The Grid Manager utility (GridMgr)

   Formerly the GenGridMap utility

Overview

The GridMgr (and formerly the GenGridMap) utility was designed to help Grid resource administrators maintain an up-to-date Globus 2 setup. In practice, this utility can be used to help maintain any Grid Middleware supporting a grid-mapfile style of authentication (LCG, NorduGrid, VDT).

This functionality is possible by introducing the concept of a virtual organisation or VO. It is left up to the administrator of a virtual organisation to maintain a list of authorised users and certificate authority configuration files. This is done via a central LDAP database. Resource administrators wishing to participate in this VO can use this utility (GridMgr) to allow VO members to access their resource. VO subgroups can be created and specified independantly and administrators can still allow or block specific users.

The GridMgr utility is a greatly modified version of NorduGridmap (NorduGrid developers), which is a modified version of the mkgridmap (v1.6) Perl script written by the EU DataGrid, authorization team sec-grid@infn.it.

Features

• Resource administrators can still maintain a local, hardcoded, grid-mapfile.
• Email notification of modified account mappings, files, and files that require administrator checking and intervention.
• Installed host certificates can be checked and notification sent if expiring within a specified period of time.
• Extraction of Grid subjects from multiple VOs within LDAP databases.
• Allow or block Grid subjects from VO subgroups within LDAP.
• Allow or block individual Grid subjects from VOs within LDAP.
• Each VO or subgroup can be mapped to a global shared account or separate shared accounts.
• Each VO or subgroup can be mapped (via hashing) to a range of local accounts allowing limited account separation.
• The common name of a subject can be used to match to an individual local account, allowing for systems where shared accounts are prohibited. Administrators are optionally notified of new mappings and can require manual validation before becoming active.
• Grid subject can be specified in an LDAP database in one of 3 ways: with description attributes in the form "subject=..." ; or with the users certificate stored directly into the database as userCertificate;binary data ; or the distinguished name of the entry in the database.
• Configurable allow/deny rules based on certificate subject matching.
• Restriction of mappings to specific local account groups providing greater security for matched accounts.
• Reason for account denial is stored in grid-mapfile as a comment
• LDAP and HTTP storage and download of a VO required CA certificates and files lists, including automatic deletion of old files.
• Automatic checking of valid CA certificates as bad certificates can kill you Globus services!
• Administrator are optionally notified to check new files before they are installed. Problem files can be permanently disabled.
• Extraction of files from downloaded archives (tar,tgz,zip).
• Update of CA CRL (Certificate Revocation List) files following the EDG method of using *.crl_url files.
• Separate updating of CRL files allows administrators to perform this more frequently for a more secure environment.
• Logging of new or modified account mappings and file changes.
• Removed dependencies on Perl modules to reduce system installation effort. Dependencies are now on command line 'openssl' which is likely to be installed with Globus.
• Local simplified implementation of Net::LDAP and Net::LDAPS which uses OpenLDAP 'ldapsearch' command, likely to be installed
• Globus.
• Local simplified implementation of Net::HTTP and Net::SSLeay::get_https which uses the 'wget' command.
• Mapping to root or root group accounts can be explicitly denied.

System Architecture

There are two components that are required for this system:

• VO Server (LDAP service) -
  Each VO is expected to centrally maintain a VO server containing a list of it's members and internal structures (groups and roles).
• Grid Resources -
  The GridMgr utility is installed at the each resource and configured to allow access to one or more VOs, VO groups, or VO members.

Of course an LDAP service could reside anywhere, and could be hosted at any local grid resource. Many LDAP implementations allow for master/slave services, so VO information can also be replicated at a number of locations. It is also worth considering that a single LDAP service can be configured to host multiple VOs.

Requirements

The original NorduGridmap had a number Perl module and library requirements. The GridMgr utility has attempted to reduce these by reimplementing some of the complex Net:: and SSL packages using simple and common command line tools.

The following must be installed for GenGridMap to work:

• Perl 5
• OpenLDAP (ie. the 'ldapsearch' command commonly found in Globus)
• OpenSSL (ie. the 'openssl' command commonly found in Globus)
• wget
• mail or some command line mail sender

The following are recommended requirements:

• tar, gzip, zip (needed if downloaded CA files are archives)
• useradd or some account creation tool

The VO Server (LDAP)

Installing and Configuring an LDAP server is not in the scope of this document. See the OpenLDAP project.

Individual users should be stored in the VO Server (LDAP server) as publicly readable objectClass=organizationalPerson entries. (These are typically also objectClass=inetOrgPerson entries to allow email attributes to be set.) The Grid subject of each organizationalPerson is determined first by any description attribute matching subject=... (with no quotes), second by any stored userCertificate attribute (binary, PEM or DER), or thirdly by the actual distinguished name (DN) of the entry itself. To disable an organizationalPerson entry just set a description attribute of "subject=", blanking the subject. The following is an example individual user entry:

dn: cn=Lyle Winton,ou=Belle Members,ou=People,o=BelleTestbed,o=Grid
cn: Lyle Winton
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Belle Members
givenName: Lyle
sn: Winton
street: School of Physics\, University of Melbourne
l: Melbourne AUSTRALIA
st: VIC
postalCode: 3010
telephoneNumber: 61 3 8344 5455
description: subject=/O=Grid/O=Belle/OU=People/CN=Lyle Winton

Groups of individuals can be specified using objectClass=groupOfNames entries with multiple member attributes. Each member attribute must be the distinguished name (DN) of an existing organizationalPerson entry.

