17
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Glexec overview Gerben Venekamp NIKHEF

INFSO-RI-508833 Enabling Grids for E-sciencE Glexec overview Gerben Venekamp NIKHEF

  • View
    218

  • Download
    0

Embed Size (px)

Citation preview

INFSO-RI-508833

Enabling Grids for E-sciencE

www.eu-egee.org

Glexec overview

Gerben VenekampNIKHEF

European Condor week June 28th, Milano 2

Enabling Grids for E-sciencE

INFSO-RI-508833

Contents

• What is glexec?

• Why do we need glexec (and gsexec)?

• How does glexec fit in the gLite architecture?

• How can glexec be invoked?

• Glexec on the worker node

• Status

European Condor week June 28th, Milano 3

Enabling Grids for E-sciencE

INFSO-RI-508833

What is glexec?

glexec

a thin layerto change unix credentials

based on grid identity and attribute information

you can think of it as:• ‘a replacement for the gatekeeper’• ‘a griddy version of Apache’s suexec(8)’• ‘a program wrapper around LCAS, LCMAPS or GUMS’

European Condor week June 28th, Milano 4

Enabling Grids for E-sciencE

INFSO-RI-508833

What glexec does

Input1. a certificate chain, possibly with VOMS extensions2. a user program name & arguments to run

Action1. check authorization (LCAS, GUMS)

• user credentials, proper VOMS attributes, executable name

2. acquire local credentials– local (uid, gid) pair, possibly across a cluster

3. enforce the local credential on the process

Result1. user program is run with the mapped credentials

European Condor week June 28th, Milano 6

Enabling Grids for E-sciencE

INFSO-RI-508833

Condor schedd

lcmaps.dbgroupmapfilegrid-mapfile

lcmaps.dbgroupmapfilegrid-mapfile

WMSWorkSpace

Service

GK

Gridmapdir poolindices

Plug-ins%2fo%3ddutchgrid%2fo%3dusers%2fo%3dnikhef%2fcn%3dmartijn%20steenbakkers%3atlas atlas001

[…]

Voms poolaccount

poolaccount

Setuid, setgid

LCMAPS

Workspace Service

quarantine

and terminate

LCMAPS and the WSS in gLite-1

European Condor week June 28th, Milano 7

Enabling Grids for E-sciencE

INFSO-RI-508833

Why was glexec devised?

• gatekeeper and other schedulers are complex, and need not be run with root privileges all the time– take an example from Apache httpd, where user cgi scripts can

be run under their own identity, but without the web server itself having to run as root

– to accomplish this, a small, program is needed with setuid(2) power: ‘suexec(8)’

• variety in grid job submission systems is increasing– need a common way of obtaining and enforcing site policy and

credential mapping– without the need to modify each and every system

– as such, glexec in this deployment mode is an alternative to having authorization and mapping call-outs in each system

European Condor week June 28th, Milano 8

Enabling Grids for E-sciencE

INFSO-RI-508833

‘suexec’ requirements

• Do as little as possible with ‘root’ privileges• Allow VO-services to use (pool)accounts for each user

job• In- and outgoing pipes, file descriptors should be

preserved as much as possible.• Should be usable by C/C++ and java services: program

executable.• Sites should still be able to control the access to their

resources• Apache’s suEXEC fulfills many of these requirements

– Safe code, has proven itself– Works with apache– 2 clones from apache’s suEXEC: gsexec (part of gridsite) and

glexec (part of gLite)

European Condor week June 28th, Milano 9

Enabling Grids for E-sciencE

INFSO-RI-508833

suexec wrapper

Thin layer with root privileges will replace gatekeeper• Intended for identity-switching services:

– condor, gridsite, globus gram, cream.

• Internal– Uses LCMAPS/Workspace service as credential mapping

mechanism– Executes the requested command with local credentials

• External interface– Should be usable by C, java (, perl?) services: program

executable.– A (user) credential should be passed to suexec.– In- and outgoing pipes, file descriptors should be preserved as

much as possible.

