lcas and lcmaps

NIKHEF grid meeting 1 December 2003

LCAS and LCMAPS

David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp

NIKHEF Grid meeting – LCAS and LCMAPS – n° 2

Talk Outline

Introduction on AuthN & AuthZ in EDG Why do we need VOMS, LCAS, LCMAPS … ?

Gridification architecture

LCAS Architecture, plug-ins, examples

LCMAPS Architecture, plug-ins Policy languange (PDL) examples

Job Repository

Status and Future Developments


AuthN & AuthZ in EDG (1)

GLOBUS Authentication: Grid Security Infrastructure (GSI)

X509 certificates (PKI), Certificate Authorities Mutual authentication Single sign-on, proxy delegation

Authorization: grid-mapfile Grid credentials (user’s Certificate) to local credentials (unix account) mapping “Boolean” authorization Information provided via VO-LDAP servers (EDG) Managed “manually” by the resource admin (via mkgridmap, EDG)

Problems No centralization No scalability Lack of flexibility

Problems addressed by VOMS, LCAS/LCMAPS


AuthN & AuthZ in EDG (2)

VOMS (VO Membership Service) authorization at VO level

Each VO has its own VOMS

VO affiliation assertions embedded in proxy

Support for group membership, roles, capabilities

A user can be member of many VOs

LCAS/LCMAPS Separated pure authZ (LCAS) from user

account mapping (LCMAPS)

Flexible/dynamic assignment of local credentials

Resource manager remains in full control

Query

Authentication

Request

AuthDB

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

VOMSpseudo

-cert

VOMSpseudo-cert


WP4 Gridification components

JobmanagerJobmanager

Resource Broker(WP1)

Resource Broker

(WP1)

LCAS

allow listallow list

wallclocktimewallclocktime

ban listban list

VOMS/GACLVOMS/GACL

-

LCMAPS

Policy

WP4 non-gridificationWP4 non-gridification

Gridification component Gridification component

Non -WP4 subsystemNon -WP4 subsystem

uid/giduid/gid

other tokensother tokens

SESE

RMSRMS

External to fabric

Internal to fabric

StorageElement (WP5)

(Configuration Mgmt)

JobRepository

Enforce credentials

Enforce credentials

-

(EDG-)Gatekeeper(EDG-)Gatekeeper

CE

Worker node

Worker node

farms

plugins

plugins

Resource request in RSLin VOMS-signed established

Security context


AuthN, AuthZ control flow in GK

GatekeeperLCAS

allowed

timeslot

banned

policy

C=IT/O=INFN /L=CNAF/CN=Pinco Palla/CN=proxy

VOMSpseudo

-cert

Job Managerfork+exec args, submit script

LCMAPS open, learn,&run:

… and return legacy uid

LCMAPS open, learn,&run:

… and return legacy uid

LCAS authZ call out

GSI AuthN

accept

GSI auth

assist_gridmap

Jobmanager-*

Ye Olde Gatekeeper


LCAS

Local Centre Authorization Service (LCAS)

Handles authorization requests to local fabric Authorization decisions based on proxy user certificate and job specification (RSL)

Supports grid-mapfile mechanism and/or GACL

Plug-in framework (hooks for external authorization plug-ins) Allowed users (grid-mapfile or allowed_users.db)

Banned users (ban_users.db)

Available timeslots (timeslots.db)

Plug-in for VOMS (to process Authorization data) Uses VOMS API authZ policy in GACL format (or grid-mapfile) Convenience tool to convert grid-mapfile into GACL format: edg-lcas-voms2gacl


LCAS - ban_user.db

# This file contains the globus user ids that are BANNED from this fabric"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"


LCAS - timeslots.db

# This file contains the time slots for which the fabric# is available for Grid jobs# Format:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2# max range: [0-59] [0-23] [1-31] [1-12] [1970-...] [0-6]## wday:# 0-6 = Sunday-Saturday# 5-3 = Friday-Wednesday## '*' means the maximum range# <val>- means from <val> to maximum value## The wall clock time should match at least one time slot for authorization# The wall clock time matches if:# (hour1:minute1) <= (hour:minute) <= (hour2:minute2) # AND (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)# AND (wday1) <= (wday) <= (wday2)## If the fabric is open on working days from 8:30-18:00 h, from 1 July 2002 till 15 January 2003# the following line should be added:# 30-0 8-18 1-15 7-1 2002-2003 1-5# If the fabric is open from 18:00-7:00 h, two time slots should be used:# 18:00-24:00 and 0:00-7:00# # 0-0 18-24 * * * *# 0-0 0-7 * * * *# If the fabric is always open the following line should be uncommented:# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2* * * * * *0-0 23-24 * * * *


LCAS - lcas.gacl

<?xml version="1.0"?><gacl version="0.0.1"><entry><person><dn>/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen</dn></person><allow><read/><write/></allow><deny><admin/></deny></entry>

<entry><voms-cred><vo>iteam</vo><group>/iteam</group></voms-cred><allow><read/><write/></allow><deny><list/><admin/></deny></entry></gacl>


LCMAPS

Local Credential MAPping Service

Backward compatible with existing systems (grid-mapfile, AFS)

Provides local credentials needed for jobs in fabric Mapping based on user identity, VO affiliation, site-local policy Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5 Pool accounts, Pool groups

