Manage Authentication and Authorizations
Authentication
For technical details see About proxies.
DIRAC uses X509 certificates to identify clients and hosts. By design, X509 certificates are a very strong way to identify hosts and clients thanks to asymmetric cryptography. DIRAC is based on the OpenSSL library.
To identify users, DIRAC uses the RBAC model (Role Based Access Control):
A role (called a property in DIRAC) carries some authorizations.
A hostname has a DN and some properties.
A username has a DN and the groups it belongs to.
A user group has a number of properties.
Before authorizing (or refusing) tasks, you have to define these properties, hostnames, usernames and groups. For that you register the information under /DIRAC/Registry.
# Sections to register VOs, groups, users and hosts
# https://dirac.readthedocs.org/en/latest/AdministratorGuide/UserManagement.html
Registry
{
  ## Registry options:
  # Default user group to be used:
  DefaultGroup = lhcb_user
  # The quarantine user group is usually used when you want to put
  # users in a group by hand as a "punishment" for a certain period of time:
  QuarantineGroup = lowPriority_user
  # Default proxy time expressed in seconds:
  DefaultProxyTime = 4000
  ##
  # Trusted hosts section; subsections represent the host names of the DIRAC secondary servers
  Hosts
  {
    dirac.host.com
    {
      # Host distinguished name obtained from the host certificate
      DN = /O=MyOrg/OU=Unity/CN=dirac.host.com
      # Properties associated with the host
      Properties = JobAdministrator
      Properties += FullDelegation
      Properties += Operator
      Properties += CSAdministrator
      Properties += ProductionManagement
      Properties += AlarmsManagement
      Properties += ProxyManagement
      Properties += TrustedHost
    }
  }
  ## VOs:
  # DIRAC VOs section; subsections represent the name of the DIRAC VO or an alias of the real VOMS VO
  VO
  {
    # It is not mandatory for the DIRAC VO to have the same name as the corresponding VOMS VO
    lhcb
    {
      # VO administrator user name, which MUST also be registered (/Registry/Users section)
      VOAdmin = lhcbadmin
      # VO administrator group used for querying the VOMS server.
      # If not specified, the VO "DefaultGroup" will be used
      VOAdminGroup = lhcb_admin
      # Real VOMS VO name, if this VO is associated with a VOMS VO
      VOMSName = lhcb
      # Registered identity provider associated with the VO
      IdProvider = CheckIn
      # Section to describe all the VOMS servers that can be used with the given VOMS VO
      VOMSServers
      {
        # The host name of the VOMS server
        cclcgvomsli01.in2p3.fr
        {
          # DN of the VOMS server certificate
          DN = /O=GRID-FR/C=FR/O=CNRS/OU=CC-IN2P3/CN=cclcgvomsli01.in2p3.fr
          # The VOMS server port
          Port = 15003
          # CA that issued the VOMS server certificate
          CA = /C=FR/O=CNRS/CN=GRID2-FR
        }
      }
    }
  }
  ##
  ## Groups:
  # DIRAC groups section; subsections represent the name of the group
  Groups
  {
    # Group for the common user
    lhcb_user
    {
      # DIRAC user logins that belong to the group
      Users = lhcbuser1
      # Group properties (set the permissions of the group's users)
      Properties = NormalUser # Normal user operations
      # Permission to download a proxy with this group (default: True)
      DownloadableProxy = False
      # Role of the users in the VO
      VOMSRole = /lhcb
      # Scope associated with a role of the user in the VO
      IdPRole = some_special_scope
      # Virtual organization associated with the group
      VOMSVO = lhcb
      # Just for normal users:
      JobShare = 200
      # Controls automatic proxy upload:
      AutoUploadProxy = True
      # Controls automatic proxy upload for pilot groups:
      AutoUploadPilotProxy = True
      # Controls automatic addition of the VOMS extension:
      AutoAddVOMS = True
    }
    # Group to submit pilot jobs
    lhcb_pilot
    {
      Properties = GenericPilot # Generic pilot
      Properties += LimitedDelegation # Allow getting only limited proxies (i.e. pilots)
      Properties += Pilot # Private pilot
    }
    # Admin group
    lhcb_admin
    {
      Properties = AlarmsManagement # Allow setting notifications and managing alarms
      Properties += ServiceAdministrator # DIRAC Service Administrator
      Properties += CSAdministrator # Possibility to edit the Configuration Service
      Properties += JobAdministrator # A Job Administrator can manipulate everybody's jobs
      Properties += FullDelegation # Allow getting full delegated proxies
      Properties += ProxyManagement # Allow managing proxies
      Properties += Operator # Operator
    }
  }
  ##
  ## Users:
  # DIRAC users section; subsections represent the name of the user
  Users
  {
    lhcbuser1
    {
      # Distinguished name obtained from the user certificate (Mandatory)
      DN = /O=My organisation/C=FR/OU=Unit/CN=My Name
      # User e-mail (Mandatory)
      Email = my@email.com
      # Cellular phone number
      mobile = +030621555555
      # Quota assigned to the user, expressed in MB
      Quota = 300
      # This subsection describes the properties associated with each DN attribute (optional)
      DNProperties
      {
        # Arbitrary section name
        DNSubsection
        {
          # Distinguished name obtained from the user certificate (Mandatory)
          DN = /O=My organisation/C=FR/OU=Unit/CN=My Name
          # Proxy provider that can generate a proxy certificate for the DN in the DN attribute
          ProxyProviders = MY_DIRACCA
        }
      }
    }
  }
  ##
}
After registering, users create a proxy with a group, and that group guarantees certain properties.
Users and their roles registered in a VOMS server can be synchronized to the DIRAC configuration using the VOMS2CSAgent.
Authorizations
Every procedure has a list of required properties, and the user must have at least one of them to execute the procedure. Be careful: properties are associated with groups, not directly with users!
There are two main ways to define required properties:
The “hardcoded” way: directly in the code, in your request handler you can write `auth_yourMethodName = listOfProperties`. It can be useful for development or to provide default values.
Via the configuration system, at `/DIRAC/Systems/(SystemName)/(InstanceName)/Services/(ServiceName)/Authorization/(methodName)`. If you have also defined hardcoded properties, the hardcoded properties will be ignored.
A complete list of properties is available in System Authorization. If you don’t want to define specific properties you can use “authenticated”, “any” and “all”.
“authenticated” allows all users registered in the configuration system (/DIRAC/Registry/Users) to use the procedure. “any” and “all” have the same effect: everyone can call the procedure. It can be dangerous if you allow non-secured connections.
You also have to define properties for groups of users in the configuration system at `/DIRAC/Registry/Groups/(groupName)/Properties`.
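As an added example (not DIRAC's own code), the following Python parses a Groups/Users snippet written in the CFG syntax shown above and applies the authorization rules of this page: the properties a caller holds come from the group chosen when the proxy was created, the service's `Authorization` entry in the configuration takes precedence over a hardcoded `auth_<method>` list, and “authenticated”, “any” and “all” behave as described. The service name `JobService`, the method names, the hardcoded defaults and the registry contents are constructed for the example; the parser and the resolver are a simplified model of the rules, not DIRAC's own implementation.

```python
# Added example, not DIRAC's own code: parse the CFG syntax used under /DIRAC/Registry
# and resolve the RBAC rules this page describes (properties live on groups, not users).
# Constructed Groups/Users subsections laid out like the page's /DIRAC/Registry;
# lhcbuser1 belongs to two groups, so the group chosen at proxy creation decides.
REGISTRY_CFG = """
Groups
{
  lhcb_user
  {
    Users = lhcbuser1
    Properties = NormalUser   # normal user operations
  }
  lhcb_admin
  {
    Users = lhcbuser1
    Properties = CSAdministrator
    Properties += JobAdministrator
  }
}
Users
{
  lhcbuser1
  {
    DN = /O=My organisation/C=FR/OU=Unit/CN=My Name
  }
}
"""
# Constructed service Authorization section; service and method names are hypothetical.
SERVICE_CFG = """
JobService
{
  Authorization
  {
    wipeJobs = JobAdministrator
    listJobs = authenticated
  }
}
"""
# Hypothetical hardcoded defaults, as 'auth_<method> = [...]' in a request handler.
HARDCODED = {"auth_wipeJobs": ["NormalUser"], "auth_describe": ["any"]}

def parse_cfg(text):
    """'name' + '{' opens a section, '}' closes it, 'key = value' sets an option,
    'key += value' appends to it, '#' starts a comment. Options become lists."""
    root, stack, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        cur = stack[-1] if stack else root
        if line == "{":
            if pending is None:
                raise ValueError("'{' without a preceding section name")
            stack.append(cur.setdefault(pending, {}))
            pending = None
        elif line == "}":
            stack.pop()  # IndexError here means an unbalanced '}'
        elif "+=" in line:
            key, val = (s.strip() for s in line.split("+=", 1))
            cur.setdefault(key, []).append(val)
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = [v.strip() for v in val.split(",")]
        elif line:  # a bare name: the next '{' opens this section
            pending = line
    if stack:
        raise ValueError("unclosed section")
    return root

def proxy_properties(registry, user, group):
    """Properties a proxy of `user` in `group` carries: taken from the group,
    never from the user, and only if the user is registered and a member."""
    if user not in registry["Users"]:
        raise PermissionError(f"unregistered user {user!r}")
    grp = registry["Groups"].get(group)
    if grp is None or user not in grp.get("Users", []):
        raise PermissionError(f"{user!r} is not a member of {group!r}")
    return set(grp.get("Properties", []))

def required_properties(services, service, method, hardcoded):
    """The CS Authorization entry wins; the hardcoded list is only a fallback."""
    from_cs = services[service].get("Authorization", {}).get(method)
    return from_cs if from_cs is not None else hardcoded.get("auth_" + method, [])

def is_authorized(required, caller_props):
    """Caller needs at least one required property; 'any'/'all' admit everyone,
    'authenticated' admits every registered identity, an empty list denies."""
    wanted = {p.lower() for p in required}
    if wanted & {"any", "all"}:
        return True
    if caller_props is None:  # unauthenticated connection
        return False
    return "authenticated" in wanted or bool(set(required) & caller_props)

def decide(user, group, service, method):
    """End-to-end decision for one call; a proxy that cannot be built is denied."""
    registry, services = parse_cfg(REGISTRY_CFG), parse_cfg(SERVICE_CFG)
    try:
        props = proxy_properties(registry, user, group) if user else None
    except PermissionError:
        return False
    return is_authorized(required_properties(services, service, method, HARDCODED), props)
```

With this model, `decide("lhcbuser1", "lhcb_admin", "JobService", "wipeJobs")` is allowed while the same user with the `lhcb_user` group is refused, because the configuration entry (`JobAdministrator`) overrides the hardcoded `NormalUser` default. A method that has no required properties in either place is denied, and an unauthenticated caller (`user=None`) only gets through a method marked “any” or “all”, which is what makes the warning about non-secured connections concrete.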