Authentication, Authorization and Access

5/27/14: this information is obsolete; please see https://cdcvs.fnal.gov/redmine/projects/fife/wiki/Welcome_New_Computing_Users

Strong Authentication Guide

The Strong Authentication Guide is the definitive security document.
The Strong Authentication Guide was revised in May 2014.
We give a synopsis here, targeted at Intensity and Cosmic Frontier users, with links to the full documents.

Terminology
  • Authentication determines the identity of you or your program.
  • Authorization determines what you are allowed to do.

Authentication

Fermilab strives for a single sign-on model.
You do have a single username at Fermilab for most purposes.
The implementation of this can get complex; see the summary at Who Am I.

There are several separate security realms, due mainly to incompatibility of client tools.

  • Kerberos - An unexpired Kerberos ticket for your principal lets you
    • Log in to Unix systems
    • Generate AFS tokens - for access to login area files
    • Generate X509 certificates - for access to restricted web pages, including SAM via samweb
    • Generate VOMS proxies - for Grid job submission and GridFTP data access
  • Services - your LDAP account lets you log in to
  • OSG PKI SSL certificates let you
    • Access restricted Web pages such as parts of DocDB
    • Access Grid computing and GridFTP data movement
  • AFS tokens let you
    • Access login areas under /afs/fnal.gov/files/home*/
    • Access some web page source files
  • Kerberos WIN.FNAL.GOV - Windows only
    • For login to Windows systems

Who Am I: summary of identities