NIKHEF grid meeting 1 December 2003
LCAS and LCMAPS
David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp
NIKHEF Grid meeting – LCAS and LCMAPS – n° 2
Talk Outline
Introduction on AuthN & AuthZ in EDG: why do we need VOMS, LCAS, LCMAPS … ?
Gridification architecture
LCAS: architecture, plug-ins, examples
LCMAPS: architecture, plug-ins, policy language (PDL), examples
Job Repository
Status and Future Developments
AuthN & AuthZ in EDG (1)
GLOBUS Authentication: Grid Security Infrastructure (GSI)
  X509 certificates (PKI), Certificate Authorities
  Mutual authentication
  Single sign-on, proxy delegation
Authorization: grid-mapfile
  Grid credentials (user’s certificate) to local credentials (unix account) mapping
  “Boolean” authorization
  Information provided via VO-LDAP servers (EDG)
  Managed “manually” by the resource admin (via mkgridmap, EDG)
Problems: no centralization, no scalability, lack of flexibility
Problems addressed by VOMS, LCAS/LCMAPS
AuthN & AuthZ in EDG (2)
VOMS (VO Membership Service) authorization at VO level
Each VO has its own VOMS
VO affiliation assertions embedded in proxy
Support for group membership, roles, capabilities
A user can be member of many VOs
LCAS/LCMAPS: separated pure authZ (LCAS) from user account mapping (LCMAPS)
Flexible/dynamic assignment of local credentials
Resource manager remains in full control
(Diagram: VOMS flow – the user with proxy DN C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy sends a Request, VOMS performs Authentication and a Query against the AuthDB, and returns a VOMS pseudo-cert)
WP4 Gridification components
(Architecture diagram; labels recovered below)
External to fabric: Resource Broker (WP1), sending the resource request in RSL in a VOMS-signed, established security context
Internal to fabric: CE with (EDG-)Gatekeeper and Jobmanager; LCAS plug-ins: allow list, ban list, wallclock time, VOMS/GACL; LCMAPS: policy, plug-ins producing uid/gid and other tokens
Other components shown, with “Enforce credentials” arrows: Job Repository, Storage Element (WP5, SE), RMS, Worker node farms, Configuration Mgmt
Legend: WP4 non-gridification; Gridification component; Non-WP4 subsystem
AuthN, AuthZ control flow in GK
(Diagram: “Ye Olde Gatekeeper” flow; labels recovered below)
GSI AuthN: accept → GSI auth → assist_gridmap → Jobmanager-*
LCAS authZ call-out on the proxy (C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy, VOMS pseudo-cert): allowed, timeslot, banned, policy plug-ins
LCMAPS: open, learn & run … and return legacy uid
Job Manager: fork+exec args, submit script
LCAS
Local Centre Authorization Service (LCAS)
Handles authorization requests to the local fabric
Authorization decisions based on proxy user certificate and job specification (RSL)
Supports grid-mapfile mechanism and/or GACL
Plug-in framework (hooks for external authorization plug-ins):
  Allowed users (grid-mapfile or allowed_users.db)
  Banned users (ban_users.db)
  Available timeslots (timeslots.db)
  Plug-in for VOMS (to process authorization data); uses the VOMS API
  authZ policy in GACL format (or grid-mapfile)
  Convenience tool to convert grid-mapfile into GACL format: edg-lcas-voms2gacl
LCAS - ban_user.db
# This file contains the globus user ids that are BANNED from this fabric
"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"
LCAS - timeslots.db
# This file contains the time slots for which the fabric
# is available for Grid jobs
# Format:
# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2
# max range: [0-59] [0-23] [1-31] [1-12] [1970-...] [0-6]
#
# wday:
# 0-6 = Sunday-Saturday
# 5-3 = Friday-Wednesday
#
# '*' means the maximum range
# <val>- means from <val> to maximum value
#
# The wall clock time should match at least one time slot for authorization
# The wall clock time matches if:
# (hour1:minute1) <= (hour:minute) <= (hour2:minute2)
# AND (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)
# AND (wday1) <= (wday) <= (wday2)
#
# If the fabric is open on working days from 8:30-18:00 h, from 1 July 2002 till 15 January 2003
# the following line should be added:
# 30-0 8-18 1-15 7-1 2002-2003 1-5
# If the fabric is open from 18:00-7:00 h, two time slots should be used:
# 18:00-24:00 and 0:00-7:00
#
# 0-0 18-24 * * * *
# 0-0 0-7 * * * *
# If the fabric is always open the following line should be uncommented:
# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2
* * * * * *
0-0 23-24 * * * *
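A matcher for the timeslots.db rules described in the file header, added here as an illustration (it is not the LCAS timeslots plug-in); the wrap-around weekday range is our reading of the "5-3 = Friday-Wednesday" comment, and the sample slot is constructed from the header's working-days example.

```python
"""Matcher for the LCAS timeslots.db format described in the file header above.
Added example, not the EDG LCAS timeslots plug-in. Wrapped weekday ranges
("5-3 = Friday-Wednesday") are our reading of the header."""
from datetime import datetime

# maximum range per field: minute hour mday month year wday (0 = Sunday)
MAX_RANGE = [(0, 59), (0, 23), (1, 31), (1, 12), (1970, 9999), (0, 6)]

def parse_field(tok, idx):
    lo, hi = MAX_RANGE[idx]
    if tok == "*":                          # '*' means the maximum range
        return lo, hi
    a, _, b = tok.partition("-")
    return int(a), (int(b) if b else hi)    # "<val>-" means <val> to maximum

def parse_timeslots(text):
    slots = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        toks = line.split()
        if len(toks) != 6:
            raise ValueError("bad timeslot line: %r" % line)
        slots.append([parse_field(t, i) for i, t in enumerate(toks)])
    return slots

def slot_matches(slot, t):
    (mi1, mi2), (h1, h2), (d1, d2), (mo1, mo2), (y1, y2), (w1, w2) = slot
    # (hour1:minute1) <= (hour:minute) <= (hour2:minute2), compared as tuples,
    # so "30-0 8-18" means 08:30-18:00 and "0-0 18-24" runs up to midnight
    if not (h1, mi1) <= (t.hour, t.minute) <= (h2, mi2):
        return False
    # (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)
    if not (y1, mo1, d1) <= (t.year, t.month, t.day) <= (y2, mo2, d2):
        return False
    wday = (t.weekday() + 1) % 7            # file: 0 = Sunday; Python: 0 = Monday
    if w1 <= w2:
        return w1 <= wday <= w2
    return wday >= w1 or wday <= w2         # wrapped range, e.g. 5-3 = Fri..Wed

def authorized(text, year, month, day, hour, minute):
    """True if the wall-clock time matches at least one time slot in `text`."""
    t = datetime(year, month, day, hour, minute)
    return any(slot_matches(s, t) for s in parse_timeslots(text))

# constructed sample: the header's working-days example as the only active slot
SAMPLE = ("# working days 8:30-18:00 h, 1 July 2002 till 15 January 2003\n"
          "30-0 8-18 1-15 7-1 2002-2003 1-5\n")
```

Note that the date and weekday fields are checked independently, so a slot can admit a weekday only inside the stated calendar window.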
LCAS - lcas.gacl
<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry>
    <person>
      <dn>/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen</dn>
    </person>
    <allow><read/><write/></allow>
    <deny><admin/></deny>
  </entry>
  <entry>
    <voms-cred>
      <vo>iteam</vo>
      <group>/iteam</group>
    </voms-cred>
    <allow><read/><write/></allow>
    <deny><list/><admin/></deny>
  </entry>
</gacl>
LCMAPS
Local Credential MAPping Service
Backward compatible with existing systems (grid-mapfile, AFS)
Provides local credentials needed for jobs in the fabric
Mapping based on user identity, VO affiliation, site-local policy
Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5
Pool accounts, pool groups
Support for multiple VOs per user (and thus multiple UNIX groups)
Plug-in framework driven by a comprehensive policy language: PDL
Extendible: credential acquisition and enforcement plug-ins
Boundary conditions:
  Has to run in privileged mode
  Has to run in the process space of the incoming connection (for fork jobs)
LCMAPS – control flow
User authenticates using (VOMS) proxy
LCMAPS library invoked:
  Acquire all relevant credentials
  Enforce “external” credentials
  Enforce credentials on the current process tree at the end
Run job manager:
  Fork will be OK by default
  Batch systems may need primary group explicitly
  Batch systems will need updated (distributed) UNIX account info
Order and function: policy-based
(Diagram: GK → LCMAPS Credential Acquisition & Enforcement → CREDs → Job Mngr)
LCMAPS – invocation and running
(Sequence diagram: GK → LCMAPS → Plugin Mngr / Evaluation Mngr → any Plug-in)
Initialize (from GK): local init; load policy; load all, initialize all, introspect for API
Run (from GK): evaluate policy; run plugin and report
Terminate (from GK): terminations
LCMAPS - modules
Modules represent atomic functionality
VOMS acquisition modules:
  VOMS extract: extract VOMS info from proxy
  VOMS local group: from VOMS attributes assign GID
  VOMS pool group: from VOMS attributes assign GID from pool
  VOMS pool account: from VOMS attributes, DN and GIDs assign UID from pool
Standard acquisition modules:
  Local account: from user DN assign local UID
  Pool account: from user DN assign UID from pool
Enforcement modules:
  POSIX enforcement: setreuid(), setregid() and setgroups() in gatekeeper process
  LDAP enforcement: update distributed user database
In progress: get AFS/Krb5 token based on user DN (gssklog)
LCMAPS – Policy Description Language
# LCMAPS policy file/plugin definition
#
# default path
path = /opt/edg/lib/lcmaps/modules

# Plugin definitions:
localaccount = "lcmaps_localaccount.mod" "-gridmapfile [...]"
posix_enf = "lcmaps_posix_enf.mod"
vomsextract = "lcmaps_voms.mod" "-vomsdir [...]" "-certdir [...]"
vomslocalgroup = "lcmaps_voms_localgroup.mod" "-groupmapfile [...]" "-mapmin 1"
vomspoolgroup = "lcmaps_voms_poolgroup.mod" "-groupmapfile [...]" "-groupmapdir [...]"
vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile [...]" "-gridmapdir [...]"
ldap_enf = "lcmaps_ldap_enf.mod" "[...]"

# Policies:
vomspolicy:
localaccount -> posix_enf | vomsextract
vomsextract -> vomslocalgroup
vomslocalgroup -> vomspoolgroup
vomspoolgroup -> vomspoolaccount | vomspoolaccount
vomspoolaccount -> ldap_enf
ldap_enf -> posix_enf

State machine approach (start here: Local Account): Local Account, TRUE → POSIX Enforcement, FALSE → VOMS extract → VOMS Local Group → VOMS Pool Group → VOMS Pool Account → LDAP Enforcement → POSIX Enforcement
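An evaluator for the policy section of the file above, added here as an illustration (it is not the LCMAPS evaluation manager); it assumes evaluation starts at the left-hand module of the first rule and that a module without a rule ends the chain, and stubs the plug-in outcomes.

```python
"""Evaluator for the LCMAPS policy description language on this slide.
Added example, not the EDG LCMAPS evaluation manager. Rule syntax:
    module -> on_success | on_failure    (the failure branch is optional)
Our reading of the state machine: start at the first rule's left-hand module;
a module without a rule ends the chain and its result decides."""
import re

RULE_RE = re.compile(r"^(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?$")

def parse_policy(text, name):
    """Return ({module: (on_true, on_false)}, start_module) for policy `name`."""
    rules, start, inside = {}, None, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):              # "vomspolicy:" opens a policy block
            inside = line[:-1] == name
            continue
        m = RULE_RE.match(line)             # plug-in definition lines do not match
        if inside and m:
            mod, on_true, on_false = m.groups()
            rules[mod] = (on_true, on_false)
            start = start or mod
    return rules, start

def evaluate(rules, start, run_module):
    """Walk the chain; run_module(name) -> bool stubs the plug-in outcome."""
    visited, mod = [], start
    while True:
        ok = run_module(mod)
        visited.append(mod)
        if mod not in rules:                # terminal module: its result decides
            return ok, visited
        mod = rules[mod][0] if ok else rules[mod][1]
        if mod is None:                     # failure without a failure branch
            return False, visited
        if len(visited) > len(rules):       # a non-terminal repeated: cycle
            raise RuntimeError("policy loops")

POLICY = """vomspolicy:
localaccount -> posix_enf | vomsextract
vomsextract -> vomslocalgroup
vomslocalgroup -> vomspoolgroup
vomspoolgroup -> vomspoolaccount | vomspoolaccount
vomspoolaccount -> ldap_enf
ldap_enf -> posix_enf
"""

def run_vomspolicy(failing):
    """Evaluate POLICY with every plug-in named in `failing` stubbed to fail."""
    rules, start = parse_policy(POLICY, "vomspolicy")
    return evaluate(rules, start, lambda m: m not in failing)
```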
LCMAPS – VOMS groupmapfile
# Example groupmapfile:
# Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"
# will be added to the local group "fredje"
"/VO=fred/GROUP=fred/ROLE=husband" fredje
# All users from VO wilma will be added to the allocated pool group "pool[1-9]*"
#"/VO=wilma/GROUP=*" .pool
# For the ITeam VO:
"/VO=iteam/GROUP=/iteam*" iteam
# For the wpsix VO:
"/VO=WP6/GROUP=/WP6*" wpsix
LCMAPS – LDAP and AFS
LDAP enforcement plug-in
  Updates a central LDAP user directory
  Secure (as opposed to NIS)
  More flexible
AFS plug-in
  Gives local AFS access
  Uses gssklog to obtain AFS token
  Requires gssklog daemon to run on the AFS server
  Mapping DN to AFS user maintained in gssklog mapfile
Job Repository – Intro.
What? The Job Repository is a relational database
The data consist of user info with X509 certs, job info, VOMS info, credential info and the links between these types of info for every job
Why? Central repository, logging, accounting, auditing
Where? CE – plug-in for LCMAPS
CE – various scripts controlled by the Job Manager
The database has to be installed close to (or on) the CE.
Job Repository
How? ODBC layer
Currently a MySQL backend
Multiple programs/scripts gathering information
Who? Sys-admins (only)
A new tool for LCG needs to get the local GIDs from the VOMS info
Job Repository – The DB Layout
(DB layout diagram) Tables: Users; User certificates; Jobs*; Job Status*; Credentials (UID/GIDs); VOMS; VOMS Issuer; Issuer Certificates
* Update needed outside the LCMAPS plug-in to get all info.
Status
LCAS and LCMAPS Incorporated in EDG 2.1
Deployed on application testbed since last week
AFS plug-in almost completed
Job Repository LCMAPS plug-in nearing completion
Small changes needed to LCMAPS code for VOMS-to-GID tool
Documentation: http://www.dutchgrid.nl/DataGrid/wp4/lcas/edg-lcas-1.1/
http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps-0.0.16
Future developments
LCAS, LCMAPS (and the JobRep?) will be part of EGEE
gridFTP will be patched to use LCAS and LCMAPS
LCAS will evolve into an authorization service and take on the use of XACML to express VO access control
DAGGR (?): Authorization Decision Service
LCAS and LCMAPS will also interface to the AuthZ call-outs in GT3