Presentation is loading. Please wait.

Presentation is loading. Please wait.

VOMS: Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb 23-24 2005.

Published byScot Joseph Modified over 8 years ago

Similar presentations

Presentation on theme: "VOMS: Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb 23-24 2005."— Presentation transcript:

1 VOMS: Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb 23-24 2005

2 MWSG Meeting, CERN, Feb. 23-24 2005 - 2/21 Current status Included in EGEE RC1 tag. Passed Stress test from JRA3. Included in LCG 2.4 Included in VDT 1.3.1 Used in INFN-Grid since July 2004 (release 2.1.0)

3 MWSG Meeting, CERN, Feb. 23-24 2005 - 3/21 INFN-Grid experience - Core Four VOs running: cdf, compchem, infngrid, planck. Less than 300 certificates/month generated. Problems:  Error messages are unclear.  In earlier days, sometimes the server hanged. Same problem found by EGEE. Fixed in newer releases, and the fix is committed on the EGEE CVS.  Voms-proxy-init by itself works, but creates standard, non voms- enabled proxies, leading to job failure for VOMS-only VOs. A warning message will be printed on screen warning the user of the fact.

4 MWSG Meeting, CERN, Feb. 23-24 2005 - 4/21 INFN-Grid experience - Admin Versions 0.7.1 and 0.7.5 used throughout the experience to administrate VOMS. Some problems have been found. The most notable:  The user search feature still does not work correctly.  The limit of 6 characters for a VO name. Here in INFN-Grid we have longer names: infngrid and compchem.  Removing a role from a user removed also the user himself. In 0.7.1, not verified for 0.7.5.

5 MWSG Meeting, CERN, Feb. 23-24 2005 - 5/21 Future Plans From now to the end of the EGEE project

6 MWSG Meeting, CERN, Feb. 23-24 2005 - 6/21 Summary DB Replica. Oracle Support. Multiple DNs. APIs. Fake proxy creation tool. Certificate SN tracking. Miscellanea.

7 MWSG Meeting, CERN, Feb. 23-24 2005 - 7/21 DB Replica A replica system has very recently been released.  Only one master, multiple slaves.  Done using the DB replica mechanism.  Clients can contact indifferently every server.  Load balancing is done automatically by the client program. Just specify –voms, and the client will contact one server at random among those serving the vo In fact, it has already been committed, but the documentation is incomplete

8 MWSG Meeting, CERN, Feb. 23-24 2005 - 8/21 Oracle support Requirement from LCG DB support for VOMS will be in the form of plugins.  A plugin library will be available for each DB server type.  Initial distribution will contain MySQL and Oracle.  The plugin interface will be published. Interaction with replicas:  First version: Only replicas between the same DB type.  Following version: Will make use of a multi-DB replica system.  One such system that will be investigated is Constanza.

9 MWSG Meeting, CERN, Feb. 23-24 2005 - 9/21 Multiple DNs (1/7) Problem statement: Users may have more than one certificate.  Current version of VOMS will consider them to belong to different users -> But it is the same user! Or, a certificate may change over time.  And so, an user may lose property of his resources or access to them.

10 MWSG Meeting, CERN, Feb. 23-24 2005 - 10/21 Multiple DNs (2/7) It will be possible to assign multiple certificates to the same userID (uid).  Will the admin interface work if the auto_increment is dropped from the definition of the uid field in the usr table?  Any certificate will work.  The generated AC will have as holder the certificate used for authentication with the server, but will include all known alternative names.

11 MWSG Meeting, CERN, Feb. 23-24 2005 - 11/21 Multiple DNs (3/7) Also, a world-wide unique ID will be associated to every user. Based on the creation of a 20-byte secure random number associated to each master VO server. Combined with the user ID inside the VO. Will be guaranteed to last as long as at least one alias of the user will remain registered with the VO. User IDs will never be reused (Karoly?) This, too, will be published in the AC.

12 MWSG Meeting, CERN, Feb. 23-24 2005 - 12/21 Multiple DNs (4/7) Alias registration: Prerequisites  The user already has at least an alias registered -> Must have been added by the admin.  The user hold the private key of the new credential.

13 MWSG Meeting, CERN, Feb. 23-24 2005 - 13/21 Multiple DNs (5/7) Alias registration: specifics  Done through a command line utility.  The user to the VOMS server.  The user Authenticates via GSI with the old credentials.  A challenge/response protocol is used to authenticate with the new credentials, inside the already established connection.  If all goes well, a row is added to the usr table, with the same user ID.

14 MWSG Meeting, CERN, Feb. 23-24 2005 - 14/21 Multiple DNs (6/7) Alias Cancellation: prerequisites  The user must still hold either the credential being deleted, or a credential aliased with the one to delete. Alias Cancellation: specifics  The user authenticates via GSI to the VOMS server.  The user sends the name of the alias to be removed, in the form of an (invalid?) certificate.  If the user holds the specified alias, then it is removed.  WARNING: It is possible to remove all aliases! Maybe force at least one to remain?

