gplazma2 plugins and configuration karsten schwank
play

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, - PowerPoint PPT Presentation

Jan 07, 2024 •156 likes •748 views

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics Plugins Migrating from v1 to v2 Introducing Argus Introducing Kerberos Examples The WLCG Case Using Kerberos and NIS

  1. gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012

  2. Overview ● Basics ● Plugins ● Migrating from v1 to v2 ● Introducing Argus ● Introducing Kerberos ● Examples ● The WLCG Case ● Using Kerberos and NIS ● Summary Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 2

  3. Basics Authorization with gPlazma2 is ● A 4 step process ● Authenticate – “Who are we talking to?” ● Map – “How does the authenticated user fit into our site?” ● Account – “Is the account currently banned?” ● Session – “What is the user allowed to access?” Configuration of gPlazma2 is ● Done via the file /etc/dcache/gplazma.conf Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 3

  4. Step 1: Authentication (auth) Who are we talking to? ● Pin “Principals” to the subject ● Plugins: ● KPWD – dCache's own file based mechanism ● VOMS – Virtual Organization Membership Service ● X509 – X.509 certificate extractor ● JAAS – Java Authentication and Authorization Service ● XACML – Use a XACML server (e.g., GUMS) ● gPlazma1 – Use old gPlazma Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 4

  5. auth:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] login behrmann read-write 1000 1000 /foo /bar / /O=Grid/O=NorduGrid/OU=ndgf.org/CN=Gerd Behrmann behrmann@ndgf.org passwd behrmann aec59c36 read-write 1000 1000 / / kpwd Principal Username+Password Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 5

  6. auth:x509 ● X.509 certificate extractor X.509 chain DN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 6

  7. auth:voms ● Virtual Organization Membership Service gplazma.vomsdir.ca [/etc/grid-security/certificates] gplazma.vomsdir.dir [/etc/grid-security/vomsdir] X.509 chain FQAN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 7

  8. auth:xacml ● XACML gplazma.xacml.client.type gplazma.xacml.service.url gplazma.vomsdir.dir [/etc/grid-security/certificates] gplazma.vomsdir.ca [/etc/grid-security/certificates] gplazma.voms.validate X.509 chain Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 8

  9. auth:jaas ● Java Authentication and Authorization Service gplazma.jaas.name Username+Password Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 9

  10. auth:gplazma1 ● Use gPlazma1 as a plugin gplazma.legacy.config [/etc/dcache/dcachesrm-gplazma.policy] gPlazma1 supported gPlazma1 supported User information credentials Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 10

  11. Step 2: Mapping (map) How does the authenticated user fit in our site? ● Use the “principals” from auth step to assign a local name to the subject ● Plugins: ● KPWD: dCache's file based solution ● KRB5: Kerberos ● NSSwitch: Username and Groupname ● NIS: Network Information System ● AuthzDB: Local file based solution ● GridMap: Local file based solution ● VoRoleMap: Local file based solution ● gPlazma1 Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 11

  12. map:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] mapping "/O=Grid/O=NorduGrid/OU=ndgf.org/CN=Gerd Behrmann" behrmann Username DN/Kerberos Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 12

  13. map:krb5 ● Kerberos Username Kerberos Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 13

  14. map:gridmap ● GridMap gplazma.gridmap.file [/etc/grid-security/grid-mapfile] "/O=GermanGrid/OU=DESY/CN=Tigran Mkrtchyan" tigran Username DN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 14

  15. map:vorolemap ● VoRolemap gplazma.vorolemap.file [/etc/grid-security/grid-vorolemap] "/O=GermanGrid/OU=DESY/CN=Tigran Mkrtchyan" "/dteam" tigran Username DN+FQAN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 15

  16. map:nsswitch ● NSSwitch /etc/nsswitch.conf UID+GID Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 16

  17. map:nis ● NIS gplazma.nis.server [niserv.domain.com] gplazma.nis.domain [domain.com] UID+GID Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 17

  18. map:authzdb ● AuthzDB gplazma.authzdb.file [/etc/grid-security/storage-authzdb] authorize behrmann read-write 1000 1000 / /data/ /data/ UID+GID Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 18

