User Management: Authentication & Authorization on the NorduGrid

User Management:Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3rd NorduGrid Workshop, 23 May, 2002 Helsinki

The problem: • user: • how can I use the Grid, how do I log in? • cluster admin: • who is coming from the Grid, how do I control Grid users?

Authentication establishing the identity of a Grid entity: • Thrusted third-party Public Key Infrastructure • a user posesses a private key and a certificate • she has a copy of the public key of the thrusted third-parties • Grid Security Infrastructure of Globus provides a single sign on Authentication procedure • certificates: • subject name /O=Grid/O=NorduGrid/OU=quark.lu.se/CN= User Name • public key of the subject • the identity of the thrusted third-party • the digital signature of the third-party

Certificate Authority The Thrusted Third Party Binds identities to key pairs: • “issues” 'X.509' certificates • maintains Certification Policy • revokes compromised certificates • extends expired certificates A user's first way to the NorduGrid: • “generate” and “submit” certificate request to the NorduGrid CA

Authorization access control to the resources • the present model of the Globus: • If a site wants to give access to a Grid user then it is done by “mapping” the Grid user to a local unix user • the Grid user has all the rights of the mapped local unix user, and can do anything what a unix user is allowed to do • sites should set these “grid” unix accounts carefully • each sites maintains its own list of mappings • in the future...

local site policy: gridmapfile • if a Grid user is in the gridmapfile then she has access to the site provided her certificate is “recognized” • site admins have the total control over their gridmapfile example: "/O=Grid/O=NorduGrid/OU=bu.se/CN=John Smith" griduser "/O=Grid/O=NorduGrid/OU=tu.se/CN=Steve Lucas" griduser "/O=Grid/O=NorduGrid/OU=lu.se/CN=Joe Welsh" griduser "/O=Grid/O=NorduGrid/OU=fu.se/CN=Peter Simpson" vip

Virtual Organization a well-known scenario from the early stage of every testbed: • I am a new user, just received my certificate, how do I get into the gridmapfiles? • users were individually connecting site administrators asking them to list their subject names in the site's gridmapfile solution: • sites sharing their resources (participating in the same testbed) form a Virtual Organization: • should somehow synchronize their gridmapfiles • automatic updates of gridmapfiles • delegate the user selection process to VO managers

The NorduGrid VO • database of the NorduGrid users • contains the Subject Names of the user's certificates • GSI enabled secure LDAP server • VO managers • User Groups • Group Managers • certificate-based authentication • static LDAP ACL's access to dn="ou=testbed1,dc=nordugrid,dc=org" by dn="^UID=/O=Grid/O=NorduGrid/OU=quark\\.lu\\.se/CN=Oxana Smirnova" write • periodically running script on sites which generates the gridmapfile from the database

nordugridmap.conf • this is the place where site managers establish their local policy ### GRID-MAPFILE #gmf /etc/grid-security/grid-mapfile ### GRID-MAPFILE-LOCAL gmf_local /etc/grid-security/local-grid-mapfile ### Datagrid VO Groups and their user mappings #group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org alice #group ldap://grid-vo.nikhef.nl:389/o=cms,dc=eu-datagrid,dc=org cms # The testbed1 group of NorduGrid #group ldap://grid-vo.nordugrid.org/ou=testbed1,ou=People,dc=nordugrid,dc=org ### deny|allow pattern_to_match #deny *infn* #allow *dutchgrid*

more info... http://grid-vo.nordugrid.org/NorduGridVO http://www.nordugrid.org/services.html

User Management: Authentication & Authorization on the NorduGrid