SlideShare una empresa de Scribd logo

Addressing the Pilot Security Problem with gLExec - from CHEP 2007

Igor Sfiligoi
Igor Sfiligoi

This talk from 2007 provides an overview why Grid-based pilot infrastructures need a tool like glexec. Also provides statistics of its use in 2007.

Tecnología
1 de 18
Descargar para leer sin conexión
CHEP 2007 Addressing the Pilot Security Problem  With gLExec by   I. Sfiligoi (Fermilab) in collaboration with D. Yocum (Fermilab) O. Koeroo (NIKHEF) G. Venekamp (NIKHEF) CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 1
Security in the Grid Local Grid Site 1 Queue Gatekeepers decide who to let in Grid site k Grid Site n Each user runs in Local Queue a different sandbox CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 2
Pilots and the Grid  (1) Gatekeepers know  Local Grid Site 1 only about the pilots Pilots decide Queue what jobs to run VO pilot factory Grid site k VO Queue Grid Site n Local Pilots and all users Queue run sharing the same local identity CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 3
Pilots and the Grid  (2) Gatekeepers know  Local Grid Site 1 only about the pilots Pilots decide Queue what jobs to run VO pilot factory Pilots may run jobs  Grid site i VO from unwanted users Queue Grid Site n Local Pilots and all users Queue run sharing the same OK for sites that trust the VO as a whole local identity but some sites need finer grained control CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 4
Pilots and the Grid  (3) Gatekeepers know  Local Grid Site 1 only about the pilots Pilots decide Queue what jobs to run VO pilot factory Users can steal or corrupt  each other's data,  if running on the same node Grid site i VO Queue Grid Site n Local Pilots and all users Queue run sharing the same Any user can impersonate  local identity the pilot job CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 5
Pilots and the Grid  (4) ● Pilots can be a problem for both the Grid sites  and pilot owners ● Grid sites – Who is running – Who to hold accountable – Reject jobs from unwanted users ● Pilot owners – Protect its infrastructure from malicious users – Protect users from each other – Avoid being held accountable for user's actions CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 6
The  (simplified)  life of a pilot job Validate node Any jobs no Cleanup pilot area in queue? yes Fetch user Terminate job and credentials Cleanup job area Execute job Return output CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 7
Introducing gLExec ● A x509 aware  (apache)  suExec equivalent ● Given a proxy and a binary Pilot job – authenticates and authorizes User proxy + – changes UID/GID user job executable – executes the binary gLExec Site policies ● Necessarily owned by root and suid­ed User job – Not a daemon CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 8
Pilots with gLExec  (1) Local Grid Site 1 Queue Sites decide who to let run VO pilot factory Grid site k VO Queue Grid Site n Pilots and users run in Local Queue different sandboxes CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 9
Pilots with gLExec  (2) Local Grid Site 1 Queue Sites decide who to let run VO pilot factory Like having a  Grid site i VO gatekeeper on every WN Queue VO still in charge Grid Site n of job scheduling Pilots and users run in Local Queue different sandboxes CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 10
The need for centralized authorization ● With gLExec used by Pilots, sites can have  thousands of decision points – A centralized authorization infrastructure helps  keep consistency ● Open Science Grid (OSG) has GUMS/PRIMA – A PRIMA gLExec module exists  Local Grid Site Queue GUMS CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 11
gLExec deployment @ Fermilab ● The PRIMA plugin for gLExec was jointly  developed by the NIKHEF and Fermilab  groups ● Fermilab was the first OSG site to install  gLExec on the worker nodes – First release in Oct'06 – Current release deployed in May'07 CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 12
gLExec/GUMS @ Fermilab ● gLExec deployed and  used on more than  no gLExec no gLExec 500 nodes w/gLExec w/gLExec – Primary user is CDF ● GUMS shown to be  very scalable – Routinely handling  more than 500k  requests per day – gLExec contributing  for at most 20k CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 13
gLExec in OSG ● gLExec with PRIMA plugin has been  incorporated in VDT 1.8 ● OSG sites will be encouraged to deploy it with  the upcoming OSG 0.8.0 release CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 14
gLExec monitoring ● gLExec keeps a log of all authorization  requests – The DN and FQAN of the proxy – PID of the calling process – (Sub­)processes spawned – Start times and end times ●  Gratia probe uses this data – Gives accounting the real user identity CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 15
Summary ● Pilots are becoming a reality – But are introducing new problems ● Yesterday's Grid security mechanisms are not  enough anymore – Site admins want fine grained control – Pilot owners want OS level protection ● gLExec can help solve the technical problems ● Fermilab experience positive,  waiting for wide OSG deployment CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 16
CHEP 2007 Pilot Security with gLExec Backup slides CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 17
gLExec jobs a day @ FNAL fcdfosg1 fcdfosg2 CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 18

