Vo membership registration workflow policies and vomrs software vox project
This presentation is the property of its rightful owner.
Sponsored Links
1 / 21

VO Membership Registration Workflow, Policies and VOMRS software (VOX Project) PowerPoint PPT Presentation


  • 66 Views
  • Uploaded on
  • Presentation posted in: General

VO Membership Registration Workflow, Policies and VOMRS software (VOX Project). Tanya Levshina Fermilab. Presentation overview. Introduction Stakeholders, team and collaborators VOX components VO Membership Registration Service Identifying the workflow VO Concepts Roles

Download Presentation

VO Membership Registration Workflow, Policies and VOMRS software (VOX Project)

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Vo membership registration workflow policies and vomrs software vox project

VO Membership RegistrationWorkflow, Policies and VOMRS software(VOX Project)

Tanya Levshina

Fermilab


Presentation overview

Presentation overview

  • Introduction

  • Stakeholders, team and collaborators

  • VOX components

  • VO Membership Registration Service

  • Identifying the workflow

  • VO Concepts

  • Roles

  • VOMRS Architecture

  • Association with EDG VOMS

  • WEBUI Screenshots

  • What’s next?

  • Summary

User Registration/VO management/AuthZ workshop at CERN


Introduction

Introduction

US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab,

the VOX Project (VO Management Service eXtension), to

investigate and implement the requirements, both policy-related

and technical, for admitting collaborators into a VO, and facilitating

and monitoring their authorization to access the available grid

resources.

This effort has resulted in a study and understanding of the

necessary workflow, and the creation of a prototype

VO Membership Registration Service (VOMRS), which is a

principal component of the VOX project.

User Registration/VO management/AuthZ workshop at CERN


Stakeholders team and collaborators

Stakeholders, Team and Collaborators

  • Stakeholders:

    • US CMS (L. Bauerdick)

    • Fermilab Computing Facility (D. Skow)

    • iVDGL (R. Gardner)

    • SDSS (J. Annis)

  • Team:

    • T. Levshina – Fermilab

    • L. Grundhoefer – iVDGL

    • A. Heavey (technical writer) – Fermilab

    • V. Sekhri – SDSS/iVDGL, Fermilab

    • J. Weigand – Fermilab

    • Y. Wu – Fermilbab

  • Collaborators

    • BNL(R. Baker, D. Yu) – VOMRS architecture, registration process, common interfaces

    • EDG/Data Tag (V. Ciaschini, A. Frohner) – VOMS core and admin software

    • VDT (U of Wisconsin), Virginia Tech (Markus Lorch) - ongoing communication and agreements with Globus on gatekeeper and authorization callouts

User Registration/VO management/AuthZ workshop at CERN


Vox project

VOX Project

Local Center

Registration

Service

VOX Goals:

  • to understand and model the registration workflow

  • to provide VO registration mechanism

  • to negotiate and monitor member authorization to grid resources

  • End Goal:To facilitate the remote participation of physicists in effective and timely analysis of data from the LHC experiments during DC04.

VOMRS

VOMS

EDG

Fermilab

GridCluster

LRAS

Gatekeeper &

callouts

SAZ

User Registration/VO management/AuthZ workshop at CERN


Vox components

VOX Components

  • VOMRS (VO Membership Registration Service) provides a registration service that

    • allows a single point of registration with a VO

    • facilitates, negotiates and monitors the process of a member’s authorization to grid resources

    • provides centralized storage of membership information and a means to query said information

  • LRAS (Local Resource Authorization Service) automates and facilitates the process of managing fine grain access to a local grid element

    • stores a subset of VO membership information and maps a VO member to a local account

  • Gatekeeper authorization callouts (in agreement with standard adopted by Globus, EDG, FNAL, and Virginia Tech).

  • SAZ (Site Authorization Service) allows security authorities of the local site to control access to the site’s resources

  • VOMS EDG Admin service provides centralized storage of member dn,ca, groups and roles, means to handle this data. VOMS EDG Core service gives out extended proxy upon member’s request.

User Registration/VO management/AuthZ workshop at CERN


Vomrs identifying the workflow

VOMRS: Identifying the workflow

  • Understand that VO registration is a multi-level process (institution, grid site, country, VO).

  • Identify necessary elements of the registration procedure and develop a model workflow.

  • Identify administrative roles and responsibilities.

  • Identify various implications of our model on sites and site policies.

  • Realize that the implementing technology must be flexible to accommodate the different levels of policies and requirements and to anticipate ongoing changes.

User Registration/VO management/AuthZ workshop at CERN


Vo concepts i

VO Concepts (I)

  • Grid, VO, Certificate (DN,CA,..), Grid resource, Grid job …

  • Experiment:

    represents research activities that are specific to a particular VO.

  • Group:

    an experiment contains groups. Group may have sub-groups.

  • Institution:

    is an organization whose members participate in experiments within a

    particular VO.

  • Grid site:

    is an institution that provides grid resources. Each site has policies

    that require specific personal information.

