Presentation is loading. Please wait.

Presentation is loading. Please wait.

VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.

Published byGordon Bailey Modified over 8 years ago

Similar presentations

Presentation on theme: "VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring."— Presentation transcript:

1 VO Privilege Activity

2 The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring 2004 Sposored by US CMS (Fermilab) and US ATLAS (BNL) People: Fermilab, BNL, PPDG Technologies: VOMS, VOMRS, Gridmap and SRM/DCache callout interface, GUMS, gPLAZMA, and SAZ

3 VO Privilege Activity Motivations Improve user account assignment at grid sites –Make user-to-account mapping flexible and dynamic, using remote Grid Identity Mapping Services –Base user-to-account mapping on both user role and least privilege access Reduce account management administrative overhead

4 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA PRIMA Authorization Service Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMALite Authorization Services suite VO Privilege Activity Architecture

5 Resource Selection Service (ReSS) Activity

6 The Resource Selection Activity The Resource Selector is a component of the OSG Job Management Infrastructure. The project started in Sep 2005 with a planned duration of 9 months Sponsored by PPDG as a DZero contribution to the Common Project People: Fermilab, OSG TG-MIG group, PPDG

7 The Resource Selection Activity Motivations A Resource Selector allows… –…expressing requirements on the resources in the job description without a Resource Selector, the user is responsible for selecting the resource for the job –…the user to refer to abstract characteristics of the resources in the job description without a Resource Selector, the user must use concrete resource attribute values in the job description (e.g. to initialize the job environment)

8 The Resource Selection Activity Deliverables The Resource Selection Activity has two major goals 1.Enable OSG resource usage by DZero. Jobs will be prepared and data will be handled by the SAM-Grid. 2.Develop and deploy a Resource Selection Service that VOs with requirements on job management similar to DZero can use.

9 The Resource Selection Activity Architecture Condor Match Maker Info Gatherer classads CEMon CE Gate1 job-managers jobsinfo CLUSTER CEMon CE Gate2 job-managers jobsinfo CLUSTER CEMon CE Gate3 job-managers jobsinfo CLUSTER classads Condor Scheduler job What Gate? Gate 3 job

10 OSG Auditing Activity

11 The activity develops a system to record a suitable audit trail for grid services –Audit trail is a set of log entries to determine who did what, when, where and how –Audit trail is critical for both debugging and security investigations Started Winter 05

12 OSG Auditing Goals Provide tools to the site to gather audit events, process them, correlate them, in order to facilitate post-mortem investigations and malicious use detection –Security concerns impose that a site auditing service could allow queries that do not expose much data (e.g. yes/no question such as: did this DN submit more than 10 jobs in the past 24 hours?). The feasibility/utility of across-site auditing is under investigation. Determining what has happened in a GRID environment –Chain of events to follow: user contacts a resource broker, which submits to a gatekeeper, which starts a batch job, which execute on a node, which starts a file transfer, …

13 Auditing at a site (an example) Grid FTP … GK GRAM Centralized logging Parsing Auditing Service Allows to search through events and make correlation. The user will use a GUI or command line tools to navigate through the data, and will retrieve pointers to the actual log entries when needed. We need to make sure the services actually provide enough information. Some sites already have a way to collect and store logs, based on syslog or other standard practices. We want to leverage and integrate within the framework. Site Cyber security

14 OSG Accounting Activity

15 The goal of the activity is to develop a system to track the consumption of OSG services and resources user by user Sponsored by SLAC, Fermilab and PPDG Started Summer 2005 More Info: google “osg accounting”

16 OSG Accounting Activity Motivation The OSG infrastructure must provide its users with precise and reliable information about resources consumption. Availability of such information will allow resource providers to directly link resources consumption with VOs and science projects goals, improve resource planning and organization at the resource providers sites eventually, support automatic resource allocations and consumption based on an economic model.

17 OSG Accounting Activity Architecture

18 OSG Accounting Activity

19 OSG Edge Services Framework Activity

20 In OSG, services on the “Edge” of the Grid/Fabric site boundaries grant users access to site private services. Started in September 2005. Collaboration: Physicists, Computer Scientists & Engineers, Software Architects. People: USALTLAS, USCMS, Globus Alliance, ANL, U. Chicago, UC San Diego Web collaborative area – http://osg.ivdgl.org/twiki/bin/view/EdgeServices

21 OSG Edge Services Framework Activity Vision OSG site provides access to a shared compute & storage cluster via two types of services. Those shared between VOs, and those that are VO specific. VO specific service deployment is made possible via a shared services framework.

22 OSG Edge Service Framework Activity Motivation OSG has many VOs each with many different requirements Resources may be partitioned into specific, VO- dedicated servers along side shared, open grid services used by many VOs. Each VO may want to use different software to implement any particular kind of an edge service Each VO may put different requirements on edge service in terms of resource usage.

23 ESF - Phase 1 ESF SECE Site CMS Role=VO Admin XEN vm Based on XEN & Gt4 work spaces

24 ESF - Phase 1 ESF SECE Site CMS Role=VO Admin dom0

25 ESF - Phase 1 ESF SECE Site Role=VO Admin dom0

26 ESF - Phase 1 ESF SECE Site Role=VO Admin dom0

27 ESF - Phase 1 ESF SECE Site CMS Role=VO Admin dom0

28 ESF - Phase 1 ESF SECE Site CMS Role=VO User domU dom0 XEN

29 ESF - Phase 1 ESF SE Site CMS Role=VO User CE dom0 domU

30 ESF - Phase 1 ESF SECE Site CMS Role=VO User dom0 domU

Download ppt "VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring."

Similar presentations

Open Science Grid Living on the Edge: OSG Edge Services Framework Kate Keahey Abhishek Rana.

Open Science Grid Living on the Edge: OSG Edge Services Framework Kate Keahey Abhishek Rana.
Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Workload Management Workpackage Massimo Sgaravatto INFN Padova.

Workload Management Workpackage Massimo Sgaravatto INFN Padova.
Workload Management Massimo Sgaravatto INFN Padova.

Workload Management Massimo Sgaravatto INFN Padova.
The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.

The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.
Virtual Infrastructure in the Grid Kate Keahey Argonne National Laboratory.

Virtual Infrastructure in the Grid Kate Keahey Argonne National Laboratory.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

Similar presentations

Ads by Google