1 / 10

VOMS From user to resource

VOMS From user to resource. Oscar Koeroo JRA3. Content. The Root of Trust Review on LCG <2.4 VO LDAP Grid-mapfile Short overview on the services using a grid-mapfile (Expected) Changes in LCG 2.5. The Root of Trust.

Download Presentation

VOMS From user to resource

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. VOMSFrom user to resource Oscar Koeroo JRA3

  2. Content • The Root of Trust • Review on LCG <2.4 • VO LDAP • Grid-mapfile • Short overview on the services using a grid-mapfile • (Expected) Changes in LCG 2.5 VOMS - From user to resource - (22-04-2005)

  3. The Root of Trust • We base our trust on the CAs signing certificates to trustworthy people and machines: • The EUGridPMA (EU Grid Policy Management Authority) is a collaboration of accredited CAs • An accredited CA must follow the minimum guidelines described in document (link to doc) • Each accredited CA represents their national academic and scientific research region • If there is no accredited CA available CNRS in France can serve as a Catch-All CA • LCG, TeraGrid, DEISA, OSG and other are collaborating in the trust relationships VOMS - From user to resource - (22-04-2005)

  4. LCG <2.4 - VO LDAP server • Everybody is in a VO • No hierarchy • No differentiation between users • Only schema extensions (which don’t have effect on a resource) • The protocol is public with LDAP • Everybody can see who is registered in a VO • It’s plain text protocol • mkgridmap creates the grid-mapfiles by reading the VO LDAP directories VOMS - From user to resource - (22-04-2005)

  5. LCG <2.4 – Grid-mapfile • Grid-mapfile is used to express authorized users • The LDAP directory is retrieved for each VO LDAP server and results in a list of DNs • With an ‘authz’ VO this list is ANDed • Each line in the file contains a DN followed by a local Unix account name or a pool account name • The grid-mapfile mechanism is used on the most major infrastructural Grid service machines: • Resource Broker (RB) • Computing Element (CE) • Storage Element (SE) • other Grid service that need to authorize users VOMS - From user to resource - (22-04-2005)

  6. LCG <2.4 – The Services • All major services will perform mutual authentication based on GSI • Mutual authentication between user and connected service is endorsed • Both the certificate of the user and the connected service will present his certificate to each other to validate each other’s certificate • The entire chain of certificates which have been presented to each other must be valid at each stage of the chain and much be trustworthy • This means that you are able to use proxy certificates to authenticate yourself • This also mean that you are able to authenticate yourself with a delegated proxy. VOMS - From user to resource - (22-04-2005)

  7. LCG <2.4 – The Services: RB • On a Resource Broker the grid-mapfile is used to: • Authorize a user if he is allowed to make use of this RB • Allows the RB to know to which VO a user belongs and thus being able to select a more accurate set of resources for a user’s submitted job • When a user submits a job to the RB it claims the affiliated VO, this is verified at the RB VOMS - From user to resource - (22-04-2005)

  8. LCG <2.4 – The Services: CE • CE: The gatekeeper uses LCAS and LCMAPS to authorize users and do user mapping (user identity switching) • LCAS: Authorize user comparing the DNs in the grid-mapfile to indicate that they are authorized or compare them in a blacklist to keep them out of the site (other plug-ins are available) • LCMAPS: does the actual user mapping; looks in to the grid-mapfile and will search for the DN and will invoke the identity switching to a: • local (unix) account • pool (unix) account • Both frameworks have more plug-ins available to do more, but at this stage they were not used VOMS - From user to resource - (22-04-2005)

  9. LCG <2.4 – The Services: SE • The SE using the gridFTP will authorize users and do user mapping (user identity switching) • The gridFTP server uses the grid-mapfile with a plain and simple version of identity switching with local/poolaccount mechanism • The SE can store files with the Unix file permissions of the poolaccount that has been used. • It’s a common setup to affiliate each poolaccount to its corresponding Unix group that represents the VO • The whole VO can now read that file due to the effective Unix file permissions • The catalogs are world readable due to the fact that it are non-secured LDAP directories • Any user could retrieve all stored metadata about all the files in a catalog VOMS - From user to resource - (22-04-2005)

  10. LCG 2.4 VOMS - From user to resource - (22-04-2005)

More Related