VOMS and VOs. Andrew McNab, University of Manchester. 29 June 2006. GridSite, www.gridsite.org

Presentation transcript:

VOMS and VOs
Andrew McNab, University of Manchester

Outline
- What VOMS provides
- What VOs need to do
- VO naming
- VOMS and sites
- ... and jobs
- ... and SRM
- ... application frameworks

What VOMS provides
- X.509 Attribute Certificates (AC)
  – ie a digitally signed statement that a user belongs to one or more groups
- Users fetch a VOMS AC with voms-proxy-init
  – AC included in the proxy that authenticates the user to sites
  – AC proves membership of one or more groups
  – Users can also request proof of roles within groups
- In principle, can have ACs from more than one VOMS

What VOs need
- Their own VOMS service
  – ie on their own machine, or hosted by a Tier-1/Tier-2
  – (GridPP VOMS at Manchester hosts several VOs.)
- To decide what groups and roles they need
  – More can be added at any time
- To define the procedure for joining the VO
  – Local contacts? Proof of experiment membership?
  – LCG VO Policy being drafted: security/documents.html

VO naming
- Several EDG/EGEE/LCG documents have been produced saying that VO names should be DNS names
  – eg atlas.cern.ch, not just atlas
  – this will guarantee uniqueness (eg US vs official VOs)
  – allows for dynamic or lightweight VOs, since a CA should only issue a cert for a DNS name to its owner
- Most of the middleware will accept DNS VO names
- But some problems with deployment scripts
- Someone (GridPP?) should do some real world testing

VOMS on sites
- This is different for different services
  – Some services (eg WM Proxy, LCAS) can use fine grained access based on GridSite/GACL
  – Other systems (eg pool groups) can only handle a limited number of VOMS groups/roles: usually just production, software management and all other users
- VOMS used for two main things
  – Can users of this VO run jobs?
  – Who can access this file?

VOMS and jobs
- Sites already choose which VOs they support, and can enforce this using VOMS
- May also want to restrict access to queues and queue privileges
- But this information is relatively static, and chosen by the site itself as part of its configuration
  – So the current mechanism is sufficient?
- However, there are systems like GPBox which will allow access policies to be published to sites.

VOMS and SRM
- SRM allows users to set Unix-like permissions for files, in terms of users and groups
- This is extended to include DNs or VOMS roles instead of pure Unix names
- Finally, this offers a uniform interface to the various ways of controlling access to files on sites
  – whether Unix files + pool users/groups
  – GridSite GACL policies etc.
- But still need tools to use this interface

Applications
- If VOs decide to use groups and roles, then they need to provide support for this in their application framework (either in software or in documentation)
  – eg if you want to give write access to an analysis group's data to the group's managers
- This is the equivalent of setting umask in Unix, so your files are created with the correct permissions
- It's not clear how this will be done, but the start of chaotic user analysis jobs will be a big motivator for it
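As an added illustration of the fine grained, VOMS-aware file access that the "VOMS on sites", "VOMS and SRM" and "Applications" slides describe, here is a small Python evaluator for a GridSite GACL policy that gives an analysis group's managers write access to the group's data and its members read access. This is example code, not GridSite's own: the element names follow the GACL XML format, while the deny-overrides-allow rule, the AND of several credentials within one entry and the group-prefix matching of FQANs are assumptions made for this example, and the policy, DNs and FQANs are constructed.

```python
import xml.etree.ElementTree as ET
PERMISSIONS = ("read", "list", "write", "admin")

# Constructed sample policy (not from the talk): analysis-group managers may
# write the group's data, any group member may read/list it, one DN is denied.
SAMPLE_GACL = """
<gacl version="0.0.1">
  <entry>
    <voms><fqan>/atlas.cern.ch/analysis/Role=manager</fqan></voms>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/atlas.cern.ch/analysis</fqan></voms>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <person><dn>/O=Example/CN=Banned User</dn></person>
    <deny><read/><list/><write/><admin/></deny>
  </entry>
</gacl>
"""

def fqan_matches(policy_fqan, user_fqan):
    """Exact match, or (assumption) the user's FQAN is a subgroup/role below the policy group."""
    return user_fqan == policy_fqan or user_fqan.startswith(policy_fqan + "/")

def credential_matches(cred, dn, fqans):
    """Match one GACL credential element; dn-list and dns lookups are omitted here."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return dn is not None
    if cred.tag == "person":
        return cred.findtext("dn") == dn
    if cred.tag == "voms":
        return any(fqan_matches(cred.findtext("fqan"), f) for f in fqans)
    return False

def evaluate(gacl_xml, dn, fqans=()):
    """Granted = union of <allow> over matching entries minus union of <deny>
    over matching entries; all credentials within one entry must match (AND)."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(credential_matches(c, dn, fqans) for c in creds):
            continue
        allowed.update(p.tag for p in entry.findall("allow/*") if p.tag in PERMISSIONS)
        denied.update(p.tag for p in entry.findall("deny/*") if p.tag in PERMISSIONS)
    return allowed - denied
```

A real VOMS proxy carries the plain group FQAN alongside any requested role FQAN, which is why the manager in the test holds both; the banned DN shows that a matching deny entry removes permissions the voms entries would otherwise grant.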

VOMS implementations
- INFN CNAF/Bologna
  – VOMS AC issuing server: the only implementation, and derived from the Globus gatekeeper
  – VOMS parser for C/C++: again, depends on Globus libs
- CERN/KTH (EDG WP2)
  – Java Security: now part of gLite, and used by gLite Java
- GridPP Manchester
  – GridSite for C/C++/scripts: used by Apache based gLite Web Services (WM Proxy) and being taken up by LCAS

Summary
- The VOMS middleware itself and running VOMS services exist and are pretty complete
- Finer grained control is becoming available
- Applications need to decide how they plan to use these extra options
  – eg delegate write permissions to analysis subgroups
- Several implementations exist
  – including our home-grown GridSite one from GridPP