Support for multiple VOs per user (and thus multiple UNIX groups)

Plug-in framework driven by comprehensive policy language: PDL Extendible Credential acquisition and enforcement plug-ins

Boundary conditions Has to run in privileged mode Has to run in process space of incoming connection (for fork jobs)


LCMAPS – control flow

User authenticates using (VOMS) proxy

LCMAPS library invoked Acquire all relevant credentials

Enforce “external” credentials

Enforce credentials on current process tree at the end

Run job manager Fork will be OK by default

Batch systems may need primary group explicitly

Batch systems will need updated (distributed) UNIX account info

Order and function: policy-based

CREDs

LCMAPSCredential Acquisition

& Enforcement

Job Mngr

GK


LCMAPS – invocation and running

LCMAPS Plugin Mngr Evaluation Mngr any Plug-in

Local init

Load policy

Load allInitialize allIntrospect for API

terminations

from GK

Evaluate policy

Run plugin and report

Initialize

Run

Terminate


LCMAPS - modules

Modules represent atomic functionality

VOMS acquisition modules: Voms extract: extract VOMS info from proxy Voms local group: from VOMS attributes assign GID Voms pool group: from VOMS attributes assign GID from pool Voms pool account: from VOMS attributes, DN and GIDs assign UID from pool

Standard acquisition modules: Local account: from user DN assign local UID pool account: from user DN assign UID from pool

Enforcement modules POSIX enforcement: setreuid(), setregid() and setgroups() in gatekeeper process LDAP enforcement: update distributed user database

In progress Get AFS/Krb5 token based on user DN (gssklog)


LCMAPS – Policy Description Language# LCMAPS policy file/plugin definition

## default pathpath = /opt/edg/lib/lcmaps/modules

# Plugin definitions:localaccount = "lcmaps_localaccount.mod" "-gridmapfile [...]"posix_enf = "lcmaps_posix_enf.mod"vomsextract = "lcmaps_voms.mod" "-vomsdir [...]" "-certdir [...]"vomslocalgroup = "lcmaps_voms_localgroup.mod" "-groupmapfile "[...]" "-mapmin 1"vomspoolgroup = "lcmaps_voms_poolgroup.mod" "-groupmapfile [...]" "-groupmapdir [...]"vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile [...]" "-gridmapdir [...]"ldap_enf = "lcmaps_ldap_enf.mod" "[...]"

# Policies:vomspolicy:localaccount -> posix_enf | vomsextractvomsextract -> vomslocalgroupvomslocalgroup -> vomspoolgroupvomspoolgroup -> vomspoolaccount | vomspoolaccountvomspoolaccount -> ldap_enfldap_enf -> posix_enf

VOMS extract

Local Account

POSIX Enforcement

VOMS Local Group

VOMS Pool Group

LDAP Enforcement

FALSE

TRUE

State machine approach:

Start here

VOMS Pool Account


LCMAPS – VOMS groupmapfile

# Example groupmapfile:

# Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"# will be added to the local group "fredje""/VO=fred/GROUP=fred/ROLE=husband" fredje

# All users from VO wilma will be added to the allocated pool group "pool[1-9]*"#"/VO=wilma/GROUP=*" .pool

# For the ITeam VO:"/VO=iteam/GROUP=/iteam*" iteam

# For the wpsix VO:"/VO=WP6/GROUP=/WP6*" wpsix


LCMAPS – LDAP and AFS

LDAP enforcement plug-in Updates a central LDAP user directory

Secure (as opposed to NIS)

more flexible

AFS plug-in Gives local AFS access

Uses gssklog to obtain AFS token

Requires gssklog daemon to run on the AFS server

Mapping DN to AFS user maintained in gssklog mapfile


Job Repository – Intro.

What? JB is a Relational Database

The data consist of useruser info. with X509 X509 certs, JobJob info., VOMSVOMS info., CredentialCredential info. and the linkslinks between these types of info. for every Job

Why? Central repository, Logging, Accounting, Auditing

Where? CE – Plug-in for LCMAPS

CE - Various scripts controlled by the Job Manager

The database has to be installed close to (or on) the CE.


Job Repository

How? ODBC layer

Currently a MySQL backend

Multiple programs/scripts gathering information

Who? Sys-admins (only)

A new tool for LCG needs to get the local GIDs from the VOMS info


Job Repository – The DB Layout

UsersUser certificates

Jobs*

Job Status*

Credentials (UID/GIDs)

VOMS

VOMS Issuer

Issuer Certificates

* Update needed outside the LCMAPS Plugin To get all info.


Status

LCAS and LCMAPS Incorporated in EDG 2.1

Deployed on application testbed since last week

AFS plug-in almost completed

Job Repository LCMAPS plug-in nearing completion

Small changes needed to LCMAPS code for VOMS-to-GID tool

Documentation: http://www.dutchgrid.nl/DataGrid/wp4/lcas/edg-lcas-1.1/

http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps-0.0.16


Future developments

LCAS, LCMAPS (and the JobRep?) will be part of EGEE

gridFTP will be patched to use LCAS and LCMAPS

LCAS will evolve into an authorization service and take on the use of XACML to express VO access control

DAGGR (?): Authorization Decision Service

LCAS and LCMAPS will also interface to the AuthZ call-outs in GT3

lcas and lcmaps

Documents