Presentation is loading. Please wait.

Presentation is loading. Please wait.

VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

Published byGloria Young Modified over 8 years ago

Similar presentations

Presentation on theme: "VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab."— Presentation transcript:

1 VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab

2 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 2 Outlines VOMRS –Purpose –Scope –Deployment –Convergence with VOMS-Admin –Place in Grid World VO Services: –Gums –gPlazma –SAZ –Authorization Interoperability –SVOPME Project Conclusion

3 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 3 Virtual Organization Management Registration Service (VOMRS) VOMRS was developed to address the end-to-end needs for VO membership registration and groupings of common interest within the Fermilab and WLCG contexts. Initiated on 1/24/03, first production release - 3/1/2004. Some of the collected requirements were incorporated into Joint Security Policy Group (JSPG) VO Membership Management Policy document. The implementation is in compliance with JSPG requirements.

4 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 4 VOMRS Scope VOMRS offers a comprehensive set of services that facilitates secure and authenticated management of VO membership, grid resource authorization and privileges: implements a registration workflow supports management of multiple grid certificates per member permits VO-level control of member's privileges provides email notifications of selected events supports VO-level control over its trusted set of Certificate Authorities permits delegation of responsibilities within the various VO administrators: –VO Admin –Representative –Group Owner/Group Manager manages groups and group roles –Group/group role definition –Group/group role access –Group role are linked to a specific group –Group/group role assignment request is capable of interfacing to third-party systems –CERN and Fermilab HR databases –DZero SAM –VOMS

5 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 5 VOMRS Deployment VOMRS is a part of VDT Multiple production installations: –Fermilab: 11 instances. Total number of registered users > 5,000 –CERN: 11 instances. Total number of registered users >4,000 –Also installed at BNL Texas Tech University APAC - University of Melbourne Desy Forschungszentrum Jülich

6 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 6 VOMS-Admin is emerging: –2.5 version will have a lot of new features. –This raises the possibility of rationalizing the support and converging on a single solution by continuing and extending our current collaboration. There are several crucial features that should be implemented in VOMS-Admin in order to do so: –Persistent member’s status –Member’s institutional expiration –Enhance handling of groups and group roles: Group and group role definitions Opened/Restricted access Possibility to attached a particular role to a specified group continued on the next slide … VOMRS and VOMS-Admin Convergence (I)

7 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 7 VOMRS and VOMS-Admin Convergence (II) List of required features : –Interfacing third-party services during registration and membership validation –Dynamic list of collected personal information –Registration workflow and event notification –Web UI improvements Online help Sortable, selectable output Ability to execute actions for multiple users simultaneously Required effort estimated by VOMS-Admin developers is about 8-10 FTE months + 2 months for customer feedback and deep testing This effort is coordinated by LCG VO Registration Task Force

8 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 8 VO Services Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma / Prima ID Mapping? Yes / No + UserName VO Services VOMRSVOMS synch register get voms-proxy Submit request with voms-proxy synch 1 4 5 6 7 2 3 WN gLExec Prima Storage Batch System Submit Pilot OR Job (UID/GID) Access Data (UID/GID) 8 8 Schedule Pilot OR Job 9 Pilot SU Job (UID/GID) 10 VO

9 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 9 VO Services Project VO Services project provides user registration to VO and fine-grain access authorization to resources. –Gabriele Garzoglio (Fermilab) is project leader. VOMRS forms part of a set of VO services implemented in accordance to the OSG blueprint and targeted to meet the needs of the OSG: –Certificate to User Account Mapping (GUMS) –Authorization for Storage and Compute Services (gPlazma, glExec) –Site Banning Tool (SAZ) Working with Globus, EGEE/gLite and INFN to provide interoperability and consolidate the implementations in the future (Authorization Interoperability Project) Participating in the SVOPME project that provided the prototype tools for automating the process of managing role-based privileges over the Grid, from VOs to Grid sites Adapting VO services to new use cases (e.g. LIGO, Shibboleth based identity management).

10 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 10 GUMS GUMS (Grid User Management System) maps users' grid credentials to site-specific identities in accordance with the site's grid resource usage policy Replaces the Globus grid-mapfile. Retrieves membership information from a VO server such as LDAP or VOMS. Currently the focus is on operational properties of the tools, such as monitoring, status/availability checks, validity of the authz configuration at a site, etc.

11 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 11 gPlazma gPlazma (Grid-aware PLuggable AuthoriZation MAnagement) provides the authorization decision and site- specific user information relevant to user’s credential when requested by storage cells (gridFtpdoor, SRM) Retrieves username from GUMS by providing user’s DN and FQAN. Retrieves storage-privilege set {uid,gid, permitted storage area, r/w permissions} form Storage Meta Data Service. Returns a User Authorization Record (a SAML response format) to gPlazma.

12 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 12 SAZ SAZ (Site Authorization Service ) allows security authorities of the grid site to impose sitewide policy and to control access to the site. Allows administrators to control user access to the site resources. Provides means to retrieve the information about users and their access. Authorizes user by checking –user’s certificate chain –status of VO FQAN provided in extended certificate –user’s access status OSG is interested in this technology to implement a Grid- wide banning tool.

13 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 13 Authorization Interoperability Activity Started in Oct 2006 as a collaborative effort between the OSG VO Services Project, EGEE, Globus and Condor (joined later) Goal: To provide interoperability between middleware and authorization infrastructures. The common protocol is used by resource getaways, or Policy Enforcement Points (PEP) to interact with Policy Decision Points (PDP) For each access request, the PDP informs the PEP on whether access is granted or denied and, what obligations need to be enforced if access if granted. Obligations are used as a mechanism to restrict privileges at Grid resources. The final design document: “An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids” http://cd-docdb.fnal.gov/cgi-bin/ShowDocument?docid=2685

14 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 14 SVOPME Project SVOPME – A Scalable Virtual Organization Privileges Management Environment. –Joint Project : Tech-X Corporation and Fermilab financed by Small Business Innovation Research –Phase I is completed in March 2008 Goal to develop tools and services for automating the process of managing role-based privileges over the Grid, from VOs to Grid sites. Prototype tools were developed to facilitate the automatic propagation of privilege data –VO Policy Editor – generates VO policies and verification queries –VO/Grid Policies Comparer - produces a report on which VO policies are honored by the Grid site and which are not –VO/Grid Policies Advisor - advises the Grid administrator on what amendments needs to be performed on the Grid; such that the Grid site complies with the VO policies XML schema for specifying role-based privilege policies was defined and used to assist documenting and converting policies among VOs and Grid sites. Proof of concept: Use standard policy languages (XACML) to express site and VO policies for our use cases.

15 VOMRS and VOMS-admin Convergence 6/24/2008VO Management Workshop at HPDC 15 Summary VOMRS and VOMS were developed to address the end-to-end needs for VO membership registration and groupings of common interest within the WLCG and Fermilab contexts. Fermilab is committed to the support and maintenance of VOMRS in the short and longer term. The recent development of new features in VOMS-Admin raises the possibility of rationalizing the support and converging on a single solution by continuing and extending our current collaborations. VO Services Project is constantly evolving and adapting for new use cases.

Download ppt "VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab."

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
VOMRS/VOMS-Admin 2.0.x 2.5.x comparison Mar 28, 2008 Middleware Security Group Meeting Tanya Levshina and Gabriele Garzoglio Computing Division, Fermilab.

VOMRS/VOMS-Admin 2.0.x 2.5.x comparison Mar 28, 2008 Middleware Security Group Meeting Tanya Levshina and Gabriele Garzoglio Computing Division, Fermilab.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Similar presentations

Ads by Google