Status update on suexec, WSS, LCMAPS

1
Status update onsuexec, WSS, LCMAPS

• Martijn Steenbakkers for JRA3
• University of Amsterdam, NIKHEF

2
Outline

• Isolation (sandboxing)
• WorkSpace Service (WSS) and LCMAPS
• suexec wrapper program
• How does this fit in the gLite CE?
• Implementation status
• Issues/todo
• (Local) authorization
• Policy Decision Points (PDPs)
• Timeline
• Next talk by Oscar Job Repository (auditing)

3
Position of Site Access Control
global issues
User policies VO policies
Establishing Trusted Third Parties
Key storage MyProxy
site access control
AuthN
Local AuthZ
Auditing
Network
Isolation
validating certificates
Site policiesVOMS-ACLs, blackls
virtualisationaccount mapping
connectivityprovisioning
loggingauditing
service business logic
Access control to individual files
System account creation workernode to headnode
communications
Router port filtering DDoS protection
4
Goals

• Generic access control to services
• Authentication
• Authorization
• for legacy applications file access, networks,
  
• Sites are always in control of their resources
• Flexibility, scalability
• Allow for central control in a site
• Converge to a single policy format
• Standardization of configuration
• Address requirements from NA4, SAAA-RG, and
  others (incorporated in MJRA3.1 user
  requirements)

5
Isolation (sandboxing)

• Roadmap
• virtualization of resources (VM) or assigning of
  local credentials
• should be indistinguishable from outside
• EGEE Architecture
• only based on credential mapping
• do as little as possible with root privileges
  suexec
• minimizing local management poolaccounts
  poolgroups
• credential mapping and manipulation LCMAPS
• management capabilities on these accounts
  WorkSpace Service (WSS)

6
Workspace Service and LCMAPS

• Workspace Service (WSS) is part of GT4-core and
  in gLite-1 (preview)
• Account creation and account management
• Provides lifetime management and will provide
  quota management
• Account clean-up mechanism
• Possibility to put account in quarantine first
• Example clean-up script provided
• Access control to Workspace Service based on DN
  and VOMS attr.
• Access control to account
• Currently based on DN
• Will provide ACLs on VOMS attributes (?)
• Support of poolaccounts
• Clean-up of poolaccounts
• Uses LCMAPS as a back-end to manage gridmapdir
  (poolindex)

7
LCMAPS and the WSS in gLite-1
Workspace Service
WMS
j
n
WorkSpace Service
m
o
quarantine and terminate
p
k
GK
LCMAPS
Gridmapdir poolindices
poolaccount
lq
Voms poolaccount
2fo3ddutchgrid2fo3dusers2fo3dnikhef2fcn3dm
artijn20steenbakkers3atlas atlas001
Plug-ins
lcmaps.db groupmapfile grid-mapfile
Setuid, setgid
r
Condor schedd
8
suexec wrapper

• Thin layer with root privileges will replace
  gatekeeper
• Intended for identity-switching services
• condor, gridsite, globus gram, cream.
• Internal
• Uses LCMAPS/Workspace service as credential
  mapping mechanism
• Executes the requested command with local
  credentials
• External interface
• Should be usable by C, java (, perl?) services
  program executable.
• A (user) credential should be passed to suexec.
• In- and outgoing pipes, file descriptors should
  be preserved as much as possible.

9
CE in gLite-2 (hybrid scenario)
1. Start VO scheduler_at_CE 2. Submit job to CE 3.
Run job/program
Start service (gram?)
VO CE (Condor-C)
User cred.
WMS (broker)
Workspace Service
User cred.
Map user cred to account
User program (Blahp)
10
CE in gLite-2 (full scenario)
1. Start VO scheduler_at_CE 2. Submit job to CE 3.
Run job/program
Start service (gram?)
VO CE (Condor-C)
User cred.
Verify token
token
User program (Blahp)
11
suexec implementation (1)

• Started from apache suEXEC
• Safe code, has proven itself
• Works with apache (gridsite)
• Input parameters
• Hybrid scenario Environment variable with
  location of proxy (PEM-encoded)
• Full scenario Attribute certificate from WSS
  bind service.
• Environment variable with mapcounter (to support
  multiple mappings per set of credentials)
• Optional the uid and gid to run the executable.

12
suexec implementation (2)

• Two run-modes depending on setuid bit settings
• suexec is setuid-root setuid()/setgid() to local
  user in suexec code and execute the program
• -r-s--x--- 1 root apache /usr/sbin/gsuexec
• suexec runs as special user suexec uses sudo for
  identity switching and program execution
• -r-s--x--- 1 gsuexec gsuexec /opt/glite/sbin/gsuex
  ec
• sudo preserves only stdin, stdout, stderr
• sudo can be configured to allow the user
  gsuexec to run a predefined set of programs
  (blahpd, qsub)

13
Todo/issues (1)

• Suexec
• callout to lcmaps (almost ready, Hybrid scenario)
• Allow suexec only to run programs from a list
  /usr/bin/sudo, ?
• Where should the fork() go?
• Can create (small) C client wrapper lib that does
  the fork.
• Needed for Java as well?
• Need to chdir() to home directory? Need to
  chown() files (user proxy)?
• Integration on the gLite prototype with Condor,
  (Cream?)
• callout to the WSS (Full scenario).
• Use as a backend for gt4 GRAM?

