
Chapter 12. gPlazma authorization in dCache

Ted Hesselroth

gPlazma is a cell in dCache that authorizes users. Cells make requests to gPlazma by submitting user credential information to it, receiving the authorization decision and site-specific user information such as uid, gid, and rootpath in return.

The acronym stands for Grid-aware PLuggable AuthoriZation Management. gPlazma supports plugins that implement various selectable authorization methods. The four currently available methods are:

  • kpwd : This is the legacy method. The dcache.kpwd file is used to map a user’s DN to a local username, and the same file is used in a second mapping of the username to the uid, gid, and rootpath. As in all methods, if the mappings succeed, file system access is done using the obtained uid and gid, and a check is done that the local path of the transfer starts with the designated rootpath.

  • grid-mapfile : This method employs a grid mapfile. From the mapfile, the user’s DN is mapped to a username. A second file, storage-authzdb, is used for the mapping of the username to the uid, gid, and rootpath.

  • gplazmalite-vorole-mapping : In this method the mapping to the username is done from the concatenation of the user’s DN with the user’s Role (or, more precisely, with the user’s Fully Qualified Attribute Name). The mapping of username to uid, gid, and rootpath is through the storage-authzdb file.

  • saml-vo-mapping : The DN and Role are mapped to a username via a callout to a GUMS server. The GUMS service may run an extension which returns the uid, gid, and rootpath as well. Otherwise, the mapping of username to uid, gid, and rootpath is through the storage-authzdb file.
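
As an added illustration (not code from the dCache project), the following Python shows the two-stage lookup the methods above share: a grid-mapfile style mapping of the subject (DN, or DN concatenated with FQAN as in gplazmalite-vorole-mapping) to a username, then a storage-authzdb style mapping of the username to uid, gid and rootpath, followed by the check that the local path of the transfer starts with the rootpath. Both input files are constructed samples, and the storage-authzdb column layout used here is an assumption for the example.

```python
import posixpath
# Constructed grid mapfile (quoted subject, then local username); the second
# entry shows the DN+FQAN concatenation used by gplazmalite-vorole-mapping.
GRID_MAPFILE = '''
"/DC=org/DC=example/CN=Jane Doe" jdoe
"/DC=org/DC=example/CN=Ops Robot/vo.example/Role=prod" opsrobot
'''

# Constructed storage-authzdb; the column layout is an assumption for this example:
#   authorize <username> <read-write|read-only> <uid> <gid> <home> <root> <fsroot>
STORAGE_AUTHZDB = '''
authorize jdoe read-write 1001 1001 / /data/jdoe /
authorize opsrobot read-only 2001 2001 / /data/ops /
'''

def parse_grid_mapfile(text):
    """Subject (DN, or DN concatenated with FQAN) -> username."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            subject, _, user = line.rpartition(" ")
            mapping[subject.strip('"')] = user
    return mapping

def parse_storage_authzdb(text):
    """Username -> uid, gid, rootpath (and access mode)."""
    records = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "authorize":
            records[f[1]] = {"access": f[2], "uid": int(f[3]),
                             "gid": int(f[4]), "root": f[6]}
    return records

def path_within_root(local_path, root):
    """True only if local_path is root itself or lies below it. normpath resolves
    '..' segments; the trailing '/' stops /data/jdoe-old matching /data/jdoe."""
    p = posixpath.normpath(posixpath.join("/", local_path))
    r = posixpath.normpath(posixpath.join("/", root))
    return p == r or p.startswith(r.rstrip("/") + "/")

def authorize(subject, local_path, mapfile, authzdb):
    """Two-stage lookup plus rootpath check; None means access is refused."""
    user = mapfile.get(subject)
    rec = authzdb.get(user) if user else None
    if rec is None or not path_within_root(local_path, rec["root"]):
        return None
    return dict(rec, username=user)
```

A failure at any stage (unknown subject, unknown username, or a path outside the rootpath) refuses access rather than falling through to a default identity.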

The following describes how to use gPlazma in dCache.