/[pdpsoft]/trunk/grid-mw-security/ees/thesis/grid_auth.tex

Diff of /trunk/grid-mw-security/ees/thesis/grid_auth.tex


revision 952 by aramv, Tue Oct 20 14:33:07 2009 UTC revision 953 by aramv, Wed Oct 21 08:40:48 2009 UTC
# Line 5  Line 5 
5  % Authenticatie: persoonlijke certificaten, VOMS, SAML statements en  % Authenticatie: persoonlijke certificaten, VOMS, SAML statements en
6  \section{Authentication \& authorization mechanisms}  \section{Authentication \& authorization mechanisms}
7  Grid computing requires a mechanism to authorize users' access to Grid resources.  Grid computing requires a mechanism to authorize users' access to Grid resources.
8  This authorization can be granted at different levels depending on different types of credentials supplied by - or associated with - the user and which service he or she tries to access.  This authorization can be granted at different levels depending on different types of credentials supplied by - or associated with - the user and on which service he or she tries to access.
9    
10  \subsection{X.509 certificates}  \subsection{X.509 certificates}
11  The various Grid middleware stacks rely heavily on X.509 certificates \cite{rfc2459} as the 'lingua Franca' for authenticating users.  The various Grid middleware stacks rely heavily on X.509 certificates \cite{rfc2459} as the 'lingua Franca' for authenticating users.
12  It's a personal public key certificate that can be traced back to the issuer, a \textit{Certificate Authority} (CA).  It's a personal public key certificate that can be traced back to the issuer, a \textit{Certificate Authority} (CA).
13    
14  It contains:  It contains (among other things):
15  \begin{itemize}  \begin{itemize}
16  \item The subject \textit{Distinguished Name} (DN), which identifies the person, service or system that the certificate represents  \item The subject \textit{Distinguished Name} (DN), which identifies the person, service or system that the certificate represents
17  \item The subject's public key  \item The subject's public key
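Review bot: line 11 keeps the quoting of 'lingua Franca' unchanged in both versions; in LaTeX the opening quote should be a backtick (``lingua franca'') and the phrase is conventionally lowercase, so consider ``lingua franca'' or \textit{lingua franca} here and at the other occurrences in this file. Two smaller points in the same hunk: the parenthetical dashes on line 8 ("by - or associated with - the user") are typed as hyphens where LaTeX would use -- (en dash), and "It's" on line 12 is an informal contraction for a thesis; "It is" reads better.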
# Line 41  These proxy certificates can be traced b Line 41  These proxy certificates can be traced b
41  % FQANS zijn onderdeel van de VOMS attributes.  % FQANS zijn onderdeel van de VOMS attributes.
42  \subsection{Virtual Organizations}  \subsection{Virtual Organizations}
43  \label{vo_section}  \label{vo_section}
44  Because of scalability issues Grid authentication is mostly based on group affiliation.  Because of scalability issues, Grid authentication is mostly based on group affiliation.
45  The group affiliations are expressed in several tiers, the most high level of which is a \textit{Virtual Organization} (VO).  The group affiliations are expressed in several tiers, the most high level of which is a \textit{Virtual Organization} (VO).
46  \glossary{name={VO}, description={Virtual Organization}}  \glossary{name={VO}, description={Virtual Organization}}
47  VOs appear to work like regular organizations, but are not explicitly connected by location, employer or other affiliation.  VOs appear to work like regular organizations, but are not explicitly connected by location, employer or other affiliation.
48  However they collaborate and present themselves as a unified organization, working towards a common goal  However they collaborate and present themselves as a unified organization, working towards a common goal.
49    
50  \subsubsection{Virtual Organization Management Service}  \subsubsection{Virtual Organization Management Service}
51  VOs can make use of a \textit{Virtual Organization Management Service} (VOMS) to manage and register their users.  VOs can make use of a \textit{Virtual Organization Management Service} (VOMS) to manage and register their users.
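Review bot: line 44 states that Grid authentication is mostly based on group affiliation, but the X.509 subsection above (lines 11-12) treats authentication as establishing identity, while group affiliation is what authorization decisions are based on (line 104 says exactly that); "Grid authorization" is the accurate term here. Two wording points: "the most high level of which" on line 45 reads better as "the highest level of which", and "However they collaborate" on line 48 needs a comma after "However".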
# Line 75  This authentication solution requires th Line 75  This authentication solution requires th
75  %this information, there is no way to have the same format also be readable by other AC users without risking misunderstandings. \cite{ac-rfc}  %this information, there is no way to have the same format also be readable by other AC users without risking misunderstandings. \cite{ac-rfc}
76    
77  \subsection{Pool accounts}  \subsection{Pool accounts}
78  Pool accounts are part of a mechanism to map users' Grid certificate credentials to actual user accounts on compute clusters. \cite{gridmapdirsite}  \label{poolaccounts_section}
79    Pool accounts are part of a mechanism to map users' Grid certificate credentials to actual Unix user accounts on compute clusters. \cite{gridmapdirsite}
80  These pool accounts are generic user accounts that are mapped to the remote user based on the credentials in their certificate.  These pool accounts are generic user accounts that are mapped to the remote user based on the credentials in their certificate.
81  The various sets of pool accounts are created by site administrators, which are then 'loaned' to users working in certain roles.  The various sets of pool accounts are created by site administrators, which are then 'leased' to users working in certain roles.
82  The pool accounts are not associated with a user in their initial setup.  The pool accounts are not associated with a user in their initial setup.
83    
84  When a pool account is in use, there is a strong link between the pool account and the user credentials that were mapped to it.  When a pool account is in use, there is a strong link between the pool account and the user credentials that were mapped to it.
85    
86    A pool account is a regular Unix account that is already present on a system and is already setup to have certain particular privileges of a particular group of users that might also have a specific role e.g. a Production manager, Software Manager or regular user.
87    In its initial state a pool account is not associated to any user.
88    During the mapping process a user's credentials are mapped to a specific pool account which means that the selected free pool account is strongly tied to the set of user credentials.
89    
90  % pool accounts zijn niet geassocieerd met gebruiker totdat die is langsgekomen/gemapped  % pool accounts zijn niet geassocieerd met gebruiker totdat die is langsgekomen/gemapped
91  % gebruikers zijn op deze manier sterk verbonden met het UNIX account  % gebruikers zijn op deze manier sterk verbonden met het UNIX account
92  %This facilitates late binding between users within a VO and the concrete UNIX accounts they use to do work on the Grid.  %This facilitates late binding between users within a VO and the concrete UNIX accounts they use to do work on the Grid.
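Review bot: the three sentences added as lines 86-88 restate what lines 80-84 already say (line 87 repeats line 82, line 88 repeats line 84), because the paragraph was moved here from the LCMAPS section without being merged; keep one version, for instance fold the role examples from line 86 ("Production manager, Software Manager or regular user") into line 81 and drop lines 87-88. Also "setup" on line 86 should be "set up" and "associated to" should be "associated with".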
# Line 91  The unassociated accounts are returned t Line 97  The unassociated accounts are returned t
97    
98    
99  \subsection{Fully Qualified Attribute Names}  \subsection{Fully Qualified Attribute Names}
100    \label{fqan_section}
101  \textit{Fully Qualified Attribute Names} (FQANs) are explicit and unambiguous strings that can describe the group and subgroups a user is associated with.  \textit{Fully Qualified Attribute Names} (FQANs) are explicit and unambiguous strings that can describe the group and subgroups a user is associated with.
 Please see table \ref{fqan_table} for an example of the information that can be expressed in an FQAN string.  
102  These can be given out by a VOMS service through an Attribute Certificate.  These can be given out by a VOMS service through an Attribute Certificate.
103  Besides group affiliation, roles and capabilities can be attributed to the user.  Besides group affiliation, roles and capabilities can be attributed to the user.
104  By being affiliated with a certain group, a user can claim authorization at a grid service.  By being affiliated with a certain group, a user can claim authorization at a grid service.
105    
106  It is up to a service to take a local policy and the presented credentials into account, base authorization on them and allow a certain action.  It is up to a service to take a local policy and the presented credentials into account, base authorization on them and allow a certain action.
107  The result can be different for every site and service type.  The result can be different for every site and service type.
108  % TODO rewrite  
109    Please see table \ref{fqan_table} for an example of the information that can be expressed in an FQAN string.
110    
111  %In VOMS AC's komen FQANS voor  %In VOMS AC's komen FQANS voor
112  %FQAN is 1 string die beschrijving geeft van de VO groepen, subgroepen, rollen en capabilities  %FQAN is 1 string die beschrijving geeft van de VO groepen, subgroepen, rollen en capabilities
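Review bot: moving the table reference from line 101 to line 109 places it after the paragraph about local policy (lines 106-107), which the table does not illustrate; it belongs directly after the FQAN definition on line 101, where it was. Minor: "grid service" on line 104 is lowercase while "Grid" is capitalised everywhere else in this chapter.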
# Line 116  The result can be different for every si Line 124  The result can be different for every si
124      \hline      \hline
125    \end{tabular}    \end{tabular}
126  \end{center}  \end{center}
127  \caption[FQAN fields]{A table showing examples of the FQAN fields VO, group, subgroup, role and capability}  \caption[FQAN fields]{A table showing examples of the FQAN fields VO, group, subgroup and role}
128  \label{fqan_table}  \label{fqan_table}
129  \end{table}  \end{table}
130    
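Review bot: the caption on line 127 now lists only VO, group, subgroup and role, but line 103 still states that capabilities can be attributed to the user and the note on line 112 also mentions capabilities; if the table no longer shows a capability field, line 103 should say that capabilities are part of the FQAN syntax but are not shown in the table, otherwise the caption should keep "capability".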
# Line 139  Many different organizations worldwide d Line 147  Many different organizations worldwide d
147  % Door Delegation of credentials from your certificate to a WMS zodat die service functioneert als een agent.  % Door Delegation of credentials from your certificate to a WMS zodat die service functioneert als een agent.
148  % Alleen de private key van de delegation blijft over op de WMS. Je eigen private key van je op jouw naam staande certificate wordt niet overdragen aan de agent.  % Alleen de private key van de delegation blijft over op de WMS. Je eigen private key van je op jouw naam staande certificate wordt niet overdragen aan de agent.
149  % Het proxy certificate is cryptografisch verbonden, omdat jij de signer bent.  % Het proxy certificate is cryptografisch verbonden, omdat jij de signer bent.
150  Support for these mechanisms has evolved over the past decade, and gradually got more flexible.  %Support for these mechanisms has evolved over the past decade, and gradually got more flexible.
151    Interoperability standards for various middleware stacks have evolved over the past decade, and have led to more flexible middleware services.
152  % Het gebruik van de authenticatie technieken heeft relatie tot volwassenheid en evolutie van authenticatie technieken en de use cases (refereer naar delegation). Open standaarden zijn vereist.  % Het gebruik van de authenticatie technieken heeft relatie tot volwassenheid en evolutie van authenticatie technieken en de use cases (refereer naar delegation). Open standaarden zijn vereist.
153    
154  % End-to-end security: dat je de chain van de worker node kunt terugleiden naar de persoon die de job submitte.  % End-to-end security: dat je de chain van de worker node kunt terugleiden naar de persoon die de job submitte.
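Review bot: line 150 comments out the old sentence instead of deleting it, and the replacement on line 151 says much the same thing; since the revision log keeps the old wording, delete line 150. The new sentence also asserts that interoperability standards "have led to more flexible middleware services" without a reference; the SAML2XACML2 profile cited later in this file (\cite{authzinterop}) would support that claim.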
# Line 186  Different types of credentials that can Line 195  Different types of credentials that can
195  \item[Personal, host and service X.509 certificates] % Wie ben je  \item[Personal, host and service X.509 certificates] % Wie ben je
196  % TODO personal might also be for a robot/agent  % TODO personal might also be for a robot/agent
197  {The Subject \textit{Distinguished Name} (DN) is a field in an X.509 certificate.  {The Subject \textit{Distinguished Name} (DN) is a field in an X.509 certificate.
198  %TODO reference RDN (rfc 2511)  It's composed of multiple \textit{Relative Distinguished Name}s (RDN) \cite{rfc2253} \cite{rfc2511}.
199  This uniquely identifies a user, host or service through a Public Key Infrastructure (PKI) which includes identity vetting by a trusted third party.  This uniquely identifies a user, host or service through a PKI infrastructure which includes identity-vetting by a trusted third party.
200  It's composed of multiple \textit{Relative Distinguished Name}s (RDN) \cite{rfc2253}.  
201  The subject DN is mostly used in the OpenSSL oneline format \cite{how_to_handle_openssl}.  The subject DN is mostly used in the OpenSSL oneline format \cite{how_to_handle_openssl}.
202  Another supported format that is less used is the X.500 \cite{rfc2253} notation of the DN.  Another supported format that is less used is the X.500 \cite{rfc2253} notation of the DN.
 % TODO herschrijf  
203    
  This uniquely identifies a user, host or service through a PKI infrastructure which includes identity-vetting by a trusted third party.  
204  }  }
205    
206  \item[VOMS attributes]{  \item[VOMS attributes]{
207  The DN information is used to query a certain VOMS server associated with a project, which returns an \textit{Attribute Certificate} \cite{rfc3281} in which each field and the Attribute Certificate as a whole are signed by the VOMS server.  The DN information is used to query a certain VOMS server associated with a project, which returns an \textit{Attribute Certificate} \cite{rfc3281} in which each field and the Attribute Certificate as a whole are signed by the VOMS server.
208  This is mechanism is explained in more detail in section \ref{vo_section}.  This mechanism is explained in more detail in section \ref{vo_section}.
209  }  }
210    
211  % Op basis van de info in het certificaat (je DN) en VOMS credentials (FQAN) worden user geauthoriseerd.  % Op basis van de info in het certificaat (je DN) en VOMS credentials (FQAN) worden user geauthoriseerd.
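Review bot: line 198 cites \cite{rfc2511} for the composition of a DN out of RDNs, but RFC 2511 is the Certificate Request Message Format (CRMF) and does not define RDNs; the string representation is RFC 2253 (already cited, and itself superseded by RFC 4514), and the structure comes from X.501. Line 199 now reads "PKI infrastructure", which expands to "Public Key Infrastructure infrastructure"; the previous wording "a Public Key Infrastructure (PKI)" was correct and also introduced the abbreviation, so keep it. After the reorder, "This uniquely identifies ..." on line 199 directly follows the RDN sentence, so "This" reads as referring to the RDN composition rather than to the DN; start the sentence with "The DN uniquely identifies ...".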
# Line 209  This is mechanism is explained in more d Line 216  This is mechanism is explained in more d
216  \item[SAML statements] % Zie je terug in Shibolleth. Altijd terug te leiden naar X.509 certificates. Andere niet-standaard authenticatiemethoden. Komt meer uit de web-hoek.  \item[SAML statements] % Zie je terug in Shibolleth. Altijd terug te leiden naar X.509 certificates. Andere niet-standaard authenticatiemethoden. Komt meer uit de web-hoek.
217    
218  {The \textit{Security Assessment Markup Language} \cite{saml} is an XML standard for exchanging authentication and authorization data between security domains.  {The \textit{Security Assessment Markup Language} \cite{saml} is an XML standard for exchanging authentication and authorization data between security domains.
219  Grid services try to translate SAML information back to an X.509 certificate, as it remains the 'lingua Franca'.  Grid services will attempt to translate SAML information back to an X.509 certificate, as it remains the 'lingua Franca' for communicating credentials.
220  }  }
221  \glossary{name={SAML}, description={Security Assessment Markup Language}}  \glossary{name={SAML}, description={Security Assessment Markup Language}}
222  % Bedoeld om een claim te geven over identiteit  % Bedoeld om een claim te geven over identiteit
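Review bot: SAML is expanded on line 218 and in the glossary entry on line 221 as "Security Assessment Markup Language"; the standard is the Security Assertion Markup Language, so fix both (the glossary line was not touched in this revision but should be corrected with it). Line 219 also uses 'lingua Franca' with a straight opening quote; LaTeX wants a backtick opening quote (``lingua franca''), and the phrase is normally lowercase.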
# Line 290  Please see table \ref{xacml_table} for a Line 297  Please see table \ref{xacml_table} for a
297    
298  \pagebreak  \pagebreak
299    
300  \section{Grid security middleware and services}  \section{Grid security middleware and services in gLite}
301    %TODO? vragen of dit SAC in de titel moet hebben
302  %\subsection{ADAM}  %\subsection{ADAM}
303  %% No longer used.  %% No longer used.
304  %ADAM stands for \textit{AmPS Data Analysis Method}, which as the name implies was first developed to process data generated by the AmPS \textit{Amsterdam Pulse Stretcher}.  %ADAM stands for \textit{AmPS Data Analysis Method}, which as the name implies was first developed to process data generated by the AmPS \textit{Amsterdam Pulse Stretcher}.
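Review bot: line 301 adds an open TODO about whether the section title should mention SAC; the new introduction on line 310 already names the suite Site Access Control, so the question can be settled in this revision rather than left as a comment, e.g. "Site Access Control in gLite" if that is the scope of the section.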
# Line 299  Please see table \ref{xacml_table} for a Line 307  Please see table \ref{xacml_table} for a
307  %It was not designed as a security middleware, but it does have a pluggable architecture to extend its functionality.  %It was not designed as a security middleware, but it does have a pluggable architecture to extend its functionality.
308  %The core component was a framework that got raw data as input from the detectors and used specific plug-ins to perform detector specific analysis. \cite{adampage}  %The core component was a framework that got raw data as input from the detectors and used specific plug-ins to perform detector specific analysis. \cite{adampage}
309    
310  Grid computing requires a mechanism to provide end-to-end accoutability for security reasons.  This chapter tries to give a brief overview of the \textit{Site Access Control} (SAC) suite in the gLite middleware stack.
311  Please see appendix \ref{use_cases} for a schematic describing the different systems interacting at a Grid site.  The SAC suite, comprising LCAS, LCMAPS, SCAS and gLExec, provides the mechanisms to implement authorization decisions and to make (and enforce) a mapping from grid credentials to the Unix world.
312    %Please see appendix \ref{use_cases} for a schematic describing the different systems interacting at a Grid site.
313    
314    For an introduction to the gLite middleware stack please see the \textit{gLite user guide} \cite{glite_user_guide}.
315    For a reference to the SAC suite please refer to the \textit{Nikhef GridWiki} \cite{nikhefwebsite:gridwikisac}.
316    Please see appendix \ref{use_cases} for a description of possible use cases and the roles of the systems involved.
317    
318  \subsection{gLExec}  \subsection{gLExec}
319  %By the virtue of the pilot job framework use case a Worker Node has now become a new entry point to the cluster.  %By the virtue of the pilot job framework use case a Worker Node has now become a new entry point to the cluster.
320  % reference naar suEXEC  % reference naar suEXEC
321  gLExec is a pluggable suEXEC-like \cite{suexec} wrapper program that requests a mapping between Grid credentials and Unix user accounts and groups.  gLExec is a pluggable suEXEC-like \cite{suexec} wrapper program that requests a mapping between Grid credentials and Unix user accounts and groups.
322  It can enforce this mapping to wrapped executables by modifying the \textit{uid} and \textit{gid}s of the executing process to the ones the user is mapped to, before passing execution to the wrapped binary.  It can enforce this mapping to wrapped executables by modifying the \textit{uid} and \textit{gid}s of the executing process to the ones the user is mapped to, before passing execution to the wrapped binary.
323  gLExec will authenticate credentials using a callout to LCAS and LCMAPS.  gLExec will authenticate credentials using a callout to LCAS and LCMAPS, which provide authorization and user mapping facilities respectively.
324  It can act as both a light-weight 'gatekeeper' on the Compute Element or be used on the Worker Node for late-binding (pilot job) use cases. Please see appendix \ref{use_cases} for a description of possible use cases.  %It can act as both a light-weight 'gatekeeper' on the Compute Element or be used on the Worker Node for late-binding (pilot job) use cases.
325  The callout to LCMAPS can procure a pool account by itself, but through the SCAS client in LCMAPS, a central mapping and authorization service like SCAS (or any interoperable SAML2XACML2 \cite{authzinterop} service) can be used. \cite{nikhefwebsite:gridwikiglexec}  The callout to LCMAPS can procure a pool account by itself, but also through the SCAS client in LCMAPS.
326    
327  \subsection{LCAS}  \subsection{LCAS}
328  The \textit{Local Centre Authorization Service} (LCAS) makes binary ('yes' or 'no') authorization decisions at the site and resource level.  The \textit{Local Centre Authorization Service} (LCAS) makes binary ('yes or no') authorization decisions at the site and resource level.
329  \glossary{name={LCAS}, description={Local Centre Authorization Service}}  \glossary{name={LCAS}, description={Local Centre Authorization Service}}
330  %In making this decision it can use a variety of inputs, among which are:  %In making this decision it can use a variety of inputs, among which are:
331    
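Review bot: line 323 says gLExec "will authenticate credentials using a callout to LCAS and LCMAPS" while the same sentence describes those services as providing authorization and user mapping; "will authorize and map credentials using a callout ..." matches what the sentence itself says, and if verification of the proxy chain by the LCMAPS verify-proxy plug-in (line 427) is meant, say that explicitly. Line 325 also drops the \cite{nikhefwebsite:gridwikiglexec} reference together with the remark that any SAML2XACML2-interoperable service can be used, which leaves the gLExec paragraph without a citation; keep the citation at least. Minor: 'yes or no' on line 328 and 'gatekeeper' on line 324 have the same straight-quote issue as elsewhere in the file.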
# Line 323  The \textit{Local Centre Authorization S Line 336  The \textit{Local Centre Authorization S
336  %\end{itemize}  %\end{itemize}
337    
338  It supports basic black and white list functionality, but also more complex VOMS-based expressions, based on the GACL \cite{gaclsite:home} language.  It supports basic black and white list functionality, but also more complex VOMS-based expressions, based on the GACL \cite{gaclsite:home} language.
339  The framework fetches data, stores it, and through static means offers structures to plug-ins that contain the following values:  The framework fetches data, stores it, and offers structures to plug-ins that contain the following values:
340    
341  \begin{itemize}  \begin{itemize}
342  \item X.509 certificate chain string (in PEM \cite{rfc1421} format) \cite{rfc2459}  \item X.509 certificate chain string (in PEM \cite{rfc1421} format) \cite{rfc2459}
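Review bot: "basic black and white list functionality" on line 338 reads as a single black-and-white list; "blacklist and whitelist functionality" avoids the ambiguity, and "VOMS-based expressions, based on the GACL ... language" repeats "based"; "VOMS-based expressions written in the GACL language" is cleaner. Removing "through static means" on line 339 is fine, but the sentence still does not say where the framework fetches the data from; naming the source (the credentials handed over by the calling service) would help the reader.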
# Line 336  The framework fetches data, stores it, a Line 349  The framework fetches data, stores it, a
349  \glossary{name={GACL}, description={Grid Access Control Library}}  \glossary{name={GACL}, description={Grid Access Control Library}}
350    
351  \subsubsection{Plug-ins}  \subsubsection{Plug-ins}
352    Site admins can configure plug-ins to enforce their authorization policy.
353  The plug-ins that LCAS executes must all exit successfully before authorization can continue. \cite{nikhefwebsite:gridwikiindex}  The plug-ins that LCAS executes must all exit successfully before authorization can continue. \cite{nikhefwebsite:gridwikiindex}
354    Here are the plug-ins \cite{lcas_apidoc} available at the time of writing.
355    
356  \begin{description}  \begin{description}
357  %\item[Gridlist]{A plug-in that maps allowed users to pool accounts using the gridmapfile \cite{gridmapfile}}  %\item[Gridlist]{A plug-in that maps allowed users to pool accounts using the gridmapfile \cite{gridmapfile}}
358  \item[Timeslots]{A plug-in that makes authorization decisions based on the time of day a job request is received \cite{lcas_apidoc}}  \item[Timeslots]{A plug-in that makes authorization decisions based on the time of day a job request is received.}
359  \item[Userban]{A plug-in that checks a file that contains a list of Subject DNs of users to be banned from the site \cite{lcas_apidoc}}  \item[Userban]{A plug-in that checks a file that contains a list of Subject DNs of users to be banned from the site.}
360  \item[Userallow]{A plug-in that checks a file that contains a list of Subject DNs of users to be allowed to the site. \cite{lcas_apidoc}}  \item[Userallow]{A plug-in that checks a file that contains a list of Subject DNs of users to be allowed to the site.}
361  \item[Check executable]{A plug-in that checks if the executable requested is whitelisted by the service.}  \item[Check executable]{A plug-in that checks if the executable requested is whitelisted by the service.}
362  % TODO reference Check executable  \item[VOMS]{Works like the userallow plug-in, except it verifies the FQANs present in a proxy certificate instead of the Subject DN.
363  \item[LCAS VOMS]{Works like the userallow plug-in, except it verifies the FQANs present in a proxy certificate instead of the Subject DN. These were added to the certificate by a VOMS service. With this plug-in, more complex policies for authorization can also be expressed in the GACL \cite{gaclsite:home} language.}  (Please see section \ref{fqan_section} for an explanation of FQAN attributes.)
364      
365    These were added to the certificate by a VOMS service. With this plug-in, more complex policies for authorization can also be expressed in the GACL \cite{gaclsite:home} language.}
366  \end{description}  \end{description}
367    
368  \glossary{name={RSL}, description={Resource Specification Language}}  \glossary{name={RSL}, description={Resource Specification Language}}
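Review bot: the "% TODO reference Check executable" comment on line 362 was deleted without adding a reference for that plug-in; if the \cite{lcas_apidoc} now placed on line 354 covers it, fine, otherwise the TODO should stay. Moving the per-item citations up to line 354 is a good change. Two wording points: "Here are the plug-ins ... available at the time of writing." (line 354) is informal for a thesis and "The following plug-ins were available at the time of writing:" reads better, and the blank line 364 inside the braces of the VOMS item starts a new paragraph within that description item; check that this is intended, otherwise remove it.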
# Line 363  The plug-ins that LCAS executes must all Line 380  The plug-ins that LCAS executes must all
380  LCMAPS is the \textit{Local Credential Mapping Service}.  LCMAPS is the \textit{Local Credential Mapping Service}.
381  \glossary{name={LCMAPS}, description={Local Credential Mapping Service}}  \glossary{name={LCMAPS}, description={Local Credential Mapping Service}}
382  It takes care of translating Grid credentials to Unix credentials local to a Grid site.  It takes care of translating Grid credentials to Unix credentials local to a Grid site.
383  It ensures that different individuals on the Grid maintain distinct, isolated Unix accounts using the pool account mechanism \cite{gridmapdirsite}.  LCMAPS can ensure that, within a site, different individuals on the Grid maintain distinct, isolated Unix user accounts using the pool account mechanism \cite{gridmapdirsite}.
384    Please see section \ref{poolaccounts_section} for a description of the pool account mechanism.
385    
386    A set of user credentials, i.e. the Subject DN or associated group and role affiliations listed in the VOMS attributes, will be linked to a specific pool account.
387    When a user returns to the same site with the same set of credentials the user will be mapped to the same Unix account again.
388    
389  This mechanism can be extended to dynamic groups when needed.  This mechanism can be extended to dynamic groups when needed.
390    LCMAPS can also interact with a site-local LDAP database to translate Grid credentials into site-local credentials.
391  Using group mappings based on the user's VO attributes, scheduling priority decisions can be made.  Using group mappings based on the user's VO attributes, scheduling priority decisions can be made.
392    %TODO? ... in the LRMS?
393    
394  The LCMAPS framework hosts a list of specific credential types in its core.  The LCMAPS framework hosts a list of specific credential types in its core.
395  These are offered to the plug-ins via an API.  These are offered to the plug-ins via an API.
396  Each plug-in has a specific task to perform, like in the previous frameworks.  Each plug-in has a specific task to perform like in the LCAS framework.
397  The plug-ins are able to write intermediate results or final results into the core memory of the framework.  These plug-ins can be used to configure policies for site-local access by Grid-wide users.
398    The plug-ins are able to write intermediate or final results into a part of the internal memory of the framework.
399    
400    % BEGIN oscar
401    \label{lcmaps_failover}
402  The LCMAPS framework has two failover mechanisms in the execution of its loaded plug-ins that can be defined by the configuration file.  The LCMAPS framework has two failover mechanisms in the execution of its loaded plug-ins that can be defined by the configuration file.
403  The first failover mechanism is similar to a state machine.  The first failover mechanism is similar to a state machine.
404  If a plug-in 'a' executes and its execution was a success, then progress to plug-in 'b'.  If a plug-in 'a' executes and its execution was a success, then progress to plug-in 'b'.
405  Otherwise progress to plug-in 'c'.  Otherwise progress to plug-in 'c'.
406  The state machine must end with a successful result.  The state machine must end with a successful result.
407    
408  The second failover mechanism is to define (execution) policies.  The second failover mechanism is to define (execution) policies.
409  Each complete state machine is an execution policy.  Each complete state machine is an authorization policy.
410  If multiple policies are defined and if the calling application allows it, then on a failure of such policy the framework can select the next policy to execute.  If multiple policies are defined and if the calling application allows it, then on a failure of such policy the framework can select the next policy to execute.
411  Between policy switch the internal memory (with the intermediate results) will be erased. \cite{nikhefwebsite:gridwikiindex}  Between policy switch the internal memory (which holds the intermediate results) will be erased. \cite{nikhefwebsite:gridwikiindex}
412    
 % BEGIN oscar  
 A set of user credentials, e.g. the DN and combination of group and role affiliations listed in the VOMS credentials, will be linked to a specific pool account.  
 A pool account is a regular Unix account that is already present on a system and is already setup to have certain particular privileges of a particular group of users that might also have a specific role e.g. a Production manager, Software Manager or regular user.  
 In its initial state a pool account is not associated to any user.  
 During the mapping process a user's credentials are mapped to a specific pool account which means that the selected free pool account is strongly tied to the set of user credentials.  
 When a user returns to the same site with the same set of credentials the user will be mapped to the same Unix account again.  
413    
414    
415  \subsubsection{Plug-ins}  \subsubsection{Plug-ins}
416    \label{lcmaps_plugins_section}
417    Site admins can configure plug-ins to enforce possible mappings to execution environments that a user can receive.
418  The plug-ins that LCMAPS executes must all exit successfully before authorization can continue. \cite{nikhefwebsite:gridwikiindex}  The plug-ins that LCMAPS executes must all exit successfully before authorization can continue. \cite{nikhefwebsite:gridwikiindex}
419    Here are the plug-ins \cite{lcmaps_apidoc} available at the time of writing.
420    
421  \begin{description}  \begin{description}
422  %\item[Gridlist]{A plug-in that maps users to pool accounts using the gridmapfile \cite{gridmapfile}}  %\item[Gridlist]{A plug-in that maps users to pool accounts using the gridmapfile \cite{gridmapfile}}
423  \item[Local account]{Maps the supplied user credentials (i.e. a Subject DN or VOMS-signed FQANs) to a local user account on a target system \cite{lcmaps_apidoc}}  \item[Local account]{Maps the supplied user credentials (i.e. a Subject DN or VOMS-signed FQANs) to a local user account on a target system.}
424  \item[Pool account]{Maps the supplied user credentials (i.e. a Subject DN or VOMS-signed FQANs) to a pool account on a target system \cite{lcmaps_apidoc}}  \item[Pool account]{Maps the supplied user credentials (i.e. a Subject DN or VOMS-signed FQANs) to a pool account on a target system.}
425  \item[POSIX enforcement]{A plug-in that applies acquired credential information to procure a Unix user account on a target system and verifies that the account was successfully attained. \cite{lcmaps_apidoc}}  \item[POSIX enforcement]{A plug-in that applies acquired credential information to procure a Unix user account on a target system and verifies that the account was successfully attained.}
426  \item[LDAP enforcement]{A plug-in that applies acquired credential information in a target LDAP database \cite{lcmaps_apidoc}}  \item[LDAP enforcement]{A plug-in that applies acquired credential information in a target LDAP database.}
427  \item[Verify proxy]{This plug-in can verify the validity and authenticity of the incoming Grid credentials, and enforce life time constraints on the proxy \cite{lcmaps_apidoc}}  \item[Verify proxy]{This plug-in can verify the validity and authenticity of the incoming Grid credentials (a proxy certificate), and enforce life time constraints on the proxy.}
428    \item[SCAS client]{This plug-in delegates the mapping functionality to the \textit{Site Central Authorization Service} (SCAS).
429    It interacts with the SCAS or other any interoperable service using the SAML2XACML2 \cite{authzinterop} profile for Authorization Interoperability.}
430  \end{description}  \end{description}
431    
432  \subsection{SCAS}  \subsection{SAML2XACML2}
433  The \textit{Site Central Authorization Service} makes authorization and mapping decisions upon the presented credentials.  The \textit{SAML2XACML2 profile for Authorization Interoperability in Grids} \cite{authzinterop} is an XML-based protocol that has been agreed upon by various Grid middleware vendors \cite{authzinterop}.
434  %It uses HTTPS authentication to authenticate a client, based on the credentials in their Grid certificate. %(as regular user or pilot job user) and present user credentials.  SAML2XACML2 defines a protocol to communicate the delegation of authorization enforcement securely.
435  The service is a front-end to the LCAS and LCMAPS frameworks and uses HTTPS with mutual authentication to setup a session in which a SAML2-XACML2 \cite{authzinterop} request is sent.  It is based on the SAML \cite{saml} profile for XACML v2.0 \cite{xacml}.
 \glossary{name={SCAS}, description={Site Central Authorization Service}}  
436    
437    The conditions that should be enforced by a Grid middleware service like LCMAPS are expressed as XACML Obligations.
438    An Obligation that gLExec might fulfil would be a Unix \textit{uid} and/or \textit{gid}s.
439    
440  The SCAS is specifically tailored to solve the use case involving pilot job frameworks. (Please see appendix \ref{use_case_pilot_job}.)  Obligations are name-spaced identifiers that can contain attributes.
441  %This relatively new use case involves the late binding of the \textit{Worker Node} (WN) resources by sending pilot jobs to all the compute clusters by a production manager.  Returned XACML obligations are non-repudiable (undeniable) and must be handled by the client who receives them.
442  %When the pilot jobs come out of the queue and have started their run, they'll discover if the Worker Node on which they have acquired a job slot meets the criteria specified by the user.  The XACML convention is to abort the authorization (and mapping) process if the client cannot meet the obligations set by the service.
 %If the job slot criteria can be satisfied the pilot job framework will download the payload from a VO central job repository queue, unpack the payload and start executing the actual job.  
443    
444  %In this use case there are two actors: a user and a VO production manager.  \subsection{SCAS}
445  %The VO production manager who has the responsibility to fill all the queues on the clusters according to the used quotas and taking into account what kind of data is stored nearby the compute cluster.  The \textit{Site Central Authorization Service} makes authorization and mapping decisions centrally.
446  %The user had to submit their analysis jobs to the central queue.  %It uses HTTPS authentication to authenticate a client, based on the credentials in their Grid certificate. %(as regular user or pilot job user) and present user credentials.
447  %The pilot jobs submitted by the VO production managers will pick up the analysis jobs from the central queue.  %The service is a front-end to the LCAS and LCMAPS frameworks and uses HTTPS with mutual authentication to setup a session in which a SAML2-XACML2 \cite{authzinterop} request is sent.
448    It allows site administrators to centrally manage LCAS and LCMAPS configurations for multiple clusters.
449    
450  %As this use case has two actors into play two sets of credentials will need to be authorized.  Other services can interact with the SCAS by sending SAML2-XACML2 requests through an HTTPS connection with mutual authentication to receive authorization and mapping decisions.
451  %The gLExec and SCAS are able to do this.  It uses LCAS and LCMAPS as a back-end to actually enforce this, so as to be as transparent as possible to deploy.
452    
453    The SCAS is specifically tailored to solve the use case involving pilot job frameworks. (Please see appendix \ref{use_case_pilot_job}.)
454    
455    The SCAS will authorize the pilot job framework production manager and it will authorize the payload user using the LCAS framework.
456    Upon successful authorization the user credentials of the payload will be mapped to site-local credentials by LCMAPS and returned in a SAML2-XACML2 \cite{authzinterop} response.
457    
458    \glossary{name={SCAS}, description={Site Central Authorization Service}}
459    
 % cite OASIS standard saml2-xacml2 .  
 The SCAS will authorize the pilot job framework production manager and it will authorize the payload user using the LCAS framework.  
 Upon successful authorization the user credentials of the payload will be mapped to Unix credentials by LCMAPS and returned in a SAML2-XACML2 \cite{authzinterop} response.  
 In such response there is a binary authorization statement given and optionally XACML obligations can be returned.  
460    
461  Obligations are name-spaced identifiers that can contain attributes.  \begin{figure}[hp]
462  Returned XACML obligations are non-repudiable (undeniable) and must be handled by the client who receives them.  \centering
463  An possible obligation for gLExec to fulfil might be a Unix \textit{uid} and/or \textit{gid}s.  \includegraphics[width=\textwidth]{scas}
464  The XACML convention is to abort the authorization (and mapping) process if the client cannot meet the obligations set by the service.  \caption[SCAS diagram]%
465  % oscar  {A diagram showing the architecture of a SCAS-based authenticating \& authorization installation}
466    \label{fig:scas}
467    \end{figure}
468    
469    
470    
471  \subsection{Limitations of existing frameworks}  \subsection{Limitations of existing frameworks}
472  The framework lacks the (native) support to process and pass through anything other than X.509 related information, VOMS credentials and Unix \textit{uid}s/\textit{gid}s.  The frameworks lack the (native) support to process and pass through anything other than X.509 related information, VOMS credentials and Unix \textit{uid}s/\textit{gid}s.
473  New use cases demand the possibility of passing other credentials and arbitrary information to operate.  New use cases demand the possibility of passing other credentials and arbitrary information to operate.
474  \begin{description}  \begin{description}
475  % Behalve de unix credentials zoals we die nu hebben doorgeven, we ook use-cases om dynamisch priority queues en priority scheduling te kunnen doen in verschillende typen batch systems met verschillende batch system scheduler.  % Behalve de unix credentials zoals we die nu hebben doorgeven, we ook use-cases om dynamisch priority queues en priority scheduling te kunnen doen in verschillende typen batch systems met verschillende batch system scheduler.
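Review bot: the new SAML2XACML2 subsection no longer states what a response actually carries. The removed sentence "In such response there is a binary authorization statement given and optionally XACML obligations can be returned." is not re-added on the new side, so the reader now meets "Obligations are name-spaced identifiers that can contain attributes." without having been told that the decision itself is a binary authorization statement and that obligations are optional; put that sentence back after "It is based on the SAML \cite{saml} profile for XACML v2.0 \cite{xacml}." Smaller points on the new side: "other any interoperable service" should read "any other interoperable service"; "\cite{authzinterop}" appears twice in the first sentence of the subsection, once is enough; the "\cite{lcmaps_apidoc}" references dropped from the Pool account, POSIX enforcement, LDAP enforcement and Verify proxy items are not replaced, so cite the LCMAPS API documentation once where the plug-in list is introduced; "non-repudiable (undeniable)" reads as a cryptographic property, whereas the following sentence states the actual rule (abort if the client cannot meet them), so "mandatory" is the accurate word; "life time constraints" should be "lifetime constraints"; and the caption "authenticating \& authorization installation" should be "authentication \& authorization installation".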
# Line 458  It should also be possible to manipulate Line 489  It should also be possible to manipulate
489  \item[No facility to interact with virtualization frameworks]{  \item[No facility to interact with virtualization frameworks]{
490  %kijk naar sander's e-mail van vanochtend (15 oct. 11:11)  onder taken.  %kijk naar sander's e-mail van vanochtend (15 oct. 11:11)  onder taken.
491  %describe interaction  %describe interaction
492  To enable the scheduling of Virtual Machine execution, a connection to existing virtualization frameworks must be made.  To enable the scheduling of Virtual Machine execution, a connection to existing virtualization frameworks must be facilitated.
493  The \textit{Open Cloud Computing Interface} (OCCI) API \cite{occi} or OpenNebula toolkit \cite{opennebula} are frameworks that could be incorporated to enable scheduling of virtual machine execution.  The \textit{Open Cloud Computing Interface} (OCCI) API \cite{occi} or OpenNebula toolkit \cite{opennebula} could be incorporated to enable scheduling of virtual machine execution.
494  % plug-in voor het batch systeem  % plug-in voor het batch systeem
495  }  }
496    
497  \item[No facility to interact with batch-systems in an arbitrary way]{  \item[No facility to interact with batch-systems in an arbitrary way]{
498  % Op ieder cluster systeem heb je allerlei trucjes om je systeem in leven te houden, dit maakt een hook voor je.  % Op ieder cluster systeem heb je allerlei trucjes om je systeem in leven te houden, dit maakt een hook voor je.
499  %Het idee is dat je met perl/python scripts systeembeheerders mogelijkheden geven om systeem-specifieke handelingen uit te kunenn voeren. bijv. interacties met lokale accounting systemen  %Het idee is dat je met perl/python scripts systeembeheerders mogelijkheden geven om systeem-specifieke handelingen uit te kunenn voeren. bijv. interacties met lokale accounting systemen
500  Because each cluster configuration is different it would be very beneficial to let system administrators hook their management scripts into the framework.  Because every cluster configuration is different it would be very beneficial to let system administrators hook their management scripts into the framework.
501  Adding support for high-level scripting languages like Perl or Python and providing them access to the internal plug-in API should be an effective way to allow this.  Adding support for high-level scripting languages like Perl or Python and providing them access to the internal plug-in API should be an effective way to allow this.
502  }  }
503  % We hebben een datastore. Datastore is toegespitst op X509,VOMS, en Unix credentials  % We hebben een datastore. Datastore is toegespitst op X509,VOMS, en Unix credentials
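Review bot: the batch-system item should state the trust boundary of the proposed script hooks. "providing them access to the internal plug-in API" means a site script takes part in the same credential-mapping path as the Pool account and POSIX enforcement plug-ins, so say who may install such scripts, where the framework loads them from and with what privileges they run; without that the item reads as an open extension point rather than an administrator-controlled one. The Dutch working notes ("%kijk naar sander's e-mail van vanochtend", "% plug-in voor het batch systeem", "% Op ieder cluster systeem heb je allerlei trucjes") are still in the source; either fold their content into the prose or remove them.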
# Line 485  Adding support for high-level scripting Line 516  Adding support for high-level scripting
516  %\item Opaque and non-intuitive due to the above.  %\item Opaque and non-intuitive due to the above.
517  \end{description}  \end{description}
518    
 \begin{figure}[hp]  
 \centering  
 \includegraphics[width=\textwidth]{scas}  
 \caption[SCAS diagram]%  
 {A diagram showing the architecture of a SCAS-based authenticating \& authorization installation}  
 \label{fig:scas}  
 \end{figure}  
   
   
   
519  %\chapter{The new authorization framework}  %\chapter{The new authorization framework}
520  %\chapter{The EES Execution Framework}  %\chapter{The EES Execution Framework}
521  \pagebreak  \pagebreak
522  \section{Argus: the new authorization framework}  \section{Argus: the new authorization framework}
523  \subsection{Motivation}  
524  Argus aims to improve interoperability between Grid services.  Argus is the new gLite authorization framework and aims to improve interoperability between Grid services.
525    The Argus framework separates the roles and tasks as performed by the SCAS system into more granular and abstract services.
526  It is designed to be more modular than SCAS, and should be able to handle new use cases.  It is designed to be more modular than SCAS, and should be able to handle new use cases.
 The interaction between systems is similar at a high level, but the Argus framework separates the roles and tasks as performed by the SCAS system into more granular and abstract services.  
527  %, like what, why and how?  %, like what, why and how?
528  % Abstracter, meerdere componenten. duidelijke rolverdeling  % Abstracter, meerdere componenten. duidelijke rolverdeling
529  % Waarom waarom waarom???  % Waarom waarom waarom???
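Review bot: with "\subsection{Motivation}" removed, the author's own markers "%, like what, why and how?" and "% Waarom waarom waarom???" are still unanswered. The paragraph says Argus "should be able to handle new use cases" without naming one, although the preceding "Limitations of existing frameworks" subsection lists them (virtualization frameworks, arbitrary batch-system interaction); point back to those items here, and say in what respect the SCAS roles are split into "more granular and abstract services" instead of leaving that entirely to the Components subsection. The dropped clause "The interaction between systems is similar at a high level" was useful context and could open the new second sentence.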
# Line 510  The interaction between systems is simil Line 531  The interaction between systems is simil
531    
532  \subsection{Components of the Argus framework}  \subsection{Components of the Argus framework}
533  %\section{Architecture of the Argus Authorization Services}  %\section{Architecture of the Argus Authorization Services}
 \begin{figure}[hp]  
 \centering  
 \includegraphics[width=\textwidth]{argus}  
 \caption[Argus diagram]  
 {A diagram showing the architecture of Argus authorization framework}  
 \label{fig:argus}  
 \end{figure}  
534    
535  \subsubsection{Policy Enforcement Point (PEP)}  \subsubsection{Policy Enforcement Point (PEP)}
536  The \textit{Policy Enforcement Point} is the client to the authorization service.  The \textit{Policy Enforcement Point} is the client to the authorization service.
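Review bot: moving the figure out leaves only the stale commented-out "%\section{Architecture of the Argus Authorization Services}" and a blank line between "\subsection{Components of the Argus framework}" and the first \subsubsection; either delete that comment or add a one-sentence introduction naming the components that follow, with a \ref{fig:argus} so the reader is pointed at the figure that is now placed after the list.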
# Line 553  It should be able to interact with many Line 567  It should be able to interact with many
567  \item Executing arbitrary scripts local to the site for management purposes, as an addition to site-specific tooling or to be able to support specific use cases for which native support is not available  \item Executing arbitrary scripts local to the site for management purposes, as an addition to site-specific tooling or to be able to support specific use cases for which native support is not available
568  \end{itemize}  \end{itemize}
569    
570    \begin{figure}[hp]
571    \centering
572    \includegraphics[width=\textwidth]{argus}
573    \caption[Argus diagram]
574    {A diagram showing the architecture of Argus authorization framework. As you can see, the SCAS client has been replaced by a PEP client, which provides access to the rest of the middleware framework}
575    \label{fig:argus}
576    \end{figure}
577    
578  % interacties met andere dingen  % interacties met andere dingen
579  % Pool account mapping  % Pool account mapping
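Review bot: "As you can see" is conversational for a caption, and the comparison it makes is with the SCAS diagram, so reference that figure explicitly, e.g. "Compared with figure \ref{fig:scas}, the SCAS client has been replaced by a PEP client". "architecture of Argus authorization framework" is missing "the". The clause "which provides access to the rest of the middleware framework" is also ambiguous about direction: the PEP subsubsection says "The \textit{Policy Enforcement Point} is the client to the authorization service", so state whether the PEP client gives the middleware access to the authorization service or the reverse.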
