Università degli Studi di Bari – Corso di Laurea Specialistica in Informatica
"Tecnologia dei Servizi" – Grid e cloud computing, A.A. 2009/2010
Giorgio Pietro Maggi, giorgio.maggi@ba.infn.it, http://www.ba.infn.it/~maggi
Lezione 7a – 9 December 2009
The teaching material used in this course is taken from the material used by Paolo Veronesi for the course "Griglie Computazionali" of the Laurea Specialistica in Informatica, held in the academic year 2008/09 at the Università degli Studi di Ferrara.
Paolo Veronesi, paolo.veronesi@cnaf.infn.it, pveronesi@unife.it, http://www.cnaf.infn.it/~pveronesi/unife/
Tecnologia dei Servizi “Grid e cloud computing” - Lezione 007 a 0
References
- gLite documentation: http://glite.web.cern.ch/glite/documentation/default.asp
- gLite User Guide: https://edms.cern.ch/file/722398//gLite-3-UserGuide.pdf
- VOMS Guide: https://edms.cern.ch/file/973684/1/voms-guide.pdf
- VOMS Admin User Guide: https://edms.cern.ch/file/974094/1/vomsadmin-user-guide.pdf
Make a proxy
- Inspect your personal certificate (grid-cert-info)
- Create a proxy without VOMS extensions and check it (grid-proxy-init)
- Create a proxy with VOMS extensions and check it (voms-proxy-init)
Use <command> -help to see how to use each of them.
grid-cert-info
- Inspects the public certificate in $HOME/.globus
- No network communication
- Same result you get by inspecting the certificate with the openssl commands or by checking it on the Certification Authority's web site
grid-proxy-init
- Creates a proxy without VOMS extensions (the passphrase is requested because the private key is used to sign the proxy)
- Default lifetime: 12 hours
- Proxies with a lifetime longer than the validity of the certificate can be created! (such a proxy is useless once the certificate itself expires: the chain no longer validates)
- Check the proxy with: grid-proxy-info -all
- With this proxy I can only authenticate; authorizations are based on the VOMS extensions

$ grid-proxy-info -all
subject  : /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi/CN=1777588616
issuer   : /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi
identity : /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi
type     : Proxy draft (pre-RFC) compliant impersonation proxy
strength : 512 bits
path     : /tmp/x509up_u11397
timeleft : 1513:49:55 (63.0 days)

Note the strength: a 512-bit proxy key is weak by today's standards; the -bits option of grid-proxy-init selects a longer key.
voms-proxy-init
- Equivalent to grid-proxy-init if no VO is specified
- The VOMS server is contacted to retrieve the extensions (the attribute certificate, AC, that it signs)
- Check with voms-proxy-info -all. Note the two distinct timeleft fields: the first is the lifetime of the proxy certificate, the second the lifetime of the VOMS AC. What happens when one of the two expires? If the AC expires first, the proxy still authenticates but VOMS-aware services no longer authorize it; if the proxy certificate expires, nothing works, however fresh the AC is.

$ voms-proxy-info -all
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u11397
timeleft  : 11:58:17
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:58:17
Requesting VOMS Group/Role in Proxy
One of the main features of VOMS is its capability to create groups and roles, which allows the VO administrator to differentiate users' privileges and rights. Users who already belong to a group, or are already assigned a Role, can request it while creating the proxy with the voms-proxy-init command. The information is then signed by the VOMS server and inserted in the proxy's AC; resources are able to parse it and assign the user the expected rights.

Syntax
The group/role request is made by appending a request to the --voms option of voms-proxy-init:
- --voms YourVO:/YourVO/Desired-Group in case of a group request;
- --voms YourVO:/YourVO/Role=Desired-Role in case of a role request;
- --voms YourVO:/YourVO/Desired-Group/Role=Desired-Role in case of a mixed (group + role) request.
Let's make it plain with some examples.
Group request
Suppose you want to create a VOMS proxy for the gilda VO, requesting membership of the generic-users group. Then you just have to run:

$ voms-proxy-init --voms gilda:/gilda/generic-users

Of course this won't work if you don't belong to the gilda VO or if you don't belong to the generic-users group. You can verify that the command has run successfully with the voms-proxy-info command:

=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=CATANIA/CN=CATANIA49/Email=tony.calanducci@ct.infn.it
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/generic-users/Role=NULL/Capability=NULL
attribute : /gilda/Role=NULL/Capability=NULL
timeleft  : 11:59:37
Role request
If you belong to the gilda VO and want to get the Role GenericRole within your proxy, you just have to run:

$ voms-proxy-init --voms gilda:/gilda/Role=GenericRole

You can then verify with voms-proxy-info -all:

=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=CATANIA/CN=CATANIA49/Email=tony.calanducci@ct.infn.it
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/Role=GenericRole/Capability=NULL
attribute : /gilda/Role=NULL/Capability=NULL
attribute : /gilda/generic-users/Role=NULL/Capability=NULL
timeleft  : 11:57:56
Group + Role (1/2)
You may have noticed that, both when requesting a Role and when requesting a group membership, the request you append always starts with /gilda: that's because the group named after the VO is the default group to which all VO members belong; even though it is the default, it must always be specified. As a consequence, the requests /gilda/Role=GenericRole and /gilda/generic-users/Role=GenericRole are different, as you can verify by executing them and comparing the first attribute inserted in the resulting VOMS proxies. In the former you are requesting the Role within the default group, in the latter you are requesting the Role within the group generic-users. By the way, you will notice that the general syntax is /group/subgroup1/../Role=... Of course, for the request to work it has to be consistent with the privileges that the VO-Admin has given you.
Group + Role (2/2)
Here is an example of a Role requested within a subgroup: you can compare the output of the following voms-proxy-info with the one obtained in the previous paragraph and see the differences.

$ voms-proxy-init --voms gilda:/gilda/generic-users/Role=GenericRole
[...]
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=CATANIA/CN=CATANIA49/Email=tony.calanducci@ct.infn.it
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/generic-users/Role=GenericRole/Capability=NULL
attribute : /gilda/Role=NULL/Capability=NULL
attribute : /gilda/generic-users/Role=NULL/Capability=NULL
timeleft  : 11:59:36
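Before handing a proxy to a job it pays to check, from the `voms-proxy-info -all` output, three things the slides above leave to the eye: that the requested FQAN really is the first attribute (the primary FQAN, the one services use for account and group mapping), how long the proxy certificate itself is still valid, and how long the VOMS AC is. The script below is an added example, not code from the slides or from the gLite/VOMS project; the sample output is constructed from the values shown in the slides, the function names are mine, and an AC about to expire is deliberately included to show the two lifetimes being told apart.

```shell
#!/bin/sh
# Added example: sanity-check a VOMS proxy from the text of `voms-proxy-info -all`.
# SAMPLE is constructed (values taken from the slides, AC lifetime shortened on purpose).
SAMPLE='subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=CATANIA/CN=CATANIA49/CN=proxy
issuer    : /C=IT/O=GILDA/OU=Personal Certificate/L=CATANIA/CN=CATANIA49
identity  : /C=IT/O=GILDA/OU=Personal Certificate/L=CATANIA/CN=CATANIA49
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u11397
timeleft  : 11:59:36
=== VO gilda extension information ===
VO        : gilda
subject   : /C=IT/O=GILDA/OU=Personal Certificate/L=CATANIA/CN=CATANIA49
issuer    : /C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it
attribute : /gilda/generic-users/Role=GenericRole/Capability=NULL
attribute : /gilda/Role=NULL/Capability=NULL
attribute : /gilda/generic-users/Role=NULL/Capability=NULL
timeleft  : 00:04:12'

# hh:mm:ss -> seconds; the hour field is unbounded (the slides show 1513:49:55).
hms_to_seconds() {
    echo "$1" | awk -F: '{ print $1*3600 + $2*60 + $3 }'
}

# Lifetime of the proxy certificate: the first "timeleft" line,
# which is printed before any "=== VO ... ===" block.
proxy_timeleft() {
    printf '%s\n' "$1" | awk '/^=== VO/ { exit } /^timeleft/ { print $3; exit }'
}

# Lifetime of the VOMS AC for VO $2: the "timeleft" inside its extension block.
ac_timeleft() {
    printf '%s\n' "$1" | awk -v vo="$2" '
        $0 == "=== VO " vo " extension information ===" { invo = 1; next }
        invo && /^===/ { invo = 0 }
        invo && /^timeleft/ { print $3; exit }'
}

# Primary FQAN for VO $2: the first "attribute" line of its block.
# Order matters: this is the FQAN a site maps the user from.
primary_fqan() {
    printf '%s\n' "$1" | awk -v vo="$2" '
        $0 == "=== VO " vo " extension information ===" { invo = 1; next }
        invo && /^===/ { invo = 0 }
        invo && /^attribute/ { print $3; exit }'
}

# check_proxy <info text> <vo> <wanted primary FQAN> <minimum seconds>
# Returns 0 and prints "ok" when the primary FQAN matches and both lifetimes
# are at least <minimum seconds>; otherwise prints the reason and returns
# 1 (wrong FQAN), 2 (proxy certificate too short) or 3 (VOMS AC too short).
check_proxy() {
    info=$1; vo=$2; want=$3; min=$4
    got=$(primary_fqan "$info" "$vo")
    [ "$got" = "$want" ] || { echo "primary FQAN is '$got', wanted '$want'"; return 1; }
    p=$(hms_to_seconds "$(proxy_timeleft "$info")")
    a=$(hms_to_seconds "$(ac_timeleft "$info" "$vo")")
    [ "$p" -ge "$min" ] || { echo "proxy certificate expires in ${p}s"; return 2; }
    [ "$a" -ge "$min" ] || { echo "VOMS AC expires in ${a}s while the proxy lasts ${p}s: re-run voms-proxy-init"; return 3; }
    echo ok
}

# On a real UI: check_proxy "$(voms-proxy-info -all)" gilda /gilda/generic-users/Role=GenericRole/Capability=NULL 3600
check_proxy "$SAMPLE" gilda /gilda/generic-users/Role=GenericRole/Capability=NULL 3600
```

Return code 2 versus 3 is the practical answer to the "which timeleft expired?" question: with 3 the proxy certificate is still usable and only the VOMS extensions need refreshing; with 2 a new proxy has to be created (or retrieved from a credential repository) before anything else.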
Credential Storage: MyProxy
What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
- Open Source Software
MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g. passphrase quality checks)
  - CA certificates and CRLs are updated automatically at login
- MyProxy integrates with existing authentication systems
  - Providing a gateway to grid authentication
Scenario 1: Users already have PKI credentials
- The MyProxy repository can help users manage their credentials by:
  - Securing private keys in a professionally managed server
  - Obtaining credentials when/where needed
  - Using credentials with MyProxy-enabled applications
Scenario 2: Users have site logons but no PKI credentials
- The MyProxy CA can provide the bridge
Scenario 3: Users need to register to obtain PKI credentials
- User registration portals provide a MyProxy interface
Scenario 4: Users need to run Grid jobs longer than the typical proxy lifetime
- A MyProxy server is used to create and store a long-term proxy, which is used to renew the short-term proxies when they are about to expire
MyProxy Repository Policies
- Who can store credentials?
  - Restrict to specific users or CAs
  - Restrict to administrator only
- Who can retrieve credentials?
  - Allow anyone with the correct password
  - Allow only trusted services / portals
- Policies are server-wide and per-credential
- Maximum lifetime of retrieved credentials
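The policy decisions listed on this slide map onto directives of the MyProxy server configuration file (myproxy-server.config). What follows is an added example, not from the slides or from the MyProxy project: two constructed configuration fragments, one permissive and one restricted so that only the WMS may renew stored proxies (the property the renewal service relies on), plus a small shell checker that flags the permissive settings. The directive names are those of myproxy-server.config; the WMS host DN is a hypothetical placeholder, and max_proxy_lifetime is assumed to be expressed in seconds (43200 = 12 hours).

```shell
#!/bin/sh
# Added example: weak versus hardened MyProxy repository policy, with a checker.
# Both fragments are constructed for illustration; the renewer DN is hypothetical.
WEAK_CONFIG='# anyone may store, anyone with the passphrase may retrieve, anyone may renew
accepted_credentials    "*"
authorized_retrievers   "*"
default_retrievers      "*"
authorized_renewers     "*"
default_renewers        "*"
max_proxy_lifetime      604800'

HARDENED_CONFIG='# only credentials from our CA, renewal only by the WMS, 12-hour proxies
accepted_credentials    "/C=IT/O=GILDA/OU=Personal Certificate/*"
authorized_retrievers   "*"
default_retrievers      "*"
authorized_renewers     "/C=IT/O=INFN/OU=Host/L=Example/CN=wms.example.org"
default_renewers        "none"
max_proxy_lifetime      43200'

# directive <config text> <name>: value of the directive with quotes stripped,
# empty when absent. Comment lines never match because their first field is "#".
directive() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { sub(/^[^ \t]+[ \t]+/, ""); gsub(/"/, ""); print; exit }'
}

# check_policy <config text>: prints one finding per line, returns their count.
check_policy() {
    cfg=$1; n=0
    renew=$(directive "$cfg" default_renewers)
    if [ "$renew" != "none" ]; then
        echo "default_renewers is '${renew:-unset}': per-credential policy lets any authorized renewer renew; set it to none and let users opt in with myproxy-init -R"
        n=$((n + 1))
    fi
    auth=$(directive "$cfg" authorized_renewers)
    if [ "$auth" = "*" ]; then
        echo "authorized_renewers is '*': any DN may act as renewer; restrict it to the WMS host DN"
        n=$((n + 1))
    fi
    acc=$(directive "$cfg" accepted_credentials)
    if [ "$acc" = "*" ]; then
        echo "accepted_credentials is '*': credentials issued by any CA are stored; restrict to the expected CA"
        n=$((n + 1))
    fi
    life=$(directive "$cfg" max_proxy_lifetime)
    if [ -n "$life" ] && [ "$life" -gt 43200 ]; then
        echo "max_proxy_lifetime is ${life}s: retrieved proxies outlive the 12-hour norm for short-lived proxies"
        n=$((n + 1))
    fi
    return $n
}

# Typical use against a live server: check_policy "$(cat /etc/myproxy-server.config)"
echo "weak:";     check_policy "$WEAK_CONFIG"     || echo "  $? finding(s)"
echo "hardened:"; check_policy "$HARDENED_CONFIG" || echo "  $? finding(s)"
```

The two renewer directives are the ones that matter for the "stolen credential" argument made later in these slides: with default_renewers set to none and authorized_renewers pinned to the WMS DN, a copy of a user's proxy is not enough to obtain a fresh one from the repository, because the renewal request must also be authenticated by the WMS itself.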
MyProxy in EGEE
- EGEE security is based on proxy certificates
  - often carrying VOMS attribute certificates
- MyProxy is used for several purposes:
  - Solution for portals (P-GRADE, Genius)
    - a common way of using MyProxy
  - Long-running jobs and data transfers
    - credential renewal
  - t-Infrastructure CA
    - formalized on-line CA based on MyProxy
Long-running Jobs
- Jobs require valid credentials
  - e.g. to access GridFTP data repositories on the user's behalf
  - these operations must be secured using the user's credentials
- A job's lifetime can easily exceed the lifetime of a proxy
  - consider waiting in the queues, possible resubmissions, computation time, data transfers, etc.
  - VOMS attribute certificates also have a limited lifetime
- Submitting a job with sufficiently long credentials is not an option
  - the overall job lifetime is not known in advance
  - it violates the meaning of short-lived proxies
  - the risk increases if the credential is stolen
  - it might be unacceptable for the end resources
- How to provide jobs with a valid short-lived credential throughout their run?
Proxy Renewal Service
- Periodic renewal of credentials
  - maintains a list of the jobs' proxy certificates to be kept valid
  - uses the MyProxy repository
    - server specified by the user in the job description
    - uses the renewal mode
    - authenticates using the WMS credential AND authorizes using the proxy being renewed
  - Support for renewal of VOMS attributes
- Part of the broker node (WMS)
  - A job's proxy is registered upon submission
  - It is renewed whenever it is about to expire
    - several attempts are made until renewal succeeds
  - After renewal the new proxy is pushed to the computing resource where the job is running
  - After job completion the proxy is unregistered
Proxy Renewal Service (diagram of the renewal flow between user, WMS, MyProxy server and computing resource)
Proxy Renewal Service
- Ensures that jobs always have a valid short-lived proxy
- Users have full control over their proxies and their renewal
- Support for VOMS
- All operations are logged
  - allows an audit
- Stolen credentials can't be renewed easily
  - the WMS credential is necessary for renewal
  - an older (still valid) proxy must be available for renewal
- Using the MyProxy repository reduces the risk when services are compromised
- Developed in EU DataGrid, in production use in EGEE
Long-term Data Transfers
- EGEE applications often need to move large amounts of data
- The File Transfer Service (FTS) is used to handle such file movement requests
- Similar problem as in the case of jobs
  - the transfer can last a long time, can be rescheduled, etc.
- FTS currently uses password-based retrieval from MyProxy
- Support for renewal is currently being added
  - based on routines from the renewal service
Credential Delegation through MyProxy
MyProxy use:
- Register a long-lived proxy in the MyProxy server grid001.ct.infn.it (myproxy-init)
- Gather information about the proxy stored in the MyProxy server (myproxy-info)
- Get a delegated proxy from the MyProxy server (myproxy-get-delegation)
- Destroy the remote proxy (myproxy-destroy)
Use <command> -help to see how to use each of them.
myproxy-init
- Creates and stores a proxy without VOMS extensions on the MyProxy server (the stored proxy is protected by a passphrase different from the one of the private key)
- Default lifetime: 7 days
- Check with myproxy-info

$ myproxy-init
Your identity: /C=IT/O=GILDA/OU=Personal Certificate/L=unife/CN=Paolo Veronesi
Enter GRID pass phrase for this identity:
Creating proxy .... Done
Proxy Verify OK
Your proxy is valid until: Tue May 12 14:03:12 2009
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user veronesi now exists on myproxy.ct.infn.it.
myproxy-get-delegation
- Retrieves a proxy previously stored on a MyProxy server (only the MyProxy passphrase is needed, not the private key)
- voms-proxy-init -noregen --voms gilda -cert /tmp/x509up_u11397
  adds the VOMS extensions to an existing proxy without regenerating the proxy itself => renewal of the VOMS extensions alone
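Putting the last two slides together: a long-running agent (or a user who keeps a session open for days) has to decide, from the two lifetimes, whether it only needs fresh VOMS extensions or a whole new proxy from the repository. The script below is an added example, not from the slides or from the MyProxy/VOMS projects. It assumes the MyProxy server and stored user name shown on the myproxy-init slide and the gilda VO; the one-hour threshold and the DRY_RUN switch are mine, and the numeric lifetimes come from the real `voms-proxy-info -timeleft` and `-actimeleft` options (proxy certificate and AC time left in seconds, respectively).

```shell
#!/bin/sh
# Added example: refresh a proxy from its two lifetimes, using the commands on the slides.
# Server, user, VO and threshold are assumed values; DRY_RUN=1 prints commands instead of running them.
MYPROXY_SERVER=${MYPROXY_SERVER:-myproxy.ct.infn.it}
MYPROXY_USER=${MYPROXY_USER:-veronesi}
VO=${VO:-gilda}
MIN_LEFT=${MIN_LEFT:-3600}      # act when less than one hour remains

# run <command...>: execute, or just print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# decide <proxy seconds left> <AC seconds left>: prints "proxy", "ac" or "ok".
# The proxy certificate is checked first: a fresh AC cannot rescue an expired proxy,
# while an expired AC on a valid proxy only needs voms-proxy-init -noregen.
decide() {
    proxy_left=$1; ac_left=$2
    if [ "$proxy_left" -lt "$MIN_LEFT" ]; then
        echo proxy
    elif [ "$ac_left" -lt "$MIN_LEFT" ]; then
        echo ac
    else
        echo ok
    fi
}

# refresh <proxy seconds left> <AC seconds left>: carry out the decision.
# A new proxy is delegated from the long-lived one stored with myproxy-init
# (MyProxy passphrase, not the private key), then the VOMS extensions are
# added to it in place; an AC-only refresh skips the MyProxy step.
refresh() {
    case "$(decide "$1" "$2")" in
        proxy)
            run myproxy-get-delegation -s "$MYPROXY_SERVER" -l "$MYPROXY_USER" -t 12 \
                -o "${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}"
            run voms-proxy-init -noregen --voms "$VO"
            ;;
        ac)
            run voms-proxy-init -noregen --voms "$VO"
            ;;
        ok) : ;;
    esac
}

# On a real UI, feed in the live numbers:
# refresh "$(voms-proxy-info -timeleft)" "$(voms-proxy-info -actimeleft)"
DRY_RUN=1 refresh 43000 120    # AC nearly gone, proxy fine: VOMS extensions only
DRY_RUN=1 refresh 120 120      # proxy nearly gone: new delegation, then extensions
```

Running the script with DRY_RUN=1 prints the two command sequences without touching any server, which is also a convenient way to review the exact flags before putting the loop in a cron job or a pilot.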