gplazma2 plugins and configuration karsten schwank
play

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, - PowerPoint PPT Presentation

Jan 07, 2024 •156 likes •748 views

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics Plugins Migrating from v1 to v2 Introducing Argus Introducing Kerberos Examples The WLCG Case Using Kerberos and NIS

  1. gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012

  2. Overview ● Basics ● Plugins ● Migrating from v1 to v2 ● Introducing Argus ● Introducing Kerberos ● Examples ● The WLCG Case ● Using Kerberos and NIS ● Summary Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 2

  3. Basics Authorization with gPlazma2 is ● A 4 step process ● Authenticate – “Who are we talking to?” ● Map – “How does the authenticated user fit into our site?” ● Account – “Is the account currently banned?” ● Session – “What is the user allowed to access?” Configuration of gPlazma2 is ● Done via the file /etc/dcache/gplazma.conf Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 3

  4. Step 1: Authentication (auth) Who are we talking to? ● Pin “Principals” to the subject ● Plugins: ● KPWD – dCache's own file based mechanism ● VOMS – Virtual Organization Membership Service ● X509 – X.509 certificate extractor ● JAAS – Java Authentication and Authorization Service ● XACML – Use a XACML server (e.g., GUMS) ● gPlazma1 – Use old gPlazma Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 4

  5. auth:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] login behrmann read-write 1000 1000 /foo /bar / /O=Grid/O=NorduGrid/OU=ndgf.org/CN=Gerd Behrmann behrmann@ndgf.org passwd behrmann aec59c36 read-write 1000 1000 / / kpwd Principal Username+Password Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 5

  6. auth:x509 ● X.509 certificate extractor X.509 chain DN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 6

  7. auth:voms ● Virtual Organization Membership Service gplazma.vomsdir.ca [/etc/grid-security/certificates] gplazma.vomsdir.dir [/etc/grid-security/vomsdir] X.509 chain FQAN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 7

  8. auth:xacml ● XACML gplazma.xacml.client.type gplazma.xacml.service.url gplazma.vomsdir.dir [/etc/grid-security/certificates] gplazma.vomsdir.ca [/etc/grid-security/certificates] gplazma.voms.validate X.509 chain Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 8

  9. auth:jaas ● Java Authentication and Authorization Service gplazma.jaas.name Username+Password Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 9

  10. auth:gplazma1 ● Use gPlazma1 as a plugin gplazma.legacy.config [/etc/dcache/dcachesrm-gplazma.policy] gPlazma1 supported gPlazma1 supported User information credentials Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 10

  11. Step 2: Mapping (map) How does the authenticated user fit in our site? ● Use the “principals” from auth step to assign a local name to the subject ● Plugins: ● KPWD: dCache's file based solution ● KRB5: Kerberos ● NSSwitch: Username and Groupname ● NIS: Network Information System ● AuthzDB: Local file based solution ● GridMap: Local file based solution ● VoRoleMap: Local file based solution ● gPlazma1 Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 11

  12. map:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] mapping "/O=Grid/O=NorduGrid/OU=ndgf.org/CN=Gerd Behrmann" behrmann Username DN/Kerberos Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 12

  13. map:krb5 ● Kerberos Username Kerberos Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 13

  14. map:gridmap ● GridMap gplazma.gridmap.file [/etc/grid-security/grid-mapfile] "/O=GermanGrid/OU=DESY/CN=Tigran Mkrtchyan" tigran Username DN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 14

  15. map:vorolemap ● VoRolemap gplazma.vorolemap.file [/etc/grid-security/grid-vorolemap] "/O=GermanGrid/OU=DESY/CN=Tigran Mkrtchyan" "/dteam" tigran Username DN+FQAN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 15

  16. map:nsswitch ● NSSwitch /etc/nsswitch.conf UID+GID Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 16

  17. map:nis ● NIS gplazma.nis.server [niserv.domain.com] gplazma.nis.domain [domain.com] UID+GID Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 17

  18. map:authzdb ● AuthzDB gplazma.authzdb.file [/etc/grid-security/storage-authzdb] authorize behrmann read-write 1000 1000 / /data/ /data/ UID+GID Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 18

  19. map:gplazma1 ● gPlazma1 gplazma.legacy.config [/etc/dcache/dcachesrm-gplazma.policy] More gPlazma1 gPlazma1 supported User information user information Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 19

  20. Step 3: Account Is the account currently banned? ● Check if we have any reason not to allow the user to access our system ● Plugins: ● KPWD: dCache's file based solution ● Argus: a hierarchical centralized authentication and authorization service Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 20

