XACML and G-PBox update


Presentation Transcript


  1. XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini

  2. XACML Updates

  3. XACML extensions (1)
     • We need requests to refer to more than one resource
       • Otherwise the WMS would suffer unacceptable delays
       • But an XACML Request may refer to only one resource.
     • Solution:
       • Specify multiple resources in the <Resource> tag, using ‘#’ as the separator.
       • If an attribute should take different values for the different resources, separate those values with ‘#’ as well.
     • Advantages:
       • Normal syntax is still allowed. The PDP remains standard compliant.
     • Disadvantages:
       • Requires a bit of extra code in the PDP.

  4. XACML extensions (2)
     • Our policies are parameterized, with parameter values coming from external sources.
     • The PDP needs to be told which parameters are external.
     • Solution:
       • We mark the external parameters with the “it:infn:pbox:external:<parameter name>:<parameter source>” AttributeID.
       • Example: it:infn:pbox:external:grid-se-available:griditse01.cnaf.infn.it
     • Advantages:
       • The PDP knows exactly which parameters it must look up.
       • Fully standard policies are still supported.
       • The policies can be received by another PDP without causing errors: it simply would not find the needed parameter, so the policy would not apply.
     • Disadvantages:
       • Extra code in the PDP
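The two extensions on slides 3 and 4 are simple string conventions, so a PDP front end has to undo them before standard evaluation. The following is an added example (not G-PBox code) that expands a ‘#’-packed <Resource> into one attribute set per resource, treating a single value as applying to all resources and rejecting a value count that does not match the resource count, and that parses the external-parameter AttributeID into its name and source. The request XML, the `urn:example:*` attribute ids and the host names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:context"}
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SEP = "#"                                   # separator introduced on slide 3
EXTERNAL_PREFIX = "it:infn:pbox:external:"  # AttributeID prefix from slide 4

# Constructed request (not from the talk): two CEs packed into one <Resource>.
# 'queue' carries one value per resource; 'vo' has a single value for both.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue>ce01.example.org#ce02.example.org</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:queue">
      <AttributeValue>short#long</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:vo">
      <AttributeValue>atlas</AttributeValue>
    </Attribute>
  </Resource>
</Request>"""

def split_multi_resource(request_xml):
    """Expand a '#'-packed <Resource> into one {AttributeId: value} dict per resource."""
    root = ET.fromstring(request_xml)
    attrs = {a.get("AttributeId"): a.findtext("x:AttributeValue", namespaces=NS)
             for a in root.findall("x:Resource/x:Attribute", NS)}
    resources = attrs[RESOURCE_ID].split(SEP)
    per_resource = [{} for _ in resources]
    for attr_id, value in attrs.items():
        values = value.split(SEP)
        if len(values) == 1:                 # plain XACML value: applies to every resource
            values = values * len(resources)
        elif len(values) != len(resources):  # malformed: refuse rather than guess alignment
            raise ValueError(f"{attr_id}: {len(values)} values for {len(resources)} resources")
        for target, v in zip(per_resource, values):
            target[attr_id] = v
    return per_resource

def parse_external_attribute(attribute_id):
    """Return (name, source) for an external-parameter AttributeID, or None if it is not one."""
    if not attribute_id.startswith(EXTERNAL_PREFIX):
        return None
    name, sep, source = attribute_id[len(EXTERNAL_PREFIX):].partition(":")
    if not (sep and name and source):
        raise ValueError(f"malformed external parameter id: {attribute_id}")
    return name, source
```

A policy whose external attribute never resolves simply fails to apply, which matches the slide's point that a PDP without the lookup code still behaves safely.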

  5. G-PBox Updates

  6. G-PBox update
     • First version in the EGEE CVS (org.glite.gpbox.*)
     • An update will be committed soon.
     • RB-PEP and CE-PEP development has started.
     • VOMS Integration

  7. Admin Interface

  8. Admin Interface

  9. Admin Interface

  10. Admin Interface

  11. Admin Interface

  12. Admin Interface

  13. G-PBox VOMS Integration
     • A user can express policies using the admin interface.
     • The admin interface shows the VO name, groups and resources.
     • VO name and VO groups are retrieved from a VOMS server by G-PBox via GSI.
     • Only certified PBox servers can ask VOMS.

  14. RB Integration
     [Diagram: the WMS passes its list of resources to the PBox, where it is converted into XACML requests; the XACML responses are converted and filtered back into the list of resources after policy enforcement.]
     • All the responses must be converted into a “readable” format for the WMS
     • Policy enforcement is the merging of the WMS resource list with the set of PBox responses.

  15. CE Integration
     • Really primitive:
       • Just an LCAS/LCMAPS plugin to delegate the choice of the user mapping account to G-PBox.
       • Still, it has its uses! (no *mapfile whatsoever)
     • We plan on better integration with new CEs, and are in contact with CREAM developers to do this.

  16. Policies supported
     • Policy requests regarding multiple resources!
     • No updates, really:
       • ACLs
       • Static policies,
       • Priority policies.

  17. G-PBox Priority use case (1)
     VOMS and G-PBox (for Job submission Policies)
     [Diagram: VOMS server, RB and PBox, with CEHIGH and CELOW as the target CEs.]
     Policies:
     • Group A: high priority CEs
     • Group B: low priority CEs
     • Group C: deny everywhere

  18. G-PBox Priority Use Case (2)
     • Sources: ATLAS and CMS
     • This is ready and will be tested on a dedicated testbed starting next week.
     • Reasons for this implementation:
       • A CE is a QUEUE => The choice of the queue, and hence the priority, must be delegated to the RB.
       • A Priority element is already present in the Glue Schema => It must only be filled.

  19. Further development:
     • Integration with accounting and monitoring, as planned, to implement dynamic policies.
     • Software consolidation for the EGEE deadline (15/10/05)