Friday, June 11, 2010

Grid Security

/////////////////////////// Concepts ///////////////////////////
-----------------Security and authentication mechanism-----------------
On the Grid, security and authentication are achieved with certificates and GSS.
Every user has a Certificate (public key plus personal information) and a Private key generated under PKCS#12 (Public-Key Cryptography Standards). The public key can normally be read by anyone, while the private key may only be used by its owner. Once the PKC standard is in use, the GSS transport authentication mechanism can establish a secure transfer between two hosts.

-----------------Proxy-----------------
However, on the Grid it is sometimes necessary to send the user's PKC to a Grid host; for example, when a CE needs to download data from an SE, this user's PKC is required. That is dangerous, because the credential could be stolen by someone else. Hence the Proxy: it also has a PrivateKey/Publickey pair, but one that lives only for a few hours, so the Proxy can be carried into the Grid environment to provide security and authentication. Properties of the Proxy:
1. Valid for 12 hours by default
2. It is not protected by a passphrase

-----------------VOMS-----------------
The newest authentication and security mechanism is voms (VO Management Service), which provides and manages user Roles and Privileges; the details still need to be studied. VO stands for Virtual Organisations: conceptually, a user who belongs to a VO can use that VO's information.

Note here that grid proxy and voms-proxy are similar, yet not quite the same:
when creating a voms-proxy, a grid proxy is created first, then the voms information is obtained, and the VO information is appended to /tmp/x509certificate, as in
{{{
[ui01] /home/dhc00/LSA > voms-proxy-info -all
subject : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110/CN=proxy
issuer : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
identity : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
type : proxy
strength : 1024 bits
path : /tmp/x509up_u45075
timeleft : 11:59:51
=== VO euasia extension information ===
VO : euasia
subject : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 11:59:50
uri : voms.grid.sinica.edu.tw:15015
}}}
The first half is the Grid-Proxy and the second half is the VO information,
which is why Grid-proxy and Voms-proxy are alike in concept but are treated as different proxies.
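As an added example (not code from the original post), the Python below parses the two-part `voms-proxy-info -all` output shown above into the Grid-Proxy part and the VO extension part, converts `timeleft` into seconds, and runs the checks a job wrapper would want before trusting the credential: the proxy subject is derived from its identity, each VO attribute certificate is for the same identity, enough lifetime remains on both parts, and the VOMS issuer is one we expect. The `trusted_voms_issuers` list and the `min_seconds` threshold are my parameters, not part of the tools; the sample text is the output from the post.

```python
import re

# Constructed sample: the voms-proxy-info -all output shown in the post.
SAMPLE_OUTPUT = """\
subject : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110/CN=proxy
issuer : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
identity : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
type : proxy
strength : 1024 bits
path : /tmp/x509up_u45075
timeleft : 11:59:51
=== VO euasia extension information ===
VO : euasia
subject : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 11:59:50
uri : voms.grid.sinica.edu.tw:15015
"""

VO_HEADER = re.compile(r"^=== VO (\S+) extension information ===$")


def parse_timeleft(value):
    """Convert an 'H:MM:SS' timeleft value to seconds; anything unparsable counts as expired (0)."""
    parts = value.strip().split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return 0
    hours, minutes, seconds = (int(p) for p in parts)
    return hours * 3600 + minutes * 60 + seconds


def parse_voms_proxy_info(text):
    """Split the output into the grid-proxy part (a dict) and one dict per VO extension block.

    Values are split on the first ':' only, so 'uri : host:15015' and 'timeleft : 11:59:51'
    keep their colons. 'attribute' lines are collected into a list, since a VO may grant several.
    """
    proxy, vos = {}, []
    current = proxy
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = VO_HEADER.match(line)
        if header:
            current = {"VO": header.group(1), "attribute": []}
            vos.append(current)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line
        key, value = key.strip(), value.strip()
        if key == "attribute":
            current.setdefault("attribute", []).append(value)
        else:
            current[key] = value
    return proxy, vos


def check_credential(proxy, vos, min_seconds=3600, trusted_voms_issuers=()):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    identity = proxy.get("identity", "")
    # A proxy is the identity certificate's subject plus an extra /CN=... component.
    if not proxy.get("subject", "").startswith(identity + "/CN="):
        findings.append("proxy subject is not derived from its identity")
    if parse_timeleft(proxy.get("timeleft", "")) < min_seconds:
        findings.append("proxy has less than %d s left" % min_seconds)
    for vo in vos:
        name = vo.get("VO", "?")
        # The VO attribute certificate must be bound to the same person as the proxy.
        if vo.get("subject") != identity:
            findings.append("VO %s: attribute certificate is for a different identity" % name)
        if trusted_voms_issuers and vo.get("issuer") not in trusted_voms_issuers:
            findings.append("VO %s: untrusted VOMS issuer %s" % (name, vo.get("issuer")))
        # The VO part usually expires a little before the proxy; it must still cover the job.
        if parse_timeleft(vo.get("timeleft", "")) < min_seconds:
            findings.append("VO %s: attribute certificate has less than %d s left" % (name, min_seconds))
    return findings


if __name__ == "__main__":
    grid_proxy, vo_blocks = parse_voms_proxy_info(SAMPLE_OUTPUT)
    print("grid proxy:", grid_proxy["path"], grid_proxy["timeleft"])
    for block in vo_blocks:
        print("VO", block["VO"], "attributes:", block["attribute"])
    print("findings:", check_credential(grid_proxy, vo_blocks,
          trusted_voms_issuers=["/C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw"]))
```

In practice the text would come from `subprocess.run(["voms-proxy-info", "-all"], capture_output=True, text=True).stdout` instead of the embedded sample; the `min_seconds` value should be at least the expected run time of whatever the proxy is about to be used for.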



/////////////////////////// Configuration files and environment variables ///////////////////////////
I. The user's PKCS#12 credentials are kept in $HOME/.globus by default
II. The user's Proxy file is placed in /tmp/x509up_uID
It can be checked with echo $X509_USER_PROXY, e.g. /tmp/x509up_u45075
III. CA (Certification Authority) certificates are normally placed in /etc/grid-security/certificates
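Because the proxy file carries an unencrypted key (property 2 above), file ownership and permissions are all that protect it. As an added example (not from the original post), this Python script audits the paths listed here: the long-lived credentials in $HOME/.globus, assumed to use the usual Globus file names userkey.pem and usercert.pem (the post does not name them), and the proxy at $X509_USER_PROXY or /tmp/x509up_u<uid>. It also builds a throwaway directory with constructed placeholder files so the checks can be exercised offline.

```python
import os
import shutil
import stat
import tempfile

# Default location of the long-lived credentials, as stated in the post.
GLOBUS_DIR = os.path.expanduser("~/.globus")


def default_proxy_path():
    """$X509_USER_PROXY if set, otherwise /tmp/x509up_u<uid> as described in the post."""
    return os.environ.get("X509_USER_PROXY") or "/tmp/x509up_u%d" % os.getuid()


def audit_file(path, allowed_modes, uid, required=True):
    """Check that path is a regular file owned by uid with one of the allowed permission modes."""
    findings = []
    try:
        st = os.lstat(path)  # lstat so a symlink planted at the path is reported, not followed
    except FileNotFoundError:
        return ["%s: missing" % path] if required else []
    if not stat.S_ISREG(st.st_mode):
        findings.append("%s: not a regular file (symlink or special file)" % path)
    if st.st_uid != uid:
        findings.append("%s: owned by uid %d, not %d" % (path, st.st_uid, uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode not in allowed_modes:
        findings.append("%s: mode %04o, expected one of %s"
                        % (path, mode, ", ".join("%04o" % m for m in sorted(allowed_modes))))
    return findings


def audit_credentials(globus_dir, proxy_path, uid):
    """Audit the user's credential files.

    userkey.pem is passphrase-protected but must still be private (0400 or 0600);
    usercert.pem is public data and may be world-readable; the proxy holds an
    unencrypted key, so only 0600 is acceptable. A missing proxy is not a finding,
    it simply means no proxy has been created yet.
    """
    findings = []
    findings += audit_file(os.path.join(globus_dir, "userkey.pem"), {0o400, 0o600}, uid)
    findings += audit_file(os.path.join(globus_dir, "usercert.pem"), {0o400, 0o600, 0o444, 0o644}, uid)
    findings += audit_file(proxy_path, {0o600}, uid, required=False)
    return findings


def audit_constructed_fixture(key_mode=0o644, proxy_mode=0o600):
    """Run the audit against a temporary directory built to order (constructed placeholder files,
    not real credentials) and return the findings, so the behaviour can be checked offline."""
    base = tempfile.mkdtemp()
    try:
        globus = os.path.join(base, ".globus")
        os.mkdir(globus, 0o700)
        for name, mode in (("userkey.pem", key_mode), ("usercert.pem", 0o644)):
            path = os.path.join(globus, name)
            with open(path, "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed content
            os.chmod(path, mode)
        proxy = os.path.join(base, "x509up_u45075")
        with open(proxy, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed content
        os.chmod(proxy, proxy_mode)
        return audit_credentials(globus, proxy, os.getuid())
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for line in audit_credentials(GLOBUS_DIR, default_proxy_path(), os.getuid()) or ["OK"]:
        print(line)
```

Run without arguments it audits the real paths for the current user; `audit_constructed_fixture()` shows what a world-readable userkey.pem looks like in the report.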


/////////////////////////// Commands ///////////////////////////
1. grid-cert-info
2. grid-proxy-destroy grid-proxy-info grid-proxy-init
3. voms-proxy-init -voms
voms-proxy-info -all


/////////////////////////// Examples ///////////////////////////
a. Check the user certificate:
$ grid-cert-info
{{{
[ui01] /home/dhc00/LSA > grid-cert-info
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1516 (0x5ec)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TW, O=AS, CN=Academia Sinica Grid Computing Certification Authority Mercury
Validity
Not Before: Jan 11 04:10:29 2010 GMT
Not After : Jan 11 04:10:29 2011 GMT
Subject: C=TW, O=AS, OU=GRID, CN=DeHua Chung 179110
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:a2:80:6b:9b:59:55:77:57:b6:19:0a:28:09:
bf:f4:e6:36:9c:22:bb:8c:6a:9d:73:c7:fe:2e:33:
3c:24:0c:bb:19:97:7e:d4:e1:21:1c:63:e1:b3:8b:
0d:6d:eb:76:67:1c:1b:24:9d:1d:f3:b2:53:2d:23:
96:a4:53:47:b1:d1:fb:16:3e:c1:a2:fb:0d:1e:29:
27:ae:75:af:be:a1:c6:57:3a:c8:34:6c:8d:bd:61:
d8:39:32:21:db:40:be:11:5d:29:14:b9:ee:7d:df:
ab:02:41:d4:15:12:e0:e4:dc:ae:3b:b2:11:f5:01:
69:c8:14:13:19:14:d2:36:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Subject Key Identifier:
76:CB:A8:01:46:2A:0C:C2:80:A5:75:5B:7D:B1:A1:8C:F5:11:8E:08
X509v3 Authority Key Identifier:
keyid:7F:4D:97:15:97:B4:8D:5F:C0:D7:77:AB:31:76:D0:5F:6B:E2:5B:30
DirName:/C=TW/O=AS/CN=Academia Sinica Grid Computing Certification Authority Mercury
serial:00

X509v3 Issuer Alternative Name:
email:asgcca@grid.sinica.edu.tw, URI:http://ca.grid.sinica.edu.tw/
X509v3 Subject Alternative Name:
email:Andy.Chung@twgrid.org
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.5935.10.1.2.1
Policy: 1.2.840.113612.5.2.2.1
CPS: http://ca.grid.sinica.edu.tw/CPS/

X509v3 CRL Distribution Points:
URI:http://ca.grid.sinica.edu.tw/publication/CRL/ASGCCA-crl.der

Signature Algorithm: sha1WithRSAEncryption
8f:cf:21:b7:36:89:41:6d:61:8d:c3:37:38:7c:62:34:24:b2:
0e:0b:80:ef:b8:c9:22:17:c5:b8:75:0e:3e:ed:aa:6b:64:1e:
17:e5:ea:4f:54:c9:9a:b6:65:78:ce:46:fb:9b:1d:14:18:8a:
2a:ea:cc:cc:71:2a:88:cf:6a:38:56:8b:b6:8c:be:05:11:5a:
06:a1:b7:68:e0:fe:a3:16:ba:eb:58:13:39:7d:50:90:fc:dc:
20:96:2e:94:77:c5:17:53:1f:6e:98:80:b5:fe:7e:32:99:c0:
16:a9:b0:14:d4:70:35:f5:4f:e9:db:f2:0b:f6:8a:95:25:9e:
89:26:09:ad:00:b1:17:b2:7c:9c:70:b7:46:d1:92:e2:6c:ca:
65:7d:83:6c:37:0e:28:a9:3b:40:8a:f3:f9:13:c2:63:bb:21:
b9:c0:b2:08:84:08:b5:31:66:d7:e8:09:56:ca:e0:ae:2e:27:
6d:e0:ad:63:14:b1:8e:e5:60:b6:0b:4b:a3:f8:fa:5c:8e:c3:
a9:04:9c:7e:bd:40:a5:f1:f7:9b:cf:c6:cc:e1:71:8d:ab:71:
47:6c:68:b2:d1:e3:37:5e:1a:0b:12:8a:68:8e:17:d4:8f:e4:
ba:d0:f1:38:e2:35:e5:f8:bb:a8:f4:d1:a0:8f:8e:1d:b1:69:
5d:2e:1c:08
}}}
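The certificate above is valid for one year, so the field worth watching is `Not After`. As an added example (not code from the original post), this Python script parses the openssl-style text that grid-cert-info prints into the fields a renewal check needs (validity window, key size, signature algorithm, CRL distribution point) and reports what would block a user from working. The sample input is a constructed excerpt of the output above with the modulus and signature bytes left out; the `warn_days` threshold and the SHA-1 check reflect my own baseline, not anything the post states.

```python
from datetime import datetime, timezone

# Constructed excerpt of the grid-cert-info output shown above (only the fields inspected here).
SAMPLE_CERT_INFO = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1516 (0x5ec)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=TW, O=AS, CN=Academia Sinica Grid Computing Certification Authority Mercury
        Validity
            Not Before: Jan 11 04:10:29 2010 GMT
            Not After : Jan 11 04:10:29 2011 GMT
        Subject: C=TW, O=AS, OU=GRID, CN=DeHua Chung 179110
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                URI:http://ca.grid.sinica.edu.tw/publication/CRL/ASGCCA-crl.der
"""

TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"  # openssl's text form, e.g. 'Jan 11 04:10:29 2011 GMT'
WEAK_SIGNATURE_ALGORITHMS = ("md5WithRSAEncryption", "sha1WithRSAEncryption")


def parse_cert_info(text):
    """Extract the fields the checker needs from grid-cert-info's text dump."""
    info = {"crl_urls": []}
    section = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")  # split on the first ':' only (timestamps, URLs)
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if not value:
            section = key  # a header such as 'X509v3 CRL Distribution Points:'
        elif key in ("Issuer", "Subject", "Serial Number", "Signature Algorithm"):
            info[key] = value
        elif key in ("Not Before", "Not After"):
            info[key] = datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)
        elif key == "RSA Public Key":
            info["key_bits"] = int(value.strip("()").split()[0])
        elif key == "URI" and section == "X509v3 CRL Distribution Points":
            info["crl_urls"].append(value)
    return info


def check_cert(info, now, warn_days=30, min_key_bits=1024):
    """Return (days_left, findings). days_left is negative once the certificate has expired."""
    findings = []
    remaining = info["Not After"] - now
    if now < info["Not Before"]:
        findings.append("certificate is not yet valid (Not Before %s)" % info["Not Before"].date())
    if remaining.total_seconds() <= 0:
        findings.append("certificate expired on %s" % info["Not After"].date())
    elif remaining.days < warn_days:
        findings.append("certificate expires in %d days (%s); request renewal"
                        % (remaining.days, info["Not After"].date()))
    if info.get("key_bits", 0) < min_key_bits:
        findings.append("RSA key is only %d bits" % info.get("key_bits", 0))
    if info.get("Signature Algorithm") in WEAK_SIGNATURE_ALGORITHMS:
        findings.append("signature algorithm %s is deprecated" % info["Signature Algorithm"])
    if not info["crl_urls"]:
        findings.append("no CRL distribution point: revocation cannot be checked")
    return remaining.days, findings


def run_sample(now_iso):
    """Check the embedded sample as of the given ISO-8601 UTC time, e.g. '2010-06-11T00:00:00'."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return check_cert(parse_cert_info(SAMPLE_CERT_INFO), now)


if __name__ == "__main__":
    days, problems = run_sample("2010-06-11T00:00:00")  # the date of the post
    print("days left:", days)
    for problem in problems:
        print("-", problem)
```

Against real output, feed `subprocess.run(["grid-cert-info"], capture_output=True, text=True).stdout` to `parse_cert_info` and pass `datetime.now(timezone.utc)` to `check_cert`.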

b. Start a Grid Proxy: grid-proxy-init

c. Show Proxy information:
{{{
[ui01] /home/dhc00/LSA > grid-proxy-info
subject : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110/CN=proxy
issuer : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
identity : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
type : full legacy globus proxy
strength : 1024 bits
path : /tmp/x509up_u45075
timeleft : 9:46:39
}}}

d. List the voms-proxy-info contents
{{{
[ui01] /home/dhc00/LSA > voms-proxy-init -voms euasia
Cannot find file or dir: /home/dhc00/.glite/vomses
Enter GRID pass phrase:
Your identity: /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
Creating temporary proxy ............................................................. Done
Contacting voms.grid.sinica.edu.tw:15015 [/C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw] "euasia" Done
Creating proxy ..................................................... Done
Your proxy is valid until Fri Jun 11 23:44:05 2010
[ui01] /home/dhc00/LSA > voms-proxy-info -all
subject : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110/CN=proxy
issuer : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
identity : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
type : proxy
strength : 1024 bits
path : /tmp/x509up_u45075
timeleft : 11:59:51
=== VO euasia extension information ===
VO : euasia
subject : /C=TW/O=AS/OU=GRID/CN=DeHua Chung 179110
issuer : /C=TW/O=AS/OU=GRID/CN=voms.grid.sinica.edu.tw
attribute : /euasia/Role=NULL/Capability=NULL
timeleft : 11:59:50
uri : voms.grid.sinica.edu.tw:15015
}}}
