1 / 1

Distributed Secure Framework

Distributed Secure Framework. Configuration Service. DIRAC Security Framework All DIRAC components rely on a low level framework that provides the necessary basic functionality. This framework contains: DISET: DIRAC’s secure communication protocol for RPC and file transfer

aviva
Télécharger la présentation

Distributed Secure Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DistributedSecureFramework Configuration Service • DIRAC Security Framework • All DIRAC components rely on a low level framework that provides the necessary basic functionality. This framework contains: • DISET: DIRAC’s secure communication protocol for RPC and file transfer • Configuration System: Providing redundant distributed mechanism for configuration and service discovery. • All DIRAC connections are handled by DISET. DISET uses OpenSSL through a custom python binding (derived from pyOpenSSL). This provides grid authentication and encryption, using X509 certificates and grid proxies. Users info Groups definition Authorization rules DISET DISET DIRAC Client DISET DIRAC Component DIRAC Component Cache Cache DISET DIRAC Client User Permissions and proxies Not all users are allowed to perform all actions. DIRAC implements a authorization schema to decide if a given entity can execute an action. All actions have a set of valid properties. The requesting entities have to present at least one allowed property for that action. All users in DIRAC are assigned to a set of groups depending on their privileges, and each group has a set of properties. At any time a given user can only act using one of his/her groups. Users define under which group they want to act by embedding the group in their proxy. DIRAC provides this functionality when creating a new proxy. Thus having the group signed directly by the user, the user group cannot be changed (or added if it’s not there) after the proxy has been created. DIRAC Framework • Payload and proxies • DIRAC has to make sure the user payload runs under the user credential. DIRAC stores the user proxy and takes it to the resource where the user payload will run. All the proxy managing is done under a very strict security schema to minimize the damage that a stolen proxy may cause. The way DIRAC does it is the following: • A user uploads a proxy with the group embedded to the Proxy Manager and then submits a job to DIRAC. • In order to submit pilot jobs to the resources, the Pilot Director downloads a non-limited proxy using its own credential, and requests a proxy token. This token will have to be presented by the pilot job to be able to retrieve the real user proxy. • When the Job Agent matches a job to run in the resource, it downloads the payload proxy using its own credentials and token. Before the payload starts to run the payload environment is changed, so the payload automatically only sees the user proxy. • Pilot proxies have a special DIRAC group embedded. They can only belong to a very restricted set of users. • See [108] by R. Graciani et al. for more information about pilot jobs. Resource Job Agent User payload Output Payload proxy Proxy token 3 Pilot job Proxy Manager Proxy Proxy token Proxy tokens Pilot proxies 1 2 Pilot Director Job Job Manager Jobs DB Proxy management DIRAC has its own component for managing proxies. The Proxy Manager is a repository where users can upload their proxies. It will be used later on by all DIRAC components that require a user proxy. All proxy movements through the network are done through delegation. The Proxy Manager can use other grid middleware proxy management components to enhance its functionality. For instance it can use VOMS to add the required attributes to a proxy. DIRAC only keeps a short-lived user proxy in the system. Typically user’s proxy life time is shorter that the time a user job stays in the system, and DIRAC needs to keep the proxy alive while the job is in the system. That requires DIRAC to extend the proxies in the system that are about to expire. The DIRAC Proxy Management system talks to the MyProxy service and request new proxies for those about to expire when needed. DIRAC Service Long-lived proxy MyProxy VOMS User DENY NO Extended proxy VOMS extensions User proxy Group has a valid property? NO DIRAC Group DN valid? User YES Proxy Manager Users info Groups definition Authorization rules Short-lived proxy NO Configuration Service Proxy repository User proxy User in group? EXECUTE YES YES DIRAC Component A.Casajus and R.Graciani (Universitat de Barcelona) onbehalf of theLHCb DIRAC team

More Related