100 likes | 190 Views
Authorization Package for TB1. Authorization Working Group Third DataGrid Project Conference 3-5 October 2001, Frascati. Structure. Each CA manages an LDAP Directory with the issued certificates. Each VO manages an LDAP Directory which contains its members:
E N D
Authorization Package for TB1 Authorization Working GroupThird DataGrid Project Conference3-5 October 2001, Frascati
Structure • Each CA manages an LDAP Directory with the issued certificates. • Each VO manages an LDAP Directory which contains its members: • each user belongs to one or more groups; • each user entry may contain: • a pointer to the certificate on the CA LDAP server; • the “Subject” field of the certificate (to speed up grid-mapfile generation); • a certificate attesting that the user agreed to the usage policy for TB1; • grid-mapfiles are generated from the VO Directories: • starting from the groups (users who don’t belong to a group are ignored); • according to users’ attributes (the certificate Subject, for the moment); • with different outputs, according to local requirements (e.g. McNab patch). October 3-5, Frascati
O=infn,C=it domainorganization organizationpkiCA personorganizationalPersoninetOrgPersonpkiUser personorganizationalPersoninetOrgPersonpkiUser CN=www.fi.infn.it CN=Mario Rossi CN=INFN CA Certification Authority LDAP Directory • Available CA LDAP Directories (30/9/01): • CESNET: tady.ten.cz • INFN: security.fi.infn.it • NICKEF: certificate.nikhef.nl October 3-5, Frascati
OU=people OU=group1 OU=group2 Authorization Certificate CN=Mario Rossi CN=John Smith CN=Franz Elmer LDAP Directory for “XYZ” VO DC=XYZ, DC=Datagrid organizationgroupOfNames organizationgroupOfNames personorganizationalPersoninetOrgPersonpkiUser Authentication Certificate Authentication Certificate Authentication Certificate October 3-5, Frascati
grid-mapfile generation: mkgridmap • perl script, to be run at appropriate intervals (1 day?) • produces a grid-mapfile from the entries in the VO LDAP Directories, according to the rules specified in a configuration file (mkgridmap.conf): • allow and deny directives may contain wildcards and the test is done on the user certificate subject • parsing stops at the first match; • if there is at least an allow, there is an implicit deny * at the end; • directives: • group<VO-group-URL> [<lcluser>]selects the VO Directories. <lcluser>, if specified, is the local username to be inserted in the grid-mapfile for the users belonging to the group • allow<pattern> users allowed in the grid-mapfile • deny<pattern>users banned from the grid-mapfile • default_lcluser<username>the local username in the grid-mapfile (e.g. default_lcluser . for McNab patch) If AUTO, the local username is generated by an external program (subject2user). • gmf_local <filename>local grid-mapfile to be inserted October 3-5, Frascati
grid-mapfile generation: mkgridmap.conf • Sample configuration file#### GROUP: group URL [lcluser] group ldap://ldap.vo1.org/cn=group1,dc=testbed2,dc=org tb2group ldap://ldap.vo1.org/cn=group3,dc=testbed6,dc=org groupldaps://ldap.vo2.org/cn=group2,dc=testbed4,dc=org tb4 #### ACL: deny|allow pattern_to_match deny *L=Parma* allow *O=INFN* allow *CESNET* deny *John*allow *dutchgrid* #### DEFAULT LOCAL USER default_lcluser testbed1 ##### GRID-MAPFILE-LOCALgmf_local /etc/grid-security/grid-mapfile-local October 3-5, Frascati
grid-mapfile generation: subject2user • External program called by mkgridmap when default_lcluser is AUTO. • It is called with the user certificate subject as argument. • It should write to the standard output the local username associated with the user certificate subject. • It allows local sites to customize the output of mkgridmap. October 3-5, Frascati
VO Directory Management • Initial Directory loading: • users: • from CAs LDAP servers; • from certificate files; • members of groups. • Directory update: • single user; • group membership • Consistency check between VO and CA Directories. • Replicas? • ACLs? October 3-5, Frascati
VO Directory Management October 3-5, Frascati
VO Directory Management October 3-5, Frascati