the principal's LDAP hpssGECOS attribute, then
To keep the accounting information consistent, it is important to set up all users in the HPSS Authorization services with the same style of accounting (i.e., either every user has the AA= string in their hpssGECOS attribute, or no user has it). The hpss_ldap_admin tool can be used to set attributes for a user, including the hpssGECOS field. For more information, see the hpss_ldap_admin man page.
See Section 12.4: Accounting of the HPSS Management Guide for more information.
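The consistency requirement above (every principal uses the AA= style of accounting, or none does) is easy to audit from an LDIF export of the HPSS principals. The following is an added example, not code from the HPSS Installation Guide or the HPSS distribution; it assumes that an entry uses AA= accounting exactly when its hpssGECOS value contains an "AA=" token, and the LDIF it parses is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDIF export of three HPSS principals (sample data, not real users).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
hpssGECOS: Alice Example,AA=4711

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
hpssGECOS: Bob Example,AA=4712

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
hpssGECOS: Carol Example
"""

# Assumption: a principal uses the AA= accounting style exactly when its
# hpssGECOS value contains an "AA=" token.
AA_TOKEN = re.compile(r"\bAA=")

def parse_ldif(ldif: str) -> Dict[str, str]:
    """Return {uid: hpssGECOS}; entries without hpssGECOS map to ""."""
    users: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")  # split only at the first colon
            if sep:
                attrs[name.strip().lower()] = value.strip()
        if "uid" in attrs:
            users[attrs["uid"]] = attrs.get("hpssgecos", "")
    return users

def uses_aa_accounting(gecos: str) -> bool:
    """True when the hpssGECOS value carries the AA= accounting string."""
    return AA_TOKEN.search(gecos) is not None

def check_accounting_style(users: Dict[str, str]) -> Tuple[bool, List[str], List[str]]:
    """Partition users by accounting style; consistent only if one partition is empty."""
    with_aa = sorted(u for u, g in users.items() if uses_aa_accounting(g))
    without_aa = sorted(u for u, g in users.items() if not uses_aa_accounting(g))
    return (not with_aa or not without_aa), with_aa, without_aa

if __name__ == "__main__":
    ok, with_aa, without_aa = check_accounting_style(parse_ldif(SAMPLE_LDIF))
    print("consistent" if ok else f"MIXED accounting: AA={with_aa} none={without_aa}")
```

Principals that lack hpssGECOS entirely are reported on the "no AA= string" side, so they are not silently skipped.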
3.9.4. Security Policy
HPSS server authentication and authorization make extensive use of UNIX or Kerberos authentication and either UNIX or LDAP authorization mechanisms. Each HPSS server has configuration information that determines the type and level of services available to that server. HPSS software uses these services to determine the caller identity and credentials. Server security configuration is discussed in more detail in Section 5.2: Server Configuration of the HPSS Management Guide.
Once the identity and credential information of a client has been obtained, HPSS servers enforce access to their interfaces based on permissions granted by an access control list stored in the DB2 table AUTHZACL.
HPSS client interface authentication and authorization security features for end users depend on the interface, and are discussed in the following subsections.
3.9.4.1. Client API
The Client API interface uses either UNIX username/password or Kerberos authentication and either UNIX or LDAP authorization features. Applications that make direct Client API calls must have valid credentials prior to making those calls. Kerberos credentials can be obtained either at the command line level via the kinit mechanism or within the application via the sec_login_set_context interface. UNIX credentials are determined by the HPSS rpc library based on the UNIX user id and group id of the application process.
3.9.4.2. FTP/PFTP
By default, FTP and Parallel FTP (PFTP) interfaces use either a username/password mechanism or Kerberos credentials to authenticate. Either UNIX or LDAP is used to authorize end users. The end user identity credentials are obtained from the principal and account records in the appropriate security registry.
3.9.4.3. XFS
Since XFS is a filesystem interface, it uses the standard filesystem security mechanisms (owners, groups, and UNIX mode bits) to enforce security policy. For communication between the HDM and the DMG, the regular HPSS server authentication and authorization mechanisms are used.
3.9.4.4. Name Space
Enforcement of access to HPSS name space objects is the responsibility of the Core Server. A user's access rights to a specific name space object are determined from the information contained in the object's ACL, and the user's credentials.
HPSS Installation Guide, July 2008, Release 6.2 (Revision 2.0), page 98