Recomendados

glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM...
glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM... glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM...
glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM...
Igor Sfiligoi
 
Security in the Open Science Grid
Security in the Open Science GridSecurity in the Open Science Grid
Security in the Open Science Grid
Igor Sfiligoi
 
Grid Lingo - in glideinWMS context
Grid Lingo - in glideinWMS contextGrid Lingo - in glideinWMS context
Grid Lingo - in glideinWMS context
Igor Sfiligoi
 
glideinWMS - The Larger Picture
glideinWMS - The Larger PictureglideinWMS - The Larger Picture
glideinWMS - The Larger Picture
Igor Sfiligoi
 
Where to find DHTC resources - OSG School 2014
Where to find DHTC resources - OSG School 2014Where to find DHTC resources - OSG School 2014
Where to find DHTC resources - OSG School 2014
Igor Sfiligoi
 
Solving Grid problems through glidein monitoring
Solving Grid problems through glidein monitoringSolving Grid problems through glidein monitoring
Solving Grid problems through glidein monitoring
Igor Sfiligoi
 
Wedding convenience and control with RemoteCondor
Wedding convenience and control with RemoteCondorWedding convenience and control with RemoteCondor
Wedding convenience and control with RemoteCondor
Igor Sfiligoi
 
GPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive SolutionsGPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive Solutions
GlobalLogic Ukraine
 

Recomendados

glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM...
glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM... glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM...
glideinWMS Frontend Installation - Part 2 - Frontend Installation -glideinWM...
Igor Sfiligoi
 
Security in the Open Science Grid
Security in the Open Science GridSecurity in the Open Science Grid
Security in the Open Science Grid
Igor Sfiligoi
 
Grid Lingo - in glideinWMS context
Grid Lingo - in glideinWMS contextGrid Lingo - in glideinWMS context
Grid Lingo - in glideinWMS context
Igor Sfiligoi
 
glideinWMS - The Larger Picture
glideinWMS - The Larger PictureglideinWMS - The Larger Picture
glideinWMS - The Larger Picture
Igor Sfiligoi
 
Where to find DHTC resources - OSG School 2014
Where to find DHTC resources - OSG School 2014Where to find DHTC resources - OSG School 2014
Where to find DHTC resources - OSG School 2014
Igor Sfiligoi
 
Solving Grid problems through glidein monitoring
Solving Grid problems through glidein monitoringSolving Grid problems through glidein monitoring
Solving Grid problems through glidein monitoring
Igor Sfiligoi
 
Wedding convenience and control with RemoteCondor
Wedding convenience and control with RemoteCondorWedding convenience and control with RemoteCondor
Wedding convenience and control with RemoteCondor
Igor Sfiligoi
 
GPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive SolutionsGPU Virtualization in Embedded Automotive Solutions
GPU Virtualization in Embedded Automotive Solutions
GlobalLogic Ukraine
 
Preparing Fusion codes for Perlmutter - CGYRO
Preparing Fusion codes for Perlmutter - CGYROPreparing Fusion codes for Perlmutter - CGYRO
Preparing Fusion codes for Perlmutter - CGYRO
Igor Sfiligoi
 
