Chep06 : gPLAZMA, Introducing RBAC Security in dCache


gPLAZMA : Introducing RBAC Security in dCache


Abhishek Singh Rana UCSD
Frank Wuerthwein UCSD
and the dCache team


We introduce gPLAZMA (grid-aware PLuggable AuthoriZation MAnagement) Architecture. Our work is motivated by a need for fine-grain security (Role Based Access Control or RBAC) in Storage Systems, and utilizes VOMS extended X.509 certificate specification for defining extra attributes (FQANs), based on RFC 3281. Our implementation, the gPLAZMA module for dCache, introduces Storage Authorization Callouts for SRM and GridFTP. It allows using different authorization mechanisms simultaneously, fine-tuned with switches and priorities of mechanisms. Of the four mechanisms currently supported, one is an integration with RBAC services in the OSG Privilege Project, others are built-in as a lightweight suite of services (gPLAZMAlite Services Suite) including the legacy dcache.kpwd file, as well as the popular grid-mapfile, augmented with a gPLAZMAlite specific RBAC mechanism. Based on our current work, we also outline a future potential towards authorization for storage quotas. This work was undertaken as a collaboration between PPDG Common, OSG Privilege project, and the SRM-dCache groups at DESY, FNAL and UCSD.