Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources Asif Saleem,

Published byShon Darcy Turner Modified over 8 years ago

Similar presentations

Presentation on theme: "Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources Asif Saleem,"— Presentation transcript:

1 Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources Asif Saleem, Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington

2 2 Overview Using Virtual Organisation Management (VOM) portal How VOM portal can be utilised for –Managing Globus Toolkit enabled resources –Configuring Community Authorisation Service –Administering ICENI Related Work Conclusions

3 3 Why do we need VO Management? VO’s consists of –dynamic set of distributed resources. –distributed user base. –distributed management infrastructure.

4 4 Contd… VO’s need to provide services for –User authentication and authorisation –Defining and enforcing access control and usage policies Every project is having to develop it’s own customised VO management setup Need to replace current manual processes which do not scale well »policy based automated systems

5 5 Virtual Organisation Management ( VOM) portal Portal for remote VO management. Grid service to download and upload information into the VOM database. Client tools to interact with the service through Grid Security Infrastructure (GSI) authenticated network connections. VOM Portal facilitates –User registration into VO using grid certificates. –Resource Access Control –Resource Usage Accounting and Reporting.

6 6 VOM Roles Ordinary users belonging to a VO/community & wanting to use grid resources. Resource managers wanting to make their grid enabled machines accessible to a VO/community. Administrators of a VO managing access control & monitoring usage of constituent users & resources.

7 7 VOM Usage: User Precondition: should have a certificate issued by CA accepted by VO. Registers with VO –Request propagated to VO Admin & on approval to respective resource managers for account creation. Views his usage log on web. Does not need to chase each site/resource in VO & sign separate usage policy forms.

8 8 VOM Usage: Resource Manager Precondition: –Should have a certificate issued by CA accepted by VO. –Manages/owns a grid-enabled resource Setup access control and logging capability by deploying client on his grid-enabled resource. Approve/Reject/Disable user access. Can view own usage stats/graphs.

9 9 VOM Usage: VO Administrator Precondition: –should have a certificate issued by CA accepted by VO. Approve user enrolment requests through web page. Manage constituent resources. Monitor usage of various users/resources or whole VO. View stats/graphs of historical VO usage.

10 10 User Interface Workflow

11 11 VOM Implementation Server –Java servlets hosted in Tomcat container –GT3 based web service –Apache with mod_jk Tomcat support Client –Java based –Connects to web service using secure (GSI) connection

12 12 Managing Globus Toolkit enabled resources Resource access control –through automated grid-map file management Resource Usage Logging and Reporting –through instrumented job-managers provided Resource owner needs to setup respective clients, which connect to the VOM server over a secure connection

13 13 Resource Access Control

14 14 Resource Usage Service

15 15 Configuring Community Authorisation Service Allows resource providers to specify fine-grained access control for the community rather than individual users  Community manages itself grid-proxy-init –––––> cas-proxy- init

16 16 Configuring CAS CAS lacks a web interface for configuring VO’s trust relationships VOM provides a source of authenticated & authorised users The VO admin uses CAS to setup the VO's trust relationships (e.g. adding new users and objects) and to grant them fine-grained access control to the VO's resources.

17 17 Administering ICENI Each resource running ICENI has a –Domain Manager: implements fine-grained access control policies relating to the resources in the private administrative domain –Policy Manager: used to define access control policy at role, group, organisation or individual user level –Identity Manager: used to authenticate users accessing resources, and authorise them against the access policy defined by the resource

18 18 ICENI Architecture Resource Manager Policy Manager CR SR Identity Manager Domain Manager CR SR Gateway between private and public regions Public Resource Browser Public Computational Community SR CR Public Computational Community SR Private Administrative Domain SR CR Resource Broker Application Design Tools Component Design Tools Application Mapper Web Services Gateway Applicatio n Portal Private Computational Resource Software Resources Network Resources Storage Resources JavaCoG Globus

19 19 Contd… ICENI Role Management GUI VOM Admin can also switch roles/groups a user belongs to within ICENI. –Needs a ICENI plugin installed on VOM server.

20 20 Related Work VOMS CAS GUMS PERMIS Akenti

21 21 Virtual Organisation Membership Service (VOMS) Developed for DataTAG by INFN and for DataGrid by CERN Database of user roles and capabilities –Administrative tools –Client interface voms-proxy-init –Uses client interface to produce an attribute certificate (instead of proxy) that includes roles & capabilities signed by VOMS server –Works with non-VOMS services, but gives more info to VOMS-aware services Allows VOs to centrally manage user roles and capabilities

22 22 VOMS Shortcomings –Lacks web interface for user/resource registration –Only maintains certificate DN & their assoc. groups info Lacks any other info e.g. personal info, usage logs Does not collect any resource specific, site specific data –Additional attributes in certificates do not conform to any standard => only VOMS enabled software can use it. –Extensions planned @ EU Data Grid / LCG –Local Centre Authorisation Service (LCAS) –Local Credential MAPping Service (LCMAPS) –Java based Trust Manager FermiLab as part of US CMS, SDSS, and iVDGL projects –VOM Registration Server(VOM RS) –VOMS eXtension (VOX) e.g. Site AuthoriZation (SAZ) and Local Resource Authorization Service (LRAS)

23 23 VOM comparison with VOMS VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc. Both provide grid-map file management capability through slightly different ways VOM does not provide attribute certificate generation capability

24 24 Community Authorisation Service (CAS) v1.0 released with Globus Toolkit version 3.2 Allows resource providers to specify fine-grained access control for the community rather than individual users  Community manages itself grid-proxy-init => cas-proxy-init

25 25 CAS Shortcomings Functional –Lacks web front-end for user registration –Does not contain any info apart from DN, access rights –Resource logging & account mapping gets complicated due to use of totally new DN by CAS Non-Functional –Takes ultimate control away from site/resource owners, which is not practical in real world scenarios –Built on top of Grid Security Infrastructure (GSI) hence dependency on Globus. –royalty-free license from RSA needed to use it in other projects –Currently only a customised version of grid-ftp (supplied with CAS distribution) supports CAS credentials –Hard to install & configure and more a prototype than a production ready system as claimed

26 26 VOM comparison with CAS VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc. Both provide resource access control management mechanisms –VOM through grid-map file management –CAS by abstracting the grid identities (i.e. user certificates) and using the community identities at resources as access control mechanisms VOM does not provide new proxy certificate generation capability like CAS.