O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...
O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...
O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...
Igor Sfiligoi
 
Comparing single-node and multi-node performance of an important fusion HPC c...
Comparing single-node and multi-node performance of an important fusion HPC c...Comparing single-node and multi-node performance of an important fusion HPC c...
Comparing single-node and multi-node performance of an important fusion HPC c...
Igor Sfiligoi
 
The anachronism of whole-GPU accounting
The anachronism of whole-GPU accountingThe anachronism of whole-GPU accounting
The anachronism of whole-GPU accounting
Igor Sfiligoi
 
Auto-scaling HTCondor pools using Kubernetes compute resources
Auto-scaling HTCondor pools using Kubernetes compute resourcesAuto-scaling HTCondor pools using Kubernetes compute resources
Auto-scaling HTCondor pools using Kubernetes compute resources
Igor Sfiligoi
 
Speeding up bowtie2 by improving cache-hit rate
Speeding up bowtie2 by improving cache-hit rateSpeeding up bowtie2 by improving cache-hit rate
Speeding up bowtie2 by improving cache-hit rate
Igor Sfiligoi
 
Performance Optimization of CGYRO for Multiscale Turbulence Simulations
Performance Optimization of CGYRO for Multiscale Turbulence SimulationsPerformance Optimization of CGYRO for Multiscale Turbulence Simulations
Performance Optimization of CGYRO for Multiscale Turbulence Simulations
Igor Sfiligoi
 
Comparing GPU effectiveness for Unifrac distance compute
Comparing GPU effectiveness for Unifrac distance computeComparing GPU effectiveness for Unifrac distance compute
Comparing GPU effectiveness for Unifrac distance compute
Igor Sfiligoi
 
Managing Cloud networking costs for data-intensive applications by provisioni...
Managing Cloud networking costs for data-intensive applications by provisioni...Managing Cloud networking costs for data-intensive applications by provisioni...
Managing Cloud networking costs for data-intensive applications by provisioni...
Igor Sfiligoi
 
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory AccessAccelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Igor Sfiligoi
 
Using A100 MIG to Scale Astronomy Scientific Output
Using A100 MIG to Scale Astronomy Scientific OutputUsing A100 MIG to Scale Astronomy Scientific Output
Using A100 MIG to Scale Astronomy Scientific Output
Igor Sfiligoi
 
Using commercial Clouds to process IceCube jobs
Using commercial Clouds to process IceCube jobsUsing commercial Clouds to process IceCube jobs
Using commercial Clouds to process IceCube jobs
Igor Sfiligoi
 
Modest scale HPC on Azure using CGYRO
Modest scale HPC on Azure using CGYROModest scale HPC on Azure using CGYRO
Modest scale HPC on Azure using CGYRO
Igor Sfiligoi
 
Data-intensive IceCube Cloud Burst
Data-intensive IceCube Cloud BurstData-intensive IceCube Cloud Burst
Data-intensive IceCube Cloud Burst
Igor Sfiligoi
 
Scheduling a Kubernetes Federation with Admiralty
Scheduling a Kubernetes Federation with AdmiraltyScheduling a Kubernetes Federation with Admiralty
Scheduling a Kubernetes Federation with Admiralty
Igor Sfiligoi
 
Accelerating microbiome research with OpenACC
Accelerating microbiome research with OpenACCAccelerating microbiome research with OpenACC
Accelerating microbiome research with OpenACC
Igor Sfiligoi
 
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Igor Sfiligoi
 
Porting and optimizing UniFrac for GPUs
Porting and optimizing UniFrac for GPUsPorting and optimizing UniFrac for GPUs
Porting and optimizing UniFrac for GPUs
Igor Sfiligoi
 
Demonstrating 100 Gbps in and out of the public Clouds
Demonstrating 100 Gbps in and out of the public CloudsDemonstrating 100 Gbps in and out of the public Clouds
Demonstrating 100 Gbps in and out of the public Clouds
Igor Sfiligoi
 
