This wiki is obsolete, see the NorduGrid web pages for up to date information.

NG2011/Grid school/Enteringavo

From NorduGrid
Jump to navigationJump to search


Possessing a certificate does not mean automatic access to the resource. Access control for the computing resources, called as authorization, is an issue of a local policy, and in the Grid environment it is done by mapping the accepted set of user certificates to local user accounts.

For the authorization you have to be a member of a recognized and supported User Group (or VO). In most cases sites implement authorization policies by selecting User Groups (VOs). If you are a member of a User Group (VO) which is authorized on a specific site then you can access the site resources (e.g. CPU cycles, storage space) provided your credentials are authenticated too.

Authentication and Authorization are decoupled processes. It is possible that although you are a member of an authorized User Group (VO) nevertheless you experience problems accessing the site's resources due to your untrusted certificate (in this case you may contact the site administrator and find out the reason your Issuer CA is not trusted). Similarly, you will not have access to the site in the opposite case when your certificate is authenticated but you are not member of any authorized User Groups. In order to access a resource you must be both authenticated and authorized, the former is achieved by possessing a site-recognized certificate (your credential was issued by a trusted CA) while the latter requires membership of an authorized User Group (you are a member of a User Group which was granted resource allocation on the site) .

You must apply for such membership by contacting VO managers, or negotiate access with resource owners.

A Virtual Organization (VO) is basically a group of people that are authorized to run Grid jobs on a set of Grid resources. For example, a research project members can join in a VO, so that they can negotiate access to Grid resources, policies etc. Typically, a VO has a manager which maintains the list of members and contacts resource owners whenever a negotiation is needed, for example, if a new user has a certificate issued by a new Certificate Authority (CA), or CA public keys have changed. VO managers are normally in charge of negotiating resources available for the VO members. Each site on the Grid can choose to authorize any set of VOs, allowing all their members to run Grid jobs or to store data on the corresponding facility.

For now you could just know that you're authenticated and authorized on at least one cluster -- Let's check it.

Creating proxy

As it was mentioned before, you create a special short-lived certificate called "proxy-certificate" to access grid. In ARC it's done with the help of arcproxy command. Simply run:


Check info about the created proxy with:

arcproxy -I

Testing authorization



No error messages shall appear.