  21. account:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] passwd behrmann # read-write 1000 1000 / / Banned? Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 21

  22. account:argus ● Argus gplazma.argus.hostcert [/etc/grid-security/hostcert.pem] gplazma.argus.hostkey [/etc/grid-security/hostkey.pem] gplazma.argus.ca [/etc/grid-security/certificates] gplazma.argus.endpoint [https://localhost:8154/authz] Banned? DN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 22

  23. Step 4: Session What is the user allowed to access? ● Use the local name to assign home and root directory. ● Plugins: ● KPWD: dCache's file based solution ● NIS: Network Information System ● NSSwitch: Name Service Switch ● AuthzDB: Local file based solution ● gPlazma1: Use old gPlazma as plugin Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 23

  24. session:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] login behrmann read-write 1000 1000 /home /root / /O=Grid/O=NorduGrid/OU=ndgf.org/CN=Gerd Behrmann behrmann@ndgf.org passwd behrmann aec59c36 read-write 1000 1000 / / Home+Root+RO/RW Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 24

  25. session:nis ● NIS gplazma.nis.server [niserv.domain.com] gplazma.nis.domain [domain.com] Home+Root Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 25

  26. session:nsswitch ● NSSwitch /etc/nsswitch.conf Home+Root UID+GID Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 26

  27. session:authzdb ● AuthzDB gplazma.authzdb.file [/etc/grid-security/storage-authzdb] authorize behrmann read-write 1000 1000 / /data/ /data / Home+Root+RW/RO Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 27

  28. session:gplazma1 ● gPlazma1 gplazma.legacy.config [/etc/dcache/dcachesrm-gplazma.policy] Home+Root+RW/RO More gPlazma1 user information Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 28

  29. Moving from v1 to v2 Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 29

  30. → v1 v2 plugins gPlazma v1 gPlazma v2 plugins, for each phases plugin Auth Map Account Session kpwd opt: x509, suf: kpwd req: kpwd suf: kpwd opt: kpwd grid-mapfile opt: x509 opt: gridmap, req: gridmap suf: authzdb suf: authzdb gplazmalite- opt: x509, opt: vorolemap, req: vorolemap suf: authzdb vorole-mapping opt: voms suf: authzdb xacml-vo- opt: xacml suf: authzdb req: authzdb suf: authzdb mapping Key: opt = optional, suf = sufficient, req = requisite Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 30

  31. → v1 v2: example ● Top part of gPlazma v1 config file Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 31

  32. → v1 v2: example ● Ignore plugins that are switched off Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 32

  33. → v1 v2: example ● Consider the remaining plugins in their execution order Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 33

  34. ● Use table to build initial gPlazma2 configuration Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 34

  35. → v1 v2: example ● Notice that there are some duplicates Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 35

  36. → v1 v2: example ● Adjust configuration to remove duplication Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 36

  37. Commercials Argus Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 37

  38. Introducing Argus ● Centralized Policies Policy Administration ● Hierarchical Distribution poll ● Authentication Policy Decision ● Authorization request Policy Enforcement subject,action resource Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 38

  39. Commercials End See now: The standard case feat. Argus Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache Team Contents Join the CMS XrootD Federation (AAA) Join the Atlas XrootD Federation (FAX) Install the Atlas Pool Monitoring Plugin Use the

645 views • 60 slides
Getting started with agile developement using the Atlassian Suite at DESY Jrgen Starek and

Getting started with agile developement using the Atlassian Suite at DESY Jrgen Starek and

. . . . . . Getting started with agile developement using the Atlassian Suite at DESY Jrgen Starek and Karsten Schwank November 25, 2014 Jrgen Starek and Karsten Schwank Agile Development with JIRA@DESY . . . . . . . Jrgen

951 views • 69 slides
13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day

13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day

13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa Abstract I'm going to talk about how I use these plugins to be able to write code effectively as a professional

362 views • 25 slides
Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration management Configuration management Field of management that focuses on establishing and maintaining consistency of a systems attributes

647 views • 6 slides
Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration Local configuration Editing of Configuration Data (1) Keyhole approaches (2) Greenfield approaches (3) Templating Missing pieces Handle

831 views • 61 slides
xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow

xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow

xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow extension of behaviour Authentication plugins Authorisation / name-space mapping See Gerd's talk Xrootd news | Paul Millar | 2012-04-18 |

522 views • 6 slides
Motivation It may involve Minor changes in the main source Requires static linking We

