29 June 2006 GridSite - www.gridsite.org - Andrew McNab
VOMS and VOs
Andrew McNab
University of Manchester
Outline
What VOMS provides
What VOs need to do
VO naming
VOMS and sites
... and jobs
... and SRM
... application frameworks
What VOMS provides
X.509 Attribute Certificates (AC)
– ie a digitally signed statement that a user belongs to one or more groups
Users fetch a VOMS AC with voms-proxy-init
– AC included in proxy that authenticates user to sites
– AC proves membership of one or more groups
– Users can also request proof of roles within groups
In principle, can have ACs from more than one VOMS
What VOs need
Their own VOMS service
– ie on their own machine, or hosted by a Tier-1/Tier-2
– (GridPP VOMS at Manchester hosts several VOs.)
To decide what groups and roles they need
– More can be added at any time
To define the procedure for joining the VO
– Local contacts? Proof of experiment membership?
– LCG VO Policy being drafted: security/documents.html
VO naming
Several EDG/EGEE/LCG documents have been produced saying that VO names should be DNS names
– eg atlas.cern.ch, not just atlas
– this will guarantee uniqueness (eg US vs official VOs)
– allows for dynamic or lightweight VOs, since a CA should only issue a cert for a DNS name to its owner
Most of the middleware will accept DNS VO names
But some problems with deployment scripts
Someone (GridPP?) should do some real world testing
VOMS on sites
This is different for different services
– Some services (eg WM Proxy, LCAS) can use fine grained access based on GridSite/GACL
– Other systems (eg pool groups) can only handle a limited number of VOMS groups/roles: usually just production, software management and all other users
VOMS used for two main things
– Can users of this VO run jobs?
– Who can access this file?
VOMS and jobs
Sites already choose which VOs they support, and can enforce this using VOMS
May also want to restrict access to queues and queue privileges
But this information is relatively static, and chosen by the site itself as part of its configuration
– So current mechanism is sufficient?
However, there are systems like GPBox which will allow access policies to be published to sites.
Applications
If VOs decide to use groups and roles, then they need to provide support for this in their application framework (either in software or in documentation)
– eg if you want to give write access to an analysis group's data to the group's managers
This is the equivalent of setting umask in Unix, so your files are created with the correct permissions
It's not clear how this will be done, but the start of chaotic user analysis jobs will be a big motivator for it
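The VO naming, VOMS-on-sites and Applications slides each describe a decision a site or application framework has to take from the groups and roles in a user's VOMS AC. The following is an added example, not code from the talk, from VOMS or from GridSite, showing those decisions side by side: checking that a VO name is DNS-style, reducing a user's attributes (possibly from more than one VOMS) to the production / software-management / everyone-else classes that pool accounts can distinguish, and a small per-group data policy in which members read and only the group's managers write. It assumes the attributes are presented as VOMS FQAN strings of the form /vo/group/.../Role=x/Capability=y; the VO names, group names, role names (including "swadmin" and "manager") and the policy itself are constructed sample data.

```python
# Added example (not code from the talk, VOMS or GridSite): turning the groups
# and roles in a user's VOMS attributes into site-side decisions.
# Assumption: attributes arrive as FQAN strings /<vo>/<group>/.../Role=<r>/Capability=<c>.
# All VO, group and role names and the access policy below are constructed samples.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# The coarse classes a pool-account scheme can tell apart ("production,
# software management and all other users" on the VOMS-on-sites slide).
PRODUCTION, SGM, USERS = "production", "sgm", "users"

# Constructed mapping from VOMS role name to site class; a real site would
# configure its own role names here.
DEFAULT_ROLE_CLASSES: Dict[str, str] = {"production": PRODUCTION, "swadmin": SGM}


@dataclass(frozen=True)
class Fqan:
    vo: str                   # first path component, eg "atlas.cern.ch"
    groups: Tuple[str, ...]   # sub-groups below the VO, eg ("analysis", "higgs")
    role: Optional[str]       # None when no role was requested (Role=NULL)


def parse_fqan(text: str) -> Fqan:
    """Split '/vo/group/.../Role=x/Capability=NULL' into VO, group path and role."""
    if not text.startswith("/"):
        raise ValueError("FQAN must start with '/'")
    path, attrs = [], {}
    for part in text.split("/")[1:]:
        if "=" in part:                      # Role=... or Capability=...
            key, value = part.split("=", 1)
            attrs[key] = value
        elif attrs:
            raise ValueError("group component after Role=/Capability=")
        elif part:
            path.append(part)
    if not path:
        raise ValueError("FQAN carries no VO name")
    role = attrs.get("Role")
    return Fqan(path[0], tuple(path[1:]), None if role in (None, "NULL") else role)


_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_dns_vo_name(vo: str) -> bool:
    """VO-naming slide: accept 'atlas.cern.ch'-style names, reject a bare 'atlas'."""
    labels = vo.lower().split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def pool_class(fqans: Iterable[Fqan], supported_vos: Set[str],
               role_classes: Dict[str, str] = DEFAULT_ROLE_CLASSES) -> Optional[Tuple[str, str]]:
    """Reduce all of a user's attributes (possibly from several VOMS servers) to
    one (vo, class) pair for a site that only distinguishes production, software
    management and ordinary users.  None means no supported VO, so no job."""
    rank = {USERS: 0, SGM: 1, PRODUCTION: 2}
    best: Optional[Tuple[str, str]] = None
    for f in fqans:
        if f.vo not in supported_vos:
            continue
        cls = role_classes.get(f.role or "", USERS)
        if best is None or rank[cls] > rank[best[1]]:
            best = (f.vo, cls)
    return best


def can_access(fqans: Iterable[Fqan], owner_vo: str, owner_group: Tuple[str, ...],
               action: str) -> bool:
    """Constructed policy for an analysis group's data area (Applications slide):
    members of the group or any sub-group may read; only holders of Role=manager
    in exactly that group may write.  One GACL-style entry per group would
    express the same thing on a GridSite-protected file area."""
    for f in fqans:
        if f.vo != owner_vo or f.groups[:len(owner_group)] != owner_group:
            continue
        if action == "read":
            return True
        if action == "write" and f.role == "manager" and f.groups == owner_group:
            return True
    return False


if __name__ == "__main__":
    attrs = [parse_fqan("/atlas.cern.ch/analysis/higgs/Role=manager/Capability=NULL"),
             parse_fqan("/atlas.cern.ch/Role=production/Capability=NULL")]
    print(pool_class(attrs, {"atlas.cern.ch"}))                                 # ('atlas.cern.ch', 'production')
    print(can_access(attrs, "atlas.cern.ch", ("analysis", "higgs"), "write"))  # True
```

The point of splitting the two functions is the one the slides make: pool_class throws away everything except a handful of classes, because that is all a pool-account scheme can act on, while can_access keeps the full group path and role, which is the information a fine-grained GACL-style policy needs.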
VOMS implementations
INFN CNAF/Bologna
– VOMS AC issuing server: the only implementation, derived from Globus gatekeeper
– VOMS parser for C/C++: again, depends on Globus libs
CERN/KTH (EDG WP2)
– Java Security: now part of gLite, and used by gLite Java
GridPP Manchester
– GridSite for C/C++/scripts: used by Apache based gLite Web Services (WM Proxy) and being taken up by LCAS
Summary
VOMS middleware itself and running VOMS Services exist and are pretty complete
Finer grained control is becoming available
Applications need to decide how they plan to use these extra options
– eg delegate write permissions to analysis subgroups
Several implementations exist
– including our home-grown GridSite one from GridPP