This page refers to the gLite version of CREAM. For CREAM released with EMI, please refer to the new CREAM wiki: http://wiki.italiangrid.org/CREAM

Authentication

Authentication in CREAM is managed via the Trust Manager.

The Trust Manager is the component responsible for carrying out authentication operations. It is an implementation of the J2EE security specifications. Authentication is based on PKI: each user (and Grid service) wishing to access CREAM is required to present a certificate in X.509 format. These certificates are issued by trusted entities, the Certificate Authorities (CAs). The role of a CA is to guarantee the identity of a user. This is achieved by issuing an electronic document (the certificate) that contains the information about the user and is digitally signed by the CA with its private key. An authentication manager, such as the Trust Manager, can verify the user identity by checking the CA's signature with the CA public key: the signed hash is decrypted and compared with the hash of the certificate. This ensures that the certificate was issued by that specific CA. The Trust Manager can then access the user data contained in the certificate and verify the user identity.
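The check described above, as an added example that is not part of this page or of the Trust Manager's own code: a constructed CA issues a user certificate, a second certificate copies the same DN but is signed with its own key, and only the one whose signature validates against the trusted CA pool yields an identity. All names, the CA and the key material are made up for the example; `GridDN` renders the subject in the "/C=.../O=.../CN=..." form that grid middleware uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent's key; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TestPKI is a constructed CA, a user certificate it issued, and an impostor
// certificate that copies the user's DN but is self-signed, so no CA vouches for it.
type TestPKI struct{ CA, User, Impostor *x509.Certificate }

// BuildTestPKI generates the constructed certificates; every name in it is made up.
func BuildTestPKI() (*TestPKI, error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"IT"}, Organization: []string{"ExampleCA"}, CommonName: "Example Grid CA"},
		NotBefore:    nb, NotAfter: na,
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Country: []string{"IT"}, Organization: []string{"ExampleOrg"}, CommonName: "Jane Doe"},
		NotBefore:    nb, NotAfter: na,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	user, _, err := issue(userTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	impostor, _, err := issue(userTmpl, nil, nil) // same DN, signed with its own throwaway key
	if err != nil {
		return nil, err
	}
	return &TestPKI{CA: ca, User: user, Impostor: impostor}, nil
}

// GridDN renders a subject in the OpenSSL "/C=.../O=.../CN=..." form used by grid middleware.
func GridDN(n pkix.Name) string {
	dn := ""
	for _, c := range n.Country {
		dn += "/C=" + c
	}
	for _, o := range n.Organization {
		dn += "/O=" + o
	}
	if n.CommonName != "" {
		dn += "/CN=" + n.CommonName
	}
	return dn
}

// VerifyUser is the Trust Manager step in miniature: check the CA signature and
// validity period against the trusted CA pool, and only then trust the DN it carries.
func VerifyUser(cert *x509.Certificate, trusted *x509.CertPool) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return GridDN(cert.Subject), nil
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA)
	for _, c := range []*x509.Certificate{pki.User, pki.Impostor} {
		dn, err := VerifyUser(c, trusted)
		fmt.Printf("%s issued by %q: dn=%q err=%v\n", c.Subject.CommonName, c.Issuer.CommonName, dn, err)
	}
}
```

The point to take from the impostor case is that the DN inside a certificate is data the presenter controls; it becomes an identity only after the signature has been verified against a CA the site trusts, which is why the CA pool, not the certificate, is the root of the decision.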

Authorization

Authorization in CREAM is managed via a "custom" gJAF (Grid Java Authorization Framework). This framework provides a way to invoke a chain of policy engines and obtain a decision about whether a user is authorized. Policy engines are divided into two types according to their function, and the administrator plugs them into the framework to form a chain that makes up a complete authorization system. A policy engine is either a PIP (Policy Information Point) or a PDP (Policy Decision Point). PIPs collect and verify assertions and capabilities associated with the user, checking her role, group and VO attributes. PDPs may use the information retrieved by a PIP to decide whether the user is allowed to perform the requested action, whether further evaluation is needed, or whether the evaluation should be interrupted and the user denied access.

In CREAM both VO and DN based authorizations are supported. In the former scenario, implemented via the VOMS PDP, the administrator can specify authorization policies based on the VO the jobs' owners belong to (or on particular VO attributes). In the latter case the administrator of the CREAM-based CE can explicitly list all the Grid users (identified by their X.509 Distinguished Names) authorized to access CREAM services.

As for authorization on job operations, by default each user can manage (e.g. cancel, suspend, etc.) only her own jobs. However, the CREAM administrator can define specific super-users who are also empowered to manage jobs submitted by other users.
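The PIP/PDP chain, the VO- and DN-based policies and the job-owner/super-user rule from the three paragraphs above, as one added example; this is not gJAF's code or CREAM's configuration. It assumes a PIP that stands in for reading VOMS attributes (the FQANs come from a constructed table instead of the proxy), a fail-closed chain, and a policy in which the ownership PDP runs first so that a non-owner without super-user rights is denied before the VO/DN PDPs are consulted. All DNs, VOs and FQANs are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is what CREAM knows about a call before the chain runs: who the caller is,
// what she wants to do and, for job operations, whose job it is. PIPs fill in VO/FQANs.
type Request struct {
	SubjectDN string
	Action    string // e.g. "submit", "cancel", "suspend"
	JobOwner  string // DN of the job's owner; empty for operations not tied to a job
	VO        string
	FQANs     []string
}

// Decision is what a PDP returns for a request.
type Decision int

const (
	NotApplicable Decision = iota // no opinion: continue with the next PDP
	Permit                        // authorized: stop the chain
	Deny                          // refused: interrupt the chain
)

type PIP interface{ Collect(r *Request) error }
type PDP interface{ Decide(r *Request) Decision }

// VOMSAttributePIP stands in for the PIP that would read the VOMS extension of the
// user proxy; here the FQANs come from a constructed table keyed by DN.
type VOMSAttributePIP struct{ Attrs map[string][]string }

func (p VOMSAttributePIP) Collect(r *Request) error {
	fqans, ok := p.Attrs[r.SubjectDN]
	if !ok || len(fqans) == 0 {
		return nil // no VOMS attributes: a DN-based PDP may still admit the user
	}
	r.FQANs = fqans
	// An FQAN looks like "/dteam/Role=NULL/Capability=NULL"; the VO is its first element.
	r.VO = strings.SplitN(strings.TrimPrefix(fqans[0], "/"), "/", 2)[0]
	return nil
}

// JobOwnerPDP enforces the default rule for job operations: only the owner or a
// configured super-user may manage a job. For other actions it has no opinion.
type JobOwnerPDP struct{ SuperUsers map[string]bool }

func (p JobOwnerPDP) Decide(r *Request) Decision {
	if r.JobOwner == "" || r.SubjectDN == r.JobOwner || p.SuperUsers[r.SubjectDN] {
		return NotApplicable // ownership is fine; the VO/DN PDPs still have to admit the user
	}
	return Deny
}

// VOMSPDP permits users whose VO is in the administrator's list.
type VOMSPDP struct{ AllowedVOs map[string]bool }

func (p VOMSPDP) Decide(r *Request) Decision {
	if r.VO != "" && p.AllowedVOs[r.VO] {
		return Permit
	}
	return NotApplicable
}

// DNPDP permits users whose Distinguished Name is explicitly listed.
type DNPDP struct{ AllowedDNs map[string]bool }

func (p DNPDP) Decide(r *Request) Decision {
	if p.AllowedDNs[r.SubjectDN] {
		return Permit
	}
	return NotApplicable
}

// Chain runs every PIP, then the PDPs in order until one permits or denies.
// If no PDP takes a decision the request is denied (fail closed).
type Chain struct {
	PIPs []PIP
	PDPs []PDP
}

func (c Chain) Authorize(r *Request) (bool, error) {
	for _, p := range c.PIPs {
		if err := p.Collect(r); err != nil {
			return false, err
		}
	}
	for _, d := range c.PDPs {
		switch d.Decide(r) {
		case Permit:
			return true, nil
		case Deny:
			return false, nil
		}
	}
	return false, nil
}

// Constructed DNs and policy used by NewExampleChain.
const (
	jane  = "/C=IT/O=ExampleOrg/CN=Jane Doe"
	bob   = "/C=IT/O=ExampleOrg/CN=Bob Roe"
	admin = "/C=IT/O=ExampleOrg/CN=CE Admin"
)

func NewExampleChain() Chain {
	return Chain{
		PIPs: []PIP{VOMSAttributePIP{Attrs: map[string][]string{
			jane: {"/dteam/Role=NULL/Capability=NULL"},
			bob:  {"/atlas/Role=NULL/Capability=NULL"},
		}}},
		PDPs: []PDP{
			JobOwnerPDP{SuperUsers: map[string]bool{admin: true}}, // dteam is allowed, atlas is not
			VOMSPDP{AllowedVOs: map[string]bool{"dteam": true}},
			DNPDP{AllowedDNs: map[string]bool{admin: true}}, // the admin has no VOMS attributes
		},
	}
}

// Allowed asks the example chain whether subject may perform action on a job owned by owner.
func Allowed(subject, action, owner string) bool {
	ok, err := NewExampleChain().Authorize(&Request{SubjectDN: subject, Action: action, JobOwner: owner})
	return err == nil && ok
}

func main() {
	fmt.Println(Allowed(jane, "submit", ""), Allowed(bob, "submit", ""), Allowed(admin, "submit", ""))
	fmt.Println(Allowed(jane, "cancel", jane), Allowed(jane, "cancel", bob), Allowed(admin, "cancel", jane))
}
```

Two chain behaviours are worth noticing: Bob cancelling his own job is refused even though he owns it, because ownership only avoids a Deny and no PDP ever Permits his VO, and the default when the chain runs out of PDPs is a refusal, so a misconfigured or missing PDP cannot silently open the CE.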

The migration from gJAF to the new Argus Authorization Service is planned for CREAM CE v. 1.7.

Credential mapping

The execution of user jobs in a Grid environment requires isolation mechanisms for both applications (to protect these applications from each other) and resource owners (to control the behavior of these arbitrary applications). CREAM implements isolation via local credential mapping, exploiting traditional Unix-level security mechanisms such as a separate user account per Grid user. This Unix domain isolation is implemented in the form of the gLExec system, a sudo-style program which allows the execution of the user's job with local credentials derived from the user's identity and any accompanying authorization assertions. The relation between the Grid credentials and the local Unix accounts and groups is determined by LCMAPS, using the configuration file /opt/glite/etc/lcmaps/lcmaps-suexec.db (/opt/glite/etc/lcmaps/lcmaps-glexec.db with CREAM CE v. >= 1.6, glite-ce-cream >= 1.12). gLExec also uses LCAS, with the configuration file /opt/glite/etc/lcas/lcas-suexec.db (/opt/glite/etc/lcas/lcas-glexec.db with CREAM CE v. >= 1.6, glite-ce-cream >= 1.12), to verify the user proxy, to check that the user has the proper authorization to use the gLExec service, and to check that the target executable has been properly "enabled" by the resource owner.
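A simplified model of the credential-mapping step described above, added here as an example; it is not LCMAPS, gLExec or any CREAM code, and it does not read the lcmaps-*.db files named in the text. It assumes the classic grid-mapfile syntax (a quoted DN followed by an account name, with a leading dot marking a pool of accounts) and keeps pool leases in memory where LCMAPS would use a gridmapdir on disk. The mapfile, the DNs and the pool accounts are all constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed grid-mapfile in the classic "DN account" syntax. A leading dot on the
// account name means a pool (dteam001, dteam002, ...) rather than one fixed account.
const gridMapfile = `
# Grid DN -> local account
"/C=IT/O=ExampleOrg/CN=Jane Doe"  .dteam
"/C=IT/O=ExampleOrg/CN=Bob Roe"   .dteam
"/C=IT/O=ExampleOrg/CN=Carol Poe" .dteam
"/C=IT/O=ExampleOrg/CN=CE Admin"  dteamsgm
`

// Mapping is one parsed line: the account (or pool) name and whether it is a pool.
type Mapping struct {
	Account string
	Pool    bool
}

// ParseGridMapfile reads the quoted-DN / account lines, skipping blanks and comments.
func ParseGridMapfile(text string) (map[string]Mapping, error) {
	table := map[string]Mapping{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("DN must be quoted: %q", line)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("unterminated DN: %q", line)
		}
		dn, acct := line[1:1+end], strings.TrimSpace(line[2+end:])
		if acct == "" {
			return nil, fmt.Errorf("missing account for %s", dn)
		}
		table[dn] = Mapping{Account: strings.TrimPrefix(acct, "."), Pool: strings.HasPrefix(acct, ".")}
	}
	return table, sc.Err()
}

// Mapper is a stand-in for the LCMAPS mapping step: it resolves a DN to a local
// account and leases pool accounts so that one DN keeps the same account across
// jobs and two DNs never share one (that is what gives the per-user isolation).
type Mapper struct {
	table  map[string]Mapping
	free   map[string][]string // pool name -> accounts not yet leased
	leases map[string]string   // DN -> leased pool account (the gridmapdir's role)
}

func NewMapper(table map[string]Mapping, pools map[string][]string) *Mapper {
	free := map[string][]string{}
	for name, accts := range pools {
		free[name] = append([]string(nil), accts...)
	}
	return &Mapper{table: table, free: free, leases: map[string]string{}}
}

// Map returns the local account for dn, or an error if the DN is unknown or the
// pool is exhausted. An unmapped DN must not run at all, so there is no fallback.
func (m *Mapper) Map(dn string) (string, error) {
	e, ok := m.table[dn]
	if !ok {
		return "", fmt.Errorf("no mapping for %s", dn)
	}
	if !e.Pool {
		return e.Account, nil
	}
	if a, ok := m.leases[dn]; ok {
		return a, nil
	}
	if len(m.free[e.Account]) == 0 {
		return "", fmt.Errorf("pool %s exhausted", e.Account)
	}
	a := m.free[e.Account][0]
	m.free[e.Account] = m.free[e.Account][1:]
	m.leases[dn] = a
	return a, nil
}

// NewExampleMapper builds a mapper from the constructed mapfile and a two-account pool.
func NewExampleMapper() (*Mapper, error) {
	table, err := ParseGridMapfile(gridMapfile)
	if err != nil {
		return nil, err
	}
	return NewMapper(table, map[string][]string{"dteam": {"dteam001", "dteam002"}}), nil
}

func main() {
	m, err := NewExampleMapper()
	if err != nil {
		panic(err)
	}
	for _, cn := range []string{"Jane Doe", "Jane Doe", "Bob Roe", "Carol Poe", "CE Admin", "Nobody"} {
		a, err := m.Map("/C=IT/O=ExampleOrg/CN=" + cn)
		fmt.Printf("%-10s -> %-9s %v\n", cn, a, err)
	}
}
```

The third dteam user fails with an exhausted pool rather than being squeezed onto an account already leased to someone else; keeping that failure hard is what preserves the one-account-per-Grid-user property the text relies on.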

The migration from glexec to sudo (as discussed and approved by the Security Coordination Group) is planned for CREAM CE v. 1.6 (glite-ce-cream >= 1.12).

Gridftpd

LCAS and LCMAPS are also used in the CREAM CE for the globus-gridftpd, but in this case different configuration files are used: /opt/glite/etc/lcas/lcas.db and /opt/glite/etc/lcmaps/lcmaps.db.