User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki.


Slide 1: User Management: Authentication & Authorization on the NorduGrid
Balázs Kónya, Anders Wäänänen
3rd NorduGrid Workshop, 23 May 2002, Helsinki

Slide 2 (23/5/2002, balazs.konya@quark.lu.se): The problem
● user:
  ● how can I use the Grid, how do I log in?
● cluster admin:
  ● who is coming from the Grid, how do I control Grid users?

Slide 3: Authentication
establishing the identity of a Grid entity:
● trusted third-party Public Key Infrastructure
  ● a user possesses a private key and a certificate
  ● she has a copy of the public keys of the trusted third parties
● the Grid Security Infrastructure (GSI) of Globus provides a single sign-on authentication procedure
● certificates contain:
  ● the subject name, e.g. /O=Grid/O=NorduGrid/OU=quark.lu.se/CN=User Name
  ● the public key of the subject
  ● the identity of the trusted third party
  ● the digital signature of the third party

Slide 4: Certificate Authority
The Trusted Third Party binds identities to key pairs:
● “issues” X.509 certificates
● maintains the Certification Policy
● revokes compromised certificates
● extends expired certificates
A user's first way to the NorduGrid:
● “generate” and “submit” a certificate request to the NorduGrid CA

Slide 5: Authorization
access control to the resources
● the present model of Globus:
  ● if a site wants to give access to a Grid user, it does so by “mapping” the Grid user to a local unix user
  ● the Grid user has all the rights of the mapped local unix user and can do anything that unix user is allowed to do
  ● sites should set up these “grid” unix accounts carefully
  ● each site maintains its own list of mappings
● in the future...

Slide 6: local site policy: gridmapfile
● if a Grid user is in the gridmapfile then she has access to the site, provided her certificate is “recognized”
● site admins have total control over their gridmapfile
example:
    "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith" griduser
    "/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas" griduser
    "/O=Grid/O=NorduGrid/OU=lu.se/CN=Joe Welsh" griduser
    "/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson" vip

Slide 7: Virtual Organization
a well-known scenario from the early stage of every testbed:
● I am a new user, I have just received my certificate, how do I get into the gridmapfiles?
● users were individually contacting site administrators, asking them to list their subject names in the site's gridmapfile
solution:
● sites sharing their resources (participating in the same testbed) form a Virtual Organization:
  ● they should somehow synchronize their gridmapfiles
  ● automatic updates of gridmapfiles
  ● delegate the user selection process to VO managers

Slide 8: The NorduGrid VO
● database of the NorduGrid users
  ● contains the Subject Names of the users' certificates
● GSI-enabled secure LDAP server
● VO managers
● User Groups
● Group Managers
● certificate-based authentication
● static LDAP ACLs, e.g.:
    access to dn="ou=testbed1,dc=nordugrid,dc=org"
        by dn="^UID=/O=Grid/O=NorduGrid/OU=quark\\.lu\\.se/CN=Oxana Smirnova" write
● a periodically running script on the sites generates the gridmapfile from the database

Slide 9: nordugridmap.conf
● this is the place where site managers establish their local policy

    ### GRID-MAPFILE
    #gmf /etc/grid-security/grid-mapfile
    ### GRID-MAPFILE-LOCAL
    gmf_local /etc/grid-security/local-grid-mapfile
    ### Datagrid VO Groups and their user mappings
    #group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org alice
    #group ldap://grid-vo.nikhef.nl:389/o=cms,dc=eu-datagrid,dc=org cms
    # The testbed1 group of NorduGrid
    #group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org
    ### deny|allow pattern_to_match
    #deny *infn*
    #allow *dutchgrid*
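Slides 8 and 9 together describe the site-side step: a script reads the VO group members and the site's nordugridmap.conf policy and writes the gridmapfile. The following is an added illustration of that merge, not the real nordugridmap script: the LDAP query is replaced by a constructed member list, the config, DNs and local gridmapfile are constructed, and the deny/allow semantics (deny wins, then at least one allow pattern must match, case-insensitively) are an assumption about the tool.

```python
import fnmatch

# Constructed nordugridmap.conf-style policy, modelled on the slide (not the real file).
CONF = """
group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org griduser
deny *infn*
allow /O=Grid/O=NorduGrid/*
"""
# Constructed stand-in for the GSI-LDAP query: group URL -> member subject names.
VO_MEMBERS = {
    "ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org": [
        "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith",
        "/O=Grid/O=NorduGrid/OU=lu.se/CN=Joe Welsh",
        "/C=IT/O=INFN/CN=Mario Rossi",        # hits the deny pattern
        "/O=Grid/O=Elsewhere/CN=Jane Doe",    # matches no allow pattern
    ],
}
# Constructed local grid-mapfile (the site's own hand-maintained entries).
LOCAL_GMF = '"/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson" vip\n'

def parse_conf(text):
    cfg = {"groups": [], "deny": [], "allow": []}   # gmf/gmf_local paths are ignored here
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "group":                           # "group <ldap url> [local user]"
            url, _, user = rest.partition(" ")
            cfg["groups"].append((url, user.strip() or "griduser"))
        elif key in ("deny", "allow"):
            cfg[key].append(rest.strip())
    return cfg

def permitted(dn, cfg):
    # Assumed semantics: any deny pattern excludes the DN; if allow patterns exist,
    # the DN must match one. Shell-style globs, compared case-insensitively.
    if any(fnmatch.fnmatchcase(dn.lower(), p.lower()) for p in cfg["deny"]):
        return False
    return not cfg["allow"] or any(fnmatch.fnmatchcase(dn.lower(), p.lower()) for p in cfg["allow"])

def build_gridmap(conf_text, vo_members, local_gmf):
    cfg, entries = parse_conf(conf_text), {}      # dict keeps order; setdefault: first mapping wins
    for line in local_gmf.splitlines():           # local entries first: site policy beats the VO
        if line.strip() and not line.startswith("#"):
            dn, _, user = line.strip().rpartition(" ")   # DNs contain spaces, hence the quotes
            entries.setdefault(dn.strip('"'), user)
    for url, user in cfg["groups"]:
        for dn in vo_members.get(url, []):
            if permitted(dn, cfg):
                entries.setdefault(dn, user)
    return "".join(f'"{dn}" {user}\n' for dn, user in entries.items())   # grid-mapfile text
```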

Slide 10: more info...
http://grid-vo.nordugrid.org/NorduGridVO
http://www.nordugrid.org/services.html

