GETTING ACCESS TO THE GRID

About This Presentation

Title:

Description:

Number of Views:32

Avg rating:3.0/5.0

Slides: 17

Provided by: adi101

Category:

Tags: access | getting | grid | the | impersonation

Transcript and Presenter's Notes

Title: GETTING ACCESS TO THE GRID

1
GETTING ACCESSTO THE GRID

ADINA RIPOSAN Applied Information
Technology Department of Computer Engineering
2

Authentication Authorization
In Grid environments, your host will become a
client in some cases, and a server in other
cases.
gt Therefore, your host might be required
to authenticate another host and
be authenticated by the host at the same time.
The mutual Authentication function of GSI
It proceeds with the Authentication steps, and
changes the direction of hosts and redoes the
procedure.
Briefly speaking
Authentication is the process of sharing public
keys securely with each other
Authorization is the process that MAPS your DN to
a local user/group of a remote host.

REMOTE DELEGATION
When you make a proxy to a remote machine, the
proxy's private key is on the remote machine
gt The super-user of that machine can access your
proxy's private key and conduct business under
your name.
This delegated credential can be vulnerable to
attacks.
In order to avoid this impersonation, it is
recommended that the proxy attain restricted
policies from its owner, as in the case with
GRAM, for example.
(The standardization of this proxy restriction
is now going on under GSI Working Group of Grid
Forum Security)
To distribute jobs to remote grid machines, and
Let them distribute their child jobs to other
machines under your security policy.
gt The DELEGATION function of GSI can be used.

9
Delegation procedure of users proxy
10

If you are on the side of host A,
gt you can create your proxy at host B
gt to delegate your authority
This proxy acts as yourself, and submits a
request to host C on your behalf.
The next steps
the procedure to create your proxy
(proxy creation) at a remote machine, and
the procedure to submit a request to the other
remote host on your behalf (proxy action)

Proxy creation
1. A trusted communication is created between
host A and host B.
2. You request host B to create a proxy that
delegates your authority.
3. Host B creates the request for your proxy
certificate, and send it back to host A.
4. Host A signs the request to create your proxy
certificate using your private key and sends it
back to host B.
5. Host A sends your certificate to host B.

Proxy action
1. Your proxy sends your certificate and the
certificate of your proxy to host C.
2. Host C gets your proxy's public key through
the path validation procedure
Host C gets your subject and your public key from
your certificate using CA's public key.
b. Host C gets the proxy's subject and your
proxy's public key from your proxy's certificate
using your public key.
c. The subject is a Distinguished Name similar to
"OGrid/OGlobus/OUitso.grid.com/CNyour name"
The subject of proxy certificate is similar to
its owner's (your) subject and is similar to
"OGrid/OGlobus/OUitso.grid.com/CNyour
name/CNproxy"

So in order to validate the proxy certificate,
Host C just has to check that the words that
eliminate the words "/CNproxy" from the proxy's
subject is just the same as your subject.
gt If it is validated, your proxy is
authenticated by host C and able to act on your
behalf.
3. The proxy encrypts a request message using its
private key and sends it to Host C.
4. Host C decrypts the encrypted message using
the proxy's public key and gets the request.
5. Host C runs the request under the authority of
a local user.
The user is specified using a mapping file, which
represents the mapping between the grid users
(subject) and local users (local user name).