Transition to Role-based Assignment of Local User-Ids

U.S. CMS and U.S. ATLAS Privilege Project
http://computing.fnal.gov/docs/products/voprivilege/

Date: 2005-01-11, Last Updated 2005-01-17
Author: Markus Lorch, Email: mlorch at vt dot edu

Content:

1. Background
2. Centralized Identity Mapping Functionality and Components
3. Role-based Identity Mapping Functionality and Components
4. Transition Scenarios
5. Expected Transition Path
6. Error Scenarios / FAQ
7. Advanced Functionality

This document is intended as a high-level overview and transition guideline for OpenScienceGrid sites wishing to employ improved access-control mechanisms for their Grid resources based on the mechanisms made available by the Privilege Project.

1. Background

Virtual Organizations that want to become part of OpenScienceGrid will have to provide information on who the VO's members are. The mechanisms provided by the Privilege Project built on the management of VO members through VOMRS (The Virtual Organization Registration Service) and VOMS (the Virtual Organization Membership Service) as already practiced in Grid03 VOs. In Grid03 the membership information from VOMS was frequently converted into grid-mapfiles which in turn were distributed to the gatekeepers.

This basic approach has several limitations, most notably only a many-to-one mapping can effectively be implemented where all members of a VO get mapped to the same local identity. This decreases overall system and data security and hinders accounting due to the use of shared accounts. Individual one-to-one mappings, while theoretically possible, are typically not used due to prohibitive administrative overhead. Further more a single grid identity (certificate DN of a user) could not be member of more than one VO. To deal with this issue users sometimes had to hold, maintain and use multiple different identity certificates.

These issues and the motivation for the Privilege Project are documented in a motivational document. [motivation-2005-01-14.pdf].

The Privilege Project functionality developed for OSG-0 enables primarily two improved ways to manage the assignment of local user accounts:

1. It allows for the centralized management of the Grid-identity (user's certificate distinguished name) to local user Id (operating system user name) mapping. This alleviates the issues associated with the creation of static grid-mapfiles and their distribution to all grid resources as the mapping information is now being kept in a centrally managed database. This functionality is referred to in this document as "centralized identity mapping".
2. It provides mechanisms for user's to select a specific VO-membership and VO-role combination out of the set of VOs and roles that the user's are authorized to use. The system can map grid user identities to local user Ids based on the selected VO and role attributes. A single grid user identity (DN of the user's identity certificate) can be mapped to a variety of local accounts based on other attributes of the user (the user-selected VOs/VO-roles and possibly other attributes in the future). This functionality is referred to in this document as "role-based identity mapping"

The infrastructure provided by the Privilege Project components allows for additional functionality to be provided in the future. This functionality can include fine-grained access control decisions based on advanced access control policies as well as distributed management of access control through direct delegation of access rights.

Figure 1 provides an architectural overview that shows the components needed for "centralized identity mapping" in blue (PRIMA module, GUMS Server) and the additional components that enable "role-based identity mapping" in pink (VOMS-Proxy-Init). The light green components (VOMS and VOMRS or VOMS-admin) are already in place in Grid03 VOs but will need to be updated to current versions.

Figure 1 - Privilege Architecture Overview

The following sections provide information on what Privilege Project components are required to achieve either only the "centralized identity mapping" or also the "role-based identity mapping" functionality and their dependencies.

2. Centralized Identity Mapping Functionality and Components

To support centralized identity mapping on compute resources two components are required. The PRIMA module on each gatekeeper and the GUMS server for each administrative domain (local user account domain).

1. PRIMA module requirements

• Globus Gatekeeper with the Grid-map callout introduced in GT3.2 and compiled against the OpenSSL library version 0.9.7. This version of the Globus Gatekeeper will be distributed with VDT 1.3
• Ability to open an outgoing HTTPS connection to the appropriate GUMS Server

2. GUMS requirements

• Tomcat web service container (tested with version 5.0 and 5.5, should be ok with 4.x)
• Incoming HTTPS connections to one port (e.g. 8443) allowed from all gatekeepers of the local administrative domain
• MySQL database
• Synchronization of database with the VOMS servers of all supported VOs

3. Role-based Identity Mapping Functionality and Components

3.1 PRIMA module configuration

• On every gatekeeper the set of VOMS server public-key certificates that are trusted to issue VOMS-extended proxies to users must be present (similar to trusted CAs)
  --> This requirement is currently being revisited (2005-01-17)

3.2 VOMS-proxy-init

• the VOMS-proxy-init client program must be available on every workstation and configured with the set of available VOMS servers
• VOMS version of 1.2.19 or 1.3.1 (NOT 1.3.0 which is really 1.2.16, though patches for this older version that fix an encoding flaw are available from the privilege team)
• The VOMS server port must accept incoming connections from every possible VO member's workstation

4. Transition Scenarios

The following transition scenarios are envisioned in which the introduced components may not be deployed at all sites:

1. Legacy Client+Server Scenario: neither Grid client nor Grid compute resource have privilege components installed
   Effect: Grid subject to local user account mapping is based solely on the user's distinguished name and the mapping entries in the grid-map file
   
2. Legacy Client Scenario: Grid client does not have privilege components installed, Grid compute resource has GT3.2 gatekeeper with PRIMA module and access to a GUMS service
   Effect: "Centralized User Mapping" is enabled and the site can employ more flexible mapping policies that may include the dynamic allocation of individual accounts from a pool of shared accounts. Identity mapping policy is centrally administered at the GUMS service, the grid-map file is no longer used. The Grid user can only be mapped to one (default) local user account. Mapping a single Grid user to different VOs or roles within a VO is not possible.
   
