Speaker
Abhishek Singh RANA
(University of California, San Diego, CA, USA)
Description
We introduce gPLAZMA (grid-aware PLuggable AuthoriZation MAnagement) Architecture.
Our work is motivated by the need for fine-grained security (Role Based Access Control,
RBAC) in storage systems. It uses the VOMS extension of X.509 certificates, which
carries extra attributes (FQANs, Fully Qualified Attribute Names) in an attribute
certificate based on RFC 3281. Our implementation, the gPLAZMA module for dCache,
introduces Storage Authorization Callouts for SRM and GridFTP. It allows several
authorization mechanisms to be used simultaneously, fine-tuned with per-mechanism
switches and priorities. Of the four mechanisms currently supported, one is an
integration with the RBAC services of the OSG Privilege Project; the other three are
built in as a lightweight suite of services (the gPLAZMAlite Services Suite): the
legacy dcache.kpwd file, the popular grid-mapfile, and a gPLAZMAlite-specific RBAC
mechanism that augments the grid-mapfile with VOMS group and role information. Based
on our current work, we also outline a possible extension towards authorization for
storage quotas. This work was undertaken as a collaboration between PPDG Common, the
OSG Privilege Project, and the SRM-dCache groups at DESY, FNAL and UCSD.
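The abstract describes the general shape of the module (several mechanisms, each with an on/off switch and a priority, a grid-mapfile keyed on the certificate DN, and an RBAC mechanism keyed on VOMS group and role). The following is an added, illustrative Python model of such a chain; it is not gPLAZMA's or dCache's own code, and the grid-mapfile contents, the account table and the FQAN-to-account table (FQAN_TABLE, which stands in for whatever file format gPLAZMAlite actually uses) are constructed for the example. It also assumes that the VOMS attribute certificate carrying the FQANs has already been signature-checked upstream; the mapping step trusts the attributes it is handed.

```python
"""Illustrative pluggable authorization chain (not gPLAZMA's own code):
mechanisms are tried in priority order, each can be switched off, and the
first one that maps the credential wins; no mapping means deny."""
import shlex
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    dn: str                      # subject DN of the end-entity certificate
    fqans: Tuple[str, ...] = ()  # VOMS FQANs, primary FQAN first
    # Assumption: the VOMS attribute certificate carrying these FQANs was
    # already verified against a trusted VOMS server. This code only maps
    # attributes; it does not validate them.


@dataclass(frozen=True)
class Mapping:
    username: str
    uid: int
    gid: int
    source: str  # which mechanism produced the decision


Mechanism = Callable[[Credential], Optional[Mapping]]

# ---- constructed sample inputs (not real site data) -----------------------
GRID_MAPFILE = '''
# constructed grid-mapfile: "<DN>" <local account>
"/DC=org/DC=example/OU=People/CN=Jane Doe 12345" janedoe
"/DC=org/DC=example/OU=People/CN=Bob Smith 67890" bobsmith
'''
PASSWD = {"janedoe": (1001, 100), "bobsmith": (1002, 100),
          "cmsprod": (5001, 500), "cmsuser": (5002, 500)}
# Hypothetical (group, role) -> account table; role None means "no role".
FQAN_TABLE = {("/cms", "production"): "cmsprod", ("/cms", None): "cmsuser"}


def parse_grid_mapfile(text: str) -> Dict[str, str]:
    """Each entry is a quoted DN followed by a local account name."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the spaces inside the quoted DN
        if len(parts) >= 2:
            result[parts[0]] = parts[1]
    return result


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """'/cms/Role=production/Capability=NULL' -> ('/cms', 'production')."""
    groups: List[str] = []
    role: Optional[str] = None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
            role = None if role == "NULL" else role
        elif not part.startswith("Capability="):
            groups.append(part)
    return "/" + "/".join(groups), role


def fqan_rbac_mechanism(cred: Credential) -> Optional[Mapping]:
    """Map by VOMS group and role, most preferred FQAN first."""
    for fqan in cred.fqans:
        account = FQAN_TABLE.get(parse_fqan(fqan))
        if account is not None:
            uid, gid = PASSWD[account]
            return Mapping(account, uid, gid, "gplazmalite-rbac")
    return None


GRID_MAP = parse_grid_mapfile(GRID_MAPFILE)


def grid_mapfile_mechanism(cred: Credential) -> Optional[Mapping]:
    """Classic DN -> account mapping; ignores VOMS attributes entirely."""
    account = GRID_MAP.get(cred.dn)
    if account is None or account not in PASSWD:
        return None
    uid, gid = PASSWD[account]
    return Mapping(account, uid, gid, "grid-mapfile")


@dataclass
class MechanismSlot:
    name: str
    mechanism: Mechanism
    priority: int          # lower value is consulted first
    enabled: bool = True   # the per-mechanism switch


def authorize(cred: Credential, slots: List[MechanismSlot]) -> Optional[Mapping]:
    """Consult enabled mechanisms by priority; first mapping wins, none -> deny."""
    for slot in sorted((s for s in slots if s.enabled), key=lambda s: s.priority):
        mapping = slot.mechanism(cred)
        if mapping is not None:
            return mapping
    return None


DEFAULT_CHAIN = [
    MechanismSlot("gplazmalite-rbac", fqan_rbac_mechanism, priority=1),
    MechanismSlot("grid-mapfile", grid_mapfile_mechanism, priority=2),
]

if __name__ == "__main__":
    jane = Credential("/DC=org/DC=example/OU=People/CN=Jane Doe 12345",
                      ("/cms/Role=production/Capability=NULL",))
    print(authorize(jane, DEFAULT_CHAIN))
```

The ordering matters: with the role mechanism ahead of the grid-mapfile, the same DN lands in a shared production account when it presents a production FQAN and in its personal account otherwise, which is the fine-grained behaviour the abstract is after. Turning the role mechanism off collapses everything back to plain DN mapping, and a credential that no enabled mechanism recognizes gets no mapping at all rather than a default account.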
Primary authors
Abhishek Singh RANA
(University of California, San Diego, CA, USA)
Frank WUERTHWEIN
(University of California, San Diego, CA, USA)
Co-authors
Dane Skow
(Fermi National Accelerator Laboratory, Batavia, IL, USA)
Ian Fisk
(Fermi National Accelerator Laboratory, Batavia, IL, USA)
Jon Bakken
(Fermi National Accelerator Laboratory, Batavia, IL, USA)
Michael Ernst
(DESY, Hamburg, Germany)
Patrick Fuhrmann
(DESY, Hamburg, Germany)
Robert Kennedy
(Fermi National Accelerator Laboratory, Batavia, IL, USA)
Timur Perelmutov
(Fermi National Accelerator Laboratory, Batavia, IL, USA)