  19. map:gplazma1 ● gPlazma1 gplazma.legacy.config [/etc/dcache/dcachesrm-gplazma.policy] More gPlazma1 gPlazma1 supported User information user information Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 19

  20. Step 3: Account Is the account currently banned? ● Check if we have any reason not to allow the user to access our system ● Plugins: ● KPWD: dCache's file based solution ● Argus: a hierarchical centralized authentication and authorization service Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 20

  21. account:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] passwd behrmann # read-write 1000 1000 / / Banned? Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 21

  22. account:argus ● Argus gplazma.argus.hostcert [/etc/grid-security/hostcert.pem] gplazma.argus.hostkey [/etc/grid-security/hostkey.pem] gplazma.argus.ca [/etc/grid-security/certificates] gplazma.argus.endpoint [https://localhost:8154/authz] Banned? DN Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 22

  23. Step 4: Session What is the user allowed to access? ● Use the local name to assign home and root directory. ● Plugins: ● KPWD: dCache's file based solution ● NIS: Network Information System ● NSSwitch: Name Service Switch ● AuthzDB: Local file based solution ● gPlazma1: Use old gPlazma as plugin Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 23

  24. session:kpwd ● KPWD gplazma.kpwd.file [/etc/dcache/dcache.kpwd] login behrmann read-write 1000 1000 /home /root / /O=Grid/O=NorduGrid/OU=ndgf.org/CN=Gerd Behrmann behrmann@ndgf.org passwd behrmann aec59c36 read-write 1000 1000 / / Home+Root+RO/RW Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 24

  25. session:nis ● NIS gplazma.nis.server [niserv.domain.com] gplazma.nis.domain [domain.com] Home+Root Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 25

  26. session:nsswitch ● NSSwitch /etc/nsswitch.conf Home+Root UID+GID Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 26

  27. session:authzdb ● AuthzDB gplazma.authzdb.file [/etc/grid-security/storage-authzdb] authorize behrmann read-write 1000 1000 / /data/ /data / Home+Root+RW/RO Username Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 27

  28. session:gplazma1 ● gPlazma1 gplazma.legacy.config [/etc/dcache/dcachesrm-gplazma.policy] Home+Root+RW/RO More gPlazma1 user information Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 28

  29. Moving from v1 to v2 Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 29

  30. → v1 v2 plugins gPlazma v1 gPlazma v2 plugins, for each phases plugin Auth Map Account Session kpwd opt: x509, suf: kpwd req: kpwd suf: kpwd opt: kpwd grid-mapfile opt: x509 opt: gridmap, req: gridmap suf: authzdb suf: authzdb gplazmalite- opt: x509, opt: vorolemap, req: vorolemap suf: authzdb vorole-mapping opt: voms suf: authzdb xacml-vo- opt: xacml suf: authzdb req: authzdb suf: authzdb mapping Key: opt = optional, suf = sufficient, req = requisite Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 30

  31. → v1 v2: example ● Top part of gPlazma v1 config file Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 31

  32. → v1 v2: example ● Ignore plugins that are switched off Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 32

  33. → v1 v2: example ● Consider the remaining plugins in their execution order Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 33

  34. ● Use table to build initial gPlazma2 configuration Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 34

  35. → v1 v2: example ● Notice that there are some duplicates Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 35

  36. → v1 v2: example ● Adjust configuration to remove duplication Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 36

  37. Commercials Argus Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 37

  38. Introducing Argus ● Centralized Policies Policy Administration ● Hierarchical Distribution poll ● Authentication Policy Decision ● Authorization request Policy Enforcement subject,action resource Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 38

  39. Commercials End See now: The standard case feat. Argus Gplazma2: Plugins and Configuration | Karsten Schwank | 17.4.2012 | Page 40

Recommend

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache

How to join XrootD Federations with dCache Plugins Karsten Schwank Berlin, 27.5.2013 dCache Team Contents Join the CMS XrootD Federation (AAA) Join the Atlas XrootD Federation (FAX) Install the Atlas Pool Monitoring Plugin Use the

645 views • 60 slides
Getting started with agile developement using the Atlassian Suite at DESY Jrgen Starek and

