We are working with cloud computing (OpenStack in particular) so
applying Unix UIDs is not really an option. Also users will not have an
account on OpenStack prior to using it. Instead, Keystone groups are
created (which equate to Unix accounts in that they confer a set of
access rights), so we need to map the users' IDs into Keystone groups. In
your case, the user already knows his Unix login ID and password and so
can link this to his IDP ID. In our case we are proposing to send the
user his Keystone group name and a password. So we have essentially
solved the problem in very similar ways.
regards
David
On 22/05/2014 15:25, Stefan Paetow wrote:
>> But what are they linking their ID to? It needs to be a VO role in
>> order to give them specific rights at the multitude of resources (I
>> guess your umbrella ID is a proxy for this?). So how do they know
>> which role to link to, and how does the system stop people linking
>> to unauthorised roles?
>
> In each of the PaNdata facilities, the link is made between their
> actual user account at the facility (they will *always* have a native
> account) and an identifier received from the Umbrella system. The
> identifier is anonymous but is unique to them.
>
> The link is maintained in a so-called User Office System, which is
> administered by the site in question (it also works for people like
> GridPP, DiRAC, etc). The site decides which resources that user has
> access to. Standard Unix/Windows UID and GIDs apply to any of the
> resources, so if, in the case of Diamond, a user is only allowed to
> log into Beamline I-14, then any attempts to log into Beamline B-06
> will fail because the permissions to that resource have not been
> given. Unix has been *very* good at that for the last 40 years, so
> leverage that :-)
>
> Stefan