
Why you should care about glexec. Hint: It's about security

  1. Why you should care about glexec
     Hint: It’s about security
     OSG Site Administrator’s Meeting
     Written by Igor Sfiligoi
     Presented by Alain Roy

  2. Traditional Grid Jobs
     • User jobs come through the gatekeeper
       − You see all jobs come in
       − You ensure they run as the correct user
       − You can do accounting
     [Diagram labels: GUMS, Worker node, Gatekeeper, Resource Broker, Batch, Job]
     OSG All-Hands, March 3, 2008

  3. Pilot Grid Jobs
     • User jobs don't come through the gatekeeper
       − Only pilots enter via gatekeeper
       − Each pilot accepts work from VO
       − You don’t see user jobs
         − No local authorization, no accounting
         − All user jobs share same user id
     [Diagram labels: GUMS, Pilot Factory, Gatekeeper, Worker node, Batch, Pilot, VO Queue, Job]

  4. Pilot user jobs share user ids!
     • Hey, mind if I borrow your proxy?
     • Oops, was that your file?
     • gLExec will solve this problem

  5. Pilot jobs are in use today
     • Two VOs are actively using Pilot jobs
       − CDF
       − ATLAS
     • Others are about to start using them
       − CMS
       − MINOS
     • Pilot jobs are here to stay

  6. Pilot Grid Jobs with gLExec
     • User jobs started using gLExec
       − Authorized with local authorization tools (GUMS)
       − Correct user ID used to start job
     [Diagram labels: GUMS, Worker node, Pilot Factory, Gatekeeper, Batch, Pilot, VO Queue, gLExec, Job]

  7. What is gLExec
     • A Grid-aware suExec derivative
       − Allows execution of commands as a different user
       − Authorization and mapping based on X.509 proxy
     • A privileged executable (setuid to root)
       − Needed to switch identities
     • Pluggable architecture
       − PRIMA/GUMS plugin used by default in OSG

  8. gLExec IS a privileged executable
     • gLExec is NOT a privileged service
       − Not listening on any network port
     • gLExec is a privileged executable
       − Will run as root at least part of the time
       − A bug can potentially give an attacker root privileges
     • gLExec has been audited by EGEE for potential security problems
       − None have been found

  9. gLExec and accounting
     • gLExec keeps detailed logs of each invocation, including
       − user DN and FQAN
       − start and stop times
       − process id
     • A gLExec GRATIA probe exists for automatic accounting extraction
       − but logs are also human readable

  10. gLExec and Pilots
     • Pilots cannot be forced to use gLExec
       − Pilots need to be gLExec-aware
     • But if gLExec is installed, site can require its use by policy
     • Using gLExec is in the best interest of pilots
       − Protects them from malicious users (UID switching)

  11. gLExec installation
     • gLExec supported by OSG
       − distributed via VDT
     • Needs to be installed on all the worker nodes
     • Requires host certificate or service proxy to talk to GUMS
     For more details, see talk in the “Configuring OSG” session

  12. Conclusions
     • Pilot jobs are gaining momentum
       − Most big VOs (do or will) use them
     • gLExec helps restore security for pilot jobs
     • It is a privileged executable
       − But security benefits outweigh risks
     • Supported by OSG
       − Distributed in VDT
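
Slides 7 and 8 describe a setuid-root executable that switches to the mapped user's identity. The following added example is not gLExec source code; it shows the order in which a helper of this kind drops privileges and checks that the drop cannot be undone. The UID/GID floor of 1000 (in the spirit of suEXEC's minimum-ID checks) and the pool account 20001 are assumptions.

```c
/* Added illustration: identity switch in a setuid-root helper (not gLExec source). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed policy floor: never map a job onto root or a system account. */
#define MIN_TARGET_UID 1000
#define MIN_TARGET_GID 1000

/* Returns 0 if the mapped account is acceptable as a job identity. */
int target_allowed(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* never hand a job root */
    if (uid < MIN_TARGET_UID || gid < MIN_TARGET_GID)
        return -2;                      /* system accounts are off limits */
    return 0;
}

/* Irreversibly become uid/gid. Returns 0 on success, negative on failure;
 * the caller must exit on any failure rather than continue as root. */
int switch_identity(uid_t uid, gid_t gid)
{
    if (target_allowed(uid, gid) != 0)
        return -1;                      /* policy check before any syscall */
    if (setgroups(1, &gid) != 0)        /* drop root's supplementary groups */
        return -2;
    if (setgid(gid) != 0)               /* group first: needs root to succeed */
        return -3;
    if (setuid(uid) != 0)               /* as root: real, effective, saved UID */
        return -4;
    /* Verify the drop stuck: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -5;
    return 0;
}

int main(void)
{
    /* 20001 is a constructed pool account standing in for a GUMS mapping. */
    int rc = switch_identity(20001, 20001);
    printf("switch_identity -> %d (uid=%d euid=%d)\n", rc, (int)getuid(), (int)geteuid());
    return rc == 0 ? 0 : 1;
}
```

Run without root, the program stops at the `setgroups` step with `-2`, which is the fail-closed behaviour a caller should treat as fatal.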