Getting started with agile developement using the Atlassian Suite at DESY Jrgen Starek and

. . . . . . Getting started with agile developement using the Atlassian Suite at DESY Jrgen Starek and Karsten Schwank November 25, 2014 Jrgen Starek and Karsten Schwank Agile Development with JIRA@DESY . . . . . . . Jrgen

951 views • 69 slides
13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day

13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day

13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa Abstract I'm going to talk about how I use these plugins to be able to write code effectively as a professional

362 views • 25 slides
Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration management Configuration management Field of management that focuses on establishing and maintaining consistency of a systems attributes

647 views • 6 slides
Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration Local configuration Editing of Configuration Data (1) Keyhole approaches (2) Greenfield approaches (3) Templating Missing pieces Handle

831 views • 61 slides
xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow

xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow

xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow extension of behaviour Authentication plugins Authorisation / name-space mapping See Gerd's talk Xrootd news | Paul Millar | 2012-04-18 |

522 views • 6 slides
Motivation It may involve Minor changes in the main source Requires static linking We

Motivation It may involve Minor changes in the main source Requires static linking We

1 July 2012 Plugins: Outline 1/61 Outline Workshop on Essential Abstractions in GCC GCC Control Flow and Plugins Motivation GCC Resource Center Plugins in GCC (www.cse.iitb.ac.in/grc) GCC Control Flow Department of Computer

639 views • 24 slides
Why SCons is not slow ./agg/src/agg_curves.o ./bindings/python/mapnik_line_pattern_symbolizer

Why SCons is not slow ./agg/src/agg_curves.o ./bindings/python/mapnik_line_pattern_symbolizer

./plugins/input/raster/raster_info.os ./plugins/input/raster/raster_datasource.os ./src/font_engine_freetype.os ./plugins/input/raster/raster .input ./src/point_symbolizer .os ./src/scale_denominator .os ./src/envelope.os

888 views • 40 slides
A Month of WordPress Plugins 2007 Ask and You May

A Month of WordPress Plugins 2007 Ask and You May

WordPress Plugins Lorelle VanFossen File Gallery WordPress Plugin A Month of WordPress Plugins 2007 Ask and You May Change WordPress Open Camp

542 views • 32 slides
Developing Protg Plugins Ray Fergerson Stanford Overview What is a Plugin? How

Developing Protg Plugins Ray Fergerson Stanford Overview What is a Plugin? How

Developing Protg Plugins Ray Fergerson Stanford Overview What is a Plugin? How Plugins work Plugin Types and Capabilities Development Tips Packaging Bundling Coming Changes Out of Scope Standard Java

445 views • 26 slides
Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top

Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top

Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top WordPress Plugins The WordPress Plugin Directory contains nearly 25,000 plugins (as of 5/18/13) Thursday, May 23, 13 Top WordPress Plugins

505 views • 25 slides
GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM attack history GSM attack vectors Attacking GSMs A 5/1 encryption Risk scenario: GSM payment GSM is global, omnipresent and wants to

600 views • 46 slides
radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file input/output access wrapped with plugins: Posix IO W32 IO Remote TCP IO EWF (Encase disk images) Debugger Haret ... Hexadecimal

695 views • 12 slides
Measuring sin 2 2 13 with Reactor Antineutrinos - Proposals with US Involvement - Karsten

Measuring sin 2 2 13 with Reactor Antineutrinos - Proposals with US Involvement - Karsten

Measuring sin 2 2 13 with Reactor Antineutrinos - Proposals with US Involvement - Karsten Heeger Lawrence Berkeley National Laboratory Karsten Heeger US-Japan Seminar, September 17, 2005 Understanding Neutrino Mixing Atmospheric Solar

706 views • 34 slides
EPiServer och Configuration Management EPiServer och Configuration Management Configuration

EPiServer och Configuration Management EPiServer och Configuration Management Configuration

EPiServer och Configuration Management EPiServer och Configuration Management Configuration Management in general Tools we use SCM Structure of folder and project Web.config Tips about Project Files and Assembly references 2 CM Tools used

347 views • 20 slides
Extending Rails: Understanding and Building Plugins Clinton R. Nixon Welcome! Welcoming robin

