Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gridification Gatekeeper LCAS: Local Centre AuthZ Service LCAS

Published byNathaniel Bradley Modified over 6 years ago

Similar presentations

Presentation on theme: "Gridification Gatekeeper LCAS: Local Centre AuthZ Service LCAS"— Presentation transcript:

1 Gridification Gatekeeper LCAS: Local Centre AuthZ Service LCAS
Policy-based authorization Plug-able framework Separate daemon LCMAPS: Local Credential MAPping Service Maps credentials and roles to local accounts and capabilities Support for AFS, Kerberos tokens Library implementation Enhances gridmapdir Requires modified Gatekeeper Improved error&status handling Getting a useful message to the user Job repository, FLIDS, FABNAT > EDG 2.x Gatekeeper LCAS config TLS auth ACL IPC timeslot LCAS client gridmap LCMAPS lib LCMAPS apply creds * config The “plain” Globus-provided gatekeeper accepts jobs from the outside world, verifies that the user certificate has been signed by a trusted certification authority, and subsequently calls “gss_assist_gridmapfile” to obtain local account information. The grid-mapfile has a two-fold role in this process: it defines the authorized users based on their certificate (proxy) subject name AND it gives the local uid to be used for this user. LCAS plugins are typically: a banned-user list (so as to quickly dispose of users that abuse the system), CPU budget and quota checks (based on the RMS information), and jobtype/class/role policies as expressed in more complex GridACLs. The LCAS system in implemented as a stand-alone daemon because many of these plugins are complex systems that are difficult to audit for secdurity leaks (the gatekeeper runs as root) LCMAPS will obtain any local credentials for the user’s current role: a UNIX uid/gid, requires AFS tokens, Kerberos tickets, etc. This system extends the current gridmapdir functionality with supprot for roles and role-specific mappings. The implementation of LCMAPS is a library, since the process of changing uid/gid and setting credentials requires in-process privileges. The mapping creaded by LCMAPS is commited in the job repository for later retrieval by, e.g., slashgrid. The job repository, FLIDS and FABNAT are scheduled for later releases. For the job repository, the current Globus-provided solution is adequate for the time being. Some acronyms: TLS – Transport Level Security (TLSv1 is equal to SSL v3) LCAS – Local Centre Authorization Service LCMAPS – Local Credential MAPping Service FLIDS – Fabric-Local Identity Service (local quasi-CA) FABNAT – Fabric Network Address Translation gateway IPC – Inter-Process Communication AFS – Andrew File System role2uid Jobmanager-* role2afs * And store in job repository

Download ppt "Gridification Gatekeeper LCAS: Local Centre AuthZ Service LCAS"

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Gridification Task Development Plan for Release 1.1 – 2.0 For Gridification: David Groep

Gridification Task Development Plan for Release 1.1 – 2.0 For Gridification: David Groep
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4 for Gridification Task: David Groep

WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4 for Gridification Task: David Groep
PDC Enabling Science Grid Security Research Olle Mulmo.

PDC Enabling Science Grid Security Research Olle Mulmo.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
WP4 Gridification Subsystem overlap & existing systems for Gridification Task: David Groep

WP4 Gridification Subsystem overlap & existing systems for Gridification Task: David Groep
2001.04.02 / David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.

/ David GroepSummary of Security Workshop - DataGRID WP4 workshop1 DataGrid Security WS Summary Targets: Identify requirements from WP's Define.
WP4 Security Update For WP4: David Groep

WP4 Security Update For WP4: David Groep
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
WP4 Gridification Security Components in the Fabric overview of the WP4 architecture as of D4.2 for Gridification Task: David Groep

WP4 Gridification Security Components in the Fabric overview of the WP4 architecture as of D4.2 for Gridification Task: David Groep

Similar presentations

Ads by Google