Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid User Management System Gabriele Carcassi HEPIX 2004 18 October 2004.

Published byGabriel Toby Wilson Modified over 8 years ago

Similar presentations

Presentation on theme: "Grid User Management System Gabriele Carcassi HEPIX 2004 18 October 2004."— Presentation transcript:

1 Grid User Management System Gabriele Carcassi HEPIX 2004 18 October 2004

2 Outline What GUMS is How it is used at BNL What the current functionalities are Roadmap and future

3 GUMS … … is a site tool ATLAS VOMS Brookhaven National Lab BNL GUMS CERN GUMS site VO ATLAS CMS VOMS VO CMS

4 GUMS … … translates a Grid identity to a local identity (certificate -> local user) BNL GUMS /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi carcassi Grid resource Resource AuthZ Service – Grid Identity Mapping Simpler case show, equivalent to grid-mapfile

5 GUMS … … is centralized: one server per site BNL GUMS Grid resource Grid resource Grid resource Grid resource Allows to control identity mapping from a single place Keeps the site consistent

6 GUMS … … allows a site policy Test servers for USATLAS Allow: All LCG test VO mapped to ‘lcgt’ All USATLAS group mapped to ‘usatlast’ Allow: Members of Grid3 VO mapped with accounts taked from a pool Members on a special list from a database mapped to ‘special’ Grid3 production servers Other machines Allow: Members of … mapped to … All groups and mappings definitions are specified in a single XML file

7 Use at BNL since May 2004 ATLAS VO STAR VO PHENIX VO … VO GUMS server Grid resource Grid resource Grid resource mapfile cache GUMS DB GUMS contacts VO servers and update local database with members GUMS generates the maps according to the policy and stores it in a special DB table The gatekeepers contact the database to retireve their mapping 1. 2. 3. 1. 2. 3.

8 Use at BNL GUMS Policy example <userGroup className='gov.bnl.gums.LDAPGroup' server='grid-vo.nikhef.nl' query='ou=usatlas,o=atlas,dc=eu-datagrid,dc=org‘ persistanceFactory='mysql' name='usatlas' /> <userGroup className='gov.bnl.gums.VOMSGroup' url='https://vo.racf.bnl.gov:8443/edg-voms-admin/star/services/VOMSAdmin‘ persistanceFactory='mysql' name='star' sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem'/> … …

9 Open architecture All critical pieces are defined through interfaces and specified in the configuration Persistence Factory persistence impl. persistence impl. UserGroup Account Mapper GroupMapper HostGroup * Allows integration with site specific services (i.e. HR databases, LDAP, information services, …): 1.Implement the interface (only dependency on GUMS) 2.Put jar in the lib folder 3.Modify the policy file

10 Features implemented Persistence: –MySQL UserGroups: –LDAP VO, VOMS, manual list of users (persistence) AccountMappers: –Group account, best effort NIS mapping, account pool, manual mapping (persistance) All are being used at BNL

11 Future plans Version 1.0 will be ready by OSG-0 release (February 2005) Target functionalities: –Account pooling Tested already setup within grid3 –Web service interface for GUMS –Role based authorization part of Privilege Project, joint USATLAS and USCMS project

12 Account Pooling A generic grid user will be assigned a generic grid account (no recycling) from a pool of pre-created accounts Will allow BNL cybersecurity to perform auditing To go in production we need: 1.Assign the group id after the assignment 2.Make sure it doesn’t disrupt accounting and applications … grid0009 grid0010 grid0011 grid0012 grid0013 grid0014 grid0015 grid0016 grid0017 … /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi /DC=org/DC=doegrids/OU=People/CN=Dantong Yu /DC=org/DC=doegrids/OU=People/CN=Razvan Popescu /DC=org/DC=doegrids/OU=People/CN=Dantong Yu

13 GT3 GUMS service Use gatekeeper call-out to contact GUMS directly ATLAS VO STAR VO PHENIX VO … VO GUMS server Grid resource Grid resource Grid resource GUMS DB

14 Role based authorization Use of callout and of VOMS extended proxy BNL GUMS /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi carcassi Grid resource BNL GUMS /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi usatlasprod Grid resource /VO=ATLAS/Group=USATLAS/Role=production-leader

Download ppt "Grid User Management System Gabriele Carcassi HEPIX 2004 18 October 2004."

Similar presentations

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Magda – Manager for grid-based data Wensheng Deng Physics Applications Software group Brookhaven National Laboratory.

Magda – Manager for grid-based data Wensheng Deng Physics Applications Software group Brookhaven National Laboratory.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
MySQL and GRID Gabriele Carcassi STAR Collaboration 6 May 2002 - Proposal.

MySQL and GRID Gabriele Carcassi STAR Collaboration 6 May Proposal.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
A.Guarise – F.Rosso 1 Enabling Grids for E-sciencE INFSO-RI-508833 Comprehensive Accounting Views on large computing farms. Andrea Guarise & Felice Rosso.

A.Guarise – F.Rosso 1 Enabling Grids for E-sciencE INFSO-RI Comprehensive Accounting Views on large computing farms. Andrea Guarise & Felice Rosso.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.

PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.

Similar presentations

Ads by Google