OSG AuthZ components - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

OSG AuthZ components

Description:

Dane Skow. Gabriele Carcassi. Full privilege scenario. User. voms-proxy-init ... VOMS Proxy format (PRIMA) AuthZ request: SAML obligations (everything) ... – PowerPoint PPT presentation

Number of Views:71
Avg rating:3.0/5.0
Slides: 21
Provided by: gabriele3
Category:
Tags: authz | osg | components | proxy

less

Transcript and Presenter's Notes

Title: OSG AuthZ components


1
OSG AuthZ components
  • Dane Skow
  • Gabriele Carcassi

2
Full privilege scenario

voms-proxy-init
Submission site
User
VOs
Execution site
site GUMSServer
Gatekeeper
PRIMA
grid3-usertxt
gums-host
ü centralized mapping ü account pool ü/û dynamic
mappings (broken by accounting) ü role/group
based mappings
3
Compatibility scenario

grid-proxy-init
Submission site
User
VOs
Execution site
gums-host
site GUMSServer
Gatekeeper
both maps
grid-mapfile
gums-host
grid3-usertxt
gums-host
gums-host
ü centralized mapping ü account pool û dynamic
mappings û role/group based mappings
4
Ye olde Grid3 setup

grid-proxy-init
Submission site
User
Execution site
edg-mkgridmap
Gatekeeper
grid-mapfile
VOs
grid3-usertxt
û centralized mapping û account pool û dynamic
mappings û role/group based mappings
5
PRIMA module
  • Its a C library that implement the gatekeeper
    callout
  • Gets the credentials
  • Validates certificate and attributes
  • Formats a SAML message and sends it to GUMS
  • Parses the response
  • Returns the uid to the gatekeeper
  • Distributed as part of VDT

6
Details
  • PRIMA sends only the first VOMS FQAN, not the
    whole list encoded in the certificate. GUMS makes
    decisions only on one FQAN.

7
Attribute verification
  • PRIMA can verify the VOMS attributes, but
    typically we do not do that
  • In OSG we lack a mechanism to easily distribute
    the certificates of the VO servers
  • GUMS verifies the presence in the VO
  • periodically downloads the full list of users
    from the VO server (has to do that for maps
    generation)
  • prevents forging a fake VO
  • foresee to disable in case attribute verification
    is done at the gatekeeper end, and no maps are
    needed
  • Should attribute verification be delegated to the
    server?

8
PRIMA Complaints
  • Mainly about the log
  • Not clear error information (the actual GUMS
    errors are not passed through the protocol)
  • Lacks a one liner entry with all information when
    successful (there is one, but, for example, lacks
    the FQAN)

9
What is GUMS?
  • GUMS purpose is to manage the mapping between
    Grid Credentials to Site credentials
  • Centralized one GUMS per site, one configuration
    file for all gatekeepers/services
  • PDP enforcement is done at the
    gatekeeper/service (through grid-mapfiles or
    callouts)
  • Customizable designed to be integrated with
    other site systems with little effort

10
Centralized management
  • Designed by and for a site with a number of
    heterogeneous gatekeepers
  • For example, BNL GUMS has more than 10
    gatekeepers (4 from STAR, 1 PHENIX, 6 ATLAS)
    other ATLAS services (dCache, DIAL, )
  • Some of these are OSG, some are test machines,
    some needs special test maps,
  • One place of configuration allows control and
    consistency
  • (For a small site, with one gatekeeper and 20
    nodes, that is fine with a single account per VO,
    we currently recommend mapfiles and
    edg-mkgridmap.)

