Manage Authentication and Authorizations

Authentication

For technical details see About proxies.

DIRAC uses X509 certificates to identify clients and hosts. By design, X509 certificates are a very strong way to identify hosts and clients, thanks to asymmetric cryptography. DIRAC is based on the OpenSSL library.

To identify users and what they are allowed to do, DIRAC uses an RBAC (Role Based Access Control) model:

  • A role (called property in DIRAC) carries some authorization

  • A hostname has a DN and some properties

  • A username has a DN, and the groups in which it is included

  • A user group has a number of properties

Before you can authorize (or refuse) tasks, you have to define these properties, hostnames, usernames and groups. You do so by registering this information under /DIRAC/Registry:

# Sections to register VOs, groups, users and hosts
# https://dirac.readthedocs.org/en/latest/AdministratorGuide/UserManagement.html
Registry
{

  ## Registry options:
  # Default user group to be used:
  DefaultGroup = lhcb_user

  # Quarantine user group, usually used when you want to put users in a group
  # by hand as a "punishment" for a certain period of time:
  QuarantineGroup = lowPriority_user

  # Default proxy time expressed in seconds:
  DefaultProxyTime = 4000
  ##

  # Trusted hosts section; each subsection is the host name of a DIRAC secondary server
  Hosts
  {

    dirac.host.com
    {

      # Host distinguished name obtained from the host certificate
      DN = /O=MyOrg/OU=Unity/CN=dirac.host.com

      # Properties associated with the host
      Properties = JobAdministrator
      Properties += FullDelegation
      Properties += Operator
      Properties += CSAdministrator
      Properties += ProductionManagement
      Properties += AlarmsManagement
      Properties += ProxyManagement
      Properties += TrustedHost
    }
  }

  ## VOs:
  # DIRAC VOs section; each subsection is the name of the DIRAC VO or the alias name of the real VOMS VO
  VO
  {

    # It is not mandatory for the DIRAC VO to have the same name as the corresponding VOMS VO
    lhcb
    {

      # VO administrator user name, which MUST also be registered (/Registry/Users section)
      VOAdmin = lhcbadmin

      # VO administrator group used for querying VOMS server.
      # If not specified, the VO "DefaultGroup" will be used
      VOAdminGroup = lhcb_admin

      # Real VOMS VO name, if this VO is associated with VOMS VO
      VOMSName = lhcb

      # Registered identity provider associated with VO
      IdProvider = CheckIn

      # Section to describe all the VOMS servers that can be used with the given VOMS VO
      VOMSServers
      {

        # The host name of the VOMS server
        cclcgvomsli01.in2p3.fr
        {

          # DN of the VOMS server certificate
          DN = /O=GRID-FR/C=FR/O=CNRS/OU=CC-IN2P3/CN=cclcgvomsli01.in2p3.fr

          # The VOMS server port
          Port = 15003

          # CA that issued the VOMS server certificate
          CA = /C=FR/O=CNRS/CN=GRID2-FR
        }
      }
    }
  }
  ##

  ## Groups:
  # DIRAC groups section; each subsection is the name of a group
  Groups
  {

    # Group for the common user
    lhcb_user
    {

      # DIRAC user logins that belong to the group
      Users = lhcbuser1

      # Group properties (set the permissions of the group's users)
      Properties = NormalUser # Normal user operations

      # Permission to download proxy with this group, by default: True
      DownloadableProxy = False

      # Role of the users in the VO
      VOMSRole = /lhcb

      # Scope associated with a role of the user in the VO
      IdPRole = some_special_scope

      # Virtual organization associated with the group
      VOMSVO = lhcb

      # Just for normal users:
      JobShare = 200

      # Controls automatic Proxy upload:
      AutoUploadProxy = True

      # Controls automatic Proxy upload for Pilot groups:
      AutoUploadPilotProxy = True

      # Controls automatic addition of VOMS extension:
      AutoAddVOMS = True
    }

    # Group to submit pilot jobs
    lhcb_pilot
    {
      Properties = GenericPilot # Generic pilot
      Properties += LimitedDelegation # Allow getting only limited proxies (ie. pilots)
      Properties += Pilot # Private pilot
    }

    # Admin group
    lhcb_admin
    {
      Properties = AlarmsManagement # Allow to set notifications and manage alarms
      Properties += ServiceAdministrator # DIRAC Service Administrator
      Properties += CSAdministrator # possibility to edit the Configuration Service
      Properties += JobAdministrator # Job Administrator can manipulate everybody's jobs
      Properties += FullDelegation # Allow getting full delegated proxies
      Properties += ProxyManagement # Allow managing proxies
      Properties += Operator # Operator
    }
  }
  ##

  ## Users:
  # DIRAC users section; each subsection is the name of a user
  Users
  {

    lhcbuser1
    {
      # Distinguished name obtained from the user certificate (Mandatory)
      DN = /O=My organisation/C=FR/OU=Unit/CN=My Name

      # User e-mail (Mandatory)
      Email = my@email.com

      # Cellular phone number
      mobile = +030621555555

      # Quota assigned to the user. Expressed in MBs.
      Quota = 300

      # This subsection describes the properties associated with each DN attribute (optional)
      DNProperties
      {

        # Arbitrary section name
        DNSubsection
        {

          # Distinguished name obtained from the user certificate (Mandatory)
          DN = /O=My organisation/C=FR/OU=Unit/CN=My Name

          # Proxy provider that can generate the proxy certificate with DN in DN attribute.
          ProxyProviders = MY_DIRACCA
        }
      }
    }
  }
  ##
}

Once users are registered, they create a proxy for one of their groups; the group determines which properties the proxy carries.

Users and their roles registered in a VOMS server can be synchronized to the DIRAC configuration using the VOMS2CSAgent.
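
To make the registry above concrete, here is an added example (not DIRAC's own CFG parser) that reads a trimmed, constructed copy of that Registry in the same syntax and resolves a certificate DN to the properties it is granted: host properties directly, user properties through the group the proxy was created for. It assumes that `#` starts a comment anywhere on a line, that `+=` appends to a comma-separated list, and that a section name sits on its own line before its opening brace; the function names `parse_cfg`, `identify`, `member_of` and `properties_for` are invented for this example.

```python
"""Parser for DIRAC-style CFG text and DN-to-properties resolution.

Added example, not DIRAC's own code.  Assumptions: '#' starts a comment anywhere
on a line, 'Key += value' appends to a comma-separated list, and a section name
sits on its own line before the opening brace."""

# Constructed sample: a trimmed copy of the Registry shown above, not a real deployment.
SAMPLE_CFG = """
Registry
{
  DefaultGroup = lhcb_user
  Hosts
  {
    dirac.host.com
    {
      DN = /O=MyOrg/OU=Unity/CN=dirac.host.com
      Properties = JobAdministrator
      Properties += TrustedHost
    }
  }
  Groups
  {
    lhcb_user
    {
      Users = lhcbuser1
      Properties = NormalUser  # Normal user operations
    }
  }
  Users
  {
    lhcbuser1
    {
      DN = /O=My organisation/C=FR/OU=Unit/CN=My Name
    }
  }
}
"""


def parse_cfg(text):
    """Parse CFG text into nested dicts; every value is kept as a string."""
    root, stack, pending = {}, [], None
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line == "{":
            if pending is None:
                raise ValueError("'{' without a preceding section name")
            stack.append(stack[-1].setdefault(pending, {}))
            pending = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            idx = line.index("=")             # first '=' only: DN values contain '=' too
            if idx > 0 and line[idx - 1] == "+":
                key, value = line[:idx - 1].strip(), line[idx + 1:].strip()
                old = stack[-1].get(key, "")
                stack[-1][key] = f"{old}, {value}" if old else value
            else:
                stack[-1][line[:idx].strip()] = line[idx + 1:].strip()
        else:
            pending = line                    # a section name; its '{' follows
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def as_list(value):
    """Split a comma-separated CFG value into a list of stripped items."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def identify(registry, dn):
    """Map a certificate DN to ('host', name) or ('user', name); None if unregistered."""
    for kind in ("Hosts", "Users"):
        for name, section in registry.get(kind, {}).items():
            if section.get("DN") == dn:
                return (kind[:-1].lower(), name)
    return None


def member_of(registry, username, group):
    return username in as_list(registry.get("Groups", {}).get(group, {}).get("Users"))


def properties_for(registry, dn, group=None):
    """Properties a DN is granted: hosts carry their own, users receive the
    properties of the group their proxy was created for (DefaultGroup if unset)."""
    who = identify(registry, dn)
    if who is None:
        return set()                          # unknown DN: nothing is granted
    kind, name = who
    if kind == "host":
        return set(as_list(registry["Hosts"][name].get("Properties")))
    group = group or registry.get("DefaultGroup")
    if not member_of(registry, name, group):
        raise PermissionError(f"{name} is not a member of group {group!r}")
    return set(as_list(registry["Groups"][group].get("Properties")))
```

An unknown DN yields no properties at all, and a user who asks for a group they are not listed in is refused rather than silently given the default group, which mirrors the point that properties only ever reach a user through a group.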

Authorizations

Every procedure has a list of required properties, and the user must hold at least one of them to execute the procedure. Be careful: properties are associated with groups, not directly with users!

There are two main ways to define required properties:

  • “Hardcoded” way: directly in the code. In your request handler you can write `auth_yourMethodName = listOfProperties`. This is useful for development or to provide default values.

  • Via the configuration system at `/DIRAC/Systems/(SystemName)/(InstanceName)/Services/(ServiceName)/Authorization/(methodName)`. If you have also defined hardcoded properties, the hardcoded properties are ignored.

A complete list of properties is available in System Authorization. If you don’t want to require specific properties you can use the special values “authenticated”, “any” and “all”.

  • “authenticated” allows all users registered in the configuration system (/DIRAC/Registry/Users) to use the procedure.

  • “any” and “all” have the same effect: everyone can call the procedure. This can be dangerous if you allow non-secured connections.

You also have to define properties for groups of users in the configuration system at `/DIRAC/Registry/Groups/(groupName)/Properties`.
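
As an added example, not DIRAC's own authorization code, the following Python models the rules above: a configuration-system entry replaces the hardcoded list for that method, “authenticated” needs only a registered identity, “any”/“all” admit everyone, and otherwise the caller's group must hold at least one required property. The group `lhcb_jobadmin`, the method names, the tables and the function names `required_properties`, `is_authorized` and `open_methods` are all constructed for illustration.

```python
"""Model of DIRAC's per-method authorization decision.

Added example, not DIRAC's own code: the tables and function names are
constructed for illustration; only the rules they encode come from the text."""

# Constructed: group -> properties, as under /DIRAC/Registry/Groups/<group>/Properties.
GROUP_PROPERTIES = {
    "lhcb_user": {"NormalUser"},
    "lhcb_pilot": {"GenericPilot", "LimitedDelegation", "Pilot"},
    "lhcb_jobadmin": {"JobAdministrator"},          # constructed group for the example
    "lhcb_admin": {"AlarmsManagement", "ServiceAdministrator", "CSAdministrator",
                   "JobAdministrator", "FullDelegation", "ProxyManagement", "Operator"},
}

# "Hardcoded" defaults, i.e. what auth_<method> = [...] in a request handler would set.
HARDCODED_AUTH = {
    "killJob": ["JobAdministrator"],
    "getJobStatus": ["authenticated"],
    "ping": ["any"],
}

# Constructed contents of
# /DIRAC/Systems/<System>/<Instance>/Services/<Service>/Authorization/<method>.
# Where a method is listed here, its hardcoded list is ignored entirely.
CS_AUTHORIZATION = {
    "killJob": ["Operator"],
}


def required_properties(method):
    """Effective requirement: the CS entry wins, the hardcoded list is the fallback,
    and a method with neither has no rule (None)."""
    if method in CS_AUTHORIZATION:
        return set(CS_AUTHORIZATION[method])
    if method in HARDCODED_AUTH:
        return set(HARDCODED_AUTH[method])
    return None


def is_authorized(method, group):
    """Decide whether a caller acting under `group` may invoke `method`.

    `group` is the group carried by the caller's proxy, or None when the connection
    did not present a certificate that maps to a registered user."""
    required = required_properties(method)
    if required is None:
        return False                        # no rule at all: deny by default
    if required & {"any", "all"}:
        return True                         # everyone, even unauthenticated callers
    if group is None:
        return False                        # everything below needs a registered identity
    if "authenticated" in required:
        return True
    # Properties come from the group, never from the user directly.
    return bool(GROUP_PROPERTIES.get(group, set()) & required)


def open_methods():
    """Audit helper: methods callable by anyone at all, the list to review before
    allowing non-secured connections."""
    methods = set(HARDCODED_AUTH) | set(CS_AUTHORIZATION)
    return sorted(m for m in methods if required_properties(m) & {"any", "all"})
```

Note how `killJob` behaves: its hardcoded list names `JobAdministrator`, but because the configuration system defines `Operator` for it, a group holding only `JobAdministrator` is refused while `lhcb_admin`, which holds `Operator`, is accepted. `open_methods()` is the check to run before enabling non-secured connections, since every method it lists is reachable without any identity.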