Description of the NorduGrid Virtual Organization

The NorduGrid Virtual Organization (VO) is the user management system for Nordic academic Grid users. It is typically used by resources that deploy the ARC Middleware, though the VO itself is middleware-neutral. The VO is formalized through a user database and a set of tools for database and grid-mapfile management. In particular, by being added to the NorduGrid VO, users can gain free access to those resources which authorize this VO's members.

Since the membership is free, no guarantees are provided as to whether users will actually get access to the resources.

Grid authentication and authorisation

In a Grid environment, users usually don't have login accounts with passwords for the computing resources they want to use; instead they hold a certificate issued by a Certificate Authority. This certificate authenticates them to the required resources. Authentication, however, does not mean automatic access to the resource. Access control for the computing resources (authorization) is a matter of local policy; in the Grid environment it is done by mapping the accepted set of user certificates to local user accounts.

NorduGrid VO: purposes and organization

The NorduGrid VO maintains a list of accepted users who are authorized to use those resources which chose to allow them. The VO tools provide an automatic method for the NorduGrid sites to easily maintain the mappings from NorduGrid VO users to local Unix accounts. This automatic mapping does not violate site autonomy, because the site administrators retain full control over their systems through the possibility of denying access to unreliable Grid users in the NorduGrid VO's configuration file.

The database of the VO is maintained by the VO managers. Their responsibility is to add, delete or modify user entries. The NorduGrid VO supports the creation of groups. Groups can be created or removed by the VO managers. A group is a subset of the NorduGrid VO and is maintained by an assigned group manager. The group manager has the right to select members of the group out of the NorduGrid VO database. With the existence of user groups, site administrators can implement group based mappings (all the members of a certain group are mapped to the same local Unix user), in addition to the default user-based mappings.

The authentication and authorization of the managers of the database is done through their certificates. This means that access rights to the database are granted at the personal certificate level, i.e., the managers don't have to remember and type account names accompanied by their passwords; they only need to present their certificate to the VO server in order to modify data. This certificate-based access control also eliminates the possibility of password sharing: only the owner of the right certificate is able to commit modifications to the database.

Technical implementation of the VO

The VO database is kept in a VOMS server, and is managed via respective VOMS tools. The NorduGrid sites periodically run the nordugridmap utility in order to query the VO server and automatically create/update the local user mappings according to their local site policy (defined in their configuration file). All the relevant software can be downloaded from the NorduGrid software repository (see authorisation part).
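The mapping step described in the authentication/authorization section, the site-controlled deny list and group-based versus user-based mappings described under purposes and organization, and the periodic grid-mapfile generation described here all come down to one procedure: take the VO member list, apply the local site policy, and emit grid-mapfile lines. The following is an added illustration of that procedure, not the nordugridmap utility and not NorduGrid's own code. It assumes a constructed in-memory member list in place of the VOMS query, and the policy fields (`default_user`, `group_map`, `denied_dns`) are hypothetical names, not nordugridmap's configuration syntax; the sample DNs and account names are constructed. The output syntax (the certificate subject in double quotes followed by the local account) is the standard grid-mapfile format.

```python
"""Build a grid-mapfile from a VO member list under a local site policy.

Added illustration; not the nordugridmap utility.  The VOMS query is replaced
by a constructed in-memory member list, and the policy field names are
assumptions, not nordugridmap's configuration syntax.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VoMember:
    dn: str            # certificate subject (distinguished name) of the VO user
    groups: tuple = () # VO groups the member belongs to, as selected by group managers


@dataclass
class SitePolicy:
    default_user: str                                 # user-based mapping: fallback account
    group_map: dict = field(default_factory=dict)     # VO group -> local Unix account
    denied_dns: frozenset = frozenset()               # DNs this site refuses to map


# Constructed sample of what a VO membership query might return (not real data).
SAMPLE_MEMBERS = (
    VoMember("/O=Grid/O=NorduGrid/OU=example.org/CN=Alice Example", ("atlas",)),
    VoMember("/O=Grid/O=NorduGrid/OU=example.org/CN=Bob Example"),
    VoMember("/O=Grid/O=NorduGrid/OU=example.org/CN=Carol Example", ("atlas", "cms")),
    VoMember("/O=Grid/O=NorduGrid/OU=example.org/CN=Dave Example", ("cms",)),
)

# Constructed local policy: group mappings, a default account, and one denied DN.
SAMPLE_POLICY = SitePolicy(
    default_user="gridusr",
    group_map={"atlas": "atlasusr", "cms": "cmsusr"},
    denied_dns=frozenset({"/O=Grid/O=NorduGrid/OU=example.org/CN=Dave Example"}),
)


def resolve_account(member, policy):
    """Return the local account for a member, or None if the site denies them.

    The site's deny list is checked first, so site autonomy always wins over
    VO membership.  Group-based mappings take precedence over the default
    user-based mapping; the order of entries in group_map decides ties.
    """
    if member.dn in policy.denied_dns:
        return None
    for group, account in policy.group_map.items():
        if group in member.groups:
            return account
    return policy.default_user


def build_gridmap(members, policy):
    """Return {dn: account} for every VO member the local policy accepts."""
    mapping = {}
    for member in members:
        account = resolve_account(member, policy)
        if account is not None:
            mapping[member.dn] = account
    return mapping


def render_gridmap(mapping):
    """Render grid-mapfile lines: the DN in double quotes, a space, the account."""
    return "".join(f'"{dn}" {account}\n' for dn, account in sorted(mapping.items()))


def parse_gridmap(text):
    """Parse grid-mapfile text back into {dn: account}.

    DNs contain spaces, so the subject must be quoted; an unquoted line is
    rejected rather than guessed at.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError(f"unquoted DN in grid-mapfile line: {line!r}")
        end = line.index('"', 1)
        dn, account = line[1:end], line[end + 1:].split()[0]
        mapping[dn] = account
    return mapping


if __name__ == "__main__":
    # A periodic job would write this to the site's grid-mapfile path.
    print(render_gridmap(build_gridmap(SAMPLE_MEMBERS, SAMPLE_POLICY)), end="")
```

Run as a script, it prints three lines: Alice and Carol map to the group account for `atlas`, Bob falls through to the default account, and Dave is absent because the site's deny list removes him before any mapping is considered. The parse function is included so the output can be read back and compared with the previous run, which is what a periodic update needs in order to detect whether the local mappings actually changed.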

Credits

The NorduGrid VO has been implemented by using Open Source Software components. The user database and its management is done with the help of VOMS software, developed and supported by a number of EU projects. The nordugridmap utility which generates the grid-mapfile is a modified version of the mkgridmap Perl script written by the EU DataGrid authorization team.
