
EGEE Authorization H&N

EGEE Authorization H&N. David Groep et al., EGEE JRA3. Authorization: AuthZ architecture; an authorization framework for Java and C, with policy providers orchestrated by a master PDP. For today: the Authorization Framework (Java) and the Local Centre Authorization Service LCAS (C/C++ world).


Presentation Transcript


  1. EGEE Authorization H&N. David Groep et al., EGEE JRA3

  2. Authorization
  • AuthZ Architecture
  • Authorization framework for Java and C
    • With policy providers orchestrated by a master PDP
  For today:
  • Authorization Framework (Java) and Local Centre Authorization Service LCAS (C/C++ world)
    • both provide a set of PDP implementations (should be the same set, or a call-out from one to the other)
  • Fine-grained AuthZ implemented as part of the service
    • e.g. for Data Management
  [Footer on every slide: LCAS and LCMAPS and Unix-domain limitations, GGF16, February 2006]

  3. Authorization Framework
  [Diagram: a PEP (service or message interceptor) asks for a decision; the master PDP evaluates Chain 1 ... OR Chain 2 ..., each chain a sequence of PDP and PIP modules (labels: "User in blacklist?", "Retrieve VO info", "Retrieve local info", "evaluate"), backed by a context cache; the PAP-accessible interface is marked.]
  • Implemented in Java only
  • Module interfaces subtly different from the GT4 ones, but no show-stopper
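The chain evaluation sketched in the diagram, as an added example (not code from the EGEE authorization framework or from the slides): a master PDP runs each chain's PIPs and PDPs in order and ORs the chains together. All site data, DNs and helper names (BLACKLIST, LOCAL_ALLOWED_DNS, LOCAL_ALLOWED_VOS, pip_*, pdp_*, hardened) are constructed for the illustration. It also shows the check a practitioner wants with OR-combined chains: a deny-only module such as the blacklist PDP has to sit in every chain, because a chain that omits it lets the master PDP grant through that chain.

```python
"""Master PDP orchestrating PIP/PDP chains: a small model of the framework on the slide.

Constructed example, not code from the EGEE authorization framework; all site data
(BLACKLIST, LOCAL_ALLOWED_*) and the DNs are made up for the illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not_applicable"


@dataclass
class Context:
    subject: str                  # certificate DN of the caller (proxy element stripped)
    fqans: List[str]              # VOMS FQANs from the proxy, in VOMS order
    attrs: Dict[str, object] = field(default_factory=dict)   # filled in by PIPs (the context cache)


# ---- constructed site data ----
BLACKLIST = {"/C=XX/O=Example/CN=Banned User"}
LOCAL_ALLOWED_VOS = {"atlas"}                              # VOs this CE serves
# site-local exception list; the stale second entry is the mistake the example exposes
LOCAL_ALLOWED_DNS = {"/C=XX/O=Example/CN=Local Admin", "/C=XX/O=Example/CN=Banned User"}


def vo_of(fqan: str) -> str:
    """VO name is the first path component: '/atlas/higgs/Role=production' -> 'atlas'."""
    return fqan.strip("/").split("/")[0]


# ---- PIPs enrich the context and return nothing ----
def pip_vo_info(ctx: Context) -> None:
    ctx.attrs["vos"] = sorted({vo_of(f) for f in ctx.fqans})


def pip_local_info(ctx: Context) -> None:
    ctx.attrs["local_vo_ok"] = any(v in LOCAL_ALLOWED_VOS for v in ctx.attrs.get("vos", []))
    ctx.attrs["local_dn_ok"] = ctx.subject in LOCAL_ALLOWED_DNS


# ---- PDPs return a decision ----
def pdp_blacklist(ctx: Context) -> str:
    return DENY if ctx.subject in BLACKLIST else NOT_APPLICABLE


def pdp_vo_policy(ctx: Context) -> str:
    return PERMIT if ctx.attrs.get("local_vo_ok") else DENY


def pdp_local_dn(ctx: Context) -> str:
    return PERMIT if ctx.attrs.get("local_dn_ok") else DENY


Module = Tuple[str, Callable[[Context], object]]          # ("pip" | "pdp", function)


def run_chain(chain: List[Module], ctx: Context) -> str:
    """Modules run in order. The first DENY ends the chain; the chain is PERMIT only if
    at least one PDP said PERMIT and none said DENY."""
    saw_permit = False
    for kind, fn in chain:
        if kind == "pip":
            fn(ctx)
            continue
        decision = fn(ctx)
        if decision == DENY:
            return DENY
        saw_permit = saw_permit or decision == PERMIT
    return PERMIT if saw_permit else NOT_APPLICABLE


def master_pdp(chains: List[List[Module]], ctx: Context) -> str:
    """Chains are ORed, as on the slide: the first chain that PERMITs wins, otherwise DENY."""
    for chain in chains:
        if run_chain(chain, ctx) == PERMIT:
            return PERMIT
    return DENY


# Chain 1: VO-based access. Chain 2: site-local DNs, which forgot the blacklist check.
CHAIN_VO: List[Module] = [("pdp", pdp_blacklist), ("pip", pip_vo_info),
                          ("pip", pip_local_info), ("pdp", pdp_vo_policy)]
CHAIN_LOCAL: List[Module] = [("pip", pip_local_info), ("pdp", pdp_local_dn)]
SITE_CHAINS = [CHAIN_VO, CHAIN_LOCAL]


def hardened(chains: List[List[Module]]) -> List[List[Module]]:
    """With OR across chains a deny-only PDP must head every chain, or it is bypassed."""
    return [[("pdp", pdp_blacklist)] + [m for m in c if m[1] is not pdp_blacklist] for c in chains]


def decide(subject: str, fqans: List[str], chains=SITE_CHAINS) -> str:
    return master_pdp(chains, Context(subject, list(fqans)))


if __name__ == "__main__":
    banned = "/C=XX/O=Example/CN=Banned User"
    print(decide("/C=XX/O=Example/CN=Alice", ["/atlas/Role=production"]))   # permit
    print(decide("/C=XX/O=Example/CN=Bob", ["/cms"]))                       # deny: VO not served
    print(decide(banned, []))                      # permit: chain 2 never consulted the blacklist
    print(decide(banned, [], hardened(SITE_CHAINS)))                        # deny
```

Note that the context is shared across chains (the context cache on the diagram): attributes a PIP set while evaluating chain 1 are visible to chain 2, so a later chain must not assume a PIP earlier in the list has run, which is why pip_local_info tolerates a missing "vos" entry.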

  4. LCAS and Java PDPs
  My best status info as of last week, with bias towards the CE:
  [status table not included in the transcript; its footnotes follow]
  * in a non-standard (gacl) format that will change in 2007
  + interface is partly proprietary, change planned RSN™

  5. LCMAPS and Job Submission
  [Diagram: the user presents a proxy carrying a VOMS pseudo-cert (C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) to the Gatekeeper; after VOMS authentication the context plus JobInfo go to LCAS (banlist, exectbl, authZ call-out), which accepts; LCMAPS ("open, learn, & run: …") returns a legacy uid; the Job Manager then does fork+exec with args, or submits.]
  • LCMAPS: mapping attributes to the Unix domain
  • based on fine-grained VOMS roles/groups
  • must be part of the job runtime chain
    • setuid(2) needs to actually enforce
    • source modifications needed to legacy services
  • Supported in Gatekeeper, GridFTP, glexec, DPM/LFC*

  6. The new gLite CE
  • In the EGEE gLite CE Architecture

  7. LCMAPS functionality
  • Unix mapping based on VOMS groups, roles
  • Granularity set by the site administrator
    • Several VOMS-level groups/roles can be mapped onto a single GID
  • Supports pool groups as well as pool accounts
  • Primary Unix group set to first VOMS group
    • for accounting purposes
    • for use by schedulers in setting priority

  8. LCMAPS deployment constraints
  • More than one VO/group per grid user allowed [but…]
  • Each unique VOMS FQAN listed can translate into 1 Unix group id
  • Each user/Unix-group combination translates into 1 Unix user id
  • When a job starts on a worker node, the identity is re-instated outside of LCMAPS control by the batch system:
    • For sites that do not support a modifiable central user database: need a set of pool accounts for each site-local Unix group
  • The Unix domain is just not flexible enough. Sorry.
  • There are (of course) ideas to circumvent these issues
    • Central user directory support (nss_ldap, pam_ldap)
    • Acceptance may stay far away
  • Data Management systems preferably use their native, fine-grained system
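The mapping described on slides 5, 7 and 8, as an added example (not LCMAPS code): FQAN to GID with site-chosen granularity, primary group taken from the first FQAN, one pool uid per (DN, primary group) pair, a hard failure when a pool is exhausted, and the setgroups/setgid/setuid enforcement step that legacy services have to be patched to perform. FQAN_TO_GID, POOL_UIDS, the pool uid ranges and every DN except the slide's example DN (with its /CN=proxy element stripped) are assumptions made up for the example.

```python
"""LCMAPS-style mapping of a VOMS credential to the Unix domain.

Constructed example, not LCMAPS code; the FQAN->GID table, the pool account ranges and the
second DN are made up. The first DN is the one on slide 5 without the /CN=proxy element."""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class MappingError(Exception):
    """Any failure means 'no identity': the job must never run under a default account."""


@dataclass
class UnixIdentity:
    uid: int
    gid: int             # primary group, from the first FQAN (accounting, scheduler priority)
    groups: List[int]    # primary first, then supplementary groups


# ---- constructed site configuration ----
# Each unique FQAN maps to exactly one GID; several FQANs may share one (site granularity).
FQAN_TO_GID: Dict[str, int] = {
    "/atlas": 5001,                   # plain VO members
    "/atlas/higgs": 5001,             # sub-group folded into the members' gid
    "/atlas/Role=production": 5002,   # production role gets its own gid
    "/cms": 5101,
}
# Pool accounts per site-local group: the batch system re-instates (uid, gid) on its own,
# so every gid that can be a primary group needs its own set of pool uids.
POOL_UIDS: Dict[int, List[int]] = {5001: [30001, 30002], 5002: [30011], 5101: [30101]}


def gid_for(fqan: str) -> Optional[int]:
    """Exact FQAN first, then the group part without /Role=... (most specific wins)."""
    if fqan in FQAN_TO_GID:
        return FQAN_TO_GID[fqan]
    group = fqan.split("/Role=")[0].split("/Capability=")[0]
    return FQAN_TO_GID.get(group)


def map_groups(fqans: List[str]) -> Tuple[int, List[int]]:
    """Primary GID comes from the first FQAN (VOMS order); other mapped FQANs become
    supplementary GIDs. An unknown primary fails closed; unknown extras are ignored."""
    if not fqans:
        raise MappingError("no VOMS FQANs in credential")
    primary = gid_for(fqans[0])
    if primary is None:
        raise MappingError(f"no site mapping for primary FQAN {fqans[0]}")
    extra: List[int] = []
    for f in fqans[1:]:
        g = gid_for(f)
        if g is not None and g != primary and g not in extra:
            extra.append(g)
    return primary, extra


class PoolAccounts:
    """(DN, primary GID) -> UID leases, persistent for the life of the object, in the
    manner of a gridmapdir: the same user in the same group always gets the same uid."""

    def __init__(self) -> None:
        self.leases: Dict[Tuple[str, int], int] = {}

    def uid_for(self, dn: str, gid: int) -> int:
        key = (dn, gid)
        if key in self.leases:
            return self.leases[key]
        in_use = set(self.leases.values())
        for uid in POOL_UIDS.get(gid, []):
            if uid not in in_use:
                self.leases[key] = uid
                return uid
        raise MappingError(f"pool for gid {gid} exhausted")


def map_credential(pool: PoolAccounts, dn: str, fqans: List[str]) -> UnixIdentity:
    gid, extra = map_groups(fqans)
    return UnixIdentity(pool.uid_for(dn, gid), gid, [gid] + extra)


def enforce(ident: UnixIdentity) -> bool:
    """The step legacy services must be patched to take: switch identity in the one
    order that cannot be undone (supplementary groups, gid, then uid) and verify it.
    Needs root, so __main__ only calls it when running as root."""
    os.setgroups(ident.groups)
    os.setgid(ident.gid)
    os.setuid(ident.uid)
    if os.getuid() != ident.uid or os.getgid() != ident.gid:
        raise MappingError("identity switch did not take effect")
    try:
        os.setuid(0)                 # must fail: setuid(2) as root also replaces the saved uid
    except PermissionError:
        return True
    raise MappingError("root could be regained after setuid; the drop is not effective")


if __name__ == "__main__":
    pool = PoolAccounts()
    dn = "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"
    ident = map_credential(pool, dn, ["/atlas/Role=production", "/atlas", "/atlas/higgs"])
    print(ident)                                   # uid 30011, gid 5002, groups [5002, 5001]
    print(map_credential(pool, dn, ["/atlas"]))    # same DN, other primary group: uid 30001
    if os.geteuid() == 0:
        enforce(ident)
```

The mapping is kept separate from enforce() so it can be computed and tested unprivileged, while the identity switch needs root. The example also shows the deployment constraint from slide 8 directly: one DN gets a different pool uid for each primary group it can appear with, and because the batch system re-instates (uid, gid) on the worker node outside LCMAPS, every site-local group needs its own pool, which is why a second production user here fails with an exhausted pool rather than falling back to a shared account.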

  9. Fresh fruit?
  • Virtualisation is here now …
    • Xen, VMware Player/Server, …
    • Needs modification of job managers and batch system pre/post-run scripts
  • Great fresh low-hanging fruit?
    • WSS is part of the chain now
    • Batch system modifications are quite doable
    • Will help greatly in addressing the translation problem
  ‘how to defend yourselves against anyone who attacks you armed with a piece of fresh fruit’
