Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Data management in LCG and EGEE David Smith.

Published byLynne Greer Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Data management in LCG and EGEE David Smith."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Data management in LCG and EGEE David Smith CERN & EGEE-JRA1/SA3 Data Management Team David.Smith@cern.ch EGEE Workshop on Management of Rights in Production Grids

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 2 Overview Scope of this talk is gLite 3.0 data management components in the context of rights management –gLite 3.0 is a combination software from LCG-2.7, gLite 1.5 and other projects –One user community in particular is also using some other components from gLite 1.5  Will mention gLite I/O and fireman (file catalog) in connection with BIOMED VO Components in gLite 3.0 relating to rights management: –Encrypted Data Storage (EDS) tools and keystore service  Provides encryption and decryption of data  Keystore stores the EDS cipher keys –Components providing access control list support:  EDS keystore  The LCG file catalog (LFC)  The disc pool manager (DPM)

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 3 EDS and the keystore EDS handles encryption/decryption of data –Employs symmetric ciphers via openssl –Uses a keystore database via a service called Hydra –EDS available as an API. Also as a CLI tool that also manages I/O access via the gLite 1.5 component gLite I/O  Will soon provide CLIs for keystore manipulation and encryption/decryption of files without gLite I/O layer  In the future will make tools available that have I/O access via GFAL integrated Hydra - The EDS keystore –Is a metadata catalog service –Is used to store  key, key length, openssl cipher name and cipher IV as necessary –Has ACLs on entries to allow fine grained access control  Has 3 sets of Perms (8 bits) for user, group, others  plus ACLs: Perms on a principal (user DN or VOMS group)

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 4 EDS Tools in use Medical community is the main EDS user –Have strict privacy requirements –Currently using EDS with glite I/O and fireman  gLite I/O and fireman provide a “wrapping” of the storage element (SE) to allow fine grained file access independent of the SE’s functionality  Community has their own storage element (SE) called DICOM-SE –Files stored on a DICOM-SE are stored in the clear –Encrypted before leaving DICOM-SE, so  DICOM-SE registers key in Hydra  Data are stored on normal SEs on the grid encrypted  Decrypted in memory of final application by EDS routines

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 5 Example: EDS in use Accessing encrypted data on a standard SE –Note in this example: –authorization decision enforcement at the gLite I/O server  Ensures fine grained access control to files –Encryption also works for output data SE SRM gridftp I/O gLite I/O Hydra KeyStore FiReMan (file ACL) keysfile ACL file

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 6 The LHC File Catalog LFC uses ACLs to allow restriction of access to the file catalog –Catalog associates a logical filename (LFN) and unique identifier (GUID) to a file entry –File entry holds information on zero or more physical replicas –LFNs reside in hierarchical namespace –Symbolic links may point LFNs –A fixed number of system metadata entries per file –A small amount (one field) of user attached metadata per file

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 7 Relationships in the Catalog GUID Xxxxxx-xxxx-xxx-xxx- System Metadata “size” => 10234 “cksum_type” => “MD5” “cksum” => “yy-yy-yy” Symlink /grid/dteam/mydir/mylink Replica srm://host.example.com/foo/bar host.example.com Replica srm://host.example.com/foo/bar host.example.com Replica srm://host.example.com/foo/bar host.example.com Replica srm://host.example.com/foo/bar host.example.com Symlink /grid/dteam/mydir/mylink Symlink /grid/dteam/mydir/mylink LFN /grid/dteam/dir1/dir2/file1.root

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 8 Authorization in the LFC DNs are mapped to an internal ID: usually called a virtual ID Virtual UID is created on the fly the first time the system receives a request for this DN A given user may have one DN and several roles, so a given user may be mapped to one UID and several GIDs Currently only the primary role is used Support for normal proxies and VOMS proxies Administrative tools available to update the DB mapping table: –To create VO groups in advance –To keep same UID when DN changes –To get same UID for a DN and a Kerberos principal

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 9 LFC Access Control Lists LFC support Posix ACLs based on virtual ids –Access Control Lists on files and directories –Default Access Control Lists on directories: they are inherited by the sub-directories and files under the directory Example –lfc-mkdir /grid/dteam/jpb –lfc-setacl -m d:u::7,d:g::7,d:o:5 /grid/dteam/jpb –lfc-getacl /grid/dteam/jpb # file: /grid/dteam/jpb # owner: /C=CH/O=CERN/OU=GRID/CN=Jean-Philippe Baud 7183 # group: dteam user::rwx group::r-x #effective:r-x other::r-x default:user::rwx default:group::rwx default:other::r-x

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 10 DPM The LFC forms the Name Server component of the DPM –Maps the path found in the SURL to locations within the DPM Grid ClientData ServerSRM ServerName ServerDisk Pool ManagerDisk SystemGridftp ClientRFIO ClientSRM ClientNS Database DPM Database DPM DaemonNS DaemonRFIO Daemon Gridftp Server RFIO Client Request Daemon SRM Daemon

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 EGEE Workshop on Management of Rights in Production Grids 11 Summary gLite 3.0 and rights management –Encryption of data with EDS –ACLs based on user DN and VOMS attributes (if present) in Hydra, LFC and DPM –gLite 3.0 does not explicitly provide file level ACLs for arbitrary storage  One user community is currently using gLite I/O and the fireman file catalog to do so

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Data management in LCG and EGEE David Smith."

