...

  1. The user registers in B2ACCESS (and accesses it) using one of these types of credentials:
    • SAML IdP,
    • social ID,
    • local username/password,
    • X.509 (long-lived certificate signed by an IGTF-approved CA)
  2. B2ACCESS issues a short-lived X.509 certificate signed by its internal CA
    • Expected to be replaced with RCauth
    • However, PRACE is not expected to accept RCauth
  3. A couple of scripts running on the resource (B2STAGE/B2SAFE service) periodically get users from B2ACCESS, provision accounts and map the DN from the issued certificate to these accounts.
  4. The user accesses the resource using the EUDAT certificate

Figure 1. EUDAT B2ACCESS - B2STAGE/B2SAFE integration

...

1. Group "PRACE" is empty on B2ACCESS and there is no user XXX like "Michal Jankowski" in B2ACCESS.
2. User XXX "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" cannot access the EUDAT resource at gsiftp://eptest.eudat.psnc.pl
3. There is no local user account mapped to "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" on eptest.eudat.psnc.pl.
4. Users with attribute deisaUserProfile set to “EUDAT” are selected from PRACE LDAP.

   The same selection is done by the prace_eudat_users_sync.py script, which synchronizes PRACE LDAP and B2ACCESS. Normally the script is called periodically (e.g. hourly), but for the demo it may be run manually by the admin.
5. After the script run, the user XXX "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" appears in B2ACCESS and group "PRACE" contains PRACE users.
6. User XXX "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" can access the EUDAT resource at gsiftp://eptest.eudat.psnc.pl
7. Local user account provisioning and grid mapping are done automatically on user login.
8. Attribute deisaUserProfile with value “EUDAT” is removed from user XXX "Michal Jankowski" in PRACE LDAP.
9. As a result of the prace_eudat_users_sync.py script run, the user is removed from the PRACE group in B2ACCESS (but not completely from the service).
10. User XXX "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski" cannot access the EUDAT resource at gsiftp://eptest.eudat.psnc.pl
11. The local account still exists, but the user is removed from the grid mapping.
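
The grant and revoke sequence of steps 4 to 11, as an added example (not the project's prace_eudat_users_sync.py or its resource-side scripts): an in-memory model of the LDAP selection, the PRACE group reconciliation, and the DN mapping rebuild. The dict layouts, function names, the `eudatNNN` account naming and the second LDAP entry are assumptions constructed for illustration.

```python
PROFILE_ATTR, PROFILE_VALUE, GROUP = "deisaUserProfile", "EUDAT", "PRACE"
DN = "/C=PL/O=GRID/O=PSNC/CN=Michal Jankowski"  # DN used in the page's demo

def select_eudat_dns(ldap_entries):
    """Step 4: DNs of entries whose deisaUserProfile contains EUDAT."""
    return {e["dn"] for e in ldap_entries if PROFILE_VALUE in e.get(PROFILE_ATTR, [])}

def sync(ldap_entries, b2access):
    """Reconcile the PRACE group with the LDAP selection; return (added, removed)."""
    wanted = select_eudat_dns(ldap_entries)
    members = b2access["groups"].setdefault(GROUP, set())
    added, removed = wanted - members, members - wanted
    b2access["users"] |= added   # step 5: user appears in B2ACCESS
    members |= added
    members -= removed           # step 9: out of the group, still a B2ACCESS user
    return added, removed

def update_resource(b2access, resource):
    """Provision accounts for group members, then rebuild the DN mapping."""
    members = b2access["groups"].get(GROUP, set())
    for dn in sorted(members):
        resource["accounts"].setdefault(dn, f"eudat{len(resource['accounts']) + 1:03d}")
    # Step 11: only current members are mapped; old accounts are left in place.
    resource["gridmap"] = {dn: resource["accounts"][dn] for dn in members}

def can_access(resource, dn):
    return dn in resource["gridmap"]

def stale_accounts(resource):
    """Local accounts with no DN mapped to them: candidates for review."""
    return sorted(set(resource["accounts"].values()) - set(resource["gridmap"].values()))

def demo():
    """Run steps 1-11 on constructed data."""
    ldap = [{"dn": DN, PROFILE_ATTR: ["EUDAT"]},
            {"dn": "/C=XX/O=EXAMPLE/CN=Constructed User", PROFILE_ATTR: ["OTHER"]}]
    b2access = {"users": set(), "groups": {}}
    resource = {"accounts": {}, "gridmap": {}}
    before = can_access(resource, DN)          # steps 1-3
    sync(ldap, b2access)
    update_resource(b2access, resource)
    granted = can_access(resource, DN)         # step 6
    ldap[0][PROFILE_ATTR].remove("EUDAT")      # step 8
    sync(ldap, b2access)
    update_resource(b2access, resource)
    revoked = not can_access(resource, DN)     # step 10
    return before, granted, revoked, DN in b2access["users"], stale_accounts(resource)

if __name__ == "__main__":
    print(demo())
```

`stale_accounts` lists the leftover of step 11: a local account that no DN maps to any more, which an operator may want to review periodically.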

 

Resources

  1. Unity IDM GitHub

...