European Condor week June 28th, Milano 10

Enabling Grids for E-sciencE

INFSO-RI-508833

Scenario I: Apache

European Condor week June 28th, Milano 11

Enabling Grids for E-sciencE

INFSO-RI-508833

Scenario II: Cream

European Condor week June 28th, Milano 12

Enabling Grids for E-sciencE

INFSO-RI-508833

Scenario III: Condor/WSS

European Condor week June 28th, Milano 14

Enabling Grids for E-sciencE

INFSO-RI-508833

Usage of glexec (1)

Two run-modes depending on setuid bit settings:

1. glexec is setuid-root: setuid()/setgid() to local user in glexec code and execute the program

-r-s--x--- 1 root apache /usr/sbin/glexec

In the next release:1. glexec runs as special user: glexec uses sudo for

identity switching and program execution:-r-s--x--- 1 glexec glexec /opt/glite/sbin/glexec sudo preserves only stdin, stdout, stderr sudo can be configured to allow the user “glexec” to run a

predefined set of programs (blahp, qsub)

European Condor week June 28th, Milano 15

Enabling Grids for E-sciencE

INFSO-RI-508833

Usage of glexec (2)

• Environment variables to be set before calling glexec– GLEXEC_MODE:

“lcmaps_verify_account”: glexec <uid> <gid> <command+args> “lcmaps_get_account”: glexec <command+args>

– SSL_CLIENT_CERT and SSL_CLIENT_CERT_<n>: PEM-encoded strings containing the proxy cert and chain components.

– GLEXEC_SOURCE_PROXY: location of the (delegated) proxy to be used by the user job..

– GLEXEC_TARGET_PROXY: location where the proxy should be copied to. If not specified ~/.glexec/proxy is used.

– GLEXEC_ID (optional): unique job id to be used as an index for the jobrepository:

• All other environment variables are cleared

European Condor week June 28th, Milano 16

Enabling Grids for E-sciencE

INFSO-RI-508833

Usage of glexec (3)

Configuration:• At compilation time the default defines in the apache

headers (/usr/include/httpd/*.h) are overridden by glexec.h– Contains at the moment hardcoded locations of lcas and lcmaps

config files– Next version will use a configuration file instead.

• lcas and lcmaps use the following config files:– /opt/glite/etc/lcas/lcas-glexec.db– /opt/glite/etc/lcmaps/lcmaps-glexec.db

European Condor week June 28th, Milano 18

Enabling Grids for E-sciencE

INFSO-RI-508833

VO pilot job on the node

Note: proper uid change by Gatekeeper or Condor-C/BLAHP on head node should remain default

• On success: the site will set the uid/gid of the new user’s job• On failure: glexec will return with an error, and pilot job can terminate or obtain other job

European Condor week June 28th, Milano 19

Enabling Grids for E-sciencE

INFSO-RI-508833

Status today

• Status of ‘glexec’ today– implementation ready & tested,

based off the Apache HTTP suexec code base– uses the LCAS and LCMAPS for enforcement and mapping in their

library-based implementation– new modules have been added

LCAS: RSL (executable path) constraints validation of cert chain and proxy lifetime

– restrictions policy should be located on local posix-accessible file systems policy transport should be ‘trustworthy’

• Needed specifically for the –on-WN model– make the credential acquisition process (LCAS/LCMAPS) work

with a site-central policy engine enforcement will have to stay local

– changeover to standard callouts for both are needed– needs more site-sysadmin configuration capabilities

European Condor week June 28th, Milano 20

Enabling Grids for E-sciencE

INFSO-RI-508833

Plans

• Integration on prototype with CREAM and Condor

• Replace callouts to LCAS and LCMAPS by a callout to Workspace service (a.k.a. the full scenario).– Workspace bind service

• Use of sudo

• Use of a glexec configuration file

• Interoperability: use the common standardized authZ/mapping callout interface (OSG collaboration)