
User Management: Authentication & Authorization on the NorduGrid


  1. User Management: Authentication & Authorization on the NorduGrid
     Balázs Kónya, Anders Wäänänen
     3rd NorduGrid Workshop, 23 May 2002, Helsinki

  2. The problem:
     • user: how can I use the Grid, how do I log in?
     • cluster admin: who is coming from the Grid, how do I control Grid users?

  3. Authentication: establishing the identity of a Grid entity
     • trusted third-party Public Key Infrastructure:
       • a user possesses a private key and a certificate
       • she has a copy of the public key of the trusted third parties
     • the Grid Security Infrastructure (GSI) of Globus provides a single sign-on authentication procedure
     • a certificate contains:
       • the subject name, e.g. /O=Grid/O=NorduGrid/OU=quark.lu.se/CN=User Name
       • the public key of the subject
       • the identity of the trusted third party
       • the digital signature of the third party

  4. Certificate Authority: the Trusted Third Party
     Binds identities to key pairs:
     • issues X.509 certificates
     • maintains a Certification Policy
     • revokes compromised certificates
     • renews expired certificates
     A user's first step onto the NorduGrid:
     • generate a certificate request and submit it to the NorduGrid CA
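What a certificate binds together (slide 3) and what a site actually checks before it trusts one, as an added example; this is not code from the presentation or from the NorduGrid CA, and it uses the third-party Python `cryptography` package. The CA name, the user's subject name, the key sizes and the lifetimes are assumptions made for the example, and the CA is an in-memory self-signed certificate standing in for the NorduGrid CA.

```python
"""Added example, not code from the presentation or from the NorduGrid CA: what a
Grid certificate binds together and how a site checks one against its own copy of
the CA's public key. Requires the third-party `cryptography` package."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Short names for the attribute types that occur in Grid subject names (OpenSSL notation)
SHORT = {NameOID.ORGANIZATION_NAME: "O", NameOID.ORGANIZATIONAL_UNIT_NAME: "OU",
         NameOID.COMMON_NAME: "CN"}
BY_SHORT = {v: k for k, v in SHORT.items()}


def slash_dn(name: x509.Name) -> str:
    """Render a Name the way grid-mapfiles write it: /O=Grid/O=NorduGrid/OU=.../CN=..."""
    return "".join(f"/{SHORT[attr.oid]}={attr.value}" for rdn in name.rdns for attr in rdn)


def grid_name(*pairs: tuple) -> x509.Name:
    """One RDN per (short name, value) pair, kept in the order given."""
    return x509.Name([x509.NameAttribute(BY_SHORT[k], v) for k, v in pairs])


def _builder(subject, issuer, public_key, days, is_ca):
    now = datetime.datetime.utcnow()
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def self_signed_ca(name: x509.Name, days: int = 3650):
    """The trusted third party: its private key signs everyone else; its public key is what sites hold."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key, _builder(name, name, key.public_key(), days, True).sign(key, hashes.SHA256())


def user_request(subject: x509.Name):
    """The user's side (slide 4): keep the private key, send the CA a signed request for the subject name."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    return key, csr


def ca_issue(ca_key, ca_cert, csr, days: int = 365):
    """The CA's side: bind the requested subject to the requested public key under the CA's signature."""
    if not csr.is_signature_valid:          # proof that the requester holds the private key
        raise ValueError("CSR signature does not verify")
    return _builder(csr.subject, ca_cert.subject, csr.public_key(), days, False).sign(ca_key, hashes.SHA256())


def accepted_by_site(cert, trusted_ca_cert) -> bool:
    """The site's side (slide 3): the issuer must be the trusted third party, the signature must verify
    under the site's own copy of that CA's public key, and the certificate must be within its lifetime.
    Revocation (slide 4) is deliberately not checked here."""
    if cert.issuer != trusted_ca_cert.subject:
        return False
    try:
        trusted_ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                            padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    now = datetime.datetime.utcnow()
    return cert.not_valid_before <= now <= cert.not_valid_after


# Names are assumptions for the example; the CA name is not the real NorduGrid CA's.
CA_NAME = grid_name(("O", "Grid"), ("O", "NorduGrid"), ("CN", "NorduGrid Certification Authority"))
USER_NAME = grid_name(("O", "Grid"), ("O", "NorduGrid"), ("OU", "quark.lu.se"), ("CN", "User Name"))


def demo() -> dict:
    ca_key, ca_cert = self_signed_ca(CA_NAME)
    user_key, csr = user_request(USER_NAME)
    cert = ca_issue(ca_key, ca_cert, csr)
    # A second CA that claims the *same name* but whose key the site never installed.
    rogue_key, rogue_cert = self_signed_ca(CA_NAME)
    rogue_issued = ca_issue(rogue_key, rogue_cert, csr)
    return {"subject": slash_dn(cert.subject),
            "genuine_accepted": accepted_by_site(cert, ca_cert),
            "rogue_accepted": accepted_by_site(rogue_issued, ca_cert)}


if __name__ == "__main__":
    print(demo())
```

The "rogue" CA carries the same name as the genuine one and issues a certificate for the same subject and the same public key, yet accepted_by_site refuses it: the decision rests on the site's own copy of the trusted CA's public key, not on the issuer name printed inside the certificate. The check is minimal on purpose; a production gatekeeper must also consult the CA's revocation list (slide 4) and handle GSI proxy chains, neither of which is shown here.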

  5. Authorization: access control to the resources
     • the present model of Globus:
       • if a site wants to give access to a Grid user, it does so by "mapping" the Grid user to a local unix user
       • the Grid user then has all the rights of the mapped local unix user and can do anything that unix user is allowed to do
       • sites should set up these "grid" unix accounts carefully, since the mapping grants everything the local account can do
       • each site maintains its own list of mappings
     • in the future...

  6. Local site policy: the gridmapfile
     • if a Grid user is in the gridmapfile then she has access to the site, provided her certificate is "recognized" (issued by a CA the site trusts)
     • site admins have total control over their gridmapfile
     example:
       "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith" griduser
       "/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas" griduser
       "/O=Grid/O=NorduGrid/OU=lu.se/CN=Joe Welsh" griduser
       "/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson" vip

  7. Virtual Organization
     A well-known scenario from the early stage of every testbed:
     • I am a new user and have just received my certificate; how do I get into the gridmapfiles?
     • users were individually contacting site administrators, asking them to list their subject names in the site's gridmapfile
     Solution:
     • sites sharing their resources (participating in the same testbed) form a Virtual Organization, which
       • should somehow synchronize their gridmapfiles
       • updates the gridmapfiles automatically
       • delegates the user selection process to VO managers

  8. The NorduGrid VO
     • database of the NorduGrid users
       • contains the Subject Names of the users' certificates
     • GSI-enabled secure LDAP server
     • VO managers
     • User Groups
     • Group Managers
     • certificate-based authentication
     • static LDAP ACLs, e.g.:
       access to dn="ou=testbed1,dc=nordugrid,dc=org"
         by dn="^UID=/O=Grid/O=NorduGrid/OU=quark\\.lu\\.se/CN=Oxana Smirnova" write
     • a periodically running script on each site generates the gridmapfile from the database

  9. nordugridmap.conf
     This is the place where site managers establish their local policy:
       ### GRID-MAPFILE
       #gmf /etc/grid-security/grid-mapfile
       ### GRID-MAPFILE-LOCAL
       gmf_local /etc/grid-security/local-grid-mapfile
       ### Datagrid VO Groups and their user mappings
       #group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org alice
       #group ldap://grid-vo.nikhef.nl:389/o=cms,dc=eu-datagrid,dc=org cms
       # The testbed1 group of NorduGrid
       #group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org
       ### deny|allow pattern_to_match
       #deny *infn*
       #allow *dutchgrid*
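The gridmapfile lookup of slides 5 and 6 and the site script of slides 8 and 9 that builds the file from the VO database, together in one added example. This is not NorduGrid's nordugridmap script: the VO membership is a constructed dictionary standing in for the LDAP query, the local mapfile and config text are constructed, and the config semantics (`group <ldap url> <account>`, `deny`/`allow` globs matched against the whole subject name, deny winning over allow, an empty allow list admitting everything not denied) are assumptions modelled on the slide's nordugridmap.conf.

```python
"""Added example, not NorduGrid's nordugridmap script: build a grid-mapfile from
VO group membership plus the site's local policy, then answer the gatekeeper's
question "which local account, if any, does this certificate subject map to?".
The VO data, config and local mapfile below are constructed for the example."""
import fnmatch
import shlex
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

Mapping = List[Tuple[str, str]]   # (subject DN, local account), in file order

# Stand-in for the VO LDAP database (slide 8): group name -> member subject DNs.
VO_GROUPS: Dict[str, List[str]] = {
    "testbed1": [
        "/O=Grid/O=NorduGrid/OU=quark.lu.se/CN=Oxana Smirnova",
        "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith",
        "/O=Grid/O=NorduGrid/OU=infn.it/CN=Mario Rossi",
    ],
    "alice": ["/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas"],
}

# Site policy in the style of nordugridmap.conf. Assumed format: `group <ldap url> <account>`,
# `deny <glob>` / `allow <glob>` matched against the full subject DN.
SITE_CONF = """
group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org griduser
group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org alice
deny *infn*
allow *
"""

# Entries the site admin keeps by hand; they take precedence over VO-derived ones.
LOCAL_MAPFILE = '"/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson" vip\n'


def parse_mapfile(text: str) -> Mapping:
    """Parse grid-mapfile lines:  "<subject DN>" <local account>  (the DN has spaces, so it is quoted)."""
    entries: Mapping = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        entries.append((parts[0], parts[1]))
    return entries


def parse_conf(text: str) -> Dict[str, list]:
    """Read the keywords this example supports; comments and anything else are ignored."""
    conf: Dict[str, list] = {"groups": [], "deny": [], "allow": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "group" and len(parts) == 3:
            conf["groups"].append((parts[1], parts[2]))
        elif parts[0] in ("deny", "allow") and len(parts) == 2:
            conf[parts[0]].append(parts[1])
    return conf


def group_name(ldap_url: str) -> str:
    """First RDN value of the URL's base DN: 'testbed1' from .../ou=testbed1,ou=People,..."""
    base_dn = urlparse(ldap_url).path.lstrip("/")
    return base_dn.split(",", 1)[0].split("=", 1)[1]


def admitted(dn: str, deny: List[str], allow: List[str]) -> bool:
    """Deny patterns win over allow; with no allow patterns, everything not denied is admitted (assumption)."""
    if any(fnmatch.fnmatchcase(dn, pat) for pat in deny):
        return False
    return not allow or any(fnmatch.fnmatchcase(dn, pat) for pat in allow)


def build_gridmap(conf: Dict[str, list], vo_groups: Dict[str, List[str]], local_text: str) -> Mapping:
    """Local entries first, then admitted VO members; the first mapping seen for a DN wins."""
    entries: Mapping = []
    seen = set()
    for dn, account in parse_mapfile(local_text):
        seen.add(dn)
        entries.append((dn, account))
    for url, account in conf["groups"]:
        for dn in vo_groups.get(group_name(url), []):
            if dn not in seen and admitted(dn, conf["deny"], conf["allow"]):
                seen.add(dn)
                entries.append((dn, account))
    return entries


def format_gridmap(entries: Mapping) -> str:
    return "".join(f'"{dn}" {account}\n' for dn, account in entries)


def lookup(entries: Mapping, subject_dn: str) -> Optional[str]:
    """The gatekeeper's decision: an exact subject match yields the account, anything else is refused."""
    return next((account for dn, account in entries if dn == subject_dn), None)


GRIDMAP = build_gridmap(parse_conf(SITE_CONF), VO_GROUPS, LOCAL_MAPFILE)

if __name__ == "__main__":
    print(format_gridmap(GRIDMAP), end="")
```

Two things the example makes visible. The mapping is a plain string comparison, so the subject name the script writes has to be exactly the string the gatekeeper extracts from the certificate; a near miss gets nothing. And the deny pattern is applied by the site after the VO manager has admitted the user, which is what lets each site keep its own policy (slide 6) while delegating user selection to the VO (slide 7).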

  10. More info...
      http://grid-vo.nordugrid.org/NorduGridVO
      http://www.nordugrid.org/services.html
