Fwd: RE: [security-wg] Re: SlashGrid

Robert Olson olson at mcs.anl.gov
Thu Oct 10 07:23:41 CDT 2002


more on SlashGrid, he's using attribute certs for fine-grain access control, 
looks like (Markus is a good guy, talked to him at the last GGF).

--bob

>From: "Markus Lorch" <mlorch at vt.edu>
>To: "Matt Crawford" <crawdad+gridsec at fnal.gov>,
>         "Andrew McNab" <mcnab at hep.man.ac.uk>
>Cc: <security-wg at gridforum.org>
>Subject: RE: [security-wg] Re: SlashGrid
>Date: Wed, 9 Oct 2002 23:59:02 -0400
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>Importance: Normal
>X-Spam-Status: No, hits=-4.4 required=5.0 tests=IN_REP_TO version=2.21
>X-Spam-Level:
>Sender: owner-security-wg at gridforum.org
>
> >
> > Well, I'd like to see a "read /afs/fnal.gov/.../crawdad/foo.ps"
> > credential I can forward to the print service, and a "create files in
> > /afs/fnal.gov/.../crawdad/job-output/" I can give to the batch system.
>
>Well that is a prototype I can offer. I use attribute certificates that
>contain simple privilege statements such as
>
>FilePermission://zuni.cs.vt.edu/opt/grid/mydata,read,write
>
>or e.g.
>
>AccessPermission://zuni.cs.vt.edu/
>
>these statements are bound to either the end identity in the user pkc
>or to a proxy certificate.
>
> >
> > But either the credential needs to be qualified with an "as AFS user
> > crawdad at fnal.gov" so the ACL can be consulted when the credential is
> > used, or the file server has to make sure the ACL hasn't changed
> > since the credential was issued, in which case it could become an
> > anonymous credential.
>
>I set and reset ACL values based on the permissions specified in the
>attribute certs, thus I make sure that only the permissions are active that
>are either
>(1) statically configured into the OS or ACLs, or
>(2) supplied with the request
>
>If no statically configured privileges are used this scheme allows us to use
>grid resources without having static user accounts (a generic account is
>allocated upon presentation of an "AccessPermission" privilege, then all
>other (file) privileges are applied; after the request has been served the
>generic account is returned into a restricted state and released).
>
>I use POSIX ACLs to enforce the fine-grain file rights. Enforcement of such
>FilePrivileges works on Linux and IRIX without any additional trusted software
>components (AIX and Solaris also have POSIX ACLs, but I haven't gotten around
>to porting my library to their system calls, mainly because I have neither an
>AIX nor a Solaris machine at the moment).

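The privilege statements and the set/reset of POSIX ACLs described in the quoted message, as an added example that is not Markus Lorch's library or any code from this thread. The statement grammar is inferred from the two examples in the mail; the host name `zuni.cs.vt.edu` is from the mail, while the pool account name `grid0001`, the `..` path check, and the exact `setfacl` invocations are assumptions. The session object emits the commands that make exactly the supplied FilePermissions active for the generic account and the commands that take them away again when the request has been served, and it ignores statements naming another host:

```python
"""Turn attribute-certificate privilege statements into POSIX ACL operations
for a generic (pool) account, and undo them on release.

Added example, not the library described in the mail.  Grammar assumed from
the two statements quoted there:
    FilePermission://<host><path>,<right>[,<right>...]
    AccessPermission://<host>/
"""
import re
import shlex
from dataclasses import dataclass

_STMT = re.compile(r"^(FilePermission|AccessPermission)://([^/,]+)(/[^,]*)(?:,(.+))?$")

# Rights accepted in a FilePermission, in POSIX ACL 'rwx' order.
_RIGHTS = {"read": "r", "write": "w", "execute": "x"}


@dataclass(frozen=True)
class Privilege:
    kind: str          # "FilePermission" or "AccessPermission"
    host: str
    path: str
    rights: frozenset  # subset of _RIGHTS keys; empty for AccessPermission


def parse_privilege(stmt: str) -> Privilege:
    """Parse one statement.  Anything outside the grammar is rejected, so a
    malformed attribute can never be read as a wider grant than intended."""
    m = _STMT.match(stmt.strip())
    if not m:
        raise ValueError(f"malformed privilege statement: {stmt!r}")
    kind, host, path, rights = m.groups()
    if kind == "AccessPermission":
        if path != "/" or rights:
            raise ValueError(f"AccessPermission takes no path or rights: {stmt!r}")
        return Privilege(kind, host.lower(), "/", frozenset())
    if not rights:
        raise ValueError(f"FilePermission needs at least one right: {stmt!r}")
    words = frozenset(w.strip() for w in rights.split(","))
    unknown = words - set(_RIGHTS)
    if unknown:
        raise ValueError(f"unknown right(s) {sorted(unknown)} in {stmt!r}")
    if ".." in path.split("/"):          # assumption: refuse traversal components
        raise ValueError(f"path traversal in {stmt!r}")
    return Privilege(kind, host.lower(), path, words)


def acl_spec(rights) -> str:
    """'rw-'-style triple for setfacl, '-' in positions not granted."""
    return "".join(letter if word in rights else "-" for word, letter in _RIGHTS.items())


class PoolAccountSession:
    """One request served under a generic account on one resource host.

    grant() returns the setfacl commands that activate exactly the supplied
    FilePermissions for this host; release() returns the commands that remove
    them, so nothing supplied with the request outlives it."""

    def __init__(self, local_host: str, account: str):
        self.local_host = local_host.lower()
        self.account = account
        self.granted = []  # paths whose ACLs were modified

    def grant(self, statements):
        privs = [parse_privilege(s) for s in statements]
        # Only statements naming this resource count: a certificate carrying
        # privileges for some other host grants nothing here.
        mine = [p for p in privs if p.host == self.local_host]
        if not any(p.kind == "AccessPermission" for p in mine):
            raise PermissionError(f"no AccessPermission for {self.local_host}")
        wanted = {}  # path -> union of rights from all statements on it
        for p in mine:
            if p.kind == "FilePermission":
                wanted.setdefault(p.path, set()).update(p.rights)
        cmds = [f"setfacl -m user:{self.account}:{acl_spec(r)} {shlex.quote(path)}"
                for path, r in wanted.items()]
        self.granted.extend(wanted)
        return cmds

    def release(self):
        """Drop the named-user entries again, returning the account to its
        restricted state before it is handed back to the pool."""
        cmds = [f"setfacl -x user:{self.account} {shlex.quote(p)}" for p in self.granted]
        self.granted = []
        return cmds


if __name__ == "__main__":
    session = PoolAccountSession("zuni.cs.vt.edu", "grid0001")
    for cmd in session.grant(["AccessPermission://zuni.cs.vt.edu/",
                              "FilePermission://zuni.cs.vt.edu/opt/grid/mydata,read,write"]):
        print(cmd)
    for cmd in session.release():
        print(cmd)
```

The commands are returned rather than executed so the logic can be checked without root; on a Linux filesystem with ACL support they would be run with `subprocess.run(shlex.split(cmd), check=True)`. Note that `setfacl -m` recalculates the ACL mask unless `-n` is given, so a pre-existing restrictive mask on the file does not silently cap the granted rights.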