Gridification Gatekeeper LCAS: Local Centre AuthZ Service LCAS

Presentation transcript:

Gridification Gatekeeper

LCAS: Local Centre AuthZ Service
- Policy-based authorization
- Pluggable framework
- Separate daemon

LCMAPS: Local Credential MAPping Service
- Maps credentials and roles to local accounts and capabilities
- Support for AFS and Kerberos tokens
- Library implementation
- Enhances gridmapdir
- Requires a modified Gatekeeper

Improved error & status handling: getting a useful message to the user

Job repository, FLIDS, FABNAT: EDG 2.x or later

[Diagram: Gatekeeper (config, TLS auth) -> LCAS client -> IPC -> LCAS daemon (ACL, timeslot, config) -> gridmap -> LCMAPS lib (apply creds*, role2uid, role2afs) -> Jobmanager-*. * and store in job repository]

Speaker notes:

The "plain" Globus-provided gatekeeper accepts jobs from the outside world, verifies that the user certificate has been signed by a trusted certification authority, and subsequently calls "gss_assist_gridmapfile" to obtain local account information. The grid-mapfile has a two-fold role in this process: it defines the authorized users based on their certificate (proxy) subject name AND it gives the local uid to be used for this user.

LCAS plugins are typically: a banned-user list (so as to quickly dispose of users that abuse the system), CPU budget and quota checks (based on the RMS information), and jobtype/class/role policies as expressed in more complex GridACLs. The LCAS system is implemented as a stand-alone daemon because many of these plugins are complex systems that are difficult to audit for security leaks, and the gatekeeper runs as root.

LCMAPS will obtain any local credentials for the user's current role: a UNIX uid/gid, the required AFS tokens, Kerberos tickets, etc. This system extends the current gridmapdir functionality with support for roles and role-specific mappings. The implementation of LCMAPS is a library, since the process of changing uid/gid and setting credentials requires in-process privileges. The mapping created by LCMAPS is committed in the job repository for later retrieval by, e.g., slashgrid.

The job repository, FLIDS and FABNAT are scheduled for later releases. For the job repository, the current Globus-provided solution is adequate for the time being.

Some acronyms:
TLS – Transport Layer Security (TLSv1 is the successor of SSLv3)
LCAS – Local Centre Authorization Service
LCMAPS – Local Credential MAPping Service
FLIDS – Fabric-Local Identity Service (local quasi-CA)
FABNAT – Fabric Network Address Translation gateway
IPC – Inter-Process Communication
AFS – Andrew File System
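The chain the notes describe (TLS-authenticated proxy subject, LCAS plugin chain, grid-mapfile lookup, LCMAPS role2uid/role2afs mapping, store in the job repository), modelled as an added Python example. This is not the EDG or Globus code: the grid-mapfile lines, DNs, roles, pool accounts, uid/gid values and plugin policies are constructed, the pool-lease dictionary stands in for gridmapdir's hard-link scheme, and the PASSWD table stands in for the system password database. The two checks a practitioner wants are visible: the proxy subject is reduced to the end-entity subject before any lookup, and a plugin that denies or crashes fails closed with a message the gatekeeper can return to the user.

```python
# Toy model of the slide's chain (constructed example, not EDG code): proxy subject -> LCAS plugins -> LCMAPS.
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# ---- constructed sample inputs; all names, DNs and numbers are hypothetical ----
GRIDMAPFILE = '''# "<certificate subject>" <local account>[,<account>...]
# an account starting with "." names a gridmapdir pool (.cms -> cms001, cms002, ...)
"/O=Grid/O=ExampleCA/CN=Alice Example" alice
"/O=Grid/O=ExampleCA/CN=Bob Example" .cms
"/O=Grid/O=ExampleCA/CN=Mallory" mallory
'''
BANNED_USERS = {"/O=Grid/O=ExampleCA/CN=Mallory"}                       # ban-list plugin input
CPU_BUDGET_HOURS = {"/O=Grid/O=ExampleCA/CN=Alice Example": 100,        # budget plugin input (from the RMS)
                    "/O=Grid/O=ExampleCA/CN=Bob Example": 50, "/O=Grid/O=ExampleCA/CN=Carol": 10}
ROLE_JOBCLASS_ACL = {"cms/production": {"batch", "interactive"}, "cms/user": {"batch"}}  # GridACL input
ROLE2UID = {"cms/production": "cmsprod"}          # LCMAPS role-specific account (role2uid)
ROLE2AFS = {"cms/production": "cms.example.org"}  # LCMAPS role -> AFS cell to obtain a token for (role2afs)
POOL_ACCOUNTS = {".cms": ["cms001", "cms002"]}
PASSWD = {"alice": (1001, 100), "cmsprod": (5001, 500), "cms001": (6001, 600), "cms002": (6002, 600)}
JobRequest = namedtuple("JobRequest", "proxy_subject role jobclass cpu_hours")
LocalCredentials = namedtuple("LocalCredentials", "account uid gid afs_cell")
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")

def strip_proxy(subject: str) -> str:
    """End-entity subject of a GSI proxy: legacy proxies append /CN=proxy or /CN=limited proxy,
    RFC 3820 proxies append /CN=<serial>, and a delegated proxy may carry several of these."""
    while True:
        stripped = _PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped

def parse_gridmapfile(text: str) -> Dict[str, List[str]]:
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping

# LCAS plugins, evaluated in order; the ban list runs first so abusers are disposed of cheaply.
LCAS_PLUGINS = [
    ("ban_list", lambda req, s: (s not in BANNED_USERS, "banned user")),
    ("cpu_budget", lambda req, s: (req.cpu_hours <= CPU_BUDGET_HOURS.get(s, 0), "exceeds CPU budget")),
    ("role_acl", lambda req, s: (req.jobclass in ROLE_JOBCLASS_ACL.get(req.role, set()),
                                 "job class not allowed for this role")),
]

def lcas_authorize(req: JobRequest) -> Tuple[bool, str]:
    """Any deny, or any plugin error, fails closed and yields a reason the gatekeeper can show the user."""
    subject = strip_proxy(req.proxy_subject)
    for name, check in LCAS_PLUGINS:
        try:
            ok, reason = check(req, subject)
        except Exception as exc:  # a crashing plugin must never admit a job
            return False, f"{name}: internal error ({exc})"
        if not ok:
            return False, f"{name}: {reason}"
    return True, "authorized"

class LCMAPS:
    """Role-aware mapping to local credentials; pool leases stand in for the gridmapdir hard links."""
    def __init__(self, gridmap: Dict[str, List[str]], pools: Dict[str, List[str]]):
        self.gridmap = gridmap
        self.pool_free = {p: list(a) for p, a in pools.items()}
        self.pool_leases: Dict[Tuple[str, str], str] = {}          # (subject, role) -> leased account
        self.job_repository: Dict[Tuple[str, str], LocalCredentials] = {}

    def map_credentials(self, req: JobRequest) -> LocalCredentials:
        subject = strip_proxy(req.proxy_subject)
        if req.role in ROLE2UID:                      # role-specific mapping beats the static entry
            account = ROLE2UID[req.role]
        elif subject in self.gridmap:
            account = self.gridmap[subject][0]
        else:
            raise PermissionError(f"no grid-mapfile entry for {subject}")
        if account.startswith("."):                   # pool: lease one account, stable per (subject, role)
            key = (subject, req.role)
            if key not in self.pool_leases:
                if not self.pool_free[account]:
                    raise PermissionError(f"pool {account} exhausted")
                self.pool_leases[key] = self.pool_free[account].pop(0)
            account = self.pool_leases[key]
        uid, gid = PASSWD[account]
        creds = LocalCredentials(account, uid, gid, ROLE2AFS.get(req.role))
        self.job_repository[(subject, req.role)] = creds  # "* and store in job repository"
        return creds

def gatekeeper(req: JobRequest, lcmaps: LCMAPS) -> Tuple[Optional[LocalCredentials], str]:
    """Modified gatekeeper: LCAS decides, LCMAPS maps, and the message goes back to the user."""
    ok, reason = lcas_authorize(req)
    if not ok:
        return None, reason
    try:
        return lcmaps.map_credentials(req), "job accepted"
    except PermissionError as exc:
        return None, str(exc)

if __name__ == "__main__":
    lc = LCMAPS(parse_gridmapfile(GRIDMAPFILE), POOL_ACCOUNTS)
    print(gatekeeper(JobRequest("/O=Grid/O=ExampleCA/CN=Alice Example/CN=proxy", "cms/user", "batch", 10), lc))
    print(gatekeeper(JobRequest("/O=Grid/O=ExampleCA/CN=Mallory/CN=proxy", "cms/user", "batch", 1), lc))
```

The ordering matters for the reasons the notes give: the ban list is consulted before the costlier budget and ACL checks, the grid-mapfile is consulted only after LCAS has said yes (so a mapped account is never handed to a banned or over-budget user), and a subject with a budget but no grid-mapfile entry is still refused, which is the "two-fold role" of the grid-mapfile in one place. In the real deployment the plugin chain runs in a separate daemon precisely so that a plugin fault is contained there rather than in the root gatekeeper; the fail-closed branch above is the in-process analogue of that boundary.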