Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.


Virtual Organisations

4 Dec. 2007 (c) The University of Manchester
Slide 3: What is a Virtual Organisation?
- Is it like an organisation, only virtual?
  - Does it need to be a legal entity? Not always, but to function fully it will probably need at least one legal representative.
- Is it a group of people?
  - Does it need to be more than one person?
- An inter-organisation entity
  - Does it need to involve more than one organisation?
  - Does it need to involve any organisation?
- Is it only about people?
  - Organisations have buildings, computers, data, ...

Slide 4: Defining a VO as a Grid Entity
- Lists
  - of members: Distinguished Names, certificates, or DNs plus the DN of the issuer
- Lists express
  - VO memberships
  - Role memberships
  - Group memberships
  - ...
- Regulations / T&Cs
  - Acceptable Use Policy

Slide 5: Granting a VO Access to the Grid
- Copying the lists (of DNs, of certificates, or of subject and issuer DNs): the 'Poll' model
- Defining rules, e.g. everyone from Manchester and Edinburgh: O=Edinburgh, C=UK || O=Manchester, C=UK (NB this doesn't work well in grids)
- Ask someone else: call out to some on-line service, e.g. SAML requests (the Pull model)
- User-provided credentials, e.g. Attribute Certificates or SAML Assertions (the Push model)
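An added example, not part of the original slides, showing the list-based ('poll') and rule-based models above in Python: a resource holds (subject DN, issuer DN) pairs, or evaluates a rule such as O=Edinburgh, C=UK || O=Manchester, C=UK against the parsed DN. All class, function names and DNs are constructed assumptions.

```python
# Added example, not from the original slides: the list-based ('poll') and
# rule-based ways a resource can grant VO members access, as the slide
# describes. Class/function names and all DNs are constructed assumptions.
from typing import Iterable, List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL-style DN ('/C=UK/O=Manchester/CN=Jo Bloggs')
    into (attribute type, value) pairs, most significant first."""
    rdns = []
    for part in dn.strip().split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def normalise(dn: str) -> str:
    """Canonical string so spacing or attribute-type case differences
    do not cause a genuine member to miss the list."""
    return "/" + "/".join(f"{a}={v}" for a, v in parse_dn(dn))

class DnList:
    """'Poll' model: the resource keeps a copy of the VO's list of
    (subject DN, issuer DN) pairs. Keying on the issuer as well means a
    same-named subject from a different CA is not treated as the member."""
    def __init__(self, members: Iterable[Tuple[str, str]]):
        self._members = {(normalise(s), normalise(i)) for s, i in members}

    def allows(self, subject: str, issuer: str) -> bool:
        return (normalise(subject), normalise(issuer)) in self._members

def matches_rule(subject: str, rule: List[dict]) -> bool:
    """Rule model, e.g. 'O=Edinburgh, C=UK || O=Manchester, C=UK': each
    dict is one disjunct and every attribute in it must be in the DN."""
    rdns = set(parse_dn(subject))
    return any(all((a.upper(), v) in rdns for a, v in d.items()) for d in rule)

# Constructed sample data (not real NGS CA or member DNs).
SAMPLE_CA = "/C=UK/O=Example e-Science CA/CN=CA"
SAMPLE_MEMBERS = DnList([("/C=UK/O=Manchester/CN=Jo Bloggs", SAMPLE_CA)])
MANCHESTER_OR_EDINBURGH = [{"O": "Edinburgh", "C": "UK"},
                           {"O": "Manchester", "C": "UK"}]
```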

Slide 6: How Do VOs Help? List Maintenance
- Grid resources grant access based on local policy
  - Attribute matching against a list (e.g. a bunch of named individuals) or against a rule (e.g. a time constraint)
- Maintaining lists can be cumbersome
  - especially if they're dynamic
  - especially if they need to be in many locations
- Delegate list maintenance
  - Maintain lists of VOs, not users
  - Reduces overheads on resources
  - Empowers project managers

Slide 7: How Do VOs Help? Accounting
- How to get charging right for resource usage
  - Possibility of using a resource for more than one purpose
  - (but) with DN-list based authorisation the first "mapping" is the project to charge to
- How to assert which account to charge my usage to
  - Supply VO membership details or attributes, i.e. "authorise me to use the resource as NNNN from VO MMMM"
- VO -> Project mapping?

Slide 8: VOs and Network Entities
- Resources used by the VO
  - Easiest case: VO = Project; the project requires resources (CPU / disk / bandwidth / detector ...)
  - The project maintains a list of people, their roles and groups
  - The project applies for resources on behalf of its people
- Resources provided by the VO
  - Harder case: VO = Project / Organisation, people and resources
  - The project requires occasional extra resources / different resources
  - Projects can trade their resources

The Virtual Organisation Membership Service

Slide 10: What is VOMS?
- The Virtual Organisation Membership Service
  - One or more databases of users, groups and roles
  - A set of Web Services to query and administer these databases
  - A portal to interface to these Web Services
  - A GSI service for obtaining "Attribute Certificates"
  - A bundle of client and administration tools

Slide 11: VOMS VO
- VO names
  - usually DNS-based names (to avoid name-space conflicts)
  - e.g. ngs.ac.uk

Slide 12: VOMS Database
- Each VO on a VOMS server has a database
  - DN
  - Issuer DN
  - Groups
  - Roles
  - ..., CN, Institute, Phone Number, ...

Slide 13: VOMS Web
- Each VOMS has a Web Service interface
  - Allowing script-based access, for VO administration and list retrieval (polling)
- Each VOMS has a Web Portal interface
  - Allowing non-technical VO administration: users can request to join a VO; VO managers may add users and change users' roles
- Each VO will have a URI
  - The NGS VO's is ...; pointing a browser at this will reveal the Portal interface

Slide 14: VOMS and GSI
- VOMS works with the Grid Security Infrastructure
  - A proxy certificate may contain a VOMS extension
  - Extensions may contain one or more "Attribute Certificates"
  - Resources may extract and use these ACs instead of polling VOMS servers
- Each VO on a VOMS server has a VOMS daemon
  - This is what voms-proxy-init will talk to; clients need configuring
  - It is used mainly to obtain Attribute Certificates
  - It is a mutually authenticated connection: you and it both need grid (GSI) credentials

Slide 15: VOMS and Attribute Certificates
- ACs tie a Grid certificate to attributes
- Attributes are called Fully Qualified Attribute Names (FQANs)
- FQANs may look like these:
  - "/ngs.ac.uk/Role=NULL"
  - "/ngs.ac.uk/SomeGroup/Role=Some Role"
- ACs may contain multiple FQANs
  - The first one is usually taken for authorisation purposes
- ACs are signed by the VOMS server (NB to validate the AC one needs the VOMS server certificate)
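An added example, not part of the original slides, covering both the accounting slide ("authorise me as NNNN from VO MMMM") and this one: it parses FQANs of the forms shown, treats Role=NULL as "no role", refuses an AC whose signature has not been validated against the VOMS server certificate, and maps the first FQAN to a local account. The AttributeCertificate class, the signature_valid flag and the ACCOUNT_MAP entries are constructed assumptions.

```python
# Added example, not from the original slides: parsing FQANs from a VOMS
# attribute certificate and using the first one to pick the local account.
# AttributeCertificate is a constructed stand-in for the real signed
# structure; `signature_valid` stands for the result of checking the AC
# signature against the VOMS server certificate. ACCOUNT_MAP is assumed.
import re
from dataclasses import dataclass
from typing import List, Optional

FQAN_RE = re.compile(
    r"^/(?P<vo>[^/=]+)(?P<groups>(?:/[^/=]+)*)"
    r"(?:/Role=(?P<role>[^/]*))?(?:/Capability=(?P<cap>[^/]*))?$")

@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str            # full group path, e.g. '/ngs.ac.uk/SomeGroup'
    role: Optional[str]   # None when the FQAN says Role=NULL or has no role

def parse_fqan(text: str) -> Fqan:
    """Parse '/vo[/group...][/Role=r][/Capability=c]' into its parts."""
    m = FQAN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    role = m.group("role")
    if role in (None, "", "NULL"):
        role = None
    return Fqan(m.group("vo"), "/" + m.group("vo") + m.group("groups"), role)

@dataclass
class AttributeCertificate:
    holder_dn: str
    fqans: List[str]
    signature_valid: bool  # assumed to come from a real AC verifier

# Site policy (constructed): (group path, role) -> local account to charge.
ACCOUNT_MAP = {
    ("/ngs.ac.uk", None): "ngs_default",
    ("/ngs.ac.uk/SomeGroup", "Some Role"): "ngs_somegroup",
}

def local_account(ac: AttributeCertificate) -> Optional[str]:
    """Account to run as and charge to, or None to deny. An unverified AC
    grants nothing; only the first FQAN is used, as the slide notes."""
    if not ac.signature_valid or not ac.fqans:
        return None
    primary = parse_fqan(ac.fqans[0])
    return ACCOUNT_MAP.get((primary.group, primary.role))
```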

VOs, VOMS and the NGS

Slide 17: VOs on the NGS
- NGS provides a VOMS server
  - Hosting a VO is separate from an NGS project application: you may have a VO without any NGS resource allocation
  - Useful not only for NGS but also for other grids

Slide 18: VOMS on the NGS

Slide 19: VOMS on the NGS: List My Details

Slide 20: VOMS on the NGS: Apply for Membership

Slide 21: VOMS on the NGS: List All Members

Slide 22: VOMS on the NGS: List All Roles

Slide 23: VOMS on the NGS: Add New Members

Slide 24: VOMS on the NGS: Configure Access Control

Slide 25: VOMS on the NGS: Client/Server Config

Slide 26: VOMS on the NGS: Getting a VOMS Proxy

Slide 27: VOMS on the NGS: Examining a VOMS Proxy

Slide 28: VOs on the NGS: Future
- NGS currently associates VOs with projects, but
  - project application mechanisms are not quite in place today
  - support of VOs is in development and available only for testing/training purposes, but watch this space!
- The NGS is working towards VOs with resources
  - i.e. to enable NGS Associate and Partner sites' resources to trade with each other and with core sites

Research Computing Services University of Manchester