Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

Published byBarnaby Lynch Modified over 8 years ago

Similar presentations

Presentation on theme: "Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007."— Presentation transcript:

1 Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007 Overview Charter & Stakeholders Architecture Deployment Performance Collaboration & Recent Focus

2 Mar 28, 20072/9 VO Services Project Gabriele Garzoglio Project Charter The project provides an infrastructure to manage user registration and implement fine-grained authorization to access rights on computing and storage resources. Authorization is linked to identities and extended attributes. Mapping is dynamic and supports pool accounts. Enforcement of access rights is implemented using UID/GID pairs. The infrastructure aims at reducing administrative overhead. Authorization service is central at the site. The project is responsible for the development and maintenance of the infrastructure and for assisting with the deployment and support on the OSG.

3 Mar 28, 20073/9 VO Services Project Gabriele Garzoglio Stakeholders Stakeholders giving requirements: US CMS and US ATLAS. Joint Project of Fermilab, BNL, PPDG, Virginia Tech, UCSD, OSG since 2003 Different institutions are responsible for the maintenance of different components Core software distributed via VDT

4 Mar 28, 20074/9 VO Services Project Gabriele Garzoglio synchronizes VO Services Architecture GUMS server maintains identity / attribute mapping for all the gateways at a site gPlazma server (not shown) enhances UID/GID mapping with service-specific parameters (e.g. root path for SE). SAZ checks black/white lists Periodically, GUMS synchronizes with VOMS users/groups User identity and attributes are maintained in VOMS through VOMRS Users interact with VOMS to get attribute-enhanced credentials Gateway software (CE and SE) performs –identity mapping call-out through the PRIMA module –access control call-out through the SAZ module

5 Mar 28, 20075/9 VO Services Project Gabriele Garzoglio Deployment The authorization system (GUMS) has been deployed at O(10) OSG sites –US CMS T2 centers and T1 at FNAL –US ATLAS T2 centers and T1 at BNL –FermiGrid (includes SAZ) et al. VOMRS deployed at –Fermilab: 14 VO with > 5,000 users –CERN: 9 VO with >2,500 users –BNL: 2 VO –Evaluations: 2 VO @ TTU & 2 VO @ U. of Melbourne

6 Mar 28, 20076/9 VO Services Project Gabriele Garzoglio GUMS & SAZ at FermiGrid Fixed GUMS memory leak Access denied to non-VOMS proxy. GUMS scales well to ~480,000 calls/day (20k calls / hours). Turn ON SE call-out (gPlazma). SE callout > 80% Total callout. 2007

7 Mar 28, 20077/9 VO Services Project Gabriele Garzoglio Collaboration with Globus and EGEE Current AuthZ call-out library (PRIMA) is based on SAML v1.1 + XACML extensions –Standardization was tough to achieve. Now working with Globus and EGEE to introduce a common/standard AuthZ call-out library for PRIMA/GUMS/SAZ (OSG) & LCAS/LCMAPS (EGEE). Globus AuthZ library is based on SAML2 / XACML2. Planned integration with Globus: Apr 2007. OSG and EGEE AuthZ services thereafter.

8 Mar 28, 20078/9 VO Services Project Gabriele Garzoglio Recent Focus Improve operations by improving –robustness: configuration management –usability: user interface –validation processes across components Helping LIGO with AuthN/Z requirement for the OSG Supporting site security for late-binding job using gLexec Working with SE groups to refine mapping policies

9 Mar 28, 20079/9 VO Services Project Gabriele Garzoglio Conclusions The privilege infrastructure provides user registration and role-based fine-grained authorization for access to grid-enabled resources. GUMS is deployed on the OSG by US CMS, US ATLAS, et al. VOMRS is deployed at FNAL, BNL, CERN for 25+ VOs We promote the adoption of standards for AuthZ Services

Download ppt "Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007."

Similar presentations

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
 Contributing >30% of throughput to ATLAS and CMS in Worldwide LHC Computing Grid  Reliant on production and advanced networking from ESNET, LHCNET and.

 Contributing >30% of throughput to ATLAS and CMS in Worldwide LHC Computing Grid  Reliant on production and advanced networking from ESNET, LHCNET and.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
Open Science Ruth Pordes Fermilab, July 17th 2006 What is OSG Where Networking fits Middleware Security Networking & OSG Outline.

Open Science Ruth Pordes Fermilab, July 17th 2006 What is OSG Where Networking fits Middleware Security Networking & OSG Outline.
2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Similar presentations

Ads by Google