1 NIKHEF grid meeting, 1 December 2003
LCAS and LCMAPS
David Groep, Oscar Koeroo, Wim Som de Cerff, Martijn Steenbakkers, Gerben Venekamp

2 NIKHEF Grid meeting – LCAS and LCMAPS – n° 2
Talk Outline
- Introduction on AuthN & AuthZ in EDG
  - Why do we need VOMS, LCAS, LCMAPS ...?
- Gridification architecture
- LCAS
  - Architecture, plug-ins, examples
- LCMAPS
  - Architecture, plug-ins
  - Policy language (PDL)
  - Examples
- Job Repository
- Status and future developments

3 AuthN & AuthZ in EDG (1)
- GLOBUS
  - Authentication: Grid Security Infrastructure (GSI)
    - X.509 certificates (PKI), Certificate Authorities
    - Mutual authentication
    - Single sign-on, proxy delegation
  - Authorization: grid-mapfile
    - Maps grid credentials (the subject of the user's certificate) to local credentials (a UNIX account)
    - "Boolean" authorization: a DN is either listed or it is not
    - Information provided via VO-LDAP servers (EDG)
    - Managed "manually" by the resource admin (via mkgridmap, EDG)
- Problems
  - No centralization
  - No scalability
  - Lack of flexibility
  => Problems addressed by VOMS, LCAS/LCMAPS

4 AuthN & AuthZ in EDG (2)
- VOMS (VO Membership Service)
  - Authorization at VO level
  - Each VO has its own VOMS
  - VO affiliation assertions embedded in the proxy
  - Support for group membership, roles, capabilities
  - A user can be a member of many VOs
- LCAS/LCMAPS
  - Separates pure authZ (LCAS) from user account mapping (LCMAPS)
  - Flexible/dynamic assignment of local credentials
  - Resource manager remains in full control
[Figure: VOMS flow. Authentication Request -> Query -> Auth DB; the VOMS pseudo-cert is returned and embedded in the user's proxy C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy]

5 WP4 Gridification components
[Figure: architecture diagram. External to the fabric: the Resource Broker (WP1) sends a resource request in RSL, VOMS-signed, to the (EDG-)Gatekeeper on the CE. Internal to the fabric: LCAS (plugins: allow list, wallclocktime, ban list, VOMS/GACL) authorizes the request; LCMAPS, driven by policy, establishes the security context (uid/gid, other tokens) and enforces credentials; the Jobmanager dispatches to the worker node farms; the JobRepository records the result. Also shown: StorageElement (WP5), SE, RMS, Configuration Mgmt (WP4 non-gridification) and other non-WP4 subsystems.]

6 AuthN, AuthZ control flow in GK
[Figure: gatekeeper control flow. "Ye Olde Gatekeeper" accepts the GSI connection and authenticates the client (GSI AuthN); the proxy C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy carries the VOMS pseudo-cert. The gatekeeper calls out to LCAS for authZ (plugins: allowed, timeslot, banned, policy), then to LCMAPS (open, learn, and run; returns the legacy uid, replacing assist_gridmap), then fork+execs the Job Manager (jobmanager-*) with the args and submit script.]

7 LCAS
- Local Centre Authorization Service (LCAS)
- Handles authorization requests to the local fabric
  - Authorization decisions based on the proxy user certificate and the job specification (RSL)
  - Supports the grid-mapfile mechanism and/or GACL
- Plug-in framework (hooks for external authorization plug-ins)
  - Allowed users (grid-mapfile or allowed_users.db)
  - Banned users (ban_users.db)
  - Available timeslots (timeslots.db)
  - Plug-in for VOMS (to process authorization data)
    - Uses the VOMS API
    - AuthZ policy in GACL format (or grid-mapfile)
  => Convenience tool to convert a grid-mapfile into GACL format: edg-lcas-voms2gacl

8 LCAS - ban_users.db
  # This file contains the globus user ids that are BANNED from this fabric
  "/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"

9 LCAS - timeslots.db
  # This file contains the time slots for which the fabric
  # is available for Grid jobs
  # Format:
  # minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2
  # max range: [0-59] [0-23] [1-31] [1-12] [1970-...] [0-6]
  #
  # wday:
  # 0-6 = Sunday-Saturday
  # 5-3 = Friday-Wednesday
  #
  # '*' means the maximum range
  # - means from to maximum value
  #
  # The wall clock time should match at least one time slot for authorization
  # The wall clock time matches if:
  # (hour1:minute1) <= (hour:minute) <= (hour2:minute2)
  # AND (year1.month1.mday1) <= (year.month.mday) <= (year2.month2.mday2)
  # AND (wday1) <= (wday) <= (wday2)
  #
  # If the fabric is open on working days from 8:30-18:00 h, from 1 July 2002 till 15 January 2003
  # the following line should be added:
  # 30-0 8-18 1-15 7-1 2002-2003 1-5
  # If the fabric is open from 18:00-7:00 h, two time slots should be used:
  # 18:00-24:00 and 0:00-7:00
  #
  # 0-0 18-24 * * * *
  # 0-0 0-7 * * * *
  # If the fabric is always open the following line should be uncommented:
  # minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2
  * * * * * *
  0-0 23-24 * * * *

10 LCAS - lcas.gacl
[GACL XML markup lost in extraction; the recoverable entries are the person DN /O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen and the VOMS group iteam with FQAN /iteam]
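The three file-driven LCAS plug-ins of slides 7-9 are simple enough to re-implement, which makes their combination explicit: allowed list, ban list and timeslots are evaluated in turn and each one can refuse. The code below is an added example, not LCAS code; the allowed_users.db, ban_users.db and timeslots.db contents are constructed for it (the ban entry and the slot lines are taken from the slides), and the wrap-around reading of a reversed weekday range such as 5-3 is an assumption taken from the file's own comment.

```python
"""Added example, not LCAS code: the three file-driven LCAS plug-ins of
slides 7-9 (allowed users, banned users, timeslots) re-implemented in Python
and chained as the gatekeeper call-out chains them: every plug-in must accept
or the job is refused.  The file contents below are constructed for this
example and embedded as strings."""
import re
from datetime import datetime

ALLOWED_USERS_DB = '''
# grid-mapfile syntax; the account column, when present, is ignored here
"/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen" iteam
"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon" iteam
'''
BAN_USERS_DB = '''
# This file contains the globus user ids that are BANNED from this fabric
"/O=dutchgrid/O=users/O=nikhef/CN=Jeffrey Templon"
'''
TIMESLOTS_DB = '''
# minute1-minute2 hour1-hour2 mday1-mday2 month1-month2 year1-year2 wday1-wday2
30-0 8-18 1-15 7-1 2002-2003 1-5
0-0 18-24 * * * *
0-0 0-7 * * * *
'''
# maximum range per field, used to expand '*' and an open-ended 'a-'
MAX_RANGE = [(0, 59), (0, 23), (1, 31), (1, 12), (1970, 9999), (0, 6)]

def parse_dn_list(text):
    """Set of quoted DNs (first field of each non-comment line)."""
    dns = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'"([^"]+)"', line)
        if not m:
            raise ValueError('unparsable line: %r' % line)
        dns.add(m.group(1))
    return dns

def _parse_field(tok, lo, hi):
    """'*' -> (lo, hi); 'a-b' -> (a, b); 'a-' -> (a, hi); 'a' -> (a, a)."""
    if tok == '*':
        return lo, hi
    if '-' in tok:
        a, b = tok.split('-', 1)
        return int(a), (int(b) if b else hi)
    return int(tok), int(tok)

def parse_timeslots(text):
    """List of slots, each a list of six (low, high) pairs in file order."""
    slots = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        toks = line.split()
        if len(toks) != 6:
            raise ValueError('expected 6 fields: %r' % line)
        slots.append([_parse_field(t, lo, hi) for t, (lo, hi) in zip(toks, MAX_RANGE)])
    return slots

def slot_matches(slot, when):
    """The matching rule stated in the timeslots.db comment block.
    'when' is a datetime or an ISO 8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    (m1, m2), (h1, h2), (d1, d2), (mo1, mo2), (y1, y2), (w1, w2) = slot
    if not (h1, m1) <= (when.hour, when.minute) <= (h2, m2):
        return False
    if not (y1, mo1, d1) <= (when.year, when.month, when.day) <= (y2, mo2, d2):
        return False
    wday = when.isoweekday() % 7                 # Sunday=0 ... Saturday=6, as in the file
    if w1 <= w2:
        return w1 <= wday <= w2
    # Assumption: a reversed range such as 5-3 wraps around (Friday-Wednesday),
    # as the file's own comment says; the literal wday1 <= wday <= wday2 test
    # could never match it.
    return wday >= w1 or wday <= w2

def lcas_authorize(dn, when, allowed=ALLOWED_USERS_DB, banned=BAN_USERS_DB,
                   timeslots=TIMESLOTS_DB):
    """Run the plug-ins in order and return (decision, reason); the first
    plug-in that refuses ends the evaluation."""
    if dn not in parse_dn_list(allowed):
        return False, 'not in allowed_users.db'
    if dn in parse_dn_list(banned):
        return False, 'listed in ban_users.db'
    if not any(slot_matches(s, when) for s in parse_timeslots(timeslots)):
        return False, 'outside every slot in timeslots.db'
    return True, 'authorized'

if __name__ == '__main__':
    willem = '/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen'
    print(lcas_authorize(willem, '2002-10-08T10:00'))   # Tuesday, within 8:30-18:00
    print(lcas_authorize(willem, '2002-10-12T12:00'))   # Saturday noon: no slot
```

Note the order: the ban list is consulted after the allowed list but before the timeslots, so a banned DN is refused with a reason that names the ban rather than the clock, which is what a site admin reading the gatekeeper log wants to see.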

11 LCMAPS
- Local Credential MAPping Service
- Backward compatible with existing systems (grid-mapfile, AFS)
- Provides the local credentials needed for jobs in the fabric
  - Mapping based on user identity, VO affiliation, site-local policy
  - Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5
  - Pool accounts, pool groups
- Support for multiple VOs per user (and thus multiple UNIX groups)
- Plug-in framework
  - Driven by a comprehensive policy language: PDL
  - Extendible
  - Credential acquisition and enforcement plug-ins
- Boundary conditions
  - Has to run in privileged mode (it changes the uid/gid of the process it runs in)
  - Has to run in the process space of the incoming connection (for fork jobs)

12 LCMAPS – control flow
- User authenticates using a (VOMS) proxy
- LCMAPS library invoked
  - Acquire all relevant credentials
  - Enforce "external" credentials
  - Enforce credentials on the current process tree at the end
- Run job manager
  - Fork will be OK by default
  - Batch systems may need the primary group explicitly
  - Batch systems will need updated (distributed) UNIX account info
- Order and function: policy-based
[Figure: GK -> LCMAPS (credential acquisition & enforcement, CREDs) -> Job Mngr]

13 LCMAPS – invocation and running
[Figure: sequence diagram with participants LCMAPS, Plugin Mngr, Evaluation Mngr and "any Plug-in". Initialize: local init, load policy, load all, initialize all, introspect for API. Run: evaluate policy, run plugin and report. Terminate: terminations from GK.]

14 LCMAPS - modules
- Modules represent atomic functionality
- VOMS acquisition modules:
  - VOMS extract: extract VOMS info from the proxy
  - VOMS local group: from VOMS attributes assign a GID
  - VOMS pool group: from VOMS attributes assign a GID from a pool
  - VOMS pool account: from VOMS attributes, DN and GIDs assign a UID from a pool
- Standard acquisition modules:
  - Local account: from the user DN assign a local UID
  - Pool account: from the user DN assign a UID from a pool
- Enforcement modules
  - POSIX enforcement: setreuid(), setregid() and setgroups() in the gatekeeper process
  - LDAP enforcement: update the distributed user database
- In progress
  - Get an AFS/Krb5 token based on the user DN (gssklog)

15 LCMAPS – Policy Description Language
  # LCMAPS policy file/plugin definition
  #
  # default path
  path = /opt/edg/lib/lcmaps/modules

  # Plugin definitions:
  localaccount    = "lcmaps_localaccount.mod" "-gridmapfile [...]"
  posix_enf       = "lcmaps_posix_enf.mod"
  vomsextract     = "lcmaps_voms.mod" "-vomsdir [...]" "-certdir [...]"
  vomslocalgroup  = "lcmaps_voms_localgroup.mod" "-groupmapfile [...]" "-mapmin 1"
  vomspoolgroup   = "lcmaps_voms_poolgroup.mod" "-groupmapfile [...]" "-groupmapdir [...]"
  vomspoolaccount = "lcmaps_voms_poolaccount.mod" "-gridmapfile [...]" "-gridmapdir [...]"
  ldap_enf        = "lcmaps_ldap_enf.mod" "[...]"

  # Policies:
  vomspolicy:
    localaccount -> posix_enf | vomsextract
    vomsextract -> vomslocalgroup
    vomslocalgroup -> vomspoolgroup
    vomspoolgroup -> vomspoolaccount | vomspoolaccount
    vomspoolaccount -> ldap_enf
    ldap_enf -> posix_enf

[Figure: state machine approach. Start at Local Account; TRUE -> POSIX Enforcement; FALSE -> VOMS extract -> VOMS Local Group -> VOMS Pool Group -> VOMS Pool Account -> LDAP Enforcement -> POSIX Enforcement. A rule "a -> b | c" continues with b when a succeeds and with c when it fails; a rule without the "| c" part fails the whole policy when a fails.]
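The policy above is a small state machine, and the easiest way to see what the "TRUE | FALSE" branches do is to run it. The following is an added example, not LCMAPS code: a parser for the rule syntax of slide 15 (the "standard" policy on slide 39 is a smaller instance of the same grammar) and an evaluator that walks the rules. The seven modules are constructed stand-ins for the real .mod plug-ins; they read constructed site data (a grid-mapfile, a groupmapfile with exact FQANs, a gid pool and a uid pool, all embedded as dicts) and update a credential dict instead of the process, so the example runs without root and without the real plug-ins.

```python
"""Added example, not LCMAPS code: parser and evaluator for the policy
description language on slide 15 (slide 39's 'standard' policy is a smaller
instance).  A rule 'a -> b | c' runs module a, continues with b on success
and c on failure; a rule without '| c' fails the policy when a fails; a
module with no rule of its own is terminal and its result is the policy's.
The modules are constructed stand-ins that update a credential dict."""
import re

POLICY_TEXT = """
path = /opt/edg/lib/lcmaps/modules
localaccount = "lcmaps_localaccount.mod" "-gridmapfile /etc/grid-security/grid-mapfile"
vomspolicy:
    localaccount -> posix_enf | vomsextract
    vomsextract -> vomslocalgroup
    vomslocalgroup -> vomspoolgroup
    vomspoolgroup -> vomspoolaccount | vomspoolaccount
    vomspoolaccount -> ldap_enf
    ldap_enf -> posix_enf
"""
RULE_RE = re.compile(r'^(\w+)\s*->\s*(\w+)(?:\s*\|\s*(\w+))?$')

def parse_policy(text, name=None):
    """(rules, start): rules maps module -> (on_true, on_false or None) for the
    named (default: first declared) policy; plug-in definitions are skipped."""
    rules, start, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith(':'):                       # 'vomspolicy:' opens a policy
            current = line[:-1].strip()
            name = name or current
            continue
        m = RULE_RE.match(line)
        if not m or current is None or current != name:
            continue
        lhs, on_true, on_false = m.groups()
        if lhs in rules:
            raise ValueError('duplicate rule for ' + lhs)
        rules[lhs] = (on_true, on_false)
        start = start or lhs                         # first rule's left-hand side
    if start is None:
        raise ValueError('no rules for policy %r' % name)
    return rules, start

def evaluate(policy, modules, creds):
    """Walk the state machine; returns (ok, [(module, result), ...])."""
    rules, node = policy
    path = []
    for _ in range(len(rules) + 1):                  # longer than this means a loop
        ok = modules[node](creds)
        path.append((node, ok))
        if node not in rules:
            return ok, path                          # terminal module decides
        on_true, on_false = rules[node]
        if ok:
            node = on_true
        elif on_false is None:
            return False, path                       # failed with no FALSE branch
        else:
            node = on_false
    raise RuntimeError('policy does not terminate')

# Constructed site data standing in for the files the real plug-ins read.
GRIDMAPFILE = {'/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen': 1001}  # DN -> uid
GROUPMAPFILE = {'/VO=iteam/GROUP=/iteam': 2001}                               # FQAN -> gid
POOL_GROUP_FQANS = {'/VO=wilma/GROUP=/wilma'}                                  # served from gid pool
POOL_GIDS, POOL_UIDS = [3001, 3002], [5001, 5002, 5003]
GROUP_LEASES, ACCOUNT_LEASES, LDAP_DIRECTORY = {}, {}, {}

def _lease(leases, pool, key):
    """Sticky pool allocation: a key keeps the member it was first given."""
    if key not in leases:
        free = [x for x in pool if x not in leases.values()]
        if not free:
            raise RuntimeError('pool exhausted')
        leases[key] = free[0]
    return leases[key]

def localaccount(creds):
    creds['uid'] = GRIDMAPFILE.get(creds['dn'])
    return creds['uid'] is not None

def vomsextract(creds):
    return bool(creds['fqans'])                      # no VOMS attributes in the proxy

def vomslocalgroup(creds):
    gids = [GROUPMAPFILE[f] for f in creds['fqans'] if f in GROUPMAPFILE]
    creds['gids'] += gids
    return len(gids) >= 1                            # '-mapmin 1' on slide 15

def vomspoolgroup(creds):
    pooled = [f for f in creds['fqans'] if f in POOL_GROUP_FQANS]
    creds['gids'] += [_lease(GROUP_LEASES, POOL_GIDS, f) for f in pooled]
    return bool(pooled)                              # either way the policy continues

def vomspoolaccount(creds):                          # keyed on DN and gids, as slide 14 says
    creds['uid'] = _lease(ACCOUNT_LEASES, POOL_UIDS, (creds['dn'], tuple(creds['gids'])))
    return True

def ldap_enf(creds):
    LDAP_DIRECTORY[creds['uid']] = {'dn': creds['dn'], 'gids': list(creds['gids'])}
    return True

def posix_enf(creds):                                # real one: setreuid/setregid/setgroups
    creds['enforced'] = creds.get('uid') is not None
    return creds['enforced']

MODULES = {f.__name__: f for f in (localaccount, vomsextract, vomslocalgroup,
                                   vomspoolgroup, vomspoolaccount, ldap_enf, posix_enf)}

def run_policy(dn, fqans, text=POLICY_TEXT):
    """Map one user: (ok, modules run in order, resulting credentials)."""
    creds = {'dn': dn, 'fqans': list(fqans), 'gids': []}
    ok, path = evaluate(parse_policy(text), MODULES, creds)
    return ok, [name for name, _ in path], creds

if __name__ == '__main__':
    print(run_policy('/O=dutchgrid/O=users/O=nikhef/CN=Willem van Leeuwen', []))
    print(run_policy('/O=example/CN=Alice', ['/VO=iteam/GROUP=/iteam']))
```

Two properties of the slide-15 policy become visible when it is run this way: a DN listed in the grid-mapfile never reaches the VOMS modules (localaccount succeeds and goes straight to posix_enf), and a proxy without any VOMS attributes, or with attributes that match nothing in the groupmapfile, fails the policy because vomsextract and vomslocalgroup have no FALSE branch. The "vomspoolgroup -> vomspoolaccount | vomspoolaccount" rule is what makes a pool group optional.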

16 LCMAPS – VOMS groupmapfile
  # Example groupmapfile:
  # Users with the exact VO-group info "/VO=fred/GROUP=fred/ROLE=husband"
  # will be added to the local group "fredje"
  "/VO=fred/GROUP=fred/ROLE=husband" fredje
  # All users from VO wilma will be added to the allocated pool group "pool[1-9]*"
  #"/VO=wilma/GROUP=*" .pool
  # For the ITeam VO:
  "/VO=iteam/GROUP=/iteam*" iteam
  # For the wpsix VO:
  "/VO=WP6/GROUP=/WP6*" wpsix
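The groupmapfile has two kinds of target: a fixed local group, and a ".pool" target that means "hand out a group from the pool whose names start with pool". The example below is added here and is not LCMAPS code. It matches FQANs against the patterns in file order (first match wins, "*" as a shell wildcard) and resolves a pool target on demand. The pool is modelled on the gridmapdir/groupmapdir convention behind the -gridmapdir and -groupmapdir options on slide 15; that mechanism is an assumption of this example, the slides do not describe it: the directory holds one empty file per pool member, a lease is a hard link to that file named after the URL-encoded key, and a member whose link count is 1 is free. The groupmapfile text is a constructed copy of the slide with the wilma line enabled; the pool names and FQANs in demo() are constructed.

```python
"""Added example, not LCMAPS code: FQAN matching against a slide-16 style
groupmapfile, and '.pool' targets resolved through a groupmapdir-style lease
directory (assumed mechanism: one file per member, a lease is a hard link to
it named after the URL-encoded key; link count 1 means free)."""
import fnmatch
import os
import re
import shutil
import tempfile
from urllib.parse import quote

GROUPMAPFILE = '''
# constructed copy of the slide-16 example, with the wilma line enabled
"/VO=fred/GROUP=fred/ROLE=husband" fredje
"/VO=wilma/GROUP=*" .pool
"/VO=iteam/GROUP=/iteam*" iteam
"/VO=WP6/GROUP=/WP6*" wpsix
'''

def parse_groupmapfile(text):
    """List of (pattern, target) in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError('unparsable groupmapfile line: %r' % line)
        entries.append(m.groups())
    return entries

def match_fqan(fqan, entries):
    """First matching pattern wins; '*' is a shell-style wildcard, case-sensitive."""
    for pattern, target in entries:
        if fnmatch.fnmatchcase(fqan, pattern):
            return target
    return None

class PoolDir:
    def __init__(self, path, members):
        self.path = path
        for m in members:
            open(os.path.join(path, m), 'a').close()
    def _lease_path(self, key):              # '/' becomes '%2F', so never a member name
        return os.path.join(self.path, quote(key, safe=''))
    def _members(self, prefix):
        return sorted(f for f in os.listdir(self.path) if f.startswith(prefix))
    def lookup(self, key, prefix):
        """Member already leased to key (same inode as the lease link), or None."""
        lease = self._lease_path(key)
        if not os.path.exists(lease):
            return None
        ino = os.stat(lease).st_ino
        return next((m for m in self._members(prefix)
                     if os.stat(os.path.join(self.path, m)).st_ino == ino), None)
    def lease(self, key, prefix):
        """Member for key, claiming a free one (link count 1) if needed."""
        held = self.lookup(key, prefix)
        if held is not None:
            return held
        lease = self._lease_path(key)
        for m in self._members(prefix):
            member = os.path.join(self.path, m)
            if os.stat(member).st_nlink != 1:
                continue                                   # already leased
            try:
                os.link(member, lease)                     # atomic claim
            except FileExistsError:
                return self.lookup(key, prefix)            # another mapper claimed for this key
            if os.stat(member).st_nlink == 2:
                return m                                   # only our link: claim is good
            os.unlink(lease)                               # two claimants raced; try the next
        raise RuntimeError('no free member with prefix %r' % prefix)

def map_fqans(fqans, entries, pooldir):
    """(fqan, local group) per matching FQAN; a '.xxx' target becomes a pool
    member named xxx*, leased per FQAN so every VOMS group gets its own group."""
    out = []
    for fqan in fqans:
        target = match_fqan(fqan, entries)
        if target is not None and target.startswith('.'):
            target = pooldir.lease(fqan, target[1:])
        if target is not None:
            out.append((fqan, target))
    return out

def demo():
    """Three mapping rounds against a two-member pool in a temporary directory."""
    root = tempfile.mkdtemp(prefix='groupmapdir-')
    try:
        entries = parse_groupmapfile(GROUPMAPFILE)
        pool = PoolDir(root, ['pool1', 'pool2'])
        a = map_fqans(['/VO=wilma/GROUP=/wilma', '/VO=fred/GROUP=fred/ROLE=husband'], entries, pool)
        b = map_fqans(['/VO=wilma/GROUP=/wilma/pebbles', '/VO=iteam/GROUP=/iteam/test'], entries, pool)
        c = map_fqans(['/VO=wilma/GROUP=/wilma', '/VO=cms/GROUP=/cms'], entries, pool)
        try:
            map_fqans(['/VO=wilma/GROUP=/wilma/bambam'], entries, pool)
            exhausted = False
        except RuntimeError:
            exhausted = True
        return a, b, c, exhausted
    finally:
        shutil.rmtree(root)

if __name__ == '__main__':
    print(demo())
```

The link-count check after os.link() is the part worth keeping in mind: os.link() itself is atomic, but two gatekeeper processes can both see a member with one link and both link to it; whoever then sees a count above 2 backs out and moves on, so no two keys share a pool member. The lease name is keyed on the FQAN, not the DN, which is why a second user of the same VOMS group ends up in the same pool group; the uid pool on slide 14 is keyed on the DN and the gids instead.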

17 LCMAPS – LDAP and AFS
- LDAP enforcement plug-in
  - Updates a central LDAP user directory
  - Secure (as opposed to NIS)
  - More flexible
- AFS plug-in
  - Gives local AFS access
  - Uses gssklog to obtain an AFS token
  - Requires the gssklog daemon to run on the AFS server
  - The mapping of DN to AFS user is maintained in the gssklog mapfile

18 Job Repository – Intro.
- What?
  - The Job Repository is a relational database
  - The data consist of user info with X.509 certs, job info, VOMS info, credential info and the links between these types of info for every job
  [Figure: user X509 - Job - VOMS - Credential, with links]
- Why?
  - Central repository, logging, accounting, auditing
- Where?
  - CE – plug-in for LCMAPS
  - CE – various scripts controlled by the Job Manager
  - The database has to be installed close to (or on) the CE

19 Job Repository
- How?
  - ODBC layer
  - Currently a MySQL backend
  - Multiple programs/scripts gathering information
- Who?
  - Sys-admins (only)
  - A new tool for LCG needs to get the local GIDs from the VOMS info

20 Job Repository – The DB Layout
[Figure: tables Users, User certificates, Jobs*, Job Status*, Credentials (UID/GIDs), VOMS, VOMS Issuer, Issuer Certificates. * Update needed outside the LCMAPS plugin to get all info.]

21 Status
- LCAS and LCMAPS
  - Incorporated in EDG 2.1
  - Deployed on the application testbed since last week
  - AFS plug-in almost completed
- Job Repository
  - LCMAPS plug-in nearing completion
  - Small changes needed to the LCMAPS code for the VOMS-to-GID tool
- Documentation:
  - http://www.dutchgrid.nl/DataGrid/wp4/lcas/edg-lcas-1.1/
  - http://www.dutchgrid.nl/DataGrid/wp4/lcmaps/edg-lcmaps-0.0.16

22 Future developments
- LCAS, LCMAPS (and the JobRep?) will be part of EGEE
- gridFTP will be patched to use LCAS and LCMAPS
- LCAS will evolve into an authorization service and take on the use of XACML to express VO access control
- DAGGR (?): Authorization Decision Service
- LCAS and LCMAPS will also interface to the AuthZ call-outs in GT3

23 Introduction (1)
- EDG security infrastructure based on X.509 certificates (PKI)
- Authentication
  - 16 national certification authorities
  - Policies and procedures => mutual trust
  - Users identified by certificates signed by their national CA
- Authorization
  - Authorization for grid users cannot be decided on a local site basis alone
  - At least 2 entities involved
    - Resource Providers (e.g. Tiers in the LCG framework)
    - Virtual Organizations (e.g. LHC experiment collaborations)

24 Introduction (2)
- Authorization (cont.)
  - Resource granting established by agreements between VOs and RPs
    - VOs administer user membership, roles and capabilities
    - RPs evaluate the authorization granted by a VO to a user and map it into local credentials to access resources
  - Trust/Authorization Manager for Java (e.g. Spitfire)
  - LCAS/LCMAPS for farms
  - SlashGrid for storage (Andrew's talk)
  - Need a tool to manage membership for large VOs (10000 users)
    - Globus mechanism (grid-mapfile) not scalable
  - VO Membership Service (VOMS)
    - Extends the existing grid security infrastructure architecture with embedded VO affiliation assertions
    - Permits authorization control on grid services for job submission, file and database access

25 Authorization requirements
- Architecture
  - Centralized and scalable (for a VO-based authorization policy)
- Attribute support
  - Group membership (subgroups, multiple inheritance, ...)
  - Roles (admin, student, ...), capabilities (free-form string), ...
  - Temporal bounds
- Resource Provider
  - Keeps full control over access rights
  - Traceability at user level (not VO level)
- Security issues
  - The Auth server must not be a single point of failure
  - Auth communications must be trusted, secured and reserved

26 Globus Authorization Mechanism
- grid-mapfile
  - Grid credentials (user's certificate) to local credentials (UNIX account) mapping
  - "Boolean" authorization
  - Information provided via VO-LDAP servers
  - Managed "manually" by the resource admin (via mkgridmap)
- No centralization
- No scalability
- Lack of flexibility
  "/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/Email=roberto.alfieri@pr.infn.it" alfieri
  "/C=IT/O=INFN/L=Parma/CN=Fabio Spataro/Email=fabio.spataro@pr.infn.it" spataro

27 VO-LDAP Architecture
[Figure: mkgridmap reads the VO Directory (o=xyz, dc=eu-datagrid, dc=org; ou=People, ou=Testbed1, ou=???; entries such as CN=Mario Rossi, CN=Franz Elmer, CN=John Smith) and the Authentication Certificate, combines them with local users and a ban list, and writes the grid-mapfile. Adopted by DataGrid Testbed0 (2001/02), DataGr id Testbed1 (2003), DataTAG Testbed (2003).]

28 The Virtual Organization Membership Service
- The Virtual Organization Membership Service (VOMS)
  - Developed by the European DataGrid and DataTAG collaborations to solve the limitations of the current LDAP VO servers
  - Grants authorization data to users at VO level
    - Each VO has its own VOMS
    - Support for group membership (subgroups, multiple inheritance, ...), "forced" groups (i.e. for negative permissions), roles (admin, student, ...) and capabilities (free-form string)
  - Essentially a front-end to an RDBMS
    - User client – queries the server for authorization info
    - User server – returns authorization info to the client
    - Administration client – used by VO administrators for management
    - Administration server – executes client update operations on the DB
    - Transition tool – interface to mkgridmap++ (see below)
  - All client-server communications are secured and authenticated
  - Authorization info is processed by the gatekeeper
    - Full functionality of VOMS achieved via LCAS/LCMAPS plug-ins (see below)

29 VOMS overview
[Figure: component diagram. voms-proxy-init and mkgridmap talk GSI to vomsd, which reaches the DB via DBI; a Perl CLI and a Java GUI talk SOAP (axis) to the VOMS implementation servlet under Tomcat & java-sec, which reaches the DB via JDBC; a browser talks https to voms-httpd (Apache & mod_ssl), which uses http to the servlet.]

30 DB Structure (simplified)
[Figure: entity-relationship diagram. Tables: users (uid, dn, ca, ...), groups (gid, dn, aclid), roles (rid, dn), capabilities (cid, dn), CA (caid, dn), acl (aclid, principal, operation, allow/deny). A many-to-many relation links user, group, role and capability.]

31 VOMS Operations
[Figure: as on slide 4. Authentication Request -> Query -> Auth DB; the VOMS pseudo-cert is embedded in the proxy C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy]
1. Mutual authentication client-server
   - Secure communication channel via the standard Globus API
2. Client sends the request to the server
3. Server checks the correctness of the request
4. Server sends back the required info (signed by itself) in a "Pseudo-Certificate"
5. Client checks the validity of the info received
6. Client repeats the process for other VOMSs
7. Client creates a proxy certificate containing all the info received in a (non-critical) extension
8. Client may add user-supplied auth info (Kerberos tickets, etc.)

32 Pseudo-Certificate Format
  /C=IT/O=INFN/L=CNAF/CN=Vincenzo Ciaschini/Email=Vincenzo.Ciaschini@cnaf.infn.it   <- user's identity
  /C=IT/O=INFN/CN=INFN CA
  /C=IT/O=INFN/OU=gatekeeper/L=PR/CN=gridce.pr.infn.it/Email=alfieri@pr.infn.it     <- server identity
  /C=IT/O=INFN/CN=INFN CA
  VO: CMS                                                                             <- user's info
  URI: http://vomscms.cern.ch
  TIME1: 020710134823Z
  TIME2: 020711134822Z
  GROUP: montecarlo
  ROLE: administrator
  CAP: "100 GB disk"
  SIGNATURE: ......... (binary signature bytes, not reproducible in the transcript)
- The pseudo-cert is inserted in a non-critical extension of the user's proxy
  - OID 1.3.6.1.4.1.8005.100.100.1
- It will become an Attribute Certificate
- One for each VOMS server contacted

33 Authorization
[Figure: authorization architecture. The user authenticates to the VOMS service and presents dn + attrs to services. Java side: coarse-grained authr via ACL, e.g. a Spitfire service; fine-grained authr with pre-processing, e.g. RepMeC. C side: coarse-grained LCAS followed by LCMAPS mapping, e.g. CE/Gatekeeper; fine-grained LCAS with pre-processing, e.g. SE, /grid.]

34 Spitfire
- Provides uniform access to various implementations of database back ends via a grid-enabled front end
  - SOAP interface
  - JDBC interface to the RDBMS
- TrustManager: certificate validator for Java services
  - Permits (mutual) secure client-server authentication
  - Supports X.509 certificates and CRLs
- Support for connections via HTTP(S) using the GSI certificate for authentication
- Role-based authorization
  - Support for authorization info provided by VOMS

35 Local Site Authorization Services
- Local Centre Authorization Service (LCAS)
  - Handles authorization requests to the local fabric
    - Authorization decisions based on the proxy user certificate and the job specification
    - Supports the grid-mapfile mechanism
  - Plug-in framework (hooks for external authorization plug-ins)
    - Allowed users (grid-mapfile or allowed_users.db)
    - Banned users (ban_users.db)
    - Available timeslots (timeslots.db)
    - Plug-in for VOMS (to process authorization data)
- Local Credential Mapping Service (LCMAPS)
  - Provides the local credentials needed for jobs in the fabric
  - Plug-in framework, driven by a comprehensive policy language
  - Mapping based on user identity, VO affiliation, site-local policy
  - Supports standard UNIX credentials (incl. pool accounts), AFS tokens, Krb5

36 LCMAPS – requirements
- Backward compatible with existing systems (grid-mapfile, k5cert)
- Support for multiple VOs per user (and thus multiple UNIX groups)
- Minimum system administration
  - Pool accounts
  - Pool "groups"
  - Understandable configuration
- Extendible
- Boundary conditions
  - Has to run in privileged mode
  - Has to run in the process space of the incoming connection (for fork jobs)

37 LCMAPS – plugin introspection
- The framework is "resistant" to new module functionality and vice versa
- Invocation and argument list for modules are discovered via the "introspection API"
- Various modules can support different interfaces
- Modules from multiple generations can be "mixed"
- An "old" framework will work with "bleeding-edge" modules
- See the apidoc for more details

38 LCMAPS – modules
- Modules represent atomic functionality
- VOMS: from role info and a local mapfile assign a gid (A)
- PoolAccounts: from the username assign a unique uid (A)
- PoolGroups: from the (VOMS) group name assign a unique gid (A)
- LocalAccount: from the username assign a local existing unique uid (A)
- AFS/Krb5: get a token based on the user DN info (A)
- POSIX process: setuid() and setegid() (E)
- POSIX LDAP: update the distributed user database (E)
- Krb5: run the job via k5cert (E)
- ...
(A) = credential acquisition module, (E) = credential enforcement module

39 LCMAPS – policy evaluation
- State machine approach (superset of boolean expressions)
- Policy description file:
  path = /opt/edg/lib/lcmaps/modules
  localaccount = "lcmaps_localaccount.mod \
                  -gridmapfile /etc/grid-security/grid-mapfile"
  poolaccount  = "lcmaps_poolaccount.mod -gridmapfile /etc/grid-security/grid-mapfile"
  posix_enf    = "lcmaps_posix.mod -maxuid 1 -maxpgid 1 -maxsgid 32"
  voms         = "lcmaps_voms.mod -vomsdir /etc/grid-security/certificates \
                  -certdir /etc/grid-security/certificates"
  standard:
    voms -> poolaccount | localaccount
    localaccount -> posix_enf
    poolaccount -> posix_enf
[Figure: state machine. VOMS-group: TRUE -> PoolAccount, FALSE -> LocalAccount; both lead to POSIX enforcement (LDAP shown alongside).]

40 LCMAPS – enabling new functionality
- Local UNIX groups based on VOMS group membership and roles
- More than one VO/group per grid user
- No pre-allocation of pool accounts to specific groups
- New mechanisms:
  - Groups-on-demand
  - Central user directories (nss_ldap, pam_ldap)
- Why do we (still) need LCAS:
  - Centralized decisions on authorized users (like at FNAL)
  - Coordinated access control across multiple CEs
  - (and save on expensive account allocation mechanisms in LCMAPS)

41 Status and Future Work
- LCAS was in release 1.4.x and is currently used
- VOMS release delayed till after 2.0.0
- Unit deployment of VOMS (client/server, admin, mkgridmap++) in Feb. '03
- LCMAPS release foreseen for $DATE (see status talk)
Work in progress
- VOMS
  - Certificates will be substituted by true Attribute Certificates (RFC 3281)
  - Support for time-cyclic/bound permissions and roles
  - Database replication
- LCAS/LCMAPS
  - Framework ready, evaluation manager ready, doc & apidoc available
  - Completed plug-ins: localaccount, poolaccount, POSIX
  - In development (various stages): VOMS, AFS/Krb5, PoolGroups, LDAP

42 mkgridmap++
- Need for a tool for the transition to the LCAS/LCMAPS mechanism
- VOMS and VO-LDAP can and MUST coexist
  - VOMS can also be used for grid-mapfile generation
  - New directive in the config file
- New feature
  - Authenticated access to VOMS (not LDAP) servers based on the https protocol, to restrict the clients allowed to download the list of VO members
[Figure: mkgridmap++ on the CE reads "group ldap://..." (VO-LDAP) and "group https://..." (VOMS, restricted access) directives and produces the grid-mapfile.]

43 More Information
- EDG Security Coordination Group
  - Web site: http://hep-project-gris-scg.web.cern.ch/
- VOMS
  - Web site: http://grid-auth.infn.it/
  - CVS site: http://cvs.infn.it/cgi-bin/cvsweb.cgi/Auth/
  - Developers' mailing list: sec-grid@infn.it
- LCAS-LCMAPS
  - Web site: http://www.dutchgrid.nl/DataGrid/wp4/
  - CVS site: http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcas/
    http://datagrid.in2p3.fr/cgi-bin/cvsweb.cgi/fabric_mgt/gridification/lcmaps/
  - Mailing list: hep-proj-grid-fabric-gridify@cern.ch
- Spitfire
  - Web site: http://spitfire.web.cern.ch/Spitfire/

44 Related Work
- CAS (Globus team)
  - Proxy generated by the CAS server, not by the user (difficult traceability)
  - Proxy not backward compatible
  - Attributes are permissions (resource access controlled by the VO)
- PERMIS (Salford Univ., England)
  - ACs stored in a repository at the local site
  - Good policy engine
  - VOMS complementary (flexible VOMS AC + PERMIS policy engine)
- Akenti (US Gov.)
  - Targets web sites, not easy migration to a VO environment

