View
218
Download
0
Tags:
Embed Size (px)
Citation preview
European Condor week June 28th, Milano 2
Enabling Grids for E-sciencE
INFSO-RI-508833
Contents
• What is glexec?
• Why do we need glexec (and gsexec)?
• How does glexec fit in the gLite architecture?
• How can glexec be invoked?
• Glexec on the worker node
• Status
European Condor week June 28th, Milano 3
Enabling Grids for E-sciencE
INFSO-RI-508833
What is glexec?
glexec
a thin layerto change unix credentials
based on grid identity and attribute information
you can think of it as:• ‘a replacement for the gatekeeper’• ‘a griddy version of Apache’s suexec(8)’• ‘a program wrapper around LCAS, LCMAPS or GUMS’
European Condor week June 28th, Milano 4
Enabling Grids for E-sciencE
INFSO-RI-508833
What glexec does
Input1. a certificate chain, possibly with VOMS extensions2. a user program name & arguments to run
Action1. check authorization (LCAS, GUMS)
• user credentials, proper VOMS attributes, executable name
2. acquire local credentials– local (uid, gid) pair, possibly across a cluster
3. enforce the local credential on the process
Result1. user program is run with the mapped credentials
European Condor week June 28th, Milano 6
Enabling Grids for E-sciencE
INFSO-RI-508833
Condor schedd
lcmaps.dbgroupmapfilegrid-mapfile
lcmaps.dbgroupmapfilegrid-mapfile
WMSWorkSpace
Service
GK
Gridmapdir poolindices
Plug-ins%2fo%3ddutchgrid%2fo%3dusers%2fo%3dnikhef%2fcn%3dmartijn%20steenbakkers%3atlas atlas001
[…]
Voms poolaccount
poolaccount
Setuid, setgid
LCMAPS
Workspace Service
quarantine
and terminate
LCMAPS and the WSS in gLite-1
European Condor week June 28th, Milano 7
Enabling Grids for E-sciencE
INFSO-RI-508833
Why was glexec devised?
• gatekeeper and other schedulers are complex, and need not be run with root privileges all the time– take an example from Apache httpd, where user cgi scripts can
be run under their own identity, but without the web server itself having to run as root
– to accomplish this, a small, program is needed with setuid(2) power: ‘suexec(8)’
• variety in grid job submission systems is increasing– need a common way of obtaining and enforcing site policy and
credential mapping– without the need to modify each and every system
– as such, glexec in this deployment mode is an alternative to having authorization and mapping call-outs in each system
European Condor week June 28th, Milano 8
Enabling Grids for E-sciencE
INFSO-RI-508833
‘suexec’ requirements
• Do as little as possible with ‘root’ privileges• Allow VO-services to use (pool)accounts for each user
job• In- and outgoing pipes, file descriptors should be
preserved as much as possible.• Should be usable by C/C++ and java services: program
executable.• Sites should still be able to control the access to their
resources• Apache’s suEXEC fulfills many of these requirements
– Safe code, has proven itself– Works with apache– 2 clones from apache’s suEXEC: gsexec (part of gridsite) and
glexec (part of gLite)
European Condor week June 28th, Milano 9
Enabling Grids for E-sciencE
INFSO-RI-508833
suexec wrapper
Thin layer with root privileges will replace gatekeeper• Intended for identity-switching services:
– condor, gridsite, globus gram, cream.
• Internal– Uses LCMAPS/Workspace service as credential mapping
mechanism– Executes the requested command with local credentials
• External interface– Should be usable by C, java (, perl?) services: program
executable.– A (user) credential should be passed to suexec.– In- and outgoing pipes, file descriptors should be preserved as
much as possible.
European Condor week June 28th, Milano 10
Enabling Grids for E-sciencE
INFSO-RI-508833
Scenario I: Apache
European Condor week June 28th, Milano 11
Enabling Grids for E-sciencE
INFSO-RI-508833
Scenario II: Cream
European Condor week June 28th, Milano 12
Enabling Grids for E-sciencE
INFSO-RI-508833
Scenario III: Condor/WSS
European Condor week June 28th, Milano 14
Enabling Grids for E-sciencE
INFSO-RI-508833
Usage of glexec (1)
Two run-modes depending on setuid bit settings:
1. glexec is setuid-root: setuid()/setgid() to local user in glexec code and execute the program
-r-s--x--- 1 root apache /usr/sbin/glexec
In the next release:1. glexec runs as special user: glexec uses sudo for
identity switching and program execution:-r-s--x--- 1 glexec glexec /opt/glite/sbin/glexec sudo preserves only stdin, stdout, stderr sudo can be configured to allow the user “glexec” to run a
predefined set of programs (blahp, qsub)
European Condor week June 28th, Milano 15
Enabling Grids for E-sciencE
INFSO-RI-508833
Usage of glexec (2)
• Environment variables to be set before calling glexec– GLEXEC_MODE:
“lcmaps_verify_account”: glexec <uid> <gid> <command+args> “lcmaps_get_account”: glexec <command+args>
– SSL_CLIENT_CERT and SSL_CLIENT_CERT_<n>: PEM-encoded strings containing the proxy cert and chain components.
– GLEXEC_SOURCE_PROXY: location of the (delegated) proxy to be used by the user job..
– GLEXEC_TARGET_PROXY: location where the proxy should be copied to. If not specified ~/.glexec/proxy is used.
– GLEXEC_ID (optional): unique job id to be used as an index for the jobrepository:
• All other environment variables are cleared
European Condor week June 28th, Milano 16
Enabling Grids for E-sciencE
INFSO-RI-508833
Usage of glexec (3)
Configuration:• At compilation time the default defines in the apache
headers (/usr/include/httpd/*.h) are overridden by glexec.h– Contains at the moment hardcoded locations of lcas and lcmaps
config files– Next version will use a configuration file instead.
• lcas and lcmaps use the following config files:– /opt/glite/etc/lcas/lcas-glexec.db– /opt/glite/etc/lcmaps/lcmaps-glexec.db
European Condor week June 28th, Milano 18
Enabling Grids for E-sciencE
INFSO-RI-508833
VO pilot job on the node
Note: proper uid change by Gatekeeper or Condor-C/BLAHP on head node should remain default
• On success: the site will set the uid/gid of the new user’s job• On failure: glexec will return with an error, and pilot job can terminate or obtain other job
European Condor week June 28th, Milano 19
Enabling Grids for E-sciencE
INFSO-RI-508833
Status today
• Status of ‘glexec’ today– implementation ready & tested,
based off the Apache HTTP suexec code base– uses the LCAS and LCMAPS for enforcement and mapping in their
library-based implementation– new modules have been added
LCAS: RSL (executable path) constraints validation of cert chain and proxy lifetime
– restrictions policy should be located on local posix-accessible file systems policy transport should be ‘trustworthy’
• Needed specifically for the –on-WN model– make the credential acquisition process (LCAS/LCMAPS) work
with a site-central policy engine enforcement will have to stay local
– changeover to standard callouts for both are needed– needs more site-sysadmin configuration capabilities
European Condor week June 28th, Milano 20
Enabling Grids for E-sciencE
INFSO-RI-508833
Plans
• Integration on prototype with CREAM and Condor
• Replace callouts to LCAS and LCMAPS by a callout to Workspace service (a.k.a. the full scenario).– Workspace bind service
• Use of sudo
• Use of a glexec configuration file
• Interoperability: use the common standardized authZ/mapping callout interface (OSG collaboration)