VOMS from a to z - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
VOMS from a to z
  • Oscar Koeroo

2
index
4
Review on LCG-2 (2)
(Diagram: LCG-2 workflow. The user holds a long-lived user cert, runs grid-proxy-init to obtain a short-lived proxy cert and presents it to a service that holds a long-lived host cert and keeps its CRLs updated. VO registration lives in VO-LDAP; mkgridmap pulls VO-LDAP into the grid-mapfile, so the service only gets authentication info.)
5
VOMS Workflow
(Diagram: VOMS workflow. The user registers with the VO's VOMS server (VO-VOMS), runs voms-proxy-init and obtains a short-lived proxy cert that carries a short-lived authz cert. The service (long-lived host cert, crl update) receives authentication and authorization info and enforces it with edg-java-security or LCAS/LCMAPS.)
6
VOMS Proxy example
  • edg-voms-proxy-init

    bash-2.05a$ edg-voms-proxy-init --voms EGEE
    Invalid configuration filename /opt/edg/etc/vomses
    Your identity: /O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo
    Enter GRID pass phrase for this identity:
    Creating temporary proxy .................................... Done
    /C=CH/O=CERN/OU=GRID/CN=lxb2023.cern.ch
    /C=CH/O=CERN/OU=GRID/CN=CERN CA
    Creating proxy ......................................... Done
7
VOMS Proxy example (2)
  • bash-2.05a$ openssl x509 -in /tmp/x509up_u539 -noout -text

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 321 (0x141)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: O=dutchgrid, O=users, O=nikhef, CN=Oscar Koeroo
            Validity
                Not Before: Oct 26 21:59:55 2004 GMT
                Not After : Oct 27 10:04:55 2004 GMT
            Subject: O=dutchgrid, O=users, O=nikhef, CN=Oscar Koeroo, CN=proxy
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)
                    Modulus (512 bit):
                        00c4aa17c7b5fecf0a992e53da73f6
                        1fefd25f30e21823e1fcea88cd3fa2
                        da34893dc869b5ba881d1756cec913
                        f880d164864fcdc60b127423efb92a
    ...
            X509v3 extensions:
                1.3.6.1.4.1.8005.100.100.5:
                1.3.6.1.4.1.8005.100.100.6:
8
VOMS Server
(Diagram: VOMS server. vomsd sits behind GSI and talks to its DB over JDBC; a soap interface is offered over https; voms-proxy-init and mkgridmap are the clients of the VOMS server.)
9
VOMS Admin Web Interface
10
Site Security with VOMS aware tools
  • Current site security mechanisms on LCG-2
    • Java: edg-java-security
    • C: grid-mapfile, LCAS/LCMAPS
  • I only know LCAS/LCMAPS very well, so I'll continue with this
  • LCAS/LCMAPS can be used for AuthZ and user mapping functionality in the edg-gatekeeper and edg-gridFTP
    • Currently available as LCG software
    • edg-gridFTP with LCAS/LCMAPS call-out has been tested by LCG

11
Example CE workflow
(Diagram: CE workflow. A job arrives with its proxy at the Gatekeeper on the CE, which calls out to LCAS and then to LCMAPS.)
12
LCAS
  • Local Centre Authorization Service
  • Pluggable authorization framework
    • grid-mapfile
    • Plug-in for VOMS
      • Uses the VOMS API
      • AuthZ policy in GACL format (or grid-mapfile)
      • Convenience tool to convert a grid-mapfile into GACL format: edg-lcas-voms2gacl
    • Ban list
    • Other conditions that can be true or false (like fabric opening times)
  • Extendable

13
LCMAPS
  • Local Credential MAPping Service
  • Pluggable identity mapping framework
  • Provides the local credentials needed for jobs in the fabric
    • Mapping based on user identity, VO affiliation and site-local policy
    • Supports standard UNIX credentials (uid, gid, AFS tokens)
    • Pool accounts, pool groups
    • Fine-grained mapping driven by the local site policy and the VOMS-proxy extensions
    • LDAP user directory update
  • The Job Repository is a plug-in that can store the user, VO and job information, together with its mapping, into a database
    • Can be used as an accounting information base

14
VOMS mapping with LCMAPS
  • Support for multiple VOs per user (and thus multiple UNIX groups)
  • Boundary conditions
    • Has to run in privileged mode
    • Has to run in the process space of the incoming connection (for fork jobs)
  • Extendable
  • What the most essential VOMS plug-ins do:
    • Parse the proxy certificate for VOMS attributes
    • Determine how to map an FQAN to a UNIX group
      • Described in the groupmapfile
      • Plug-ins can look for local groups or pool groups
    • Determine which (VOMS) pool account it should lease for the (set of) FQANs
      • Described in the vomapfile or the extended grid-mapfile

15
Example groupmapfile
  • This groupmapfile handles four VOs
  • Note: these lines are not FQANs, but look and feel like them

    okoeroo@asen:~$ cat /etc/grid-security/groupmapfile
    # Example groupmapfile
    # Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"
    # will be added to the local group "fredje"
    "/VO=fred/GROUP=fred/ROLE=husband" fredje
    # All users from VO wilma will be added to the allocated pool group "pool1-9"
    "/VO=wilma/GROUP=" .pool
    # For the ITeam VO
    "/VO=iteam/GROUP=/iteam" iteam
    # For the wpsix VO
    "/VO=WP6/GROUP=/WP6" wpsix
16
Example extended grid-mapfile
  • This extended grid-mapfile contains the information for the VOMS pool accounting
  • This mapping is determined by the first VOMS attribute in the VOMS proxy

    "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" templon
    "/O=dutchgrid/O=users/O=nikhef/CN=Martijn Steenbakkers" .test
    "/O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo" okoeroo
    "/O=edgtutorial/O=users/O=edg-tutorial/CN=Grid pupil 20" davidg
    "/VO=fred/GROUP=/fred/" .test
    "/VO=iteam/GROUP=/iteam" .test
    "/VO=wilma/GROUP=/wilma/pebbles" martijn
    "/VO=wilma/GROUP=/wilma" .test
    "/VO=wpsix/GROUP=/wpsix" .test
17
Example job-run
  • Job run without VOMS (Exec /usr/bin/id -a)
    • uid=1802(ncf002) gid=2022(ncf) groups=2022(ncf)
  • Job with VOMS (Exec /usr/bin/id -a)
    • With VOMS attributes, scenario A
      • /VO=fred/GROUP=fred/ROLE=husband
    • With VOMS attributes, scenario B
      • /VO=wilma/GROUP=wilma
      • /VO=wilma/GROUP=wilma/ROLE=wife
    • Or all at once (scenario C), with /VO=wilma/GROUP=wilma/ROLE=wife as the first attribute
  • VOMS job results
    • A: uid=4001(test001) gid=4001(fredje)
    • B: uid=4002(test002) gid=4101(pool001) groups=4102(pool002)
    • C: uid=4003(test003) gid=4102(pool002) groups=4101(pool001),4001(fredje)

18
Future
  • LCG will adopt VOMS in 2005
  • VOMS LCAS/LCMAPS will continue as part of gLite
  • VOMS parser in Java (before only in C)
    • Tomcat5 gLite Trust Manager
  • Possible multi-DN support
  • Dynamic Account Service (DAS)
    • Provides an account management interface
    • Authorization will be based on VOMS credentials and DN
    • Assignment of pool accounts through the LCMAPS interface
  • Su-exec program with call-outs to LCAS/LCMAPS for Apache web servers (Grid Site)
  • Use a standard configuration format like XACML
  • Support for multiple DNs per user

19
VOMS Cert Dist problems
  • The X.509 certificate needs to be installed in VOMSDIR on disk on each infrastructural machine that uses VOMS, and this needs to be done per VOMS server
    • That is a lot of machines
  • To solve a vulnerability, since VOMS core daemon version > 1.6.8 you can create directories with the name of the VO in the configured VOMSDIR directory
    • Example directory: /etc/grid-security/vomsdir/atlas/kuiken.nikhef.nl.pem
  • Though it seems similar to the CA RPMs distribution and installation, the amount of VOs on planet Earth will exceed the amount of CAs thanks to the IGTF ?
  • VOMS certificates are normal host certificates that usually expire each year and need redistribution to keep the server alive and kicking
  • Most SysAdmins didn't know that the base64 encoded part is the only thing that OpenSSL is concerned about, and not the humanly readable decoded part
    • cat kuiken.nikhef.nl.pem
    • openssl x509 -in kuiken.nikhef.nl.pem -text
    • can have a significantly different result!

20
VOMS Cert Dist proposed solution
  • Let's embed the VOMS host certificate in the proxy, per VOMS blob, in each user proxy
  • In sequence:
    • Initiate voms-proxy-init --voms EGEE
    • The VOMS server signs the VOMS ACs (as it does now); the VOMS server host public cert is embedded into the returned BLOB
    • The VOMS ACs (plus host cert) are embedded into the proxy
    • The user initiates job execution and sends the proxy to the Gatekeeper (or any service)
    • The VOMS API receives the proxy and extracts the VOMS host cert from it
    • The VOMS API runs the host cert through the openssl verify calls (validate the chain, CRL check, and so on)
    • The VOMS API checks the vomses file and authorizes the VOMS server
    • The VOMS API extracts the FQANs and checks if the VOMS server is authorized to be issuing these FQANs.

21
The vomses file/directory
  • The vomses file has lines of the format:
    • EGEE kuiken.nikhef.nl 15001 /O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl EGEE
  • The vomses file is usually located on a system at (LCG uses an edg path):
    • /opt/glite/etc/vomses
    • ~/.glite/vomses
  • But the vomses file can also be a directory:
    • /opt/glite/etc/vomses/thiswouldbethesamefileasIhadbutnowIhavemultiple
    • ~/.glite/vomses/justliketheotherlinessays

22
Change request for the vomses directory to be /etc/vomses.d/
  • The simple request: change the vomses directory into
    • /opt/edgglite/etc/vomses.d/
  • where all the individual VO lines are described

23
VO Naming practice and suggested development
  • Oscar Koeroo

24
Index.voms
  • VO Name Information
  • New Global VO Naming convention
  • The solution
  • What we did for the GGF AuthZ workgroup
  • The accepted VO Naming statement
  • The document highlights

25
VO Name Information (1)
  • Allowed VO (and group/role name) characters: a-zA-Z0-9-_\.
    • In English: VO names can start with a number; VO names are alphanumeric and can also contain the characters minus/dash/hyphen, underscore and dot
  • The FQAN format is de facto standardized to the following format:
    • Group(s) part: /<VO Name>/<group 1>/<subgroup N>
      • where <VO Name> equals the root group, which equals the VO Name
    • Role part: /Role=<your role>
    • Capability part (deprecated but still available): /Capability=<your capability>
  • An FQAN is a concatenation of the Group(s), Role and Capability parts

26
VO Name Information (2)
  • VO names should not have a limited length (including the group and role names)
  • Examples
    • /United-Federation-Of-Planets_Starship.Enterprise.NGC1701/Role=NULL/Capability=NULL
      • 83 characters: VO Name (root group) only
    • /picard/whatistheexactamountofcharactersthatIcanputintothishugestringtobeusedforanormaltypeofgroupinthevonamedafterthecaptainoftheussenterprisefromthestartrekthenextgenerationseriesfromthenineteennightees/Role=NULL/Capability=NULL
      • 230 characters: VO Name and one group
    • /picard/whatistheexactamountofcharactersthatIcanputintothishugestringtobeusedforanormaltypeofgroupinthevonamedafterthecaptainoftheussenterprisefromthestartrekthenextgenerationseriesfromthenineteennightees/Role=thisisanewrolespecificallycreatedtocrashasystemthatusesVOMSofcourseIhopethatmysoftwarewhichisLCMAPSprimarilywillholdoutofcourse/Capability=NULL
      • 354 characters: VO Name, one group and one role
    • /TEST/012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678/Role=NULL/Capability=NULL
      • 281 characters: VO Name and one group, which combined are of maximum length
    • /TEST/012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678/Role=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/Capability=NULL
      • 527 characters: VO Name, the previously displayed group, plus a Role of maximum length

27
VO Name Information (3)
  • voms-proxy-info -all

    subject   : /O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo/CN=proxy
    issuer    : /O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo
    identity  : /O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo
    type      : proxy
    strength  : 512 bits
    path      : /tmp/x509up_u7381
    timeleft  : 11:59:19
    VO        : TEST
    subject   : /O=dutchgrid/O=users/O=nikhef/CN=Oscar Koeroo
    issuer    : /O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl
    attribute : /TEST/012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678/Role=0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789/Capability=NULL
    attribute : /TEST/blaat/Role=NULL/Capability=NULL
    attribute : /TEST/workshop/Role=NULL/Capability=NULL
    attribute : /TEST/workshop_with_a_long_or_more_or_less_huge_name/Role=NULL/Capability=NULL
    attribute : /TEST/blaat/test/Role=NULL/Capability=NULL
    attribute : /TEST/012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678/Role=NULL/Capability=NULL

28
VO Name Information (4)
  • In theory there is no limit to the names
    • This MUST be honored in all middleware that uses FQANs
  • In reality the VOMS database itself has a (practical) limitation on the length, originating from the VOMS DB schema
    • The Group(s), Role and Capability parts currently have a database-limited length of 255 characters each
      • Which means that at most 255 - 1 characters are possible for a VO name, because all group FQANs are prefixed with a slash
      • No (sub)groups can then be created within such a string
    • The Role string (without the /Role=) can be 255 characters
    • The Capability string (without the /Capability=) can be 255 characters

29
VO Name Information (5)
  • which means that an FQAN can be:
    • Groups part: 255 characters
    • Role part: /Role= (6) + 255 = 261 chars
    • Capability part: /Capability= (12) + 255 = 267 chars
  • as large as 255 + 261 + 267 = 783 characters

30
New Global VO naming proposal
  • The problem
    • No name (space) control
    • Name clashes are starting to appear
      • FUSION and FUSION: the first real name clash
      • ATLAS vs. USATLAS vs. Swiss Atlas vs. NorduGrid ATLAS: one VO with different names
      • uscms vs. cms: one VO with different names
      • Biomed vs. Bio Italy: two VOs, same area of work, even the same prefix
  • The solution
    • A hierarchical, extensible VO name space is needed

31
The DNS solution
  • Less confusion and less mix-ups
  • The DNS scheme serves the same kind of purpose
  • RFC 1034 Domain names - concepts and facilities
  • Section 3.4 - Example name space
  • Strong urge to only use 7-bit ASCII characters
  • a-zA-Za-zA-Z0-9-\.\.

32
Time for GIN?
  • The VO Grid Interoperability Now is the first to
    be created in the new scheme
  • gin.ggf.org

33
Time for a change?
  • The VO Grid Interoperability Now is the first to
    be created in the new scheme
  • gin.ogf.org

34
The VO Naming statement
  • The VO name is a string, used to represent the VO in all interactions with grid software, such as in expressions of policy and access rights. The VO name MUST be formatted as a subdomain name as specified in RFC 1034 section 3.5. The VO Manager of a VO using a thus-formatted name MUST be entitled to the use of this name, when interpreted as a name in the Internet Domain Name System.
  • This entitlement MUST stem either from a direct delegation of the corresponding name in the Domain Name System by an accredited registrar for the next-higher level subdomain, or from a direct delegation of the equivalent name in the Domain Name System by ICANN, or from the consent of the administrative or operational contact of the next-higher equivalent subdomain name for that VO name that itself is registered with such an accredited registrar. Considering that RFC 1034 section 3.5 states that both upper case and lower case letters are allowed, but no significance is to be attached to the case, but that today the software handling VO names may still be case sensitive, all VO names MUST be entirely in lower case.
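The checks that middleware handling FQANs and VO names would need, as an added example (not code from the slides or from VOMS/LCMAPS): the FQAN grammar of slide 25, the per-part limit of 255 characters from slides 28 and 29, and the VO Naming statement above (an RFC 1034 section 3.5 subdomain name, entirely in lower case). The test inputs are constructed.

```python
"""FQAN and VO-name checks (added example, not the slides' or VOMS' code).
parse_fqan() splits an FQAN into the Group(s), Role and Capability parts,
enforces the allowed characters a-zA-Z0-9-_. and the 255-character limit per
part that the VOMS DB schema imposes.  is_dns_style_vo_name() applies the VO
Naming statement: an RFC 1034 s3.5 subdomain name, entirely in lower case."""
import re

NAME_RE = re.compile(r"^[a-zA-Z0-9_.-]+$")   # slide 25: allowed name characters
PART_LIMIT = 255                              # per-part limit from the VOMS DB schema
# largest FQAN the database can hold: 255 + 6 + 255 + 12 + 255
MAX_FQAN_LEN = PART_LIMIT + len("/Role=") + PART_LIMIT + len("/Capability=") + PART_LIMIT
# RFC 1034 s3.5 label: starts with a letter, ends with a letter or digit,
# hyphens only in the middle, at most 63 characters; lower case only here.
LABEL_RE = re.compile(r"^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$")

def parse_fqan(fqan):
    """Return (group_names, role, capability); raise ValueError on a bad FQAN."""
    if not fqan.startswith("/"):
        raise ValueError("FQAN must start with the root group: %r" % fqan)
    groups, role, capability = fqan, "NULL", "NULL"
    if "/Capability=" in groups:               # optional, deprecated part
        groups, capability = groups.split("/Capability=", 1)
    if "/Role=" in groups:                     # optional role part
        groups, role = groups.split("/Role=", 1)
    for part, value in (("groups", groups), ("role", role), ("capability", capability)):
        if len(value) > PART_LIMIT:            # the groups part includes its leading '/'
            raise ValueError("%s part exceeds %d characters" % (part, PART_LIMIT))
    names = groups[1:].split("/")              # root group == VO name comes first
    for name in names + [role, capability]:
        if not NAME_RE.match(name):            # also rejects empty names ('/TEST//x')
            raise ValueError("illegal name %r" % name)
    return names, role, capability

def fqan_problem(fqan):
    """Return why an FQAN is rejected, or None when it is acceptable."""
    try:
        parse_fqan(fqan)
    except ValueError as err:
        return str(err)
    return None

def is_dns_style_vo_name(vo_name):
    """True if the VO name satisfies the VO Naming statement."""
    labels = vo_name.split(".")
    return len(vo_name) <= 253 and all(LABEL_RE.match(label) for label in labels)
```

Note that the old groupmapfile syntax of slide 15 ("/VO=fred/GROUP=fred/...") is rejected by parse_fqan, because "=" is not an allowed name character; that is the difference the slide warns about.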

35
The document
  • The GGF draft document for VO Naming will contain:
    • An overview of the current EGEE/LCG (and GGF) VO practices
    • A summary of the available documents created by the JSPG regarding the technical implementation of a VO name and the procedures to run a VO
    • The proposed VO naming convention
      • Its pros and cons
      • Middleware implications
      • The dos and don'ts in working with International Domain Names (IDN) as VO names
    • A description of a solution to the VOMS certificates distribution problem, for instance
      • Secure DNS
      • Or another model, by only distributing the DN of the host

36
  • ?