Presentation is loading. Please wait.

Presentation is loading. Please wait.

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

Published byGabriella McElroy Modified over 10 years ago

Similar presentations

Presentation on theme: "29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester."— Presentation transcript:

1 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester

2 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Outline What VOMS provides What VOs need to do VO naming VOMS and sites... and jobs... and SRM... application frameworks

3 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org What VOMS provides X.509 Attribute Certificates (AC) – ie a digitally signed statement that a user belongs to one or more groups Users fetch a VOMS AC with voms-proxy-init – AC included in proxy that authenticates user to sites – AC proves membership of one or more groups – Users can also request proof of roles within groups In principle, can have ACs from more than one VOMS

4 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org What VOs need Their own VOMS service – ie on their own machine, or hosted by a Tier-1/Tier-2 – (GridPP VOMS at Manchester, hosts several VOs.) To decide what groups and roles they need – More can be added at any time To define the procedure for joining the VO – Local contacts? Proof of experiment membership? – LCG VO Policy being drafted: http://www.cern.ch/proj-lcg- security/documents.html

5 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VO naming Several EDG/EGEE/LCG documents have been produced saying that VO names should be DNS names – eg atlas.cern.ch not just atlas – this will guarantee uniqueness (eg US vs official VOs) – allows for dynamic or lightweight VOs, since CA should only issue a cert for a DNS name to its owner Most of the middleware will accept DNS VO names But some problems with deployment scripts Someone (GridPP?) should do some real world testing

6 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS on sites This different for different services – Some services (eg WM Proxy, LCAS) can use fine grained access based on GridSite/GACL – Other systems (eg pool groups) can only handle a limited number of VOMS groups/roles: usually just production, software management and all other users VOMS used for two main things – Can users of this VO runs jobs? – Who can access this file?

7 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and jobs Sites already chose which VOs they support, and can enforce this using VOMS May also want to restrict access to queues and queue privileges But this information is relatively static, and chosen by the site itself as part of its configuration – So current mechanism is sufficient? However, there are systems like GPBox which will allow access policies to be published to sites.

8 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and SRM SRM allows users to set Unix-like permissions for files, in terms of users and groups This is extended to include DN or VOMS roles instead of pure Unix names Finally, this offers a uniform interface to the various ways of controlling access to files on sites – whether Unix files + pool users/groups – GridSite GACL policies etc, But still need tools to use this interface

9 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Applications If VOs decide to use groups and roles, then they need to provide support for this in their application framework (either in software or in documentation) – eg if you want to give write access to an analysis group's data, to the group's managers This is the equivalent of setting umask in Unix, so your files are created with the correct permissions It's not clear how this will be done, but the start of chaotic user analysis jobs will be a big motivator for it

10 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS implementations INFN CNAF/Bologna – VOMS AC issuing server: the only implementation and derived from Globus gatekeeper – VOMS parser for C/C++: again, depends of Globus libs CERN/KTH (EDG WP2) – Java Security: now part of gLite, and used by gLite Java GridPP Manchester – GridSite for C/C++/scripts: used by Apache based gLite Web Services (WM Proxy) and being taken up by LCAS

11 29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Summary VOMS middleware itself and running VOMS Services exist and are pretty complete Finer grained control is becoming available Applications need to decide how they plan to use this these extra options – eg delegate write permissions to analysis subgroups Several implementations exist – including our home-grown GridSite one from GridPP

Download ppt "29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester."

Similar presentations

Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org GridSite Storage Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org GridSite Storage Andrew McNab University of Manchester.
The GridSite Toolbar Shiv Kaushal The University of Manchester All Hands Meeting 2006.

The GridSite Toolbar Shiv Kaushal The University of Manchester All Hands Meeting 2006.
The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK

The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.

Joining the Grid Andrew McNab. 28 March 2006Andrew McNab – Joining the Grid Outline ● LCG – the grid you're joining ● Related projects ● Getting a certificate.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
3 May 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.

3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of.
Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Andrew McNab - EDG Access Control - 17 Jan 2003 EDG Site Access Control (ie Local Authorisation and Accounts) Andrew McNab, University of Manchester

Similar presentations

Ads by Google