Presentation is loading. Please wait.

Presentation is loading. Please wait.

VO Support and directions in OMII-UK Steven Newhouse, Director.

Similar presentations

Presentation on theme: "VO Support and directions in OMII-UK Steven Newhouse, Director."— Presentation transcript:

1 VO Support and directions in OMII-UK Steven Newhouse, Director

2 © 2 Our Mission… OMII-UK aims to provide software and support to enable a sustained future for the UK e-Science community and its international collaborators Promote the use of good-quality open-source software Reduce the risk of moving to new e-infrastructure world Recognise distinct user communities: by domain and function

3 © 3 Primary Concerns Standards driven Need to interoperate Recognise distinct requirements End-user Developer Service Provider Need to federate across multiple containers Provide infrastructures that are usable

4 © 4 OMII-UK Job Authorisation OMII 1.x: Application execution from GRIA Defined model enforced by PBAC PBAC: Process Based Application Control User registration & account (quota) creation Resource allocation for compute and data Data in Application execution Data out. Application needs to be installed on the machine

5 © 5 PBAC: Process Based Access Control Specify server side workflow Need to have performed Action Z on Service A before Action Y on Service B Check authorisation policy rather than interaction state State interaction captured within a conversation Authorisation action is related to a particular conversation Client interaction is planned & context dependent

6 © 6 OMII-UK Job Authorisation OMII 2.x: GridSAM GridSAM: Job Submission and Job Monitoring Uses JSDL to define the job Various back end environments DRMConnector Service specific Authorisation gridmap like Connector specific Authorisation

7 © 7 Within OMII 3.x Within a web service hosting environment Tomcat, Axis, WSS4J (WS-Security) Primarily Authentication through WS-Security Digital Signature on a signed message Signature MUST be signed by a certificate from a known CA Authentication data available to the service Outgoing message signed

8 © 8 Need to do better… An Authorisation policy that can be applied across consistently across all services Within a hosting environment A network of hosting environments (e.g. VO) A solution that can be reused: Apply policy for portlet access Service specific policies: Data tables within a database Queues or processor/memory limits within a job Standards driven

9 © 9 Current Prototype PERMIS: Generate Attribute Certs & Policy Authz Service: SAML 1.1 Assertion port type WS Request/ Response WS Container AXIS Handlers TestService OMIIAuthz OpenSAML LDAP PERMIS Management GUIs PEP = Policy Enforcement Point Due April 07 - OMII 3.4.0

10 © 10 But what is a VO? About roles, responsibilities and relationships Binding: Contractual Non-Binding: Best-effort End-users: Dynamic & flexible policy around their needs Resource Providers: Focus on users or VOs or real organisations? Usability: Critical need for tooling and integration into software

11 © 11 OMII-UK Users Applied Technology Specialists e-Infrastructure e-Researchers (domain & generic) Providers

12 © 12 Emerging Need: Dynamic Service Authorisation On job creation create a job specific policy Stevens job – he can manipulate & delete it But, the administrator can also delete it. But Steven may also want to allow June to be able to manipulate the job Provide an interface to manipulate policies Fine grained dynamic delegation

13 © 13 Other gaps in AAA… The third A – Accounting Looking at RUS & UR options Account (quota) solution from GRIA Applying for an account (e.g. GAMA, PURSe) The silent A – Audit Attribute Management VOMS Standards?

14 © 14 Summary Mange authorisation policies across services Accounting (use against quota) is important Pick up on existing standards & tools Authorisation infrastructure User registration & account generation Think about the stakeholders in the system OMII-UK currently a non-GSI world But out-of bound use through MyProxy Emerging need for dynamic policies & VOs

15 © 15 Where next… For further information, project lists, etc: Web: Downloads: OMII released last week. Calls: Portlets & GridAPIs For further questions, support issues, etc: Mail: For me: Mail:

Download ppt "VO Support and directions in OMII-UK Steven Newhouse, Director."

Similar presentations

Ads by Google