Difference between revisions of "LCMAPS Tracking GroupID plugin"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 58: Line 58:
 
=== CAVEAT 2 ===
 
=== CAVEAT 2 ===
 
I might have made some typos and style mistakes in the documentation and man pages. These will be fixed in a next release.
 
I might have made some typos and style mistakes in the documentation and man pages. These will be fixed in a next release.
 +
 +
=== CAVEAT 3 ===
 +
We have not tested this on an AFS site. We know that AFS issues secondary GIDs itself. We have not tested nor assessed (yet) what the potential security implications could be of preserving the AFS issued secondary GIDs with respect to accessing the AFS token from the MUPJ's payload process.

Revision as of 12:42, 9 April 2011

Tracking Group IDs are added to batch jobs to be able to track them regardless if they escape the process tree. Batch systems that use this feature are:

  • Sun Grid Engine (SGE, now known as the Oracle Grid Engine)
  • Condor-C batch system

Other batch systems are known to have the feature, but it doesn't seem to be used in (known) Grid deployments:

  • LSF
  • Torque/PBS

What's a Tracking Group ID?

A tracking Group ID is a group ID issued by the batch system and attached to the first process that is the batch job of a user. When a process spwans a child process, then the set of secondary GroupIDs is also inherited by the process image copy of the fork() system call. All stray processes can be rounded up by the secondary Group ID that each of the user's process own.

Process tree example

Here is an example process tree on a PBS/Torque based cluster Worker Node. For illustration purposes all non-relative processes are removed from the tree:

init-+
     ├─pbs_mom
     │   ├─bash
     │   │   └─1337.stro.n /var/spool/pbs/mom_priv/jobs/1337.stro.nikhef.nl.SC
     │   │       └─jobwrapper /opt/lcg/libexec/jobwrapper ./CREAM31337_jobWrapper.sh
     │   │           └─CREAM31337_ -l ./CREAM31337_jobWrapper.sh
     │   │               └─glexec /bin/bash payload.sh
     │   │                   ├─payload.sh

gLExec's involvement

The problem is that gLExec ignores the tracking Group ID issued by the batch system. gLExec will use LCMAPS to decide to which Unix account the payload needs to be mapped. The Tracking Group ID plug-in will make LCMAPS aware of the tracking Group IDs and preserve them when LCMAPS is building the Unix account mapping resolution.

Distribution

The distribution is going to be officially through the EMI-1 release.

Temporary Distribution (April 9th, 2011)

Source tarball: http://software.nikhef.nl/security/lcmaps-plugins-tracking-groupid/

Binary from Etics (from Volatile repository!) in tarball and RPM form: http://etics-repository.cern.ch/repository/download/volatile/salle/emi/emi.sac.lcmaps-plugins-tracking-groupid/0.0.1/sl5_x86_64_gcc412EPEL

At the moment I recommend the binary tarball from Etics, as the RPM is build with the FHS compliant "/usr" prefix, but it doesn't seem to be relocatable with rpm -i --prefix [...].

A man page and documentation is packaged with it.

LCMAPS configuration

The LCMAPS configuration file for my gLExec was changed to add this snippet in the top part:

trackinggid = "lcmaps_tracking_groupid.mod"
              "--tracking-groupid-min 1000"
              "--tracking-groupid-max 2000"

and at the bottom the flow of plugins to execute was altered to the following:

pluginexecpolicy:
verify_proxy -> good
good -> trackinggid
trackinggid -> posix_enf

As you can see, I've placed the trackinggid before the posix_enf plugin and after the good plugin. Replace the good plugin with the regular set of sequences of plugin to make it work. If you have multiple of these blocks, place the 'trackinggid' right before each instance of the posix_enf.

CAVEAT 1

The gLExec version 0.8.1-1 checks if all newly mapped UserIDs, (primary) GroupIDs and all secondary GroupIDs are resolvable to usernames and groupnames as a safety measure. You will not be hindered by this detail, but do note that other sites might experience problems. We're still discussion our options, but I take on it is that the UID and primary GID can perfectly be checked, but the secondary GID check and failure is a false-positive and should be regarded as a pedantic check that hinders Tracking GID deployments.

CAVEAT 2

I might have made some typos and style mistakes in the documentation and man pages. These will be fixed in a next release.

CAVEAT 3

We have not tested this on an AFS site. We know that AFS issues secondary GIDs itself. We have not tested nor assessed (yet) what the potential security implications could be of preserving the AFS issued secondary GIDs with respect to accessing the AFS token from the MUPJ's payload process.