Extending Rails: Understanding and Building Plugins Clinton R. Nixon Welcome! Welcoming robin

Extending Rails: Understanding and Building Plugins Clinton R. Nixon Welcome! Welcoming robin by Ian-S (http://flickr.com/photos/ian-s/2301022466/) What are we going to talk about? The short How plugins work with Ruby on Rails

980 views • 83 slides
10+ 15+ Successful Moodle Satisfied academics Projects clients 15+ 5+ Custom plugins Years

10+ 15+ Successful Moodle Satisfied academics Projects clients 15+ 5+ Custom plugins Years

Quick Facts 10+ 15+ Successful Moodle Satisfied academics Projects clients 15+ 5+ Custom plugins Years of moodle developed development experience Customers https://devlion.co/ Plugins overview Share With - local plugin Share Drive

987 views • 21 slides
Configuration Space II Sung-Eui Yoon ( ) Course URL:

Configuration Space II Sung-Eui Yoon ( ) Course URL:

Configuration Space II Sung-Eui Yoon ( ) Course URL: http://sglab.kaist.ac.kr/~sungeui/MPA Class Objectives Configuration space Definitions and examples Obstacles Paths Metrics 2 Configuration Space

618 views • 30 slides
Reduced Basis Methods Karsten Urban for (some particular) Ulm University (Germany) HJB

Reduced Basis Methods Karsten Urban for (some particular) Ulm University (Germany) HJB

Reduced Basis Methods Karsten Urban for (some particular) Ulm University (Germany) HJB equations Institute for Numerical Mathematics page 1/27 RBM for HJB | RICAM 2016 | Karsten Urban | Acknowledgements Acknowledgements joint work with

913 views • 90 slides
Build Powerful FrontEnd Workflows with PostCSS Guide to writing/generating cutting edge CSS Key

Build Powerful FrontEnd Workflows with PostCSS Guide to writing/generating cutting edge CSS Key

Build Powerful FrontEnd Workflows with PostCSS Guide to writing/generating cutting edge CSS Key TakeAways PostCSS - Deep Dive plugins you can use custom plugins Workflow Essential Concepts Plugins to help with tasks Drupal Theme Starter

1.17k views • 58 slides
Data Mining in Bioinformatics Day 6: Classification in Bioinformatics Karsten Borgwardt February

Data Mining in Bioinformatics Day 6: Classification in Bioinformatics Karsten Borgwardt February

Data Mining in Bioinformatics Day 6: Classification in Bioinformatics Karsten Borgwardt February 25 to March 10 Bioinformatics Group MPIs Tbingen Karsten Borgwardt: Data Mining in Bioinformatics, Page 1 Karsten M. Borgwardt Protein

574 views • 38 slides
Router Plugins (Formerly Crossbow) A Software Architecture for Next Generation Routers John

Router Plugins (Formerly Crossbow) A Software Architecture for Next Generation Routers John

Router Plugins (Formerly Crossbow) A Software Architecture for Next Generation Routers John DeHart jdd@arl.wustl.edu Washington January 9, 2001 Router Plugins (Crossbow) 1 WASHINGTON UNIVERSITY IN ST LOUIS Agenda 9:00 - 9:20

551 views • 13 slides
SUSE Cloud 8 CLM Overview Input Model and Configuration Processor Configuration Processing Flow

SUSE Cloud 8 CLM Overview Input Model and Configuration Processor Configuration Processing Flow

SUSE Cloud 8 CLM Overview Input Model and Configuration Processor Configuration Processing Flow Key Build Artifacts Ansible Playbooks Ardana release Configuration file templates Generated Customer Examples Service Edit Definitions

108 views • 10 slides
Configuration 2 What system configuration does zsim simulate? Type and number of cores,

Configuration 2 What system configuration does zsim simulate? Type and number of cores,

MICRO 2015 Waikiki, Hawaii 5 Dec 2015 ZS IM T UTORIAL Configuration and Stats Configuration 2 What system configuration does zsim simulate? Type and number of cores, caches, how different components are connected to each other.

560 views • 22 slides

More recommend