Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 gPLAZMA:

Published byVincent Bennett Modified over 8 years ago

Similar presentations

Presentation on theme: "Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 gPLAZMA:"— Presentation transcript:

1 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 gPLAZMA: grid-aware Pluggable AuthoriZation Management (Introducing Role-based Access Control in dCache) Abhishek Singh Rana UC San Diego rana@fnal.gov Frank Würthwein UC San Diego fkw@fnal.gov The XVth International Conference on Computing in High Energy and Nuclear Physics (CHEP’06) February 15, 2006 TIFR, Mumbai

2 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 2 RANA, Abhishek Singh (University of California, San Diego, CA, USA) WÜRTHWEIN, Frank (University of California, San Diego, CA, USA) PERELMUTOV, Timur (Fermi National Accelerator Laboratory, Batavia, IL,USA) KENNEDY, Robert (Fermi National Accelerator Laboratory, Batavia, IL, USA) BAKKEN, Jon (Fermi National Accelerator Laboratory, Batavia, IL, USA) SKOW, Dane (Fermi National Accelerator Laboratory, Batavia, IL, USA) FISK, Ian (Fermi National Accelerator Laboratory, Batavia, IL, USA) FUHRMANN, Patrick (DESY, Hamburg, Germany) ERNST, Michael (DESY, Hamburg, Germany) Authors

3 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 3 Outline OSG AuthZ approach gPlazma architecture gPlazma implementation Example of end-to-end AuthZ for CEs and SEs Status Future Work

4 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 4 OSG AuthZ Approach VO-Global specification of privilege attributes per Role. Site central mapping of Role to site’s implementation of privilege attributes. Local enforcement of privilege attributes. Use of VOMS extended X.509 Attribute Certificate specification for defining extra attributes (FQANs or Fully Qualified Attribute Names). Based on RFC-3281. FQANs contain Role and VO membership information for a User.

5 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 5 OSG AuthZ Approach VO defines Roles and associated privileges by specifying expected functionality. –E.g. cmssoft may install software in area that is read-only by all cmsuser jobs running on site/campus. –E.g. cmsphedex may have special access to SRM/dCache system. Site maps VO scope identities to local scope identities. –Site wide management of mapping. –Service level granularity of mapping. Site enforces VO privilege policies within local scope identities. Authorization = (VO-allowed) && !(Site-vetoed)

6 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 6 VO Attribute Repository Service X Service Y Service X Service Z Service X Veto Service Y Veto Service Z Veto Site-wide Assertion Service Host 1 Host 2 Site Authorization Service for Service X, Y, Z Site-wide Mapping Service Auxiliary Authorization Service for Service Z Auxiliary Mapping Service Callout Module for X, Y Callout Module for Z Local or Remote Client Proxy with VO Membership | Role Attributes

7 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 7 VO Attribute Repository Service X Service Y Service X Service Z Service X Veto Service Y Veto Service Z Veto Site-wide Assertion Service Host 1 Host 2 Site Authorization Service for Service X, Y, Z Site-wide Mapping Service Auxiliary Authorization Service for Service Z Auxiliary Mapping Service Callout Module for X, Y Callout Module for Z Local or Remote Client Proxy with VO Membership | Role Attributes PDP PEP PDP PEP Policy Enforcement PointPolicy Decision Point PDP

8 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 8 GridFTP Callout Future Additions Site Assertion Future Additions VO Identity Mapping Client Priorities Bias: ACCESS Priority: 2 Apply: Authorization Response: AuthZ Record SRM Door VO Role Mapping AuthZ (gPLAZMA native) GridFTP Door … GUMS-based VO Role Mapping AuthZ Legacy Grid AuthN (gridmapfile) Legacy Storage AuthZ (dcache.kpwd) Switches Authorization Services Plugins VO Identity Mapping Service Storage Metadata AuthZ SRM Callout Storage Provider’s Policies https/SOAP SAML gPLAZMA Architecture Bias: DENIAL Priority: 1 Apply: Assertion Response: Allow OR Deny

9 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 9 SRM-dCache SRM Server voms-proxy-init Proxy with VO Membership | Role attributes gPLAZMA PRIMA SAML Client Storage Authorization Service Storage metadata GridFTP Server DATA https/SOAP SAML response SAML query Get storage authz for this username User Authorization Record If authorized, get username SRM Callout srmcp GridFTP Callout gPLAZMALite Authorization Service gPLAZMALite grid-mapfile dcache.kpwd GUMS Identity Mapping Service GriPhyN All Hands Meeting Argonne National Laboratory, April 29 2005 Abhishek Singh Rana, UCSDwww.opensciencegrid.org The Open Science Grid Consortium gPLAZMA Implementation

