IBM HPSS Network Card User Manual


 
the principal's LDAP hpssGECOS attribute, then Site-style accounting will be used. Otherwise
UNIX-style accounting will be used.
To keep the accounting information consistent, it is important to set up all users in the HPSS
Authorization services with the same style of accounting (i.e. they should all have the AA= string in
their hpssGECOS attribute or none should have this string.) The hpss_ldap_admin tool can be used to
set attributes for a user including the hpssGECOS field. For more information, see the
hpss_ldap_admin man page.
See Section 12.4: Accounting of the HPSS Management Guide for more information.
3.9.4. Security Policy
HPSS server authentication and authorization make extensive use of UNIX or Kerberos
authentication and either UNIX or LDAP authorization mechanisms. Each HPSS server has
configuration information that determines the type and level of services available to that server.
HPSS software uses these services to determine the caller identity and credentials. Server security
configuration is discussed in more detail in Section 5.2: Server Configuration of the HPSS
Management Guide.
Once the identity and credential information of a client has been obtained, HPSS servers enforce
access to their interfaces based on permissions granted by an access control list stored in the DB2
table AUTHZACL.
HPSS client interface authentication and authorization security features for end users depend on the
interface, and are discussed in the following subsections.
3.9.4.1. Client API
The Client API interface uses either UNIX username/password or Kerberos authentication and either
UNIX or LDAP authorization features. Applications that make direct Client API calls must have
valid credentials prior to making those calls. Kerberos credentials can be obtained either at the
command line level via the kinit mechanism or within the application via the sec_login_set_context
interface. UNIX credentials are determined by the HPSS rpc library based on the UNIX user id and
group id of the application process.
3.9.4.2. FTP/PFTP
By default, FTP and Parallel FTP (PFTP) interfaces use either a username/password mechanism or
Kerberos credentials to authenticate. Either UNIX or LDAP is used to authorize end users. The end
user identity credentials are obtained from the principal and account records in the appropriate
security registry.
3.9.4.3. XFS
Since XFS is a filesystem interface, it uses the standard filesystem security mechanisms - owners,
groups and UNIX mode bits to enforce security policy. For communication between the HDM and
the DMG, the regular HPSS server authentication and authorization mechanisms are used.
3.9.4.4. Name Space
Enforcement of access to HPSS name space objects is the responsibility of the Core Server. A user's
access rights to a specific name space object are determined from the information contained in the
object's ACL, and the user's credentials.
HPSS Installation Guide July 2008
Release 6.2 (Revision 2.0) 98