/[pdpsoft]/trunk/grid-mw-security/ees/thesis/grid.tex

Diff of /trunk/grid-mw-security/ees/thesis/grid.tex


revision 653 by aramv, Thu Aug 20 12:33:43 2009 UTC revision 654 by aramv, Thu Aug 20 14:09:25 2009 UTC
# Line 147  Support for these mechanisms has evolved Line 147  Support for these mechanisms has evolved
147  % VOMS AC  % VOMS AC
148  % DN, FQAN, CA, serial number, secret sauce.  % DN, FQAN, CA, serial number, secret sauce.
149    
150    \section{Grid computing use cases}
151    \begin{figure}[ht]
152    \centering
153    \includegraphics[width=\textwidth]{grid_job_diagram}
154    \caption[Grid job diagram]%
155    {A diagram showing the path a Grid job travels to reach its computing resources}
156    \end{figure}
157    
158    \begin{figure}[ht]
159    \centering
160    \includegraphics[width=\textwidth]{grid_pilot_job_diagram}
161    \caption[Grid pilot job diagram]%
162    {A diagram showing the path a Grid pilot job travels to reach its computing resources}
163    \end{figure}
164    
165  \section{Evolution of authorization mechanisms}  \section{Evolution of authorization mechanisms}
166    
167  \subsection{ADAM}  \subsection{ADAM}
168  ADAM stands for \textit{AmPS Data Analysis Method}, which as the name implies was first developed to process data generated by the AmPS \textit{Amsterdam Pulse Stretcher.  ADAM stands for \textit{AmPS Data Analysis Method}, which as the name implies was first developed to process data generated by the AmPS \textit{Amsterdam Pulse Stretcher}.
169  It was not designed as a security middleware, but it does have a pluggable architecture to extend its functionality.}.  It was not designed as a security middleware, but it does have a pluggable architecture to extend its functionality.
170  The core component was a framework that got raw data as input from the detectors and used specific plugins to perform detector specific analysis. \cite{adampage}  The core component was a framework that got raw data as input from the detectors and used specific plugins to perform detector specific analysis. \cite{adampage}
171    
172  \subsection{LCAS}  \subsection{LCAS}
173  LCAS is the \textit{Local Centre Authorization Service}.  LCAS is the \textit{Local Centre Authorization Service}.
174  This component makes binary ('yes' or 'no') authorization decisions at the site and resource level.  This component makes binary ('yes' or 'no') authorization decisions at the site and resource level.
175  In making this decision, it can use a variety of inputs: the 'grid' name of the user (the Subject Distinguished Name), any VO attributes the user has (like VOMS \cite{vomssite} FQANs), the name of the executable the user intends to execute.  In making this decision, it can use a variety of inputs: the 'Grid' name of the user (the User Certificate Subject, also known as the Distinguished Name), any VO attributes the user has (like VOMS \cite{vomssite} FQANs), the name of the executable the user intends to execute.
176  It supports basic black and white list functionality, but also more complex VOMS-based expressions, based on the GACL \cite{gaclsite:home} language.  It supports basic black and white list functionality, but also more complex VOMS-based expressions, based on the GACL \cite{gaclsite:home} language.
177    
178  The framework fetches the data stores it and through static means offers the RSL, DN, Globus GSS Credential \cite{rfc2743} and X.509 certificate chain to plugins by passing a structure that contains these values.  The framework fetches the data, stores it and through static means offers the RSL, DN \cite{rfc5280}, Globus GSS Credential \cite{rfc2743} and X.509 certificate chain to plugins by passing a structure that contains these values.
179  The plugins that LCAS executes must all report success e.g. the plugins must be true if logically AND-ed. \cite{nikhefwebsite:gridwikiindex}  The plugins that LCAS executes must all report success e.g. the plugins must be true if logically AND-ed. \cite{nikhefwebsite:gridwikiindex}
180    
181  \subsection{LCMAPS}  \subsection{LCMAPS}
 LCMAPS is the \textit{Local Credential Mapping Service}.  
 It takes care of translating grid credentials to Unix credentials local to the site.  
 Using the pool account mechanism \cite{gridmapdirsite}, extended to dynamic groups when needed, it takes case of ensuring that different individuals on the grid remain distinct unix accounts.  
 Using group mappings based on the user's VO attributes, isolation and scheduling priority decisions can be made.  
 It can also verify the validity and authenticity of the incoming grid credentials, just like when you would have established a TLS connection over a network.  
 This 'verify-proxy' plugin can also enforce life time constraints on the proxy.  
   
182  Unix (like) systems only understand Unix UID, GID and Secondary GID  Unix (like) systems only understand Unix UID, GID and Secondary GID
183  credentials. As the lingua franca is X.509 (with VOMS credentials), these  credentials. As the lingua franca is X.509 (with VOMS credentials), these
184  credentials will need to be translated to Unix credentials.  credentials will need to be translated to Unix credentials.
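Review bot: the two figure environments added under \section{Grid computing use cases} carry no \label, so neither can be referenced with \ref from the text, and the new section contains nothing except the two floats; add a \label to each figure (for instance \label{fig:grid_job_diagram}) and at least one sentence introducing each diagram, otherwise both floats will drift away from any discussion of them. In the unchanged LCAS line "The plugins that LCAS executes must all report success e.g. the plugins must be true if logically AND-ed", "e.g." should be "i.e.", since the clause restates the rule rather than giving an example. The brace repair in the ADAM paragraph (closing \textit{Amsterdam Pulse Stretcher} on its own line and dropping the stray "}." from the next one) is correct.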
# Line 178  Based on the Unix credentials, batch sys Line 186  Based on the Unix credentials, batch sys
186  batch systems have never (yet) been Griddified to natively handle X.509  batch systems have never (yet) been Griddified to natively handle X.509
187  and/or VOMS credentials.  and/or VOMS credentials.
188    
189    LCMAPS is the \textit{Local Credential Mapping Service}.
190    It takes care of translating grid credentials to Unix credentials local to the site.
191    Using the pool account mechanism \cite{gridmapdirsite}, extended to dynamic groups when needed, it takes case of ensuring that different individuals on the grid remain distinct unix accounts.
192    Using group mappings based on the user's VO attributes, isolation and scheduling priority decisions can be made.
193    It can also verify the validity and authenticity of the incoming grid credentials, just like when you would have established a TLS connection over a network.
194    This 'verify-proxy' plugin can also enforce life time constraints on the proxy.
195    
196  The LCMAPS framework hosts a list of specific credential types in its core.  The LCMAPS framework hosts a list of specific credential types in its core.
197  These are offered to the plugins via an API. Each plugin has a specific task  These are offered to the plugins via an API. Each plugin has a specific task
198  to perform, like in the previous frameworks. The plugins are able to write  to perform, like in the previous frameworks. The plugins are able to write
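Review bot: the relocated LCMAPS paragraph still carries the typo "it takes case of ensuring" (should be "takes care of"), "life time" should be one word, and "unix accounts" is lowercase where the rest of the hunk writes "Unix"; since the text is being moved anyway, fix these in the same commit. The verify-proxy sentence says the plugin checks "validity and authenticity" of incoming credentials "just like when you would have established a TLS connection over a network"; as this is the security-critical step before any mapping to a Unix account, state which checks that comparison stands for (the paragraph itself only names the proxy lifetime constraint) and tighten the phrasing to "as would happen when establishing a TLS connection".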
