Authorization Working Group Report WP6 Meeting 5 March 2002, Paris.


WP6 Meeting, 5 March 2002, Paris. Slide 1: M9 Authorization Structure

Each CA manages an LDAP Directory with the issued certificates.
Each VO manages an LDAP Directory (o=xyz,dc=eu-datagrid,dc=org):
– members (ou=People);
– groups (e.g. ou=Testbed1): each user must belong to at least one group;
– each user entry contains: the URI of the certificate on the CA LDAP server; the Subject of the user’s certificate (to speed up grid-mapfile generation).
grid-mapfiles are generated from the VO Directories:
– looking for the members of the groups;
– according to users’ attributes (the Certificate Subject, for the moment);
– according to the existence of an entry with the same Certificate Subject in an “Authorization Directory”;
– with different local names, according to local requirements (e.g. McNab patch).

Slide 2: Authorization Tools

Available from the Authorization WG CVS server:
– CA Directory management:
– VO Directory management:
– grid-mapfile generation:
Developers’ mailing list:
Authorization WG mailing list:

Slide 3: CA Directory Management

Tools:
– pem2ldif.pl: initial loading;
– crtUpd.pl: insertion of certificates;
– crlUpd.pl: insertion of CRLs;
– delUser.pl: removal of users.
Available DataGrid CA Directories (1/3/02):
– CESNET: ldap://tady.ten.cz
– INFN: ldap://security.fi.infn.it
– NIKHEF: ldap://certificate.nikhef.nl

Slide 4: grid-mapfile generation

[Diagram; only its labels survive: mkgridmap reads the VO Directory (o=xyz, dc=eu-datagrid, dc=org, with ou=People, ou=Testbed1 and further groups, holding the entries CN=Franz Elmer, CN=John Smith and CN=Mario Rossi) and the “Authorization Directory” (o=testbed, dc=eu-datagrid, dc=org, ou=People, holding CN=Franz Elmer and CN=John Smith). The Authentication Certificate subjects are matched against the local users and a ban list, and the grid-mapfile is produced.]

Slide 5: VO Directory Management 1/2

Insertion of users:
– from the CAs’ LDAP servers: vop.pl
  1. VO manager specifies CA and VO Directories;
  2. users’ entries are read from the specified CA Directory;
  3. validity of users’ certificates is checked;
  4. VO manager selects the users to be inserted.
– from certificate files: cert2ldif.pl reads a user certificate and produces an LDIF file for the insertion of the user.
Consistency check between VO and CA Directories: chkusers.pl

Slide 6: VO Directory Management 2/2

Creation of groups: creategroup.pl
Population of groups: group.pl
  1. VO Manager indicates the group;
  2. the list of all the users and of those already in the group are shown;
  3. VO manager selects the users to be inserted in the group.

Slide 7: grid-mapfile generation: mkgridmap

Perl script, to be run at appropriate intervals by the local site manager.
Produces a grid-mapfile from the entries in the VO Directories, according to the directives specified in a configuration file: mkgridmap.conf.
Mapping between Certificate Subjects and local user names is customizable by the local site managers.

Slide 8: mkgridmap.conf directives

group URI [lcluser]
  selects the VO Directories. lcluser, if specified, is the local username to be inserted in the grid-mapfile for the users belonging to the group.
allow pattern (deny pattern)
  users allowed (banned) in the grid-mapfile:
  – pattern may contain wildcards;
  – the test is done on the user certificate subject;
  – parsing stops at the first match;
  – if there is at least one allow, there is an implicit deny * at the end.
auth URI
  the user is inserted only if there is an entry on the Auth Server with the same Certificate Subject.
default_lcluser lcluser
  the local username in the grid-mapfile (e.g. “.” for the McNab patch). If AUTO, the local username is generated by an external program (subject2user).
gmf_local file
  a local grid-mapfile to be inserted.

Slide 9: Sample mkgridmap.conf

#### GROUP: group URI [lcluser]
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=cms,dc=eu-datagrid,dc=org
#group ldap://grid-vo.nikhef.nl/ou=testbed1,o=lhcb,dc=eu-datagrid,dc=org
#group ldap://grid-vo.nikhef.nl/ou=testbed1,o=earthob,dc=eu-datagrid,dc=org
#group ldap://grid-vo.nikhef.nl/ou=testbed1,o=biology,dc=eu-datagrid,dc=org
group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org
#group ldap://grid-vo.cnaf.infn.it/ou=testbed1,o=infn,c=it
#### Optional - DEFAULT LOCAL USER: default_lcluser lcluser
default_lcluser AUTO
#### Optional - AUTHORIZED VO: auth URI
auth ldap://marianne2.in2p3.fr/ou=people,o=testbed,dc=eu-datagrid,dc=org
#### Optional - ACL: deny|allow pattern_to_match
deny *INFN*
#### Optional - GRID-MAPFILE-LOCAL
#gmf_local /opt/edg/etc/grid-mapfile-local

Slide 10: grid-mapfile customization: subject2user

External program called by mkgridmap when default_lcluser or lcluser is AUTO. It allows local sites to customize the output of mkgridmap:
– it is called with the user certificate subject as argument;
– it must write to the standard output the local username associated with the user certificate subject.
The version supplied maps cn=Name Surname to nsurname (e.g. cn=Pinco Pallino to ppallino).
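The directive semantics of slide 8, the sample configuration of slide 9 and the subject2user convention of slide 10 can be exercised together. The following is an added example written for this page, not the Authorization WG's Perl mkgridmap or subject2user scripts: it replaces the LDAP searches with constructed in-memory dictionaries (VO_DIRECTORY, AUTH_DIRECTORY), uses a constructed configuration with a hypothetical local username wp6user, and implements the allow/deny rule (first match wins, implicit deny * once an allow is present), the auth check and the AUTO mapping exactly as the slides describe them.

```python
import fnmatch
import re

# Constructed stand-in for the VO Directories: group URI -> certificate subjects of its members.
# An in-memory dict replaces the LDAP searches the real mkgridmap performs.
VO_DIRECTORY = {
    "ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org": [
        "/O=Grid/O=CERN/CN=Franz Elmer",
        "/C=IT/O=INFN/CN=Mario Rossi",
        "/O=Grid/O=CERN/CN=Anna Bianchi",
    ],
    "ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org": [
        "/C=UK/O=eScience/CN=John Smith",
        "/O=Grid/O=CERN/CN=Franz Elmer",  # member of two groups: the first group's mapping wins
    ],
}

# Constructed stand-in for the Authorization Directory: auth URI -> subjects that have an entry.
AUTH_DIRECTORY = {
    "ldap://marianne2.in2p3.fr/ou=people,o=testbed,dc=eu-datagrid,dc=org": {
        "/O=Grid/O=CERN/CN=Franz Elmer",
        "/C=IT/O=INFN/CN=Mario Rossi",
        "/C=UK/O=eScience/CN=John Smith",
        # Anna Bianchi has no entry here, so the auth directive excludes her.
    },
}

# Constructed configuration using the directives of slide 8 (hypothetical lcluser "wp6user").
SAMPLE_CONF = """\
#### GROUP: group URI [lcluser]
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org
group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org wp6user
#### Optional - DEFAULT LOCAL USER: default_lcluser lcluser
default_lcluser AUTO
#### Optional - AUTHORIZED VO: auth URI
auth ldap://marianne2.in2p3.fr/ou=people,o=testbed,dc=eu-datagrid,dc=org
#### Optional - ACL: deny|allow pattern_to_match
deny *INFN*
"""


def parse_conf(text):
    """Parse mkgridmap.conf directives; '#' starts a comment, directives keep file order."""
    conf = {"group": [], "acl": [], "auth": [], "default_lcluser": None, "gmf_local": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "group":
            conf["group"].append((args[0], args[1] if len(args) > 1 else None))
        elif key in ("allow", "deny"):
            conf["acl"].append((key, args[0]))
        elif key == "auth":
            conf["auth"].append(args[0])
        elif key in ("default_lcluser", "gmf_local"):
            conf[key] = args[0]
        else:
            raise ValueError(f"unknown directive: {key}")
    return conf


def acl_permits(subject, acl):
    """Slide 8 semantics: the first allow/deny whose wildcard pattern matches the subject
    decides; if at least one allow exists, an implicit 'deny *' closes the list."""
    for verb, pattern in acl:
        if fnmatch.fnmatchcase(subject, pattern):
            return verb == "allow"
    return not any(verb == "allow" for verb, _ in acl)


def subject2user(subject):
    """The supplied subject2user mapping: cn=Name Surname -> nsurname (e.g. ppallino)."""
    match = re.search(r"(?i)\bcn=([^/,]+)", subject)
    if not match:
        raise ValueError(f"no CN in subject: {subject}")
    words = match.group(1).split()
    return (words[0][0] + words[-1]).lower() if len(words) > 1 else words[0].lower()


def mkgridmap(conf, vo_dir=VO_DIRECTORY, auth_dir=AUTH_DIRECTORY):
    """Produce grid-mapfile lines ("subject" localuser) from the configured groups."""
    mapping = {}
    for uri, lcluser in conf["group"]:
        for subject in vo_dir.get(uri, []):
            if subject in mapping or not acl_permits(subject, conf["acl"]):
                continue
            # auth: keep the user only if some Auth Server lists the same Certificate Subject
            if conf["auth"] and not any(subject in auth_dir.get(a, ()) for a in conf["auth"]):
                continue
            user = lcluser or conf["default_lcluser"]
            if user is None:
                raise ValueError(f"no local username for {subject}")
            if user == "AUTO":
                user = subject2user(subject)
            mapping[subject] = user
    return [f'"{subject}" {user}' for subject, user in mapping.items()]


if __name__ == "__main__":
    print("\n".join(mkgridmap(parse_conf(SAMPLE_CONF))))
```

With the constructed data, Mario Rossi is dropped by the deny *INFN* pattern, Anna Bianchi by the missing Authorization Directory entry, Franz Elmer receives the AUTO name felmer from the first group he belongs to, and John Smith receives the group's fixed lcluser wp6user.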

Slide 11: Pool of Accounts

With mkgridmap and mkgridpool it is possible to create a fixed matching between certificate subjects and local usernames belonging to a pool of accounts.
– default_lcluser or lcluser is + in mkgridmap.conf.
– It does not need a patch to the Globus code, but may cause the creation of a large number of unused accounts.
The pool of usernames (e.g. user001, user002, …) is managed by mkgridpool.
– Perl script, to be run by the local site manager, or by mkgridmap, to create or delete a pool of users.
– mkgridpool –add/del creates/deletes a pool of users.
– For each username an empty file in /etc/grid-security/mkgridpool is created with the same name as the user. When a username is mapped, mkgridmap creates a link to it, with the same name as the certificate subject (as in the gridmapdir patch).
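The pool mechanism of slide 11 (one empty file per account, a link named after the certificate subject once a mapping is made) can be shown end to end. The following is an added example written for this page, not the Authorization WG's mkgridpool script: it assumes a temporary directory stands in for /etc/grid-security/mkgridpool, that the link is a hard link (so a link count of 1 identifies an unused account, as in the gridmapdir approach), and that the subject is percent-encoded to make it a valid filename; the functions add_pool and del_pool play the roles of mkgridpool -add and -del.

```python
import os
import re
import tempfile
from urllib.parse import quote


def new_pool_dir():
    """Temporary stand-in for /etc/grid-security/mkgridpool (constructed for this example)."""
    return tempfile.mkdtemp(prefix="mkgridpool-")


def pool_accounts(pooldir, prefix="user"):
    """Account names in the pool: files named prefix plus three digits, e.g. user001."""
    return sorted(n for n in os.listdir(pooldir) if re.fullmatch(prefix + r"\d{3}", n))


def add_pool(pooldir, prefix="user", count=3):
    """mkgridpool -add: create one empty file per pool username."""
    names = [f"{prefix}{i:03d}" for i in range(1, count + 1)]
    for name in names:
        open(os.path.join(pooldir, name), "a").close()
    return names


def del_pool(pooldir):
    """mkgridpool -del: remove the account files and every subject link to them."""
    for name in os.listdir(pooldir):
        os.unlink(os.path.join(pooldir, name))


def subject_link(pooldir, subject):
    # The link is named after the certificate subject; '/' and '=' are percent-encoded
    # (an assumption of this example) so the name is a legal single path component.
    return os.path.join(pooldir, quote(subject, safe=""))


def unused_accounts(pooldir, prefix="user"):
    """Accounts nobody is mapped to: a link count of 1 means only the account file itself."""
    return [n for n in pool_accounts(pooldir, prefix)
            if os.stat(os.path.join(pooldir, n)).st_nlink == 1]


def map_subject(pooldir, subject, prefix="user"):
    """Return the pool username fixed to this subject; on first use hard-link a free account.
    The link shares the account file's inode, so a later call for the same subject
    (or a later mkgridmap run) resolves to the same username."""
    link = subject_link(pooldir, subject)
    if not os.path.exists(link):
        free = unused_accounts(pooldir, prefix)
        if not free:
            raise RuntimeError("account pool exhausted")
        os.link(os.path.join(pooldir, free[0]), link)
    inode = os.stat(link).st_ino
    for name in pool_accounts(pooldir, prefix):
        if os.stat(os.path.join(pooldir, name)).st_ino == inode:
            return name
    raise RuntimeError(f"dangling subject link: {link}")


def pool_gridmap(pooldir, subjects, prefix="user"):
    """grid-mapfile lines for subjects whose lcluser is '+' (pool accounts)."""
    return [f'"{s}" {map_subject(pooldir, s, prefix)}' for s in subjects]


def demo_pool():
    """Constructed run: three accounts, two subjects mapped, one account left unused."""
    pooldir = new_pool_dir()
    add_pool(pooldir, "user", 3)
    lines = pool_gridmap(pooldir, ["/O=Grid/O=CERN/CN=Franz Elmer",
                                   "/C=UK/O=eScience/CN=John Smith"])
    again = map_subject(pooldir, "/O=Grid/O=CERN/CN=Franz Elmer")  # fixed matching
    unused = unused_accounts(pooldir)
    del_pool(pooldir)
    os.rmdir(pooldir)
    return lines, again, unused


if __name__ == "__main__":
    lines, again, unused = demo_pool()
    print("\n".join(lines))
    print("Franz Elmer again:", again, "| unused:", unused)
```

The unused_accounts list makes the cost the slide warns about visible: every account in the pool that never acquires a subject link is a provisioned but idle local account, so a site sizing its pool can inspect link counts rather than guess.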

Slide 12: Future Plans

Evaluation of CAS and PERMIS
– interaction with WP1 & WP4
Better VO Directory management;
Support of replicas of VO Directories;
Support for users’ attributes in the VO Directories:
– e.g. the AUP signing information (with expiration date...)