CS Document 1274-v1
gPlazma: Introducing RBAC security in dCache
- Public document
- Same as Viewable by
- We introduce gPLAZMA (grid-aware PLuggable AuthoriZation MAnagement) Architecture.
Our work is motivated by a need for fine-grain security (Role Based Access Control or
RBAC) in Storage Systems, and utilizes VOMS extended X.509 certificate specification for defining extra attributes (FQANs), based on RFC 3281. Our implementation, the gPLAZMA module for dCache, introduces Storage Authorization Callouts for SRM and GridFTP. It allows using different authorization mechanisms simultaneously, fine-tuned with switches and priorities of mechanisms. Of the four mechanisms currently supported, one is an integration with RBAC services in the OSG Privilege Project, others are built-in as a lightweight suite of services (gPLAZMAlite Services Suite) including the legacy dcache.kpwd file, as well as the popular grid-mapfile, augmented with a gPLAZMAlite specific RBAC mechanism. Based on our current work, we also outline a future potential towards authorization for storage quotas.
This work was undertaken as a collaboration between PPDG Common, OSG Privilege project, and the SRM-dCache groups at DESY, FNAL and UCSD.
- Associated with Events:
- CHEP2006 held from 13 Feb 2006 to 17 Feb 2006 in Mumbai, India