Similar presentations

Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.

Data Management Expert Panel. RLS Globus-EDG Replica Location Service u Joint Design in the form of the Giggle architecture u Reference Implementation.
DPM Name Server (DPNS) Namespace Authorization Location of physical files DPM Server Requests queuing and processing Space Management SRM Servers v1.1,

DPM Name Server (DPNS) Namespace Authorization Location of physical files DPM Server Requests queuing and processing Space Management SRM Servers v1.1,
Workflows over Grid-based Web services General framework and a practical case in structural biology gLite 3.0 Data Management Hands-on David García Aristegui.

Workflows over Grid-based Web services General framework and a practical case in structural biology gLite 3.0 Data Management Hands-on David García Aristegui.
Workflows over Grid-based Web services General framework and a practical case in structural biology gLite 3.0 Data Management David García Aristegui Grid.

Workflows over Grid-based Web services General framework and a practical case in structural biology gLite 3.0 Data Management David García Aristegui Grid.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Grid Data Management Assaf Gottlieb - Israeli Grid NA3 Team EGEE is a project funded by the European Union under contract IST-2003-508833 EGEE tutorial,

Grid Data Management Assaf Gottlieb - Israeli Grid NA3 Team EGEE is a project funded by the European Union under contract IST EGEE tutorial,
Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
The LCG File Catalog (LFC) Jean-Philippe Baud – Sophie Lemaitre IT-GD, CERN May 2005.

The LCG File Catalog (LFC) Jean-Philippe Baud – Sophie Lemaitre IT-GD, CERN May 2005.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org gLite Data Management System Yaodong Cheng CC-IHEP, Chinese Academy.

EGEE-II INFSO-RI Enabling Grids for E-sciencE gLite Data Management System Yaodong Cheng CC-IHEP, Chinese Academy.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org gLite Data Management Services - Overview Mike Mineter National e-Science Centre, Edinburgh.

INFSO-RI Enabling Grids for E-sciencE gLite Data Management Services - Overview Mike Mineter National e-Science Centre, Edinburgh.
LFC tutorial Jean-Philippe Baud, IT-GT, CERN July 2010.

LFC tutorial Jean-Philippe Baud, IT-GT, CERN July 2010.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Data Grid Services/SRB/SRM & Practical Hai-Ning Wu Academia Sinica Grid Computing.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Data Grid Services/SRB/SRM & Practical Hai-Ning Wu Academia Sinica Grid Computing.
EGEE-III INFSO-RI- 222667 Enabling Grids for E-sciencE www.eu-egee.org The Medical Data Manager : the components Johan Montagnat, Romain Texier, Tristan.

EGEE-III INFSO-RI Enabling Grids for E-sciencE The Medical Data Manager : the components Johan Montagnat, Romain Texier, Tristan.
The LCG File Catalog (LFC) Jean-Philippe Baud – Sophie Lemaitre IT-GD, CERN May 2005.

The LCG File Catalog (LFC) Jean-Philippe Baud – Sophie Lemaitre IT-GD, CERN May 2005.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE middleware Data Management in gLite.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE middleware Data Management in gLite.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE Nov. 18, 2008 www.eu-egee.org EGEE and gLite are registered trademarks gLite Middleware Usage Dusan.

EGEE-III INFSO-RI Enabling Grids for E-sciencE Nov. 18, EGEE and gLite are registered trademarks gLite Middleware Usage Dusan.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks JRA1 summary Claudio Grandi EGEE-II JRA1.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks JRA1 summary Claudio Grandi EGEE-II JRA1.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE middleware: gLite Data Management EGEE Tutorial 23rd APAN Meeting, Manila Jan.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE middleware: gLite Data Management EGEE Tutorial 23rd APAN Meeting, Manila Jan.
Enabling Grids for E-sciencE Introduction Data Management Jan Just Keijser Nikhef Grid Tutorial, 13-14 November 2008.

Enabling Grids for E-sciencE Introduction Data Management Jan Just Keijser Nikhef Grid Tutorial, November 2008.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org gLite Data Management and Interoperability Peter Kunszt (JRA1 DM Cluster) 2 nd EGEE Conference,

INFSO-RI Enabling Grids for E-sciencE gLite Data Management and Interoperability Peter Kunszt (JRA1 DM Cluster) 2 nd EGEE Conference,

Similar presentations

Ads by Google