AuthN and AuthZ in StoRM A short guide

1 AuthN and AuthZ in StoRM A short guide

2 A simple access scenario
1 A Grid User with a valid proxy certificate wants to read a file pointed to by a SURL, so she performs an srmPrepareToGet (srmPtG) call.
StoRM-Tutorial for supporter, IGI, Bologna, Italy

3 A simple access scenario
2 StoRM verifies whether the identified user, with her FQANs, is authorized to perform srmPtG (a read operation) on that SURL.

4 A simple access scenario
3 StoRM retrieves the local mapping for the grid user. The mapping configuration is the same one used by the Computing Element.

5 A simple access scenario
4 StoRM sets up an ACL entry on the physical file corresponding to the requested SURL. This entry can be removed when the pin expires or when the file is released by the user.

6 A simple access scenario
5 The Grid User submits a job to the Computing Element close to the SE holding the desired SURL.

7 A simple access scenario
6 The user job can access the file directly (file://), because the job runs with the same local credential that StoRM previously added to the ACL.

8 Security layers: a stop can occur at every level!

9 Authentication of requestors
1 Authentication of requestors
The requestor MUST have a valid proxy certificate:
- it is not expired;
- the proxy certificate MUST be issued by a trusted CA (the CA public certificate must be installed on the StoRM FrontEnd hosts);
- the user holds a certificate that hasn't been revoked;
- the user is not banned!
Check the Certificate Revocation Lists (CRLs), stored in the directory /etc/grid-security/certificates; a CRL is a file named {CA_hash}.r0.

10 Trusted Grid CAs for EGI and LCG sites
1 Trusted Grid CAs for EGI and LCG sites
The trusted CAs are distributed via RPM, available in the YUM repo "EGI-trustanchors.repo". The meta-package lcg-CA should be installed and kept updated:
# yum clean cache metadata
# yum update lcg-CA

11 Trusted Grid CA installed
1 Trusted Grid CA installed
Information about the trusted Certification Authorities is stored in /etc/grid-security/certificates/

12 VOMS awareness: LSC files
1 VOMS awareness: LSC files
StoRM is a VOMS-aware service. It verifies that a VOMS server is trusted by checking the correspondence between the certificate subject and what is stored in the LSC ("LiSt of Certificates") files. For each supported VO, and for each of its VOMS servers, there needs to be an LSC file in the directory $X509_VOMS_DIR/${VO}, by default /etc/grid-security/vomsdir/${VO}.

13 2 Approachable rules
Approachable rules define which users (or which class of users) can approach a certain Storage Area, identified by the Virtual FS name in namespace.xml.

14 Approachable rules: Grammar
2 Approachable rules: Grammar

15 Approachable rules: Grammar
2 Approachable rules: Grammar
<dn>*</dn> means that everybody can access the Storage Area. It is possible to use regular expressions on DN fields to define more complex approachable rules.
<vo-name>*</vo-name> means that everybody belonging to a VO can access the Storage Area. Users without a VOMS extension aren't recognized as belonging to a VO, so they will not be allowed to approach the SA. Removing this line implies that the Storage Area is approachable also by users without VOMS extensions.

16 Approachable rules: Examples
2 Approachable rules: Examples
<dn>C=IT</dn> means that only Italian users can approach the Storage Area.
<vo-name>dteam</vo-name> means that only users belonging to the VO dteam will be allowed to access the Storage Area. This entry can be a comma-separated list of VO names.
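The following is an added example, not StoRM code, that evaluates the approachable rules from the grammar and examples above against a user's DN and VOMS FQANs; the rule-set dict layout and the FQAN shape are assumptions.

```python
import re

# Constructed example, not StoRM code: evaluate the approachable rules of one
# Storage Area as the slides describe them. A rule set is a dict with optional
# keys "dn" (a regular expression searched in the subject DN, "*" = anyone) and
# "vo-name" (comma-separated VO names, "*" = any VO). FQANs are assumed to look
# like "/<vo>/<group>/Role=<role>/Capability=<cap>".

def vos_of(fqans):
    """VO names carried by the VOMS FQANs (empty set: no VOMS extension)."""
    return {f.split("/")[1] for f in fqans if f.startswith("/") and len(f) > 1}

def dn_matches(pattern, dn):
    return pattern == "*" or re.search(pattern, dn) is not None

def vo_matches(vo_rule, fqans):
    user_vos = vos_of(fqans)
    if not user_vos:                 # no VOMS extension: belongs to no VO
        return False
    if vo_rule.strip() == "*":
        return True
    return bool(user_vos & {v.strip() for v in vo_rule.split(",")})

def can_approach(rules, dn, fqans):
    """True if the user (DN plus FQANs) may approach the Storage Area."""
    if not dn_matches(rules.get("dn", "*"), dn):
        return False
    # No <vo-name> element at all: users without VOMS extension are accepted.
    if "vo-name" in rules and not vo_matches(rules["vo-name"], fqans):
        return False
    return True

# Constructed Storage Areas mirroring the slide's examples.
RULES = {
    "everybody":  {"dn": "*", "vo-name": "*"},       # any user with a VO
    "italian":    {"dn": "C=IT", "vo-name": "*"},    # Italian users with a VO
    "dteam_only": {"dn": "*", "vo-name": "dteam"},   # members of VO dteam
    "no_voms_ok": {"dn": "*"},                       # <vo-name> line removed
}
```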

17 Approachable rules: QUIZ !!
2 Approachable rules: QUIZ !!

18 Storage Area protection: path-authz.db
2 Storage Area protection: path-authz.db
'path-authz.db' is a file containing authorization policies. The policies are defined via an ACL (Access Control List), that is an ordered list of ACEs (Access Control Entries). Every ACE is expressed as:
<user-class, path, permission, ace-type>
The evaluation algorithm is the same as NFSv4.1.
# cat /etc/storm/backend-server/path-authz.db
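As an added example (not StoRM code), the ordered-ACE evaluation the slide attributes to NFSv4.1, run over a small constructed path-authz.db-style policy; the user-class names, permission letters, ace-type keywords and the path-prefix rule are assumptions.

```python
from posixpath import normpath

# Constructed example, not StoRM code: evaluate an ordered ACL the NFSv4.1 way
# the slide refers to. Each ACE is <user-class, path, permission, ace-type>.
# The user-class names, the permission letters R W L D and the ace-types
# "permit"/"deny" used here are assumptions, as is the rule that an ACE
# applies to its path and to everything beneath it.

def parse_path_authz(text):
    """Parse 'user-class path permission ace-type' lines; '#' starts a comment."""
    acl = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            user_class, path, perms, ace_type = line.split()
            acl.append((user_class, normpath(path), set(perms), ace_type.lower()))
    return acl

def path_covers(ace_path, target):
    target = normpath(target)
    return target == ace_path or target.startswith(ace_path.rstrip("/") + "/")

def evaluate(acl, user_classes, target, requested):
    """Walk the ACEs in order; the first matching ACE that mentions a requested
    bit decides it. Access is granted only when every requested bit is allowed."""
    requested, allowed = set(requested), set()
    for user_class, ace_path, perms, ace_type in acl:
        if user_class not in user_classes or not path_covers(ace_path, target):
            continue
        hit = perms & requested
        if ace_type == "permit":
            allowed |= hit
            if allowed == requested:
                return True
        elif hit - allowed:          # an undecided requested bit is denied
            return False
    return False                     # bits no ACE decided are denied

# Constructed policy: dteam may read/list its area, only its *sgm users may
# write/delete, and nobody else may delete inside the scratch subtree.
ACL = parse_path_authz("""
# user-class   path             permission  ace-type
dteam-sgm      /dteam           RWLD        permit
dteam          /dteam/scratch   D           deny
dteam          /dteam           RL          permit
""")
```

Because evaluation is ordered, the same deny entry blocks plain dteam members but not a dteam-sgm user, whose permit ACE comes first.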

19 3 Grid User mapping
The grid user mapping occurs at BE side, using the LCMAPS library (/etc/storm/backend-server/lcmaps.db). The mapping policy is:
- Map the primary group, based on VOMS credentials; if this is successful, continue by trying to allocate a pool account based on VOMS credentials.
- If any of these steps fails, it tries to map a pool account following the normal /etc/grid-security/grid-mapfile.
- If even that fails, it tries to map a local account (necessary for *sgm users).
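The mapping order above, as an added simulation that is neither StoRM nor LCMAPS code: it walks the four fallback steps over constructed groupmapfile and grid-mapfile contents. The lease counter, the FQAN-keyed pool entries in the grid-mapfile and the dot-prefix convention for pool accounts are assumptions.

```python
import shlex

# Constructed example, not StoRM or LCMAPS code: simulate the mapping order of
# the slide. Mapfiles use the usual '"key" account' line format; a target that
# starts with "." is a pool-account prefix, anything else a local account.
# Keying the grid-mapfile by FQAN for the VOMS pool step is an assumption.

def parse_mapfile(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, target = shlex.split(line)[:2]
            entries.append((key, target))
    return entries

def lookup(entries, keys, pool):
    # first target for one of `keys` (in key order) of the wanted kind
    for key in keys:
        for entry_key, target in entries:
            if entry_key == key and target.startswith(".") == pool:
                return target
    return None

def allocate(prefix, leases, principal):
    # lease a pool account <prefix>001, <prefix>002, ... per principal
    if prefix is None:
        return None
    if principal not in leases:
        taken = sum(1 for a in leases.values() if a[:-3] == prefix[1:])
        leases[principal] = f"{prefix[1:]}{taken + 1:03d}"
    return leases[principal]

def map_user(dn, fqans, groupmap, gridmap, leases):
    """Return (account, primary_group) or None, following the slide's policy."""
    group = lookup(groupmap, fqans, pool=False)      # 1. vomslocalgroup
    account = None
    if group is not None:                             # 2. pool account via VOMS
        account = allocate(lookup(gridmap, fqans, pool=True), leases, dn)
    if account is None:                               # 3. pool account via DN
        account = allocate(lookup(gridmap, [dn], pool=True), leases, dn)
    if account is None:                               # 4. local account (*sgm)
        account = lookup(gridmap, [dn], pool=False)
    return None if account is None else (account, group)

# Constructed mapfiles in the style of groupmapfile and grid-mapfile.
GROUPMAP = parse_mapfile('"/dteam/Role=NULL/Capability=NULL" dteam')
GRIDMAP = parse_mapfile('''"/dteam/Role=NULL/Capability=NULL" .dteam
"/C=IT/O=INFN/CN=Site Admin" dteamsgm
"/C=DE/O=X/CN=Legacy User" .legacy''')
```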

20 3 Grid User mapping
Primary Group: vomslocalgroup. The mapping is based on the file /etc/grid-security/groupmapfile.

