The Contents of this document are made available subject to the terms of the Sun Industry Standards Source License Version 1.2 (see [SISSL]).
| Revision History | |
|---|---|
| Revision 0.1 | 08 Nov 2006 |
| First draft | |
| Revision 0.2 | 12 Dec 2006 |
| Cleanup | |
This module defines the default security module for the Hedeby project. It is kept seperate from the Hedeby and can be in future replace be by security concepts.
Security for Hedeby means secure the network communication between Hedeby components (daemons and clients). All non networks based interactions on a Hedeby are restricted by file permissions.
All network communication in the Hedeby project run on top of SSL socket connections. The security module uses the Java Secure Socket Extension(see [JSSE]).
Each daemon has a keystore. It contains the private key of the daemon. It is created during the installation of a component. It is only accessable for a privileged user. The keystore also contains a certificate which is singed by the certificate authority.
Each component has access to the certificate of the certificate authority. With this certificate it is validated if the component is trusted or not (see javadoc of class com.sun.grid.grm.security.ca.GrmCATrustManager).
In future releases it should be possible to use a other software components for key and certificate management (LDAP, Active Directory, Identify Server). For the current version uses the java keystore implementation.
For authenticating communication partners the Hedeby system uses JAAS. Hedeby it self does not specify how authentication is done. It is in the responsiblity of the security module.
Each Hedeby component provides a JMX interface, they are running in a MBeanServer. Client which want's to manage the component has to provide some credentials to gain access onto the component. The credential are passed through the JMXAuthenticator mechanism to the MBeanServer. The MBeanServer uses Java Authentication and Authorization Service (JAAS) to authenticate the user.
Generally a client has to provide username and password to gain access to a component. If the user has a valid certificate in it's keystore it a password less authentication is also possible.
The authentication itself is delegated to JAAS LoginModules. LoginModules can be stacked. The final LoginModule must be the Hedeby RoleLoginModule which assigns the role to an authenticated user (e.g admin, user). For details about the JAAS system see [JAASRefGuide].
For password less authentication the communication partner needs a valid certificate which is signed by the CA. This certificate is obtained by the SSL communication layer.
For password less authentication the Hedeby system uses the com.sun.grid.grm.security.ca.GrmCATrustManager). It authenicates a coummnication partner if the SSL layer provides a X509 certificate which is trusted by the CA (used for passwordless authentication). The security module provides an mechanism to obtain keystores for users and daemons for the Certificate Authority.
Caution
These keystores should be stored for security reasons on the local file system (default path is<var>/security/daemons
and <var>/security/users).
While daemon always uses passwordless authentication, for users it is possible to
authenticate with a username/password pair. The remote component validates these
credentials using JAAS login modules. The client application is responsible for
providing username and password.
The JAAS login modules are defined by default in the file
<shared>/security/jaas.config
LoginModules for Username/Password authentication
com.sun.security.auth.module.JndiLoginModuleUsername/Password authentication against NIS and LDAP. Included in the Sun Java implementation. Needs additional jar files containing the [JNDI] providers.
com.sun.grid.security.login.UnixLoginModuleUsername/Password authentication against PAM and system specifiy authentication system (e.g. passwd/shadow). Included in the gridengine distribution
Authorization is performed by the JAAS system base on java permissions. After authenticating a communication partner the JAAS LoginModule adds Principals to the java security Subject. All actions triggered by the communication partner are executed under this security subject. The java system checks if the security subject has permissions to execute critical code.
Each role defines a set of permission. Permissions are not directly granted
to users, groups or daemons, instead the comunication partner is a member of a role.
The Hedeby system provides a special role login module which adds a
com.sun.grid.grm.security.role.RolePrincipal to the subject of an
authenticated users. Necessary permissions are granted to the RolePrincipal.
The com.sun.grid.grm.security.role.RoleLoginModule
must be the last in the authentication stack. It searches in the role definition
file (<shared>/security/roles.config) if a
prinicipal of the subject is member of a role and adds the corresponding RolePrincipal
to the subject.
Currently the Hedeby system knows only two roles:
- administrator
All users which should have access the Hedeby system should be in the adminstrator roles.
- daemon
All Hedeby daemons (jvms) are in the daemon roles.
Example 1.1. Sample roles definition file:
administrator {
com.sun.security.auth.UnixPrincipal name="grm_admin";
com.sun.security.auth.UnixNumericGroupPrincipal name="100";
};
daemon {
com.sun.grid.grm.security.GrmDaemonPrincipal regexp=".*";
};
java.security.auth.login.config.
The
Example 1.2. JAAS for the Hedeby system is configured in the file
<shared>/security/jaas.config.
hedeby_system {
com.sun.grid.grm.security.GrmCATrustManagerLoginModule requisite;
com.sun.security.auth.module.JndiLoginModule requisite
user.provider.url="nis://<server>/<nis domain>/user"
group.provider.url="nis://<nis server>/<nis domain>/system/group";
com.sun.grid.security.login.UnixLoginModule requisite
sge_root="${com.sun.grid.grm.bootstrap.sgeroot}"
auth_method="pam" pam_service="su";
com.sun.grid.grm.security.role.RoleLoginModule required
roleFile="${com.sun.grid.grm.bootstrap.shared}/security/roles.config";
};
Hedeby deliveres a standard java policy file which defines the set of permissions
for the roles of the grm system. The installation will copy this file into
<shared>/security/java.policy. All jvms in the Hedeby system uses
this file a default policy file.
A detailed description of the policy file syntax can be found at [PolicyFiles] It should be not necessary to modify this file by the customer.
[SISSL] Sun Mircosystems. The Sun Industry Standards Source License. http://hedeby.sunsource.net/license.html .
[JAASRefGuide] Sun Mircosystems. JavaTM Authentication and Authorization Service (JAAS). Reference Guide. http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html .
[JSSE] Sun Mircosystems. JavaTM Secure Socket Extension (JSSE). Reference Guide. http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html .
[JNDI] Sun Mircosystems. Java Naming and Directory Interface. JNDI http://java.sun.com/products/jndi/ .
[PolicyFiles] Sun Mircosystems. Policy Implementation and Policy File Syntax. http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html .
