Centralized management of the Globus grid-mapfile

Carlo Rocca

INFN, Catania

Grid-mapfile management

• In a Grid environment it is fundamental that a group of hosts with common purposes shares the same access policy.

• With the Globus Toolkit this can be achieved by editing the grid-mapfile on every Globus host, but doing so host by host makes grid-mapfile management hard.

Grid-mapfile management

• INFN-GRID has implemented a system that simplifies grid-mapfile management, allowing Globus administrators to update their grid-mapfile with consistent information.

Repository

• This has been done by implementing a central repository of user information, to be used for authentication and authorization in the Globus environment.

• This information is then used by the Globus installation to build the user database (grid-mapfile) on the Globus hosts periodically.

• The server provides only the access policy; the final authentication is done by the Globus host.

Repository

• Users are identified by their X.509 user certificate subject, which the grid-mapfile maps to a local Unix account.

• The main purpose of this repository is to provide user certificates (subjects) and groupings of users to the Globus hosts.

Repository

• The best choice for a repository of this information is an LDAP server that uses the Globus domain-component-based namespace (GIIS namespace).

• The information on the server must use standard objectclasses to permit easier integration of the system with existing software.

Objectclasses

• The objectclasses that best represent users in this context are:
  – person
  – organizationalPerson
  – inetOrgPerson
  – groupOfNames

Objectclasses

• Grouping of users can be defined using the groupOfNames objectclass.

• "member" is a multivalued attribute of the groupOfNames objectclass that contains the list of distinguished names of the users belonging to the group.

Tree Layout

(figure redrawn from the slide: the directory tree, with the root at the bottom in the original)

  Root: dc=infn,dc=it,o=Grid
    Department partitions: dc=dept1, dc=dept2, ...
      ou=people: dn=user1, dn=user2, ...
      ou=groups: ou=Experiment1 (cn=gr1, cn=gr2, cn=gr3), ou=Experiment2, ...
      ou=Managers: cn=CA Manager, cn=CMS Manager, cn=Atlas Manager
      Group entries carry the membership list: member=DN1, member=DN2, member=DN3, ...

This namespace allows for a clean access control list implementation and a directory partitioning based on a geographical model.

Maintaining the repository

• CA Manager
  – Produces authentication information (certificates) and publishes it in the repository with a tool (certpublish) that accepts certificates and publishes them to the directory.
  – The email address contained in the certificate is used to produce the DN, as in the following example:

    Carlo.Rocca@ct.infn.it

    becomes

    dn: mail=Carlo.Rocca@ct.infn.it,ou=people,dc=ct,dc=infn,dc=it,o=Grid

Maintaining the repository

• Organizational Unit Managers
  – They are responsible for editing OU groups, creating new ones and editing memberships.
  – Grouping can be used to produce grid-mapfiles as well as for other administrative purposes.

Maintaining the repository

• LDAP Managers
  – They have full access to the directory, create the directory layout and assign privileges to the group managers and the CA manager.

Using the repository

• The repository information is used by Globus administrators, who can periodically update the grid-mapfile using their preferred policy.

• A tool for Globus administrators should be able to:
  – Connect to the server and download selected certificates, choosing a filtering policy (all, group, domain, etc.)
  – Produce grid-mapfile lines.

Security Issues

• The group subtree must follow a restrictive security policy:
  – Accessible only from Globus hosts
  – TLS should be used for maintenance operations (certificate publishing, group editing, any operation where passwords are sent over the network) and for queries where possible.

• Access control lists establishing the managers' privileges on the DIT must be implemented. Until now no standard ACL schema exists (standardization is ongoing), so the software-specific ACL schema must be used.

Tools

• Two tools have been developed:
  – certpublish, which allows the CA managers to publish certificates
  – certretrieve, which allows Grid administrators to create grid-mapfiles automatically

• Group managers can edit groups using many existing LDAP tools.

Tools

certpublish syntax

  certpublish
    -in <filename>   : Encoded certificate to publish
    -host hostname   : Name of the server
    -port integer    : Port number
    -base DN         : Base for searches
    -DN DN           : Bind DN
    -help            : This help

Tools

certretrieve syntax

  certretrieve
    -host hostname     : Name of the server
    -port integer      : Port number
    -base DN           : Base for searches
    -DN DN             : Bind DN
    -groupDN groupDN   : If present, return only users in the group
    -lcluser user      : Local user to map the certificates to
    -help              : This help

Tools

• An example of how to retrieve certificate subjects is the following command:

  certretrieve -groupDN "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid"

This will retrieve the certificate subjects of the users in the gen subgroup.
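The two transformations the slides describe, the certpublish mail-to-DN mapping and the certretrieve filter-and-map step that produces grid-mapfile lines, worked through as an added example (Python, not the INFN-GRID tools' own code). The directory is an in-memory stand-in for the LDAP server, the entries, subjects and group DN contents are constructed, and the sanity checks on lcluser and on subjects are this example's own addition.

```python
import re

def cert_dn_from_mail(mail, base="o=Grid"):
    """certpublish-style DN: mail=<addr>,ou=people,<one dc= per mail-domain label>,<base>."""
    m = re.fullmatch(r"[^@\s,]+@([A-Za-z0-9.-]+)", mail)
    if not m:
        raise ValueError("malformed mail address: %r" % mail)
    dcs = ",".join("dc=%s" % label for label in m.group(1).lower().split("."))
    return "mail=%s,ou=people,%s,%s" % (mail, dcs, base)

# Constructed sample repository (not real INFN users): inetOrgPerson entries
# carry the certificate subject, the groupOfNames entry carries member DNs.
ALICE_DN = cert_dn_from_mail("alice@ct.infn.it")
BOB_DN = cert_dn_from_mail("bob@ba.infn.it")
GEN_GROUP = "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid"
DIRECTORY = {
    ALICE_DN: {"objectClass": ["inetOrgPerson"], "subject": "/C=IT/O=INFN/L=Catania/CN=Alice Example"},
    BOB_DN: {"objectClass": ["inetOrgPerson"], "subject": "/C=IT/O=INFN/L=Bari/CN=Bob Example"},
    GEN_GROUP: {"objectClass": ["groupOfNames"],
                # the last member is a dangling DN whose people entry was never published
                "member": [ALICE_DN, BOB_DN, cert_dn_from_mail("gone@ct.infn.it")]},
}

def select_subjects(directory, policy="all", group_dn=None, domain=None):
    """Filtering policies from the slides: all, group (groupOfNames members), domain (dc suffix)."""
    candidates = list(directory)
    if policy == "group":
        group = directory.get(group_dn)
        if not group or "groupOfNames" not in group["objectClass"]:
            raise LookupError("not a groupOfNames entry: %r" % group_dn)
        candidates = group["member"]
    # domain policy: "infn.it" -> the DN must contain ",dc=infn,dc=it,"
    dcs = "," + ",".join("dc=%s" % l for l in domain.lower().split(".")) + "," if policy == "domain" else None
    subjects = []
    for dn in candidates:
        entry = directory.get(dn)
        # skip dangling members, group entries and (domain policy) DNs outside the domain
        if not entry or "subject" not in entry or (dcs and dcs not in dn):
            continue
        subjects.append(entry["subject"])
    return subjects

def gridmap_lines(subjects, lcluser):
    """One grid-mapfile line per subject; reject values that would break the file's line/quote syntax."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", lcluser):
        raise ValueError("bad local account name: %r" % lcluser)
    for s in subjects:
        if not s.startswith("/") or '"' in s or "\n" in s:
            raise ValueError("refusing to map malformed subject: %r" % s)
    return ['"%s" %s' % (s, lcluser) for s in subjects]
```

Running `gridmap_lines(select_subjects(DIRECTORY, "group", group_dn=GEN_GROUP), "cms001")` yields the two mapping lines for the gen group and silently drops the dangling member, which is the case a periodic rebuild must tolerate.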
