Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authorization Working Group Report WP6 Meeting 5 March 2002, Paris.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Authorization Working Group Report WP6 Meeting 5 March 2002, Paris."— Presentation transcript:

1 Authorization Working Group Report WP6 Meeting 5 March 2002, Paris

2 WP6 Meeting5 March 2002, Paris1 M9 Authorization Structure Each CA manages an LDAP Directory with the issued certificates. Each VO manages an LDAP Directory (o=xyz,dc=eu- datagrid,dc=org): –members (ou=People); –groups (e.g. ou=Testbed1): each user must belong to at least one group; –each user entry contains: the URI of the certificate on the CA LDAP server; the Subject of the user’s certificate (to speed up grid-mapfile generation). grid-mapfiles are generated from the VO Directories: –looking for the members of the groups; –according to users’ attributes (the Certificate Subject, for the moment); –according to the existence of an entry with the same Certificate Subject in an “Authorization Directory”; –with different local names, according to local requirements (e.g. McNab patch).

3 WP6 Meeting5 March 2002, Paris2 Authorization Tools Available from the Authorization WG CVS server: –CA Directory management: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/LDAP-CA/ –VO Directory management: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/VO/ –grid-mapfile generation: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/edg-mkgridmap/ Developers’ mailing list: sec-grid@infn.it Authorization WG mailing list:.....

4 WP6 Meeting5 March 2002, Paris3 CA Directory Management Tools: –pem2ldif.pl: initial loading; –crtUpd.pl: insertion of certificates; –crlUpd.pl: insertion of CRLs; –delUser.pl: removal of users. Available DataGrid CA Directories (1/3/02): CESNET: ldap://tady.ten.cz INFN: ldap://security.fi.infn.it NICKEF: ldap://certificate.nikhef.nl

5 WP6 Meeting5 March 2002, Paris4 grid-mapfile generation o=testbed, dc=eu-datagrid, dc=org CN=Franz Elmer ou=People CN=John Smith mkgridmap grid-mapfile VO Directory “Authorization Directory” CN=Mario Rossi o=xyz, dc=eu-datagrid, dc=org CN=Franz ElmerCN=John Smith Authentication Certificate ou=Peopleou=Testbed1ou=??? local usersban list

6 WP6 Meeting5 March 2002, Paris5 VO Directory Management 1/2 Insertion of users: –from CAs LDAP servers: vop.pl 1.VO manager specifies CA and VO Directories 2.users’ entries are read from the specified CA Directory; 3.validity of users’ certificates is checked; 4.VO manager selects the users to be inserted. –from certificate files: cert2ldif.pl reads user certificate; produces an LDIF file for the insertion of the user. Consistency check between VO and CA Directories: chkusers.pl

7 WP6 Meeting5 March 2002, Paris6 VO Directory Management 2/2 Creation of groups: creategroup.pl Population of groups: group.pl 1.VO Manager indicates the group; 2.the list of all the users and of those already in the group are shown; 3.VO manager selects the users to be inserted in the group.

8 WP6 Meeting5 March 2002, Paris7 grid-mapfile generation: mkgridmap perl script, to be run at appropriate intervals by the local site manager. Produces a grid-mapfile from the entries in the VO Directories, according to the directives specified in a configuration file: mkgridmap.conf. Mapping between Certificate Subjects and local user names is customizable by the local site managers.

9 WP6 Meeting5 March 2002, Paris8 mkgridmap.conf directives group [ ] selects the VO Directories., if specified, is the local username to be inserted in the grid-mapfile for the users belonging to the group. allow ( deny ) users allowed (banned) in the grid-mapfile: – may contain wildcards; –the test is done on the user certificate subject; –parsing stops at the first match; –if there is at least an allow, there is an implicit deny * at the end. auth the user is inserted only if there is an entry on the Auth Server with the same Certificate Subject. default_lcluser the local username in the grid-mapfile (e.g. “. ” for McNab patch) If AUTO, the local username is generated by an external program (subject2user). gmf_local is a local grid-mapfile to be inserted.

