User Management: Authentication

1
User ManagementAuthentication Authorization
on the NorduGrid

• Balázs Kónya, AndersWäänänen
• 3rd NorduGrid Workshop,
• 23 May, 2002 Helsinki

2
The problem

• user
• how can I use the Grid, how do I log in?
• cluster admin
• who is coming from the Grid, how do I control
  Grid users?

3
Authentication

• establishing the identity of a Grid entity
• Thrusted third-party Public Key Infrastructure
• a user posesses a private key and a certificate
• she has a copy of the public key of the thrusted
  third-parties
• Grid Security Infrastructure of Globus provides a
  single sign on Authentication procedure
• certificates
• subject name
• /OGrid/ONorduGrid/OUquark.lu.se/CN User Name
• public key of the subject
• the identity of the thrusted third-party
• the digital signature of the third-party

4
Certificate Authority

• The Thrusted Third Party
• Binds identities to key pairs
• issues 'X.509' certificates
• maintains Certification Policy
• revokes compromised certificates
• extends expired certificates
• A user's first way to the NorduGrid
• generate and submit certificate request to
  the NorduGrid CA

5
Authorization

• access control to the resources
• the present model of the Globus
• If a site wants to give access to a Grid user
  then it is done by mapping the Grid user to a
  local unix user
• the Grid user has all the rights of the mapped
  local unix user, and can do anything what a unix
  user is allowed to do
• sites should set these grid unix accounts
  carefully
• each sites maintains its own list of mappings
• in the future...

6
local site policy gridmapfile

• if a Grid user is in the gridmapfile then she has
  access to the site provided her certificate is
  recognized
• site admins have the total control over their
  gridmapfile
• example
• "/OGrid/ONorduGrid/OUbu.se/CNJohn
  Smith" griduser
• "/OGrid/ONorduGrid/OUtu.se/CNSteve
  Lucas" griduser
• "/OGrid/ONorduGrid/OUlu.se/CNJoe
  Welsh" griduser
• "/OGrid/ONorduGrid/OUfu.se/CNPeter
  Simpson" vip

7
Virtual Organization

• a well-known scenario from the early stage of
  every testbed
• I am a new user, just received my certificate,
  how do I get into the gridmapfiles?
• users were individually connecting site
  administrators asking them to list their subject
  names in the site's gridmapfile
• solution
• sites sharing their resources (participating in
  the same testbed) form a Virtual Organization
• should somehow synchronize their gridmapfiles
• automatic updates of gridmapfiles
• delegate the user selection process to VO managers

8
The NorduGrid VO

• database of the NorduGrid users
• contains the Subject Names of the user's
  certificates
• GSI enabled secure LDAP server
• VO managers
• User Groups
• Group Managers
• certificate-based authentication
• static LDAP ACL's
• access to dn"outestbed1,dcnordugrid,dcorg"
  by dn"UID/OGrid/ONorduGrid/OUquark\\.lu
  \\.se/CNOxana Smirnova" write
• periodically running script on sites which
  generates the gridmapfile from the database

9
nordugridmap.conf

• this is the place where site managers establish
  their local policy

GRID-MAPFILE gmf /etc/grid-security/grid-map
file GRID-MAPFILE-LOCAL gmf_local
/etc/grid-security/local-grid-mapfile
Datagrid VO Groups and their user mappings group
ldap//grid-vo.nikhef.nl389/oalice,dceu-datagri
d,dcorg alice group ldap//grid-vo.nikhef.nl38
9/ocms,dceu-datagrid,dcorg cms The testbed1
group of NorduGrid group ldap//grid-vo.nordugrid
.org/outestbed1,ouPeople,dcnordugrid,dcorg
denyallow pattern_to_match deny
infn allow dutchgrid
10
more info...

• http//grid-vo.nordugrid.org/NorduGridVO
• http//www.nordugrid.org/services.html