1 / 7

Security Command Line Tools

Security Command Line Tools. C.Witzig, SWITCH christoph.witzig@switch.ch. A bit of history. Goal: A set of useful command line tools for site admins Not user authZ recommendation #3, OSG-EGEE coordination meeting Document at https://edms.cern.ch/document/931846 General remarks:

wind
Download Presentation

Security Command Line Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Command Line Tools C.Witzig, SWITCH christoph.witzig@switch.ch

  2. A bit of history • Goal: A set of useful command line tools for site admins • Not user • authZ recommendation #3, OSG-EGEE coordination meeting • Document at https://edms.cern.ch/document/931846 • General remarks: • Should be simple • Clearly differentiate between commands that • Make changes (with option --noaction) • Do only return information • API specs may have to be modified during implementation • Prioritization for EGEE done JRA1 AH Prague Nov 2008: pattern matching rules

  3. Cmds (1/4) • ca_manage: managing CA repository • medium priority • no time line • authz_check: given a credential, return authZ answer (permit/deny/undetermined) • priority high • to be implemented with new authZ service • Reason: non trivial amount of work JRA1 AH Prague Nov 2008: pattern matching rules

  4. Cmds (2/4) • cred_mapping: mapping of a credential to UID/GID(s) • Priority: high • Two implementation: • Simple: Script by M.Litmaath, that returns pool account info given the DN or vice-versa. ML is willing to expand it. • Full set with new authZ service • cred_cleanup: finding and removing credentials associated with crashed jobs • Priority: low • Time line: none JRA1 AH Prague Nov 2008: pattern matching rules

  5. Cmds (3/4) • wms_info: returning information about assignment of credentials to shares: • Priority: low • Time line: none • Reason: glite-wms-job-list-match • ban_user: banning a user/DN/FQAN • Priority: high • Time line: with the new authZ service • Reason: new authZ service is sufficiently close such that another effort is not justified JRA1 AH Prague Nov 2008: pattern matching rules

  6. Cmds (4/4) • task_removal: Given a credential find currently running jobs (and optionally remove them) • Priority: high • Two possible implementation: • Simple one based on cred_mapping (for only DN) • Full version with new authZ service • Note: 2 parts: authZ and batch system • NOTE: need “volunteer” to write batch system part. • check_connection: new - courtesy of J.Keijser • A script which verifies the openssl handshake to a service and returns success or failure with a meaningful reason • J.Keijer volunteered JRA1 AH Prague Nov 2008: pattern matching rules

  7. Conclusion • Banning tool and authZ check to be introduced with new authZ service • Cred_mapping and connection_check assigned (courtesy of ML and JK) • Volunteer needed for task_removal JRA1 AH Prague Nov 2008: pattern matching rules

More Related