  • Grid job submission rights:

    distinguishes between members who can submit grid jobs and those

    who can only perform administrative tasks.

User Registration/VO management/AuthZ workshop at CERN


Vo concepts ii

VO Concepts (II)

  • Personal information:

    private and public data about an individual that is collected by

    the VO.

  • Notification Event:

    an action taken by the registration software that notifies

    interested members of a change within the VO and describes

    any required responses if any.

  • Role:

    defines actions that a VO Member can perform within the VO.A

    VO member can have one or more roles.

User Registration/VO management/AuthZ workshop at CERN


Roles i

Roles (I)

  • Applicant:

    • An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.

  • Member:

    • An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment wide group.

  • VO administrator:

    • A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.

User Registration/VO management/AuthZ workshop at CERN


Roles ii

Roles (II)

  • Institutional VO representative:

    • Vouches for the identity of an applicant.

    • Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.

  • Grid site administrator:

    • Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site

    • Administers authorization of VO member to the site. The details are site specific and depends on regulations and policies of each particular site.

  • Local resource provider:

    • Administers authorization of a member to use the grid resource (this could include addition of this member to the gridmapfile, mapping member to local account, etc)

User Registration/VO management/AuthZ workshop at CERN


Roles iii

Roles (III)

  • Group owner:

    • Creates groups and subgroups within the experiment.

    • Assigns/revokes group manager/owner role to a member of the VO.

    • A Group owner is a Group manager as well.

    • A Group owner owns the group if he owns any of ancestor group.

  • Group managers:

    • Assigns/removes members to/from the group he manages

User Registration/VO management/AuthZ workshop at CERN


Registration flow

Registration Flow

Institution

notify

approve

Member

VO Central Node

EDG VOMS

Proxy Server

Representative

register

query

Applicant

synchronize

notify

approve

notify

approve

VOMRS

notify

approve

Grid Site

Grid Site

notify

approve

Site Admin

Site Admin

LRPS

LRPS

User Registration/VO management/AuthZ workshop at CERN


Vomrs architecture

VOMRS Architecture

Member

Server

CLI

GSI

Event

Manager

Client

IF

Synchronizer

EDG VOMS

ADMIN API

Registrar

EDG Trust

Manager

WEB

CLIENT

VOMRS

DB

EDG VOMS

DB

Web

Services

/Servlets

User Registration/VO management/AuthZ workshop at CERN


Association with edg voms

Association with EDG VOMS

  • EDG VOMS is used currently as a significant part of VOX project:

    • Extended Proxy generation

    • Gridmapfile generation for local grid resource

    • Query to get members, groups, roles by authorization services on local grid clusters

  • VOMS & VOMRS have some overlap in functionalities and stored data, but

    • VOMRS is a registration service that is accessed infrequently by people (not hosts)

    • VOMS is a service that provides member with  extended proxy and should sustain heavy load. It allows access by registered hosts.

    • VOMRS keeps a lot of information about members and VO entities (institutions, sites, etc). Member information is persistent.

    • VOMS keeps minimum information related to member (dn,ca, group, role). Member has to be deleted in order to deny him access to the Grid.

  • VOMRS Synchronizer is responsible for updating VOMS database

User Registration/VO management/AuthZ workshop at CERN


Vomrs webui registration of a new user

VOMRS WEBUI (Registration of a new user)

User Registration/VO management/AuthZ workshop at CERN


Vomrs webui registration

VOMRS WEBUI(registration)

User Registration/VO management/AuthZ workshop at CERN


Vomrs webui member search

VOMRS WEBUI(member search)

User Registration/VO management/AuthZ workshop at CERN


Vomrs webui subscribe to event

VOMRS WEBUI (subscribe to event)

Date: Fri, 05 Dec 2003 13:43:20 -0600

From: [email protected]

Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS

To: [email protected]

Dear Administrator,

We have received a request from a person with Distinguished Name

/DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073

issued by Certificate Authority

/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1

to join VO USCMS.You may approve or deny user access.

VO Administrator

User Registration/VO management/AuthZ workshop at CERN


What s next

What’s Next?

  • Now that we have a model, we need to work with others to get input to take it to next step and to create a workflow that everyone can use

  • Standardize the terminology, especially for administrative roles and responsibilities

  • Improvement of VOMRS

    • Database (move to Oracle)

    • Documentation

    • Packaging

  • VOMS/VOMRS

    • Need to define stable interfaces between VOMRS & VOMS

    • Solve issues with VOMS installation/upgrade (takes too much time and effort – very possibly due to lack understanding on our part)

User Registration/VO management/AuthZ workshop at CERN


Summary

Summary

We greatly appreciate discussions, support and software

contributions provided by our collaborators.

We all have spent substantial time and effort understanding the

issues involved, modeling the workflow and developing a system

to implement it. There are a lot of issues that remain.

We believe that all will benefit from collaboration on this

project.

  • More info:

    http://www.uscms.org/s&c/VO

  • E-mail:

    [email protected]

User Registration/VO management/AuthZ workshop at CERN


  • Login