3. Legacy Server Scenario: Grid client does have VOMS-proxy-init installed and access to a VOMS server but Grid compute resource does not have the PRIMA module installed.
   Effect: In this case the VOMS extension which embeds role information into the user's proxy certificate is ignored by the gatekeeper (all versions) and identity mapping is based solely on the contents of the grid-map file.
   
4. Full Support Scenario: Both Grid client and Grid compute resources have the privilege components installed.
   Effect: Full support for "centralized identity mapping" and "role based identity mapping"

5. Expected Transition Paths

The following discussion assumes that existing Grid03 sites utilize a grid-map generation and distribution mechanisms that generates grid-map files from VOMS databases and distributes these files frequently to all Grid compute resources. The transition to support centralized identity mapping and role-based identity mapping is envisioned as follows:

1. Sites set up a site GUMS identity mapping service in parallel to the generation of grid-mapfiles. Both sources uses the VOMS vo-membership database as their data source.
   This allows the introduction of a GUMS server (which will be utilized in the next steps) but enables the continued use of grid-map files for those gatekeeper that are in
   production and cannot be updated soon as outlined in step 2. It also makes sure that the mapping entries in these grid-mapfiles and the decisions returned by GUMS if used as a service in step 2 are consistent and reflect changes in the VOMS database.
   
2. Incrementally the compute resources are updated to utilize the PRIMA module and replace the grid-mapfile. The grid-mapfile may still be provided to the compute resources and switching between the two mechanisms is simply done through the modification of the Globus grid-map callout configuration file during operation.
   
3. Trusted VOMS servers are configured on the gatekeepers by downloading the public key certificates of the VOMS servers from a trusted repository to each gatekeeper.
   
4. The Grid clients are updated to VDT 1.3.1 which will include the voms-proxy-init and users educated in how they can specify a role that differs from their default role.
   

6. Error Scenarios / FAQ

6.1 PRIMA extracts an unrecognized attribute certificate from the proxy certificate or doesn't recognize the VOMS that supplied the ACs.

Invalid ACs (ACs without a VOMS payload are being ignored) by the PRIMA module.

6.2 The PRIMA module recognizes the VOMS attribute and the GUMS does not. In some ways, the question is ... if something is screwed up on the server side does a job created using a globus-proxy-init have a better chance of running than one created with voms-proxy-init, or are they equal?

Due to the (current) seeding of the GUMS database from VOMS it is unlikely that there would be a VOMS issued attribute that GUMS doesn't know about. However, we already identified a scenario where people who are not in a VO (and thus not in a VOMS database) would like to run with a (locally managed) role and include a "desired role" attribute. PRIMA would pass this attribute on and GUMS makes a decision based on its policy (which may include these people and their roles) knowing that the attribute was in fact self-signed by the user. (this is not yet implemented for OSG-0)

In any case, depending on how the GUMS policy is written:

If the user requests a role that he/she is not a member of (in the view of GUMS) then
the mapping/access request will be denied. There is a good chance that by not requesting
a specific role (e.g. through a standard proxy) the user may be mapped to a default account (which may be associated with a different VO than the user intended). So I think this boils down to the issue of "What should be the default VO/default mapping for a user". (see below)

6.3 What should be the default user mapping if a request comes in with a standard proxy certificate without an indication of the desired role? Presumably the users will register the same DN+CA in multiple VOMRS. If a user subsequently uses a legacy client, what happens to the request since there is no way to determine which VO should be used? [remember, the user may not know or have control over the site and set of servers the job is sent to.]

This is the "what is the default VO/role" question from above. In Grid03 the user had to "know" which of his certificates is mapped to which of his VOs at what site. This has been reduced to "to which role is my certificate mapped to at site X".

This question is currently being discussed (2005-01-17).

In the current architecture it is up to the GUMS administrator to define this behavior (default mapping) for the local site. I see that this may breed confusion and issues on the user sites if the GUMS administrators at different sites may different default mapping choices. (And they will).
E.g. if I run at FNAL my default (primary) VO may be USCMS, at BNL my default VO may be USATLAS.
-> should we include a field in VOMRS which identifies a VO as a primary VO?
-> should we recommend that there is no default mapping? Then legacy proxy support would have to be specifically requested from the site/GUMS administrator.

6.4. The user presents an AC from a VOMS but the GUMS doesn't know anything about the user.

Then this user is not allowed at the GUMS site - even though he is a member of a VO. Request is denied.

7. Advanced Features

7.1 Dynamically allocated user accounts

The GUMS server is able to map a user on the user's first access to a site to a previously unallocated user account (from a pool of precreated accounts). On subsequent accesses the user will always be mapped to the same account. This can alleviate delays present if standard allocation procedures, designed for interactive accounts at the site, are followed to create local user accounts for grid resources.

7.2 Dynamic mapping of local group ID and supplemental group IDs

The GUMS identity mapping service can also provide, together with a local user ID, the local group ID and the set of supplemental group IDs that a request access should be executed with. This is a proposed mechanism that would allow to dynamically change the group access rights available to a user based e.g. on the current role the user has. This idea is discussed in more detail in a separate document [group mapping doc].

If group IDs and supplemental group IDs are to be dynamically set, the PRIMA module has to override the default group ID assignment based on /etc/password and /etc/group. Provisions must be in place that assure that the same mapping is being performed on the worker nodes of cluster computers at the time of job execution by the batch system. Prevalent batch systems do not support this dynamic, request-specific allocation of group IDs.