Overview of the New Security Model
WP6 Meeting, VI DataGrid Conference, Barcelona, 12-15 May 2003
Overview
Focus is on VOMS; CA details are in D7.6 Security Design.
[Diagram: credential flow and authorization chain]
User side: proxy cert (dn, cert, Pkey, VOMS cred.; short lifetime). The request certificate (dn, ca, Pkey) goes to VOMS, which returns the VOMS cred. (VO, group(s), role(s)) that is placed in the proxy cert.
MyProxy: delegation of cert+key (long lifetime); renewal request; delegation of cert+key (short lifetime).
Authentication, by service type (Java / web / C): TrustManager auth, mod_ssl auth, GSI auth.
Authorization steps: pre-process: parameters -> obj.id + req.op; authz: dn, attrs, acl, req.op -> yes/no; dn -> DB role map; GACL: obj.id -> acl; LCAS: dn, attrs, acl, req.op -> yes/no; LCMAPS: dn -> userid, krb ticket map; doit.
Granularity examples: coarse grained (e.g. Spitfire, gatekeeper); fine grained (e.g. RepMec, GridSite, SE /grid).
Overview of the New Security Model - n 2
User's Authorization in EDG 1.4.x
[Diagram: high-frequency vs. low-frequency operations]
CA: issues the host cert (long life) to the service and the user cert (long life) to the user; CRL update.
VO-LDAP: user registration.
User: grid-proxy-init -> proxy cert (short life), carrying authentication info only.
Service: mkgridmap reads the VO-LDAP and builds the grid-mapfile.
User's Authorization in EDG 2.x
[Diagram: high-frequency vs. low-frequency operations]
CA: issues the host cert (long life) to the service and the user cert (long life) to the user; CRL update.
VO-VOMS: user registration; issues the service cert (short life) and the authz cert (short life).
User: voms-proxy-init -> proxy cert (short life), carrying authentication & authorization info.
Service: edg-java-security, LCAS.
VOMS Overview
Provides info about the user's relationship with his VO(s): groups, compulsory groups, roles (admin, student, ...), capabilities (free form string), temporal bounds.
Features:
- single login: voms-proxy-init only at the beginning of the session (replaces grid-proxy-init);
- expiration time: the authorization information is only valid for a limited period of time (possibly different from the proxy certificate itself);
- backward compatibility: the extra VO related information is in the user's proxy certificate, which can still be used with non VOMS-aware services;
- multiple VOs: the user may authenticate himself with multiple VOs and create an aggregate proxy certificate;
- security: all client-server communications are secured and authenticated.
VOMS Architecture
[Diagram]
Clients: GSI voms-proxy-init (user query client, C++); Perl CLI over SOAP+SSL (batch processing); web browser client (generic administrative tasks); web server interface for mkgridmap.
VOMS server: vomsd (user query server, C++); voms-httpd, the Java web service based administration interface (Tomcat & java-sec: https, Axis, servlet, VOMS impl), with history and audit records; Apache & mod_ssl serving mkgridmap over https.
Database: MySQL db, accessed via JDBC (Java) and DBI (Perl).
Migration to VOMS
[Diagram: components shown across the phases are voms-ldap-sync (VO-LDAP -> VOMS), edg-mkgridmap, grid-proxy-init / voms-proxy-init, grid-mapfile, service, user, proxy / proxy (voms)]
phase 0: testing the VOMS servers
phase 1: user management on VOMS
phase 2: compatibility mode: mixed services
phase 3: fully migrated: only VOMS-aware services
Auth/Authz in Services
- GSI based or compatible authentication
- grid-mapfile or VOMS based authorization (can be both)
- policy or ACL based access control
- coarse and fine grained solutions
- access control description's syntax is not standard
Implemented alternatives:
- edg-java-security for Java web services
- GSI/LCAS/LCMAPS for native C/C++ services
- mod_ssl/GACL for Apache based web services (Slashgrid for transparent filesystem ACLs)
Local Site Authorization
Local Centre Authorization Service (LCAS)
- handles authorization requests to the local fabric
- authorization decisions based on the proxy user certificate and the job specification; supports the grid-mapfile mechanism
- plug-in framework (hooks for external authorization plugins): allowed users (grid-mapfile or allowed_users.db), banned users (ban_users.db), available timeslots (timeslots.db), plugin for VOMS (to process authorization data)
Local Credential Mapping Service (LCMAPS)
- provides the local credentials needed for jobs in the fabric
- mapping based on user identity, VO affiliation, local site policy
Spitfire
- role-based authorization with support for authorization info provided by VOMS
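The LCAS decision chain above (allowed/banned users, timeslots, VOMS data) followed by an LCMAPS-style mapping, as an added toy illustration; this is not EDG code, and the DNs, file contents, SUPPORTED_VOS, the VOMS attribute dict layout and the account naming scheme are all constructed assumptions. It also checks the VOMS attribute lifetime separately from the proxy lifetime, the point made on the VOMS Overview slide.

```python
from datetime import datetime

# Constructed site policy, in the spirit of the grid-mapfile, ban_users.db
# and timeslots.db named on the slide (toy data, not real EDG files).
GRID_MAPFILE = (
    '"/C=ES/O=DataGrid/CN=Alice Example" .atlas\n'   # .atlas = pool account
    '"/C=ES/O=DataGrid/CN=Bob Example" bob\n'
)
BAN_USERS = {"/C=ES/O=DataGrid/CN=Mallory Example"}
SUPPORTED_VOS = {"atlas", "cms"}
TIMESLOTS = [(8, 20)]                 # allowed local hours, [start, end)

ts = datetime.fromisoformat           # lets callers pass ISO strings

def parse_gridmap(text):
    """grid-mapfile: one quoted DN per line followed by the local account."""
    pairs = (l.strip().rpartition(" ") for l in text.splitlines() if l.strip())
    return {dn.strip('"'): acct for dn, _, acct in pairs}

def lcas(dn, proxy_not_after, voms, now, gridmap):
    """LCAS-style yes/no; 'voms' is the proxy's VO/group/role dict or None."""
    if now >= proxy_not_after:
        return False, "proxy expired"
    if voms and now >= voms["not_after"]:   # VOMS data has its own lifetime
        return False, "VOMS attributes expired"
    if dn in BAN_USERS:
        return False, "banned user"
    if voms and voms["vo"] not in SUPPORTED_VOS:
        return False, "VO not supported at this site"
    if voms is None and dn not in gridmap:
        return False, "unknown user"
    if not any(s <= now.hour < e for s, e in TIMESLOTS):
        return False, "outside allowed timeslot"
    return True, "ok"

def lcmaps(dn, voms, gridmap):
    """LCMAPS-style mapping: VO and role decide; plain proxies use the map."""
    if voms:
        suffix = "admin" if voms.get("role") == "admin" else "user"
        return f"{voms['vo']}-{suffix}"          # constructed naming scheme
    account = gridmap.get(dn)
    if account and account.startswith("."):     # pool account marker
        return account[1:] + "001"               # first pool slot (toy)
    return account

def authorize(dn, proxy_not_after, voms, now):
    """LCAS first, then LCMAPS, as in the slide's decision chain."""
    gridmap = parse_gridmap(GRID_MAPFILE)
    ok, reason = lcas(dn, proxy_not_after, voms, now, gridmap)
    return ok, reason, (lcmaps(dn, voms, gridmap) if ok else None)
```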
TODO
- Test the pieces in the Testbeds
- Use the security model -> get real life use cases
- Implement the missing pieces and discard the unused
- Common syntax and semantics for access control configurations
- Substitution of VOMS certificates by Attribute Certificates (RFC 3281)
- Support for time cyclic/bound permissions and roles
- Database replication