ADA authentication and authorization

Contact: David Adams

Introduction
Most of the services within ADA require authentication and authorization. Each user is required to have a Globus GSI certificate and to register it with the ATLAS VO (virtual organization). Service requests include a proxy with limited lifetime generated from the user's certificate. ADA services perform the usual Globus authentication and extract the user's unique distinguished name (DN) from the proxy certificate. Authorization is performed by comparing this DN with the list of DNs obtained from the VO.

As of DIAL release 1.20, DIAL services make use of proxy forwarding, i.e. they may forward the user's proxy certificate to obtain authorization to use other services for file transfer, job submission and other activities.

User identity
Certificates have a finite lifetime and may be obtained from different certificate authorities. A single user is likely to hold many certificates over the lifetime of ATLAS, and there is no guarantee that the user will be assigned the same DN (distinguished name) for all certificates. For this reason, we seek a mechanism to link together all the DNs associated with each user and assign each user a single persistent identity. However, at present the DN serves to identify the user.

Obtaining and registering user certificates
Instructions for obtaining certificates may be found here.
All members of ATLAS can register for the LCG ATLAS VO on the LCG registration page.
Members of US ATLAS can find information about obtaining and registering grid certificates here.

Generating proxy certificates
Once a certificate is obtained and installed, a proxy may be generated using the usual Globus command

> grid-proxy-init
with options to control parameters such as the lifetime of the proxy. Use
> grid-proxy-info
to view the status of your proxy. DIAL users can use the command
> check_proxy
to check the current proxy and automatically extend it when the remaining lifetime is short.
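The following script is an added example and is not part of the ADA or DIAL code. It shows, in one place, the two checks described on this page: the authorization step from the Introduction (recover the user's DN from the proxy subject and compare it with the list of DNs obtained from the VO) and the lifetime check that check_proxy performs on top of grid-proxy-info. The grid-proxy-info output and the VO membership list are constructed sample data; the one-hour renewal threshold is an assumption chosen for the example. The DN recovery relies on the standard proxy naming convention, where a proxy appends "/CN=proxy" or "/CN=limited proxy" (legacy Globus proxies) or a numeric "/CN=<serial>" (RFC 3820 proxies) to the user's DN.

```python
import re
from datetime import timedelta

# Constructed sample of `grid-proxy-info` output. The layout mirrors the
# tool's "key : value" lines; the DN, path and timeleft are made-up values.
SAMPLE_PROXY_INFO = """\
subject  : /DC=org/DC=doegrids/OU=People/CN=Jane Physicist 123456/CN=proxy
issuer   : /DC=org/DC=doegrids/OU=People/CN=Jane Physicist 123456
type     : full legacy globus proxy
strength : 1024 bits
path     : /tmp/x509up_u1000
timeleft : 0:42:17
"""

# Constructed VO membership list, standing in for the DNs a service obtains
# from the ATLAS VO.
VO_MEMBERS = {
    "/DC=org/DC=doegrids/OU=People/CN=Jane Physicist 123456",
    "/DC=org/DC=doegrids/OU=People/CN=Another Member 654321",
}

# A proxy subject is the user's DN with one or more proxy CN components
# appended: "proxy" / "limited proxy" for legacy Globus proxies, a numeric
# serial for RFC 3820 proxies. Stripping them recovers the user's DN.
_PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")

# Assumed renewal policy for this example: extend when under one hour remains.
RENEWAL_THRESHOLD = timedelta(hours=1)


def parse_proxy_info(text):
    """Parse grid-proxy-info style 'key : value' lines into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def user_dn_from_subject(subject):
    """Strip trailing proxy CN components (possibly several, for a
    proxy-of-a-proxy) to obtain the end-entity DN that authorization uses."""
    dn = subject
    while True:
        stripped = _PROXY_CN.sub("", dn)
        if stripped == dn:
            return dn
        dn = stripped


def is_limited_proxy(subject):
    """Limited proxies are usually refused for job submission or forwarding."""
    return "/CN=limited proxy" in subject


def is_authorized(subject, vo_members):
    """The page's authorization rule: the DN extracted from the proxy must
    appear in the set of DNs obtained from the VO."""
    return user_dn_from_subject(subject) in vo_members


def parse_timeleft(value):
    """grid-proxy-info prints timeleft as H:MM:SS."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def needs_renewal(timeleft, minimum=RENEWAL_THRESHOLD):
    """check_proxy's behaviour in miniature: flag a proxy whose remaining
    lifetime is below the threshold so it can be regenerated."""
    return timeleft < minimum


def check(text, vo_members):
    """Run both checks over one grid-proxy-info report."""
    info = parse_proxy_info(text)
    subject = info["subject"]
    timeleft = parse_timeleft(info["timeleft"])
    return {
        "user_dn": user_dn_from_subject(subject),
        "limited": is_limited_proxy(subject),
        "authorized": is_authorized(subject, vo_members),
        "timeleft": timeleft,
        "needs_renewal": needs_renewal(timeleft),
    }


if __name__ == "__main__":
    for key, value in check(SAMPLE_PROXY_INFO, VO_MEMBERS).items():
        print(f"{key:14s}: {value}")
```

Note that the comparison is against the end-entity DN, not the raw proxy subject: a fresh proxy gets a new "/CN=..." suffix each time it is generated, so matching the full subject against the VO list would fail on every proxy. This is also why the "User identity" section's concern applies here: a user who obtains a new certificate with a different DN must re-register that DN with the VO before the check passes.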

GLite
gLite has its own flavor of grid certificates but presently accepts those generated using the above mechanisms. If you wish to use gLite services, you must additionally register with the gLite VO.


Last modified 14jun05, dla