1 / 9

Certificates/Authorisation for DataGrid Testbeds

Certificates/Authorisation for DataGrid Testbeds. David Kelsey CLRC/RAL, UK d.p.kelsey@rl.ac.uk. Members of WP6 CA group. Luca dell Agnello INFN, Italy Roberto Alfieri INFN, Italy Jean-Luc Archimbaud CNRS, France Roberto Cecchini INFN, Italy Jorge Gomes LIP, Portugal

marinda
Download Presentation

Certificates/Authorisation for DataGrid Testbeds

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certificates/Authorisation for DataGrid Testbeds David KelseyCLRC/RAL, UKd.p.kelsey@rl.ac.uk D.P.Kelsey, WP6 Security

  2. Members of WP6 CA group • Luca dell Agnello INFN, Italy • Roberto Alfieri INFN, Italy • Jean-Luc Archimbaud CNRS, France • Roberto Cecchini INFN, Italy • Jorge Gomes LIP, Portugal • David Groep NIKHEF, NL • Denise Heagerty CERN • Dave Kelsey (Chair) RAL, UK • Daniel Kouril Cesnet, Czech Rep. • Rafael Marco Spain • Pietro Paolo Martucci CERN • Andrew Sansum RAL, UK • Others joining soon D.P.Kelsey, WP6 Security

  3. Meetings • 4/5 December 2000, CERN • 2 March 2001, CERN • Next meeting: 5 June 2001, CERN D.P.Kelsey, WP6 Security

  4. CA status • National CA already in operation for DataGrid Testbed0 • CERN • Czech Republic • France • Italy • Netherlands • Nordic • Portugal • Spain • UK • Not on WP6 web yet (Czech Republic, Spain, Nordic) • Sites not represented? D.P.Kelsey, WP6 Security

  5. Certificates for users/hosts • All testbed users should obtain a certificate from their own national CA. • Same for host certificates • See WP6 web page • http://marianne.in2p3.fr • Countries not yet running a CA • Implement one or • Find an existing CA willing to issue certificates • Globus certificates are still OK for Testbed0 but should be avoided if possible • Will be removed in Testbed 1 (M9) D.P.Kelsey, WP6 Security

  6. User accounts for Testbed0 • Certificates from national CA • Requests for “GRID” accounts via WP managers • For definite need only • WP manager gives list to WP6 • WP6 will arrange for accounts on Testbed0 sites • And entry in grid mapfile • groups in testbed0? (WP number?) • This does not scale! • We need to plan for for M9/Testbed 1 • Longer term – different approach D.P.Kelsey, WP6 Security

  7. Acceptable use policy? • Do we need an acceptable use policy or other document? • Can show to management to convince them that they should allow an unknown set of people to run programs on computers at a testbed site? • Who are the users? • Why should they use a testbed site? • Do we envisage trusting someone who defines the list of people we will allow to run jobs, access data etc? • Will such lists be signed etc? D.P.Kelsey, WP6 Security

  8. Configuration of systems • See WP6 web • Needs to be part of the standard distribution • To configure complete list of trusted CA’s • To configure the certificate request mechanism • To update CRL’s • Local site is free to accept trusted CA’s or not. • We will check CPS of each CA to define “trust” D.P.Kelsey, WP6 Security

  9. Authorisation • CAS from Globus • May not be ready/tested for testbed1 • So plan on not using it • Authorisation via Grid mapfile • gid, uid UNIX security mechanisms • INFN LDAP tool for group membership • Andrew McNab patch for leasing generic accounts • Need input from WP8-10 for group structure D.P.Kelsey, WP6 Security

More Related