National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


Only authorized clients can perform operations on the myproxy-server. The myproxy-server administrator controls who can store, modify, retrieve, and remove credentials. Users can place additional access controls on credentials when they store them. This document describes the available access control policies.

Who can store credentials?

The accepted_credentials policy, set by the myproxy-server administrator in the myproxy-server.config file, determines who can store credentials based on the client's SSL/TLS authenticated identity. The administrator may disallow credential storage entirely when, for example, the myproxy-server is configured to act as a certificate authority (CA) or when the administrator loads all credentials on behalf of users. The administrator can restrict the ability to store credentials to specific users or to any users who hold certificates issued by specific CAs. In all cases, the client's certificate must be signed by a CA that is trusted by the myproxy-server.

Who can modify or get information about stored credentials?

Only the credential owner can overwrite or remove credentials, change a credential's passphrase, or get information about stored credentials. The client's authenticated SSL/TLS identity must match the identity of the stored credentials. SSL/TLS authentication is required.

Who can retrieve a delegated credential (with myproxy-logon)?

Access to credentials is controlled by policies set both by the myproxy-server administrator (in the myproxy-server.config file) and the credential owner (when storing the credential with myproxy-init or myproxy-store). The myproxy-server supports a variety of policies.

If the stored credentials are encrypted, the client must supply the correct passphrase to decrypt the credentials.

If pam "required" is set in myproxy-server.config, the client must supply a passphrase that can be verified via PAM for the requested username.

If sasl "required" is set in myproxy-server.config, the client must successfully authenticate via SASL for the requested username.

The client must satisfy one of the following:

  1. The client's authenticated SSL/TLS identity must match the myproxy-server.config authorized_retrievers policy.
    Also, if the stored credential has an authorized_retrievers policy, the client's authenticated SSL/TLS identity must match that;
    otherwise, it must match the myproxy-server.config default_retrievers policy.
    Also, the client must supply a passphrase in the request that decrypts the credential,
    or must supply a passphrase that can be verified via PAM for the requested username,
    or must successfully authenticate via SASL for the requested username,
    or must provide a valid Pubcookie granting cookie for the requested username.
  2. The client's authenticated SSL/TLS identity must match the myproxy-server.config authorized_renewers policy.
    Also, if the stored credential has an authorized_renewers policy, the client's authenticated SSL/TLS identity must match that;
    otherwise, it must match the myproxy-server.config default_renewers policy.
    Also, the client must prove possession of a valid (not expired) certificate with identity matching the stored credential.
  3. The client's authenticated SSL/TLS identity must match the myproxy-server.config trusted_retrievers and authorized_retrievers policies.
    Also, if the stored credential has a trusted_retrievers policy, the client's authenticated SSL/TLS identity must match that;
    otherwise, it must match the myproxy-server.config default_trusted_retrievers policy.
    Also, if the stored credential has an authorized_retrievers policy, the client's authenticated SSL/TLS identity must match that;
    otherwise, it must match the myproxy-server.config default_retrievers policy.
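
The three alternatives above can be read as a decision procedure. The following Python model is an added example, not MyProxy's own code; it leaves out the encrypted-credential, pam "required" and sasl "required" checks described before the list. It assumes policies are lists of shell-style wildcard patterns over the client DN and that an absent policy matches nobody; the DNs, `SERVER`, `CRED_R` and `CRED_Z` are constructed sample values.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Request:
    dn: str                   # client's authenticated SSL/TLS identity
    secret_ok: bool = False   # passphrase, PAM, SASL or Pubcookie check succeeded
    cert_proof: bool = False  # proved possession of a valid cert matching the stored credential

def matches(dn, patterns):
    # Assumption: a policy is a list of shell-style wildcard patterns over the DN.
    return any(fnmatchcase(dn, p) for p in patterns)

def policy_ok(dn, server, cred, name, default):
    """The server-wide `name` policy must match, then the credential's own
    `name` policy if it has one, otherwise the server's `default` policy."""
    if not matches(dn, server.get(name, [])):  # absent policy matches nobody (model assumption)
        return False
    second = cred[name] if name in cred else server.get(default, [])
    return matches(dn, second)

def delegation_path(req, server, cred):
    """Return the alternative that admits the request, or None if all three fail."""
    retr = policy_ok(req.dn, server, cred, "authorized_retrievers", "default_retrievers")
    if retr and req.secret_ok:
        return "retriever"            # alternative 1
    if req.cert_proof and policy_ok(req.dn, server, cred,
                                    "authorized_renewers", "default_renewers"):
        return "renewer"              # alternative 2
    if retr and policy_ok(req.dn, server, cred,
                          "trusted_retrievers", "default_trusted_retrievers"):
        return "trusted_retriever"    # alternative 3
    return None

# Constructed sample policies (not from a real deployment).
SERVER = {
    "authorized_retrievers": ["/O=Example/*"],
    "default_retrievers": ["/O=Example/*"],
    "authorized_renewers": ["/O=Example/CN=portal"],
    "default_renewers": [],
    "trusted_retrievers": ["/O=Example/CN=scheduler"],
    "default_trusted_retrievers": [],
}
CRED_R = {"authorized_renewers": ["/O=Example/CN=portal"]}    # as if stored with -R
CRED_Z = {"trusted_retrievers": ["/O=Example/CN=scheduler"]}  # as if stored with -Z

if __name__ == "__main__":
    print(delegation_path(Request("/O=Example/CN=scheduler"), SERVER, CRED_Z))
```

With empty server defaults for renewers and trusted retrievers, as in this sample, a client reaches alternatives 2 or 3 only for credentials whose owner opted in when storing them.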

Who can directly retrieve a credential (with myproxy-retrieve)?

To retrieve credentials directly, rather than via delegation, the client must satisfy all the conditions for delegation described in the previous item, plus:

  • The client's authenticated SSL/TLS identity must match the myproxy-server.config authorized_key_retrievers policy.
  • Also, if the stored credential has an authorized_key_retrievers policy, the client's authenticated SSL/TLS identity must match that;
    otherwise, it must match the myproxy-server.config default_key_retrievers policy.

How do I set policies for stored credentials?

Using myproxy-init or myproxy-store:

  • -r sets the credential's authorized_retrievers policy
  • -R sets the credential's authorized_renewers policy
  • -Z sets the credential's trusted_retrievers policy
  • -E sets the credential's authorized_key_retrievers policy

Last modified 04/27/09.
©2000-2017 Board of Trustees of the University of Illinois.