Mingchao,
I've had a look at the documentation and it is relatively simple to use
dCache's gPlazma authorization system to ban particular DN and VOMS role
combinations:
http://www.dcache.org/manuals/Book/ch12s05.shtml
To create a revocation entry, add a line with "-" (without quotes) as
the username in the /etc/grid-security/grid-vorolemap file, i.e.
"/DC=org/DC=doegrids/OU=People/CN=Timur Perelmutov 623542" "/uscms/production" -
or modify the username of the entry if it already exists. The behaviour
is undefined if there are two entries which differ only by username.
Since DN is matched first, if a user would be authorized by his VO
membership through a "*" entry, but is matched according to his DN to a
revocation entry, authorization would be denied. Likewise if a whole VO
were denied in a revocation entry, but some user in that VO could be
mapped to a username through his DN, then authorization would be granted.
Could you add this to the wiki page?
Thanks,
Greig
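The matching order described in the mail (DN-specific entry first, then a "*" entry matching the VOMS FQAN, with "-" as the username meaning the request is refused) can be modelled in a few lines so that a site admin can check what a given grid-vorolemap will do before a user actually hits the SE. The following is an added illustration, not dCache's own gPlazma code; the sample file content is constructed, the helper names are my own, and it also flags the "two entries differing only by username" case the mail says has undefined behaviour.

```python
"""Model of the grid-vorolemap lookup rules described in the mail above.

Added example, not dCache code.  Assumed file format, as in the mail:
one entry per line, a quoted DN (or "*" for any DN), a quoted VOMS FQAN,
and a username; a username of "-" is a revocation entry.
"""
import shlex
from collections import defaultdict
from typing import List, Optional, Tuple

# Constructed sample /etc/grid-security/grid-vorolemap (not a real site's file).
SAMPLE_VOROLEMAP = '''
# DN-specific revocation: this DN is refused even though /uscms/production is mapped below
"/DC=org/DC=doegrids/OU=People/CN=Timur Perelmutov 623542" "/uscms/production" -
# everyone else presenting /uscms/production maps to a pool account
"*" "/uscms/production" uscms01
# whole VO role revoked ...
"*" "/dteam/Role=NULL/Capability=NULL" -
# ... but one DN in that VO is still mapped explicitly, so it is granted
"/C=UK/O=example/OU=Site/CN=Example Operator" "/dteam/Role=NULL/Capability=NULL" dteam001
'''

Entry = Tuple[str, str, str]  # (dn_or_star, fqan, username)


def parse_vorolemap(text: str) -> List[Entry]:
    """Parse grid-vorolemap text into (dn, fqan, username) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double quotes around DN and FQAN
        if len(fields) != 3:
            raise ValueError(f"malformed grid-vorolemap line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def lookup(entries: List[Entry], dn: str, fqan: str) -> Optional[str]:
    """Username the mapping yields, or None.  DN-specific entries win over "*" entries."""
    for e_dn, e_fqan, user in entries:
        if e_dn == dn and e_fqan == fqan:
            return user
    for e_dn, e_fqan, user in entries:
        if e_dn == "*" and e_fqan == fqan:
            return user
    return None


def authorize(entries: List[Entry], dn: str, fqan: str) -> Tuple[bool, str]:
    """(granted, username-or-reason) for a DN presenting a given VOMS FQAN."""
    user = lookup(entries, dn, fqan)
    if user is None:
        return (False, "no matching entry")
    if user == "-":
        return (False, "revocation entry")
    return (True, user)


def find_conflicts(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(dn, fqan) pairs that appear more than once with different usernames.

    The mail says behaviour is undefined for such pairs, so they should be
    fixed in the file rather than relied upon."""
    seen = defaultdict(set)
    for e_dn, e_fqan, user in entries:
        seen[(e_dn, e_fqan)].add(user)
    return sorted(key for key, users in seen.items() if len(users) > 1)


if __name__ == "__main__":
    entries = parse_vorolemap(SAMPLE_VOROLEMAP)
    banned_dn = "/DC=org/DC=doegrids/OU=People/CN=Timur Perelmutov 623542"
    print(authorize(entries, banned_dn, "/uscms/production"))            # (False, 'revocation entry')
    print(authorize(entries, "/C=UK/O=example/CN=Other", "/uscms/production"))  # (True, 'uscms01')
    print(find_conflicts(entries))                                         # []
```

Running it shows the two situations the mail spells out: the DN-level revocation overrides the "*" mapping for /uscms/production, and the explicit DN mapping for dteam overrides the VO-wide revocation. `find_conflicts` is worth running after every edit to the file, since a revocation that silently loses to a duplicate entry is exactly the failure a ban is meant to avoid.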
On 07/11/07 17:55, Ma, M (Mingchao) wrote:
> Hi all,
>
> Considering the recent CNAF security incident and last weeks' RSA768 job,
> it seems that some admins do not know exactly how to ban/blacklist a
> user on CE, SE or GridFTP. I summed up some tips in the mailing list and
> created a wiki page on gridPP
> (https://www.gridpp.ac.uk/wiki/How_to_ban/blacklist_user_on_CE_and_SE).
> It includes some basic tips on how to ban a user on different services.
> Please feel free to add/correct it or email me your solution.
>
> Cheers,
>
> Mingchao