Description of the NorduGrid Virtual Organization

The NorduGrid Virtual Organization (VO) is the user and service management system for some of the resources that deploy the NorduGrid Middleware. The VO consists of the user and service database and a set of tools for database and grid-mapfile management. In particular, by being added to the NorduGrid VO, users can gain access to those resources which authorize members of this VO.

Since membership is free, no guarantee is given that a member will actually get access to any particular resource; that decision remains with each site.

Grid authentication and authorisation

In a Grid environment, users usually do not have login accounts with passwords on the computing resources they want to use; instead they hold a certificate issued by a Certificate Authority, and this certificate authenticates them to the resources they need. Authentication, however, does not by itself grant access to a resource. Access control for the computing resources (authorization) is a matter of local policy; in the Grid environment it is done by mapping the accepted set of user certificates (identified by their subject names) to local user accounts.

NorduGrid VO: purposes and organization

The NorduGrid VO maintains a list of accepted users who are authorized to use those resources which chose to allow them. The VO tools provide an automatic method for NorduGrid sites to maintain the mappings from NorduGrid VO users to local Unix accounts. This automatic mapping does not violate site autonomy, because site administrators retain full control over their systems: the site's NorduGrid VO configuration file lets them deny access to any Grid user in the VO they do not trust.

The VO is intended to hold not only the user data but also entries for all the services running on the NorduGrid that require secure authentication and authorization, that is, services that possess their own certificates. The database will be used to generate grid-mapfiles for these grid services too.

The database of the VO is maintained by the VO managers. Their responsibility is to add, delete or modify user entries. The NorduGrid VO supports the creation of groups. Groups can be created or removed by the VO managers. A group is a subset of the NorduGrid VO and is maintained by an assigned group manager. The group manager has the right to select members of the group out of the NorduGrid VO database. With user groups in place, site administrators can implement group-based mappings (all the members of a certain group are mapped to the same local Unix user), in addition to the default user-based mappings.

The managers of the database are authenticated and authorized through their certificates. This means that access rights to the database are granted at the level of the personal certificate: the managers do not have to remember and type account names and passwords, they only need to present their certificate to the VO server in order to modify data. This certificate-based access control also eliminates the possibility of password sharing; only the holder of the right certificate (and of its private key) is able to commit modifications to the database.

Technical implementation of the VO

The VO database is stored in an LDAP server. We are running a GSI (Grid Security Infrastructure) modified OpenLDAP server. The built-in GSI-GSSAPI SASL mechanism of the OpenLDAP server provides entry- and attribute-level access control based on the Grid certificates. The database managers, being authenticated through their certificates, use the OpenLDAP command line tools to add, delete or modify entries in the VO. The NorduGrid sites periodically run the nordugridmap utility to query the VO LDAP server and automatically create or update the local user mappings according to their local site policy (defined in their nordugridmap.conf configuration file). All the relevant software can be downloaded from the NorduGrid software repository (authorisation part).
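To make the site-side step concrete, the following Python is an added example (not the nordugridmap script or any NorduGrid code) of what a mapfile generator does with the VO data described here: it parses a constructed LDIF export of the VO, applies a local policy (a deny list and the group-based mappings from the section above), and emits grid-mapfile lines in the standard Globus form of a quoted subject name followed by a local account. The attribute names subjectDN, localUser and member, the entries themselves, and the policy dictionary standing in for nordugridmap.conf are all assumptions made for this example, not the VO's real schema or the real configuration syntax. It also shows one check a site would want: a subject name containing a quote or newline is refused rather than written, because the VO server is a remote input to a file that decides who becomes which local user.

```python
"""Added example: turn a VO membership export into grid-mapfile lines under a
local site policy. Not NorduGrid's nordugridmap; attribute names, entries and
the policy structure below are constructed for illustration."""
import os
import re
from typing import Dict, List

# Constructed LDIF export standing in for the nordugridmap query result.
# Attribute names (subjectDN, localUser, member) are assumptions, not the
# NorduGrid VO schema. The last person entry has a deliberately malformed
# subject name to exercise the safety check.
VO_LDIF = """\
dn: cn=Alice Example,ou=People,o=NorduGrid
objectClass: person
cn: Alice Example
subjectDN: /O=Grid/O=NorduGrid/OU=example.org/CN=Alice Example
localUser: alice

dn: cn=Bob Example,ou=People,o=NorduGrid
objectClass: person
cn: Bob Example
subjectDN: /O=Grid/O=NorduGrid/OU=example.org/CN=Bob Example
localUser: bob

dn: cn=Carol Example,ou=People,o=NorduGrid
objectClass: person
cn: Carol Example
subjectDN: /O=Grid/O=NorduGrid/OU=example.org/CN=Carol Example
localUser: carol

dn: cn=Eve Example,ou=People,o=NorduGrid
objectClass: person
cn: Eve Example
subjectDN: /O=Grid/O=NorduGrid/OU=example.org/CN=Eve Example" root
localUser: eve

dn: cn=atlas,ou=Groups,o=NorduGrid
objectClass: groupOfNames
cn: atlas
member: cn=Alice Example,ou=People,o=NorduGrid
member: cn=Bob Example,ou=People,o=NorduGrid
"""

# Stand-in for the site's local policy (nordugridmap.conf syntax is not
# reproduced): subject names the site refuses, and groups mapped to one account.
SITE_POLICY = {
    "deny": {"/O=Grid/O=NorduGrid/OU=example.org/CN=Carol Example"},
    "group_map": {"atlas": "atlasgrid"},
}

# A subject name we are willing to write: slash-separated attr=value RDNs with
# no quote, slash or newline inside a value (a quote or newline would let a
# VO entry inject an extra mapping line into the grid-mapfile).
SAFE_DN = re.compile(r'^(/[A-Za-z0-9.]+=[^/"\r\n]+)+$')


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines start with a space, '#' lines are comments."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    return entries


def build_gridmap(entries: List[Dict[str, List[str]]], policy: dict) -> List[str]:
    """Apply the local policy and return grid-mapfile lines, '"subject" account'.
    Precedence chosen for this example: deny list, then group mapping, then
    the member's own default account from the VO entry."""
    people = {e["dn"][0]: e for e in entries if "subjectDN" in e}
    groups = {e["cn"][0]: e.get("member", []) for e in entries if "member" in e}
    via_group: Dict[str, str] = {}  # LDAP dn -> account assigned through a group
    for group, account in policy["group_map"].items():
        for member_dn in groups.get(group, []):
            via_group.setdefault(member_dn, account)
    lines = []
    for ldap_dn, entry in people.items():
        subject = entry["subjectDN"][0]
        if subject in policy["deny"]:
            continue  # site policy: this VO member gets no local account here
        if not SAFE_DN.match(subject):
            continue  # refuse a subject name that could corrupt the mapfile
        lines.append(f'"{subject}" {via_group.get(ldap_dn, entry["localUser"][0])}')
    return lines


def write_gridmap(path: str, lines: List[str]) -> None:
    """Write the mapfile atomically so a job never sees a half-written one."""
    tmp = path + ".tmp"
    with open(tmp, "w") as handle:
        handle.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    print("\n".join(build_gridmap(parse_ldif(VO_LDIF), SITE_POLICY)))
```

With the constructed data, Alice and Bob are written with the atlasgrid account (group mapping wins over their personal accounts), Carol is dropped by the deny list, and Eve is dropped by the subject-name check.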

Credits

The NorduGrid VO has been implemented by using Open Source Software components. The database is managed by an OpenLDAP server, which makes use of the Grid Security Infrastructure layer developed by the Globus Project (TM). The web interface for browsing the VO is powered by the LDAPExplorer. The nordugridmap utility which generates the grid-mapfile is a modified version of the mkgridmap (v 1.6) Perl script written by the EU DataGrid authorization team.