Note: A new beta version of SAZ with enhanced features has been released and is available at SAZ-VO.


Site AuthoriZation Service

Purpose:

The Site Authorization Service (SAZ) allows the security authorities of a grid site to impose site-wide policy and to control access to the site.


SAZ Functionality

•      Allows administrators to control user access to site resources

•      Provides a means to retrieve information about users and their access status

•      Authorizes users by

–    Verifying the user's access status in the central database

–    Analyzing the user's certificate chain

•      Provides centralized maintenance of Certificate Revocation Lists (CRLs)


SAZ Components


•        SAZ Server

–      Extracts the DN from the user's certificate chain and looks it up in SAZDB for authorization.

–      Checks the CRL, verifies the certificate signatures and enforces the CA signing policy.

•        SAZ DB

–      Stores each user's principal, DN, access status, etc.

•        SAZ Client

–      Can be invoked from the Globus gatekeeper callout to contact the SAZ server and check the user's authorization.

–      Multiple clients exist, in C and in Java; each can also run as a standalone application for testing purposes.

–      Passes the user's certificate chain to the SAZ server for authorization. The client is authenticated using GSI.

•        Admin Interface Server

–      Allows an admin to add, delete and list any DN and principal in SAZDB.

–      Allows a user to add, delete or list any DN associated with his own principal in SAZDB.

•        AI/UI Client

–      Provides the front end for the admin and the user.

–      Using the AI Client, an admin can insert, delete and update any user's DNs, principals and status. The admin is authenticated using Kerberos.

–      Using the UI Client, a user can insert and delete any DN that is assigned the same principal as his own. The user is authenticated using Kerberos.


CLI Examples

•       The UI Client supports the following commands:

–     ls (lists the DN, access status and principal of all users associated with the same principal as the current user)

–     ls <dn> (lists the DN, access status and principal of the selected user)

–     add <dn> (adds the specified DN to the database and sets its principal to the principal of the current user)

–     del <dn> (deletes the specified DN if it is associated with the same principal as the current user)

•       The AI Client supports the following commands:

–     ls [dn] [principal] (lists the DN, access status and principal of the selected users; the wildcard "%" can be used for selection)

–     add dn principal (adds the specified DN and principal to the database)

–     del dn principal (deletes the specified DN and principal from the database)

–     enable dn principal (allows the specified DN and principal to access site resources; the wildcard "%" can be used for selection)

–     disable dn principal (denies the specified DN and principal access to site resources; the wildcard "%" can be used for selection)
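The following is an added illustration, not code from the SAZ project, of the server-side decision described under SAZ Components (CRL check, chain linkage in place of real signature verification, signing-policy namespace check, then the SAZDB lookup by DN) together with the AI Client's wildcard ls/enable/disable semantics. Certificates are modelled as constructed (subject, issuer, serial) tuples, the CRL as a set of revoked (issuer, serial) pairs, and the signing policy as a DN pattern per CA; all sample DNs and principals are made up.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

Cert = namedtuple("Cert", "subject issuer serial")  # constructed stand-in for an X.509 cert

def like(pattern, value):
    """SQL-style match; '%' is the wildcard the AI client accepts in ls/enable/disable."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("%"))), value) is not None

@dataclass
class SazDB:
    rows: dict = field(default_factory=dict)            # dn -> [principal, status]
    crl: set = field(default_factory=set)               # revoked (issuer, serial) pairs
    signing_policy: dict = field(default_factory=dict)  # CA dn -> DN pattern it may sign

    def add(self, dn, principal):                       # add dn principal
        self.rows[dn] = [principal, "enabled"]
    def set_status(self, dn_pat, principal_pat, status):  # enable / disable, '%' allowed
        for dn, row in self.rows.items():
            if like(dn_pat, dn) and like(principal_pat, row[0]):
                row[1] = status
    def ls(self, dn_pat="%", principal_pat="%"):        # ls [dn] [principal]
        return sorted((dn, row[1], row[0]) for dn, row in self.rows.items()
                      if like(dn_pat, dn) and like(principal_pat, row[0]))

def authorize(db, chain):
    """Decide as the SAZ server does; chain[0] is the user cert, chain[-1] the CA."""
    for cert in chain:                                  # 1. CRL check on every link
        if (cert.issuer, cert.serial) in db.crl:
            return False, f"revoked: {cert.subject}"
    for child, parent in zip(chain, chain[1:]):         # 2. issuer linkage (stands in for
        if child.issuer != parent.subject:              #    signature verification) ...
            return False, f"broken chain at {child.subject}"
        policy = db.signing_policy.get(parent.subject)  #    ... and signing-policy namespace
        if policy is None or not like(policy, child.subject):
            return False, f"{parent.subject} may not sign {child.subject}"
    row = db.rows.get(chain[0].subject)                 # 3. SAZDB lookup by DN
    if row is None:
        return False, "DN not registered"
    principal, status = row
    return status == "enabled", f"{principal}: {status}"

# Constructed sample data: one CA with a signing policy, two users, Bob's cert revoked.
CA = Cert("/DC=org/DC=example/CN=Example CA", "/DC=org/DC=example/CN=Example CA", 1)
ALICE = Cert("/DC=org/DC=example/OU=People/CN=Alice", CA.subject, 42)
BOB = Cert("/DC=org/DC=example/OU=People/CN=Bob", CA.subject, 43)
DB = SazDB(signing_policy={CA.subject: "/DC=org/DC=example/%"}, crl={(CA.subject, 43)})
DB.add(ALICE.subject, "alice")
DB.add(BOB.subject, "bob")
```

Note that a disable issued with "%" patterns takes effect on the next authorization without touching the user's certificate, which is the point of keeping status in the central database rather than in the credential.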


INSTALL

    To install the Server


    To install the Client


READMEs

    Server README
    Client README