User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki

23/5/ The problem: ● user: ● how can I use the Grid, how do I log in? ● cluster admin: ● who is coming from the Grid, how do I control Grid users?

23/5/ Authentication establishing the identity of a Grid entity: ● Thrusted third-party Public Key Infrastructure ● a user posesses a private key and a certificate ● she has a copy of the public key of the thrusted third-parties ● Grid Security Infrastructure of Globus provides a single sign on Authentication procedure ● certificates: ● subject name /O=Grid/O=NorduGrid/OU=quark.lu.se/CN= User Name ● public key of the subject ● the identity of the thrusted third-party ● the digital signature of the third-party

23/5/ Certificate Authority The Thrusted Third Party Binds identities to key pairs: ● “issues” 'X.509' certificates ● maintains Certification Policy ● revokes compromised certificates ● extends expired certificates A user's first way to the NorduGrid: ● “generate” and “submit” certificate request to the NorduGrid CA

23/5/ Authorization access control to the resources ● the present model of the Globus: ● If a site wants to give access to a Grid user then it is done by “mapping” the Grid user to a local unix user ● the Grid user has all the rights of the mapped local unix user, and can do anything what a unix user is allowed to do ● sites should set these “grid” unix accounts carefully ● each sites maintains its own list of mappings ● in the future...

23/5/ local site policy: gridmapfile ● if a Grid user is in the gridmapfile then she has access to the site provided her certificate is “recognized” ● site admins have the total control over their gridmapfile example: "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith"griduser "/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas"griduser "/O=Grid/O=NorduGrid/OU=lu.se/CN=Joe Welsh"griduser "/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson"vip

23/5/ Virtual Organization a well-known scenario from the early stage of every testbed: ● I am a new user, just received my certificate, how do I get into the gridmapfiles? ● users were individually connecting site administrators asking them to list their subject names in the site's gridmapfile solution: ● sites sharing their resources (participating in the same testbed) form a Virtual Organization: ● should somehow synchronize their gridmapfiles ● automatic updates of gridmapfiles ● delegate the user selection process to VO managers

23/5/ The NorduGrid VO ● database of the NorduGrid users ● contains the Subject Names of the user's certificates ● GSI enabled secure LDAP server ● VO managers ● User Groups ● Group Managers ● certificate-based authentication ● static LDAP ACL's access to dn="ou=testbed1,dc=nordugrid,dc=org" by dn="^UID=/O=Grid/O=NorduGrid/OU=quark\\.lu\\.se/CN=Oxana Smirnova" write ● periodically running script on sites which generates the gridmapfile from the database

23/5/ nordugridmap.conf ● this is the place where site managers establish their local policy ### GRID-MAPFILE #gmf /etc/grid-security/grid-mapfile ### GRID-MAPFILE-LOCAL gmf_local /etc/grid-security/local-grid-mapfile ### Datagrid VO Groups and their user mappings #group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org alice #group ldap://grid-vo.nikhef.nl:389/o=cms,dc=eu-datagrid,dc=org cms # The testbed1 group of NorduGrid #group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org ### deny|allow pattern_to_match #deny *infn* #allow *dutchgrid*

23/5/ more info