Learn about Site Authorization Service (SAZ) and Local Resource Authorization Service (LRAS) functionalities, components, deployment status, and more. Understand how these services control user access to resources and facilitate fine-grain management.
Site Authorization Service / Local Resource Authorization Service (VOX Project)
Vijay Sekhri, Tanya Levshina, Fermilab
Talk Overview
• Site Authorization Service
  • Functionality
  • Components
  • CLI examples
  • Status and deployment
• Local Resource Authorization Service
  • Functionality
  • Components
  • GUI screenshots
  • Status
• Summary
User Registration/VO management/AuthZ workshop at CERN
Site Authorization Service
Purpose: The Site Authorization Service (SAZ) allows the security authorities of a grid site to impose site-wide policy and to control access to the site.
Stakeholder:
• Fermilab Computing Facility (D. Skow)
SAZ Functionality
• Allows administrators to control user access to the site resources
• Provides means to retrieve information about users and their access
• Authorizes a user by
  • verifying the user's access status
  • analyzing the user's certificate chain
• Provides centralized maintenance of Certificate Revocation Lists (CRLs)
SAZ Components
[Component diagram: the UI Client and AI Client talk to the AI Server with Kerberos authentication (select, update, insert and delete queries); the SAZ Client talks to the SAZ Server over a GSI channel (select query only); both servers use SAZDB.]
• SAZ Server
  • extracts the DN from the user's cert chain and looks it up in SAZDB for authorization
  • checks the CRL, signature verification and signing policy
• SAZ DB
  • stores the user's principal, DN, status, etc.
• SAZ Client
  • invoked as a Globus gatekeeper plugin to communicate with the SAZ Server to check the user
  • passes the user's cert chain to the SAZ Server for authorization; the client is authenticated using GSI
• Admin Server
  • allows an admin to add, delete and list any DN and principal in SAZDB
  • allows a user to add, delete or list any DN associated with his own principal in SAZDB
• AI/UI Client
  • provides the front end for the admin/user
  • AI Client: the admin can insert, delete and update any user's DNs, principals and status; the admin is authenticated using Kerberos
  • UI Client: the user can insert or delete any DN that is assigned the same principal as his own; the user is authenticated using Kerberos
CLI Examples
• The UI Client supports the following commands:
  • ls (lists DN, access status and principal of all users associated with the same principal)
  • ls <dn> (lists DN, access status and principal of the selected user)
  • add <dn> (adds the specified DN to the database and sets its principal to the principal of the current user)
  • del <dn> (deletes the specified DN if it is associated with the same principal)
• The AI Client supports the following commands:
  • ls [dn] [principal] (lists DN, access status and principal of the selected users; the wildcard "%" can be used for selection)
  • add dn principal (adds the specified DN and principal to the database)
  • del dn principal (deletes the specified DN and principal from the database)
  • enable dn principal (allows the specified DN and principal to access site resources; the wildcard "%" can be used for selection)
  • disable dn principal (denies the specified DN and principal access to site resources; the wildcard "%" can be used for selection)
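The slides describe SAZDB, the two client roles and the server's decision in prose only. The following Python model is an added example and is not code from the VOX project: the names SazDb, AiClient, UiClient and authorize, the record layout, the "%" wildcard translation and the certificate dicts are assumptions made for illustration. It shows the privilege split the components slide describes (the AI Client may touch any record, the UI Client only records bound to its own principal) and a SAZ Server style decision that applies the CRL and chain checks before the SAZDB lookup.

```python
"""Toy model of SAZDB, the two SAZ clients and the SAZ server decision.

Added example, not code from the VOX project. The names (SazDb, AiClient,
UiClient, authorize), the record layout and the certificate dicts are
assumptions; the command semantics follow the CLI description above.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


class Forbidden(Exception):
    """A client attempted an operation outside its role."""


@dataclass
class Record:
    dn: str
    principal: str
    enabled: bool = True


def _match(pattern, value):
    # The AI client uses the SQL wildcard "%"; fnmatch spells it "*".
    return fnmatchcase(value, pattern.replace("%", "*"))


class SazDb:
    def __init__(self):
        self.records = {}      # dn -> Record
        self.revoked = set()   # (issuer, serial) pairs taken from the CRLs (constructed)

    def select(self, dn="%", principal="%"):
        return [r for r in self.records.values()
                if _match(dn, r.dn) and _match(principal, r.principal)]


class AiClient:
    """Admin front end (Kerberos-authenticated): insert, update, delete, select."""

    def __init__(self, db):
        self.db = db

    def ls(self, dn="%", principal="%"):
        return [(r.dn, r.enabled, r.principal) for r in self.db.select(dn, principal)]

    def add(self, dn, principal):
        self.db.records[dn] = Record(dn, principal)

    def delete(self, dn, principal):
        r = self.db.records.get(dn)
        if r is not None and r.principal == principal:
            del self.db.records[dn]

    def enable(self, dn, principal):
        for r in self.db.select(dn, principal):
            r.enabled = True

    def disable(self, dn, principal):
        for r in self.db.select(dn, principal):
            r.enabled = False


class UiClient:
    """User front end (Kerberos-authenticated): limited to the caller's principal."""

    def __init__(self, db, principal):
        self.db, self.principal = db, principal

    def ls(self, dn="%"):
        return [(r.dn, r.enabled, r.principal)
                for r in self.db.select(dn, self.principal)]

    def add(self, dn):
        existing = self.db.records.get(dn)
        if existing is not None and existing.principal != self.principal:
            raise Forbidden("dn is bound to another principal")
        self.db.records[dn] = Record(dn, self.principal)

    def delete(self, dn):
        existing = self.db.records.get(dn)
        if existing is None or existing.principal != self.principal:
            raise Forbidden("dn is not associated with this principal")
        del self.db.records[dn]


def authorize(db, chain, trusted_cas):
    """SAZ server decision for a leaf-first chain [proxy..., user cert].

    Each cert is a dict with subject, issuer and serial. The real SAZ Server
    also verifies signatures and the CA signing policy; here issuer-name
    chaining and the trusted_cas set stand in for those checks (an assumption).
    """
    if not chain:
        return False
    for i, cert in enumerate(chain):
        if (cert["issuer"], cert["serial"]) in db.revoked:      # CRL check
            return False
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            return False                                         # broken chain
    user_cert = chain[-1]
    if user_cert["issuer"] not in trusted_cas:
        return False
    rec = db.records.get(user_cert["subject"])                   # DN lookup in SAZDB
    return rec is not None and rec.enabled
```

The UI Client never receives a principal argument: it is fixed at construction from the Kerberos identity, so a user cannot name another principal on the command line. A disabled record still exists in SAZDB and is still listed by ls, which is what lets administrators deny access without losing the DN-to-principal association.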
SAZ Status and Deployment
• All components are in Java, except the SAZ Client (C)
• SAZ beta version is released (download: http://tam01.fnal.gov:8080/src/FNAL/mysaz)
• Installed at Fermi by the security team
• Successfully used on the CMS grid deployment testbed for a month
• Gathering the list of improvements/new features from the Fermilab security team
• More work on documentation needs to be done
Local Resource Authorization Service
Purpose: The Local Resource Administration Service (LRAS) associates a VO member with a local account and local resources based on the information provided by the user in the user proxy certificate. LRAS automates and facilitates the process of managing fine-grain access to a local grid resource.
Stakeholders:
• US CMS
• SDSS
• Fermilab Mass Storage System (Enstore)
LRAS Architecture
[Architecture diagram: the Update Daemon uses the VOMS Admin API to synchronize the LRAS DB with the VOMS EDG DBs of VO A and VO B; a Client API queries the LRAS Server over a GSI channel ("Is authorized? What user account? What abstract resource name?"); the Admin GUI manages user access, mapping to accounts and resources in the LRAS DB.]
LRAS Components
• LRAS Server:
  • a server that authorizes or denies the user's access to the local cluster and provides a mapping between the user proxy information and the abstract resource known to the server.
• LRAS DB:
  • a database that contains the list of known VOs, the list of groups within each VO, the available abstract resources, the list of users with their access status and mapping to a UNIX id, and the list of resources associated with each user.
• LRAS Update Daemon:
  • a process that fetches group and member information from multiple VOs and populates the LRAS database. The Update Daemon collects member information only for (VO, group) tuples that are identified by the LRP and have an assigned UNIX id. It is also responsible for keeping the LRAS DB in sync with the information it obtains from the VO. It uses the VOMS EDG admin API to communicate with VOMS.
• LRAS Client API:
  • the API allows a client (e.g. gatekeeper, storage element) to connect to the LRAS Server and fetch the user's related information.
• LRAS Admin GUI:
  • a graphical user interface that helps LRPs manage user access status, introduce new resources and map them to a particular user.
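The components above are described only in prose, so here is an added Python model of the LRAS DB, the Update Daemon's sync rule and the three questions the server answers; it is not code from the VOX project. The names LrasDb, UserEntry, update_daemon, assign_resource and query, the data layout and the VOMS snapshot format are assumptions, and the DNs, UNIX ids and resource names are constructed. The example covers the filter the slides call out (only (VO, group) tuples with an assigned UNIX id are collected), removal of members no longer reported by VOMS, and the server's decision for a proxy presenting a DN and a group FQAN.

```python
"""Toy model of the LRAS database, Update Daemon and LRAS Server query.

Added example, not code from the VOX project. The names (LrasDb, UserEntry,
update_daemon, assign_resource, query) and the data layout are assumptions;
the VOMS snapshot handed to the daemon is a constructed stand-in for what the
VOMS EDG admin API would return.
"""
from dataclasses import dataclass, field


@dataclass
class UserEntry:
    dn: str
    groups: set = field(default_factory=set)     # {(vo, group), ...} from VOMS
    enabled: bool = True                          # access status set by the LRP
    resources: set = field(default_factory=set)  # abstract resource names


class LrasDb:
    def __init__(self):
        # (vo, group) tuples the LRP has identified, each with its UNIX id.
        self.group_uid = {}
        # Abstract resources known to the server (e.g. a storage pool name).
        self.abstract_resources = set()
        self.users = {}   # dn -> UserEntry


def update_daemon(db, voms):
    """Populate and sync db.users from a {vo: {group: [dn, ...]}} snapshot.

    Only (vo, group) tuples with an assigned UNIX id are collected. Users no
    longer reported by any collected tuple are dropped so the DB stays in
    sync with VOMS; access status and resource mappings of the rest survive.
    Returns the sorted list of DNs now present in the DB.
    """
    reported = {}
    for vo, groups in voms.items():
        for group, members in groups.items():
            if (vo, group) not in db.group_uid:
                continue                         # not identified by the LRP
            for dn in members:
                reported.setdefault(dn, set()).add((vo, group))
    for dn, tuples in reported.items():
        entry = db.users.setdefault(dn, UserEntry(dn))
        entry.groups = tuples
    for dn in list(db.users):
        if dn not in reported:
            del db.users[dn]
    return sorted(db.users)


def assign_resource(db, dn, resource):
    """Admin GUI action: map a known abstract resource to a particular user."""
    if resource not in db.abstract_resources:
        raise KeyError(f"unknown abstract resource {resource!r}")
    db.users[dn].resources.add(resource)


def query(db, dn, fqan):
    """Answer the Client API's questions for a proxy presenting dn and a group
    FQAN such as "/cms/production": authorized? which account? which resources?
    """
    vo = fqan.strip("/").split("/")[0]
    key = (vo, fqan)
    entry = db.users.get(dn)
    ok = (entry is not None and entry.enabled
          and key in entry.groups and key in db.group_uid)
    return {
        "authorized": ok,
        "account": db.group_uid[key] if ok else None,
        "resources": sorted(entry.resources) if ok else [],
    }
```

The decision deliberately requires both halves to agree: the DN must have been brought in by the daemon for that exact (VO, group) tuple, and the tuple must still carry a UNIX id. A user who is a valid VOMS member of a group the LRP never mapped gets no account, which is the fine-grain control the purpose slide describes.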
Admin GUI Screenshots
[Screenshots of the LRAS Admin GUI not reproduced.]
LRAS Status
• All components are in Java; the LRAS Client API also exists in C.
• LRAS alpha version is released (download: http://tam01.fnal.gov:8080/src/FNAL/lras)
• More testing is needed
• More work on documentation needs to be done
Summary
• VOX Local Services (SAZ and LRAS) have been designed as general services for site controls.
• Implementation specifics for Fermilab are confined to a few points.
• Both packages can be used anywhere there are similar needs.
• We are very interested in feedback and are looking for volunteers to try out the software.
• More info: http://www.uscms.org/s&c/VO
• E-mail: vo-project@fnal.gov