1 / 10

Authorization Package for TB1

Authorization Package for TB1. Authorization Working Group Third DataGrid Project Conference 3-5 October 2001, Frascati. Structure. Each CA manages an LDAP Directory with the issued certificates. Each VO manages an LDAP Directory which contains its members:

kara
Download Presentation

Authorization Package for TB1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Authorization Package for TB1 Authorization Working GroupThird DataGrid Project Conference3-5 October 2001, Frascati

  2. Structure • Each CA manages an LDAP Directory with the issued certificates. • Each VO manages an LDAP Directory which contains its members: • each user belongs to one or more groups; • each user entry may contain: • a pointer to the certificate on the CA LDAP server; • the “Subject” field of the certificate (to speed up grid-mapfile generation); • a certificate attesting that the user agreed to the usage policy for TB1; • grid-mapfiles are generated from the VO Directories: • starting from the groups (users who don’t belong to a group are ignored); • according to users’ attributes (the certificate Subject, for the moment); • with different outputs, according to local requirements (e.g. McNab patch). October 3-5, Frascati

  3. O=infn,C=it domainorganization organizationpkiCA personorganizationalPersoninetOrgPersonpkiUser personorganizationalPersoninetOrgPersonpkiUser CN=www.fi.infn.it CN=Mario Rossi CN=INFN CA Certification Authority LDAP Directory • Available CA LDAP Directories (30/9/01): • CESNET: tady.ten.cz • INFN: security.fi.infn.it • NICKEF: certificate.nikhef.nl October 3-5, Frascati

  4. OU=people OU=group1 OU=group2 Authorization Certificate CN=Mario Rossi CN=John Smith CN=Franz Elmer LDAP Directory for “XYZ” VO DC=XYZ, DC=Datagrid organizationgroupOfNames organizationgroupOfNames personorganizationalPersoninetOrgPersonpkiUser Authentication Certificate Authentication Certificate Authentication Certificate October 3-5, Frascati

  5. grid-mapfile generation: mkgridmap • perl script, to be run at appropriate intervals (1 day?) • produces a grid-mapfile from the entries in the VO LDAP Directories, according to the rules specified in a configuration file (mkgridmap.conf): • allow and deny directives may contain wildcards and the test is done on the user certificate subject • parsing stops at the first match; • if there is at least an allow, there is an implicit deny * at the end; • directives: • group<VO-group-URL> [<lcluser>]selects the VO Directories. <lcluser>, if specified, is the local username to be inserted in the grid-mapfile for the users belonging to the group • allow<pattern> users allowed in the grid-mapfile • deny<pattern>users banned from the grid-mapfile • default_lcluser<username>the local username in the grid-mapfile (e.g. default_lcluser . for McNab patch) If AUTO, the local username is generated by an external program (subject2user). • gmf_local <filename>local grid-mapfile to be inserted October 3-5, Frascati

  6. grid-mapfile generation: mkgridmap.conf • Sample configuration file#### GROUP: group URL [lcluser] group ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org tb2group ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org groupldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org tb4 #### ACL: deny|allow pattern_to_match deny *L=Parma* allow *O=INFN* allow *CESNET* deny *John*allow *dutchgrid* #### DEFAULT LOCAL USER default_lcluser testbed1 ##### GRID-MAPFILE-LOCALgmf_local /etc/grid-security/grid-mapfile-local October 3-5, Frascati

  7. grid-mapfile generation: subject2user • External program called by mkgridmap when default_lcluser is AUTO. • It is called with the user certificate subject as argument. • It should write to the standard output the local username associated with the user certificate subject. • It allows local sites to customize the output of mkgridmap. October 3-5, Frascati

  8. VO Directory Management • Initial Directory loading: • users: • from CAs LDAP servers; • from certificate files; • members of groups. • Directory update: • single user; • group membership • Consistency check between VO and CA Directories. • Replicas? • ACLs? October 3-5, Frascati

  9. VO Directory Management October 3-5, Frascati

  10. VO Directory Management October 3-5, Frascati

More Related