Why do we need gLExec How does gLExec work Conclusions

3 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security3 Traditional Grid Jobs User jobs come through the Gatekeeper Gatekeeper Batch Worker node Job Resource Broker GUMS

4 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security4 Pilot Grid Jobs User jobs don't come through the Gatekeeper  Only pilots do Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory

5 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security5 Pilot Grid Jobs (2) User jobs don't come through the Gatekeeper  Only pilots do Gatekeeper Batch Worker node VO Queue GUMS Pilot Factory User never explicitly authorized Different identities share UID Job

6 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security6 Pilot jobs in use today Several VOs are actively using Pilot jobs  CDF  ATLAS Others are about to start using them  CMS  MINOS Pilot jobs are here to stay

7 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security7 Pilot Grid Jobs with gLExec User jobs started using gLExec Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory gLExec

8 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security8 Pilot Grid Jobs with gLExec (2) User jobs started using gLExec Gatekeeper Batch Worker node Job VO Queue GUMS Pilot Factory gLExec Users explicitly authorized UID separation

9 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security9 What is gLExec A Grid-aware suExec derivative  Allows execution of commands as a different user  Authorization and mapping based on x509 proxy A privileged executable  Needed to switch identities Pluggable architecture  PRIMA/GUMS plugin used by default in OSG

10 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security10 gLExec IS a privileged executable gLExec is NOT a privileged service  Not listening on any network port gLExec is a privileged executable  Will run as root at least part of the time  A bug can potentially give an attacher root privileges gLExec has been audited by EGEE for potential security problems  None have been found

11 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security11 gLExec and accounting gLExec keeps detailed logs of each invocation, including  user DN and FQAN  start and stop times  process id A gLExec GRATIA probe exists for automatic accounting extraction  but logs are also human readable

12 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security12 gLExec and Pilots Pilots need to be gLExec-aware  Pilots cannot be forced to use gLExec Using gLExec is in the best interest of pilots  Protects them from malicious users (UID switching) But if gLExec is installed, site can require its use by policy

13 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security13 gLExec installation gLExec supported by OSG  distributed via VDT Needs to be installed on all the worker nodes Requires host certificate or service proxy to talk to GUMS For more details, see talk in the “Configuring OSG” session

14 OSG Site Admin Workshop - Mar 2008Using gLExec to improve security14 Conclusions Pilot jobs are gaining momentum  Most big VOs (do or will) use them gLExec helps restore security for pilot jobs It is a privileged executable  But security benefits overweight risks Supported by OSG  Distributed in VDT

Download ppt "OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Security Q&A OSG Site Administrators workshop Indianapolis August 6-7 2009 Doug Olson LBNL.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.

Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Site Provide one or more of the following capabilities: – access to local computational resources using a batch queue – interactive access to local.

OSG Site Provide one or more of the following capabilities: – access to local computational resources using a batch queue – interactive access to local.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.

G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
Use of Condor on the Open Science Grid Chris Green, OSG User Group / FNAL Condor Week, April 30 2008.

Use of Condor on the Open Science Grid Chris Green, OSG User Group / FNAL Condor Week, April
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
Grid User Management System Gabriele Carcassi HEPIX 2004 18 October 2004.

Grid User Management System Gabriele Carcassi HEPIX October 2004.

Similar presentations

Ads by Google