Security Group D7.6 Design Ideas
E-mail: [email protected]
Ákos FROHNER – DataGrid Security - 2002-05-17 - n° 1

n° 2 Mutual Authentication
- GSI – certificate based authentication
- challenge = random data
- key(data) = encoding with key
- validation: decode(public key, encode(private key, data)) = data
- Short-time certificates! -> no CRL

n° 3 Delegation
- proxy certificate is generated on the server side
- the private key does not cross the net
- rights of the proxy are a subset of the original rights

n° 4 Membership (dataflow)
(dataflow diagram: organisation / virtual organisation, VO policy, site policy, VO membership, group, role; example flow: read a file -> ACL file)
- Authenticate a user at a service
- Gather additional information associated to the user or the actual session (e.g. group membership, role, time)
- Gather additional information associated to the protected service or object (e.g. file permissions)
- Get local policy applicable to the situation (e.g. temporarily disabled user)
- Derive the authorization information from the identity and the additional information

n° 5 Membership (sequence)
(sequence diagram only)

n° 6 Access Control List
- user – list of capabilities: cap.1 (DN), cap.2 (VO), … cap.n (group/role/...)
- protected object – access control list: +cap.1:read, +cap.2:write,read, -cap.3:read, … +cap.m:op1,op2
- decision: user (capabilities) + operation + file -> ACL -> yes/no
- policy: pattern + ACL -> yes/no decision, e.g.
  /cms/**:+cms:read
  *:-Bob:read,write,delete
  *.bak:+cleanup-role:delete

n° 7 New File or Directory in an SE
- the original owner (creator) is marked for accounting, not used for authorization!
- File, creator: Alice; the creator has admin (getacl, setacl) permissions
  ACL: +Alice:getacl,setacl,read,write,delete
- additional permissions from the enclosing object (default ACL), site and VO policy
- delete is a file attribute
- Directory, creator: Alice
  ACL: +Alice:getacl,setacl,create,list,delete
  default ACL: dir:+Alice:getacl,setacl,create,list,delete; file:+Alice:getacl,setacl,read,write,delete
- mark group/VO for accounting?

n° 8 File Replication (sequence)
(sequence diagram only)

n° 9 File Replication
(sequence diagram: user Alice, RM, MC, source SE with f1, destination SE)
1. SE.getACL -> +Alice:read,write,admin
2. RM.preRegister -> RM-role
3. SE.setACL(+Alice:read,write,admin; RM-role:admin)
4. Alice: RM.register
5. RM: MC.register
6. (6.1, 6.2) SE.getACL, MC.setACL(+Alice:read,write,admin; RM-role:admin)
7. SE.setACL(+Alice:read; RM-role:admin)
Result: f1 on both SEs carries +Alice:read, +RM-role:admin

n° 10 Normal File Access
(sequence diagram: user, MC, RM, two SEs holding f1 with +Alice:read, +RM-role:admin)
1. RM.getBestFile(LFN) -> SE, FN
2. SE.read(FN)

n° 11 Medical Image Access
(sequence diagram: Alice, MC, RM, SEs holding f1 with +RM-role:admin,read; patient metadata ACL: +Alice:read)
1. RM.getBestFile(LFN) -> SE, FN (via MC)
2. RM.getAppMetaData -> restricted-cert, key (via MC)
3. SE.read(FN, restricted-cert)
4. decode(key, FN) -> image

n° 12 RM-role
(diagram: user, CAS, MC, RM-1, RM-2, SEs holding f1 with +Alice:read, +RM-role:admin)
1. CAS.getMembership -> RM-role (RM-1)
2. CAS.getMembership -> RM-role (RM-2)
3. user
4. metadata catalog
5. storage element
6. file ACL entry

n° 13 Administrator Roles
(diagram)
- Certificate Authorities: CA it, CA ch, CA fr
- Virtual Organisation administrators: VO LHC and VO EDG, each with RM, RB, CAS -> CAS admin, RM admin, RB admin
- Site administrators: CERN, INFN, CNRS, each with SE, CE -> SE admin, CE admin
- protected objects: job (CE), file (SE)

n° 14 Other issues
- initial credential: userid/password (PAM), kx509, ...
- renewable, CAS: forwardable certificates
- does more than necessary
- encoding and mutual mapping of capabilities (structure vs. DN)
- CAS: composition of (Virtual) Organisations
- authorization: use only VO-role playing service
- ACLs for jobs: monitor, stop, resume, kill
- using multiple vs. single VO (multiple vs. one cas-certificate)
- ...
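The pattern + ACL policy from the Access Control List slide, evaluated for a user's capability set (DN, VO, group/role) against a file path and operation. This is an added example, not code from the DataGrid project; it assumes deny-overrides semantics and default deny, which the slide does not state.

```python
import fnmatch

# Constructed policy in the slide's "pattern:+/-capability:ops" notation.
# Assumed semantics (not stated on the slide): "+" grants, "-" denies,
# a matching "-" entry overrides any grant, and no match means "no".
POLICY = [
    "/cms/**:+cms:read",
    "*:-Bob:read,write,delete",
    "*.bak:+cleanup-role:delete",
]


def parse_entry(entry):
    """Split 'pattern:+cap:op1,op2' into (pattern, sign, cap, {ops})."""
    pattern, signed_cap, ops = entry.rsplit(":", 2)
    return pattern, signed_cap[0], signed_cap[1:], set(ops.split(","))


def decide(policy, capabilities, path, operation):
    """Yes/no decision for a user holding `capabilities` (DN, VO,
    groups/roles) performing `operation` on the file `path`."""
    granted = False
    for entry in policy:
        pattern, sign, cap, ops = parse_entry(entry)
        if cap not in capabilities or operation not in ops:
            continue
        # fnmatch's '*' also spans '/', so '*.bak' covers '/cms/old.bak'
        if not fnmatch.fnmatchcase(path, pattern):
            continue
        if sign == "-":
            return False          # explicit deny wins (assumed)
        granted = True
    return granted


# Constructed capability sets: a DN, the VO and a role, as on the slide;
# "Bob" stands in for Bob's DN because the slide names him that way.
ALICE = {"/O=Grid/CN=Alice", "cms", "cleanup-role"}
BOB = {"Bob", "cms"}

if __name__ == "__main__":
    for caps, path, op in [(ALICE, "/cms/data/f1", "read"),
                           (ALICE, "/cms/data/f1", "write"),
                           (ALICE, "/cms/old.bak", "delete"),
                           (BOB, "/cms/data/f1", "read")]:
        print(path, op, "->", "yes" if decide(POLICY, caps, path, op) else "no")
```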