
OSG AuthZ Architecture






Presentation Transcript


  1. OSG AuthZ Architecture (diagram). The legend groups the boxes into VO, Grid Site, Site Services, AuthZ Components, VO Management Services, Batch System and Storage. VO Management Services are VOMRS and VOMS, kept in synch with each other. Site Services are SAZ and GUMS. On the site, the CE runs the Gatekeeper with Prima, the WN runs gLExec with Prima, and the SE runs SRM with gPlazma / Prima. The diagram numbers the flow 1 to 10; the labelled steps are: register (1); get voms-proxy (4); submit request with voms-proxy; "Is Auth? Yes / No" (answered by SAZ); "ID Mapping? Yes / No + UserName" (answered by GUMS); schedule Pilot OR Job; submit Pilot OR Job (UID/GID); Pilot SU Job (UID/GID); Access Data (UID/GID) (10).

  2. Credential Representations (RFC3280, RFC3281). Three credentials, their attributes and where they live:
     • User Certificate: 2 files on the user's file system, generated while requesting the certificate from the CA. "User Certificate" (User Pub. Key), signed by the CA Priv. Key: Version 3; Serial Number <Number> (e.g. 9712); Issuer <CA DN>; Subject <User DN>; Validity Not Before <date>, Not After <date> (long lived); Extensions <Std. X509 Extensions>; Other X509 Attributes. Kept alongside the User Priv. Key.
     • User Proxy: 1 file on the user's file system, generated with voms-proxy-init or grid-proxy-init. "Proxy Pub. Key", encodes the VO attributes, signed by the User Priv. Key. Kept alongside the Proxy Priv. Key (NOT included in delegated proxies).
     • Delegated Proxy: 1 file on the PEP file system, generated when invoking the PEP services (submit job, transfer files, …). "Delegated-Proxy Pub. Key", signed by the Proxy Priv. Key: Version 3; Serial Number <Number> (e.g. 9712); Issuer <User DN>; Subject <Proxy DN> (<User DN>/CN=Proxy); Validity Not Before <date>, Not After <date> (short lived); Extensions <Std. X509 Extensions>; Extended Attributes: VO: <VO>, subject: <User DN>, issuer: <VOMS Cert. DN>, attribute: /<VO>/<Group>/Role=<Role>/Capability=NULL, attribute: /<VO>/<Group>/<SubGroup>/Role=<Role>/Capability=NULL, …, validity; Other X509 Attributes. Kept alongside the Delegated-Proxy Priv. Key.

  3. Obtaining VO Attributes (diagram). Starting from the User Certificate and User Priv. Key, either grid-proxy-init or voms-proxy-init creates a proxy (Serial Number <Number>; Issuer <User DN>; Subject <Proxy DN>; Validity <Dates>; Extensions: Std. Extensions; Other X509 Attributes) together with its Proxy Priv. Key and a copy of the User Certificate. voms-proxy-init additionally contacts VOMS, and the proxy it produces carries the Extended Attributes: VO: <VO>, subject: <User DN>, issuer: <VOMS Cert. DN>, attribute: <VO Attributes>, validity: <Dates>.

  4. Attribute Usage (diagram). Three stages at the PEP (Gate1), each presented with the User Certificate (Serial Number <Number>; Issuer <CA DN>; Subject <User DN>; Validity <Dates>; Other X509 Attributes) and the Delegated Proxy Pub / Priv. Key (Serial Number <Number>; Issuer <User DN>; Subject <Proxy DN>; Validity <Dates>; Extensions: Extended Attributes: VO: <VO>, subject: <User DN>, issuer: <VOMS Cert. DN>, attribute: <VO Attributes>, validity: <Dates>; Other X509 Attributes):
     • Authenticate: the Local GSI Config and the SAZ Client are used; the SAZ Client speaks the SAZ Protocol to SAZ, which answers YES / NO.
     • Map ID / Set Privileges: Prima (with the Hostname) consults GUMS, which replies with SAML v1.1 + Obligations carrying the Username (Obligation); the Username is resolved against the Local Accounts to a UID / GID.
     • Authorize Access: Privileges Set, Access Authorized.
     Legend: • The 2 PEP boxes represent the same entity. • The 3 credential boxes represent the same credentials.
