LCAS - PowerPoint PPT Presentation
1
LCAS / LCMAPS functionalities: an overview of the plug-ins
  • Oscar Koeroo

2
Index
  • Little overview
  • LCAS
    • Currently deployed functionality
    • Newly created functionality
  • LCMAPS
    • Currently deployed functionality
    • Newly created functionality
  • Status and Future

3
Where to place it all
(architecture diagram: Credential Acquisition / Enforcement / CREDs)
4
  • LCAS

5
LCAS basic plugins
  • The basics
    • userban: blacklisting on DN
    • userallow: whitelisting against DNs
    • timeslots: timeslot verification (site open hours)

6
lcas_voms
  • Checks the VOMS data from the user's proxy
  • Executes a whitelist check with
    • Grid-mapfile which includes FQANs
    • GACL file
    • XACML (not supported, but should work)
  • -use_user_dn
    • Switches the module from VOMS-only mode into dual mode
    • Now able to get authorized when presenting either
      • VOMS credentials
      • If no VOMS credentials, then a DN needs to be
        verified with the grid-mapfile
  • No support for hybrid mode
    • If VOMS credentials are present but not authorized,
      then have a look at the DN and gain authorization
      through the DN

7
lcas_check-executable
  • Checks if the RSL contains a whitelisted executable
  • For glexec we've created a fake RSL to do the work
    • -exec /bin/sh /opt/torque/bin/qsub
  • Especially needed for the glexec on WN scenario
  • Also used on the CE to prevent rogue usage

8
  • LCMAPS

9
lcmaps_localaccount.mod (A)
  • Reads grid-mapfile
    • Searching for the user's DN in the grid-mapfile
    • Collects the local Unix account
  • The UID/GID combo is stored in the framework for later
    processing

10
lcmaps_poolaccount.mod (A)
  • Reads grid-mapfile
    • Searching for the user's DN in the grid-mapfile to
      collect the pool (name or prefix)
  • Reads the directory listing of the gridmapdir
    • Searching for an existing mapping in the directory
    • A mapping is done by creating a filesystem hard link
      between the url_encoded(DN) and the poolaccount name,
      represented by an empty file
    • If the search was inconclusive, then a search starts
      for a not yet mapped poolaccount by searching on the
      pool name in the directory, which needs to be a prefix
      of the poolaccount
    • The poolaccount file in the gridmapdir needs to have an
      inode (hard link) count of 1 and the correct prefix
  • If a poolaccount has been found, then the UID, GID and
    secondary GIDs will be searched for in the system's
    password file (or equivalent system) and stored in the
    framework's memory
  • The UID/GID combo is stored in the framework for later
    processing

11
lcmaps_poolaccount.mod (A)
  • -override_inconsistancy
    • If a poolaccount file in the gridmapdir is found and it
      has an i-node count of 1, then the poolaccount is still
      free
    • But if a poolaccount file has an i-node count of two,
      then it must be mapped
    • If an url_encoded(DN) has an i-node count of two, then
      it must be mapped
    • If an url_encoded(DN) only has an i-node count of one,
      then it is a dangling pointer
    • This situation, and only this situation, is due to a
      goof-up on the FS which could be restored by the
      original poolaccount; every submission of a job would
      be impossible unless the admin cleans it. In this case
      I override the situation by unlinking the
      url_encoded(DN) and let the mapping process start over
      again.
  • -strict_poolprefix_match
    • The poolaccount file needs to have the correct prefix,
      only followed by numbers
    • Warning: we made this fix to avoid pool map flooding,
      but it can still be done when creating a pool ending
      with a number (d0 001)
  • -max_mapping_pr_credential
    • Sets a maximum of poolaccount mappings per DN to
      multiple poolaccounts
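The gridmapdir link-count algorithm of the two poolaccount slides, as an added example written for this page (not LCMAPS source code): free, mapped and dangling entries are told apart by hard-link count, the pool prefix is matched as in -strict_poolprefix_match, and the dangling case is recovered as -override_inconsistancy describes. The DN file-name encoding, the post-link double-claim check and the demo directory contents are assumptions.

```python
import os
import re
import tempfile
import urllib.parse

def url_encode_dn(dn):
    # Assumed encoding for the DN file name (LCMAPS has its own variant).
    return urllib.parse.quote(dn, safe="")

def pool_members(gridmapdir, pool, strict=True):
    # Pool-account files carrying the pool prefix; strict mode requires
    # the prefix to be followed by digits only (-strict_poolprefix_match).
    pat = re.compile(re.escape(pool) + (r"[0-9]+$" if strict else ""))
    return sorted(f for f in os.listdir(gridmapdir) if pat.match(f))

def map_dn(gridmapdir, dn, pool, override_inconsistency=False, strict=True):
    """Return the pool account mapped to dn, claiming a free one if needed."""
    dn_path = os.path.join(gridmapdir, url_encode_dn(dn))
    if os.path.exists(dn_path):
        st = os.stat(dn_path)
        if st.st_nlink >= 2:          # mapped: the account file shares the inode
            for acct in pool_members(gridmapdir, pool, strict):
                if os.stat(os.path.join(gridmapdir, acct)).st_ino == st.st_ino:
                    return acct
            raise RuntimeError("DN is linked to a file outside pool " + pool)
        # link count 1: a dangling DN entry, nobody can be mapped until cleaned
        if not override_inconsistency:
            raise RuntimeError("dangling mapping for " + dn)
        os.unlink(dn_path)            # -override_inconsistancy: start over
    for acct in pool_members(gridmapdir, pool, strict):
        acct_path = os.path.join(gridmapdir, acct)
        if os.stat(acct_path).st_nlink != 1:      # link count 1 == still free
            continue
        try:
            os.link(acct_path, dn_path)           # atomic claim via hard link
        except FileExistsError:
            continue                              # lost a race on our DN file
        if os.stat(acct_path).st_nlink == 2:      # nobody else claimed it too
            return acct
        os.unlink(dn_path)                        # double claim: release, retry
    raise RuntimeError("pool " + pool + " exhausted")

def build_demo_dir():
    # Constructed gridmapdir: two free accounts, one name that fails the
    # strict prefix rule, and one dangling DN entry with no account behind it.
    d = tempfile.mkdtemp()
    for name in ("dteam001", "dteam002", "dteam0x3", url_encode_dn("/C=NL/CN=stale")):
        open(os.path.join(d, name), "w").close()
    return d
```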

12
lcmaps_posix_enf (E)
  • Reads the framework's memory
    • Fetches UID, primary GID and secondary GIDs (if
      available)
  • Enforces the UID, PGID and SGID(s) on the current process
  • Checks if the amount of UIDs, GIDs and secondary GIDs
    doesn't exceed a system boundary or a preset boundary
    • (if defined) NGROUPS will be
      • 32 on a 2.4.x kernel (max 32 secondary GIDs active
        in a process)
      • 2^16 on a 2.6.x kernel (max 2^16 secondary GIDs
        active in a process)
    • Otherwise: kernel level error (nasty)
  • It is possible to only set the effective UID and/or GID
    • Note: it is then possible to gain root access again
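How the enforcement step of this slide can be done on Linux, as an added example (not the LCMAPS plugin's own code): the group-count check against the kernel's NGROUPS_MAX, and the difference between setting only the effective IDs and setting real, effective and saved IDs, which is what the "gain root access again" note is about. The function names and the de-duplication of GIDs are my assumptions; enforce() needs root to actually succeed.

```python
import os

# The slide quotes NGROUPS as 32 (2.4.x) or 2^16 (2.6.x); ask the running
# kernel instead of hard-coding either value.
KERNEL_NGROUPS_MAX = os.sysconf("SC_NGROUPS_MAX")

def check_group_bound(sgids, preset_max=None):
    """Return the de-duplicated secondary GID list, or raise before the
    kernel would reject setgroups(); preset_max is the site boundary."""
    limit = KERNEL_NGROUPS_MAX if preset_max is None else min(preset_max, KERNEL_NGROUPS_MAX)
    unique = list(dict.fromkeys(int(g) for g in sgids))   # keep order, drop repeats
    if len(unique) > limit:
        raise ValueError("%d secondary GIDs exceed the boundary of %d" % (len(unique), limit))
    return unique

def enforce(uid, pgid, sgids=(), effective_only=False):
    """Apply the mapped credential to the current process (requires root)."""
    groups = check_group_bound(sgids)
    os.setgroups(groups)                  # must happen while we still have CAP_SETGID
    if effective_only:
        # Only the effective IDs change; real and saved IDs stay root, so the
        # process can seteuid(0) later: this is the "gain root again" case.
        os.setegid(pgid)
        os.seteuid(uid)
    else:
        # Real, effective and saved IDs all change: no way back to root.
        os.setresgid(pgid, pgid, pgid)
        os.setresuid(uid, uid, uid)
    return os.getresuid(), os.getresgid()

def still_privileged():
    """True when any of the real/effective/saved UIDs is still root."""
    return 0 in os.getresuid()
```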

13
lcmaps_vomslocalgroup (A)
  • Reads a groupmapfile
    • Similar to grid-mapfile format, but has VOMS FQAN
      mappings
    • This plugin only searches for FQAN to poolgroup
      mappings
      • /EGEE/Role=NULL/Capability=NULL egeegrp
  • The GID(s) is/are stored in the framework for later
    processing
  • -mapall
    • All available FQANs need to be mapped to GIDs
  • -mapmin
    • Sets a minimum mapping, 0 by default
  • You may use wildcards
    • /EGEE/* egeeallgrp

14
lcmaps_vomspoolgroup (A)
  • Reads a groupmapfile
    • Similar to grid-mapfile format, but has VOMS FQAN
      mappings
    • This plugin only searches for FQAN to non-poolgroup
      mappings
      • /EGEE/Role=NULL/Capability=NULL .egee
  • Each FQAN can be mapped to an individual poolgroup (Unix
    group)
  • Works like lcmaps_poolaccount
    • Sets a mapping between an FQAN and a poolgroup in the
      groupmapdir
  • The GID(s) is/are stored in the framework for later
    processing
  • Like lcmaps_vomslocalaccount
    • -mapall
    • -mapmin
  • You may use wildcards
    • /EGEE/* .egeeall
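The groupmapfile lookup shared by the vomslocalgroup and vomspoolgroup slides, as an added example for this page (not the plugins' code): it parses a constructed groupmapfile, resolves a user's FQANs with exact and trailing-wildcard matching, and enforces -mapall and -mapmin. The quoted-FQAN line format, first-match-wins ordering and the sample entries are assumptions; resolving group names to GIDs is left to the caller.

```python
import shlex

# Constructed groupmapfile (not from the talk); assumed format: quoted FQAN,
# whitespace, group name, with a trailing '*' as wildcard. First match wins.
GROUPMAPFILE = """
# comments and blank lines are skipped
"/EGEE/Role=NULL/Capability=NULL" egeegrp
"/EGEE/Role=production-manager/Capability=NULL" egeeprod
"/EGEE/*" egeeallgrp
"""

def parse_groupmapfile(text):
    """Return [(fqan_pattern, group)] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted FQAN
        if len(parts) != 2:
            raise ValueError("malformed groupmapfile line: " + line)
        entries.append((parts[0], parts[1]))
    return entries

def fqan_matches(pattern, fqan):
    # A trailing '*' matches any remainder; anything else is an exact match.
    if pattern.endswith("*"):
        return fqan.startswith(pattern[:-1])
    return fqan == pattern

def map_fqans(entries, fqans, mapall=False, mapmin=0):
    """Resolve the user's FQANs to group names; enforce -mapall and -mapmin."""
    groups, mapped = [], 0
    for fqan in fqans:
        for pattern, group in entries:
            if fqan_matches(pattern, fqan):
                mapped += 1
                if group not in groups:    # keep order, drop duplicates
                    groups.append(group)
                break
        else:
            if mapall:                     # every FQAN must map to a GID
                raise PermissionError("unmapped FQAN: " + fqan)
    if mapped < mapmin:
        raise PermissionError("%d mapping(s), -mapmin requires %d" % (mapped, mapmin))
    return groups
```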

15
lcmaps_vomspoolaccount (A)
  • Reads a grid-mapfile
    • Similar to grid-mapfile format, but has VOMS FQAN
      mappings
    • Supports hybrid (DNs and FQANs) grid-mapfiles
    • This plugin only searches for FQAN to poolaccount
      mappings
      • /EGEE/Role=NULL/Capability=NULL .egee
      • /EGEE/* .egee
  • Each FQAN can be mapped to an individual poolaccount
  • Works like lcmaps_poolaccount
    • Sets a mapping between an URL-encoded DN plus mapped
      GIDs in the gridmapdir
    • The same user with a different set of FQANs results in
      another poolaccount
  • The UID is stored in the framework for later processing
  • -do_not_use_secondary_gids
    • Mapping is done on DN + primary GID, neglecting the
      secondary GIDs
  • -max_mappings_per_credential
    • Limits the max mapping per user and its mapped GIDs
    • url_encoded(DN) gid1 gid2 mapcount<mapnumber> gets
      limited to mapnumber

16
lcmaps_vomslocalaccount (A)
  • Reads a grid-mapfile
    • Similar to grid-mapfile format, but has VOMS FQAN
      mappings
    • Supports hybrid (DNs and FQANs) grid-mapfiles
    • This plugin only searches for FQAN to non-poolgroup
      mappings
      • /EGEE/Role=production-manager/Capability=NULL my
        user
  • Based on the FQAN, one can map to an individual Unix
    account
  • Works like lcmaps_localaccount
  • The UID is stored in the framework for later processing
  • -use_voms_gid
    • When set, this plugin relies on another plugin to
      provide the primary GID

17
lcmaps_ldap_enf (E)
  • Reads the LCMAPS memory for the UID and GIDs
  • Enforces the mapping in the LDAP user DB environment
    • Needed for the lcmaps_poolgroup plugin
    • It can result in arbitrary mappings which did not yet
      exist in the /etc/passwd and /etc/group files
  • Optional in regular mappings, both for VOMS and non-VOMS
    plugins

18
New or not yet deployed but available
  • Verify-Proxy
  • GUMS
  • Job Repository

19
lcmaps_verify-proxy (A)
  • Verifies the certificate chain of the user
    • OpenSSL checks
      • CRL checks
      • Chain check
    • Can be overridden by the only-post-verify-checks
      option
      • This forces the plugin to trust the chain
        cryptographically (skipping the slow process), but
        still performs some easy paranoia tests:
        • Validation time period
        • DN created throughout the chain is consistent
          with the specs
        • And a few other things
  • Implements a Proxy Time To Live check (per proxy level)
    • Per proxy level: first level MyProxy, second level a
      delegation, leaf proxy the final delegation in the
      chain
  • In the near future it will support the TTL checks of
    the VOMS credentials

20
lcmaps_gums (A)
  • GUMS: Grid User Management System
    • A Grid Identity Mapping Service
    • Supplies a central (to a site) database for mapping
      DNs (and FQANs) into a UID and GID pair
    • Protocol is SAML Obligations over the wire between
      the PRIMA module and the GUMS server
  • OSG has provided a split PRIMA module
    • The first part has a Globus-specific interface
    • The second part handles the SAML Obligations protocol
  • A new LCMAPS plugin will be created that uses (only)
    the second part of the PRIMA module to connect to GUMS

21
lcmaps_jobrep (E)
  • Provides a site-central database that records all
    mapping invocations executed by LCMAPS
  • The mapping information will be stored in a relational
    way
    • The user's DN is a central spoke in the database
    • The user's DN hooks to the FQANs that it has used
      (timestamped)
    • The user's FQANs are linked to its mapped UID and GID
      mappings
    • A snippet of the JDL will be recorded to see what a
      user has executed
    • Also the certificate chain is stored
  • Schema is open to add new service details to the same
    user credential for centralized (and relational)
    aggregation of the usage at a site

22
Status
  • Getting glexec up to speed on a CE and on the WN
    scenarios
  • Support OSG's demands for glexec on WNs
    • Support GUMS
    • Support SAZ in a later stage
  • Addressing the GPbox LCMAPS plugin
    • Code-cloned all VOMS-enabled plugins and blended the
      common functionality into one big plugin that has the
      GPbox magic going on from the inside

23
Future
  • New plugin for OSG which contacts SAZ is going on ice
    until September
  • In lcmaps_verify-proxy, support will be added to do
    VOMS credential TTL checks
  • Designing a site-central mapping service (looks like
    GUMS, but better)
    • Creating our own design because GUMS doesn't provide
      an optimal solution
    • One LCAS and LCMAPS to support all installed
      instances of LCAS and LCMAPS throughout a site
    • Optimization of the mapping, gaining speed when
      deployed on NFS

24
  • ?