GRID Centralized Management of the Globus grid-mapfile Carlo Rocca, INFN Catania.

Introduction
Each experiment has many machines that are used for different tasks: analysis, simulations, etc. There are groups of people working on each task, and the jobs sent by each group must run only on the machines selected for it.

Globus uses the grid-mapfile to grant users access to a machine. For each user there is an entry in the file with the X.509 user certificate subject and the local Unix account it is mapped to. Managing this file for hundreds of users from different groups is cumbersome.

Outline
– User/group LDAP repository
– Globus grid-mapfile management

Repository
INFN implemented an LDAP repository to store information about
– users (identified by their X.509 certificate subject)
– grouping of users
The repository can be used to download selected certificates by choosing a filtering policy (all, group, domain, etc.). The information uses standard objectclasses to allow easier integration of the system with existing software.

Objectclasses
The objectclasses that best represent users in this context are:
– person
– organizationalPerson
– inetOrgPerson
– groupOfNames

Objectclasses
Grouping of users can be defined using the groupOfNames objectclass. Its "member" attribute is multi-valued and holds the list of distinguished names of the users belonging to the group.

This namespace allows for a clean access control list implementation and a directory partitioning based on a geographical model.

Maintaining the repository
LDAP Managers
– They have full access to the directory, create the directory layout and assign privileges to group managers and the CA manager

Maintaining the repository
CA Manager
– Produces authentication information (certificates) and publishes it in the repository with a tool (certpublish)
– The address contained in the certificate is used to produce the DN, as in the following example: becomes DN:

Certpublish
certpublish syntax:
certpublish
  -in : DER-encoded certificate to publish
  -host hostname: Name of the server
  -port integer: Port number
  -base DN: Base for searches
  -DN DN: Bind DN
  -help: This help

Maintaining the repository
Organizational Unit ("Group") Managers
– They are responsible for editing OU groups, creating new ones and editing memberships. Many existing LDAP tools are available for this purpose
– Grouping can be used to produce grid-mapfiles as well as for other administrative purposes (see later)

Security Issues
The group subtree must follow a restrictive security policy:
– Accessible only from Globus hosts
– TLS should be used for maintenance operations (certificate publishing, group editing, any operation where passwords are sent over the network) and for queries where possible
Access control lists to establish the managers' privileges on the DIT must be implemented. So far no standard ACL schema exists (standardization is ongoing), so the software-specific ACL schema of the chosen server must be used.

Grid-mapfile management
In a Grid environment it is fundamental that a group of hosts with common purposes shares the same access policy
– Management of grid-mapfiles in the Globus model
Two basic strategies:
– The same common ("group") UID assigned to many different Grid users
  Simpler management
  Impossible to distinguish between different Grid users (e.g. files created by different Grid users are all owned by the same UID)
– A different local UID (possibly generated on the fly) assigned to every Grid user
  Much harder to automate
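The two slides above describe the grid-mapfile entry format (a quoted certificate subject followed by the local account) and the trade-off of mapping many subjects to one shared account. The following added example, which is not code from the original slides or from INFN, parses such a file, resolves a subject to its account, and reports which accounts are shared by several subjects. The file content, subjects and account names are constructed for illustration.

```python
"""Parse a Globus-style grid-mapfile and resolve certificate subjects to local accounts.

Added example; not part of the original presentation or of Globus itself.
All subjects and account names below are constructed sample data.
"""
import shlex

# Constructed sample grid-mapfile. Globus format: one entry per line, the
# quoted X.509 subject followed by one or more local accounts separated by
# commas; '#' starts a comment line.
SAMPLE_GRIDMAP = '''\
# constructed sample grid-mapfile
"/C=IT/O=INFN/OU=Personal Certificate/L=Catania/CN=Alice Example" alice
"/C=IT/O=INFN/OU=Personal Certificate/L=Bologna/CN=Bob Example" cmsmuon
"/C=IT/O=INFN/OU=Personal Certificate/L=Padova/CN=Carol Example" cmsmuon,carol
'''


def parse_gridmap(text):
    """Return ({subject: [accounts]}, [(lineno, problem)]).

    Malformed lines are reported instead of being silently accepted, because a
    mis-parsed entry could map a user to the wrong account.
    """
    mapping, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # shlex handles the quoted subject
        except ValueError as exc:  # e.g. unterminated quote
            errors.append((lineno, str(exc)))
            continue
        if len(parts) != 2 or not parts[0].startswith("/"):
            errors.append((lineno, "expected '\"<subject>\" account[,account...]'"))
            continue
        subject, accounts = parts
        mapping[subject] = [a for a in accounts.split(",") if a]
    return mapping, errors


def local_account(mapping, subject):
    """First local account for subject, or None when the subject is not mapped
    (an unmapped subject is refused access by Globus)."""
    accounts = mapping.get(subject)
    return accounts[0] if accounts else None


def shared_accounts(mapping):
    """Accounts that several subjects map to: the 'group UID' strategy, where
    files created on the host can no longer be attributed to a single user."""
    owners = {}
    for subject, accounts in mapping.items():
        for acct in accounts:
            owners.setdefault(acct, []).append(subject)
    return {acct: subs for acct, subs in owners.items() if len(subs) > 1}


if __name__ == "__main__":
    mapping, errors = parse_gridmap(SAMPLE_GRIDMAP)
    for lineno, problem in errors:
        print(f"line {lineno}: {problem}")
    for acct, subs in shared_accounts(mapping).items():
        print(f"{acct} is shared by {len(subs)} subjects")
```

Running the block on the sample reports that cmsmuon is shared by two subjects, which is exactly the accountability loss the shared-UID strategy accepts in exchange for simpler management.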

Grid-mapfile management
Globus doesn't provide tools for centralized management of grid-mapfiles. INFN-GRID has implemented a system, based on this user/group repository, that simplifies grid-mapfile management and allows Globus administrators to update their grid-mapfile with consistent information.
– A tool (certretrieve) connects to the repository and updates the grid-mapfile periodically (e.g. from a cron job), using the preferred policy (all users, users of a specific group/domain, ...)

Certretrieve
certretrieve syntax:
certretrieve
  -host hostname: Name of the server
  -port integer: Port number
  -base DN: Base for searches
  -DN DN: Bind DN
  -groupDN groupDN: Returns only users in the group
  -lcluser user: Local user to map certificates to
  -CAfile filename: Checks certificate validity
  -CRL filename: Checks the CRL
  -help: This help

Example
Certificate subjects can be retrieved, for example, with the following command:
certretrieve -groupDN "cn=muon,ou=CMS,dc=infn,dc=it,o=Grid" \
  -lcluser cmsmuon
This retrieves the certificate subjects of the users in the CMS muon subgroup and maps all of them to the cmsmuon local account.
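The certretrieve slides above describe resolving a groupOfNames entry to its member users and emitting one grid-mapfile line per user, all mapped to the -lcluser account. The following added example, which is not the INFN certretrieve tool, reproduces that resolution over an in-memory LDIF text (constructed sample data) instead of a live LDAP server. It assumes the certificate subject of each user is stored in an attribute named certificateSubject (a hypothetical name; the slides do not say which attribute holds it), and it does not model the -CAfile/-CRL validity checks. The group DN is the one from the slide's command.

```python
"""Generate grid-mapfile entries from an LDAP user/group repository.

Added example; not INFN's certretrieve. The directory is modelled as LDIF text
held in memory (constructed sample entries). 'certificateSubject' is a
hypothetical attribute name chosen for this example.
"""

# Constructed sample repository: two inetOrgPerson users and one groupOfNames
# group. The third member deliberately points at a non-existent entry to show
# how a dangling membership is handled.
SAMPLE_LDIF = """\
dn: cn=Alice Example,ou=Catania,dc=infn,dc=it,o=Grid
objectClass: inetOrgPerson
cn: Alice Example
certificateSubject: /C=IT/O=INFN/L=Catania/CN=Alice Example

dn: cn=Bob Example,ou=Bologna,dc=infn,dc=it,o=Grid
objectClass: inetOrgPerson
cn: Bob Example
certificateSubject: /C=IT/O=INFN/L=Bologna/CN=Bob Example

dn: cn=muon,ou=CMS,dc=infn,dc=it,o=Grid
objectClass: groupOfNames
cn: muon
member: cn=Alice Example,ou=Catania,dc=infn,dc=it,o=Grid
member: cn=Bob Example,ou=Bologna,dc=infn,dc=it,o=Grid
member: cn=Ghost,ou=Nowhere,dc=infn,dc=it,o=Grid
"""

MUON_GROUP = "cn=muon,ou=CMS,dc=infn,dc=it,o=Grid"


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attribute: [values]}}.

    Handles only the plain 'attr: value' form (no base64 values, no folded
    lines), which is all the constructed sample uses.
    """
    entries, current = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def members_of(entries, group_dn):
    """Split a group's member DNs into those that resolve to an entry and those
    that dangle (entry deleted but membership not cleaned up)."""
    group = entries.get(group_dn)
    if group is None or "groupOfNames" not in group.get("objectClass", []):
        raise KeyError(f"{group_dn} is not a groupOfNames entry")
    found, missing = [], []
    for dn in group.get("member", []):
        (found if dn in entries else missing).append(dn)
    return found, missing


def gridmap_entries(entries, group_dn, lcluser):
    """grid-mapfile lines mapping every resolvable member of group_dn to
    lcluser, plus the list of dangling member DNs for the operator to review."""
    found, missing = members_of(entries, group_dn)
    lines = [
        f'"{subject}" {lcluser}'
        for dn in found
        for subject in entries[dn].get("certificateSubject", [])
    ]
    return lines, missing


if __name__ == "__main__":
    lines, missing = gridmap_entries(parse_ldif(SAMPLE_LDIF), MUON_GROUP, "cmsmuon")
    print("\n".join(lines))
    for dn in missing:
        print(f"# warning: member {dn} has no entry in the repository")
```

A dangling member is reported rather than silently dropped: when the resulting file is installed as the host's grid-mapfile, the operator should know that group membership and user entries have drifted apart before the next cron-driven update repeats the omission.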