Andrew McNab - Manchester HEP - 29/30 March 2001
gridmapdir patch
• Overview of the problem
• Constraints from local systems
• Outline of how it works
• How to implement it locally
• Longer term solutions?

Overview of the problem
• In Globus 1.1.3, grid identities (certificate subjects) are mapped to local Unix usernames via grid-mapfile.
• For testbeds, either have to create lots of local Unix accounts - lots of administrative overhead
• Or map everyone to a single user - great potential for conflicts over use of /home etc, problems with accountability

Dynamic accounts
• The obvious solution, but introduces many complications
• Account creation / management is intimately related to local policies, tools etc
• Need to respect local site autonomy and minimise the changes required by local sysadmins
• Instead of trying to produce a long term solution before M9, look at what will be sufficient for now

Use pool of accounts
• Sysadmin creates a pool of normal Unix accounts, with names like gpool001, gpool002, gpool003, …
• They can use their normal tools to do this, create quotas, Unix group(s) etc.
• Temporarily lease accounts when presented with a certificate whose subject is in our grid-mapfile
• Expire the lease “when they are finished” (defined locally)

Security and “auditability”
• Authentication: still have to provide a valid certificate, signed by a CA the local site trusts
• Authorisation: certificate subjects must still be listed in the local grid-mapfile to get access
• “Auditability”: mappings of subjects to local Unix usernames are logged already, so can still tell “who” a particular pool account was

Implementation of leasing
• Want to share files created by gatekeeper, sshd-gsi, gsiftpd "logins" - so want these to share the same database of leases
• Need some form of locking. Run a lease daemon? Simplest way is to use link(2) with some sort of flag files, and rely on the atomicity of the file system.
• (Should even work across NFS to synchronise leases between nodes of a cluster or farm)

gridmapdir format
• “Lease database” takes the form of a directory containing empty files, with the same names as the pool usernames
• A lease is created by making a second link to the username using the subject name (URL-encoded.)
• Checking return code of link(2) and link count from stat(2) will enforce one-to-one mapping of subjects and pool usernames
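Added example (not code from the slides or from the gridmapdir patch itself): a Python sketch of the leasing scheme just described, using os.link and os.stat as the link(2) and stat(2) calls, run against a constructed two-account pool in a temporary directory. The gpool prefix, the function names and the release step (what an expiry script would do) are assumptions.

```python
import os
import tempfile
import urllib.parse

def encode_subject(subject):
    # One filename per subject: URL-encode so "/" etc. cannot escape the directory.
    return urllib.parse.quote(subject, safe="")

def pool_for_inode(gridmapdir, inode, prefix):
    # A lease is a second hard link, so the subject file shares its inode with
    # exactly one pool file; scan the pool entries for it.
    for name in os.listdir(gridmapdir):
        if name.startswith(prefix) and os.stat(os.path.join(gridmapdir, name)).st_ino == inode:
            return name
    return None

def lease_pool_account(gridmapdir, subject, prefix="gpool"):
    """Return the pool username leased to subject, taking a free one if needed."""
    subject_path = os.path.join(gridmapdir, encode_subject(subject))
    if os.path.exists(subject_path):  # existing lease: reuse it
        return pool_for_inode(gridmapdir, os.stat(subject_path).st_ino, prefix)
    for name in sorted(n for n in os.listdir(gridmapdir) if n.startswith(prefix)):
        pool_path = os.path.join(gridmapdir, name)
        if os.stat(pool_path).st_nlink != 1:  # already leased to someone
            continue
        try:
            os.link(pool_path, subject_path)  # link(2): atomic, also over NFS
        except FileExistsError:  # another gatekeeper just leased this subject
            return lease_pool_account(gridmapdir, subject, prefix)
        # link(2) succeeding only proves the subject file was new; if the pool
        # file now has more than two links, a second subject won the same
        # account in the same window, so undo our link and try the next one.
        if os.stat(pool_path).st_nlink == 2:
            return name
        os.unlink(subject_path)
    return None  # pool exhausted

def release_lease(gridmapdir, subject):
    # Expiry (cron, PBS epilogue) just removes the subject link; the pool file is free again.
    os.unlink(os.path.join(gridmapdir, encode_subject(subject)))

def demo():
    d = tempfile.mkdtemp()  # constructed two-account pool (assumed layout)
    for name in ("gpool001", "gpool002"):
        open(os.path.join(d, name), "w").close()
    alice, bob, carol = ("/C=UK/O=eScience/CN=" + n for n in ("alice", "bob", "carol"))
    out = [lease_pool_account(d, s) for s in (alice, alice, bob, carol)]
    release_lease(d, alice)  # alice's job has finished
    out.append(lease_pool_account(d, carol))
    return out  # ['gpool001', 'gpool001', 'gpool002', None, 'gpool001']
```

Note that two processes can both back off from the same account when they collide; neither gets a wrong mapping, they simply move on to the next free entry.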

Patch to Globus 1.1.3
• All subject->username mapping done by functions in Security/gss-assist/gridmap.c
• Patch these to map subjects to pool users if their “username” in grid-mapfile is like “.” or “.subpool”
• Five new functions in gridmap.c implement leasing as described
• Subpools with privileges, quotas etc are possible: eg .cms will only be mapped to cms001, cms002, ...

Lease expiration
• To reuse pool accounts, lease must be terminated somehow - but mechanics very site dependent
• Probably easiest to run a script from cron to expire leases:
  • Either based on an expiration time (if you can guarantee the job will be finished by that time)
  • Or by job completion flagging the lease as not needed (eg via PBS prologue / epilogue scripts)

Advantages of this patch
• Minimum impact on local systems
• Minimum changes to Globus
• Changes are transparent to users and other sites
• Allows easy local choices about account characteristics and lease expiration

Limitations of the patch
• Sharing of lease “database” via filesystem and NFS is a hack!
• Termination of leases is messy
• Need to block submission of cron jobs etc from pool accounts (batch nodes should be doing this already though)

Making grid-mapfile
• Already proposals from INFN and UK about composing grid-mapfiles based on information published by LDAP.
• If this is done, then we have all the components needed to avoid manual intervention by all sysadmins every time a new user joins the Grid.

Future solutions (1)
• “Next Version of Globus” will have CAS framework - need to coexist with this
• “NVoG” will be able to get grid-mapfile info from LDAP
• Can already get Unix “passwd” info from LDAP on Linux and Solaris (via a PAM)
• Should we concentrate dynamic account creation or leasing on a “smart” local LDAP auth server?

Future solutions (2)
• An alternative method is to combine account creation / leasing with resource reservation
• This simplifies the enforcement of lease expiration, since presumably we already enforce process termination, file deletion at end of reservation
• But has more overhead and complexity than a smart LDAP server that just manages dynamic accounts

More information ...
• http://www.hep.grid.ac.uk/gridmapdir/ has a copy of the patch itself, more explanation and some example scripts for managing pool accounts
• The gridmapdir patch is included in development versions of Globus RPMs at http://www.hep.grid.ac.uk/download/development/

make-ca-signing-policy
• Simple script to rebuild ca-signing-policy.conf when CAs are installed or removed
• Looks for policy.*.conf files in $GLOBUS_INSTALL_PATH/share/certificates
• Concatenates a header and all the policy files it finds.

make-c-s-p: RPMs
• When used in a CA RPM, adding or removing a CA just becomes a single rpm command: eg rpm -i ukhepca-0.1-1.rpm
• RPM installs files, then reruns script
• At uninstall, files removed and script rerun
• Can deal with multiple CAs in the same RPM (or tar file.)

Demonstration: ukhepca
• Have ukhepca RPM which everyone who needs to trust UK HEP CA can install
• Separate ukhepca-request RPM which only UK sites install (includes files to generate requests for certs from this CA)
• http://www.hep.grid.ac.uk/make-c-s-p/ has explanation and all the sources necessary to make compatible RPM or tar files for other CAs

Summary
• Modular method for installing CA info now available
• Can easily co-exist with non EU Datagrid CAs
• Works with RPM or tar file installation
• Doesn’t do CRL fetching - use NIKHEF proposal? Should installation of a CA define how to fetch its CRL (perhaps by installing a script?)