TransAtlantic Networking using Cloud links
TransAtlantic Networking using Cloud linksTransAtlantic Networking using Cloud links
TransAtlantic Networking using Cloud links
Igor Sfiligoi
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
 

Más contenido relacionado

Más de Igor Sfiligoi

Comparing single-node and multi-node performance of an important fusion HPC c...
Comparing single-node and multi-node performance of an important fusion HPC c...Comparing single-node and multi-node performance of an important fusion HPC c...
Comparing single-node and multi-node performance of an important fusion HPC c...
Igor Sfiligoi
 
The anachronism of whole-GPU accounting
The anachronism of whole-GPU accountingThe anachronism of whole-GPU accounting
The anachronism of whole-GPU accounting
Igor Sfiligoi
 
Auto-scaling HTCondor pools using Kubernetes compute resources
Auto-scaling HTCondor pools using Kubernetes compute resourcesAuto-scaling HTCondor pools using Kubernetes compute resources
Auto-scaling HTCondor pools using Kubernetes compute resources
Igor Sfiligoi
 
Managing Cloud networking costs for data-intensive applications by provisioni...
Managing Cloud networking costs for data-intensive applications by provisioni...Managing Cloud networking costs for data-intensive applications by provisioni...
Managing Cloud networking costs for data-intensive applications by provisioni...
Igor Sfiligoi
 
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory AccessAccelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Igor Sfiligoi
 
Using A100 MIG to Scale Astronomy Scientific Output
Using A100 MIG to Scale Astronomy Scientific OutputUsing A100 MIG to Scale Astronomy Scientific Output
Using A100 MIG to Scale Astronomy Scientific Output
Igor Sfiligoi
 
Modest scale HPC on Azure using CGYRO
Modest scale HPC on Azure using CGYROModest scale HPC on Azure using CGYRO
Modest scale HPC on Azure using CGYRO
Igor Sfiligoi
 
Accelerating microbiome research with OpenACC
Accelerating microbiome research with OpenACCAccelerating microbiome research with OpenACC
Accelerating microbiome research with OpenACC
Igor Sfiligoi
 
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Igor Sfiligoi
 
Porting and optimizing UniFrac for GPUs
Porting and optimizing UniFrac for GPUsPorting and optimizing UniFrac for GPUs
Porting and optimizing UniFrac for GPUs
Igor Sfiligoi
 
Demonstrating 100 Gbps in and out of the public Clouds
Demonstrating 100 Gbps in and out of the public CloudsDemonstrating 100 Gbps in and out of the public Clouds
Demonstrating 100 Gbps in and out of the public Clouds
Igor Sfiligoi
 

Más de Igor Sfiligoi (20)

Preparing Fusion codes for Perlmutter - CGYRO
Preparing Fusion codes for Perlmutter - CGYROPreparing Fusion codes for Perlmutter - CGYRO
Preparing Fusion codes for Perlmutter - CGYRO
 
O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...
O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...
O&C Meeting - Evaluation of ARM CPUs for IceCube available through Google Kub...
 
Comparing single-node and multi-node performance of an important fusion HPC c...
Comparing single-node and multi-node performance of an important fusion HPC c...Comparing single-node and multi-node performance of an important fusion HPC c...
Comparing single-node and multi-node performance of an important fusion HPC c...
 
