LCAS and LCMAPS - PowerPoint PPT Presentation
Description: DataGrid is a project funded by the European Union. LCG VOMS/VOX meeting. LCAS ... Martijn Steenbakkers <martijn@nikhef.nl>, Oscar Koeroo <okoeroo@nikhef.nl> ...
1
LCAS and LCMAPS
  • EDG WP4 Fabric Gridification Team
    David Groep <davidg@nikhef.nl>
    Martijn Steenbakkers <martijn@nikhef.nl>
    Oscar Koeroo <okoeroo@nikhef.nl>
    Gerben Venekamp <venekamp@nikhef.nl>
    Wim Som de Cerff <sdecerff@knmi.nl>
  • http://www.dutchgrid.nl/DataGrid/wp4/

2
Authorization
3
Local Site Authorization Services
  • Local Centre Authorization Service (LCAS), since 2002
      • Handles authorization requests to the local fabric
      • Authorization decisions based on the user's grid
        credential (full context) and job specification (RSL)
      • Backward compatible with the grid-mapfile mechanism
      • Plug-in framework (hooks for external authorization
        plug-ins), e.g.
          • Banned users (ban_users.db)
          • VOMS AuthZ (full-fledged GACL-like processing)
  • Local Credential Mapping Service (LCMAPS), since Sep 2003
      • Plug-in framework, driven by a comprehensive policy
        language
      • Mapping based on grid identity, VO affiliation, and/or
        site-local policy
      • Supports UNIX uid/gid (static, pool accounts, groups),
        directories, AFS, Kerberos
  • Job Repository (JR), today
      • Job tracing, credential map tracing, cert chains, job
        information (RSL)
      • Provides identifiers to link to existing batch
        accounting systems

4
EDG Gatekeeper (release 2.1)
[Diagram: Gatekeeper flow. GSI AuthN establishes the GSS context; the
LCAS authZ call-out takes the GSS context and the RSL and evaluates the
policy (GACL, timeslot, banned) to accept or reject; LCMAPS is then
opened, learns and runs its modules, and returns the legacy uid; finally
the Job Manager is fork/exec'd with its args and submit script.]
5
LCAS
  • Authorisation Decision Service: will say YES or NO, based on
      • client_name (subject)
      • GSS security context (credential, extensions)
      • RSL (executable name, job information)
  • Policy list will AND the results from all modules
  • Default modules shipped
      • VOMS GACL expressions (user, group, role, cap)
      • black-list users
      • white-list users
      • wallclock constraints

6
LCMAPS
  • Once authorisation has been obtained
      • acquire local (unix) credentials to run legacy jobs
      • enforce those credentials on
          • the job being run, or
          • the FTP session started

7
LCMAPS requirements
  • Backward compatible with existing systems
      • should read a grid-mapfile
      • legacy API gss_assist_gridmap(): transparent
        replacement for the gss_assist lib
      • support for both the (edg) gatekeeper and a patched
        gsi-wuftpd
  • Support for multiple VOs per user
      • VOMS groups, roles and capabilities map into UNIX
        groups
      • granularity can be configured per site (from 1
        group/VO to 1 per unique triplet)
  • Minimum system administration
      • pool accounts and pool groups
      • understandable configuration
  • Extensible and configurable
  • Boundary conditions
      • Has to run in privileged mode
      • Has to run in the process space of the incoming
        connection (for fork jobs)

8
LCMAPS control flow
[Diagram: GK -> LCMAPS (Credential Acquisition, Enforcement) -> CREDs
-> Job Mngr]
  • User authenticates using a (VOMS) proxy
  • LCMAPS library invoked
      • Acquire all relevant credentials
      • Enforce external credentials
      • Enforce credentials on the current process tree at
        the end
  • Run job manager
      • Fork will be OK by default
      • Batch systems may need the primary group explicitly
      • Batch clusters will need updated (distributed)
        UNIX account info
  • Order and function are policy-based

9
LCMAPS plugin introspect
  • Framework is resilient to new module functionality and
    vice versa
  • Invocation and argument list for modules discovered via
    the introspection API
      • Information in the (VOMS) proxy cert accessed by
        symbolic names
      • Argument description by name, type, range,
        modifiability
      • Credential acquisition in named and typed lists
  • Various modules can support different interfaces
      • Modules from multiple generations can be mixed
      • An old framework will work with bleeding-edge
        modules

10
LCMAPS modules
  • Modules represent atomic functionality
    (A = credential acquisition, E = enforcement)
      • VOMS: extract VOMS credentials from the proxy (A)
      • PoolAccounts: from username, assign a unique uid (A)
      • PoolGroups: from (VOMS) groupname, assign a unique
        gid (A)
      • LocalAccount: from username, assign a local existing
        unique uid (A)
      • LocalGroups: from (VOMS) groupname, assign a local
        existing gid (A)
      • VOMS PoolAccounts: from username and primary VOMS
        group, assign a unique uid (A)
      • AFS/Krb5: get token based on user DN info via
        gssklogd (A)
      • POSIX: process setuid() and setgid() (E)
      • POSIX LDAP: update distributed user database (E)

11
LCMAPS policy evaluation
  • State machine approach (superset of boolean
    expressions)
  • Policy description file

[Diagram: state machine for the "standard" policy below.
VOMS-group TRUE -> PoolAccount -> LDAP -> POSIX;
VOMS-group FALSE -> LocalAccount -> POSIX]

/opt/edg/etc/lcmaps/lcmaps.db:

    path = /opt/edg/lib/lcmaps/modules

    localaccount = "lcmaps_localaccount.mod \
                    -gridmapfile /etc/grid-security/grid-mapfile"
    poolaccount  = "lcmaps_poolaccount.mod \
                    -gridmapfile /etc/grid-security/grid-mapfile"
    posix_enf    = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
    voms         = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates \
                    -certdir /etc/grid-security/certificates"

    standard:
    voms         -> poolaccount | localaccount
    localaccount -> posix_enf
    poolaccount  -> ldap
    ldap         -> posix_enf
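An added example (not LCMAPS's own code, which loads the .mod plug-ins) of evaluating this kind of policy as a state machine in Python: the rule text mirrors the "standard" section above, and the per-module outcomes are a constructed stand-in for actually running the plug-ins.

```python
from typing import Dict, List, Optional, Tuple

# Constructed policy mirroring the slide's "standard" section of lcmaps.db:
# "a -> b | c" means run a; on success continue with b, on failure with c.
STANDARD_POLICY = """
voms         -> poolaccount | localaccount
localaccount -> posix_enf
poolaccount  -> ldap
ldap         -> posix_enf
"""

def parse_policy(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each module to (next on success, next on failure or None)."""
    rules: Dict[str, Tuple[str, Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # allow trailing comments
        if not line:
            continue
        src, rhs = (s.strip() for s in line.split("->", 1))
        on_ok, _, on_fail = (s.strip() for s in rhs.partition("|"))
        rules[src] = (on_ok, on_fail or None)
    return rules

def evaluate(rules: Dict[str, Tuple[str, Optional[str]]], start: str,
             outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the state machine from `start`. `outcomes` is a constructed
    stand-in for running each .mod plug-in: True = module succeeded.
    Returns (authorised, modules visited in order).
    - a failing module with no '|' branch ends the policy FALSE
    - a module with no outgoing rule (the enforcement step here) ends it
      TRUE only if it succeeded itself
    - a loop in the policy file is an error, not followed forever."""
    path: List[str] = []
    state: Optional[str] = start
    while state is not None:
        if state in path:
            raise ValueError(f"policy loops back to {state}")
        path.append(state)
        ok = outcomes.get(state, False)        # unknown module == failure
        if state not in rules:
            return ok, path
        on_ok, on_fail = rules[state]
        state = on_ok if ok else on_fail
    return False, path

def run_standard(outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate the constructed 'standard' policy starting at the voms module."""
    return evaluate(parse_policy(STANDARD_POLICY), "voms", outcomes)
```

A proxy without VOMS extensions takes the FALSE branch through localaccount, and a job is refused as soon as a module fails with no alternative branch, which is the behaviour a site relies on when pool accounts run out.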
12
LCMAPS enabling new functionality
  • Local UNIX groups based on VOMS group membership,
    roles, caps
      • More than one VO/group per grid user
      • Primary group set to the first VOMS group (important
        for accounting!)
  • New mechanisms
      • groups-on-demand, supporting granularity at any
        level
      • Central user directory support (nss_LDAP,
        pam-ldap)

Example groupmapfile:

    "/VO=iteam/GROUP=/iteam"  iteam
    "/VO=WP6/GROUP=/WP6"      wpsix
    "/VO=wilma/GROUP=/wilma"  wilma
    "/VO=wilma/GROUP=/wilma/" .pool
    "/VO=fred/GROUP=/fred"    .pool
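An added example (not LCMAPS's own code) in Python of the groupmapfile lookup that turns the VOMS groups in a proxy into one primary and several secondary UNIX groups, with .pool entries leased on demand; the entries, FQANs and gid numbers are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed groupmapfile mirroring the slide's example.
GROUPMAPFILE = [
    ("/VO=iteam/GROUP=/iteam",  "iteam"),
    ("/VO=WP6/GROUP=/WP6",      "wpsix"),
    ("/VO=wilma/GROUP=/wilma",  "wilma"),
    ("/VO=wilma/GROUP=/wilma/", ".pool"),
    ("/VO=fred/GROUP=/fred",    ".pool"),
]

class PoolGroups:
    """Leases pool groups (groups-on-demand). A VOMS group that has been
    leased a pool group keeps it, so repeated jobs land in the same gid."""
    def __init__(self, free: List[Tuple[str, int]]):
        self.free = list(free)                 # (name, gid) not yet leased
        self.leases: Dict[str, Tuple[str, int]] = {}

    def lease(self, voms_group: str) -> Tuple[str, int]:
        if voms_group not in self.leases:
            if not self.free:
                raise RuntimeError("pool groups exhausted")
            self.leases[voms_group] = self.free.pop(0)
        return self.leases[voms_group]

def voms_group(fqan: str) -> str:
    """Keep only the /VO=../GROUP=.. part; ROLE/CAP are not matched here."""
    return fqan.split("/ROLE=", 1)[0]

def map_groups(fqans: List[str], mapfile: List[Tuple[str, str]],
               pool: PoolGroups) -> Tuple[str, List[str]]:
    """Return (primary_group, secondary_groups). The first VOMS group in the
    proxy decides the primary group (what accounting will see); FQANs with
    no groupmapfile entry are ignored; a user with no mapped group is refused."""
    table = dict(mapfile)
    groups: List[str] = []
    for fqan in fqans:
        entry = table.get(voms_group(fqan))
        if entry is None:
            continue
        name = pool.lease(voms_group(fqan))[0] if entry == ".pool" else entry
        if name not in groups:
            groups.append(name)
    if not groups:
        raise PermissionError("no VOMS group maps to a local group")
    return groups[0], groups[1:]
```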
13
JR Job Repository
  • Database will store information about every job
    run attempt
      • user credential (full chain)
      • RSL used to run the job
      • detailed VOMS information (triplets)
      • unix userid and groupid(s) acquired
  • Possible questions include: What jobs were run by
    someone called Templon, primarily as a member of LHCb
    but also claiming Dzero membership, with an executable
    named rereco in the RSL? And what is the userid under
    which any such files have been stored?

14
JR information sources
  • A special information provider as an LCMAPS module
  • Additional hooks in the job manager scripts
  • Retrieval
      • a unique identifier in the job environment
      • command-line scripts / API to retrieve this info
        during execution
      • a link in the JR database to the batch job ID
        (for accounting)

15
More Information
  • EDG Security Coordination Group
      • Web site: http://hep-project-grid-scg.web.cern.ch/
  • LCAS, LCMAPS, JR
      • Web site: http://www.dutchgrid.nl/DataGrid/wp4/
      • CVS site: http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/
      • http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
      • Maillist: hep-proj-grid-fabric-gridify@cern.ch