Download presentation
Presentation is loading. Please wait.
Published byBrooke Lamb Modified over 9 years ago
1
User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki
2
23/5/2002 1 balazs.konya@quark.lu.se The problem: ● user: ● how can I use the Grid, how do I log in? ● cluster admin: ● who is coming from the Grid, how do I control Grid users?
3
23/5/2002 1 balazs.konya@quark.lu.se Authentication establishing the identity of a Grid entity: ● Thrusted third-party Public Key Infrastructure ● a user posesses a private key and a certificate ● she has a copy of the public key of the thrusted third-parties ● Grid Security Infrastructure of Globus provides a single sign on Authentication procedure ● certificates: ● subject name /O=Grid/O=NorduGrid/OU=quark.lu.se/CN= User Name ● public key of the subject ● the identity of the thrusted third-party ● the digital signature of the third-party
4
23/5/2002 1 balazs.konya@quark.lu.se Certificate Authority The Thrusted Third Party Binds identities to key pairs: ● “issues” 'X.509' certificates ● maintains Certification Policy ● revokes compromised certificates ● extends expired certificates A user's first way to the NorduGrid: ● “generate” and “submit” certificate request to the NorduGrid CA
5
23/5/2002 1 balazs.konya@quark.lu.se Authorization access control to the resources ● the present model of the Globus: ● If a site wants to give access to a Grid user then it is done by “mapping” the Grid user to a local unix user ● the Grid user has all the rights of the mapped local unix user, and can do anything what a unix user is allowed to do ● sites should set these “grid” unix accounts carefully ● each sites maintains its own list of mappings ● in the future...
6
23/5/2002 1 balazs.konya@quark.lu.se local site policy: gridmapfile ● if a Grid user is in the gridmapfile then she has access to the site provided her certificate is “recognized” ● site admins have the total control over their gridmapfile example: "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith"griduser "/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas"griduser "/O=Grid/O=NorduGrid/OU=lu.se/CN=Joe Welsh"griduser "/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson"vip
7
23/5/2002 1 balazs.konya@quark.lu.se Virtual Organization a well-known scenario from the early stage of every testbed: ● I am a new user, just received my certificate, how do I get into the gridmapfiles? ● users were individually connecting site administrators asking them to list their subject names in the site's gridmapfile solution: ● sites sharing their resources (participating in the same testbed) form a Virtual Organization: ● should somehow synchronize their gridmapfiles ● automatic updates of gridmapfiles ● delegate the user selection process to VO managers
8
23/5/2002 1 balazs.konya@quark.lu.se The NorduGrid VO ● database of the NorduGrid users ● contains the Subject Names of the user's certificates ● GSI enabled secure LDAP server ● VO managers ● User Groups ● Group Managers ● certificate-based authentication ● static LDAP ACL's access to dn="ou=testbed1,dc=nordugrid,dc=org" by dn="^UID=/O=Grid/O=NorduGrid/OU=quark\\.lu\\.se/CN=Oxana Smirnova" write ● periodically running script on sites which generates the gridmapfile from the database
9
23/5/2002 1 balazs.konya@quark.lu.se nordugridmap.conf ● this is the place where site managers establish their local policy ### GRID-MAPFILE #gmf /etc/grid-security/grid-mapfile ### GRID-MAPFILE-LOCAL gmf_local /etc/grid-security/local-grid-mapfile ### Datagrid VO Groups and their user mappings #group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org alice #group ldap://grid-vo.nikhef.nl:389/o=cms,dc=eu-datagrid,dc=org cms # The testbed1 group of NorduGrid #group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org ### deny|allow pattern_to_match #deny *infn* #allow *dutchgrid*
10
23/5/2002 1 balazs.konya@quark.lu.se more info... http://grid-vo.nordugrid.org/NorduGridVO http://www.nordugrid.org/services.html
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.