15 MWSG Meeting, CERN, Feb. 23-24 2005 - 15/21 Multiple DNs (7/7) Command line implementation advantages:  Can be scripted.  Does not require support of uncommon protocols like HTTPG  Can be easily used in a web interface via CGI Disadvantages:  Requires giving the server write access on the usr table Workaround: Create a new ‘alias’ table to only contain new alias, and work on it ONLY. Has the additional advantage of ensuring that the user cannot delete himself from the VO.

16 MWSG Meeting, CERN, Feb. 23-24 2005 - 16/21 APIs Unify the C and C++ APIs into the same library. Add function to create a proxy from the APIs.  Right now, it can create ACs, but not include them into valid proxies. Add Java APIs  Need to create ACs and proxies from Java. Drop support for pre-AC servers.  N.B: After a year of ‘deprecated’ status, This will be removed in the next version.

17 MWSG Meeting, CERN, Feb. 23-24 2005 - 17/21 Fake Proxy Creation Tool There is a need to create VOMS proxies without access to a server for TEST purposes.  Will allow the creation of proxies, both valid and invalid (to verify expected failure cases).  Will allow to specify everything that the ‘normal’ voms-proxy-init allows, plus: The exact list of group/role/capabilities attributes. The fake server certificate. The fake server uri.  First version will permit to include only a single AC.  Following versions will allow inclusions of more ACs in the same proxy.

18 MWSG Meeting, CERN, Feb. 23-24 2005 - 18/21 Certificate SN tracking LCG requested to keep track of the User’s Certificate Serial Number.  Simple solution: Add a field ‘sn’ to the usr table, and update it every time the user connects to the server. Requires update access to the usr table.  Alternatively, a new ‘(dn, ca, sn)’ type table may be created.

19 MWSG Meeting, CERN, Feb. 23-24 2005 - 19/21 Miscellanea Documentation improvements. Error messages improvements. Bug Fixes. Support and interaction with Policy management systems. Suggestions?

20 MWSG Meeting, CERN, Feb. 23-24 2005 - 20/21 Timescale Replica (Done) Voms-fake-init (real soon now) Oracle (April 2005) Multiple DNs (June-July) APIs (….) Bugfixes will be done throughout the whole time.

21 MWSG Meeting, CERN, Feb. 23-24 2005 - 21/21 Contacts Developers:  vincenzo.ciaschini@cnaf.infn.it, valerio.venturi@cnaf.infn.it vincenzo.ciaschini@cnaf.infn.itvalerio.venturi@cnaf.infn.it Mailing list:  Voms-users@cnaf.infn.it Voms-users@cnaf.infn.it Projects under investigation:  Constanza: http://infnforge.cnaf.infn.it/projects/constanza/

Download ppt "VOMS: Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb 23-24 2005."

Similar presentations

DataTAG WP4 Meeting CNAF Jan 14, 2003 Interfacing AliEn and EDG 1/13 Stefano Bagnasco, INFN Torino Interfacing AliEn to EDG Stefano Bagnasco, INFN Torino.

DataTAG WP4 Meeting CNAF Jan 14, 2003 Interfacing AliEn and EDG 1/13 Stefano Bagnasco, INFN Torino Interfacing AliEn to EDG Stefano Bagnasco, INFN Torino.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Pharos Uniprint 8.3.

Pharos Uniprint 8.3.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Overview This session is aimed at both PeopleSoft Financials users and Security Administrators. We will discuss plans for the 9.2 upgrade including.

Overview This session is aimed at both PeopleSoft Financials users and Security Administrators. We will discuss plans for the 9.2 upgrade including.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.

Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.

ASP.NET Programming with C# and SQL Server First Edition Chapter 8 Manipulating SQL Server Databases with ASP.NET.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
RUG Australia meeting 2012 Feb 6, 2012. V2010.5 Tiers & sequencing suppliers Tiers and sequencing and load balancing  Tiers = groups of suppliers.

RUG Australia meeting 2012 Feb 6, V Tiers & sequencing suppliers Tiers and sequencing and load balancing  Tiers = groups of suppliers.
SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.

SMART Agency Tipsheet Staff List This document focuses on setting up and maintaining program staff. Total Pages: 14 Staff Profile Staff Address Staff Assignment.
DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.

DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.
Global Customer Partnership Council Forum | 2008 | November 18 1IBM - GCPC MeetingIBM - GCPC Meeting IBM Lotus® Sametime® Meeting Server Deployment and.

Global Customer Partnership Council Forum | 2008 | November 18 1IBM - GCPC MeetingIBM - GCPC Meeting IBM Lotus® Sametime® Meeting Server Deployment and.
Don Quijote Data Management for the ATLAS Automatic Production System Miguel Branco – CERN ATC

Don Quijote Data Management for the ATLAS Automatic Production System Miguel Branco – CERN ATC
LiveCycle Data Services Introduction Part 2. Part 2? This is the second in our series on LiveCycle Data Services. If you missed our first presentation,

LiveCycle Data Services Introduction Part 2. Part 2? This is the second in our series on LiveCycle Data Services. If you missed our first presentation,

Similar presentations

Ads by Google