Simplify grid-mapfile management in a Grid environment by implementing a centralized repository of user information for authentication and authorization in the Globus environment.
Centralized management of the Globus grid-mapfile Carlo Rocca INFN, Catania
Grid-mapfile management
• In a Grid environment it is fundamental that a group of hosts with common purposes shares the same access policy.
• Using the Globus Toolkit this can be realized by editing the grid-mapfile on every Globus host, but this task can complicate the management of the grid-mapfile.
Grid-mapfile management
• INFN-GRID has implemented a system that simplifies grid-mapfile management, allowing Globus administrators to update their grid-mapfile with consistent information.
Repository
• This has been done by implementing a central repository of user information to be used for authentication and authorization in the Globus environment.
• This information is then used by the Globus installation to periodically build the user database (grid-mapfile) on Globus hosts.
• The server provides only the access policy; the final authentication is done by the Globus host.
Repository
• Users are identified by their X.509 user certificate subject, which is mapped to a local unix account by the grid-mapfile.
• The main purpose of this repository is to provide user certificates (subjects) and grouping of users to the Globus hosts.
Repository
• The best choice for a repository of this information is an LDAP server that uses the Globus domain-component-based namespace (GIIS namespace).
• The information in the server must use standard objectclasses to permit easier integration of the system with existing software.
Objectclasses
• The objectclasses that best represent users in this context are:
  • person
  • organizationalPerson
  • inetOrgPerson
  • groupOfNames
Objectclasses
• Grouping of users can be defined using the groupOfNames objectclass.
• The member attribute of the groupOfNames objectclass is multivalued and contains the list of distinguished names of the users belonging to the group.
This namespace allows for a clean access control list implementation and a directory partitioning based on a geographical model.
Maintaining the repository
• CA Manager
  • Produces authentication information (certificates) and publishes it in the repository with a tool (certpublish) that accepts certificates and publishes them to the directory.
  • The email address contained in the certificate is used to produce the DN, as in the following example: Carlo.Rocca@ct.infn.it becomes
    dn: mail=Carlo.Rocca@ct.infn.it,ou=people,dc=ct,dc=infn,dc=it,o=Grid
Maintaining the repository
• Organizational Unit Managers
  • They are responsible for editing OU groups, creating new ones and editing memberships.
  • Grouping can be used to produce grid-mapfiles as well as for other administrative purposes.
Maintaining the repository
• LDAP Managers
  • They have full access to the directory, create the directory layout and assign privileges to group managers and the CA manager.
Using the repository
• The repository information is used by Globus administrators, who can periodically update the grid-mapfile using their preferred policy.
• A tool for the Globus administrator should be able to:
  • Connect to the server and download selected certificates, choosing a filtering policy (all, group, domain, etc.)
  • Produce grid-mapfile lines.
Security Issues
• The group subtree must follow a restrictive security policy:
  • Accessible only from Globus hosts.
  • TLS should be used for maintenance operations (certificate publishing, group editing, and any operation where passwords are sent over the net) and for queries where possible.
  • Access control lists to establish managers' privileges on the DIT must be implemented. Until now no standard ACL schema exists (standardization is ongoing), so the software-specific ACL schema must be used.
Tools
• Two tools have been developed:
  • certpublish, which allows the CA managers to publish certificates
  • certretrieve, which allows Grid administrators to create grid-mapfiles automatically
• Group managers can edit groups using many existing LDAP tools.
Tools
Certpublish syntax
    certpublish
      -in <filename>   : Encoded certificate to publish
      -host hostname   : Name of the server
      -port integer    : Port number
      -base DN         : Base for searches
      -DN DN           : Bind DN
      -help            : This help
Tools
Certretrieve syntax
    certretrieve
      -host hostname     : Name of the server
      -port integer      : Port number
      -base DN           : Base for searches
      -DN DN             : Bind DN
      -groupDN groupDN   : If present, return only users in the group
      -lcluser user      : Local user to map certificates to
      -help              : This help
Tools
• An example of how to retrieve certificate subjects is the following command:
    certretrieve -groupDN "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid"
  This retrieves the certificate subjects of the users in the gen subgroup.
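The following added example (not INFN-GRID's certretrieve, which is not shown on these slides) models the flow above in Python: it builds the entry DN from the certificate e-mail address as the CA Manager slide describes, reads a constructed LDIF snapshot of the repository, resolves the member DNs of a groupOfNames entry, and emits grid-mapfile lines mapping each member's certificate subject to a local account. The certSubject attribute is an assumption standing in for the subject of the published certificate; a dangling member DN is skipped rather than granted access.

```python
"""Toy model of the LDAP repository -> grid-mapfile flow (added example)."""

# Constructed LDIF: two inetOrgPerson entries and one groupOfNames entry.
# 'certSubject' is an assumed attribute holding the X.509 subject of the
# certificate published by certpublish; the slides do not name this attribute.
LDIF = """\
dn: mail=Carlo.Rocca@ct.infn.it,ou=people,dc=ct,dc=infn,dc=it,o=Grid
objectClass: inetOrgPerson
mail: Carlo.Rocca@ct.infn.it
certSubject: /C=IT/O=INFN/L=Catania/CN=Carlo Rocca

dn: mail=Mario.Rossi@ct.infn.it,ou=people,dc=ct,dc=infn,dc=it,o=Grid
objectClass: inetOrgPerson
mail: Mario.Rossi@ct.infn.it
certSubject: /C=IT/O=INFN/L=Catania/CN=Mario Rossi

dn: cn=gen,ou=CMS,dc=infn,dc=it,o=Grid
objectClass: groupOfNames
cn: gen
member: mail=Carlo.Rocca@ct.infn.it,ou=people,dc=ct,dc=infn,dc=it,o=Grid
"""


def mail_to_dn(mail):
    """Build the entry DN from the certificate e-mail, as on the CA Manager slide."""
    user, domain = mail.split("@", 1)
    dcs = ",".join("dc=" + part for part in domain.split("."))
    return f"mail={mail},ou=people,{dcs},o=Grid"


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attribute(lowercase): [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, value = line.split(": ", 1)
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def gridmap_lines(entries, group_dn, lcluser):
    """Emit grid-mapfile lines ('"subject" localuser') for members of group_dn."""
    lines = []
    for member_dn in entries[group_dn].get("member", []):
        entry = entries.get(member_dn)
        if entry is None:  # dangling member DN: no certificate subject, no access
            continue
        lines.append(f'"{entry["certsubject"][0]}" {lcluser}')
    return lines
```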