Authorization Package for TB1 Authorization Working Group Third DataGrid Project Conference 3-5 October 2001, Frascati.

Third DataGrid Project Conference, October 3-5, Frascati

Slide 1: Structure

Each CA manages an LDAP Directory with the issued certificates.
Each VO manages an LDAP Directory which contains its members:
– each user belongs to one or more groups;
– each user entry may contain: a pointer to the certificate on the CA LDAP server; the “Subject” field of the certificate (to speed up grid-mapfile generation); a certificate attesting that the user agreed to the usage policy for TB1.
grid-mapfiles are generated from the VO Directories:
– starting from the groups (users who don’t belong to a group are ignored);
– according to users’ attributes (the certificate Subject, for the moment);
– with different outputs, according to local requirements (e.g. McNab patch).

Slide 2: Certification Authority LDAP Directory

Directory tree (diagram): the root entry O=infn,C=it (domain / organization) holds the CA entry CN=INFN CA (pkiCA) and the user entries, such as CN=Mario Rossi (person, organizationalPerson, inetOrgPerson, pkiUser).

Available CA LDAP Directories (30/9/01):
– CESNET: tady.ten.cz
– INFN: security.fi.infn.it
– NIKHEF: certificate.nikhef.nl

Slide 3: LDAP Directory for “XYZ” VO

Directory tree (diagram): the root entry DC=XYZ, DC=Datagrid (organization) holds the group entries OU=group1 and OU=group2 (groupOfNames) and the container OU=people with the user entries CN=Franz Elmer, CN=John Smith and CN=Mario Rossi (person, organizationalPerson, inetOrgPerson, pkiUser); each user entry carries an Authentication Certificate and an Authorization Certificate.

Slide 4: grid-mapfile generation: mkgridmap

perl script, to be run at appropriate intervals (1 day?)
produces a grid-mapfile from the entries in the VO LDAP Directories, according to the rules specified in a configuration file (mkgridmap.conf):
– allow and deny directives may contain wildcards and the test is done on the user certificate subject; parsing stops at the first match; if there is at least an allow, there is an implicit “deny *” at the end;
– directives:
    group URL [lcluser]      selects the VO Directories. lcluser, if specified, is the local username to be inserted in the grid-mapfile for the users belonging to the group
    allow pattern_to_match   users allowed in the grid-mapfile
    deny pattern_to_match    users banned from the grid-mapfile
    default_lcluser lcluser  the local username in the grid-mapfile (e.g. “default_lcluser .” for the McNab patch). If AUTO, the local username is generated by an external program (subject2user).
    gmf_local file           local grid-mapfile to be inserted

Slide 5: grid-mapfile generation: mkgridmap.conf

Sample configuration file:

    #### GROUP: group URL [lcluser]
    group ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org tb2
    group ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org
    group ldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org tb4
    #### ACL: deny|allow pattern_to_match
    deny *L=Parma*
    allow *O=INFN*
    allow *CESNET*
    deny *John*
    allow *dutchgrid*
    #### DEFAULT LOCAL USER
    default_lcluser testbed1
    ##### GRID-MAPFILE-LOCAL
    gmf_local /etc/grid-security/grid-mapfile-local

Slide 6: grid-mapfile generation: subject2user

External program called by mkgridmap when default_lcluser is AUTO.
It is called with the user certificate subject as argument.
It should write to the standard output the local username associated with the user certificate subject.
It allows local sites to customize the output of mkgridmap.
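The rules on slides 4 to 6 (group directives with an optional per-group local user, first-match allow/deny on the certificate subject with an implicit deny once any allow is present, default_lcluser with the AUTO hand-off to subject2user, and the gmf_local file appended at the end) are compact enough to be checked against the sample configuration from slide 5. The block below is an added Python re-implementation of those documented rules, written for this page; it is not the project’s Perl mkgridmap script. The VO LDAP directories of slide 3 are replaced by an in-memory table of group URL to member subjects (all subjects constructed), the gmf_local file content is an inline string, the subject2user policy (lower-cased CN without non-alphanumerics) is an assumed example, and the de-duplication of a subject that appears in several groups (first group wins) is an assumption the slides do not state.

```python
"""Added re-implementation of the mkgridmap rules described on the slides;
not the original Perl script. Runs offline against an in-memory VO table."""
import fnmatch
import re

# Constructed stand-in for the VO LDAP directories (slide 3): each group URL
# from mkgridmap.conf maps to the certificate subjects of the group's members,
# which is what the script would obtain by reading the groupOfNames entry and
# then the member entries' stored Subject attribute. Every subject is invented.
VO_DIRECTORIES = {
    "ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org": [
        "/C=IT/O=INFN/L=Parma/CN=Mario Rossi",
        "/C=IT/O=INFN/L=Bologna/CN=Franz Elmer",
    ],
    "ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org": [
        "/C=CZ/O=CESNET/CN=Jan Novak",
        "/O=dutchgrid/O=users/CN=John Smith",
    ],
    "ldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org": [
        "/O=dutchgrid/O=users/CN=Anna de Vries",
        "/C=UK/O=eScience/CN=Unlisted Person",
    ],
}

# The sample mkgridmap.conf from slide 5.
SAMPLE_CONF = """\
#### GROUP: group URL [lcluser]
group ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org tb2
group ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org
group ldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org tb4
#### ACL: deny|allow pattern_to_match
deny *L=Parma*
allow *O=INFN*
allow *CESNET*
deny *John*
allow *dutchgrid*
#### DEFAULT LOCAL USER
default_lcluser testbed1
##### GRID-MAPFILE-LOCAL
gmf_local /etc/grid-security/grid-mapfile-local
"""

# Constructed content of the gmf_local file (the real tool reads it from disk).
LOCAL_GRIDMAP = '"/C=IT/O=INFN/CN=Local Admin" admin\n'


def parse_conf(text):
    """Parse mkgridmap.conf into its four kinds of directive."""
    conf = {"groups": [], "acl": [], "default_lcluser": None, "gmf_local": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        directive, *args = line.split()
        if directive == "group" and 1 <= len(args) <= 2:
            # group URL [lcluser]: lcluser overrides default_lcluser for this group
            conf["groups"].append((args[0], args[1] if len(args) == 2 else None))
        elif directive in ("allow", "deny") and len(args) == 1:
            conf["acl"].append((directive, args[0]))
        elif directive in ("default_lcluser", "gmf_local") and len(args) == 1:
            conf[directive] = args[0]
        else:
            raise ValueError(f"bad mkgridmap.conf line: {raw!r}")
    return conf


def acl_permits(subject, acl):
    """First matching allow/deny wins; implicit 'deny *' once any allow exists."""
    for action, pattern in acl:
        if fnmatch.fnmatchcase(subject, pattern):  # shell-style wildcards
            return action == "allow"
    return not any(action == "allow" for action, _ in acl)


def sample_subject2user(subject):
    """Assumed stand-in for the external subject2user program: the CN,
    lower-cased, with non-alphanumerics removed."""
    match = re.search(r"/CN=([^/]+)", subject)
    if match is None:
        raise ValueError(f"no CN in subject {subject!r}")
    return re.sub(r"[^a-z0-9]", "", match.group(1).lower())


def make_gridmap(conf, directories, local_gridmap="", subject2user=sample_subject2user):
    """Build the grid-mapfile text from the parsed conf and group memberships."""
    lines, seen = [], set()
    for url, group_user in conf["groups"]:
        for subject in directories.get(url, []):
            # Assumed: a subject in several groups is listed once, first group wins.
            if subject in seen or not acl_permits(subject, conf["acl"]):
                continue
            seen.add(subject)
            user = group_user or conf["default_lcluser"]
            if user == "AUTO":
                user = subject2user(subject)  # AUTO delegates to subject2user
            if user is None:
                raise ValueError(f"no local user for {subject!r}")
            lines.append(f'"{subject}" {user}')
    # gmf_local: site-specific entries are appended unchanged.
    lines.extend(l.strip() for l in local_gridmap.splitlines() if l.strip())
    return "\n".join(lines) + "\n"


def sample_run(default_lcluser=None):
    """Run the sample configuration, optionally overriding default_lcluser."""
    conf = parse_conf(SAMPLE_CONF)
    if default_lcluser is not None:
        conf["default_lcluser"] = default_lcluser
    return make_gridmap(conf, VO_DIRECTORIES, LOCAL_GRIDMAP)


if __name__ == "__main__":
    print(sample_run(), end="")
```

Running it shows why directive order matters: Mario Rossi is an INFN member but is rejected by the earlier “deny *L=Parma*”, John Smith is a dutchgrid member but hits “deny *John*” before “allow *dutchgrid*”, and the eScience subject matches nothing and falls to the implicit deny. Calling sample_run("AUTO") sends the group3 members (the only ones without a per-group lcluser) through the subject2user stand-in instead of a fixed account.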

Slide 7: VO Directory Management

Initial Directory loading:
– users: from CAs’ LDAP servers; from certificate files;
– members of groups.
Directory update:
– single user;
– group membership.
Consistency check between VO and CA Directories.
Replicas? ACLs?

Slide 8: VO Directory Management (diagram only; not recoverable from the transcript)

Slide 9: VO Directory Management (diagram only; not recoverable from the transcript)