Authentication, Authorization and Access
5/27/14: This information is obsolete. Please see: https://cdcvs.fnal.gov/redmine/projects/fife/wiki/Welcome_New_Computing_Users
Strong Authentication Guide
The Strong Authentication Guide is the definitive security document.
The Strong Authentication Guide was revised in May 2014.
We give a synopsis here, targeted at Intensity and Cosmic frontier users, with links to the full documents.
Terminology
- Authentication determines the identity of you or your program.
- Authorization determines what you are allowed to do.
Authentication
Fermilab strives for a single sign-on model.
You do have a single username at Fermilab for most purposes.
The implementation of this can get complex; see the summary at Who Am I.
There are several separate security realms, due mainly to incompatibility of client tools.
- Kerberos - An unexpired Kerberos ticket for your principal lets you
  - Log in to Unix systems
  - Generate AFS tokens - for access to login area files
  - Generate X509 certs - for access to restricted web pages, including SAM via samweb
  - Generate VOMS proxies - for Grid job submission and GridFTP data access
- Services - your LDAP account lets you log in to
- OSG PKI SSL certificates let you
  - Access restricted Web pages such as parts of DocDB
  - Access Grid computing and GridFTP data movement
- AFS tokens
  - Access login areas under /afs/fnal.gov/files/home*/
  - Access some web page source files
- Kerberos WIN.FNAL.GOV - Windows only
  - For login to Windows systems