acceptance due to the simple model for defining the roles specific to a
particular VO and how they can be used and enforced. Sites themselves are
responsible for configuring their resources to use these roles. With VOMS,
this is implemented with tools such as the Local Centre Authorization
Service (LCAS) and the Local Credential Mapping Service (LCMAPS) [14],
which map the user's role information onto group identities (gid), user
identities (uid), and the associated local pool accounts established on the
local cluster for that particular VO. Refinements can be made to this model
to allow more local control over the use of resources, for example applying
file store limits to a particular VO. We note that this local enforcement is
not explicitly defined within the VO policy (given by the definition of the
roles in the VOMS server). Rather, it is left to local administrators to
decide how the particular roles and privileges associated with that VO should
be interpreted when the resource is accessed.
VOMS offers tools that allow users to generate local proxy credentials
based on the contents of the VOMS database and embed these within
X.509 proxy credentials. Such a credential includes the basic authentication
information that a standard grid proxy credential contains, together with
the role and capability information issued by the VOMS server. One of the
benefits of VOMS is that grid applications that are not VOMS-aware can still
use the credential as an ordinary proxy, ignoring the VOMS data. VOMS-aware
applications, in turn, can use the proxy's identity for authentication and the
VOMS attributes for authorization decisions regarding user requests. Given
the background and history of VOMS, the focus of authorization has primarily
been at the level of mappings to local groups and accounts on clusters, but
it is quite possible to use VOMS credentials to make finer-grained access
control decisions, as we shall see in the case studies. One way in which such
finer-grained access control can be supported is through the Privilege and
Role Management Infrastructure Standards Validation (PERMIS) technology
[15,16].
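As an added example (not code from the original text, nor from VOMS, LCAS or LCMAPS), the following Python shows the two consumers of a VOMS credential described above: a site mapping the user's primary FQAN to a local account and group in the style of an LCMAPS mapfile, leasing pool accounts per user DN, and a VOMS-aware application using any held FQAN for a finer-grained per-operation decision. The FQAN syntax and the `NULL` placeholder for an absent role or capability are VOMS's own; the three-column mapfile format and its first-match, subgroup-inclusive semantics, the pool-slot names, the operation policy and the sample credentials are assumptions constructed for this example.

```python
"""Added example: site-side use of VOMS FQANs, an LCMAPS-style mapping to a local
account and group plus a finer-grained per-operation check (formats are assumed)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class FQAN:  # VOMS fully qualified attribute name: /VO[/subgroup]*[/Role=r][/Capability=c]
    group: str  # full group path, e.g. "/atlas/production"
    role: Optional[str] = None
    capability: Optional[str] = None

def parse_fqan(text: str) -> FQAN:
    """Parse an FQAN as voms-proxy-info prints it; VOMS prints absent attributes as NULL."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups: List[str] = []
    role = cap = None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif not part or "=" in part or role is not None or cap is not None:
            raise ValueError(f"malformed FQAN component {part!r} in {text!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError(f"FQAN names no VO or group: {text!r}")
    return FQAN("/" + "/".join(groups), None if role == "NULL" else role, None if cap == "NULL" else cap)

def fqan_matches(pattern: FQAN, held: FQAN) -> bool:
    """Assumed semantics: a pattern covers its group and all subgroups; a Role in the
    pattern must be held exactly, while a pattern without Role matches any role."""
    in_group = held.group == pattern.group or held.group.startswith(pattern.group + "/")
    return in_group and (pattern.role is None or pattern.role == held.role)

def parse_mapfile(text: str) -> List[Tuple[FQAN, str, str]]:
    """Assumed format: "<FQAN pattern>" <account> <group>, first match wins, '#' comments."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if fields and len(fields) != 3:
            raise ValueError(f"bad mapfile line: {line!r}")
        if fields:
            entries.append((parse_fqan(fields[0]), fields[1], fields[2]))
    return entries

class LocalMapper:  # an account starting with '.' names a pool; one slot per (DN, pool)
    def __init__(self, mapfile: str, pool_size: int = 3):
        self.entries = parse_mapfile(mapfile)
        self.pool_size = pool_size
        self.leases: Dict[Tuple[str, str], str] = {}  # (DN, pool) -> slot name

    def _lease(self, dn: str, pool: str) -> str:
        if (dn, pool) not in self.leases:
            used = set(self.leases.values())
            free = [s for s in (f"{pool}{i:03d}" for i in range(1, self.pool_size + 1))
                    if s not in used]
            if not free:  # never share a slot between two DNs: refuse instead
                raise RuntimeError(f"pool '{pool}' exhausted")
            self.leases[(dn, pool)] = free[0]
        return self.leases[(dn, pool)]

    def map_user(self, dn: str, fqans: List[str]) -> Tuple[str, str]:
        primary = parse_fqan(fqans[0])  # VOMS lists the primary FQAN first
        hit = next(((a, g) for p, a, g in self.entries if fqan_matches(p, primary)), None)
        if hit is None:
            raise PermissionError(f"no local mapping for {fqans[0]}")
        account, group = hit
        if account.startswith("."):
            account = self._lease(dn, account[1:])
        return account, group

# Assumed site policy for VOMS-aware decisions: any held FQAN (not only the primary) may satisfy it.
OPERATION_POLICY = {"submit_job": ["/atlas", "/cms"],
                    "write_shared_area": ["/atlas/Role=production"]}

def authorize(operation: str, fqans: List[str]) -> bool:
    required = OPERATION_POLICY.get(operation)
    if required is None:
        return False  # unknown operation: deny by default
    held = [parse_fqan(f) for f in fqans]
    return any(fqan_matches(parse_fqan(p), h) for p in required for h in held)

# Constructed mapfile and credentials (FQANs as voms-proxy-info --fqan prints them).
MAPFILE = """
"/atlas/Role=production"  atlasprd  atlasprd
"/atlas"                  .atlas    atlas
"/cms"                    .cms      cms
"""
ALICE = ("/DC=org/DC=example/CN=Alice", ["/atlas/Role=production/Capability=NULL", "/atlas/Role=NULL/Capability=NULL"])
BOB = ("/DC=org/DC=example/CN=Bob", ["/atlas/Role=NULL/Capability=NULL"])

def demo() -> dict:
    mapper = LocalMapper(MAPFILE, pool_size=2)
    return {"alice": mapper.map_user(*ALICE),  # ("atlasprd", "atlasprd")
            "bob": mapper.map_user(*BOB),  # ("atlas001", "atlas")
            "bob_again": mapper.map_user(*BOB),  # same lease reused
            "bob_writes": authorize("write_shared_area", BOB[1]),  # False
            "alice_writes": authorize("write_shared_area", ALICE[1])}  # True
```

`demo()` maps Alice, whose primary FQAN carries the production role, to the dedicated `atlasprd` account, maps Bob to a leased pool slot and returns the same slot on his second request, and `LocalMapper` refuses a mapping rather than sharing a slot when the pool is exhausted. The subgroup match deliberately compares against `pattern.group + "/"` so that `/atlas` does not accidentally cover an unrelated VO such as `/atlasprd`, and `authorize` denies any operation the policy does not name.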
12.3.4 Privilege and Role Management Infrastructure Standards Validation
The PERMIS project (www.openpermis.org) was an EC project that built a
scalable privilege management infrastructure based on X.509 attribute
certificates (ACs). Through PERMIS, an alternative and more scalable
approach to centrally allocated X.509 public key certificates can be
achieved through the issuance of locally allocated X.509 ACs.
The PERMIS software realizes an RBAC authorization infrastructure. It
offers standards-based APIs that allow developers of resource gateways
(gatekeepers) to enquire whether a particular access to a resource should
be allowed. The PERMIS RBAC system uses XML-based policies defining the
rules that specify which access control decisions are to be made for given
VO resources. These rules include definitions of subjects that can be