11
GUMS overview
Tomcat server
SAML obligations over SOAP/HTTPS
Glite trustmanager
PRIMA
GUMS DB
Business logic
Persistence (hibernate,ldap)
AuthZWS
Cmd line
AdminWS (Axis)
SOAP/HTTPS
Web UI (JSP)
Webbrowser
HTTPS
WS Web Service UI User Interface
filesystem
XML configuration
12
GUMS Policy example

className'gov.bnl.gums.hibernate.HIbernatePersist
anceFactory' /
name'usatlasPool' className'gov.bnl.gums.LDAPGroup'
server'grid-vo.nikhef.nl' query'ouusatlas,oatl
as,dceu-datagrid,dcorg
persistanceFactory'mysql' name'usatlas' /

untMapper' persistanceFactory'mysql'
name'bnlMapping' / className'gov.bnl.gums.AccountPoolMapper'
persistanceFactory'mysql' name'bnlPool' /
countMapper' groupName'usatlas1' /

className'gov.bnl.gums.VOMSGroup'
url'https//vo.racf.bnl.gov8443/edg-voms-admin/s
tar/services/VOMSAdmin
persistanceFactory'mysql' name'star'
sslCertfile'/etc/grid-security/hostcert.pem'
sslKey'/etc/grid-security/hostkey.pem'/
className'gov.bnl.gums.ManualAccountMapper'
persistanceFactory'mysql' name'bnlMapping' /
ccountMapper' jndiNisUrl'nis//nis2.somewhere.com
/rhic.bnl.gov' /

s.CertificateHostGroup" cn'star.somewhere.gov'
groups'star' / className"gov.bnl.gums.CertificateHostGroup"
cn'gums.somewhere.gov' groups'star,phenix,usatla
sPool' /
13
GUMS Authorization
  • GUMS admin can perform any operation through web
    service and web ui door
  • Host can only perform read operations (map
    generation and mapping requests) for itself
  • Configuration can be changed through filesystem
    only (automatically reloaded when changed)

14
GUMS performance
  • BNL production server gives 30 req/sec
  • Not that good
  • Is not the bottleneck right now, as the
    production gatekeeper can only give 5 req/sec
  • Performance test show that
  • Overall delay (client-server-client) is 220ms
  • The GUMS logic is responsible for up to 20ms
  • The rest is plain AXIS SOAP SSL
  • Its not glite trustmanagers fault either

15
GUMS performance
  • JClarens group confirmed this while comparing
    SOAP with XML-RPC
  • XML-RPC without SSL 373 req/sec with SSL 274
  • SOAP without SSL 218 req/sec with SSL 23
  • 10 times slower!
  • Is it SOAP? Is it Axis implementation?
  • At least, GUMS can run on a cluster
  • All state resides in the database, transactions
    are used, no session transfer needed, no cluster
    cache needed
  • Almost all the configuration file is on
    filesystem, an needs to be updated on all
    machines (at the same time)

16
GUMS Complaints
  • The configuration file is difficult
  • It usually takes people a few tries
  • We should simplify it
  • We should probably have ways to share parts of
    it (contact a location to get standard OSG groups
    definitions?)

17
Storage AuthZ (not in prod)
Execution site
Gatekeeper GRAMgridFTP
site GUMSServer
PRIMA
SAML obligations over SOAP/HTTPS
SRM/dCache
StorageAuthorizationService
gPLAZMA
Adds AuthZ params that are dCache specific. XACML
policy.
18
Storage AuthZ
  • gPlazma is dCache authorization infrastructure,
    which can be set to contact the Storage
    Authorization Service
  • Distributed as part of dCache, Beta quality
  • The Storage AuthZ Service speaks the same SAML
    GUMS does, and is configured with a XACML policy
  • Contact GUMS to retrieve the mapping
  • Adds other AuthZ parameters (i.e. gid, user home
    path, )
  • Prototype level

19
Other issues maps
  • GUMS is able to generate grid-mapfiles and also
    an inverse accounting map used by OSG accounting
  • Want to move away from them creating a map means
    exploring all the policy, which breaks dynamic
    account mapping (i.e. for a pool, we have to
    assigns accounts to everybody)
  • Assumption we believe that inverse maps (uid-
    DN) are not needed
  • For example, in accounting what you really need
    is a history of what uid was assigned to what DN.
    That changes with time. Its better handled by
    looking at log files.

20
Conclusions
  • GUMS and PRIMA are deployed in production on a
    number of OSG sites
  • Privilege project depends on the following
    formats
  • VOMS Proxy format (PRIMA)
  • AuthZ request SAML obligations (everything)
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "OSG AuthZ components" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!