10 WP6 Meeting5 March 2002, Paris9 Sample mkgridmap.conf #### GROUP: group URI [lcluser] group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org group ldap://grid-vo.nikhef.nl/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org group ldap://grid-vo.nikhef.nl/ou=testbed1,o=cms,dc=eu-datagrid,dc=org #group ldap://grid-vo.nikhef.nl/ou=testbed1,o=lhcb,dc=eu-datagrid,dc=org #group ldap://grid-vo.nikhef.nl/ou=testbed1,o=earthob,dc=eu-datagrid,dc=org #group ldap://grid-vo.nikhef.nl/ou= testbed1,o=biology,dc=eu-datagrid,dc=org group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org #group ldap://grid-vo.cnaf.infn.it/ou=testbed1,o=infn,c=it #### Optional - DEFAULT LOCAL USER: default_lcluser lcluser default_lcluser AUTO #### Optional - AUTHORIZED VO: auth URI auth ldap://marianne2.in2p3.fr/ou=people,o=testbed,dc=eu-datagrid,dc=org #### Optional - ACL: deny|allow pattern_to_match deny *INFN* #### Optional - GRID-MAPFILE-LOCAL #gmf_local /opt/edg/etc/grid-mapfile-local

11 WP6 Meeting5 March 2002, Paris10 grid-mapfile customization: subject2user External program called by mkgridmap when default_lcluser or lcluser is AUTO. It allows local sites to customize the output of mkgridmap: –it is called with the user certificate subject as argument. –it must write to the standard output the local username associated with the user certificate subject. The version supplied maps cn=Name Surname to nsurname (e.g. cn=Pinco Pallino to ppallino).

12 WP6 Meeting5 March 2002, Paris11 Pool of Accounts With mkgridmap and mkgridpool it’s possible to create a fixed matching between certificate subjects and local usernames belonging to a pool of accounts. –default_lcluser or lcluser is + in mkgridmap.conf –It doesn’t need a patch to the Globus code, but may cause the creation of a large number of unused accounts. The pool of usernames (e.g. user001, user002, …) is managed by mkgridpool. –Perl script, to be run by the local site manager, or by mkgridmap, to create or delete a pool of users. –mkgridpool –add/del creates/deletes a pool of users. –For each username an empty file in /etc/grid-security/mkgridpool is created with the same name as the user. When a username is mapped, mkgridmap creates a link to it, with the same name as the subject certificate (as in the gridmapdir patch).

13 WP6 Meeting5 March 2002, Paris12 Future Plans Evaluation of CAS and PERMIS –interaction with WP1 & WP4 Better VO Directory management; Support of replicas of VO Directories; Support for users’ attributes in the VO Directories: –e.g. the AUP signing information (with expiration date...)

Download ppt "Authorization Working Group Report WP6 Meeting 5 March 2002, Paris."

Similar presentations

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Security NeSC Training Team International Summer School for Grid Computing, Vico Equense, 10 - 22.6.2005.

Security NeSC Training Team International Summer School for Grid Computing, Vico Equense,
Authentication and Authorization The Grid Security Infrastructure and its implementation in DutchGrid and DataGrid Test Bed 1 David Groep, NIKHEF.

Authentication and Authorization The Grid Security Infrastructure and its implementation in DutchGrid and DataGrid Test Bed 1 David Groep, NIKHEF.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.

/ David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.

BaBar WEB job submission with Globus authentication and AFS access T. Adye, R. Barlow, A. Forti, A. McNab, S. Salih, D. H. Smith on behalf of the BaBar.
Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file www.gridpp.ac.uk grid “ping”

Andrew McNab - Manchester HEP - 26 June 2001 WG-H / Support status Packaging / RPM’s UK + EU DG CA’s central grid-users file grid “ping”
GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.

GRID Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania.
Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester

Andrew McNab - GridPP Security - 24 Feb 2003 GridPP Security Middleware Andrew McNab, University of Manchester
Controlling Files Richard Newman based on Smith “Elementary Information Security”

Controlling Files Richard Newman based on Smith “Elementary Information Security”
9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK

9-May-02D.P.Kelsey, Security Plans, GridPP41 Security: Plans 9 May 2002 GridPP4 meeting, Manchester David Kelsey CLRC/RAL, UK
Andrew McNab - Access Control - 28 May 2002 Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester.

Andrew McNab - Access Control - 28 May 2002 Access Control and User Management (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester.
Authorization Package for TB1 Authorization Working Group Third DataGrid Project Conference 3-5 October 2001, Frascati.

Authorization Package for TB1 Authorization Working Group Third DataGrid Project Conference 3-5 October 2001, Frascati.

Similar presentations

Ads by Google