10 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 10 SRM-dCache SRM Server voms-proxy-init Proxy with VO Membership | Role attributes gPLAZMA PRIMA SAML Client Storage Authorization Service Storage metadata GridFTP Server DATA https/SOAP SAML response SAML query Get storage authz for this username User Authorization Record If authorized, get username SRM Callout srmcp GridFTP Callout gPLAZMALite Authorization Service gPLAZMALite grid-mapfile dcache.kpwd GUMS Identity Mapping Service GriPhyN All Hands Meeting Argonne National Laboratory, April 29 2005 Abhishek Singh Rana, UCSDwww.opensciencegrid.org The Open Science Grid Consortium gPLAZMA Implementation 1 2 34 4a 4b 4c 4d 5 7 6 8 9 10 11 12 13

11 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 11 Example of end-to-end AuthZ for CEs and SEs

12 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 12 SE: SRM-dCache Different doors for different authz methods. Same underlying local authz mechanism. Can be mapped to site’s UID/GID domain. Or be restricted to SRM-dCache only. Examples: –USCMS-VO at FNAL: Site UID domain. –CDF-VO at FNAL: Site Kerberos domain.

13 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 13 SE: SRM-dCache gPLAZMA extends SRM-dCache separation of SE authz and CE authz to OSG approach. 1.gPLAZMA authenticates. 2.gPLAZMA uses PRIMA Java SAML libraries to form a SAML query and contacts Storage Authz Service. 3.Storage Authz Service contacts GUMS and Storage Metadata Service. 4.GUMS translates {DN, Membership, Role} to Username. 5.Storage Metadata Service translates Username to Storage-privilege Set. 6.Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}. 7.Storage-privilege Set is User-level ACL governed by {DN, Membership, Role}. 8.Storage Authz Service forms a User Authorization Record into a SAML response and sends it back to gPLAZMA at SE.

14 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 14 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata Storage Authorization Service

15 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 15 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata Storage Authorization Service

16 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 16 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout Storage Authorization Service

17 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 17 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout PEP Storage Authorization Service

18 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 18 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout Storage Authorization Service

19 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 19 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMALite Authorization Services suite Storage Authorization Service

20 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 20 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMALite Authorization Services suite PEP Storage Authorization Service

21 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 21 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout OGSA AuthZ interface gPLAZMALite Authorization Services suite Storage Authorization Service

22 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 22 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMA grid-aware Pluggable Authorization Management System GUMS Grid User Management System SAZ Site Authorization Service VOMS Virtual Organization Membership Service gPLAZMALite Authorization Services suite Storage Authorization Service PRIMA A System for Privilege Management and Authorization in Grids

23 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 23 GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMA Abhishek Singh Rana, UCSD Timur Perelmutov, FNAL GUMS Gabriele Carcassi, BNL SAZ Vijay Sekhri, FNAL John Weigand, FNAL SRM-dCache DESY/FNAL teams VOMS INFN teams, Italy gPLAZMALite Authorization Services suite Storage Authorization Service PRIMA Markus Lorch, VT

24 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 24 Status gPLAZMA native role-based authz mode deployed at USCMS tier-2 production site at UCSD. Work in progress for deployment at tier-1 at FNAL. GUMS role-based authz mode in final stages of development/packaging. Deployment and usage of all modes on USCMS production dCache sites expected before Service Challenge 4.

25 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 25 Known Limitations Not (yet) implemented for dcap. Scalability of site central call-out not yet understood.(gPLAZMA native a viable fallback) vi/emacs is only administrative interface. Options for communicating desired policies from VO to site are less than satisfactory. (general problem of role based authz!)

26 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 26 Future Work Add MySQL based backend to replace storage authz records configuration file. Complete gPLAZMA for dcap. Understand scalability of site-wide call-out. Add XACML based authorization engine to dynamically assign storage authz mappings at Site. Explore XACML/SAML rule-based policy declaration (VO-level) and policy computation (Site-level).

27 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 27 Thank You.

Download ppt "Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 gPLAZMA:"

Similar presentations

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Similar presentations

Ads by Google