14
Todo/issues (2)

• Workspace service
• Multiple account mapping support (ready, released
  today?)
• Ban list (soon)
• WSS bind service (NIKHEF can help)
• Proves that the caller of suexec is entitled to
  use the account
• Callout to authZ service (SAML)
• LCMAPS
• Working on PEM interface (almost ready)
• Verify proxy (including full/limited proxy check)
• Not directly related to suexec (see DM security
  model)
• dual certificate support
• Plug into new globus gridftp server using
  standard GSI authZ callouts.

15
Local Authorization

• Roadmap
• all assertions carried as SAML statements
• all local (and global) policies expressed in
  XACML
• separate authorization service using standard
  protocols
• site policy, AND-ed with user and VO policy,
  evaluated together
• policy evaluation never requires special local
  privs (root)
• EGEE Architecture
• Authorization Framework (Java) and LCAS (C/C
  world)
• both provide set of PDPs
• Authorization Service via OGSA-AuthZ-WG spec
  (EGEE-2)
• PDPs user white/blacklist, VOMS-ACL,
  Proxy-lifetime, Limited proxy (OID) checks,
  peer-system name validation, central CRL checking

16
Local Authorization - PDPs

• Policy Decision Points (PDPs)
• VOMS-ACL Java authZ framework
• proxy lifetime check C Java
• SAAARG requirement 1.4.1.1 for proxies
• Limited proxy check C Java
• Decides to accept limited proxies or not
• Old (gt2) style proxies DN contains CNlimited
  proxy
• RFC3820 proxies check proxy policy language OID
  (defined by globus)

17
Coarse timeline
18
References

• LCMAPS and LCAS
• http//www.nikhef.nl/grid/lcaslcmaps/
• WorkSpace Service
• http//www-unix.mcs.anl.gov/workspace/
• DJRA3.2 Site Access Control Architecture
• https//edms.cern.ch/document/523948/

19
Local Authorization - PDPs

• Policy Decision Points (PDPs)
• ban/allow and VOMS-ACL Java
• proxy lifetime check C Java
• SAAARG requirement 1.4.1.1 for proxies
• OID- (of generic extension) check C Java
• SAAARG requirement 1.3.4
• Strength of user key storage contained in
  policy-OID extension to be checked against a
  pre-defined (site-approved) list.
• Coordination required with identity certificate
  providers
• peer hostname check for certs Java
• Limit the use of agent credentials to domain-name
  of originating system by linking it to
  authentication data
• SubjectAltName or dNSName extension.
• central revocation checking
• If not easily switched on in OpenSSL, make it a
  PDP
• phase1 static central CRL checking (similar to
  SAZ at Fermilab)
• phase2 OCSP

20
Authorization standards

• Move towards standard authZ interfaces
• globus authZ interface (LCAS)
• Credential mapping and setuid interface (LCMAPS)
• Definition underway (GGF)
• Authorization Service via OGSA-AuthZ-WG spec
• Start using XACML for policy expression
• How about the plans to define of a minimal set of
  XACML and have a C implementation of that?

21
GAAA integration-1

• Remote/central GAAA authZ service
• flexible combination of pull, push, agent access
  control models
• AuthZ assertions/tickets and/or tokens for
  performance optimisation
• Integration with EGEE/GT AuthZ framework and
  other EGEE services based on SAML, XACML,
  WS-Security industry standards and GT AuthZ
  interface.
• Pilot callout from gridftp to GAAA AuthZ service
• LCAS a java authZ FW a GAAA authZ service or
• LCAS a GAAA authZ service
• EGEE Requirement 100375 (PTF Savannah)
  Authorization for network resources access
• Gap to fill for GAAA? Multidomain authZ?
• More info http//staff.science.uva.nl/demch/work
  sinprogress/draft-oce-security-architecture-authz-
  02.pdf

22
GAAA integration motivation and benefits

• GAAA and gLite/GT in general
• AIRG is experimenting with using Grid for Optical
  network management and resource reservation using
  currently GT3.3
• Resource management and policy is based on GAAA
  Az F/w
• GAAA and gridFTP
• The same as above gridFTP is used for bulk
  file/data transfer to generate above Gigabit
  datastreams
• GAAA/GAAAPI gLite/GT4 AuthZ framework
• GAAAPI implements generic RBAC and GAAA Authz f/w
  functionality flexibly configurable for agent,
  pull and push models
• Uses SAML for AuthZ assertions and XACML for
  AuthZ messaging and policy exchange
• Provides functionality for handling AuthZ and
  AuthN tickets and tokens both in proprietary and
  SAML format
• Configurable for different distributed access
  control scenarios
• Single domain PEP-PDP, different domains PEP-PDP
  and PDP-PEP
• All context handlers and ticket/token handling
  modules can work at both PEP and PDP side

23
GAAA integration-2

• remote invocation C client
• As a plugin for LCAS
• Callout to java authZ FW and/or GAAA server by
  GGF OGSA-authZ WG standards
• What should be passed from client to authZ
  service?
• Complete Subject Attributes/Roles, Resource,
  Actions
• All what is required for policy evaluation
• Minimum SubjectID, Resource, Actions
• All remaining information must be added by
  PEP-PDP context handler
• This functionality is available in GAAAPI
• SubjectID must be provided with Subject
  confirmation data cryptographically (Signature or
  Encryption) proving Subjects identity
• Communication XML security, gsoap, MLS?
• Performance?