
Andrew McNab - Manchester HEP - 29/30 March 2001

gridmapdir patch

• Overview of the problem

• Constraints from local systems

• Outline of how it works

• How to implement it locally

• Longer term solutions?


Overview of the problem

• In Globus 1.1.3, grid identities (certificate subjects) are mapped to local Unix usernames via grid-mapfile.

• For testbeds, either have to create lots of local Unix accounts - lots of administrative overhead

• Or map everyone to a single user - great potential for conflicts over use of /home etc, problems with accountability


Dynamic accounts

• The obvious solution, but introduces many complications

• Account creation / management is intimately related to local policies, tools etc

• Need to respect local site autonomy and minimise the changes required by local sysadmins

• Instead of trying to produce a long term solution before M9, look at what will be sufficient for now


Use pool of accounts

• Sysadmin creates a pool of normal Unix accounts, with names like gpool001, gpool002, gpool003, …

• They can use their normal tools to do this, create quotas, Unix group(s) etc.

• Temporarily lease accounts when presented with a certificate whose subject is in our grid-mapfile

• Expire the lease “when they are finished” (defined locally)


Security and “auditability”

• Authentication: still have to provide a valid certificate, signed by a CA the local site trusts

• Authorisation: certificate subjects must still be listed in the local grid-mapfile to get access

• “Auditability”: mappings of subjects to local Unix usernames are logged already, so can still tell “who” a particular pool account was


Implementation of leasing

• Want to share files created by gatekeeper, sshd-gsi, gsiftpd "logins" - so want these to share the same database of leases

• Need some form of locking. Run a lease daemon? Simplest way is to use link(2) with some sort of flag files, and rely on the atomicity of the file system.

• (Should even work across NFS to synchronise leases between nodes of a cluster or farm)


gridmapdir format

• “Lease database” takes the form of a directory containing empty files, with the same names as the pool usernames

• A lease is created by making a second link to the username using the subject name (URL-encoded.)

• Checking return code of link(2) and link count from stat(2) will enforce one-to-one mapping of subjects and pool usernames
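The leasing scheme of the last two slides (a second hard link to an empty per-account file, with link(2)'s return code and the link count from stat(2) enforcing the one-to-one mapping), as an added example in C. This is not the gridmapdir patch's own code from gridmap.c; the function names are hypothetical, the caller is assumed to have URL-encoded the subject already, pool entries are assumed to be the only names in the directory starting with the pool prefix, and the self-check builds a constructed two-account pool under /tmp.

```c
#define _XOPEN_SOURCE 700               /* for mkdtemp(3) */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Lease a pool account (an empty file named prefixNNN in dir) to a URL-encoded subject by
   adding a second hard link named after the subject. Returns 0 and fills user, else -1. */
int gridmapdir_lease(const char *dir, const char *prefix, const char *subject,
                     char *user, size_t userlen) {
    char subj[1024], pool[1024]; struct stat ss, ps; struct dirent *e; DIR *d;
    snprintf(subj, sizeof subj, "%s/%s", dir, subject);
    int have = (stat(subj, &ss) == 0);          /* does this subject already hold a lease? */
    if (!(d = opendir(dir))) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strncmp(e->d_name, prefix, strlen(prefix)) != 0) continue;   /* not a pool entry */
        snprintf(pool, sizeof pool, "%s/%s", dir, e->d_name);
        if (stat(pool, &ps) != 0) continue;
        if (have) {                              /* existing lease: the pool file on the same inode */
            if (ps.st_ino != ss.st_ino) continue;
        } else {
            if (ps.st_nlink != 1) continue;     /* already leased to another subject */
            if (link(pool, subj) != 0) break;   /* e.g. EEXIST: a concurrent login of this subject */
            /* link(2) is atomic, so a link count of exactly 2 proves this subject alone holds
               the account; anything else means another login raced us: back off and retry. */
            if (stat(pool, &ps) != 0 || ps.st_nlink != 2) { unlink(subj); continue; }
        }
        snprintf(user, userlen, "%s", e->d_name);
        closedir(d); return 0;
    }
    closedir(d); return -1;
}

/* Self-check on a constructed two-account pool in a temporary directory; returns checks passed (4). */
int gridmapdir_demo(void) {
    char dir[] = "/tmp/gridmapdirXXXXXX", path[1024], a[64], b[64];
    const char *alice = "%2FO%3DGrid%2FCN%3Dalice", *bob = "%2FO%3DGrid%2FCN%3Dbob"; /* constructed */
    if (!mkdtemp(dir)) return 0;
    for (int i = 1; i <= 2; i++) {               /* the sysadmin's pool: gpool001, gpool002 */
        snprintf(path, sizeof path, "%s/gpool%03d", dir, i);
        close(open(path, O_WRONLY | O_CREAT | O_EXCL, 0600));
    }
    int ok = gridmapdir_lease(dir, "gpool", alice, a, sizeof a) == 0;                   /* alice leases one */
    ok += gridmapdir_lease(dir, "gpool", alice, b, sizeof b) == 0 && strcmp(a, b) == 0; /* same one again */
    ok += gridmapdir_lease(dir, "gpool", bob, b, sizeof b) == 0 && strcmp(a, b) != 0;   /* bob gets the other */
    ok += gridmapdir_lease(dir, "gpool", "%2FCN%3Dcarol", b, sizeof b) == -1;          /* pool exhausted */
    return ok;
}
```

Releasing a lease is simply unlinking the subject-named link, which drops the pool file back to a link count of 1; the expiry policy that decides when to do so is left to the site, as the later slides say.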


Patch to Globus 1.1.3

• All subject->username mapping done by functions in Security/gss-assist/gridmap.c

• Patch these to map subjects to pool users if their “username” in grid-mapfile is like “.” or “.subpool”

• Five new functions in gridmap.c implement leasing as described

• Subpools with privileges, quotas etc are possible: eg .cms will only be mapped to cms001, cms002, ...


Lease expiration

• To reuse pool accounts, lease must be terminated somehow - but mechanics very site dependent

• Probably easiest to run a script from cron to expire leases:

• Either based on an expiration time (if you can guarantee the job will be finished by that time)

• Or by job completion flagging the lease as not needed (eg via PBS prologue / epilogue scripts)


Advantages of this patch

• Minimum impact on local systems

• Minimum changes to Globus

• Changes are transparent to users and other sites

• Allows easy local choices about account characteristics and lease expiration


Limitations of the patch

• Sharing of lease “database” via filesystem and NFS is a hack!

• Termination of leases is messy

• Need to block submission of cron jobs etc from pool accounts (batch nodes should be doing this already though)


Making grid-mapfile

• There are already proposals from INFN and the UK about composing grid-mapfiles based on information published in LDAP.

• If this is done, then we have all the components needed to avoid manual intervention by all sysadmins every time a new user joins the Grid.


Future solutions (1)

• “Next Version of Globus” will have CAS framework - need to coexist with this

• “NVoG” will be able to get grid-mapfile info from LDAP

• Can already get Unix “passwd” info from LDAP on Linux and Solaris (via a PAM)

• Should we concentrate dynamic account creation or leasing on a “smart” local LDAP auth server?


Future solutions (2)

• An alternative method is to combine account creation / leasing with resource reservation

• This simplifies the enforcement of lease expiration, since presumably we already enforce process termination, file deletion at end of reservation

• But has more overhead and complexity than a smart LDAP server that just manages dynamic accounts


More information ...

• http://www.hep.grid.ac.uk/gridmapdir/ has a copy of the patch itself, more explanation and some example scripts for managing pool accounts

• The gridmapdir patch is included in development versions of Globus RPMs at http://www.hep.grid.ac.uk/download/development/


make-ca-signing-policy

• Simple script to rebuild ca-signing-policy.conf when CAs are installed or removed

• Looks for policy.*.conf files in $GLOBUS_INSTALL_PATH/share/certificates

• Concatenates a header and all the policy files it finds.


make-c-s-p: RPMs

• When used in a CA RPM, adding or removing a CA just becomes a single rpm command: eg rpm -i ukhepca-0.1-1.rpm

• RPM installs files, then reruns script

• At uninstall, files removed and script rerun

• Can deal with multiple CAs in the same RPM (or tar file).


Demonstration: ukhepca

• Have ukhepca RPM which everyone who needs to trust UK HEP CA can install

• Separate ukhepca-request RPM which only UK sites install (includes files to generate requests for certs from this CA)

• http://www.hep.grid.ac.uk/make-c-s-p/ has explanation and all the sources necessary to make compatible RPM or tar files for other CAs


Summary

• Modular method for installing CA info now available

• Can easily co-exist with non EU Datagrid CAs

• Works with RPM or tar file installation

• Doesn’t do CRL fetching - use NIKHEF proposal? Should installation of a CA define how to fetch its CRL (perhaps by installing a script?)