WLCG Questionnaire

Reference: http://indico.cern.ch/getFile.py/access?sessionId=4&resId=0&materialId=2&confId=20230

Describe in a schematic way all components of the system.

If a component needs to use IPC to talk to another component for any reason, describe what kind of authentication, authorization, integrity and/or privacy mechanisms are in place. If configurable, specify the typical, minimum and maximum protection you can get.

DIANE 2 is primarily a single-user system (with optional multi-user facilities). On a master machine (with inbound connectivity) a user starts up a server which listens on one port and uses CORBA (omniORB). Independently of that, worker agents are sent out (by some grid submission tool, typically Ganga). The worker agent wrapper script is very thin: it first fetches DIANE itself with wget from an HTTP server (by default at CERN) and then starts the worker agent process (instead of fetching it, the DIANE code is small enough to be put in the input sandbox directly). The address of the master is encoded in a file which is shipped in the input sandbox. The worker agent process makes CORBA calls to the master process. Using GSI to initiate connections is optional and easily configurable.

CORBA messages contain python pickles. The content of the pickle and the actions which are performed by the worker agent are defined by the application plugin (chosen or implemented by a user).
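Because the message content is a Python pickle that the worker agent unpickles and acts on, the worker should only rebuild objects it expects from an application plugin. The following is an added example (not DIANE code) of a restricted unpickler that refuses any global reference outside an allow-list; the TaskParameters class and the function names are assumptions standing in for a plugin's own task type and message handling.

```python
import io
import pickle

# Constructed example class: the only application-level object a worker is
# allowed to rebuild from an incoming message.  A real DIANE application
# plugin would define its own task type; the name here is an assumption.
class TaskParameters:
    def __init__(self, task_id, args):
        self.task_id = task_id
        self.args = args

# (module, name) pairs the worker may resolve while unpickling.  Anything
# outside this allow-list (functions, classes from other modules) is refused.
ALLOWED_GLOBALS = {
    (__name__, "TaskParameters"),
}

class MessageRefused(pickle.UnpicklingError):
    """Raised when a message references a global that is not on the allow-list."""

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # find_class is consulted for every GLOBAL/STACK_GLOBAL/NEWOBJ target,
        # so gating it here gates which code the message can reach at all.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise MessageRefused("refusing global %s.%s in task message" % (module, name))

def load_task_message(data):
    """Worker side: rebuild a task object from message bytes with the restricted loader."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def encode_task(task_id, args):
    """Master side: serialise a task the same way the message would carry it."""
    return pickle.dumps(TaskParameters(task_id, args))

def encode_unlisted_global():
    """A constructed message referencing a global (builtins.range) that is not
    on the allow-list; the worker must refuse it even though it is harmless."""
    return pickle.dumps(range(3))

if __name__ == "__main__":
    task = load_task_message(encode_task("t1", {"n": 3}))
    print("accepted task", task.task_id, task.args)
    try:
        load_task_message(encode_unlisted_global())
    except MessageRefused as exc:
        print("refused:", exc)
```

The allow-list is per worker, so a plugin that needs further classes adds them explicitly; plain containers, strings and numbers never go through find_class and need no entry. This limits which code a message can name, but it does not authenticate the master, so it complements rather than replaces the GSI option described above.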

There is an optional Directory Service process which may be used to dynamically match workers to (multiple) masters. This may be done in single-user mode. Single-user mode is mandatory if GSI authentication is switched on and the default authorization policies are applied (based on proxy DN). By changing the authorization policies (SSH plugin) multiple users may share workers; however, this has not been tried. Without GSI authentication there is no constraint (nor guarantee) on freely mixing the worker agents of different users.

Describe how user proxies are handled from the moment a user submits a task to the central task queue to the moment that the user task runs on a WN, through any intermediate storage.

There is no central task queue - every master process has its own task queue.

What happens around the identity change on the WN, e.g. how is each task sandboxed and to what extent?

Currently there is no identity change. This is required but currently not implemented for the multiuser, GSI-enabled directory service.

How can running processes be accounted to the correct user?

They are accounted by default. Not implemented for multiuser directory service.

How is a task spawned on the WN and how is it destroyed?

A pickle containing task parameters is received from the master process. Then this pickle is passed to the application plugin to start the task.

How can a site be blocked?

This cannot be done centrally as there is no central system. Each user controls which sites he submits to, given his VO credentials.

What site security processes are applied to the machine(s) running the WMS? [ Here WMS means the VO WMS, not the gLite WMS. ]

At CERN we have a few machines which are managed by the CERN Computing Center (CCC).

Who is allowed access to the machine(s) on which the service(s) run, and how do they obtain access?

Only users who directly collaborate with our team and who have been granted access by us.

How are authorized individuals authenticated on the machine(s)?

As on lxplus.

What is the process for keeping the service(s) and OS patched and up-to-date, especially with respect to security patches?

CERN Computing Center (CCC).

Do you have an identified security contact?


Describe the incident response plan to deal with security incidents and reports of unauthorized use?

Confront the user and ban them from using our machines.

What services (in general) run on the machine(s) that offer the WMS service?

No other services. A user however may choose to start up a point-to-point file transfer service (with or without GSI authentication) that is provided as an additional tool in the DIANE suite. The file transfer service is implemented using the same technology as the other services. The file transfer service is like FTP but it offers additional protection: file upload or download is restricted to a predefined path which is a parameter of the file transfer service on the master machine (e.g. if /a/b/c is specified as the allowed path, clients may not get/put files outside of this area, not even via symlinks). So if there is a symlink /a/b/c/d -> /root and the client requests to read file /a/b/c/d/x, such a request will be rejected.
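The symlink case above is the one that a naive string-prefix check misses. As an added example (not the DIANE file transfer code), the check below resolves symlinks and ".." before comparing against the allowed area, and builds a constructed directory layout in a temporary directory so the /a/b/c/d -> outside case from the text can be exercised; function names and the layout are assumptions.

```python
import os
import tempfile

class PathNotAllowed(Exception):
    """The requested path does not lie under the allowed area."""

def resolve_within(allowed_root, requested):
    """Return the real path for `requested` if it lies under `allowed_root`
    after symlinks and '..' components are resolved; otherwise raise.
    Relative requests are taken relative to the allowed root."""
    root = os.path.realpath(allowed_root)
    if not os.path.isabs(requested):
        requested = os.path.join(root, requested)
    # realpath follows every symlink in the path, so /a/b/c/d/x with
    # d -> /root becomes /root/x and fails the prefix test below.
    candidate = os.path.realpath(requested)
    # Compare with a trailing separator so /a/b/cd is not mistaken for /a/b/c/...
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathNotAllowed(requested)
    return candidate

def build_demo_tree():
    """Constructed layout in a fresh temp dir (an assumption for the demo):
       <base>/a/b/c/x                regular file inside the allowed area
       <base>/secret/x               regular file outside it
       <base>/a/b/c/d -> <base>/secret   symlink pointing outside
    Returns (allowed_root, outside_dir)."""
    base = tempfile.mkdtemp(prefix="diane-ft-")
    allowed = os.path.join(base, "a", "b", "c")
    outside = os.path.join(base, "secret")
    os.makedirs(allowed)
    os.makedirs(outside)
    for d in (allowed, outside):
        with open(os.path.join(d, "x"), "w") as fh:
            fh.write("data in %s\n" % d)
    os.symlink(outside, os.path.join(allowed, "d"))
    return allowed, outside

def check(allowed, requested):
    """Convenience wrapper: 'allowed' or 'rejected' for one client request."""
    try:
        resolve_within(allowed, requested)
        return "allowed"
    except PathNotAllowed:
        return "rejected"

if __name__ == "__main__":
    allowed, _ = build_demo_tree()
    for req in ("x", "d/x", "../../../secret/x", os.path.join(allowed, "d", "x")):
        print("%-28s %s" % (req, check(allowed, req)))
```

The check is only as good as its timing: a link could be replaced between the realpath call and the open, so the service should open the resolved path immediately after checking it and, where the platform allows, open with flags that refuse to follow symlinks on the final component.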

What processes exist to maintain audit logs (e.g. for use during an incident)?

No process.

What monitoring exists on the machine(s) to aid detection of security incidents or unauthorized use?

Defined by CCC.

Can you limit the users that can submit jobs to the VO WMS? How?

Every user has his own, private WMS, so that's not possible. Limitations may come from the VO management.

-- JakubMoscicki - 22 Aug 2008

Topic revision: r1 - 2008-08-22 - JakubMoscicki