1
Centralized management of the Globus grid-mapfile
Carlo Rocca, INFN Catania
2
Grid-mapfile management
In a Grid environment it is fundamental that a group of hosts with a common purpose shares the same access policy. With the Globus Toolkit this can be achieved by editing the grid-mapfile on every Globus host, but doing so by hand on each host makes the grid-mapfile hard to keep consistent.
3
Grid-mapfile management
INFN-GRID has implemented a system that simplifies grid-mapfile management, allowing Globus administrators to update their grid-mapfiles from one consistent source of information.
4
Repository
This has been done by implementing a central repository of user information to be used for authentication and authorization in the Globus environment. Each Globus installation uses this information to rebuild its user database (the grid-mapfile) periodically. The server provides only the access policy; the final authentication of the user is still done by the Globus host.
5
Repository
Users are identified by the subject of their X.509 user certificate, which the grid-mapfile maps to a local Unix account. The main purpose of this repository is to provide the user certificates (subjects) and the grouping of users to the Globus hosts.
6
Repository
The best choice for a repository of this information is an LDAP server that uses the Globus domain-component-based namespace (the GIIS namespace). The information on the server must use standard object classes to permit easier integration of the system with existing software.
7
Objectclasses
The object classes that best represent users and their groups in this context are:
– person
– organizationalPerson
– inetOrgPerson
– groupOfNames
8
Objectclasses
Grouping of users is defined with the groupOfNames object class. Its multi-valued "member" attribute holds the list of distinguished names of the users belonging to the group.
9
This namespace allows a clean access control list implementation and a partitioning of the directory based on a geographical model.
10
Maintaining the repository
CA Manager
– Produces the authentication information (certificates) and publishes it in the repository with a tool (certpublish) that accepts certificates and writes them to the directory.
– The e-mail address contained in the certificate is used to produce the DN, as in the following example: Carlo.Rocca@ct.infn.it becomes
dn: mail=Carlo.Rocca@ct.infn.it,ou=people,dc=ct,dc=infn,dc=it,o=Grid
11
Maintaining the repository
Organizational Unit Managers
– They are responsible for editing the groups of their OU: creating new groups and editing memberships.
– Grouping can be used to produce grid-mapfiles as well as for other administrative purposes.
12
Maintaining the repository
LDAP Managers
– They have full access to the directory: they create the directory layout and assign privileges to the group managers and the CA manager.
13
Using the repository
The repository information is used by Globus administrators, who periodically update the grid-mapfile according to their preferred policy. A tool for the Globus administrator should be able to:
– connect to the server and download the selected certificates according to a filtering policy (all, group, domain, etc.);
– produce grid-mapfile lines.
14
Security Issues
The group subtree must follow a restrictive security policy:
– accessible only from Globus hosts;
– TLS should be used for maintenance operations (certificate publishing, group editing, and any operation where passwords are sent over the network) and, where possible, for queries too, since the query results become the grid-mapfile that decides who may log in.
Access control lists establishing the managers' privileges on the DIT must be implemented. No standard ACL schema exists yet (standardization is ongoing), so the ACL schema specific to the LDAP server software must be used.
15
Tools
Two tools have been developed:
– certpublish, which allows the CA managers to publish certificates;
– certretrieve, which allows Grid administrators to create grid-mapfiles automatically.
Group managers can edit groups with many existing LDAP tools.
16
Tools
Certpublish syntax
certpublish
  -in            Encoded certificate to publish
  -host hostname Name of the server
  -port integer  Port number
  -base DN       Base for searches
  -DN DN         Bind DN
  -help          This help
17
Tools
Certretrieve syntax
certretrieve
  -host hostname    Name of the server
  -port integer     Port number
  -base DN          Base for searches
  -DN DN            Bind DN
  -groupDN groupDN  If present, return only the users in this group
  -lcluser user     Local user to map the certificates to
  -help             This help
18
Tools
An example of how to retrieve certificate subjects is the following command:
certretrieve -groupDN "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid"
This retrieves the certificate subjects of the users in the gen group of the CMS organizational unit (the server options -host, -port, -base and -DN are not shown in this example).
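The DN derivation on slide 10, the filtering policies on slide 13, the -lcluser mapping on slide 17 and the certretrieve invocation above, worked through as an added Python example. This is not the INFN certpublish/certretrieve code, which the page does not reproduce: it assumes a repository snapshot held in Python dictionaries with the certificate subject stored directly (a real entry would carry the certificate itself and the tool would extract the subject from it), constructed people, e-mail addresses and subjects, and the OpenSSL one-line subject form; the group DN is the one used in the slide. The last two functions show what the Globus host then does with the generated file.

```python
"""Grid-mapfile generation from a central LDAP-style repository.

Added example, not the INFN certpublish/certretrieve code. The repository
snapshot is constructed: a real entry would carry the certificate in
userCertificate;binary and the tool would extract the subject from it.
"""
import re

GRID_BASE = "o=Grid"  # root of the Globus domain-component (GIIS) namespace


def mail_to_dn(email, base=GRID_BASE):
    """Derive the person DN from the e-mail address in the certificate,
    as certpublish does: the address becomes the 'mail' RDN under
    ou=people and the domain labels become dc= components."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    dcs = ",".join(f"dc={label}" for label in domain.split("."))
    return f"mail={email},ou=people,{dcs},{base}"


# Constructed repository snapshot (hypothetical people and subjects).
PEOPLE = {  # person DN -> certificate subject
    mail_to_dn("alice@ct.infn.it"): "/O=Grid/OU=example.org/CN=Alice Example",
    mail_to_dn("bob@ct.infn.it"): "/O=Grid/OU=example.org/CN=Bob Example",
    mail_to_dn("carol@pd.infn.it"): "/O=Grid/OU=example.org/CN=Carol Example",
}
GROUPS = {  # group DN -> values of the groupOfNames 'member' attribute
    "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid": [
        mail_to_dn("alice@ct.infn.it"),
        mail_to_dn("carol@pd.infn.it"),
        mail_to_dn("gone@ct.infn.it"),  # stale member with no person entry
    ],
}


def select_subjects(group_dn=None, domain=None):
    """Filtering policies from the page: all users, members of a group,
    or users under a domain subtree; the two filters can be combined.
    Stale member DNs with no person entry are skipped, not mapped."""
    if group_dn is None:
        dns = list(PEOPLE)
    else:
        if group_dn not in GROUPS:
            raise KeyError(f"unknown group: {group_dn}")
        dns = [dn for dn in GROUPS[group_dn] if dn in PEOPLE]
    if domain is not None:
        dcs = ",".join(f"dc={label}" for label in domain.split("."))
        suffix = f",{dcs},{GRID_BASE}"
        dns = [dn for dn in dns if dn.endswith(suffix)]
    return [PEOPLE[dn] for dn in dns]


def gridmap_lines(subjects, local_user):
    """One grid-mapfile line per subject: the quoted subject, whitespace,
    then the local account (the -lcluser value). A subject containing a
    double quote or newline cannot be written safely and is rejected."""
    lines = []
    for subject in subjects:
        if '"' in subject or "\n" in subject:
            raise ValueError(f"unrepresentable subject: {subject!r}")
        lines.append(f'"{subject}" {local_user}')
    return lines


_ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """What the Globus host does with the file: parse it into
    {subject: [accounts]}; the first account is the default mapping.
    Blank lines and '#' comments are ignored; anything else is an error."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed grid-mapfile entry")
        subject, accounts = m.group(1), m.group(2).split(",")
        mapping.setdefault(subject, []).extend(a for a in accounts if a)
    return mapping


def local_account(mapping, subject):
    """Authorization on the host after GSI has authenticated the subject:
    the default account, or None (access denied) if there is no entry."""
    accounts = mapping.get(subject)
    return accounts[0] if accounts else None


if __name__ == "__main__":
    group = "cn=gen,ou=CMS,dc=infn,dc=it,o=Grid"  # group DN from the slide
    print("\n".join(gridmap_lines(select_subjects(group_dn=group), "cms001")))
```

Run as a script it prints the two grid-mapfile lines for the gen group, both mapped to the constructed local account cms001; the stale member DN is dropped rather than silently producing an entry for a user the repository no longer knows.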