Fermilab Computing Division

CS Document 1274-v1

gPlazma: Introducing RBAC security in dCache

Document #:
Document type:
Submitted by:
Frank Wurthwein
Updated by:
Frank Wurthwein
Document Created:
16 Nov 2005, 11:42
Contents Revised:
07 Mar 2006, 09:19
Metadata Revised:
07 Mar 2006, 09:19
Viewable by:
  • Public document
Modifiable by:
  • Same as Viewable by

Quick Links:
Latest Version

We introduce gPLAZMA (grid-aware PLuggable AuthoriZation MAnagement) Architecture.
Our work is motivated by a need for fine-grain security (Role Based Access Control or
RBAC) in Storage Systems, and utilizes VOMS extended X.509 certificate specification for defining extra attributes (FQANs), based on RFC 3281. Our implementation, the gPLAZMA module for dCache, introduces Storage Authorization Callouts for SRM and GridFTP. It allows using different authorization mechanisms simultaneously, fine-tuned with switches and priorities of mechanisms. Of the four mechanisms currently supported, one is an integration with RBAC services in the OSG Privilege Project, others are built-in as a lightweight suite of services (gPLAZMAlite Services Suite) including the legacy dcache.kpwd file, as well as the popular grid-mapfile, augmented with a gPLAZMAlite specific RBAC mechanism. Based on our current work, we also outline a future potential towards authorization for storage quotas.
This work was undertaken as a collaboration between PPDG Common, OSG Privilege project, and the SRM-dCache groups at DESY, FNAL and UCSD.
Files in Document:
Associated with Events:
CHEP2006 held from 13 Feb 2006 to 17 Feb 2006 in Mumbai, India
DocDB Home ]  [ Search ] [ Authors ] [ Events ] [ Topics ]

DocDB Version 8.8.10, contact Document Database Administrators