GT 4.0: Security

Abstract

Security tools are concerned with establishing the identity of users or services (authentication), protecting communications, and determining who is allowed to perform what actions (authorization), as well as with supporting functions such as managing user credentials and maintaining group membership information.

GT4 provides distinct WS and pre-WS authentication and authorization capabilities. Both build on the same base, namely standard X.509 end entity certificates and proxy certificates, which are used to identify persistent entities such as users and servers and to support the temporary delegation of privileges to other entities.
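The delegation this paragraph describes can be shown end to end. The following Go program is an added example, not GT4 code, and uses only the standard library: it mints an end entity certificate (self-signed here, standing in for one issued by a grid CA), derives an RFC 3820 proxy certificate from it with a fresh key pair, and validates the proxy the way a GSI-aware server has to, because ordinary X.509 path validation rejects any chain whose issuer is not a CA. Validating the EEC itself up to a trusted CA is the usual path validation and is not repeated. The subject names, the ECDSA key choice and the two OIDs (taken from RFC 3820, not from this page) are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs from RFC 3820 (assumed from the RFC; the page itself does not list them).
var oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14} // id-pe-proxyCertInfo
var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}
// RFC 3820: ProxyCertInfo ::= SEQUENCE { proxyPolicy ProxyPolicy } (path length omitted); ProxyPolicy ::= SEQUENCE { policyLanguage OID, policy OCTET STRING OPTIONAL }.
type proxyPolicy struct {
	Language asn1.ObjectIdentifier
	Policy   []byte `asn1:"optional"`
}
type proxyCertInfo struct{ Policy proxyPolicy }
// must panics on error to keep the example short; real code returns the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent (pass tmpl itself for self-signed) and re-parses it.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewEEC makes a long-lived end entity certificate for cn (self-signed only for brevity; a real EEC is issued by a grid CA).
func NewEEC(cn string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"Example Grid"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime),
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// NewProxy delegates from the EEC: a new key pair certified by the EEC's own key, subject = EEC subject + one CN, lifetime capped by the EEC's.
func NewProxy(eec *x509.Certificate, eecKey *ecdsa.PrivateKey, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	pci := must(asn1.Marshal(proxyCertInfo{proxyPolicy{Language: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1}}})) // id-ppl-inheritAll
	names := append(append([]pkix.AttributeTypeAndValue{}, eec.Subject.Names...), pkix.AttributeTypeAndValue{Type: oidCN, Value: serial.String()})
	notAfter := time.Now().Add(lifetime)
	if notAfter.After(eec.NotAfter) {
		notAfter = eec.NotAfter
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{ExtraNames: names},
		NotBefore:             time.Now().Add(-time.Minute), NotAfter: notAfter,
		BasicConstraintsValid: true, // IsCA false: a proxy is never a CA
		ExtraExtensions:       []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pci}}, // RFC 3820 requires it critical
	}
	return sign(tmpl, eec, &key.PublicKey, eecKey), key
}

// VerifyProxy applies the RFC 3820 checks by hand; x509.Verify would reject the chain because the EEC is not a CA.
func VerifyProxy(proxy, eec *x509.Certificate, now time.Time) error {
	if err := eec.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return fmt.Errorf("proxy not signed by the EEC key: %w", err)
	}
	pn, en := proxy.Subject.Names, eec.Subject.Names
	if string(proxy.RawIssuer) != string(eec.RawSubject) || len(pn) != len(en)+1 || !pn[len(en)].Type.Equal(oidCN) {
		return fmt.Errorf("proxy subject must be the EEC subject plus exactly one CN")
	}
	for i := range en {
		if !pn[i].Type.Equal(en[i].Type) || pn[i].Value != en[i].Value {
			return fmt.Errorf("proxy subject does not extend the EEC subject")
		}
	}
	if proxy.IsCA || proxy.NotAfter.After(eec.NotAfter) || now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) {
		return fmt.Errorf("proxy claims CA status, outlives the EEC, or is not valid at %v", now)
	}
	for _, ext := range proxy.Extensions {
		if ext.Id.Equal(oidProxyCertInfo) && ext.Critical {
			var info proxyCertInfo // an authorization layer would act on info.Policy.Language
			_, err := asn1.Unmarshal(ext.Value, &info)
			return err
		}
	}
	return fmt.Errorf("no critical ProxyCertInfo extension: not an RFC 3820 proxy")
}

func main() {
	eec, eecKey := NewEEC("Jane Doe", 365*24*time.Hour)
	proxy, _ := NewProxy(eec, eecKey, 12*time.Hour)
	fmt.Println(proxy.Subject, "valid now:", VerifyProxy(proxy, eec, time.Now()) == nil)
}
```

The proxy's private key, never the EEC's, is what a submitted job or a delegated service gets to use, and the short NotAfter plus the policy language in ProxyCertInfo are what bound the delegated privilege. VerifyProxy checks the subject-extension rule, the lifetime nesting, the CA flag and the critical extension explicitly because none of them follows from the signature check alone.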

For more information about the security concepts behind GT4, see Security: Key Concepts.

For a comparison of features between Java and C code, see Security Features.

For firewall information, see the GT4 firewall documentation.

For the types of proxy certificate that GT can create and accept (legacy, GT3 draft-RFC and RFC 3820 proxies), see the proxy certificate documentation.

GT security is based on X.509 certificates, which establish who a user or service is, and on gridmap files, which map a certificate's distinguished name (DN) to a local user account on the host that enforces authorization.

GT4’s WS security includes:

  • Message-level Security mechanisms, which implement the WS-Security standard and the WS-SecureConversation specification to protect GT4’s SOAP messages individually;
  • Transport-level Security mechanisms, which protect the whole connection with Transport Layer Security (TLS) rather than the individual messages carried over it;
  • an Authorization Framework that supports a variety of authorization schemes, including a “grid-mapfile” access control list, an access control list defined by a service, a custom authorization handler, and access to an authorization service via the SAML protocol; and
  • a Security Descriptor Framework that allows a declarative configuration of security properties on clients and services.
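The grid-mapfile access control list named above is simple enough to show whole. The following Go program is an added example, not GT4 code: it parses grid-mapfile lines, reduces an authenticated subject to the EEC DN by stripping the CN components a proxy appends (the gridmap is written against the EEC, not the proxy), and looks the DN up. The sample gridmap lines and DNs are constructed for the example; the proxy CN forms it recognises (proxy, limited proxy, a decimal serial) are the ones GT's legacy and RFC 3820 proxies use.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Gridmap maps an EEC distinguished name (OpenSSL one-line form) to the local accounts it may use.
type Gridmap map[string][]string

// ParseGridmap reads grid-mapfile lines: a double-quoted DN, whitespace, then a comma-separated
// list of local user names; '#' starts a comment. A DN listed twice accumulates accounts.
func ParseGridmap(text string) (Gridmap, error) {
	gm := Gridmap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: DN must be double-quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated DN", n)
		}
		dn, rest := line[1:1+end], strings.TrimSpace(line[2+end:])
		if rest == "" {
			return nil, fmt.Errorf("line %d: no local account for %q", n, dn)
		}
		for _, u := range strings.Split(rest, ",") {
			if u = strings.TrimSpace(u); u != "" {
				gm[dn] = append(gm[dn], u)
			}
		}
	}
	return gm, sc.Err()
}

// proxyRDN matches the CN a proxy appends to its EEC's subject: "proxy" or "limited proxy"
// for legacy GT proxies, a decimal serial number for RFC 3820 proxies.
var proxyRDN = regexp.MustCompile(`/CN=(proxy|limited proxy|[0-9]+)$`)

// IdentityOf strips trailing proxy CNs (one per delegation level) so the lookup key is the
// EEC DN, which is what the grid-mapfile is written against. Only trailing CNs are removed.
func IdentityOf(subject string) string {
	for proxyRDN.MatchString(subject) {
		subject = proxyRDN.ReplaceAllString(subject, "")
	}
	return subject
}

// Authorize returns the local account the caller may act as. An empty requested account
// selects the first one listed for the DN (the default mapping).
func (gm Gridmap) Authorize(subject, requested string) (string, bool) {
	accounts, ok := gm[IdentityOf(subject)]
	if !ok {
		return "", false
	}
	if requested == "" {
		return accounts[0], true
	}
	for _, a := range accounts {
		if a == requested {
			return a, true
		}
	}
	return "", false
}

// sampleGridmap is constructed for this example; it is not from the GT documentation.
const sampleGridmap = `# "<EEC DN>" <local account>[,<local account>...]
"/C=US/O=Example Grid/CN=Jane Doe" jdoe,gridusers
"/C=US/O=Example Grid/CN=Batch Service" batch
"/C=US/O=Example Grid/CN=Jane Doe" jdoe-admin
`

func main() {
	gm, err := ParseGridmap(sampleGridmap)
	if err != nil {
		panic(err)
	}
	fmt.Println(gm.Authorize("/C=US/O=Example Grid/CN=Jane Doe/CN=proxy/CN=1234567", ""))
	fmt.Println(gm.Authorize("/C=US/O=Example Grid/CN=Mallory/CN=proxy", "jdoe"))
}
```

Two points matter for a deployment: the DN comparison is exact, so the gridmap must use the same one-line DN form the server's certificate library produces, and IdentityOf only removes trailing proxy CNs, so a CA-issued CN of "proxy" would still be a CA misconfiguration rather than something the lookup hides. Whether a limited proxy is accepted at all is a per-service decision in GT (GRAM refuses them, GridFTP accepts them); this example identifies the EEC and leaves that policy to the caller.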

For non-WS components, GT4 provides similar authentication, delegation, and authorization mechanisms, although with fewer authorization options; see the documentation of the individual non-WS components for details.


List of Tables

1. GT 4.0 Security Features