Delegation

Principles

The delegation, in Grid systems, is a process by which someone gives somebody else rights to act on his behalf.

Here we talk about delegation using public key infrastructure (PKI) certificates or X.509 certificates, especially using proxies. The proxies can be of RFC3820, draft RFC or legacy format.

The principles followed are that private key never goes over the network and that each private key is unique (random, not assured to be unique).

Steps for delegation

A simplified list of steps to obtain delegation:

  • client sends server a message informing that he wants to delegate
  • server generates a private key
  • server sends the public key that corresponds to the private key to the client
  • client generates a certificate using the public key from server and signs it with his private key
  • client sends the certificate to the server

After this procedure the server has the client certificate chain used in the authentication, the new proxy and corresponding private key. Thus the server has credentials allowing it to act on behalf of the client.

Security considerations

The delegation gives the server rights to act on belhalf of the user. That is what is wanted, but it is also a vulnerability, for example in case the server is hacked. One system to mitigate this vulnerability is to use limited proxies. Those are used in worker nodes (WN) as they are considered the most vulnerable as they are running user's jobs. When the proxy lands in a WN, it is marked limited, which means that it can't be used to submit jobs anymore. There are other ways to limit proxies too, but they are rarely or never used (yet?).

Further information

Further information about the delegation system developed in EGEE project in cooperation with GridSite and used in EMI is available below:

Edit | Attach | Watch | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r4 - 2013-02-12 - JoniHahkala
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    EMI All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback