FermiGrid PRIMA, VOMS, GUMS - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
FermiGrid - PRIMA, VOMS, GUMS SAZ
  • Keith Chadwick
  • Fermilab
  • chadwick_at_fnal.gov

2
FermiGrid - Infrastructure Components
  • Site Globus Gateway
    • Job forwarding gateway using CEMon.
    • Makes use of the accept-limited globus gatekeeper option.
  • VOMS / VOMRS
    • VO Membership Service / VO Management Registration Service.
    • Allows the user to select roles (FQANs).
  • GUMS
    • Grid User Mapping Service.
    • Maps the FQAN in the x509 proxy to a site-specific UID/GID.
  • SAZ
    • Site AuthoriZation Service.
    • Allows the site to make fine-grained job authorization decisions.
  • MyProxy
    • Service to securely store and retrieve signed x509 proxies.

3
FermiGrid - Current Architecture
[Architecture diagram: VOMS Server, GUMS Server (periodic synchronization from VOMS), Site Wide Gateway, SAZ Server, BlueArc; clusters behind the gateway: CMS WC1, CDF OSG1, CDF OSG2, D0 CAB2, SDSS TAM, GP Farm, LQCD]
4
Globus gatekeeper - GUMS SAZ interface
  • GUMS and SAZ are interfaced to the globus gatekeeper through the gsi_authz callout, configured in /etc/grid-security/gsi_authz.conf:
    • PRIMA: globus_mapping /usr/local/vdt/prima/lib/libprima_authz_module_gcc32dbg globus_gridmap_callout
    • SAZ: globus_authorization /usr/local/vdt/saz/client/lib/libSAZ-gt3.2_gcc32dbg globus_saz_access_control_callout

5
SAZ - Site AuthoriZation Service
  • We deployed the Fermilab Site AuthoriZation (SAZ) service on the Fermilab Site Globus Gatekeeper (fermigrid1) on Monday October 2, 2006.
  • SAZ allows us (Fermilab) to make Grid job authorization decisions for the Fermilab site based on the DN, VO, Role and CA information contained in the proxy certificate provided by the user.
  • We have currently configured SAZ to operate in a default accept mode for user grid proxy credentials that are associated with VOs (the user uses voms-proxy-init to generate their grid proxy credentials).
  • Users that continue to use grid-proxy-init to generate their grid proxy credentials may no longer be able to execute on Fermilab SAZ-enabled Compute Elements.

6
SAZ Database Table Structure
  • DN
    • user_name, enabled, trusted, changedAt
  • VO
    • vo_name, enabled, trusted, changedAt
  • Role
    • role_name, enabled, trusted, changedAt
  • CA
    • ca_name, enabled, trusted, changedAt

7
SAZ - Site AuthoriZation Pseudo-Code
  • Site authorization callout on the globus gateway sends a SAZ authorization request (example):
    • user /DC=org/DC=doegrids/OU=People/CN=Keith Chadwick 800325
    • VO fermilab
    • Role /fermilab/Role=NULL/Capability=NULL
    • CA /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
  • SAZ server on fermigrid4 receives the SAZ authorization request, and
    • 1. Verifies the certificate and trust chain.
    • 2. If the certificate does not verify or the trust chain is invalid then
      • SAZ returns "Not-Authorized"
      • fi
    • 3. Issues a select on "user" against the SAZDB user table
    • 4. If the select on "user" fails then
      • a record corresponding to the "user" is inserted into the SAZDB user table with (user.enabled=Y, user.trusted=F)
      • fi
    • 5. Issues a select on "VO" against the local SAZDB vo table
    • 6. If the select on "VO" fails then

8
SAZ - Animation
[Animation: Gatekeeper sends DN, VO, Role and CA to the SAZ server]
9
SAZ - A Couple of Caveats
  • What about grid-proxy-init or voms-proxy-init without a VO?
    • The NULL VO is specifically disabled (vo.enabled=F, vo.trusted=F).
    • If a user has user.trusted=Y in their user record then
      • >>> we allow them to execute jobs without VO sponsorship <<<.
    • This granting of user.trusted=Y is not automatic.
    • The number of users with this privilege should be (will be) VERY limited.
  • What about pilot jobs / glide-in operation?
    • We have at least three options:
      • We can just allow all DNs and Roles to be potential pilots.
      • We can anoint the specific role used by the DN of the pilot:
        • glexec would call SAZ with the DN and role of the pilot first,
        • then subsequently process the user's DN and role.
      • We can use two SAZ instances:
        • The first is used by the gatekeeper and only has the pilot DN enabled.
        • The second is used by glexec calls from the worker nodes and has all DNs enabled.
    • More thinking may give us more options to choose from.

10
SAZ - Open Issues
  • Extra /CN=<random number> in the DN.
    • Examples:
      • /DC=org/DC=doegrids/OU=People/CN=Leigh Grundhoefer (GridCat) 693100/CN=1173547087
      • /DC=org/DC=doegrids/OU=People/CN=Leigh Grundhoefer (GridCat) 693100/CN=1642479879
      • /DC=org/DC=doegrids/OU=People/CN=Leigh Grundhoefer (GridCat) 693100/CN=1769868279
    • Result of the user issuing grid-proxy-init.
    • Does not occur with voms-proxy-init.
    • Looking at code changes to handle the extra CN problem.
  • Condor fails to properly delegate the full voms proxy attributes.
    • This can be worked around in condor_config by setting DELEGATE_JOB_GSI_CREDENTIALS=FALSE
    • A ticket on this issue has been opened with the Condor developers.
  • Testing by Chris Green and John Weigand shows that Reliable File Transfer (RFT) with WS-Gram is also failing to properly delegate the full voms attributes.
    • RFT is using the full voms proxy for the first transaction, but uses a cached copy without the role information for the second transaction.
    • A ticket on this issue has been opened with the Globus developers.
    • We are also looking at what can be done inside SAZ.

11
SAZ - Extensions
  • We are about to deploy a new SAZ client which can call multiple SAZ servers:
    • Site-wide SAZ instance.
    • Optional cluster-specific SAZ instance.
    • A job must pass all SAZ servers to be allowed to execute.
  • We are also about to deploy a new SAZ server which ignores the extra /CN=<random number> that is added to the DN by grid-proxy-init.
  • We are discussing the needs and options for a richer SAZ decision matrix and how to apply SAZ to storage access.
  • We are thinking about updates to the SAZ server in order to allow external configuration for default accept or default deny on each of DN, VO, Role and CA.
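The SAZ decision logic from slides 7, 9 and 11, as an added example that is not FermiGrid's own SAZ code. It assumes that a request is authorized only when the DN, CA, VO and Role records are all enabled, that a record missing from a table is inserted with that table's configured default (accept or deny) and trusted=F, and that a DN with trusted=Y skips the VO and Role checks; the NULL_VO name, the SAZDB class and the lookup/authorize functions are constructed for the example.

```python
# Added example, not FermiGrid's SAZ code: a minimal model of the SAZ
# decision logic on slides 6, 7, 9 and 11. Assumed: all four records must
# be enabled; a missing record is inserted with the table's default accept
# or deny and trusted=F; a trusted DN skips the VO and Role checks.
import re
from dataclasses import dataclass, field

NOT_AUTHORIZED, AUTHORIZED = "Not-Authorized", "Authorized"
NULL_VO = "NULL"  # constructed name for "voms-proxy-init without a VO"

@dataclass
class Record:
    enabled: bool
    trusted: bool = False

@dataclass
class SAZDB:
    """In-memory stand-in for the four SAZDB tables (slide 6)."""
    default_accept: dict = field(default_factory=lambda: dict(
        user=True, vo=True, role=True, ca=True))  # default accept (slide 5)
    user: dict = field(default_factory=dict)
    vo: dict = field(default_factory=lambda: {NULL_VO: Record(False)})
    role: dict = field(default_factory=dict)
    ca: dict = field(default_factory=dict)

    def lookup(self, table: str, name: str) -> Record:
        rows = getattr(self, table)
        # A failed select inserts a record, as slide 7 step 4 does for users.
        return rows.setdefault(name, Record(self.default_accept[table]))

# grid-proxy-init appends /CN=<random number> (slide 10); the new SAZ
# server ignores it (slide 11), so strip trailing numeric CNs first.
_PROXY_CN = re.compile(r"(/CN=\d+)+$")

def canonical_dn(dn: str) -> str:
    return _PROXY_CN.sub("", dn)

def authorize(db, user, vo, role, ca, cert_valid=True) -> str:
    """Return the SAZ decision for one authorization request."""
    if not cert_valid:                         # steps 1-2: bad cert/chain
        return NOT_AUTHORIZED
    user_rec = db.lookup("user", canonical_dn(user))
    if not (user_rec.enabled and db.lookup("ca", ca).enabled):
        return NOT_AUTHORIZED
    if user_rec.trusted:                       # slide 9: no VO sponsorship
        return AUTHORIZED
    vo_rec, role_rec = db.lookup("vo", vo), db.lookup("role", role)
    return AUTHORIZED if vo_rec.enabled and role_rec.enabled else NOT_AUTHORIZED
```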

12
SAZ - Hourly Service Monitor
13
SAZ - Daily Metrics
14
SAZ - IP Connections per Day
15
SAZ - Unique DN, VO, Role, CA per Day
16
fin
  • Any questions?