CA configuration files should be stored in the VO Server as objectClass=document entries. The documentIdentifier attribute of these entries is used to store the name of the file as installed under Globus. The documentLocation attribute is used as the location from where the file will be downloaded. HTTP and HTTPS are supported for file download locations. If any description attribute is set to "delete" the file will be scheduled for deletion. The files may be archives including TAR, TGZ, and ZIP. Configuration files are extracted from these archives to be processed before storing in the cert-path directory. Directories within archives are ignored. The following is an example CA configuration file entry:

dn: cn=5e24fe33.0,ou=Melbourne EPP CA,ou=CAFiles,ou=Documents,o=BelleTestbed,o=Grid
documentLocation: https://epp-ca.ph.unimelb.edu.au/Belle/5e24fe33.0
documentIdentifier: 5e24fe33.0
objectClass: top
objectClass: document
documentVersion: 1.0
documentPublisher: Melbourne EPP CA
cn: 5e24fe33.0

Download

Right click and save the GridMgr utility and configuration file from here:

• gridmgr : Grid Manager utility
• gridmgr.conf : Grid Manager configuration file
• vo-adduser : optional utility to create new VO users.
• vo-addcertfiles : optional utility to add or replace new VO CA files.
• LICENSE: GNU License for GridMgr
• ausgrid-gridmgr.conf: Suggested AusGrid testbed configuration file. Remember to change the notify-mail-address and both local-user settings.

Installation (on the Grid Resource)

1. Login as root.
2. Copy the files 'gridmgr' and 'gridmgr.conf' to /etc/grid-security
3. Make 'gridmgr' executable ("chmod ugo+x /etc/grid-security/gridmgr")
4. Edit 'gridmgr' and modify the second line '$GLOBUS_LOCATION=' to reflect the location of Globus on your system.
5. If you haven't done so already copy your static grid-mapfile to 'local-grid-mapfile' . This will be used for hardcoded entries.
6. Edit 'gridmgr.conf' and change the following:
   • notify-mail-address
   • notify-mail-command (is this your correct mail command?)
   • create-account-command (you may need to specify full path of useradd?)
   • local-user (set this to your default shared user account or comment it)
   • vo-users (check that these point to your VO)
   • vo-users local-user= (check that these are set to your shared local accounts, or <match> to perform common name matcing, or <none> to block the VO or group)
   • vo-certs (check that these point to your VO)
7. Test the installation by running "./gridmgr -t all"
8. Install gridmgr as a crontab entry in /etc/crontab . Setting it to run once an hour should be sufficient. The line usually looks like:

        0   *  *  *  *  root     /etc/grid-security/gridmgr all

Now you can configure some functionality to occur more frequently. The following crontab entries will enable the update users twice an hour, certificate revocation lists twice an hour, certificate configuration files once a day, and will check host certificates once a day.

     0,30   *  *  *  *  root     /etc/grid-security/gridmgr update-users
     5,35   *  *  *  *  root     /etc/grid-security/gridmgr update-crls
     0      0  *  *  *  root     /etc/grid-security/gridmgr update-certs
     0      0  *  *  *  root     /etc/grid-security/gridmgr check-certs

Configuration (on the Grid Resource)

You can type 'gridmgr -h | less' for help. If you wish to test a new configuration file before installing it you can run 'gridmgr -t -f conffile'. The test will not change any files but will explain what it would do. The resulting grid-mapfile will be printed to standard out followed by any notification that would have been sent. Check the comments in the grid-mapfile for reasons why subjects were denied.

If you wish to map a VO or subgroup to a shared local account you should add a line of the following format (all on the same line):

     vo-users = ldap://belle-vo.ph.unimelb.edu.au/ou=People,o=AusGrid,o=Grid
       local-user=ausgrid

This is the actual entry for the Aus-Grid Research testbed. Here 'ausgrid' is the shared local account.

If you wish to map a VO or subgroup to local accounts matching the Grid subject common name to the full name of the local account add a line of the following format (all on the same line):

     vo-users = ldap://belle-vo.ph.unimelb.edu.au/ou=People,o=AusGrid,o=Grid
       local-user=<match> allow-groups=grid,testing

In this example access will only be given to local accounts that are in group 'grid' or 'testing'. You should also ensure that the setting 'notify-user-change' is set to 'true' as local account full names are tainted. If your notify-mail settings are correct it will notify you of any modified account mappings.

You will also need to include the VO list of trusted certificate authorities by adding a line of the following format (all on the same line):

     vo-certs = ldap://belle-vo.ph.unimelb.edu.au/ou=CAFiles,ou=Documents,o=AusGrid,o=Grid

If you require greater security you should ensure your notification settings are correct. Make sure your 'notify-mail-address' setting is correct and that the 'notify-mail-command' works for root. All other 'notify-*' setting should be 'true'. At the very least, the 'cert-cafile-check' setting should be 'true' to prevent malicious CA certificate spoofing.

External Tools

You can use any LDAP browser to view VO LDAP entires. For example, you can BROWSE the AusGrid VO online using LDAPExplorer (get it from Debian-stable).

I recommend the java application LDAP Browser/Editor for the management of LDAP databases or VO entries.

Support

Email Lyle Winton (winton @ physics.unimelb.edu.au) if you require any help or have any bug fixes. Have fun.