The anachronism of whole-GPU accounting
The anachronism of whole-GPU accountingThe anachronism of whole-GPU accounting
The anachronism of whole-GPU accounting
 
Auto-scaling HTCondor pools using Kubernetes compute resources
Auto-scaling HTCondor pools using Kubernetes compute resourcesAuto-scaling HTCondor pools using Kubernetes compute resources
Auto-scaling HTCondor pools using Kubernetes compute resources
 
Speeding up bowtie2 by improving cache-hit rate
Speeding up bowtie2 by improving cache-hit rateSpeeding up bowtie2 by improving cache-hit rate
Speeding up bowtie2 by improving cache-hit rate
 
Performance Optimization of CGYRO for Multiscale Turbulence Simulations
Performance Optimization of CGYRO for Multiscale Turbulence SimulationsPerformance Optimization of CGYRO for Multiscale Turbulence Simulations
Performance Optimization of CGYRO for Multiscale Turbulence Simulations
 
Comparing GPU effectiveness for Unifrac distance compute
Comparing GPU effectiveness for Unifrac distance computeComparing GPU effectiveness for Unifrac distance compute
Comparing GPU effectiveness for Unifrac distance compute
 
Managing Cloud networking costs for data-intensive applications by provisioni...
Managing Cloud networking costs for data-intensive applications by provisioni...Managing Cloud networking costs for data-intensive applications by provisioni...
Managing Cloud networking costs for data-intensive applications by provisioni...
 
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory AccessAccelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
Accelerating Key Bioinformatics Tasks 100-fold by Improving Memory Access
 
Using A100 MIG to Scale Astronomy Scientific Output
Using A100 MIG to Scale Astronomy Scientific OutputUsing A100 MIG to Scale Astronomy Scientific Output
Using A100 MIG to Scale Astronomy Scientific Output
 
Using commercial Clouds to process IceCube jobs
Using commercial Clouds to process IceCube jobsUsing commercial Clouds to process IceCube jobs
Using commercial Clouds to process IceCube jobs
 
Modest scale HPC on Azure using CGYRO
Modest scale HPC on Azure using CGYROModest scale HPC on Azure using CGYRO
Modest scale HPC on Azure using CGYRO
 
Data-intensive IceCube Cloud Burst
Data-intensive IceCube Cloud BurstData-intensive IceCube Cloud Burst
Data-intensive IceCube Cloud Burst
 
Scheduling a Kubernetes Federation with Admiralty
Scheduling a Kubernetes Federation with AdmiraltyScheduling a Kubernetes Federation with Admiralty
Scheduling a Kubernetes Federation with Admiralty
 
Accelerating microbiome research with OpenACC
Accelerating microbiome research with OpenACCAccelerating microbiome research with OpenACC
Accelerating microbiome research with OpenACC
 
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
Demonstrating a Pre-Exascale, Cost-Effective Multi-Cloud Environment for Scie...
 
Porting and optimizing UniFrac for GPUs
Porting and optimizing UniFrac for GPUsPorting and optimizing UniFrac for GPUs
Porting and optimizing UniFrac for GPUs
 
Demonstrating 100 Gbps in and out of the public Clouds
Demonstrating 100 Gbps in and out of the public CloudsDemonstrating 100 Gbps in and out of the public Clouds
Demonstrating 100 Gbps in and out of the public Clouds
 
TransAtlantic Networking using Cloud links
TransAtlantic Networking using Cloud linksTransAtlantic Networking using Cloud links
TransAtlantic Networking using Cloud links
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Addressing the Pilot Security Problem with gLExec - from CHEP 2007

