Presentation is loading. Please wait.

Presentation is loading. Please wait.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Published byJayce Covin Modified over 9 years ago

Similar presentations

Presentation on theme: "Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005."— Presentation transcript:

1 Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005

2 Definition Role based VO authorization: an authorization decision based on an extended credential provided by the VO server that allows a user to have different sessions in which he obtains different privileges

3 Use case A VO compiles a list of users that can use data production resources When acting as data production coordinator, the user gets a “token” from the VO, that states he is authorized to act in that role The user presents that token to the site when submitting a job or initiating a file transfer The services maps the user to a different account based on the role The different account allows access to restricted resources or a different class of service (i.e. file access, higher queue priorities, special pool of machines, …)

4 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 0 The user, member of VO “foo”, wants to submit a job with a role “bar” to the gatekeeper of site “X”.

5 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 1 The user run “voms-proxy-init –voms foo:/foo/Role=bar”, to generate his VO authorized proxy.

6 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 2 Voms-proxy-init creates a normal user proxy, and then sends it to the foo VO VOMS server.

7 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 3 The VOMS server returns the VOMS proxy, signed by the VO, that authorizes the user to act as “bar”.

8 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 4 The user submits the job to site X

9 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 5 The gatekeeper, through the globus call-out, delegates the PRIMA module to decide what local user account to should be used for the given GRID credential.

10 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 6 Prima extracts the Proxy information and sends a message to asks GUMS which local account should be used. (The message is a SAML authorization request)

11 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 7 GUMS consults its configuration, the local copy it keeps of the different database, and determines that the corresponding credential should be mapped to “foobar1”. GUMS returns a message, a SAML successful response with the obligation account=“foobar1”

12 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 8 PRIMA interprets the response, and return the account “foobar1” to the gatekeeper.

13 An example User voms-proxy-init gums-host VOMS site GUMS Server Gatekeeper grid3-user…txt PRIMA Submission site Execution site VOs 9 The gatekeeper sets the uid to “foobar1” and submits the job. Note: a cron jobs on the gatekeeper contact GUMS to retrieve the inverse map needed for accounting.

14 Components: VOMS A VO service (one per VO) that provides extended proxies with signed group and role membership Vincenzo Ciaschini, INFN - Karoly Lorentey, et al Part of OSG 0.2.1 distribution, used in production

15 Components: PRIMA The gatekeeper callout module that is able to contact a site Authorization service to retrieve the mapping Markus Lorch, VT Part of OSG 0.2.1 distribution, used in production

16 Components: GUMS A site Authorization service that manages site-wide mappings Gabriele Carcassi, BNL Part of OSG 0.2.1 distribution, used in production

17 Components: VOMRS A VO service that manages the VO Registration process, and feeds the list of currently approved members to VOMS FNAL team Used in production

18 Storage AuthZ site GUMS Server Gatekeeper GRAM gridFTP PRIMA Execution site SRM/ dCache gPLAZMA Storage Authorization Service

19 Components: Storage AuthZ An authorization service that provides the extra authorization attributes required by dCache (contacts GUMS to retrieve the mapping) Markus Lorch, VT Prototype

20 Components: gPLAZMA The dCache Authorization infrastructure, which is able to contact the Storage Authorization Service Abhishek Singh Rana, UCSD et al. Distributed as part of dCache, Beta quality, in production at Fermi in a couple of months (probably less)

Download ppt "Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005."

Similar presentations

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Grid Resource Allocation Management (GRAM) GRAM provides the user to access the grid in order to run, terminate and monitor jobs remotely. The job request.

Grid Resource Allocation Management (GRAM) GRAM provides the user to access the grid in order to run, terminate and monitor jobs remotely. The job request.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Grid Security 1. Grid security is a crucial component Need for secure communication between grid elements  Authenticated ( verify entities are who they.

Similar presentations

Ads by Google