Title :
Using virtual organizations membership system with EDG's grid security and database access
Author :
Niinimaki, Marko ; White, John ; De Cerff, WimSom ; Hahkala, Joni ; Niemi, Tapio ; Pitkanen, Mikko
Author_Institution :
Helsinki Inst. of Phys., CERN, Geneva, Switzerland
fDate :
30 Aug.-3 Sept. 2004
Abstract :
We describe the European Data Grid's (EDG's) Java security system and the Spitfire database access system, giving special emphasis to the virtual organization technologies. These technologies create a feasible framework for authentication and authorization in distributed grid applications. A virtual organization (VO) is a collection of people in the same administrative domain. A user can belong to many virtual organizations and have a different role (user, client, administrator, ...) in each of them. The authorization of a user to different services within a VO is based on the user's identity and a service called the virtual organization membership service (VOMS), which maps these identities to roles. The user proves his identity over the Internet using an authentication process. The user normally authenticates using his credentials, which consist of a certificate chain and a private key. In grid systems, the user usually authenticates using proxy credentials that are derived from the actual credentials. The proxy credentials consist of the user's certificate chain together with a proxy certificate and a proxy private key. In the proxy creation process, the user's VO information, including groups and roles, is included in the proxy certificate. In order to use these proxy certificates with VO information, we have created an authorization system, and to demonstrate its usage we have extended the functionality of Spitfire, a relational database front end. This involves assigning the user a database role (read, write, update, ...) based on the VO information in his certificate. There is also a GUI for configuring the authorization service. The earth observation team's database access for ozone profile validation is used here as an example of an application.
Keywords :
Internet; Java; authorisation; graphical user interfaces; grid computing; relational databases; virtual enterprises; EDG grid security; GUI; Internet; Java security system; authentication process; authorization system; distributed grid application; ozone profile validation; proxy private key; relational database; spitfire database access system; user certificate; virtual organization; virtual organization membership service; Authentication; Authorization; Data security; Distributed databases; Grid computing; Internet; Java; Meteorology; Physics; Relational databases;
Conference_Titel :
Database and Expert Systems Applications, 2004. Proceedings. 15th International Workshop on
Print_ISBN :
0-7695-2195-9
DOI :
10.1109/DEXA.2004.1333527