  • 1. CHEP 2007 Addressing the Pilot Security Problem  With gLExec by   I. Sfiligoi (Fermilab) in collaboration with D. Yocum (Fermilab) O. Koeroo (NIKHEF) G. Venekamp (NIKHEF) CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 1
  • 2. Security in the Grid Local Grid Site 1 Queue Gatekeepers decide who to let in Grid site k Grid Site n Each user runs in Local Queue a different sandbox CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 2
  • 3. Pilots and the Grid  (1) Gatekeepers know  Local Grid Site 1 only about the pilots Pilots decide Queue what jobs to run VO pilot factory Grid site k VO Queue Grid Site n Local Pilots and all users Queue run sharing the same local identity CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 3
  • 4. Pilots and the Grid  (2) Gatekeepers know  Local Grid Site 1 only about the pilots Pilots decide Queue what jobs to run VO pilot factory Pilots may run jobs  Grid site i VO from unwanted users Queue Grid Site n Local Pilots and all users Queue run sharing the same OK for sites that trust the VO as a whole local identity but some sites need finer grained control CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 4
  • 5. Pilots and the Grid  (3) Gatekeepers know  Local Grid Site 1 only about the pilots Pilots decide Queue what jobs to run VO pilot factory Users can steal or corrupt  each other's data,  if running on the same node Grid site i VO Queue Grid Site n Local Pilots and all users Queue run sharing the same Any user can impersonate  local identity the pilot job CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 5
  • 6. Pilots and the Grid  (4) ● Pilots can be a problem for both the Grid sites  and pilot owners ● Grid sites – Who is running – Who to hold accountable – Reject jobs from unwanted users ● Pilot owners – Protect its infrastructure from malicious users – Protect users from each other – Avoid being held accountable for user's actions CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 6
  • 7. The  (simplified)  life of a pilot job Validate node Any jobs no Cleanup pilot area in queue? yes Fetch user Terminate job and credentials Cleanup job area Execute job Return output CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 7
  • 8. Introducing gLExec ● A x509 aware  (apache)  suExec equivalent ● Given a proxy and a binary Pilot job – authenticates and authorizes User proxy + – changes UID/GID user job executable – executes the binary gLExec Site policies ● Necessarily owned by root and suid­ed User job – Not a daemon CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 8
  • 9. Pilots with gLExec  (1) Local Grid Site 1 Queue Sites decide who to let run VO pilot factory Grid site k VO Queue Grid Site n Pilots and users run in Local Queue different sandboxes CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 9
  • 10. Pilots with gLExec  (2) Local Grid Site 1 Queue Sites decide who to let run VO pilot factory Like having a  Grid site i VO gatekeeper on every WN Queue VO still in charge Grid Site n of job scheduling Pilots and users run in Local Queue different sandboxes CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 10
  • 11. The need for centralized authorization ● With gLExec used by Pilots, sites can have  thousands of decision points – A centralized authorization infrastructure helps  keep consistency ● Open Science Grid (OSG) has GUMS/PRIMA – A PRIMA gLExec module exists  Local Grid Site Queue GUMS CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 11
  • 12. gLExec deployment @ Fermilab ● The PRIMA plugin for gLExec was jointly  developed by the NIKHEF and Fermilab  groups ● Fermilab was the first OSG site to install  gLExec on the worker nodes – First release in Oct'06 – Current release deployed in May'07 CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 12
  • 13. gLExec/GUMS @ Fermilab ● gLExec deployed and  used on more than  no gLExec no gLExec 500 nodes w/gLExec w/gLExec – Primary user is CDF ● GUMS shown to be  very scalable – Routinely handling  more than 500k  requests per day – gLExec contributing  for at most 20k CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 13
  • 14. gLExec in OSG ● gLExec with PRIMA plugin has been  incorporated in VDT 1.8 ● OSG sites will be encouraged to deploy it with  the upcoming OSG 0.8.0 release CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 14
  • 15. gLExec monitoring ● gLExec keeps a log of all authorization  requests – The DN and FQAN of the proxy – PID of the calling process – (Sub­)processes spawned – Start times and end times ●  Gratia probe uses this data – Gives accounting the real user identity CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 15
  • 16. Summary ● Pilots are becoming a reality – But are introducing new problems ● Yesterday's Grid security mechanisms are not  enough anymore – Site admins want fine grained control – Pilot owners want OS level protection ● gLExec can help solve the technical problems ● Fermilab experience positive,  waiting for wide OSG deployment CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 16
  • 17. CHEP 2007 Pilot Security with gLExec Backup slides CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 17
  • 18. gLExec jobs a day @ FNAL fcdfosg1 fcdfosg2 CHEP'07 ­ Sep 6th, 2007 Pilot Security with gLExec ­ by I. Sfiligoi 18