EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Data management in LCG and EGEE David Smith.

Data management in LCG and EGEE
David Smith, CERN & EGEE-JRA1/SA3 Data Management Team
EGEE Workshop on Management of Rights in Production Grids

Overview
The scope of this talk is the gLite 3.0 data management components in the context of rights management
– gLite 3.0 is a combination of software from LCG-2.7, gLite 1.5 and other projects
– One user community in particular is also using some other components from gLite 1.5
  – Will mention gLite I/O and FiReMan (file catalog) in connection with the BIOMED VO
Components in gLite 3.0 relating to rights management:
– Encrypted Data Storage (EDS) tools and keystore service
  – Provides encryption and decryption of data
  – The keystore stores the EDS cipher keys
– Components providing access control list support:
  – EDS keystore
  – The LCG File Catalog (LFC)
  – The Disk Pool Manager (DPM)

EDS and the keystore
EDS handles encryption/decryption of data
– Employs symmetric ciphers via openssl
– Uses a keystore database via a service called Hydra
– EDS is available as an API, and also as a CLI tool that manages I/O access via the gLite 1.5 component gLite I/O
  – Will soon provide CLIs for keystore manipulation and encryption/decryption of files without the gLite I/O layer
  – In the future, tools will be made available that have I/O access via GFAL
Hydra, the EDS keystore
– Is a metadata catalog service
– Is used to store the key, key length, openssl cipher name and cipher IV, as necessary
– Has ACLs on entries to allow fine-grained access control
  – Has 3 sets of perms (8 bits) for user, group, others
  – plus ACLs: perms on a principal (user DN or VOMS group)

EDS tools in use
The medical community is the main EDS user
– They have strict privacy requirements
– Currently using EDS with gLite I/O and FiReMan
  – gLite I/O and FiReMan provide a "wrapping" of the storage element (SE) to allow fine-grained file access independent of the SE's functionality
  – The community has its own storage element (SE) called DICOM-SE
– Files stored on a DICOM-SE are stored in the clear
– Files are encrypted before leaving the DICOM-SE, so:
  – DICOM-SE registers the key in Hydra
  – Data are stored encrypted on normal SEs on the grid
  – Data are decrypted in the memory of the final application by EDS routines

Example: EDS in use
Accessing encrypted data on a standard SE
– Note in this example: authorization decision enforcement is at the gLite I/O server
  – Ensures fine-grained access control to files
– Encryption also works for output data
[Diagram components: SE (SRM, gridftp I/O), gLite I/O, Hydra keystore (keys), FiReMan (file ACL), file]

The LHC File Catalog
LFC uses ACLs to allow restriction of access to the file catalog
– The catalog associates a logical filename (LFN) and a unique identifier (GUID) with a file entry
– A file entry holds information on zero or more physical replicas
– LFNs reside in a hierarchical namespace
– Symbolic links may point to LFNs
– A fixed number of system metadata entries per file
– A small amount (one field) of user-attached metadata per file

Relationships in the catalog (diagram)
– GUID: xxxxxx-xxxx-xxx-xxx-
– System metadata fields: "size", "cksum_type" => "MD5", "cksum" => "yy-yy-yy"
– LFN: /grid/dteam/dir1/dir2/file1.root
– Symlinks (one or more): /grid/dteam/mydir/mylink
– Replicas (one or more): srm://host.example.com/foo/bar on host.example.com

Authorization in the LFC
– DNs are mapped to an internal ID, usually called a virtual ID
– The virtual UID is created on the fly the first time the system receives a request for this DN
– A given user may have one DN and several roles, so a given user may be mapped to one UID and several GIDs
– Currently only the primary role is used
– Support for normal proxies and VOMS proxies
– Administrative tools are available to update the DB mapping table:
  – To create VO groups in advance
  – To keep the same UID when a DN changes
  – To get the same UID for a DN and a Kerberos principal

LFC Access Control Lists
LFC supports POSIX ACLs based on virtual IDs
– Access Control Lists on files and directories
– Default Access Control Lists on directories: they are inherited by the sub-directories and files under the directory
Example
– lfc-mkdir /grid/dteam/jpb
– lfc-setacl -m d:u::7,d:g::7,d:o:5 /grid/dteam/jpb
– lfc-getacl /grid/dteam/jpb
  # file: /grid/dteam/jpb
  # owner: /C=CH/O=CERN/OU=GRID/CN=Jean-Philippe Baud 7183
  # group: dteam
  user::rwx
  group::r-x  #effective:r-x
  other::r-x
  default:user::rwx
  default:group::rwx
  default:other::r-x
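An added example, not the LFC's own code, modelling the two slides above in Python: DN-to-virtual-ID mapping created on first request, the lfc-setacl short ACL syntax, default-ACL inheritance by sub-directories and files, and the POSIX evaluation order (owner, named user, matching groups under the mask, other). The owner DN and the ACL are the ones on the slide; the Alice and Bob DNs and the "othervo" group are constructed.

```python
R, W, X = 4, 2, 1  # permission bits as in the lfc-setacl short syntax (7 = rwx, 5 = r-x)

def parse_acl(spec):
    """'d:u::7,g:12:5,m:5' -> {(scope, tag, who): perm}; a 'd:' prefix marks a default entry."""
    acl = {}
    for entry in spec.split(','):
        parts = entry.split(':')
        scope, parts = ('default', parts[1:]) if parts[0] == 'd' else ('access', parts)
        tag = {'u': 'user', 'g': 'group', 'o': 'other', 'm': 'mask'}[parts[0]]
        who = parts[1] if tag in ('user', 'group') else ''  # '' = owner / owning group
        acl[(scope, tag, who)] = int(parts[-1])
    return acl

def inherit(parent_acl, is_dir):
    """Parent defaults become the child's access entries; a sub-directory keeps them as defaults too."""
    child = {}
    for (scope, tag, who), perm in parent_acl.items():
        if scope == 'default':
            child[('access', tag, who)] = perm
            if is_dir:
                child[('default', tag, who)] = perm
    return child

def check(owner_uid, owner_gid, acl, uid, gids, want):
    """POSIX ACL order: owner, named user, owning/named groups (masked), then other."""
    mask = acl.get(('access', 'mask', ''), 7)
    if uid == owner_uid:
        return acl.get(('access', 'user', ''), 0) & want == want
    if ('access', 'user', str(uid)) in acl:
        return acl[('access', 'user', str(uid))] & mask & want == want
    group_perms = [acl.get(('access', 'group', ''), 0) for g in gids if g == owner_gid]
    group_perms += [acl[('access', 'group', str(g))] for g in gids if ('access', 'group', str(g)) in acl]
    if group_perms:  # some group matched: one of them must grant the request; 'other' is not consulted
        return any(p & mask & want == want for p in group_perms)
    return acl.get(('access', 'other', ''), 0) & want == want

UIDS, GIDS = {}, {}  # virtual ID tables: DN -> UID created on first request, VOMS group -> GID
def virtual_ids(dn, primary_group):
    return UIDS.setdefault(dn, len(UIDS) + 1), GIDS.setdefault(primary_group, len(GIDS) + 1)

def demo():
    """The slide's /grid/dteam/jpb after lfc-setacl, plus a sub-directory created beneath it."""
    jpb, dteam = virtual_ids('/C=CH/O=CERN/OU=GRID/CN=Jean-Philippe Baud 7183', 'dteam')
    alice, _ = virtual_ids('/DC=example/CN=Alice', 'dteam')      # constructed DN, same VO
    bob, othervo = virtual_ids('/DC=example/CN=Bob', 'othervo')  # constructed DN, other VO
    top = parse_acl('u::7,g::5,o:5,d:u::7,d:g::7,d:o:5')  # what lfc-getacl shows on the slide
    sub = inherit(top, is_dir=True)                      # inherits u::7,g::7,o:5
    return (check(jpb, dteam, top, alice, [dteam], W), check(jpb, dteam, sub, alice, [dteam], W),
            check(jpb, dteam, sub, bob, [othervo], R | X), check(jpb, dteam, sub, bob, [othervo], W))
```

demo() shows the effect of the default ACL: a dteam member cannot write in /grid/dteam/jpb itself (group r-x) but can in a sub-directory created under it (inherited group rwx), while a user from another VO only gets the "other" r-x.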

DPM
The LFC forms the Name Server component of the DPM
– Maps the path found in the SURL to locations within the DPM
[Diagram components: Grid client (SRM client, RFIO client, Gridftp client); DPM head node (SRM daemon, request daemon, DPM daemon, NS daemon, DPM database, NS database); data server (Disk Pool Manager, disk system, Gridftp server, RFIO daemon)]

Summary
gLite 3.0 and rights management
– Encryption of data with EDS
– ACLs based on user DN and VOMS attributes (if present) in Hydra, LFC and DPM
– gLite 3.0 does not explicitly provide file-level ACLs for arbitrary storage
  – One user community is currently using gLite I/O and the FiReMan file catalog to do so