Authorization Howto (VO document)

!!!DRAFT!!!!

Description of the NorduGrid Virtual Organization


The NorduGrid Virtual Organization (VO) is the user and service management system for the NorduGrid Testbed. The VO consists of the user and service database
and a set of tools for database and grid-mapfile management. In particular, NorduGrid users gain access to the NorduGrid resources by being added to the
NorduGrid VO.

Grid authentication and authorization

In a Grid environment, users usually do not have login accounts with passwords on the computing resources they want to use; instead they hold a certificate
issued by a Certificate Authority. This certificate authenticates them to the resources. Authentication, however, does not by itself grant access to a resource.
Access control for the computing resources (authorization) is a matter of local policy; in the Grid environment it is implemented by mapping the accepted set of
user certificates (identified by their subject names) to local user accounts.

NorduGrid VO: purposes and organization

The NorduGrid VO maintains the list of accepted users who are authorized to use the NorduGrid resources. The VO tools provide an automatic method for NorduGrid
sites to maintain the mappings from NorduGrid VO users to local Unix accounts. This automatic mapping does not violate site autonomy: site administrators retain
full control over their systems, since the site's nordugridmap configuration file lets them deny access to any Grid user in the NorduGrid VO they consider unreliable.

The VO is intended to maintain not only the user data but also all services running on the NorduGrid that require secure authentication and authorization, i.e.
that possess certificates of their own. The database will be used to generate grid-mapfiles for these Grid services too.

The database of the VO is maintained by the VO managers, whose responsibility is to add, delete or modify user entries. The NorduGrid VO supports the creation of
groups. Groups can be created or removed by the VO managers. A group is a subset of the NorduGrid VO and is maintained by an assigned group manager, who has
the right to select the members of the group out of the NorduGrid VO database. With user groups, site administrators can implement group-based mappings (all
members of a certain group are mapped to the same local Unix user) in addition to the default user-based mappings.

The authentication and authorization of the database managers is done through their certificates. This means that access rights to the database are granted at
the level of the personal certificate, i.e. the managers do not have to remember and type account names and passwords; they only need to present their
certificate to the VO server in order to modify data. This certificate-based access control also eliminates the possibility of password sharing: only the holder of
the right certificate (and its private key) is able to commit modifications to the database.

Technical implementation of the VO

The VO database is stored in an LDAP server. We are running an OpenLDAP server modified to support GSI (Grid Security Infrastructure). The built-in GSI-GSSAPI SASL
mechanism of the OpenLDAP server provides entry- and attribute-level access control based on the Grid certificates. The database managers, authenticated
through their certificates, use the OpenLDAP command line tools to add, delete or modify entries in the VO. The NorduGrid sites periodically run the
nordugridmap utility, which queries the VO LDAP server and automatically creates/updates the local user mappings according to the local site policy (defined in the
site's nordugridmap.conf configuration file). All the relevant software can be downloaded from the NorduGrid software repository.

Credits

The NorduGrid VO has been implemented using Open Source software components. The database is managed by an OpenLDAP server, which makes use of the
Grid Security Infrastructure layer developed by the Globus Project (TM). The web interface for browsing the VO is powered by LDAPExplorer. The nordugridmap
utility which generates the grid-mapfile is a modified version of the mkgridmap (v 1.6) Perl script written by the EU DataGrid authorization team.




This page contains the LDAP commands which should be used by the VO managers in order to maintain a consistent
user database of the NorduGrid Virtual Organization.

Operational steps:

     1. Download and modify the appropriate .ldif template according to your needs
     2. Use your grid certificate to obtain a valid proxy:
	$ grid-proxy-init
     3. Use one of the following LDAP commands to commit the changes to the VO database:
	add a new user to the VO:
	      $ ldapadd -h grid-vo.nordugrid.org -Y GSI-GSSAPI -f user.ldif
	add a new service to the VO:
	      $ ldapadd -h grid-vo.nordugrid.org -Y GSI-GSSAPI -f service.ldif
	remove a user/service from the VO:
	      $ ldapdelete -h grid-vo.nordugrid.org -Y GSI-GSSAPI "cn=username,ou=People,o=NorduGrid"
	      $ ldapdelete -h grid-vo.nordugrid.org -Y GSI-GSSAPI "cn=service/hostname:port,ou=service,o=NorduGrid"
	add/remove members to/from an existing group (modify the group):
	      $ ldapmodify -h grid-vo.nordugrid.org -Y GSI-GSSAPI -f group.ldif

Useful remarks:

 The modifications made by the managers (who and when) can be checked by querying the operational attributes the server keeps for every entry:
 $ ldapsearch -h grid-vo.nordugrid.org -x createTimestamp creatorsName modifyTimestamp modifiersName
 Be very precise when filling out the .ldif templates: extra spaces, tabs or line breaks (non-printing characters) in a value make the LDAP tools base64-encode
 it, so instead of "Mds-validfrom: 111111111111Z" you will add "Mds-validfrom:: MTExMTExMTExMTExWiA=" (the same value with a trailing space) to the database,
 which is unreadable to humans and is not the value you intended.
 In case of emergency, consult the man pages of ldapadd, ldapdelete, ldapmodify and ldapsearch :)
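The base64 surprise described in the remark above, as an added Python example (not part of this page or of the NorduGrid tools): it reproduces the rule OpenLDAP's LDIF writer applies when it decides whether a value can be written as "attr: value" (RFC 2849 SAFE-STRING plus trailing-space and non-printable checks; the exact rule is an assumption), and it lints a filled-in template before it is fed to ldapadd. The sample entry, its attribute names other than Mds-validfrom and the DN are constructed.

```python
import base64


def ldif_base64_reason(value: str):
    """Why a value cannot be written as a plain 'attr: value' line, or None if it can.
    Approximates the OpenLDAP LDIF writer's rule (an assumption): a value that starts
    with whitespace, ':' or '<', ends with whitespace, or contains a non-printable or
    non-ASCII character is emitted base64-encoded as 'attr:: ...'."""
    if not value:
        return None
    if value[0].isspace() or value[0] in ":<":
        return "leading whitespace, ':' or '<'"
    if value[-1].isspace():
        return "trailing whitespace"
    if any(not 32 <= ord(ch) < 127 for ch in value):
        return "non-printable or non-ASCII character"
    return None


def ldif_attr_line(attr: str, value: str) -> str:
    """Render one attribute the way the LDAP tools will echo it back from the server."""
    if ldif_base64_reason(value) is None:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def lint_ldif(text: str):
    """Scan a filled-in .ldif and return (line number, attribute, reason) for every
    value that would end up base64-encoded in the database."""
    findings = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if not line or line[0] in "# ":
            continue  # blank, comment, or continuation of the previous value
        attr, sep, rest = line.partition(":")
        if not sep or rest.startswith((":", "<")):
            continue  # '::' is already base64 and ':<' is a URL; neither is a plain value
        value = rest.lstrip(" ")  # RFC 2849: spaces right after the colon are filler, not value
        reason = ldif_base64_reason(value)
        if reason:
            findings.append((lineno, attr, reason))
    return findings


# Constructed template fill-in (not a real VO entry): line 3 carries the trailing space
# the remark warns about, line 4 was "filled in" with a tab after the colon.
SAMPLE_LDIF = (
    "dn: cn=jdoe,ou=People,o=NorduGrid\n"
    "cn: jdoe\n"
    "Mds-validfrom: 111111111111Z \n"
    "description:\tfilled in with a tab\n"
    "mail: jdoe@example.org\n"
)

if __name__ == "__main__":
    print(ldif_attr_line("Mds-validfrom", "111111111111Z "))  # -> Mds-validfrom:: MTExMTExMTExMTExWiA=
    for lineno, attr, reason in lint_ldif(SAMPLE_LDIF):
        print(f"line {lineno}: {attr} would be base64-encoded ({reason})")
```

Run lint_ldif over the template before ldapadd and fix every reported line by hand; stripping whitespace automatically is not done here because a value that legitimately needs a leading or trailing space must be base64-encoded on purpose, and the tool cannot tell the two cases apart.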






Below needs to be edited 
-------------------------------------------------------------------------------
B<nordugridmap> is run by NorduGrid sites (usually as a crontab entry)
in order to automatically generate their grid-mapfile by accepting
users from the NorduGrid VO ldap server and from the Datagrid VO ldap user groups.
For further information please refer to the Authorization document.

The script first parses a local grid-mapfile, then adds all the user
entries from the NorduGrid VO, and finally processes the users taken from
the Datagrid VO groups.
Entry duplication is checked and avoided, so an entry already taken from
the local grid-mapfile is not overwritten by the VO data.
The generated grid-mapfile is written to the file specified in the configuration file
(default is /etc/grid-security/grid-mapfile).
 
The configuration file F<mkgridmap.conf> (installed as nordugridmap.conf on NorduGrid sites) understands the following keywords:

=over 4

=item  gmf <the_grid_mapfile_to_be_generated>

=item  gmf_local <the_local_grid_mapfile>

=item  all_nordugrid_user <yes/no, whether all the NorduGrid VO users get mapped automatically>

=item  group <URL_of_the_ldap_group> <local_user_mapping>

=item  allow  <pattern_to_match>

=item  deny  <pattern_to_match>

=item  default_lcluser <the_default_local_mapping>


=back


This is an example  F<mkgridmap.conf>:

      ### GRID-MAPFILE
      gmf /etc/grid-security/grid-mapfile
      
      ### GRID-MAPFILE-LOCAL
      gmf_local /etc/grid-security/local-grid-mapfile
      
      ### Allow all the users from the NorduGrid VO, the default is yes
      all_nordugrid_user yes
      
      ### Groups from Virtual Organizations and Their (optional) User Mappings
      group ldap://grid-vo.nordugrid.org/ou=testbed1,dc=nordugrid,dc=org  vikings
      group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org  alice
      group ldap://grid-vo.nikhef.nl:389/o=cms,dc=eu-datagrid,dc=org  cms
       
      ### deny|allow pattern_to_match
      #allow *dutchgrid*       
      #deny  *infn* 
     
      #### DEFAULT LOCAL USER
      default_lcluser gridtest

The users of the NorduGrid VO, unless otherwise specified in the
gmf_local file, are mapped to the default_lcluser.
The value of default_lcluser is also used in all cases where
no explicit user mapping is defined (for example a group entry
without a local user mapping).

Specify "default_lcluser ." or "default_lcluser .PREFIX"
(e.g. ".cms") to enable dynamic allocation of local usernames
from a pool of accounts (Andrew McNab's gridmapdir patch).

With B<gmf_local> you can specify an optional local grid-mapfile
where you keep your separately maintained static entries; these take
precedence over the mappings taken from the VO.
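The merge the configuration above drives, as an added example: a Python sketch (the real nordugridmap is a Perl script; this is not its code and not part of the page) of the documented order local grid-mapfile, then all VO users, then groups, with duplicate subjects resolved first-wins. The VO user list and group memberships are passed in as constructed data instead of being fetched over LDAP; treating allow/deny patterns as shell globs against the certificate subject, with deny winning, and leaving the site's own static entries unfiltered are assumptions, as are all DNs and account names below.

```python
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class MapConfig:
    gmf: str = "/etc/grid-security/grid-mapfile"
    gmf_local: str = None
    all_nordugrid_user: bool = True             # the page says the default is yes
    groups: list = field(default_factory=list)  # (ldap URL, local user or None), in file order
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    default_lcluser: str = None


def parse_conf(text: str) -> MapConfig:
    """Parse the keyword/value configuration shown on this page ('#' starts a comment)."""
    cfg = MapConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if not args:
            raise ValueError(f"{key} needs an argument")
        if key == "gmf":
            cfg.gmf = args[0]
        elif key == "gmf_local":
            cfg.gmf_local = args[0]
        elif key == "all_nordugrid_user":
            cfg.all_nordugrid_user = args[0].lower() == "yes"
        elif key == "group":
            cfg.groups.append((args[0], args[1] if len(args) > 1 else None))
        elif key == "allow":
            cfg.allow.append(args[0])
        elif key == "deny":
            cfg.deny.append(args[0])
        elif key == "default_lcluser":
            cfg.default_lcluser = args[0]
        else:
            raise ValueError(f"unknown keyword {key!r}")
    if cfg.default_lcluser is None:
        raise ValueError("default_lcluser must be set")
    return cfg


MAPLINE = re.compile(r'^"([^"]+)"\s+(\S+)$')  # grid-mapfile line: "<subject>" <local user>


def parse_mapfile(text: str):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPLINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def subject_permitted(subject: str, cfg: MapConfig) -> bool:
    """Assumed allow/deny semantics: shell globs matched case-sensitively against the
    subject; deny wins, and if any allow pattern exists the subject must match one."""
    if any(fnmatch.fnmatchcase(subject, p) for p in cfg.deny):
        return False
    return not cfg.allow or any(fnmatch.fnmatchcase(subject, p) for p in cfg.allow)


def build_mapfile(cfg: MapConfig, local_text: str, vo_users, group_members):
    """Documented order: local static entries, every VO user (if all_nordugrid_user),
    then each group.  First mapping seen for a subject wins, so a static entry is never
    overwritten and a VO user already on default_lcluser keeps it even if a later group
    lists them.  vo_users/group_members stand in for the real script's LDAP queries."""
    mapping = {}

    def add(subject, user, check_policy=True):
        if subject not in mapping and (not check_policy or subject_permitted(subject, cfg)):
            mapping[subject] = user

    for subject, user in parse_mapfile(local_text):
        add(subject, user, check_policy=False)  # assumption: site's own entries are not filtered
    if cfg.all_nordugrid_user:
        for subject in vo_users:
            add(subject, cfg.default_lcluser)
    for url, user in cfg.groups:
        for subject in group_members.get(url, []):
            add(subject, user or cfg.default_lcluser)  # no group mapping: fall back to default
    return list(mapping.items())


def render_mapfile(entries) -> str:
    """Text for cfg.gmf; a leading '.' in the account (e.g. '.cms') is passed through
    for the gridmapdir patch to allocate a pool account."""
    return "".join(f'"{subject}" {user}\n' for subject, user in entries)


# Constructed sample data: not real NorduGrid users, DNs, accounts or group contents.
SAMPLE_CONF = """\
all_nordugrid_user yes
group ldap://grid-vo.nordugrid.org/ou=testbed1,dc=nordugrid,dc=org  vikings
group ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org  alice
deny  *INFN*
default_lcluser gridtest
"""
LOCAL_MAPFILE = '"/O=Grid/O=NorduGrid/OU=uio.no/CN=Site Admin" admin\n'
VO_USERS = ["/O=Grid/O=NorduGrid/OU=uio.no/CN=Site Admin",
            "/O=Grid/O=NorduGrid/OU=nbi.dk/CN=Jane Doe",
            "/O=Grid/O=NorduGrid/OU=lu.se/CN=Ole Olsen"]
GROUP_MEMBERS = {
    "ldap://grid-vo.nordugrid.org/ou=testbed1,dc=nordugrid,dc=org":
        ["/O=Grid/O=NorduGrid/OU=lu.se/CN=Ole Olsen"],
    "ldap://grid-vo.nikhef.nl:389/o=alice,dc=eu-datagrid,dc=org":
        ["/C=IT/O=INFN/L=CNAF/CN=Mario Rossi", "/C=CH/O=CERN/CN=Alice User"],
}

if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    print(render_mapfile(build_mapfile(cfg, LOCAL_MAPFILE, VO_USERS, GROUP_MEMBERS)), end="")
```

With the sample data the site admin keeps the static "admin" mapping, Jane Doe and Ole Olsen get gridtest, Mario Rossi is dropped by the deny pattern and Alice User gets the alice group account. Note what the documented order implies for a site that wants group accounts for its own VO members: with all_nordugrid_user yes Ole Olsen is already mapped to gridtest when the vikings group is processed, so the group mapping only takes effect when all_nordugrid_user is set to no. A real run would write render_mapfile() output to cfg.gmf via a temporary file and rename, so the gatekeeper never reads a half-written grid-mapfile.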

List of changes (with respect to mkgridmap v1.6):

=over 4

=item - Users taken from the VO ldap database are checked for authentication before they get mapped.

=item - An extra search section is added, with direct processing of all the users of the NorduGrid VO ldap,
        in addition to the original group level search algorithm.

=item - The AUTO mapping function, which automatically generated local usernames from
        certificate subjects, has been removed.

=item - The generated grid-mapfile is now written to gmf
        (default value /etc/grid-security/grid-mapfile).

=back
       
------------------------