Motivation It may involve Minor changes in the main source Requires static linking We

1 July 2012 Plugins: Outline 1/61 Outline Workshop on Essential Abstractions in GCC GCC Control Flow and Plugins Motivation GCC Resource Center Plugins in GCC (www.cse.iitb.ac.in/grc) GCC Control Flow Department of Computer

639 views • 24 slides
Why SCons is not slow ./agg/src/agg_curves.o ./bindings/python/mapnik_line_pattern_symbolizer

Why SCons is not slow ./agg/src/agg_curves.o ./bindings/python/mapnik_line_pattern_symbolizer

./plugins/input/raster/raster_info.os ./plugins/input/raster/raster_datasource.os ./src/font_engine_freetype.os ./plugins/input/raster/raster .input ./src/point_symbolizer .os ./src/scale_denominator .os ./src/envelope.os

888 views • 40 slides
A Month of WordPress Plugins 2007 Ask and You May

A Month of WordPress Plugins 2007 Ask and You May

WordPress Plugins Lorelle VanFossen File Gallery WordPress Plugin A Month of WordPress Plugins 2007 Ask and You May Change WordPress Open Camp

542 views • 32 slides
Developing Protg Plugins Ray Fergerson Stanford Overview What is a Plugin? How

Developing Protg Plugins Ray Fergerson Stanford Overview What is a Plugin? How

Developing Protg Plugins Ray Fergerson Stanford Overview What is a Plugin? How Plugins work Plugin Types and Capabilities Development Tips Packaging Bundling Coming Changes Out of Scope Standard Java

445 views • 26 slides
Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top

Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top

Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top WordPress Plugins The WordPress Plugin Directory contains nearly 25,000 plugins (as of 5/18/13) Thursday, May 23, 13 Top WordPress Plugins

505 views • 25 slides
GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM attack history GSM attack vectors Attacking GSMs A 5/1 encryption Risk scenario: GSM payment GSM is global, omnipresent and wants to

600 views • 46 slides
radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file input/output access wrapped with plugins: Posix IO W32 IO Remote TCP IO EWF (Encase disk images) Debugger Haret ... Hexadecimal

695 views • 12 slides
Measuring sin 2 2 13 with Reactor Antineutrinos - Proposals with US Involvement - Karsten

Measuring sin 2 2 13 with Reactor Antineutrinos - Proposals with US Involvement - Karsten

Measuring sin 2 2 13 with Reactor Antineutrinos - Proposals with US Involvement - Karsten Heeger Lawrence Berkeley National Laboratory Karsten Heeger US-Japan Seminar, September 17, 2005 Understanding Neutrino Mixing Atmospheric Solar

706 views • 34 slides
EPiServer och Configuration Management EPiServer och Configuration Management Configuration

EPiServer och Configuration Management EPiServer och Configuration Management Configuration

EPiServer och Configuration Management EPiServer och Configuration Management Configuration Management in general Tools we use SCM Structure of folder and project Web.config Tips about Project Files and Assembly references 2 CM Tools used

347 views • 20 slides
Extending Rails: Understanding and Building Plugins Clinton R. Nixon Welcome! Welcoming robin

Extending Rails: Understanding and Building Plugins Clinton R. Nixon Welcome! Welcoming robin

Extending Rails: Understanding and Building Plugins Clinton R. Nixon Welcome! Welcoming robin by Ian-S (http://flickr.com/photos/ian-s/2301022466/) What are we going to talk about? The short How plugins work with Ruby on Rails

980 views • 83 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019 Agenda Why S4U2Self is important for Samba. How does it work in local and cross realm.

84 views • 6 slides
Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity

Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity

Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat jpazdziora@redhat.com 15 th October 2014 Identity Users; user groups. Hosts; host groups; services. Identities

700 views • 18 slides
Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption

490 views • 33 slides
Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based

Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based

Winter 2011 Josh Benaloh Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based protocols) Introduction Kerberos SSL/TLS Certificates and Public Key Infrastructure (PKI) Certificates

1.81k views • 135 slides
SciTokens and Credential Management Zach Miller zmiller@cs.wisc.edu Jason Patton

SciTokens and Credential Management Zach Miller zmiller@cs.wisc.edu Jason Patton

SciTokens and Credential Management Zach Miller zmiller@cs.wisc.edu Jason Patton jpatton@cs.wisc.edu HTCondor Week 2019 This material is based upon work supported by the National Science Foundation under Grant No. 1738962. Any opinions,

890 views • 39 slides

More recommend