Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

State of art in current production infrastructures

Use-case: To automatically provision accounts on EUDAT from PRACE.

B2ACCESS – B2STAGE/B2SAFE integration in EUDAT

The current official EUDAT implementation uses the following steps:

...

The mapping of the (external/DN) user name to local (iRODS) user is configured in role_map.json file.  The file allows mapping one or more B2ACCESS/Unity groups (organizations) or users to iRODS account. The names of groups or user ids must be explicitly mentioned in that file. This type of mapping means, that normally multiple users are mapped to single iRODS account and share their data within the defined group. 

User management and AAI in PRACE

User accounts are kept in a central LDAP and local accounts on PRACE nodes are provisioned by this database directly or by synchronizing it offline. The users are authenticated by X.509 (long living) certificates signed by IGTF approved CA. In particular, B2ACCESS X.509 short living certificates will not be widely accepted by PRACE nodes.

There is deisaUserProfile attribute in the LDAP schema. This attribute with value “EUDAT” is provided to users who indicated a consent that their user information may be shared between PRACE and EUDAT.

PRACE – EUDAT AAI integration

Figure 2. Overview of the integration components

 

PRACE LDAP -> B2ACCESS synchronization

Users from PRACE LDAP with deisaUserProfile set to “EUDAT” must be imported to B2ACCESS. While this import some LDAP attributes shall be converted to B2ACCESS groups, also all these users probably shall belong to “PRACE” group. In this way we distinguish PRACE users from anyone with IGTF certificate who can setup an B2ACCESS account.

...

As the result all and only PRACE users with deisaUserProfile set to “EUDAT” have B2ACCESS accounts and belong to PRACE group, which also implies access to other EUDAT services.

B2ACCESS – B2STAGE/B2SAFE integration

Two different integration methods are implemented.

Modification of the existing mechanism

The modified (remote_users_sync.py) script is run from cron on B2STAGE and provisions user's account. Besides EUDAT DN (one from the certificate generated by B2ACCESS) the script maps also DN from the X500Name identity which is certificate used to authenticate the user against B2ACCESS (in this case: the “PRACE” certificate), e.g:

...

        {"typeId":"persistent",
"value":"a7f7c4b5-7005-4af6-b346-b87f6e8ba442" …}]

New mechanism

Authentication and mapping DN of the initiator of incoming gridFTP request to iRODS user is done by B2STAGE software (gridmap_iRODS_callout) implemented by EUDAT. This solution introduces a additional callout to B2STAGE code: an external application is called prior the authentication and mapping. The application gets the DN as a parameter, so it may perform online verification against B2ACCESS of this single user.

...

  1. Get user (entity) info and groups from Unity
  2. If the user doesn’t belong to any of locally accepted B2ACCESS groups, remove the user from local (iRODS) groups that are maps of B2ACCESS groups (e.g. from PRACE group) and exit.
  3. If the user doesn’t have a local iRODS account, create it and add DN mapping to that account. The local username may be concatenation of some string and B2ACCESS id or persistent id (configurable).
  4. Add the user to local groups according to group map configuration.

Demonstrator

The demo is available for users added to the test LDAP, in order to try it please contact: jankowsk@man.poznan.pl

Demonstrator workflow

1.Group "PRACE" is empty on B2ACCESS and there is no user like "Michal Jankowski" in B2ACCESS

2.

User "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" cannot access EUDAT resource at gsiftp://eptest.eudat.psnc.pl

3.There is no local user account mapped to "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" on eptest.eudat.psnc.pl.
4.

Users with attribute deisaUserProfile set to “EUDAT” are selected from PRACE LDAP.

The same selection is done by prace_eudat_users_sync.py script, that synchronizes PRACE LDAP and B2ACCESS. Normally the script is called periodically (e.g. hourly), but for the demo it may be run manually by the admin.

5.After the script run, the user  "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" appear in B2ACCESS and group "PRACE" contains PRACE users.
6.

User "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" can access EUDAT resource at gsiftp://eptest.eudat.psnc.pl

7.Local user account provisioning and grid mapping are done automatically on user login.
8.

Attribute deisaUserProfile with value “EUDAT” is removed from user "Michal Jankowski" in PRACE LDAP.

9.As the result of prace_eudat_users_sync.py script run the user is removed from PRACE group in B2ACCESS (but not completely from the service).

10.

User "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" cannot access EUDAT resource at gsiftp://eptest.eudat.psnc.pl

11.The local account still exists, but the user is removed from the grid mapping.

 

Resources

  1. Unity IDM GitHub

Status

PRACE LDAP -> B2ACCESS script:

...