Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.


1 Site Authorization Service
Local Resource Authorization Service
(VOX Project)
Vijay Sekhri, Tanya Levshina, Fermilab

2 Talk Overview
12/15/2003 User Registration/VO management/AuthZ workshop at CERN
Site Authorization Service
–Functionality
–Components
–CLI examples
–Status and deployment
Local Resource Authorization Service
–Functionality
–Components
–GUI screenshots
–Status
Summary

3 Site Authorization Service
Purpose: The Site Authorization Service (SAZ) allows the security authorities of a grid site to impose a sitewide policy and to control access to the site.
Stakeholder:
–Fermilab Computing Facility (D. Skow)

4 SAZ Functionality
Allows administrators to control user access to the site resources
Provides means to retrieve information about users and their access
Authorizes a user by
–verifying the user's access status
–analyzing the user's certificate chain
Provides centralized maintenance of Certificate Revocation Lists (CRLs)

5 SAZ Components
SAZ Server
–extracts the DN from the user's certificate chain and looks it up in the SAZDB for authorization.
–checks the CRL, verifies signatures and enforces the CA signing policy.
SAZ DB
–stores the user's principal, DN, status, etc.
SAZ Client
–invoked as a Globus gatekeeper plugin to communicate with the SAZ Server to check the user.
–passes the user's certificate chain to the SAZ Server for authorization. The client is authenticated using GSI.
Admin Server
–allows an admin to add, delete and list any DN and principal in the SAZDB
–allows a user to add, delete or list any DN associated with his own principal in the SAZDB
AI/UI Client
–provides the front end for the admin/user
–an admin can insert, delete and update any user's DNs, principals and status. The admin is authenticated using Kerberos.
–a user of the UI Client can insert and delete any DN that is assigned the same principal as his own. He is authenticated using Kerberos.
Diagram (labels only): UI Client and AI Client –Kerberos Authentication– AI Server –Select, Update, Insert and Delete query– SAZDB; SAZ Client –GSI Channel– SAZ Server –Only Select query– SAZDB.
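The decision path the SAZ Server slide describes (verify the chain, consult the CRL and signing policy, extract the DN, look up its status in the SAZDB) as an added Python model. This is example code, not Fermilab's SAZ code: the CA name, the certificate chains, the CRL entries, the signing-policy namespace and the SAZDB rows are all constructed sample data, and the sig_ok flag stands in for a real X.509 signature check.

```python
"""Toy model of the SAZ Server decision path described on this slide.

Added example, not Fermilab's SAZ code.  The certificate chain, the CRL,
the signing policy and the SAZDB rows are all constructed sample data, and
the sig_ok flag stands in for a real X.509 signature verification.
"""
from dataclasses import dataclass

CA_DN = "/DC=org/DC=ExampleCA/CN=Example Grid CA"  # constructed trust anchor


@dataclass(frozen=True)
class Cert:
    subject: str   # DN of the certificate holder
    issuer: str    # DN of whoever signed it (a CA, or the user for a proxy cert)
    serial: int
    sig_ok: bool   # constructed stand-in for "signature verifies against the issuer key"


# Signing policy: which subject namespaces each trusted CA is allowed to certify.
SIGNING_POLICY = {CA_DN: ("/DC=org/DC=example/",)}
# Centrally maintained CRL: (issuer DN, serial) pairs that have been revoked.
CRL = {(CA_DN, 1002)}
# SAZDB rows: DN -> (principal, access status).
SAZDB = {
    "/DC=org/DC=example/OU=People/CN=Alice": ("alice", "enabled"),
    "/DC=org/DC=example/OU=People/CN=Bob": ("bob", "disabled"),
    "/DC=org/DC=example/OU=People/CN=Carol": ("carol", "enabled"),
}


def check_chain(chain):
    """Return None if the chain (leaf first, root CA omitted) is acceptable, else a reason.

    Every link must verify and be absent from the CRL.  A certificate issued by a
    trusted CA must fall inside that CA's signing-policy namespace; anything else
    must be issued by the next certificate in the chain (proxy delegation)."""
    for i, cert in enumerate(chain):
        if not cert.sig_ok:
            return f"bad signature on {cert.subject}"
        if (cert.issuer, cert.serial) in CRL:
            return f"revoked: {cert.subject}"
        if cert.issuer in SIGNING_POLICY:
            if not cert.subject.startswith(SIGNING_POLICY[cert.issuer]):
                return f"signing policy violation: {cert.subject}"
        elif i + 1 < len(chain) and chain[i + 1].subject == cert.issuer:
            continue
        else:
            return f"untrusted issuer: {cert.issuer}"
    return None


def end_entity_dn(chain):
    """Strip '/CN=proxy' components from the leaf subject to recover the user's own DN."""
    dn = chain[0].subject
    while dn.endswith("/CN=proxy"):
        dn = dn[: -len("/CN=proxy")]
    return dn


def authorize(chain):
    """SAZ decision as (allowed, reason): chain checks first, then the SAZDB status lookup."""
    reason = check_chain(chain)
    if reason is not None:
        return False, reason
    dn = end_entity_dn(chain)
    row = SAZDB.get(dn)
    if row is None:
        return False, f"unknown DN: {dn}"
    principal, status = row
    if status != "enabled":
        return False, f"{dn} ({principal}) is {status}"
    return True, f"{dn} -> principal {principal}"


# Constructed sample chains.
ALICE_EEC = Cert("/DC=org/DC=example/OU=People/CN=Alice", CA_DN, 1001, True)
ALICE_PROXY = Cert(ALICE_EEC.subject + "/CN=proxy", ALICE_EEC.subject, 1, True)
BOB_EEC = Cert("/DC=org/DC=example/OU=People/CN=Bob", CA_DN, 1003, True)
CAROL_EEC = Cert("/DC=org/DC=example/OU=People/CN=Carol", CA_DN, 1002, True)   # serial is on the CRL
DAVE_EEC = Cert("/DC=org/DC=example/OU=People/CN=Dave", CA_DN, 1004, True)     # valid cert, no SAZDB row
ROGUE = Cert("/DC=org/DC=example/OU=People/CN=Alice", "/CN=Rogue CA", 7, True)  # unknown issuer
TAMPERED = Cert(ALICE_EEC.subject + "/CN=proxy", ALICE_EEC.subject, 2, False)  # proxy that does not verify

if __name__ == "__main__":
    for name, chain in [("alice proxy", [ALICE_PROXY, ALICE_EEC]), ("bob", [BOB_EEC]),
                        ("carol", [CAROL_EEC]), ("dave", [DAVE_EEC]), ("rogue", [ROGUE]),
                        ("tampered", [TAMPERED, ALICE_EEC])]:
        print(f"{name}: {authorize(chain)}")
```

The order matters: the chain is rejected before the database is consulted, so a revoked or badly signed certificate never reaches the DN lookup, and a DN with no row is denied rather than being treated as unknown-but-harmless.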

6 CLI Examples
The UI Client supports the following commands:
–ls (lists the DN, access status and principal of all users associated with the same principal)
–ls (lists the DN, access status and principal of the selected user)
–add (adds the specified DN to the database and sets the principal to the principal of the current user)
–del (deletes the specified DN if it is associated with the same principal)
The AI Client supports the following commands:
–ls [dn] [principal] (lists the DN, access status and principal of the selected users; the wildcard "%" can be used for selection)
–add dn principal (adds the specified DN and principal to the database)
–del dn principal (deletes the specified DN and principal from the database)
–enable dn principal (allows the specified DN and principal to access site resources; the wildcard "%" can be used for selection)
–disable dn principal (denies the specified DN and principal access to site resources; the wildcard "%" can be used for selection)
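The two command sets above differ in one security-relevant way: the AI Client may touch any row and select by wildcard, while the UI Client is confined to DNs carrying the caller's own principal. The added Python below models that split over an in-memory SAZDB. It is example code, not the SAZ code, and makes two assumptions the slide does not state: the "%" wildcard follows SQL LIKE semantics, and a newly added DN starts disabled until an administrator enables it. Kerberos authentication is not modelled; the UI Client simply takes the caller's principal as given.

```python
"""Toy in-memory SAZDB with the UI Client and AI Client commands from this slide.

Added example, not the SAZ code.  Rows are constructed sample data.  Assumptions:
"%" follows SQL LIKE semantics, and a new DN is disabled until enabled (fail-closed).
"""
import re


def like_match(pattern, value):
    """SQL LIKE-style match: '%' matches any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


class SazDB:
    """DN -> {"principal": ..., "status": ...}; one row per DN."""

    def __init__(self):
        self.rows = {}

    def select(self, dn_pattern, principal_pattern):
        """Rows matching both patterns, as (dn, status, principal) tuples in DN order."""
        return sorted(
            (dn, row["status"], row["principal"])
            for dn, row in self.rows.items()
            if like_match(dn_pattern, dn) and like_match(principal_pattern, row["principal"])
        )

    def set_status(self, dn_pattern, principal_pattern, status):
        """Apply a status to every matching row; returns the number of rows changed."""
        hits = [dn for dn, _, _ in self.select(dn_pattern, principal_pattern)]
        for dn in hits:
            self.rows[dn]["status"] = status
        return len(hits)


class AIClient:
    """Administrator front end: may act on any DN and principal (Kerberos-authenticated admin)."""

    def __init__(self, db):
        self.db = db

    def ls(self, dn="%", principal="%"):
        return self.db.select(dn, principal)

    def add(self, dn, principal):
        self.db.rows[dn] = {"principal": principal, "status": "disabled"}  # assumption: disabled until enabled

    def delete(self, dn, principal):
        """Exact DN and principal, no wildcard: returns True if a row was removed."""
        row = self.db.rows.get(dn)
        if row is not None and row["principal"] == principal:
            del self.db.rows[dn]
            return True
        return False

    def enable(self, dn, principal):
        return self.db.set_status(dn, principal, "enabled")

    def disable(self, dn, principal):
        return self.db.set_status(dn, principal, "disabled")


class UIClient:
    """User front end: every operation is confined to DNs carrying the caller's own principal."""

    def __init__(self, db, principal):
        self.db = db
        self.principal = principal  # would come from the Kerberos identity

    def _own(self, dn):
        row = self.db.rows.get(dn)
        return row is not None and row["principal"] == self.principal

    def ls(self, dn=None):
        """All of the caller's DNs, or just the selected one if it is theirs (exact match, no wildcard)."""
        return [(d, r["status"], r["principal"]) for d, r in sorted(self.db.rows.items())
                if r["principal"] == self.principal and (dn is None or d == dn)]

    def add(self, dn):
        """Register a DN under the caller's principal; never take over another user's DN."""
        if dn in self.db.rows and not self._own(dn):
            raise PermissionError(f"{dn} belongs to another principal")
        self.db.rows.setdefault(dn, {"principal": self.principal, "status": "disabled"})

    def delete(self, dn):
        if not self._own(dn):
            raise PermissionError(f"{dn} is not associated with principal {self.principal}")
        del self.db.rows[dn]


if __name__ == "__main__":
    db = SazDB()
    admin = AIClient(db)
    admin.add("/DC=org/DC=example/CN=Alice", "alice")
    admin.add("/DC=org/DC=example/CN=Bob", "bob")
    print(admin.enable("%", "alice"), "row(s) enabled")
    print(UIClient(db, "alice").ls())
```

Note that the UI Client matches the principal literally rather than through like_match, so a caller cannot widen their own scope by presenting a principal containing "%".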

7 SAZ Status and Deployment
All components are in Java, except the SAZ Client (C)
SAZ beta version is released
–(download http://tam01.fnal.gov:8080/src/FNAL/mysaz)
Installed at Fermi by the security team
Successfully used on the CMS grid deployment testbed for a month
Gathering the list of improvements/new features from the Fermilab security team
More work on documentation needs to be done

8 Local Resource Authorization Service
Purpose: The Local Resource Administration Service (LRAS) associates a VO member with a local account and local resources based on the information provided by the user in the user's proxy certificate. LRAS automates and facilitates the process of managing fine-grained access to a local grid resource.
Stakeholders:
–US CMS
–SDSS
–Fermilab Mass Storage System (Enstore)

9 LRAS Architecture
Diagram (labels only): LRAS DB; VOMS EDG DB (VO A) and VOMS EDG DB (VO B); VOMS Admin API; Update Daemon ("Synchronize LRAS DB with VOMS DBs"); LRAS Server; Admin GUI ("Manage user access, mapping to account and resources"); Client API over a GSI Channel ("Query: Is authorized? What user account? What abstract resource name?").

10 LRAS Components
LRAS Server:
–a server that authorizes or denies the user's access to the local cluster and provides a mapping between the user's proxy information and the abstract resource known to the server.
LRAS DB:
–a database that contains the list of known VOs, the list of groups within each VO, the available abstract resources, the list of users with their access status and mapping to a UNIX id, and the list of resources associated with each user.
LRAS Update Daemon:
–a process that fetches group and member information from multiple VOs and populates the LRAS database. The Update Daemon collects member information only for (VO, group) tuples that have been identified by the LRP and have an assigned UNIX id. It is also responsible for keeping the LRAS DB in sync with the information it obtains from the VO. It uses the VOMS EDG admin API to communicate with VOMS.
LRAS Client API:
–allows a client (e.g. gatekeeper, storage element) to connect to the LRAS Server and fetch the user's related information.
LRAS Admin GUI:
–a graphical user interface that lets LRPs manage user access status, introduce new resources and map them to a particular user.
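The Update Daemon's selective sync and the LRAS Server's three-part answer (authorized? which account? which abstract resource?) as an added Python model of the components listed above. This is example code, not the LRAS code: the VOMS membership, the LRP's (VO, group) to UNIX-id mapping, the resource names and the DNs are constructed sample data, and a plain dict stands in for the VOMS EDG admin API. One assumption beyond the slide: a member newly learned from VOMS starts out disabled until the LRP enables it through the Admin GUI.

```python
"""Toy model of the LRAS Update Daemon and LRAS Server query from this slide.

Added example, not the LRAS code.  VOMS membership, LRP configuration and
resource names are constructed sample data; a dict replaces the VOMS EDG admin API.
Assumption: a newly synced member is disabled until the LRP enables it (fail-closed).
"""

ALICE = "/DC=org/DC=example/CN=Alice"
BOB = "/DC=org/DC=example/CN=Bob"
CAROL = "/DC=org/DC=example/CN=Carol"

# What the LRP configured: only these (VO, group) tuples have a UNIX id, so only they are synced.
LRP_UNIX_IDS = {("cms", "/cms/production"): "cmsprod", ("cms", "/cms/users"): "cmsusr"}

# Stand-in for the VOMS EDG admin API: (VO, group) -> member DNs as VOMS currently reports them.
VOMS = {
    ("cms", "/cms/production"): {ALICE},
    ("cms", "/cms/users"): {ALICE, BOB},
    ("sdss", "/sdss"): {CAROL},  # no UNIX id assigned by the LRP: never fetched
}


class LrasDB:
    def __init__(self, unix_ids):
        self.unix_ids = dict(unix_ids)   # (vo, group) -> local account
        self.members = {}                # (vo, group) -> set of DNs, mirrored from VOMS
        self.status = {}                 # dn -> "enabled" / "disabled", set by the LRP
        self.resources = {}              # dn -> set of abstract resource names, set by the LRP


def sync(db, voms):
    """Update Daemon pass: mirror every LRP-identified tuple and forget DNs that left all synced groups."""
    for key in db.unix_ids:
        current = set(voms.get(key, ()))
        for dn in current - db.members.get(key, set()):
            db.status.setdefault(dn, "disabled")  # assumption: new member, LRP must enable
        db.members[key] = current
    still_known = set().union(*db.members.values())
    for dn in list(db.status):
        if dn not in still_known:
            del db.status[dn]
            db.resources.pop(dn, None)


def lrp_set_status(db, dn, status):
    """Admin GUI: change a synced member's access status."""
    if dn not in db.status:
        raise KeyError(f"{dn} is not a synced member")
    db.status[dn] = status


def lrp_map_resource(db, dn, resource):
    """Admin GUI: associate an abstract resource name with a synced member."""
    if dn not in db.status:
        raise KeyError(f"{dn} is not a synced member")
    db.resources.setdefault(dn, set()).add(resource)


def query(db, dn, vo, group):
    """LRAS Server answer to a gatekeeper or storage element: (authorized, local account, resources).

    dn, vo and group are what the caller extracted from the user's proxy certificate."""
    if dn not in db.members.get((vo, group), set()):
        return False, None, set()    # not a current member of that (VO, group)
    if db.status.get(dn) != "enabled":
        return False, None, set()    # member, but the LRP has not enabled (or has disabled) access
    return True, db.unix_ids[(vo, group)], set(db.resources.get(dn, set()))


if __name__ == "__main__":
    db = LrasDB(LRP_UNIX_IDS)
    sync(db, VOMS)
    lrp_set_status(db, ALICE, "enabled")
    lrp_map_resource(db, ALICE, "enstore:/pnfs/cms/alice")
    print(query(db, ALICE, "cms", "/cms/production"))
    print(query(db, BOB, "cms", "/cms/production"))
```

Two properties worth checking in such a daemon: a tuple the LRP never mapped (here the SDSS group) is not fetched at all, and a member that VOMS drops loses access on the next sync without any action from the LRP.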

11 Admin GUI Screenshots

12 LRAS Status
All components are in Java; the LRAS Client API also exists in C.
LRAS alpha version is released
–(download http://tam01.fnal.gov:8080/src/FNAL/lras)
More testing is needed
More work on documentation needs to be done

13 Summary
VOX Local Services (SAZ and LRAS) have been designed as general services for site controls. Implementation specifics for Fermilab are confined to a few points.
Both packages can be used anywhere there are similar needs.
We are very interested in feedback and are looking for volunteers to try out the software.
More info: http://www.uscms.org/s&c/VO
E-mail: vo-project@fnal.gov

