INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
LCAS/LCMAPS and WSS Site Access Control boundary conditions
David Groep et al.
NIKHEF
Site Access Control LCAS/LCMAPS and Unix-domain limitations, September 12, 2005 2
Outline
• Local authorization
• Local authorization decisions
• Integrating with the Unix domain
• Managing the work space
Authorization context
[Figure: authorization policy architecture (graphics from Globus Alliance & GGF OGSA-WG). A User, and a process acting on the user's behalf, present a PKI/Kerberos identity (key material); a translation service turns the PKI identity into a local site Kerberos identity under a delegation policy. VO user attributes (group of unique names, organizational role) and site resource attributes, each with their own policy, feed the Authorization Service/PDP; the Policy Enforcement Point returns Allow or Deny for the Resource. Stakeholders: the VO, the site/resource owner, and others; "Standardize" marks the delegation interface.]
• Policy comes from many stakeholders
Local Authorization
• EGEE Architecture
– Policy providers orchestrated by a master PDP (not shown)
– Authorization Framework (Java) and Local Centre Authorization Service LCAS (C/C++ world)
– both provide a set of PDP implementations (should be the same set, or a callout from one to the other)
– PDPs foreseen: user white/blacklist, VOMS-ACL, proxy-lifetime constraints, certificate/proxy policy OID checks, peer-system name validation (compare with subject or subjectAlternativeNames)
Local Authorization Today
• Current Implementation
– Only a limited set of PDPs: ban/allow and VOMS-ACL
– Authorization interface is proprietary (at least for C/C++); change foreseen soon to a 'v2' standard interface
– Policy Enforcement Point (PEP) is part of the (container) runtime, i.e. all evaluation is in-line; source modifications needed to legacy (C-based) services (GT gatekeeper, GridFTP server); AuthZ framework for Java as loadable classes
– No separate authorization service (no site-central checking)
– Policy format is not XACML everywhere (i.e. GACL)
Black List Services
• BL-PDPs return Deny or Not-Applicable
– Master-PDP treats "Permit" from a black-list service as Not-Applicable
• Only interested whether the black-list services deny access to the subject
– They are not to be used for rendering general-purpose policy decisions
• Query the configured black-list services before the general-purpose PDPs
– Pushing of black-list assertions or EPRs by the requester is not allowed
• "Deny-Override" rules for the black-list services
• ...pragmatic way to address deny-requirements...
– note that you are still allowed to shoot yourself in the foot with deny-policies "behind" the PDP interface...
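The combining rules above, as an added example (not code from the slides, LCAS or the EGEE authorization framework): a master PDP that asks only the configured black-list PDPs first with deny-override, demotes any Permit they return to Not-Applicable, ignores black-list assertions pushed in the request, and only then consults the general-purpose PDPs. The request dict layout, the PDP names, the sample ban list and ACL, and the Deny-by-default combining of the general-purpose PDPs are assumptions made for this illustration.

```python
"""Added example, not from the slides or LCAS: master PDP with black-list
deny-override. Request layout, PDP names, sample policies and the
deny-by-default rule for the general-purpose PDPs are assumptions."""
from enum import Enum
from typing import Callable, Iterable


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"


PDP = Callable[[dict], Decision]


def banned_subject_pdp(banned: frozenset) -> PDP:
    """Black-list PDP: Deny when the subject DN is banned, else Not-Applicable.
    It never votes Permit; absence from a ban list is not a reason to admit."""
    def pdp(request: dict) -> Decision:
        if request["subject"] in banned:
            return Decision.DENY
        return Decision.NOT_APPLICABLE
    return pdp


def voms_acl_pdp(acl: frozenset) -> PDP:
    """General-purpose PDP: Permit when any presented FQAN is on the site ACL."""
    def pdp(request: dict) -> Decision:
        if set(request.get("fqans", ())) & acl:
            return Decision.PERMIT
        return Decision.NOT_APPLICABLE
    return pdp


def master_pdp(blacklists: Iterable[PDP], general: Iterable[PDP], request: dict) -> Decision:
    """Only the *configured* black-list services are consulted; anything the
    requester pushes (assertions, EPRs) is left in the request and never read,
    so a client cannot substitute its own empty ban list."""
    for pdp in blacklists:
        # Deny-override: the first black-list Deny ends the evaluation.
        # A Permit from a black-list service is a misbehaving plugin; by
        # checking for DENY only, it is demoted to Not-Applicable.
        if pdp(request) is Decision.DENY:
            return Decision.DENY
    permitted = False
    for pdp in general:
        decision = pdp(request)
        if decision is Decision.DENY:
            return Decision.DENY
        permitted = permitted or decision is Decision.PERMIT
    # Nobody vouched for the subject: Deny (assumed default, not the EGEE rule).
    return Decision.PERMIT if permitted else Decision.DENY


# Constructed sample policy (DNs and FQANs invented for the example).
BANNED = frozenset({"/O=example/CN=Banned Example"})
SITE_ACL = frozenset({"/EGEE/picard", "/Wilma/Role=prod"})
BLACKLISTS = [banned_subject_pdp(BANNED)]
GENERAL = [voms_acl_pdp(SITE_ACL)]


def decide(subject: str, fqans: list, pushed_blacklist=None) -> str:
    """Evaluate one request; pushed_blacklist models a client supplying its
    own black-list assertion, which the master PDP deliberately ignores."""
    request = {"subject": subject, "fqans": fqans}
    if pushed_blacklist is not None:
        request["pushed_blacklist_assertions"] = pushed_blacklist  # never consulted
    return master_pdp(BLACKLISTS, GENERAL, request).value


if __name__ == "__main__":
    print(decide("/O=example/CN=Banned Example", ["/EGEE/picard"]))   # Deny
    print(decide("/O=example/CN=Jane Doe", ["/EGEE/picard"]))         # Permit
    print(decide("/O=example/CN=Jane Doe", ["/EGEE/riker/grp1"]))     # Deny
```

The "shoot yourself in the foot" caveat from the slide is the part this cannot fix: a general-purpose PDP that internally decides Permit before looking at its own ban rules is invisible to the master PDP, which only sees the final Decision.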
What’s within reach?
• Some additional PDPs
– Policy OID checking
– Proxy certificate lifetime constraints
– Limit to specific executable programs
– ...
• Standard white list, blacklist service for all services
• Better integration between Java and C worlds & the upcoming standards
LCMAPS
Once authorisation has been obtained
• acquire local (Unix) credentials to run legacy jobs
• enforce those credentials on
– the job being run, or
– the FTP session started
• LCMAPS is the back-end service used by
– GT2-style edg-gatekeeper (LCG2)
– edg-GridFTP (LCG2)
– glexec/grid-sudo wrapper
– WorkSpace Service
LCMAPS – control flow
• User authenticates using (VOMS) proxy
• ... do local authorization ...
• LCMAPS invoked
– Acquire all relevant credentials
– Enforce "external" credentials
– Enforce credentials on current process tree at the end
– Order and function policy-based
• Run task (e.g. job manager)
[Figure: Service calls LCMAPS (credential acquisition & enforcement), which produces the CREDs that the Task runs under.]
LCMAPS – functionality view
• Unix mapping based on VOMS groups, roles, and capabilities
• Possibly pool groups as well as pool accounts
• Granularity set by the site administrator (see example following)
• Primary group set to first VOMS group – accounting
• More than one VO/group per grid user allowed [but...]
• Each VOMS unique FQAN listed translates into 1 Unix group id
• Each user-FQAN combination translates into 1 Unix user id
• New mechanisms could mitigate issues:
– groups-on-demand, support granularity at any level
– Central user directory support (nss_LDAP, pam-ldap)
Not ready – and priorities have not been assigned to this yet.
VOMS to Unix domain mapping
# groupmapfile (example)
# a group name starting with '.' is a pool-group prefix
"/EGEE/picard/*"             iteam
"/EGEE/picard/Role=Manager"  iteamsgm
"/Wilma/Role=prod"           wilmgr
"/Wilma/*"                   .wilma
"/EGEE/riker/grp1"           rikerhg
"/EGEE/riker/grp2"           rikermed
"/EGEE/riker/grp3"           rikerlow
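The mapping rules of the functionality view (one Unix gid per listed FQAN, primary group from the first FQAN for accounting, pool groups) applied to the groupmapfile above, as an added example that is not LCMAPS code. Assumptions made here and not taken from the slides: the most specific matching line wins (exact before wildcard, longer wildcard before shorter), so line order does not matter; a pattern ending in `/*` matches the group itself and everything below it; a `.prefix` group is leased per FQAN from an in-memory pool standing in for LCMAPS's lease directory; unmatched FQANs are skipped unless the first one is unmatched; gid lookup via the system group database is left out. The `enforce_unix_credentials` helper shows the order in which a real enforcement step must apply the result.

```python
"""Added example (not LCMAPS code): groupmapfile parsing and FQAN -> Unix group
mapping as described on the slides. Assumptions, not taken from the page:
exact patterns beat wildcards and longer wildcards beat shorter ones; a pattern
ending in '/*' matches the group itself and everything below it; a '.prefix'
group is a pool-group prefix leased from an in-memory table (LCMAPS keeps such
leases on disk); unmatched FQANs are skipped unless the first one is unmatched."""
import fnmatch
import os
import shlex

GROUPMAPFILE = """\
# constructed copy of the slide's example
"/EGEE/picard/*"             iteam
"/EGEE/picard/Role=Manager"  iteamsgm
"/Wilma/Role=prod"           wilmgr
"/Wilma/*"                   .wilma
"/EGEE/riker/grp1"           rikerhg
"/EGEE/riker/grp2"           rikermed
"/EGEE/riker/grp3"           rikerlow
"""


def parse_groupmapfile(text: str) -> list:
    """(fqan_pattern, group) pairs in file order; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"groupmapfile line {lineno}: expected '<fqan-pattern> <group>'")
        entries.append((parts[0], parts[1]))
    return entries


def normalize(fqan: str) -> str:
    """Drop the Role=NULL/Capability=NULL suffix VOMS appends to plain group FQANs."""
    keep = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(keep)


def _matches(pattern: str, fqan: str) -> bool:
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return fqan == prefix or fqan.startswith(prefix + "/")
    return fnmatch.fnmatchcase(fqan, pattern)


def map_fqan(entries: list, fqan: str):
    """Most specific matching entry wins (assumed rule); None if nothing matches."""
    fqan, best = normalize(fqan), None
    for pattern, group in entries:
        if _matches(pattern, fqan):
            rank = ("*" not in pattern, len(pattern))
            if best is None or rank > best[0]:
                best = (rank, group)
    return None if best is None else best[1]


class PoolGroups:
    """One concrete group per FQAN from a '.prefix' pool; in-memory stand-in for a lease dir."""
    def __init__(self, size: int = 3):
        self.size, self.leases = size, {}  # leases: (prefix, fqan) -> group

    def lease(self, prefix: str, fqan: str) -> str:
        if (prefix, fqan) not in self.leases:
            used = {g for (p, _), g in self.leases.items() if p == prefix}
            free = [f"{prefix}{n:03d}" for n in range(1, self.size + 1)
                    if f"{prefix}{n:03d}" not in used]
            if not free:  # fail closed: never fall back to a shared or default group
                raise RuntimeError(f"pool group {prefix} exhausted")
            self.leases[(prefix, fqan)] = free[0]
        return self.leases[(prefix, fqan)]


def unix_groups(entries: list, fqans: list, pool: PoolGroups):
    """(primary_group, secondary_groups): the first FQAN's group is primary (accounting)."""
    groups = []
    for fqan in fqans:
        group = map_fqan(entries, fqan)
        if group is None:
            continue
        if group.startswith("."):
            group = pool.lease(group[1:], normalize(fqan))
        if group not in groups:
            groups.append(group)
    if not groups or map_fqan(entries, fqans[0]) is None:
        # refuse to silently demote an unmapped primary FQAN (assumed policy)
        raise PermissionError("primary FQAN has no mapping")
    return groups[0], groups[1:]


def enforce_unix_credentials(uid: int, gid: int, supplementary: list) -> None:
    """Apply the mapping to the current process, as root: supplementary groups,
    then gid, then uid last (setuid gives up the right to do the other two),
    and check that root cannot be regained (mapping to uid 0 is itself an error)."""
    os.setgroups(supplementary)
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")
```

Two design choices worth noting: a pool that runs out raises rather than reusing a group, because reusing would let two FQANs share accounting and file permissions; and the primary group is taken from the first FQAN only, so a user whose first FQAN is unmapped is rejected instead of being accounted under a secondary group.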
Work Space Service
On the road towards virtualized resources: Work Space Service
• Managed accounts
– enable life cycle management
– controlled account management (VO can request/release)
– "special" QoS requests
• Use to request credentials (groups) with specific prios?
• WS-RF style GT4 service
– uses LCMAPS as a back-end
http://www.mcs.anl.gov/workspace/
LCMAPS usage in the job chain
Summary
• Control over running jobs is via site mechanisms
• Authorization to (Java) services part of container
– Fine-grained control is left as a service-specific issue
– Standard hooks for this are about to appear
• Mapping of credentials required for legacy programs
– limited to Unix domain account mechanisms
– Needs to remain manageable for site administrators
– Scheduling/priorities based on Unix user and group names
– Accounting based on uid, gid pairs
– Unix domain is not very flexible. Sorry.
• Virtualisation is coming, but how far down the road?
EDG Gatekeeper (current)
[Figure: "Ye Olde Gatekeeper" call chain. The client opens a GSS context and sends the RSL; the gatekeeper performs TLS auth and GSI AuthN, then accepts the connection. The LCAS authZ call-out evaluates the GACL, timeslot and banned-user policy against the proxy subject (example DN: C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) and the VOMS pseudo-cert. LCMAPS is then opened, learns the mapping and runs it, returning the legacy uid in place of the assist_gridmap (grid-mapfile) lookup. Finally the Job Manager is fork+exec'ed with its args and submit script (jobmanager-*).]