Presentation is loading. Please wait.

Presentation is loading. Please wait.

Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.

Published byValerie Bond Modified over 7 years ago

Similar presentations

Presentation on theme: "Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008."— Presentation transcript:

1 Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT407 18 January 2008

2 Virtual Organisations

3 4 Dec. 2007(c) The University of Manchester 3 What is a Virtual Organisation  Is it like an organisation, only virtual? –Does it need to be a legal entity? not always but to function fully will probably need at least one legal representative  Is it a group of people? –Does it need to be more than one person?  An inter-organisation entity –Does it need to involve more than one organisation? –Does it need to involve any organisation?  Is it only about people? –Organisations have buildings, computers, data,...

4 4 Dec. 2007(c) The University of Manchester 4 Defining A VO As A Grid Entity  Lists –of Members of Distinguished Names of Certificates of DNs + the DN of the issuer  Lists express –VO Memberships –Role Memberships –Group Memberships –...  Regulations/T&Cs –Acceptable Use Policy

5 4 Dec. 2007(c) The University of Manchester 5 Granting A VO Access to the Grid  Copying the lists –of DNs, of Certificates, or of subject and issuer DNs 'Poll' Model  Defining Rules –e.g. Everyone from Manchester and Edinburgh O=Edinburgh, C=UK || O=Manchester, C=UK (NB this doesn't work well in grids)  Ask someone else –Call out to some on-line service, e.g. SAML Requests Pull Model  User Provided Credentials –e.g. Attribute Certificates or SAML Assertions, Push model

6 4 Dec. 2007(c) The University of Manchester 6 How Do VOs help – List Maintenance  Grid resources grant access based on local policy –Attribute matching against a list, e.g. a bunch of named individuals against a rule e.g. a time constraint  Maintaining lists can be cumbersome –especially if they're dynamic –especially if they need to be in many locations  Delegate list maintenance –Maintain lists of VOs not users Reduces overheads on resources Empowers Project Managers

7 4 Dec. 2007(c) The University of Manchester 7 How Do VOs help - Accounting  How to get charging right for resource usage –Possibility of using a resource for more than one purpose –(but) DN list based authorisation First “mapping” = Project to charge to  How to assert to which account to charge my usage. –Supply VO membership details or attributes i.e. authorise me to use resource as NNNN from VO MMMM  VO -> Project Mapping?

8 4 Dec. 2007(c) The University of Manchester 8 VOs and Network Entities  Resources used by the VO –Easiest case: VO = Project, Project requires resources: CPU / Disk / Bandwidth / Detector... Project maintains list of people, their roles and groups Project applies for resources on behalf of its people  Resources provided by the VO –Harder case: VO = Project / Organisation, People and Resource Project requires occasional extra resources / different resources Project can trade their resources

9 The Virtual Organisation Membership Service

10 4 Dec. 2007(c) The University of Manchester 10 What is VOMS  The Virtual Organisation Membership Service –One or more databases of users, groups and roles –A set of Web Services to query and administer the these databases –A portal to interface to these Web Services –A GSI service for obtaining “Attribute Certificates” –A bundle of client and administration tools

11 4 Dec. 2007(c) The University of Manchester 11 VOMS VO  VO Names –usually DNS based names (to avoid name-space conflicts) –e.g. ngs.ac.uk

12 4 Dec. 2007(c) The University of Manchester 12 VOMS Database  Each VO on a VOMS server has a database –DN –Issuer DN –Groups –Roles –..., email, CN, Institute, Phone Number,...

13 4 Dec. 2007(c) The University of Manchester 13 VOMS Web  Each VOMS has a Web Service interface –Allowing script based access For VO Administration List retrieval (polling)  Each VOMS has a Web Portal interface –Allowing non-technical VO administration Users can request to join a VO VO Managers may add users and change users' roles  Each VO will have a URI: –NGS VO's is https://voms.ngs.ac.uk:8443/voms/ngs.ac.uk/https://voms.ngs.ac.uk:8443/voms/ngs.ac.uk/ pointing a browser at this will reveal the Portal interface

14 4 Dec. 2007(c) The University of Manchester 14 VOMS and GSI  VOMS works with the Grid Security Infrastructure –A Proxy certificate may contain a VOMS extension –extensions may contain 1 or more “Attribute Certificates” –Resources may extract and use these ACs instead of polling VOMS servers  Each VO on a VOMS server has a VOMS daemon –This is what voms-proxy-init will talk to Clients need configuring –It is used mainly to obtain Attribute Certificates –It is a mutually authenticated connection you and it need to have grid (GSI) credentials

15 4 Dec. 2007(c) The University of Manchester 15 VOMS and Attribute Certificates  ACs tie a Grid Certificate to Attributes  Attributes are called: –Fully Qualified Attribute Names (FQAN)  FQANs may look like these: –“/ngs.ac.uk/Role=NULL” –“/ngs.ac.uk/SomeGroup/Role=Some Role”  ACs may contain multiple FQANs –The first one is usually taken for authorisation purposes  ACs are signed by the VOMS server (NB to validate the AC one needs the VOMS server certificate)

16 VOs VOMS and the NGS

17 4 Dec. 2007(c) The University of Manchester 17 VOs on the NGS  NGS provides a VOMS server –Hosting a VO is separate to an NGS project application may have a VO without any NGS resource allocation Useful not only for NGS but also other grids

18 4 Dec. 2007(c) The University of Manchester 18 VOMS on the NGS

19 4 Dec. 2007(c) The University of Manchester 19 VOMS on the NGS – List My Details

20 4 Dec. 2007(c) The University of Manchester 20 VOMS on the NGS – Apply for Membership

21 4 Dec. 2007(c) The University of Manchester 21 VOMS on the NGS – List All Members

22 4 Dec. 2007(c) The University of Manchester 22 VOMS on the NGS – List All Roles

23 4 Dec. 2007(c) The University of Manchester 23 VOMS on the NGS – Add New Members

24 4 Dec. 2007(c) The University of Manchester 24 VOMS on the NGS – Configure Access Control

25 4 Dec. 2007(c) The University of Manchester 25 VOMS on the NGS – Client/Server Config

26 4 Dec. 2007(c) The University of Manchester 26 VOMS on the NGS – Getting a VOMS Proxy

27 4 Dec. 2007(c) The University of Manchester 27 VOMS on the NGS – examining a VOMS Proxy

28 4 Dec. 2007(c) The University of Manchester 28 VOs on the NGS future  NGS currently associates VOs with projects but –project application mechanisms not quite in place today –support of VOs is in development and available only for testing/training purposes, but watch this space!  The NGS is working towards VOs with resources –i.e. to enable NGS Associate and Partner sites resource to trade with each other and with core sites

29 Research Computing Services University of Manchester

Download ppt "Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008."

Similar presentations

Introduction of Grid Security

Introduction of Grid Security
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
15th January, 2007 1 NGS for e-Social Science Stephen Pickles Technical Director, NGS Workshop on Missing e-Infrastructure Manchester, 15 th January, 2007.

15th January, NGS for e-Social Science Stephen Pickles Technical Director, NGS Workshop on Missing e-Infrastructure Manchester, 15 th January, 2007.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
The National Grid Service User Accounting System Katie Weeks Science and Technology Facilities Council.

The National Grid Service User Accounting System Katie Weeks Science and Technology Facilities Council.
VOMS Alessandra Forti HEP Sysman meeting 27-28 April 2005.

VOMS Alessandra Forti HEP Sysman meeting April 2005.

Similar presentations

Ads by Google