AuthN and AuthZ in StoRM A short guide

A simple access scenario 1 A Grid User with a valid proxy certificates wants to read a file pointed by SURL. So she performs a srmPrepareToGet (srmPtG) call. StoRM-Tutorial for supporter, IGI, Bologna, Italy

A simple access scenario 2 StoRM verifies if the identified User with the FQANs is authorized to perform srmPtG (read operation) on that SURL. StoRM-Tutorial for supporter, IGI, Bologna, Italy

A simple access scenario 3 StoRM retrieves the local mapping for the grid user. The Mapping configuration is the same used by the Computing Element. StoRM-Tutorial for supporter, IGI, Bologna, Italy

A simple access scenario 4 StoRM set up an ACL entry to the physical file corresponding to the required SURL. This entry could be removed when the pin expires or when the file will be released by the user. StoRM-Tutorial for supporter, IGI, Bologna, Italy

A simple access scenario 5 The Grid User submits a job to the Computing Element close to the SE holding the wished SURL. StoRM-Tutorial for supporter, IGI, Bologna, Italy

A simple access scenario 6 The user job can access to the file directly (file://), because the job is running with the same local credential previously added by StoRM in the ACL. StoRM-Tutorial for supporter, IGI, Bologna, Italy

Security layers A stop can occurs at every level! StoRM-Tutorial for supporter, IGI, Bologna, Italy

Authentication of requestors 1 Authentication of requestors The requestor MUST have a valid proxy certificate It is not expired The proxy certificate MUST to be issued by a trusted CA The CA public certificate must be installed on StoRM FrontEnd hosts The user holds a certificate that hasn’t been revoked The user is not banned! Check the Certificate Revocation Lists (CRLs) Stored in the directory: /etc/grid-security/certificates CRL is a file {CA_hash}.r0  StoRM-Tutorial for supporter, IGI, Bologna, Italy

Trusted Grid CAs for EGI and LCG sites 1 Trusted Grid CAs for EGI and LCG sites The trusted CAs are distributed via RPM available in the YUM repo “EGI-trustanchors.repo”: The meta-package lcg-CA should be installed and updated: # yum clean cache metadata # yum update lcg-CA StoRM-Tutorial for supporter, IGI, Bologna, Italy

Trusted Grid CA installed 1 Trusted Grid CA installed Information about the trusted Certification Authorities are stored in: /etc/grid-security/certificates/ StoRM-Tutorial for supporter, IGI, Bologna, Italy

VOMS awareness: LSC files 1 VOMS awareness: LSC files StoRM is a VOMS-aware service It verifies the trusting VOMS server by checking the correspondence in the certificate subject and what is stored in the LSC (“LiSt of Certificates”) files For each supported VO, for each of its VOMS servers there needs to be an LSC file in the directory: $X509_VOMS_DIR/${VO} by default: /etc/grid-security/vomsdir/${VO} StoRM-Tutorial for supporter, IGI, Bologna, Italy

2 Approachable rules Approachable rules define which users (or which class of users) can approach a certain Storare Area identified by the Virtual FS name in namespace.xml StoRM-Tutorial for supporter, IGI, Bologna, Italy

Approachable rules: Grammar 2 Approachable rules: Grammar StoRM-Tutorial for supporter, IGI, Bologna, Italy

Approachable rules: Grammar 2 Approachable rules: Grammar <dn>*</dn> means that everybody can access the storage Area. It is possible use regular expression on DN fields to define more complex approachable rules. <vo-name>*</vo-name> means that everybody belonging to a VO access the storage Area. users without VOMS extension aren’t recognized as belonging to VOs then they will not be allowed to approach the SA. removing this line imply that the Storage Area is approachable to users without VOMS extensions. StoRM-Tutorial for supporter, IGI, Bologna, Italy

Approachable rules: Examples 2 Approachable rules: Examples <dn>C=IT<dn> means that only Italian users can approach the Storage Area. <vo-name>dteam</vo-name> means that only users belonging to the VO dteam will be allowed to access the Storage Area. This entry can be a list of comma separeted VO-name. StoRM-Tutorial for supporter, IGI, Bologna, Italy

Approachable rules: QUIZ !! 2 Approachable rules: QUIZ !! StoRM-Tutorial for supporter, IGI, Bologna, Italy

Storage Area protection: path-authz.db 2 Storage Area protection: path-authz.db ‘path-authz.db’ is a file containing authorization policies. The policies are defined via ACL (Access Control List), that is an ordered list of ACE (Access Control Entry) Every ACE is expressed as: <user-class, path,permission,ace-type> The evaluation algorithm is the same of NFSv4.1 # cat /etc/storm/backend-server/path-authz.db StoRM-Tutorial for supporter, IGI, Bologna, Italy

3 Grid User mapping The grid user mapping occurs at BE side using the LCMAPS library /etc/storm/backend-server/lcmaps.db The mapping policy is: Map the primary group, based on VOMS credentials, if this is successful, continue trying to allocate a pool account based on VOMS credentials. If any of the steps fails, it tries to map a poolaccount following the normal /etc/grid-security/grid- mapfile. If even that fails tries to map a local account (necessary for *sgm users) StoRM-Tutorial for supporter, IGI, Bologna, Italy

3 Grid User mapping Primary Group: vomslocalgroup The mapping is based on file: /etc/grid-security/groupmapfile StoRM-Tutorial for supporter, IGI, Bologna, Italy