VOMS: Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb

MWSG Meeting, CERN, Feb /21 Current status Included in EGEE RC1 tag. Passed Stress test from JRA3. Included in LCG 2.4 Included in VDT Used in INFN-Grid since July 2004 (release 2.1.0)

MWSG Meeting, CERN, Feb /21 INFN-Grid experience - Core Four VOs running: cdf, compchem, infngrid, planck. Less than 300 certificates/month generated. Problems:  Error messages are unclear.  In earlier days, sometimes the server hanged. Same problem found by EGEE. Fixed in newer releases, and the fix is committed on the EGEE CVS.  Voms-proxy-init by itself works, but creates standard, non voms- enabled proxies, leading to job failure for VOMS-only VOs. A warning message will be printed on screen warning the user of the fact.

MWSG Meeting, CERN, Feb /21 INFN-Grid experience - Admin Versions and used throughout the experience to administrate VOMS. Some problems have been found. The most notable:  The user search feature still does not work correctly.  The limit of 6 characters for a VO name. Here in INFN-Grid we have longer names: infngrid and compchem.  Removing a role from a user removed also the user himself. In 0.7.1, not verified for

MWSG Meeting, CERN, Feb /21 Future Plans From now to the end of the EGEE project

MWSG Meeting, CERN, Feb /21 Summary DB Replica. Oracle Support. Multiple DNs. APIs. Fake proxy creation tool. Certificate SN tracking. Miscellanea.

MWSG Meeting, CERN, Feb /21 DB Replica A replica system has very recently been released.  Only one master, multiple slaves.  Done using the DB replica mechanism.  Clients can contact indifferently every server.  Load balancing is done automatically by the client program. Just specify –voms, and the client will contact one server at random among those serving the vo In fact, it has already been committed, but the documentation is incomplete

MWSG Meeting, CERN, Feb /21 Oracle support Requirement from LCG DB support for VOMS will be in the form of plugins.  A plugin library will be available for each DB server type.  Initial distribution will contain MySQL and Oracle.  The plugin interface will be published. Interaction with replicas:  First version: Only replicas between the same DB type.  Following version: Will make use of a multi-DB replica system.  One such system that will be investigated is Constanza.

MWSG Meeting, CERN, Feb /21 Multiple DNs (1/7) Problem statement: Users may have more than one certificate.  Current version of VOMS will consider them to belong to different users -> But it is the same user! Or, a certificate may change over time.  And so, an user may lose property of his resources or access to them.

MWSG Meeting, CERN, Feb /21 Multiple DNs (2/7) It will be possible to assign multiple certificates to the same userID (uid).  Will the admin interface work if the auto_increment is dropped from the definition of the uid field in the usr table?  Any certificate will work.  The generated AC will have as holder the certificate used for authentication with the server, but will include all known alternative names.

MWSG Meeting, CERN, Feb /21 Multiple DNs (3/7) Also, a world-wide unique ID will be associated to every user. Based on the creation of a 20-byte secure random number associated to each master VO server. Combined with the user ID inside the VO. Will be guaranteed to last as long as at least one alias of the user will remain registered with the VO. User IDs will never be reused (Karoly?) This, too, will be published in the AC.

MWSG Meeting, CERN, Feb /21 Multiple DNs (4/7) Alias registration: Prerequisites  The user already has at least an alias registered -> Must have been added by the admin.  The user hold the private key of the new credential.

MWSG Meeting, CERN, Feb /21 Multiple DNs (5/7) Alias registration: specifics  Done through a command line utility.  The user to the VOMS server.  The user Authenticates via GSI with the old credentials.  A challenge/response protocol is used to authenticate with the new credentials, inside the already established connection.  If all goes well, a row is added to the usr table, with the same user ID.

MWSG Meeting, CERN, Feb /21 Multiple DNs (6/7) Alias Cancellation: prerequisites  The user must still hold either the credential being deleted, or a credential aliased with the one to delete. Alias Cancellation: specifics  The user authenticates via GSI to the VOMS server.  The user sends the name of the alias to be removed, in the form of an (invalid?) certificate.  If the user holds the specified alias, then it is removed.  WARNING: It is possible to remove all aliases! Maybe force at least one to remain?

MWSG Meeting, CERN, Feb /21 Multiple DNs (7/7) Command line implementation advantages:  Can be scripted.  Does not require support of uncommon protocols like HTTPG  Can be easily used in a web interface via CGI Disadvantages:  Requires giving the server write access on the usr table Workaround: Create a new ‘alias’ table to only contain new alias, and work on it ONLY. Has the additional advantage of ensuring that the user cannot delete himself from the VO.

MWSG Meeting, CERN, Feb /21 APIs Unify the C and C++ APIs into the same library. Add function to create a proxy from the APIs.  Right now, it can create ACs, but not include them into valid proxies. Add Java APIs  Need to create ACs and proxies from Java. Drop support for pre-AC servers.  N.B: After a year of ‘deprecated’ status, This will be removed in the next version.

MWSG Meeting, CERN, Feb /21 Fake Proxy Creation Tool There is a need to create VOMS proxies without access to a server for TEST purposes.  Will allow the creation of proxies, both valid and invalid (to verify expected failure cases).  Will allow to specify everything that the ‘normal’ voms-proxy-init allows, plus: The exact list of group/role/capabilities attributes. The fake server certificate. The fake server uri.  First version will permit to include only a single AC.  Following versions will allow inclusions of more ACs in the same proxy.

MWSG Meeting, CERN, Feb /21 Certificate SN tracking LCG requested to keep track of the User’s Certificate Serial Number.  Simple solution: Add a field ‘sn’ to the usr table, and update it every time the user connects to the server. Requires update access to the usr table.  Alternatively, a new ‘(dn, ca, sn)’ type table may be created.

MWSG Meeting, CERN, Feb /21 Miscellanea Documentation improvements. Error messages improvements. Bug Fixes. Support and interaction with Policy management systems. Suggestions?

MWSG Meeting, CERN, Feb /21 Timescale Replica (Done) Voms-fake-init (real soon now) Oracle (April 2005) Multiple DNs (June-July) APIs (….) Bugfixes will be done throughout the whole time.

MWSG Meeting, CERN, Feb /21 Contacts Developers:  Mailing list:  Projects under investigation:  Constanza: