Only authorized clients can perform operations on the myproxy-server. The myproxy-server administrator controls who can store, modify, retrieve, and remove credentials. Users can place additional access controls on credentials when they store them. This document describes the available access control policies.

Who can store credentials?

The accepted_credentials policy, set by the myproxy-server administrator in the myproxy-server.config file, sets the policy for who can store credentials based on the client's SSL/TLS authenticated identity. The administrator may disallow credential storage entirely, for example when the myproxy-server is configured to act as a certificate authority (CA) or when the administrator loads all credentials on behalf of users. The administrator can restrict the ability to store credentials to specific users or to any users who hold certificates issued by specific CAs. In all cases, the client's certificate must be signed by a CA that is trusted by the myproxy-server.

Who can modify or get information about stored credentials?

Only the credential owner can overwrite or remove credentials, change a credential's passphrase, or get information about stored credentials. The client's authenticated SSL/TLS identity must match the identity of the stored credentials. SSL/TLS authentication is required.

Who can retrieve a delegated credential (with myproxy-logon)?

Access to credentials is controlled by policies set both by the myproxy-server administrator (in the myproxy-server.config file) and by the credential owner (when storing the credential with myproxy-init or myproxy-store). The myproxy-server supports a variety of policies. If the stored credentials are encrypted, the client must supply the correct passphrase to decrypt the credentials. If pam "required" is set in myproxy-server.config, the client must supply a passphrase that can be verified via PAM for the requested username.
If sasl "required" is set in myproxy-server.config, the client must successfully authenticate via SASL for the requested username. The client must satisfy one of the following:
Who can directly retrieve a credential (with myproxy-retrieve)?

To retrieve credentials directly, rather than via delegation, the client must satisfy all the conditions for delegation described in the previous item, plus:
How do I set policies for stored credentials?

Using myproxy-init or myproxy-store:
Last modified 04/27/09.
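The server-side storage and PAM policies described under "Who can store credentials?" and "Who can retrieve a delegated credential?" above, written out as a myproxy-server.config fragment. This is an added example, not the configuration template shipped with MyProxy; the organization and subject DNs are constructed placeholders.

```conf
# myproxy-server.config fragment (added example; DNs are constructed placeholders).
#
# Every connecting client must first present a certificate signed by a CA the
# myproxy-server trusts. The policies below are evaluated on top of that.

# --- Who can store credentials (myproxy-init / myproxy-store) ---

# Permissive: any subject with a certificate from a trusted CA may store
# credentials on this server.
#accepted_credentials "*"

# Restrictive: only subjects issued under one CA's name space (the trailing
# "*" matches the remainder of the DN), plus one explicitly named user.
accepted_credentials "/C=US/O=Example Org/*" "/C=US/O=Example Org/CN=Ops Admin"

# To disallow credential storage entirely (for example when this server acts
# as a CA, or the administrator loads all credentials on behalf of users),
# leave accepted_credentials unset: with no accepted_credentials line the
# server accepts no stored credentials.

# --- Additional check on retrieval (myproxy-logon / myproxy-retrieve) ---

# Require that the passphrase supplied by the client also verifies via PAM
# for the requested username, in addition to the certificate-based policies.
# (sasl "required" works the same way for SASL authentication.)
pam "required"
pam_id "myproxy"
```

After changing the file, restart the myproxy-server so the new policies take effect; clients whose DN does not match any accepted_credentials pattern are refused at myproxy-init/myproxy-store time.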