Table of Contents
About Legion security|
How it affects your system
Creating & working in a secure net
Adding users to a secure net
Shutting down a secure system
Other on-line tutorials & documentation
$ . ~legion/setup.sh or $ source ~legion/setup.csh
The following style conventions are used in these tutorials:
|About Legion security|
Layers in Legion security model|
The message layer intercepts every message that is sent from or received by an object. For outgoing messages, the layer uses the message's implicit parameters to determine what security measures to apply. Implicit parameters here are similar to Unix environment variables, although their values are not restricted to strings.
The message layer can protect individual messages, but it cannot stop an attacker from simply calling the methods of an object. The MayI layer (as in, "May I call this method?") has that job. When an object with a MayI layer is called, MayI examines the method call before the method is actually invoked. If the call passes MayI's access control policy, it is allowed. Otherwise, a security exception is returned to the caller.
Please see section 7.0 in the System Administrator manual for more information on the security model.
|How it affects your system|
When you create new users, with legion_create_user, a new context will be created for the new user in the /users context (i.e., /users/user_name). This can be used as the new user's home context. Note that users can only work in the /home, /etc, /temp, /mpi, and /pvm contexts. The admin user can work anywhere in context space.
If you have a multi-architecture net, you will need to register implementations for each architecture (an implementation for your bootstrap architecture was automatically created when the system was first initialized). Use the legion_create_implementation command:
$ legion_create_implementation \ $LEGION/bin/$LEGION_ARCH/AuthenticationObject \ $LEGION_ARCH -c /class/AuthenticationObjectClass $
To start security, run legion_init_security. Legion will create the /users context and the admin user id object. The admin user is the system's administrator: whoever is logged in and running the command will be the admin.
Once the command has finished, you must log in as admin. You must include the/users
$ legion_login /users/admin Password: xxxx $
|Special implications||About the AuthenticationObject|
We should note that release 1.6.x of the system has not been hardened to withstand attack. For example, by sending an appropriately mangled message, a sender can crash an object because the low-level message processing layers will not understand the headers. These changes are currently in progress.
|Creating & working in a secure net|
Users can work in a secure net by entering:
$ source <path_to_globally_visible_setup_script>/setup.[sh|csh] $ legion_login /users/<user_name> $ legion_cd /home/<user_name>
|Adding users to a secure net|
$ legion_create_user <user name>
|Shutting down a secure system|
If you have only one user (i.e., /users/admin) and are using a basic host object on your bootstrap host, run legion_shutdown while logged in. You will probably need to clean up after the system by hand (i.e., kill the processes one by one from the command line: you can use ps to check that all Legion processes have been killed).
Other relevant on-line documents:
Other relevant on-line documents:
|Click on the to go to the page.|
Logging in to a running Legion system
Introduction to Legion context space
Legion tty objects
Running a PVM code in Legion
Running a Legion MPI code
Running native MPI code
Quick list of all 1.7 Legion commands|
Usage of all 1.7 Legion commands
FAQs for running programs in Legion
Starting a new Legion system
Legion host and vault objects
Adding host and vault objects
Brief descriptions of all on-line tutorials
Last modified: Thu Jun 15 16:28:28 2000
[Testbeds] [Et Cetera] [Map/Search]