Virtual Accounts
Contents:
Introduction
The issue of virtual or temporary accounts in PROOF is related to sand-boxing.
PROOF queries need to be executed in a protected environment - which we call
sandbox - essentially
for two reasons:
- privacy of the results and/or activities;
- protection against undesired/unwanted actions from other users.
The second reason maybe the most relevant in HEP environments: we do not want that an uncontrolled
action of one user screws up the work of others.
Currently
sand-boxing is achieved using the the user UNIX account: at the end of session setup the
user is
logged into her/his account, and a dedicated PROOF area is created
under user's $HOME and used to cache packages and macro files and store the results of queries.
This proved to work well; however, this requires an UNIX account for any potential user of the PROOF
cluster.
The
sandbox problem is not limited to PROOF, but is a general problem in
GRID environments.
Some solutions are being studied, ranging from temporary UNIX accounts created on the fly, to
virtual machines used to create a user environment.
For the PROOF purposes the solution with temporary UNIX accounts seems appropriate. In the following
we will outline the requirements.
Requirements
We assume that the sandbox service runs with su-privileges. This may be the PROOF daemon itself
(as now) or an external
agent devoted to sand-boxing.
The sand-boxing service should provide:
- possibility to create a user account to be assigned temporarily to a user authorized to use the facility (i.e. a user who proved to have the credentials to do so)
- what is needed, in fact, are a pair of (uid,gid) to be used to create a private space into an area devoted to user sandboxes
- the account should not be loggable from outside (i.e. shell /bin/false)
- the unique name of the user could be the 8 chars hash of the DN (Distinguished Name)
- it would probably good to have a unique group ID (group 'proof')
- the user ID should be chosen in a given (tunable) range
- the account should have the minimal privileges to run a query on the machine
- possibility to delete such accounts at any time
- dynamic mapping of users with their (existing, if the case) PROOF accounts
Things to look at before starting
- How DPM (Disk Pool Management, Jean-Philippe Baud) deals with virtual accounts
- Not much documentation, only a few slides
- look at the code
- GRID solutions for sandboxing, in particular those dealing with temporary UNIX accounts
- Predrag Bencig mentioned something that could perhaps be useful.
--
GerardoGanis - 03 Apr 2006