1 / 8

Site Authorization Service (SAZ) at Fermilab

Site Authorization Service (SAZ) at Fermilab. Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003. What is SAZ ?. Site AuthoriZation service Think of it as something like an NIS level abstraction above the individual password file on each system. Why is it needed ?.

ava-morrison
Download Presentation

Site Authorization Service (SAZ) at Fermilab

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003

  2. What is SAZ ? • Site AuthoriZation service • Think of it as something like an NIS level abstraction above the individual password file on each system.

  3. Why is it needed ? • In the GTK2, authorization is dealt with via the gridmapfile and there is one per service. • Sites wish to impose sitewide policy centrally • Can streamline some maintenance (eg. CRL checking) • Allows for multiple layers of authorization

  4. What does SAZ look like ? SAZ User Reg. Db Interface Db Gridmapfile SAZ service Gatekeeper Admin Job Manager Job

  5. What does it do ? • The primary purpose for SAZ is to act as an authorization service for all Grid Resources on a site so that common policy can be enforced. • A secondary purpose is to centralize maintenance of Certificate Revocation Lists (CRLs) • The current version implements this in the gatekeeper via an LCAS (from the EDG suite of products) shared memory module.

  6. What more does it do ? • The service needs to get data about which DNs map to the same person. • The internal SAZ database is populated through two interfaces: user and admin. • Users can add or delete their own DN. • We use Kerberos authentication for that transaction. • They may add several different DNs to their entry • Administrators can add or delete any entry in the database.

  7. What is the status ? • Prototype has been tested with EDG gatekeeper. • Now being installed on CMS development testbed and soon on CDF/DO grids • Specification for site authorization callout has been agreed between Globus, EDG, Virginia Tech, and FNAL teams and will come with next update of Globus 2

  8. What is planned ? • Move to standard callout (testing code now) • Collaborate with EDG efforts to make common package of LCAS/VOMS/VO registration (this summer) • Move to web services (GTK 3) in the Fall

More Related