GRID Centralized management of the Globus grid-mapfile
Carlo Rocca, INFN Catania

Grid-mapfile management
In a Grid environment it is fundamental that a group of hosts with a common purpose shares the same access policy. With the Globus Toolkit this is done by editing the grid-mapfile on every Globus host, but keeping many hand-edited copies consistent complicates grid-mapfile management.

Grid-mapfile management
INFN-GRID has implemented a system that simplifies grid-mapfile management, allowing Globus administrators to update their grid-mapfile with consistent information.

Repository
This has been done by implementing a central repository of user information to be used for authentication and authorization in the Globus environment. The Globus installation then uses this information to rebuild the user database (the grid-mapfile) on each Globus host periodically. The server provides only the access policy; the final authentication (verification of the user's certificate chain) is still done by the Globus host.

Repository
Users are identified by the subject of their X.509 user certificate, which the grid-mapfile maps to a local Unix account. The main purpose of this repository is to provide user certificates (and therefore their subjects) and a grouping of users to the Globus hosts.

Repository
The best choice for storing this information is an LDAP server that uses the Globus domain-component based namespace (the GIIS namespace). The server's entries must use standard objectclasses, so that the system integrates easily with existing software.

Objectclasses
The objectclasses that best represent users in this context are:
–person
–organizationalPerson
–inetOrgPerson
–groupOfNames

Objectclasses
Grouping of users is defined with the groupOfNames objectclass. Its multi-valued member attribute holds the list of distinguished names of the users belonging to the group, so a membership is a reference to the user's entry rather than a copy of its data.

This namespace allows for a clean access control list implementation and a directory partitioning based on a geographical model.

Maintaining the repository: CA Manager
–Produces the authentication information (certificates) and publishes it in the repository with a tool (certpublish) that accepts certificates and publishes them to the directory.
–The address contained in the certificate is used to produce the user's DN, as in the following example: becomes DN:

Maintaining the repository: Organizational Unit Managers
–They are responsible for editing the groups of their OU, creating new ones and editing memberships.
–Grouping can be used to produce grid-mapfiles as well as for other administrative purposes.

Maintaining the repository: LDAP Managers
–They have full access to the directory, create the directory layout and assign privileges to the group managers and the CA manager.

Using the repository
The repository information is used by Globus administrators, who can periodically update the grid-mapfile using their preferred policy. A tool for the Globus administrator should be able to:
–Connect to the server and download the selected certificates according to a filtering policy (all, group, domain, etc.)
–Produce grid-mapfile lines.

Security Issues
The group subtree must follow a restrictive security policy:
–Accessible only from Globus hosts
–TLS should be used for maintenance operations (certificate publishing, group editing, any operation where a password is sent over the network) and for queries where possible.
Access control lists that establish the managers' privileges on the DIT must be implemented. Until now no standard LDAP ACL schema exists (standardization is ongoing), so the ACL schema specific to the chosen server software must be used. Note that, since the grid-mapfile is generated from the groups, write access to a group is in effect the power to grant access to every Globus host that builds its grid-mapfile from it, so group write ACLs deserve the same care as the grid-mapfile itself.

Tools
Two tools have been developed:
–certpublish, which allows the CA managers to publish certificates
–certretrieve, which allows Grid administrators to create grid-mapfiles automatically
Group managers can edit groups using many existing LDAP tools.

Tools: certpublish syntax
certpublish
 -in : Encoded certificate to publish
 -host hostname: Name of the server
 -port integer: Port number
 -base DN: Base for searches
 -DN DN: Bind DN
 -help: This help

Tools: certretrieve syntax
certretrieve
 -host hostname: Name of the server
 -port integer: Port number
 -base DN: Base for searches
 -DN DN: Bind DN
 -groupDN groupDN: If present, return only the users in this group
 -lcluser user: Local user to map the certificates to
 -help: This help

Tools
An example of how to retrieve certificate subjects is the following command:
certretrieve -groupDN "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid"
This retrieves the certificate subjects of the users in the gen group of the CMS organizational unit.
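The following is an added example, not the INFN certpublish/certretrieve code, showing what a certretrieve-style tool has to do with the repository data: resolve a groupOfNames through its member DNs (the Objectclasses slide), apply the all/group/domain filtering policy of the "Using the repository" slide, and turn each selected user's certificate subject into a grid-mapfile line of the form "subject" localuser that Globus expects. It works on a constructed LDIF export of the repository rather than a live LDAP connection. Two things are assumptions, not taken from the slides: the user DN form (cn=Full Name under the OU; the slides derive it from the certificate's address by a rule the transcript does not show), and that each user entry carries its certificate subject as text in the description attribute, because decoding the DER certificate in userCertificate;binary would need a library outside the Python standard library.

```python
"""Build grid-mapfile lines from the LDAP repository the slides describe
(inetOrgPerson users, groupOfNames groups). Added example, not the INFN tools."""
import re

# Constructed sample repository as a minimal LDIF export (no base64 values, no
# folded lines, superior classes of inetOrgPerson omitted). ASSUMPTIONS: user DNs
# are cn=Full Name under the OU; the certificate subject is text in description.
SAMPLE_LDIF = """\
dn: cn=Mario Rossi,ou=CMS,dc=infn,dc=it,o=Grid
objectClass: inetOrgPerson
cn: Mario Rossi
description: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Mario Rossi

dn: cn=Anna Bianchi,ou=CMS,dc=infn,dc=it,o=Grid
objectClass: inetOrgPerson
cn: Anna Bianchi
description: /C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Anna Bianchi

dn: cn=Luca Verdi,ou=ATLAS,dc=infn,dc=it,o=Grid
objectClass: inetOrgPerson
cn: Luca Verdi
description: /C=IT/O=INFN/OU=Personal Certificate/L=Milano/CN=Luca Verdi

dn: cn=gen,ou=CMS,dc=infn,dc=it,o=Grid
objectClass: groupOfNames
cn: gen
member: cn=Mario Rossi,ou=CMS,dc=infn,dc=it,o=Grid
member: cn=Anna Bianchi,ou=CMS,dc=infn,dc=it,o=Grid
member: cn=Nobody Here,ou=CMS,dc=infn,dc=it,o=Grid
"""

# OpenSSL one-line subject form the grid-mapfile uses: /C=IT/O=INFN/...
SUBJECT_RE = re.compile(r'^(/[A-Za-z0-9.]+=[^/"\n]*)+$')
LOCAL_USER_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def normalize_dn(dn):
    """Fold case and strip blanks around commas (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse minimal LDIF into {normalized dn: {lower-case attribute: [values]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # a blank line ends the current entry
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {}
            entries[normalize_dn(value)] = current
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current.setdefault(attr, []).append(value)
    return entries


def has_class(entry, objectclass):
    return objectclass.lower() in (c.lower() for c in entry.get("objectclass", []))


def select_users(entries, policy, target=None):
    """certretrieve-style policy: 'all', 'group' (target = groupOfNames DN) or
    'domain' (target = subtree DN). Returns the DNs of the selected users."""
    if policy == "all":
        return [dn for dn, e in entries.items() if has_class(e, "inetOrgPerson")]
    if policy == "group":
        group = entries.get(normalize_dn(target))
        if group is None or not has_class(group, "groupOfNames"):
            raise LookupError(f"{target} is not a groupOfNames in the repository")
        return [normalize_dn(m) for m in group.get("member", [])]
    if policy == "domain":
        suffix = "," + normalize_dn(target)
        return [dn for dn, e in entries.items()
                if has_class(e, "inetOrgPerson") and dn.endswith(suffix)]
    raise ValueError(f"unknown filtering policy {policy!r}")


def gridmap_lines(entries, user_dns, local_user):
    """One grid-mapfile line per user, "subject" local_user, sorted for stable
    output. Returns (lines, skipped): a member DN with no user entry behind it,
    or an entry without exactly one well-formed subject, goes to skipped."""
    if not LOCAL_USER_RE.fullmatch(local_user):
        raise ValueError(f"invalid local account name {local_user!r}")
    lines, skipped = set(), []
    for dn in user_dns:
        entry = entries.get(dn)
        if entry is None or not has_class(entry, "inetOrgPerson"):
            skipped.append((dn, "no user entry"))
            continue
        subjects = entry.get("description", [])
        if len(subjects) != 1 or not SUBJECT_RE.match(subjects[0]):
            skipped.append((dn, "no single well-formed certificate subject"))
            continue
        lines.add(f'"{subjects[0]}" {local_user}')
    return sorted(lines), skipped
```

With the sample above, gridmap_lines(parse_ldif(SAMPLE_LDIF), select_users(..., "group", "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid"), "cms001") returns two mapping lines for the CMS users and reports the stale member DN (cn=Nobody Here) in the skipped list instead of dropping it silently. The sorted output makes repeated runs reproducible, so the generated file can be diffed against the installed grid-mapfile before it is put in place.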