Multi-Site VOs and Multi-VO Sites in Open Science Grid. Abhishek Singh Rana and Frank Wuerthwein, UC San Diego, The Open Science Grid Consortium (www.opensciencegrid.org). Global Grid Forum GridWorld GGF15, Boston, USA, October 3, 2005.
Slide 1: Multi-Site VOs and Multi-VO Sites in Open Science Grid. Abhishek Singh Rana, UC San Diego, and Frank Wuerthwein, UC San Diego. The Open Science Grid Consortium (www.opensciencegrid.org). GridWorld/GGF15, October 3-6, 2005, Boston, MA, USA. Community Activity: Leveraging Site Infrastructure for Multi-Site Grids.

Slide 2: Collaborative Effort. Open Science Grid RBAC, Security and Policy Frameworks; Privilege Project; PPDG Common; USATLAS; USCMS. Participating institutions: Fermi National Lab, Brookhaven National Lab, U California San Diego, Virginia Tech. Technical Lead: Ian Fisk, FNAL. Technical Coordinator: Dane Skow, FNAL.

Slide 3: Outline. Concepts & Goals. Examples:
– Compute Element.
– Storage Element.
– User work space at a compute node.

Slide 4: OSG Approach: Concepts.
– Global specification of privilege requirements per Role.
– Site-central mapping of Role to an implementation of the privilege requirements.
– Local enforcement of the privilege requirements.

Slide 5: Multi-Site VO (diagram: one VO spanning several Sites, each Site with its own CE and SE).

Slide 6: Multi-VO Site (diagram: one Site, with a CE and an SE, serving several VOs).

Slide 7: A Multi-VO Multi-Site Grid (diagram: many Sites, each with a CE and an SE, shared by many VOs).

Slide 8: OSG Approach.
VO defines Roles and associated privileges by specifying the expected functionality.
– E.g. cmssoft may install software in an area that is read-only for all cmsgrid user jobs running on the site/campus.
– E.g. cmssvc may deploy a DB cache available to all cmsgrid user jobs running on the site/campus.
Site maps VO-scope identities to local-scope identities.
– Site-wide management of the mapping.
– Service-level granularity of the mapping.
Site enforces the VO privilege policies within the local-scope identities.
Authorization = !(Site-vetoed) && (VO-allowed)
That is, the site veto always wins: a VO can only grant what the site has not forbidden, and a VO grant is still required.

Slide 9: Authorization architecture (diagram). A Local or Remote Client presents a Proxy with VO Membership | Role Attributes, which originate in the VO Attribute Repository. On the site side: a Site-wide Assertion Service; a Site-wide Mapping Service; a Site Authorization Service for Services X, Y, Z with a separate Service X Veto, Service Y Veto and Service Z Veto; an Auxiliary Authorization Service and an Auxiliary Mapping Service for Service Z; a Callout Module for X, Y and a Callout Module for Z. Services X, Y and Z are spread over Host 1 and Host 2.

Slide 10: The same diagram with PDP and PEP labels added: the site authorization service and the auxiliary authorization service are the policy decision points (PDP), and the callout module inside each service is the policy enforcement point (PEP).

Slide 11: Example: Compute Element.

Slide 12: CE: Globus and Condor. PRIMA and GUMS provide CE authz in the OSG approach. PRIMA authenticates (as the gatekeeper's authorization callout it takes the VO membership and role attributes from the authenticated proxy and asks the site services for a decision). GUMS translates {DN, Membership, Role} to Username. The system translates Username to a site-wide {UID}.

Slide 13: CE deployment (diagram). A Local or Remote Client presents a Proxy with VO Membership | Role Attributes (issued by VOMS) to the CE Globus Gatekeeper; the PRIMA callout, built on the PRIMA C SAML libraries, consults the Site-wide Mapping Service (GUMS) and the Site-wide Assertion Service (Site SAZ). Deployed at many sites/campuses with static UIDs as well as UID pools.
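The decision rule of slide 8, Authorization = !(Site-vetoed) && (VO-allowed), and the CE mapping of slides 12-13 ({DN, Membership, Role} to a local username, with static accounts as well as UID pools) are small enough to write out. The block below is an added example, not code from OSG, GUMS, SAZ or PRIMA: the SiteAuthz class, its tables, and every DN, VO, group, role and account name in it are constructed for the illustration. It trusts the VO attributes it is handed; in production the callout has already verified the VOMS attribute certificate's signature before any of this runs.

```python
"""Site-side authorization in the OSG model (added example, not OSG/GUMS/SAZ code).

    Authorization = !(Site-vetoed) && (VO-allowed)

then {DN, Membership, Role} -> local username, static or from a UID pool.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class VomsAttrs:
    """VO attributes the client presents in its proxy (assumed already verified)."""
    dn: str      # subject DN of the end-entity certificate (constructed values below)
    vo: str      # VO name, e.g. "cms"
    group: str   # VOMS group, e.g. "/cms"
    role: str    # VOMS role, e.g. "cmssoft"; "NULL" marks an ordinary member


@dataclass
class SiteAuthz:
    """Hypothetical site-central tables: a veto list (SAZ-like) and a mapping table (GUMS-like)."""
    banned_dns: set = field(default_factory=set)
    banned_vos: set = field(default_factory=set)
    # (vo, group, role) -> one shared static account
    static_map: dict = field(default_factory=dict)
    # (vo, group, role) -> ordered list of pool accounts
    pool_map: dict = field(default_factory=dict)
    # sticky pool assignments: (vo, group, role, dn) -> account
    assigned: dict = field(default_factory=dict)

    def site_vetoed(self, a: VomsAttrs) -> bool:
        return a.dn in self.banned_dns or a.vo in self.banned_vos

    def vo_allowed(self, a: VomsAttrs) -> bool:
        key = (a.vo, a.group, a.role)
        return key in self.static_map or key in self.pool_map

    def authorize(self, a: VomsAttrs) -> bool:
        # the site veto always wins; the VO can only grant what the site has not forbidden
        return (not self.site_vetoed(a)) and self.vo_allowed(a)

    def map_to_local(self, a: VomsAttrs) -> Optional[str]:
        """Return the local username, or None when the request is denied."""
        if not self.authorize(a):
            return None
        key = (a.vo, a.group, a.role)
        if key in self.static_map:
            return self.static_map[key]
        pkey = key + (a.dn,)
        if pkey not in self.assigned:
            in_use = set(self.assigned.values())
            free = [u for u in self.pool_map[key] if u not in in_use]
            if not free:
                return None  # pool exhausted: fail closed rather than share an account
            self.assigned[pkey] = free[0]  # same DN gets the same account on later requests
        return self.assigned[pkey]


def example_site() -> SiteAuthz:
    """A constructed site configuration for the demonstration."""
    return SiteAuthz(
        banned_dns={"/DC=example/OU=People/CN=mallory"},
        static_map={("cms", "/cms", "cmssoft"): "cmssoft"},
        pool_map={("cms", "/cms", "NULL"): ["cms001", "cms002"]},
    )


def demo() -> list:
    site = example_site()
    alice = VomsAttrs("/DC=example/OU=People/CN=alice", "cms", "/cms", "NULL")
    bob = VomsAttrs("/DC=example/OU=People/CN=bob", "cms", "/cms", "NULL")
    carol = VomsAttrs("/DC=example/OU=People/CN=carol", "cms", "/cms", "NULL")
    mallory = VomsAttrs("/DC=example/OU=People/CN=mallory", "cms", "/cms", "cmssoft")
    return [
        site.map_to_local(alice),    # 'cms001' (first free pool account)
        site.map_to_local(alice),    # 'cms001' again (sticky assignment)
        site.map_to_local(bob),      # 'cms002'
        site.map_to_local(carol),    # None: pool exhausted
        site.map_to_local(mallory),  # None: VO-allowed, but site-vetoed
    ]


if __name__ == "__main__":
    print(demo())
```

The two failure modes worth noticing are both handled by returning None: a banned DN that the VO would happily map to the privileged cmssoft account is still refused, and an exhausted pool refuses the newcomer instead of doubling up two DNs on one UID, which would destroy the accountability the mapping exists to provide.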

Slide 14: Example: Storage Element.

Slide 15: SE: SRM-dCache. Different doors for different authz methods; the same underlying local authz mechanism. Can be mapped to the site's UID/GID domain, or be restricted to SRM-dCache only. Examples:
– USCMS-VO at FNAL: site UID domain.
– CDF-VO at FNAL: site Kerberos domain.

Slide 16: SE: SRM-dCache. gPLAZMA extends the SRM-dCache separation of SE authz from CE authz to the OSG approach. gPLAZMA authenticates. The Storage Authz Service contacts GUMS and the gPLAZMA Storage Metadata Service. GUMS translates {DN, Membership, Role} to Username. The system optionally translates Username to a site-wide {UID, GID}. The gPLAZMA Storage Metadata Service translates Username to a Storage-privilege Set. A Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}. The Storage-privilege Set is a user-level ACL governed by {DN, Membership, Role}.
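The second step of slide 16, Username to Storage-privilege Set {UID, GID, permitted storage area, R/W permissions}, is where an SE door actually decides whether a request may touch a path. The block below is an added example and not gPLAZMA code: it takes the username as already produced by the mapping step, keeps a constructed storage metadata table (STORAGE_META, with made-up /pnfs/site.example paths, UIDs and GIDs), and applies the check a door would apply to a request. The one detail a practitioner should not skip is the path normalisation: "permitted storage area" is only meaningful if ".." segments and prefix look-alikes cannot escape it.

```python
"""Storage-privilege Set lookup and enforcement (added example, not gPLAZMA code)."""
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class StoragePrivilege:
    """{UID, GID, permitted storage area, R/W permissions} for one local username."""
    uid: int
    gid: int
    root: str    # permitted storage area: absolute path in the SE namespace
    read: bool
    write: bool


# Constructed storage metadata table; usernames are the output of the GUMS-style mapping.
STORAGE_META = {
    "cmssoft": StoragePrivilege(40001, 4000, "/pnfs/site.example/cms/sw", True, True),
    "cms001":  StoragePrivilege(40101, 4000, "/pnfs/site.example/cms/user/cms001", True, True),
    "cmsro":   StoragePrivilege(40002, 4000, "/pnfs/site.example/cms", True, False),
}


def privilege_for(username: str) -> Optional[StoragePrivilege]:
    return STORAGE_META.get(username)


def path_inside(root: str, path: str) -> bool:
    """True if `path` (after normalisation) is `root` or lies strictly below it."""
    norm = posixpath.normpath(path)          # collapses '..' and repeated slashes
    if not norm.startswith("/"):
        return False                         # relative paths are never accepted
    root_n = posixpath.normpath(root)
    # the trailing '/' stops '/cms/user/cms001' from matching '/cms/user/cms0011'
    return norm == root_n or norm.startswith(root_n.rstrip("/") + "/")


def authorize_storage(username: str, path: str, op: str) -> Optional[Tuple[int, int]]:
    """Return the (uid, gid) the request runs as, or None if it is denied."""
    if op not in ("read", "write"):
        raise ValueError("op must be 'read' or 'write'")
    priv = privilege_for(username)
    if priv is None:
        return None                          # no privilege set at all: deny
    if not path_inside(priv.root, path):
        return None                          # outside the permitted storage area
    if op == "write" and not priv.write:
        return None
    if op == "read" and not priv.read:
        return None
    return (priv.uid, priv.gid)


def demo() -> list:
    return [
        authorize_storage("cms001", "/pnfs/site.example/cms/user/cms001/out.root", "write"),     # (40101, 4000)
        authorize_storage("cms001", "/pnfs/site.example/cms/user/cms001/../cms002/x", "read"),   # None: '..' escape
        authorize_storage("cms001", "/pnfs/site.example/cms/user/cms0011/x", "read"),            # None: prefix look-alike
        authorize_storage("cmsro", "/pnfs/site.example/cms/sw/x", "read"),                       # (40002, 4000)
        authorize_storage("cmsro", "/pnfs/site.example/cms/sw/x", "write"),                      # None: read-only set
        authorize_storage("nobody", "/pnfs/site.example/cms/sw/x", "read"),                      # None: unmapped user
    ]


if __name__ == "__main__":
    print(demo())
```

Because the privilege set is keyed on the local username, which in turn is governed by {DN, Membership, Role}, swapping the role in the proxy (cmssoft instead of an ordinary member) changes which storage area and which R/W bits apply without any change to the door itself; that is the user-level ACL the slide describes.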

Slide 17: Combined CE and SE deployment (diagram). A Local or Remote Client presents a Proxy with VO Membership | Role Attributes. CE: Globus Gatekeeper with PRIMA callout, built on the PRIMA C SAML libraries. SE: SRM-GridFTP with gPLAZMA callout, the gPLAZMA PRIMA Authorization Service (PRIMA Java SAML) and gPLAZMA Storage metadata (Auxiliary Mapping Service), together forming the gPLAZMALite Authorization Services suite. Site services: GUMS (Site-wide Mapping Service), Site SAZ (Site-wide Assertion Service), VOMS.

Slide 18: The same diagram with the OGSA AuthZ interface marked.

Slide 19: The same diagram with the acronyms expanded: PRIMA, A System for Privilege Management and Authorization in Grids; gPLAZMA, grid-aware Pluggable Authorization Management System; GUMS, Grid User Management System; SAZ, Site Authorization Service; VOMS, Virtual Organization Membership Service.

Slide 20: The same diagram with contributors: PRIMA: Markus Lorch, VT. gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL. GUMS: Gabriele Carcassi, BNL. SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL. SRM-dCache: DESY/FNAL teams. VOMS: INFN teams, Italy.

Slide 21: SE ACLs: VO versus Site Control.
VO control of ACLs:
– All files are owned by the VO.
– Simple solutions.
– VO PDP, separated from the Resource.
Site control of ACLs:
– All files are owned by the {DN, Membership, Role} of a User.
– Site SE enforces global (VO) and local (site) policies.
– Global and local policies are used together to isolate privileges, grant privacy to the user, and perform fine-grained security.
– Demands sophisticated solutions.
– Site PDP, closer to the Resource.

Slide 22: Example: User work space.

Slide 23: Consider a simple goal... If a user credential gets compromised, the miscreant must be restricted to using the stolen credentials only to run the user's application. What would this require?
– Slicing of a Resource, on demand.
– A PEP closer to such finer slices of a Resource.
– Customized (possibly transient) slices.
– Isolation of the environment of such a slice.
A resource slice plus applications make a work space.

Slide 24: User work space. Concepts:
– TID (Transactional Identity) = {DN, Membership Profile, Set of Roles}.
– Thus a TID is VO- and "application type"-specific.
– A TID functions as a tag for work space characteristics.
– The site-central mapping service translates a TID into work space characteristics.
– A compute-node local service provisions the work space according to those characteristics.

Slide 25: Summary of OSG Approach.
Global specification of privilege requirements per role.
– Means to do so are lacking today!
Site-central mapping of role to an implementation of the privilege requirements.
– Simple solutions in production usage.
Local enforcement of the privilege requirements.
– Simple solutions in production usage.
– Moving forward to designing more advanced solutions.