
Diff of /trunk/grid-mw-security/ees/thesis/grid_auth.tex


revision 937 by aramv, Fri Oct 16 10:52:45 2009 UTC revision 938 by aramv, Fri Oct 16 13:54:56 2009 UTC
# Line 38  In this interaction the VOMS server acts Line 38  In this interaction the VOMS server acts
38  The Attribute Certificate also specifies the group, subgroup, roles and capabilities of the holder.  The Attribute Certificate also specifies the group, subgroup, roles and capabilities of the holder.
39  \glossary{name={AA}, description={Attribute Authority}}  \glossary{name={AA}, description={Attribute Authority}}
40  \glossary{name={AC}, description={Attribute Certificate}}  \glossary{name={AC}, description={Attribute Certificate}}
41  To create a VOMS AC, a VOMS service amends the user's proxy certificate with signed VOMS tokens, which can include \textit{Fully Qualified Attribute Name}s (FQANs) \cite{fqan}.  To create a VOMS AC, a VOMS service amends the user's proxy certificate with signed VOMS tokens, which include \textit{Fully Qualified Attribute Name}s (FQANs) \cite{fqan}.
42  \glossary{name={FQAN}, description={Fully Qualified Attribute Name}}  \glossary{name={FQAN}, description={Fully Qualified Attribute Name}}
43    
44  As an analogy, in this capacity the Grid certificate is like a passport that is used to obtain a membership card (AC) of a certain club (VO).  As an analogy, in this capacity the Grid certificate is like a passport that is used to obtain a membership card (AC) of a certain club (VO).
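Review bot: tightening "can include" to "include" makes FQANs a mandatory part of every VOMS token, which matches the preceding sentence that the AC specifies group, subgroup, roles and capabilities, but the FQAN subsection later still says FQANs "can be given out" by a VOMS service; make the two passages agree on whether FQANs are always present. The two \glossary entries for AA and AC interrupt the paragraph between two sentences; moving them to the end of the paragraph keeps the source easier to read.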
# Line 69  The role and associated capabilities a u Line 69  The role and associated capabilities a u
69    
70    
71  \subsection{Fully Qualified Attribute Names}  \subsection{Fully Qualified Attribute Names}
72  \textit{Fully Qualified Attribute Names} (FQANs) are properties attributed to a certificate.  \textit{Fully Qualified Attribute Names} (FQANs) are explicit and unambiguous strings that can describe the group and subgroup a user is associated with.
73  These can be given out by a VOMS service in an Attribute Certificate.  These can be given out by a VOMS service through an Attribute Certificate.
 It is a string that can describe the group and subgroup a user is associated with.  
74  Besides group affiliation, roles and capabilities can be attributed to the user.  Besides group affiliation, roles and capabilities can be attributed to the user.
75  By being affiliated with a certain group, a user can claim authorization at a grid service.  By being affiliated with a certain group, a user can claim authorization at a grid service.
 FQANs are explicit and unambiguous, specifying all required and optional fields.  
76  %In VOMS AC's komen FQANS voor  %In VOMS AC's komen FQANS voor
77  %FQAN is 1 string die beschrijving geeft van de VO groepen, subgroepen, rollen en capabilities  %FQAN is 1 string die beschrijving geeft van de VO groepen, subgroepen, rollen en capabilities
78  % binnen iedere groep kun je aparte rollen aanwijzen  % binnen iedere groep kun je aparte rollen aanwijzen
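Review bot: merging the definition into the first sentence drops "specifying all required and optional fields", so the new text no longer says that an FQAN has a fixed structure of required and optional fields; suggest keeping that, e.g. "explicit and unambiguous strings, with required and optional fields, that describe the group and subgroup a user is associated with". The three Dutch working comments left at the end of the hunk still need to be folded into the English text or removed before the chapter is final.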
# Line 117  Many different organizations worldwide d Line 115  Many different organizations worldwide d
115  % Door Delegation of credentials from your certificate to a WMS zodat die service functioneert als een agent.  % Door Delegation of credentials from your certificate to a WMS zodat die service functioneert als een agent.
116  % Alleen de private key van de delegation blijft over op de WMS. Je eigen private key van je op jouw naam staande certificate wordt niet overdragen aan de agent.  % Alleen de private key van de delegation blijft over op de WMS. Je eigen private key van je op jouw naam staande certificate wordt niet overdragen aan de agent.
117  % Het proxy certificate is cryptografisch verbonden, omdat jij de signer bent.  % Het proxy certificate is cryptografisch verbonden, omdat jij de signer bent.
118  Support for these mechanisms has evolved over the past decade, and gradually got more flexible over the years.  Support for these mechanisms has evolved over the past decade, and gradually got more flexible.
119  % Het gebruik van de authenticatie technieken heeft relatie tot volwassenheid en evolutie van authenticatie technieken en de use cases (refereer naar delegation). Open standaarden zijn vereist.  % Het gebruik van de authenticatie technieken heeft relatie tot volwassenheid en evolutie van authenticatie technieken en de use cases (refereer naar delegation). Open standaarden zijn vereist.
120    
121  % End-to-end security: dat je de chain van de worker node kunt terugleiden naar de persoon die de job submitte.  % End-to-end security: dat je de chain van de worker node kunt terugleiden naar de persoon die de job submitte.
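Review bot: removing "over the years" fixes the duplication with "over the past decade", but "gradually got more flexible" is still informal for a thesis; suggest "and has gradually become more flexible". The surrounding Dutch comments (delegation of a proxy to a WMS so it acts as an agent, end-to-end traceability from the worker node back to the submitter) describe material that the English text does not yet contain and should be written up or dropped.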
# Line 166  Different types of credentials that can Line 164  Different types of credentials that can
164  }  }
165    
166  \item[VOMS attributes]{  \item[VOMS attributes]{
167  The DN information is used to query a certain VOMS server associated with the project, which returns an \textit{Attribute Certificate} \cite{rfc3281} in which each field and the whole certificate are signed by the VOMS server.  The DN information is used to query a certain VOMS server associated with the project, which returns an \textit{Attribute Certificate} \cite{rfc3281} in which each field and the Attribute Certificate as a whole are signed by the VOMS server.
168  }  }
169    
170  % Op basis van de info in het certificaat (je DN) en VOMS credentials (FQAN) worden user geauthoriseerd.  % Op basis van de info in het certificaat (je DN) en VOMS credentials (FQAN) worden user geauthoriseerd.
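Review bot: the rewording keeps the claim that "each field" of the Attribute Certificate is signed by the VOMS server; check this against the cited \cite{rfc3281}, which defines one signature over the AC as a whole, and if per-field signing refers to something VOMS-specific, say so explicitly. Minor: "a certain VOMS server associated with the project" reads better as "the VOMS server of the project".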
# Line 176  The DN information is used to query a ce Line 174  The DN information is used to query a ce
174  % Voorbeelden van VOMS rollen: VO-admins, software updaters / installateurs (Software area directories), production managers (verantwoordelijke voor het processen van de data en monte carlo productie).  % Voorbeelden van VOMS rollen: VO-admins, software updaters / installateurs (Software area directories), production managers (verantwoordelijke voor het processen van de data en monte carlo productie).
175  \item[SAML statements] % Zie je terug in Shibolleth. Altijd terug te leiden naar X.509 certificates. Andere niet-standaard authenticatiemethoden. Komt meer uit de web-hoek.  \item[SAML statements] % Zie je terug in Shibolleth. Altijd terug te leiden naar X.509 certificates. Andere niet-standaard authenticatiemethoden. Komt meer uit de web-hoek.
176    
177  {The \textit{Security Assessment Markup Language}.  {The \textit{Security Assessment Markup Language} \cite{saml} is an XML standard for exchanging authentication and authorization data between security domains.
178  XML standard for exchanging authentication and authorization data between security domains.  Grid services try to translate SAML information back to an X.509 certificate, as it remains the 'lingua Franca'.
 Grid services try to translate SAML information back to an X.509 certificate, as it remains the 'lingua Franca' despite SAML (which aims to be an open standard).  
179  }  }
180  \glossary{name={SAML}, description={Security Assessment Markup Language}}  \glossary{name={SAML}, description={Security Assessment Markup Language}}
181  % Bedoeld om een claim te geven over identiteit  % Bedoeld om een claim te geven over identiteit
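Review bot: the new text and the unchanged \glossary entry both expand SAML as "Security Assessment Markup Language"; the OASIS standard is the Security Assertion Markup Language, so both places should be corrected. Minor: "lingua franca" is normally lower case, and the opening brace of the item body is separated from \item[SAML statements] by a comment and a blank line, which is fragile; putting the brace on the \item line avoids a stray paragraph break inside the description item.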
# Line 277  It can be used to define rules based on Line 274  It can be used to define rules based on
274  %By the virtue of the pilot job framework use case a Worker Node has now become a new entry point to the cluster.  %By the virtue of the pilot job framework use case a Worker Node has now become a new entry point to the cluster.
275  % reference naar suEXEC  % reference naar suEXEC
276  gLExec is a pluggable suEXEC-like \cite{suexec} wrapper program that requests a mapping between Grid credentials and Unix user accounts and groups.  gLExec is a pluggable suEXEC-like \cite{suexec} wrapper program that requests a mapping between Grid credentials and Unix user accounts and groups.
277  It can enforce this mapping to wrapped executables by modifying its \textit{uid} and \textit{gid}s before passing execution to the wrapped binary.  It can enforce this mapping to wrapped executables by modifying the \textit{uid} and \textit{gid}s of the executing process to the ones the user is mapped to, before passing execution to the wrapped binary.
278  gLExec will authenticate credentials using a callout to LCAS and LCMAPS.  gLExec will authenticate credentials using a callout to LCAS and LCMAPS.
279  It can act as both a light-weight 'gatekeeper' on the Compute Element or be used on the Worker Node for late-binding (pilot job) use cases. Please see appendix \ref{use_cases} for a description of possible use cases.  It can act as both a light-weight 'gatekeeper' on the Compute Element or be used on the Worker Node for late-binding (pilot job) use cases. Please see appendix \ref{use_cases} for a description of possible use cases.
280  Through the SCAS client in LCMAPS, a central mapping and authorization service like SCAS (or any interoperable SAML2XACML2 service) can be used. \cite{nikhefwebsite:gridwikiglexec}  Through the SCAS client in LCMAPS, a central mapping and authorization service like SCAS (or any interoperable SAML2XACML2 service) can be used. \cite{nikhefwebsite:gridwikiglexec}
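Review bot: "gLExec will authenticate credentials using a callout to LCAS and LCMAPS" contradicts the surrounding description, in which LCAS makes authorization decisions and LCMAPS provides the mapping; suggest "gLExec authorizes and maps credentials through a callout to LCAS and LCMAPS". The new uid/gid sentence is clearer than the old one, but "can act as both a light-weight 'gatekeeper' ... or be used" should be "either ... or", and the \cite{nikhefwebsite:gridwikiglexec} placed after the final full stop belongs before it.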
# Line 311  The plug-ins that LCAS executes must all Line 308  The plug-ins that LCAS executes must all
308    
309  \begin{description}  \begin{description}
310  %\item[Gridlist]{A plug-in that maps allowed users to pool accounts using the gridmapfile \cite{gridmapfile}}  %\item[Gridlist]{A plug-in that maps allowed users to pool accounts using the gridmapfile \cite{gridmapfile}}
311  \item[Timeslots]{A plug-in that makes authorization decisions based on available time slots \cite{timeslots}}  \item[Timeslots]{A plug-in that makes authorization decisions based on the time of day a job request is received \cite{timeslots}}
312  \item[Userban]{A plug-in that checks a file that contains a list of Subject DNs of users to be banned from the site \cite{userban}}  \item[Userban]{A plug-in that checks a file that contains a list of Subject DNs of users to be banned from the site \cite{userban}}
313  \item[Userallow]{A plug-in that checks a file that contains a list of Subject DNs of users to be allowed to the site. \cite{userallow}}  \item[Userallow]{A plug-in that checks a file that contains a list of Subject DNs of users to be allowed to the site. \cite{userallow}}
314  \item[Check executable]{A plug-in that checks if the executable requested is whitelisted by the service. \cite{userallow}}  \item[Check executable]{A plug-in that checks if the executable requested is whitelisted by the service. \cite{userallow}}
315    \item[LCAS VOMS]{Works like the userallow plug-in, execpt it verifies the FQANs present in a proxy certificate instead of the Subject DN. These were added to the certificate by a VOMS service. With this plug-in, more complex policies for authorization can also be expressed in the GACL \cite{gaclsite:home} language.}
316  \end{description}  \end{description}
317    
318  \glossary{name={RSL}, description={Resource Specification Language}}  \glossary{name={RSL}, description={Resource Specification Language}}
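Review bot: typo "execpt" for "except" in the new LCAS VOMS item. The "Check executable" item above it cites \cite{userallow}, which looks copied from the Userallow entry and probably needs its own key. The list also mixes items with and without a full stop before the citation; use one form throughout. The LCAS VOMS item could say what "more complex policies" means, e.g. conditions combining group, role and capability, since that is what the FQAN subsection sets up.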
# Line 393  The SCAS is specifically tailored to sol Line 391  The SCAS is specifically tailored to sol
391    
392    
393    
394  % TODO cite OASIS standard saml2-xacml2 .  % cite OASIS standard saml2-xacml2 .
395  The SCAS will authorize the pilot job framework production manager and it will authorize the payload user using the LCAS framework.  The SCAS will authorize the pilot job framework production manager and it will authorize the payload user using the LCAS framework.
396  Upon successful authorization the user credentials of the payload will be mapped to Unix credentials by LCMAPS and returned in a SAML2-XACML2 response.  Upon successful authorization the user credentials of the payload will be mapped to Unix credentials by LCMAPS and returned in a SAML2-XACML2 \cite{authzinterop} response.
397  In such response there is a binary authorization statement given and optionally XACML obligations can be returned.  In such response there is a binary authorization statement given and optionally XACML obligations can be returned.
398    
399  Obligations are name-spaced identifiers that can contain attributes.  Obligations are name-spaced identifiers that can contain attributes.
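Review bot: now that \cite{authzinterop} has been added, the remaining "% cite OASIS standard saml2-xacml2 ." comment is either done or refers to a different document; if authzinterop is the Authorization Interoperability profile rather than the OASIS SAML2-XACML2 specification, keep the TODO marker, otherwise delete the comment. "In such response there is a binary authorization statement given and optionally XACML obligations can be returned" reads better as "Such a response carries a binary authorization decision and, optionally, XACML obligations."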
