- Number of slides: 10
User Management: Authentication & Authorization on the NorduGrid
Balázs Kónya, Anders Wäänänen
3rd NorduGrid Workshop, 23 May 2002, Helsinki
The problem:
● user: how can I use the Grid, how do I log in?
● cluster admin: who is coming from the Grid, how do I control Grid users?
23/5/2002 balazs.konya@quark.lu.se
Authentication: establishing the identity of a Grid entity
● Trusted third-party Public Key Infrastructure
  ● a user possesses a private key and a certificate
  ● she has a copy of the public key of the trusted third parties
● the Grid Security Infrastructure (GSI) of Globus provides a single sign-on authentication procedure
● certificates contain:
  ● the subject name, e.g. /O=Grid/O=NorduGrid/OU=quark.lu.se/CN=User Name
  ● the public key of the subject
  ● the identity of the trusted third party
  ● the digital signature of the third party
Certificate Authority: the Trusted Third Party
Binds identities to key pairs:
● "issues" X.509 certificates
● maintains the Certification Policy
● revokes compromised certificates
● extends expired certificates
A user's first way to the NorduGrid:
● "generate" and "submit" a certificate request to the NorduGrid CA
Authorization: access control to the resources
● the present model of Globus:
  ● if a site wants to give access to a Grid user, it does so by "mapping" the Grid user to a local unix user
  ● the Grid user then has all the rights of the mapped local unix user, and can do anything that unix user is allowed to do
  ● sites should set up these "grid" unix accounts carefully
  ● each site maintains its own list of mappings
● in the future...
Local site policy: the gridmapfile
● if a Grid user is in the gridmapfile then she has access to the site, provided her certificate is "recognized"
● site admins have total control over their gridmapfile
● example:
    "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith" griduser
    "/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas" griduser
    "/O=Grid/O=NorduGrid/OU=lu.se/CN=Joe Welsh" griduser
    "/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson" vip
Virtual Organization
A well-known scenario from the early stage of every testbed:
● I am a new user, I have just received my certificate, how do I get into the gridmapfiles?
● users were individually contacting site administrators, asking them to list their subject names in the site's gridmapfile
Solution:
● sites sharing their resources (participating in the same testbed) form a Virtual Organization:
  ● they should somehow synchronize their gridmapfiles
  ● automatic updates of gridmapfiles
  ● delegate the user selection process to VO managers
The NorduGrid VO
● database of the NorduGrid users
  ● contains the Subject Names of the users' certificates
  ● GSI-enabled secure LDAP server
  ● VO managers, User Groups, Group Managers
  ● certificate-based authentication
  ● static LDAP ACLs, e.g.:
    access to dn="ou=testbed 1,dc=nordugrid,dc=org" by dn="^UID=/O=Grid/O=NorduGrid/OU=quark\.lu\.se/CN=Oxana Smirnova" write
● a periodically running script on the sites generates the gridmapfile from the database
nordugridmap.conf
● this is the place where site managers establish their local policy
    ### GRID-MAPFILE
    #gmf /etc/grid-security/grid-mapfile
    ### GRID-MAPFILE-LOCAL
    gmf_local /etc/grid-security/local-grid-mapfile
    ### Datagrid VO Groups and their user mappings
    #group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org alice
    #group ldap://grid-vo.nikhef.nl:389/o=cms,dc=eu-datagrid,dc=org cms
    # The testbed 1 group of NorduGrid
    #group ldap://grid-vo.nordugrid.org/ou=testbed 1,ou=People,dc=nordugrid,dc=org
    ### deny|allow pattern_to_match
    #deny *infn*
    #allow *dutchgrid*
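The three preceding slides (the gridmapfile, the VO database, and nordugridmap.conf) describe one pipeline: a site-run script pulls the subject names of a VO group from the directory, filters them by local deny/allow patterns, merges them with the site's own local-grid-mapfile, and writes the grid-mapfile that the gatekeeper consults. The script below is an added illustration of that pipeline, not the NorduGrid project's own nordugridmap code. The VO LDAP query is replaced by an in-memory dictionary of constructed members, the config and mapfile contents are constructed, and the precedence rules (local mappings win over VO mappings, deny patterns win over allow patterns) are assumptions, not documented behaviour of the real script.

```python
"""Generate a Globus-style grid-mapfile from VO group membership plus local site policy.

Added example for the NorduGrid VO slides; not the project's own code.  The VO
LDAP directory is replaced by an in-memory dictionary so it runs offline.
"""
import fnmatch
import shlex

# Constructed stand-in for the VO LDAP directory: group URL -> member subject names.
# The URL is a constructed simplification of the one shown on the slide.
VO_DIRECTORY = {
    "ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org": [
        "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith",
        "/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas",
        "/O=Grid/O=NorduGrid/OU=infn.it/CN=Mario Rossi",  # constructed; hits the deny pattern
    ],
}

# Constructed nordugridmap.conf using the directive syntax shown on the slide.
SITE_CONFIG = """\
### GRID-MAPFILE-LOCAL
gmf_local /etc/grid-security/local-grid-mapfile
### VO groups and their user mappings
group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org griduser
### deny|allow pattern_to_match
deny *infn*
"""

# Constructed local-grid-mapfile: site-maintained mappings the VO update must not overwrite.
LOCAL_MAPFILE = """\
# site-local mappings
"/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson" vip
"/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith" localsmith
"""


def parse_mapfile(text):
    """Parse grid-mapfile lines of the form "subject DN" account into a dict (first mapping wins)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex keeps the quoted DN (which contains spaces) together
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping.setdefault(parts[0], parts[1])
    return mapping


def parse_config(text):
    """Parse the nordugridmap.conf subset used here: gmf_local, group <url> <account>, deny, allow."""
    cfg = {"gmf_local": None, "groups": [], "deny": [], "allow": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key == "gmf_local":
            cfg["gmf_local"] = args[0]
        elif key == "group":
            cfg["groups"].append((args[0], args[1]))
        elif key in ("deny", "allow"):
            cfg[key].append(args[0])
        else:
            raise ValueError(f"unknown directive: {key}")
    return cfg


def permitted(subject, cfg):
    """Local policy filter (assumed semantics): deny wins; allow patterns, if any, restrict further."""
    if any(fnmatch.fnmatchcase(subject, p) for p in cfg["deny"]):
        return False
    if cfg["allow"]:
        return any(fnmatch.fnmatchcase(subject, p) for p in cfg["allow"])
    return True


def generate_gridmap(cfg, directory, local_text):
    """Merge local mappings (highest priority) with the filtered VO group members."""
    mapping = parse_mapfile(local_text)
    for url, account in cfg["groups"]:
        for subject in directory.get(url, []):
            if permitted(subject, cfg):
                mapping.setdefault(subject, account)  # a local mapping for the same DN is kept
    return mapping


def render_gridmap(mapping):
    """Serialize back into grid-mapfile syntax."""
    return "".join(f'"{subject}" {account}\n' for subject, account in mapping.items())


def lookup(subject, mapping):
    """The authorization-time decision: certificate subject -> local account, or None if not mapped."""
    return mapping.get(subject)


if __name__ == "__main__":
    cfg = parse_config(SITE_CONFIG)
    gridmap = generate_gridmap(cfg, VO_DIRECTORY, LOCAL_MAPFILE)
    print(render_gridmap(gridmap), end="")
```

Run stand-alone it prints a three-line grid-mapfile: Peter Simpson and John Smith keep their site-local accounts, Steve Lucas gets the group account griduser, and the constructed infn.it subject is dropped by the deny pattern. The point of the merge order is the one the slides make: the VO manager decides who is a member, but the site's local file and its deny/allow patterns keep the final say over which local unix rights a Grid user ends up with.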
More info...
http://grid-vo.nordugrid.org/NorduGridVO
http://www.nordugrid.org/services.html