Károly Lőrentey
ELTE ITK, Budapest, Hungary
Ákos Frohner
CERN, Geneva, Switzerland
R. Alfieri
INFN and Department of Physics, Parma, Italy
R. Cecchini
INFN, Firenze, Italy
V. Ciaschini
INFN, CNAF, Italy
A. Gianoli
INFN, Ferrara, Italy
F. Spataro
INFN, Parma, Italy
Authorisation is an important part of the management of any computer system. The problem of access control requires particular attention in the case of the Grid, where the size and distributed nature of the user base calls into question the applicability of a low-level, user-based access control scheme that is tied entirely to the individual Grid resources.
Sorting users into authorisation groups and using this general membership information in access control is an extremely useful administration tool. We present the Virtual Organisation Membership Service (VOMS), which represents authorisation group information in the Grid by attribute certificates embedded inside the proxy certificates used in the Grid Security Infrastructure.
Like the proxy certificates, attribute certificates have a limited lifetime. It is possible to embed more than one attribute certificate inside a single proxy; therefore a user can access the resources of two or more unrelated Virtual Organisations at the same time.
The properties of VOMS include:

- Simple resource management: VOMS provides a simple solution for local authorisation. The actual access control decisions remain in the hands of the resource administrators, but the VOMS attributes of a user can be taken into consideration during the authorisation process.

- Compatibility on the service side: Attributes are embedded as an optional extension in the proxy certificate. This means that existing GSI-based services will continue to work without changes after the introduction of VOMS. Of course, these services will not be able to take advantage of the extra information provided by VOMS.

- Single Sign-On: VOMS on the client side is practically transparent to the user (voms-proxy-init instead of grid-proxy-init). Once an attribute certificate is retrieved, it can be used without contacting VOMS until expiration.

- Distributed administration: The administration of individual authorisation groups may be flexibly delegated to local administrators in organisations participating in the VO. Administration tasks may be performed through a SOAP-based secure web service.

- Traceability: The history feature of the VOMS administration interface supports online queries of any given previous state of the membership database. Changes can be listed and selectively revoked.
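The local authorisation decision described above, as an added illustration that is not from the paper and not VOMS code: a simplified Python model of a proxy carrying attribute certificates from several VOs, where only ACs that are within lifetime (both their own and the proxy's) and issued to the proxy owner are consulted, and the resource's own policy makes the final decision. The dataclasses, the DN, the VO names and the attribute strings are assumptions, not the real ASN.1 structures.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class AttributeCertificate:
    # Simplified model of a VOMS attribute certificate (constructed, not the real ASN.1 structure)
    vo: str
    holder: str           # subject DN of the user the AC was issued to
    attributes: list      # authorisation-group attributes, e.g. "/alpha/Role=admin" (assumed syntax)
    not_before: datetime
    not_after: datetime

@dataclass
class ProxyCertificate:
    # Simplified proxy certificate carrying zero or more ACs in an optional extension
    subject: str
    not_before: datetime
    not_after: datetime
    attribute_certs: list = field(default_factory=list)

def usable_attributes(proxy, now):
    """(vo, attribute) pairs a resource may rely on at time `now`.
    An AC counts only while both it and the proxy carrying it are within their
    lifetimes and it was issued to the proxy's owner; ACs from unrelated VOs
    embedded in the same proxy all contribute."""
    if not (proxy.not_before <= now <= proxy.not_after):
        return set()
    usable = set()
    for ac in proxy.attribute_certs:
        if ac.holder == proxy.subject and ac.not_before <= now <= ac.not_after:
            usable.update((ac.vo, attr) for attr in ac.attributes)
    return usable

def authorise(proxy, local_policy, now):
    """Local decision: the resource administrator's `local_policy` (allowed
    (vo, attribute) pairs) stays in charge; VOMS attributes only inform it.
    A proxy without a usable AC behaves like a plain GSI proxy here."""
    return bool(usable_attributes(proxy, now) & local_policy)

# Constructed sample: one user, one proxy, ACs from two unrelated VOs plus one expired AC.
NOW = datetime(2003, 6, 1, 12, 0)
USER = "/C=XX/O=Example/CN=Sample User"   # constructed DN
def sample_proxy():
    short = timedelta(hours=12)
    return ProxyCertificate(USER, NOW - short, NOW + short, [
        AttributeCertificate("alpha", USER, ["/alpha", "/alpha/Role=admin"], NOW - short, NOW + short),
        AttributeCertificate("beta", USER, ["/beta"], NOW - short, NOW + short),
        AttributeCertificate("gamma", USER, ["/gamma"], NOW - 2 * short, NOW - short),  # expired
    ])
```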