Chapter 2. Security and System Access
2.1. Security Services
As of release 6.2, HPSS no longer uses DCE security services. The new approach to security divides
services into two APIs, known as mechanisms, each of which has multiple implementations.
Configuration files control which implementation of each mechanism is used in the security realm
(analogous to a DCE cell) for an HPSS system. Security mechanisms are implemented as shared object
libraries and are described to HPSS by a configuration file; an HPSS program that needs a mechanism
loads that library dynamically when it starts.
The first type of mechanism is the authentication mechanism. This API is used to acquire credentials
and to verify the credentials of clients. Authentication verifies that a client really is who it claims to be.
The second type of mechanism is the authorization mechanism. Once a client's identity has been
verified, this API is used to obtain the authorization details associated with the client such as uid, gid,
group membership, etc., that are used to determine the privileges accorded to the client and the resources
to which it has access.
2.1.1. Security Services Configuration
Ordinarily, the configuration files that control HPSS's access to security services are set up either by the
installation tool, mkhpss, or by the metadata conversion tools. This section is provided purely for
reference. Each of the files below is stored by default in /var/hpss/etc.
• auth.conf, authz.conf
These files define which shared libraries provide implementations of the authentication and
authorization mechanisms, respectively. They are plain text files that share the same format. Each
line is either a comment beginning with # or consists of two fields separated by whitespace: the
path to a shared library and the name of the function used to initialize the security interface.
Because HPSS programs load and call whatever these files name, both the files and the libraries
they point to must be writable only by trusted administrators.
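The following is an added example, not code from HPSS or from this guide. It parses a file in the auth.conf/authz.conf format described above (comment lines beginning with #, otherwise two whitespace-separated fields) and then audits each library path the way an administrator should before trusting it, since every HPSS program that uses the mechanism will load that library. The sample file content is constructed for the example; the library paths and initialization function names in it are hypothetical placeholders, not the names HPSS ships, and skipping blank lines is this example's own assumption.

```python
"""Parse and audit HPSS-style auth.conf / authz.conf mechanism files.

Added example, not HPSS code. Library paths and init function names below
are hypothetical placeholders; only the two-field-per-line format and the
'#' comment convention come from the manual.
"""
import os
import re
import stat
import tempfile

# Constructed sample in the documented format: <shared library> <init function>
SAMPLE_AUTH_CONF = """\
# auth.conf (constructed sample; names are hypothetical)
/opt/hpss/lib/libauth_example.so        example_auth_init
/opt/hpss/lib/libauth_alternate.so      alternate_auth_init
"""

_C_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_mechanism_conf(text):
    """Return [(library_path, init_function), ...] for one conf file body.

    Malformed lines raise ValueError with the line number, so a bad file
    fails loudly rather than silently configuring no mechanism. Skipping
    blank lines is this example's assumption; the manual only mentions
    comment lines and two-field lines.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}: {raw!r}")
        path, init_fn = fields
        if not _C_IDENT.match(init_fn):
            raise ValueError(f"line {lineno}: {init_fn!r} is not a valid C symbol name")
        entries.append((path, init_fn))
    return entries


def check_library_path(path, trusted_uid=0):
    """Return a list of problems (empty means OK) with one configured library.

    Every HPSS program that uses the mechanism will dlopen() this path, so
    it must be absolute, exist as a regular file, and be modifiable only by
    the trusted owner. Only the immediate parent directory is checked.
    """
    if not os.path.isabs(path):
        return ["path is not absolute"]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    parent_mode = os.stat(os.path.dirname(path)).st_mode
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable")
    return problems


def audit_mechanism_conf(text, trusted_uid=0):
    """Map each library named in the conf to its list of problems."""
    return {path: check_library_path(path, trusted_uid)
            for path, _init in parse_mechanism_conf(text)}


def demo_permission_check():
    """Create a throwaway library file, check it world-writable, then fixed.

    Returns (problems_before, problems_after); the current uid stands in
    for the trusted owner so the demo works without root.
    """
    workdir = tempfile.mkdtemp()
    lib = os.path.join(workdir, "libauth_example.so")
    with open(lib, "wb") as fh:
        fh.write(b"not a real shared object")
    os.chmod(lib, 0o666)
    before = check_library_path(lib, trusted_uid=os.getuid())
    os.chmod(lib, 0o644)
    after = check_library_path(lib, trusted_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    for path, init_fn in parse_mechanism_conf(SAMPLE_AUTH_CONF):
        print(f"{path}: init={init_fn} problems={check_library_path(path)}")
    print("permission demo:", demo_permission_check())
```

Run against a real /var/hpss/etc/auth.conf, `audit_mechanism_conf(open(path).read())` reports any library that a non-privileged user could replace; the trusted uid defaults to root and should be set to whichever account owns the HPSS installation.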
• site.conf
This file defines security realm options. This is a plain text file in which each line is a comment
beginning with # or is made up of the following fields, separated by whitespace:
<siteName> <realmName> <realmID> <authzMech> <authzURL>
· <siteName> - the name of the local security site. This is usually just the realm name in
lowercase.
· <realmName> - the name of the local security realm. If using Kerberos authentication, this is
the name of the Kerberos realm. For UNIX authentication, it can be any non-empty string. By
convention, it is usually the fully qualified hostname.
· <realmID> - the numeric identifier of the local security realm. If using Kerberos
authentication and this is a preexisting site going through conversion, this value is the same as
the DCE cross cell ID which is a unique number assigned to each site. A new site setting up a
new HPSS system will need to contact an HPSS support representative to obtain a unique
value.
· <authzMech> - the name of the authorization mechanism to be used by this HPSS system.
HPSS Management Guide November 2009
Release 7.3 (Revision 1.0) 21