DIRAC Authorization schema

This page describes how authorization works in DIRAC.

Authorization schema

DIRAC authorization is based on properties. Each remote method provided by DIRAC services can grant execution permission to a set of properties. These properties are assigned to user groups and hosts. Properties are assigned to methods and groups/hosts in the DIRAC CS.

Properties definition and usage

Users are defined using this CS schema:

Security
- Users
  - <nickname>
    · DN = <user DN>[, <userDN>]*
- Groups
  - <group name>
    · Users = <comma separated list of user nicknames belonging to the group>
    · Properties = <comma separated list of properties>
    · VOMSRole = <VOMS attribute related to this group>

Hosts are defined using this CS schema:

Security
- Hosts
  - <host nickname>
    · DN = <host DN>
    · Properties = <comma separated list of properties>

Properties defined in a group apply to all users in that group. Hosts have their properties defined individually. These properties are what allow a client to execute service methods. Each service defines, in its own CS section, which properties are required to execute its methods, using the following CS schema:

Systems
- <system name>
  - <setup>
    - Services
      - <service name>
        · Port = <port number>
        · Handler = <path to handler>
        · Protocol = <dip / dips>
        - Authorization
          · <RPC method 1> = <comma separated list of properties>
          · <RPC method 2> = <comma separated list of properties>
          · <RPC method 3> = <comma separated list of properties>
          · Default = <comma separated list of properties>
          - FileTransfer
            · ToClient = <comma separated list of properties>
            · FromClient = <comma separated list of properties>
            · Default = <comma separated list of properties>

There are two sections for defining authorization rules:

  • The Authorization section defines rules for RPC calls. Each option under section Authorization defines a rule for an RPC method. For instance, Systems/Monitoring/LHCb-Dev/Services/Test/Authorization/doSomething = prop1, prop2 would allow anyone with prop1 or prop2 to query RPC method doSomething of service Monitoring/Test for the LHCb-Dev setup.
  • The Authorization/FileTransfer section has the authorization rules for transfer queries and works like the RPC one, except that the options are not method names but transfer directions.

There are three special keywords that can be used in the authorization sections of a service:

  • Default as an RPC method name in the Authorization section matches any RPC method that does not have an authorization rule in the section.
  • all as a property name allows any client to query that method.
  • authenticated as a property name allows any authenticated client.
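As an added example (not DIRAC's own code), the following Python models the rules above over a constructed CS fragment laid out with the page's section and option names: group and host properties are resolved from Security, and a method rule is looked up in Authorization (falling back to Default), with all and authenticated handled as described.

```python
# Added example, not DIRAC's own code: a small evaluator for the rules above.
# The CS is modelled as nested dicts using the page's section/option names;
# the sample content below is constructed for this example.
SAMPLE_CS = {
    "Security": {
        "Groups": {
            "lhcb_user": {"Users": "alice, bob", "Properties": "NormalUser"},
            "lhcb_prod": {"Users": "bob", "Properties": "NormalUser, JobSharing"},
        },
        "Hosts": {"web01": {"DN": "/DC=org/CN=web01", "Properties": "TrustedHost"}},
    },
    "Systems": {"Monitoring": {"LHCb-Dev": {"Services": {"Test": {
        "Authorization": {
            "doSomething": "prop1, prop2",
            "ping": "all",
            "whoAmI": "authenticated",
            "Default": "ServiceAdministrator",
            "FileTransfer": {"ToClient": "NormalUser", "Default": "TrustedHost"},
        }}}}}},
}

def _split(value):
    """Parse a comma separated CS option into a list of property names."""
    return [v.strip() for v in value.split(",") if v.strip()]

def properties_for(cs, kind, name):
    """Properties of a group or host: Security/<Groups|Hosts>/<name>/Properties."""
    return _split(cs["Security"][kind].get(name, {}).get("Properties", ""))

def _rule_allows(rules, name, client_props, authenticated):
    """Explicit rule for `name`, else Default; no usable rule denies.  'all' admits
    anyone, 'authenticated' any authenticated client, else one listed property."""
    rule = rules.get(name, rules.get("Default"))
    if not isinstance(rule, str):  # missing, or the nested FileTransfer section
        return False
    required = _split(rule)
    if "all" in required:
        return True
    if "authenticated" in required and authenticated:
        return True
    return any(p in required for p in client_props)

def allowed(cs, system, setup, service, name, client_props, authenticated=True, transfer=False):
    """RPC rule (name is the method) or, with transfer=True, FileTransfer rule (name is the direction)."""
    rules = cs["Systems"][system][setup]["Services"][service]["Authorization"]
    if transfer:
        rules = rules["FileTransfer"]
    return _rule_allows(rules, name, client_props, authenticated)
```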

List of valid Properties

All properties are defined in DIRAC.Core.Security.Properties as string variables. In code, developers must use these variables rather than literal strings, to avoid typos as much as possible. The properties defined are:

Manager related properties

  • CS_ADMINISTRATOR = "CSAdministrator" : Allows modifying the central version of the Configuration System, triggering an update in the whole system.
  • SERVICE_ADMINISTRATOR = "ServiceAdministrator" : Grants manager privileges on the DIRAC services. For instance, it allows deleting old activities in the Monitoring system or triggering a rebucketing of the accounting data.
  • PROXY_MANAGEMENT = "ProxyManagement" : Grants manager privileges on the ProxyManager service.
  • JOB_ADMINISTRATOR = "JobAdministrator" : Grants manager privileges on the WMS system.

Job related properties

  • NORMAL_USER = "NormalUser" : Grants basic privileges to users, such as submitting jobs and monitoring them.
  • JOB_SHARING = "JobSharing" : Jobs submitted by users in a group with this property don't belong to the user individually but to the whole group. For instance lhcb_prod has this property.
  • PILOT = "Pilot" : This property is used to submit private pilots to the underlying grids. It allows matching jobs from the WMS corresponding to the same user but any group. The gLite WMS only allows one proxy per user to be automatically renewed from MyProxy, so we cannot submit pilots with short-lived proxies for different groups of the same user.
  • GENERIC_PILOT = "GenericPilot" : This property is used to submit generic pilots to the underlying grids. It allows matching jobs from the WMS corresponding to any user and group.

Proxy related properties

  • FULL_DELEGATION = "FullDelegation" : Grants permission to retrieve any delegated proxy from the Proxy Manager service.
  • LIMITED_DELEGATION = "LimitedDelegation" : Grants permission to retrieve any limited delegated proxy from the Proxy Manager service.
  • PRIVATE_LIMITED_DELEGATION = "PrivateLimitedDelegation" : Grants permission to retrieve a limited delegated proxy from the Proxy Manager service for the same user and any group that does not have this property. It is granted to private pilots so that they can retrieve the real identity needed to execute the workload.

Misc properties

  • TRUSTED_HOST = "TrustedHost" : Allows hosts to act on behalf of users when interacting with other DIRAC services. Only DIRAC web servers need to have this property.
  • SITE_MANAGER = "SiteManager" : To be decided

Examples of code usage

All properties must be defined in DIRAC.Core.Security.Properties. All the authorization and authentication helper methods live under DIRAC.Core.Security. DIRAC.Core.Security.CS has many helper methods for retrieving authorization-related information from the CS, such as finding the properties of a given group.

Examples outside a service handler

  • Retrieve the properties of a group

from DIRAC.Core.Security import CS
# Properties granted to every user of the group, read from Security/Groups/lhcb_prod/Properties
print( CS.getPropertiesForGroup( "lhcb_prod" ) )

  • Get the users in a group

from DIRAC.Core.Security import CS
# User nicknames listed under Security/Groups/lhcb_prod/Users
print( CS.getUsersInGroup( "lhcb_prod" ) )

  • Get the DNs of a user

from DIRAC.Core.Security import CS
# Certificate DNs registered for the user under Security/Users/<nickname>/DN
print( CS.getDNForUsername( "username" ) )

Inside a service handler

Some services need to know the identity of the connecting client in order to modify their behaviour. The self.getRemoteCredentials() method of the service handlers returns a dictionary with all the information about the connecting client.

Topic revision: r5 - 2009-02-13 - AdriaCasajus