Presentation is loading. Please wait.

Presentation is loading. Please wait.

GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania.

Similar presentations


Presentation on theme: "GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania."— Presentation transcript:

1 GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania

2 GRID Introduction Each experiment has many machines to be used for different tasks: analysis, simulations etc. There are groups of people working on each task: the jobs sent by each group must be run only on the selected machines.

3 GRID Globus use the grid-mapfile to allow users the access of a machine. For each user there is an entry in the file with the X.509 user certificate subject and a local unix account to be mapped to. The management of the file for hundreds of users of differents groups is cumbersome.

4 GRID Outline User/group LDAP repository Globus gridmap-file management

5 GRID Repository INFN implemented a LDAP repository to store information about –users (identified by their X.509 certificate subject) –grouping of users The repository can be used to download selected certificates choosing a filtering policy (all, group, domain, etc.) The information uses standard objectclasses to permit easier integration of the system with existing software.

6 GRID Objectclasses The Objectclasses that best represent users in this context are: –person –organizationalPerson –inetOrgPerson –groupOfNames

7 GRID Objectclasses Grouping of users can be defined using the groupOfNames Objectclass. The “Member” is a multivalue attribute of groupOfNames Objectclass that contains a distinguished names list of users belonging to the group.

8 GRID This namespace allows for a clean access control list implementation and a directory partitioning based on a geographical model.

9 GRID Maintaining the repository LDAP Managers –They have full access to the directory, create the directory layout and assign privileges to group managers and the CA manager

10 GRID Maintaining the repository CA Manager –Produces authentication information (certificates) and publishes this info in the repository with a tool (certpublish) –The email address contained in the certificate will be used to produce the DN as in the following example: Carlo.Rocca@ct.infn.it becomes Dn: mail=Carlo.Rocca@ct.infn.it,ou=people,dc=ct,dc=infn,dc=it,o=Grid

11 GRID Certpublish Certpublish syntax certpublish -in : DER Encoded Certificate to publish -host hostname: Name of the server -port integer: Port Number -base DN: Base for searches -DN DN: Bind DN -help: This help

12 GRID Maintaining the repository Organizational Unit (“Group”) Managers –They are responsible of editing OU Groups, creating new ones and editing memberships. Many existing LDAP tools available for this purpose –Grouping can be used to produce gridmap files as well as for other administrative purposes (see later).

13 GRID Security Issues The group subtree must follow a restrictive security policy: –Accessible only from Globus hosts –TLS should be used for maintenance operation (cert publishing, group editing, operations where password are sent over the net) and for queries where possible. Access control lists to establish managers privileges on the DIT must be implemented. Until now no standard ACL schema exists, (standardization is ongoing), so the software specific ACL schema must be used.

14 GRID Grid-mapfile management In a Grid environment it is fundamental that a group of hosts with common purposes shares the same access policy –Management of grid-mapfiles in the Globus model Two basic strategies –Same common (“group”) UID assigned to many different Grid users Simpler management Impossible to distinguish between different Grid users (e.g. Files created by different Grid users mapped to same UID) –Different local UID (possibly generated on the fly) assigned to every Grid user Much harder to automate

15 GRID Grid-mapfile management Globus doesn’t provide tools to handle a centralized management of grid-mapfiles INFN-GRID has implemented a system, based on this user/group repository, that simplifies gridmap- files management, allowing Globus administrators to update their grid-mapfile with consistent information. –Tool (certretrieve) used to connect to the repository and update periodically (e.g. cron job) the gridmap-file, using the preferred policy (all users, users of a specific group/domain,...)

16 GRID Certretrieve Certretrieve syntax certretrieve -host hostname: Name of the server -port integer: Port Number -base DN: Base for searches -DN DN: Bind DN -groupDN groupDN: Returns only users in group -lcluser user: Local user to map certificates -CAfile filename: Checks certificate validity -CRL filename: Checks CRL -help: This help

17 GRID Example An example on how to retrieve certificate subjects is by the following command: certretrieve –groupDN “cn=muon,ou=CMS,dc=infn,dc=it,o=Grid” \ –lcluser cmsmuon This will retrieve certificate subjects of users in the CMS muon subgroup and map all of them to the cmsmuon local account


Download ppt "GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania."

Similar presentations


Ads by Google