27 27 VO #3 … Grid User Management System (GUMS) US Atlas Grid Provides user registration facility. Shortcomings –Lacks a web interface for user/resource registration, currently through email. VO User Registry Database VO #2 Database Site User Info Database grid-mapfile Site Pull cron job

28 28 PrivilEge and Role Management Infrastructure Standards Validation (PERMIS) Privilege Management Infrastructure (PMI) which uses attribute certificates conforming to the X.509 standard Policy driven engine accessible through a java API uses LDAP to store policies and attribute certificates Policies are written in XML PERMIS API Implementation AEF=(application Dependent) Access control Enforcement Function ADF= (application independent) Access control Decision Function Target Present Access Request Decision Request e.g. DN+Access Request Decision e.g. Grant/Deny Access Request LDAP Directories Retrieve Policy and Role ACs RoleActionTarget Adminapprove User rights page

29 29 PERMIS Shortcomings It just provides an authorisation framework using attribute certificates => policy driven authorisation –Does not store any other data about users e.g. personal, usage etc. –Does not store any data about resources, sites etc. –Not intended to provide overall VO management capability e.g. authentication of users or accounting of user/resource usages

30 30 Akenti Policy Language Provides a policy language based on XML Can be used for certificate based authorisation Shortcomings –Needs customised front end –No notion of VO Conceptually similar to PERMIS

31 31 VOM comparison with PERMIS & Akenti VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc. Both PERMIS & Akenti provide rich policy authorisation engine. VOM does not provide policy authorisation language, API or engine. => complimentary

32 32 Open Issues - VO Deployment issues Manchester Oxford Edinburgh NGS London 1 Horizontal (National Grid Service) VERTICALVERTICAL VERTICALVERTICAL Cambridge 1 London 2Cambridge 2

33 33 Future Work Explicit RBAC using proposed NIST standard Explicit policy management –Separate Contract/SLA for VO, Resource, User joining VO Resource specifies minimum/average/maximum service offered Users specifies average & maximum service expectation Explore use of GLUE information Schema for import/export of user/resource info Explore pure web services implementation

34 34 Conclusions VOM provides a centralised management interface for managing a VO Can be used for resource access control and usage accounting for the Globus Toolkit Can be used as a secure web interface for configuring CAS Can also be used for role-based identity management in ICENI

35 35 Acknowledgments Testing and evaluation of software done with the help from members of the UK Grid Engineering Task Force. Deployed across the Level 2 UK e-Science Grid to provide user management and accounting capability ( http://www.grid-support.ac.uk/l2g/ ). Work done as part of OSCAR-G project funded by DTI, Compusys & Intel (THBB/C/008/00028) CAS evaluation funded by JISC AAA programme

36 36 Acknowledgements Director: Professor John Darlington Research Staff: –Nathalie Furmento, Stephen McGough, William Lee –Jeremy Cohen, Marko Krznaric, Murtaza Gulamali –Laurie Young, Jeffrey Hau –David McBride, Ali Afzal Support Staff: –Oliver Jevons, Sue Brookes, Glynn Cunin, Keith Sephton Alumni: –Steven Newhouse, Yong Xie, Gary Kong –James Stanton, Anthony Mayer, Angela O’Brien Contact: –http://www.lesc.ic.ac.uk/  e-mail: lesc@ic.ac.uk

Download ppt "Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources Asif Saleem,"

Similar presentations

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
ICENI: An Open Grid Services Architecture Implemented with Jini William Lee, Nathalie Furmento, Anthony Mayer, Steven Newhouse and John Darlington London.

ICENI: An Open Grid Services Architecture Implemented with Jini William Lee, Nathalie Furmento, Anthony Mayer, Steven Newhouse and John Darlington London.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.

1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Technology on the NGS Pete Oliver NGS Operations Manager.

Technology on the NGS Pete Oliver NGS Operations Manager.
OxGrid, A Campus Grid for the University of Oxford Dr. David Wallom.

OxGrid, A Campus Grid for the University of Oxford Dr. David Wallom.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
15th January, 2007 1 NGS for e-Social Science Stephen Pickles Technical Director, NGS Workshop on Missing e-Infrastructure Manchester, 15 th January, 2007.

15th January, NGS for e-Social Science Stephen Pickles Technical Director, NGS Workshop on Missing e-Infrastructure Manchester, 15 th January, 2007.
Future UK e-Science Grid Middleware Dr Steven Newhouse London e-Science Centre Department of Computing, Imperial College London.

Future UK e-Science Grid Middleware Dr Steven Newhouse London e-Science Centre Department of Computing, Imperial College London.
ICENI Overview & Grid Scheduling Laurie Young London e-Science Centre Department of Computing, Imperial College.

ICENI Overview & Grid Scheduling Laurie Young London e-Science Centre Department of Computing, Imperial College.

Similar presentations

Ads by Google