
Authorization Package for TB1 Authorization Working Group Third DataGrid Project Conference 3-5 October 2001, Frascati.


1 Authorization Package for TB1 Authorization Working Group Third DataGrid Project Conference 3-5 October 2001, Frascati

2 Structure
Each CA manages an LDAP Directory with the issued certificates.
Each VO manages an LDAP Directory which contains its members:
–each user belongs to one or more groups;
–each user entry may contain:
  a pointer to the certificate on the CA LDAP server;
  the “Subject” field of the certificate (to speed up grid-mapfile generation);
  a certificate attesting that the user agreed to the usage policy for TB1.
grid-mapfiles are generated from the VO Directories:
–starting from the groups (users who don’t belong to a group are ignored);
–according to users’ attributes (the certificate Subject, for the moment);
–with different outputs, according to local requirements (e.g. McNab patch).

3 Certification Authority LDAP Directory
(diagram) Directory tree rooted at O=infn,C=it, with the entries CN=INFN CA, CN=www.fi.infn.it and CN=Mario Rossi. Object classes shown: domain, organization, pkiCA, person, organizationalPerson, inetOrgPerson, pkiUser.
Available CA LDAP Directories (30/9/01):
–CESNET: tady.ten.cz
–INFN: security.fi.infn.it
–NIKHEF: certificate.nikhef.nl

4 LDAP Directory for “XYZ” VO
(diagram) Directory tree rooted at DC=XYZ, DC=Datagrid, with the containers OU=group1, OU=group2 and OU=people and the user entries CN=Franz Elmer, CN=John Smith and CN=Mario Rossi. Object classes shown: organization, groupOfNames, person, organizationalPerson, inetOrgPerson, pkiUser. Labels shown: Authentication Certificate, Authorization Certificate.

5 grid-mapfile generation: mkgridmap
perl script, to be run at appropriate intervals (1 day?)
produces a grid-mapfile from the entries in the VO LDAP Directories, according to the rules specified in a configuration file (mkgridmap.conf):
–allow and deny directives may contain wildcards and the test is done on the user certificate subject; parsing stops at the first match; if there is at least an allow, there is an implicit deny * at the end;
–directives:
  group URL [lcluser]   URL selects the VO Directories; lcluser, if specified, is the local username to be inserted in the grid-mapfile for the users belonging to the group
  allow pattern_to_match   users allowed in the grid-mapfile
  deny pattern_to_match   users banned from the grid-mapfile
  default_lcluser lcluser   the local username in the grid-mapfile (e.g. default_lcluser. for McNab patch); if AUTO, the local username is generated by an external program (subject2user)
  gmf_local file   local grid-mapfile to be inserted

6 grid-mapfile generation: mkgridmap.conf
Sample configuration file:

  #### GROUP: group URL [lcluser]
  group ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org tb2
  group ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org
  group ldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org tb4
  #### ACL: deny|allow pattern_to_match
  deny *L=Parma*
  allow *O=INFN*
  allow *CESNET*
  deny *John*
  allow *dutchgrid*
  #### DEFAULT LOCAL USER
  default_lcluser testbed1
  ##### GRID-MAPFILE-LOCAL
  gmf_local /etc/grid-security/grid-mapfile-local

7 grid-mapfile generation: subject2user
External program called by mkgridmap when default_lcluser is AUTO.
It is called with the user certificate subject as argument.
It should write to the standard output the local username associated with the user certificate subject.
It allows local sites to customize the output of mkgridmap.
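Added worked example, not the DataGrid mkgridmap script (which is Perl): a minimal Python re-implementation of the rules on slides 5 to 7, run over the sample mkgridmap.conf from slide 6. The LDAP lookups are replaced by a constructed in-memory table keyed by group URL, the content of the gmf_local file is supplied as an in-memory string, and subject2user is a Python callable standing in for the external program. Two points the slides leave implicit are treated as assumptions here: a group's own lcluser takes precedence over default_lcluser, and a user listed in several groups gets the mapping of the first group in configuration order.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Sample mkgridmap.conf from slide 6. The gmf_local path is kept as on the slide,
# but its content is supplied in-memory below instead of being read from disk.
SAMPLE_CONF = """\
#### GROUP: group URL [lcluser]
group ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org tb2
group ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org
group ldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org tb4
#### ACL: deny|allow pattern_to_match
deny *L=Parma*
allow *O=INFN*
allow *CESNET*
deny *John*
allow *dutchgrid*
#### DEFAULT LOCAL USER
default_lcluser testbed1
##### GRID-MAPFILE-LOCAL
gmf_local /etc/grid-security/grid-mapfile-local
"""

# Constructed stand-in for the VO LDAP Directories: group URL -> certificate
# subjects of the group's members (the real script queries the LDAP servers).
VO_GROUPS: Dict[str, List[str]] = {
    "ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org": [
        "/C=IT/O=INFN/L=Parma/CN=Mario Rossi",
        "/C=IT/O=INFN/L=Firenze/CN=Giulia Bianchi",
    ],
    "ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org": [
        "/O=dutchgrid/O=users/CN=John Smith",
        "/O=dutchgrid/O=users/CN=Franz Elmer",
        "/O=Grid/O=Unknown/CN=Nobody",          # matches no allow/deny pattern
    ],
    "ldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org": [
        "/C=CZ/O=CESNET/CN=Jan Novak",
        "/C=IT/O=INFN/L=Firenze/CN=Giulia Bianchi",   # also a member of group1
    ],
}

# Constructed content of the local grid-mapfile named by gmf_local.
LOCAL_GRIDMAP = '"/C=IT/O=INFN/L=Firenze/CN=Site Admin" admin\n'


@dataclass
class Config:
    groups: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (URL, lcluser)
    acl: List[Tuple[str, str]] = field(default_factory=list)               # (action, pattern)
    default_lcluser: Optional[str] = None
    gmf_local: Optional[str] = None


def parse_conf(text: str) -> Config:
    """Parse the mkgridmap.conf directives; '#' starts a comment."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kw, *args = line.split()
        if kw == "group":
            cfg.groups.append((args[0], args[1] if len(args) > 1 else None))
        elif kw in ("allow", "deny"):
            cfg.acl.append((kw, args[0]))
        elif kw == "default_lcluser":
            cfg.default_lcluser = args[0]
        elif kw == "gmf_local":
            cfg.gmf_local = args[0]
        else:
            raise ValueError(f"unknown directive: {kw}")
    return cfg


def acl_allows(acl: List[Tuple[str, str]], subject: str) -> bool:
    """First matching allow/deny wins; if at least one allow exists, an unmatched
    subject falls through to the implicit 'deny *' at the end."""
    for action, pattern in acl:
        if fnmatch.fnmatchcase(subject, pattern):   # shell-style wildcards on the subject
            return action == "allow"
    return not any(action == "allow" for action, _ in acl)


def local_user(cfg: Config, group_lcluser: Optional[str], subject: str,
               subject2user: Optional[Callable[[str], str]]) -> str:
    # Assumption: the group's own lcluser takes precedence over default_lcluser.
    if group_lcluser:
        return group_lcluser
    if cfg.default_lcluser == "AUTO":
        if subject2user is None:
            raise RuntimeError("default_lcluser AUTO requires a subject2user program")
        return subject2user(subject)   # stands in for the external program's stdout
    if cfg.default_lcluser is None:
        raise ValueError(f"no local username for {subject}")
    return cfg.default_lcluser


def build_gridmap(cfg: Config, directories: Dict[str, List[str]], local_text: str = "",
                  subject2user: Optional[Callable[[str], str]] = None) -> List[str]:
    """Return the grid-mapfile lines: one '"subject" lcluser' per admitted user,
    followed by the local entries from gmf_local."""
    mapping: Dict[str, str] = {}   # assumption: first group listing a subject wins
    for url, group_lcluser in cfg.groups:
        for subject in directories.get(url, []):
            if subject in mapping or not acl_allows(cfg.acl, subject):
                continue
            mapping[subject] = local_user(cfg, group_lcluser, subject, subject2user)
    lines = [f'"{subject}" {user}' for subject, user in mapping.items()]
    if cfg.gmf_local:
        lines.extend(l for l in local_text.splitlines() if l.strip())
    return lines


if __name__ == "__main__":
    print("\n".join(build_gridmap(parse_conf(SAMPLE_CONF), VO_GROUPS, LOCAL_GRIDMAP)))
```

With the constructed membership the ordering of the ACL decides the outcome: Mario Rossi is removed by the first directive (deny *L=Parma*) even though O=INFN is allowed two lines later, John Smith is banned because deny *John* precedes allow *dutchgrid*, and the subject that matches no pattern is dropped by the implicit deny *. Because the patterns are wildcards matched against the whole subject string, a short pattern such as *John* also catches every other subject containing that substring, so site-specific decisions about single users are more precisely expressed as exact entries in the gmf_local file than as ACL patterns.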

8 VO Directory Management
Initial Directory loading:
–users: from CAs LDAP servers; from certificate files;
–members of groups.
Directory update:
–single user;
–group membership.
Consistency check between VO and CA Directories.
Replicas? ACLs?

9 VO Directory Management

10 VO Directory Management

