A VO-Oriented AuthN/AuthZ Approach. Vincenzo Ciaschini. EGEE 2nd User Forum, Manchester, 9-11 May, 2007. Problem Statement: User AuthN/AuthZ management on the grid is rapidly changing and evolving. VOs define/use/modify groups and roles.


A VO-Oriented AuthN/AuthZ Approach

Vincenzo Ciaschini

EGEE 2nd User Forum

Manchester, 9-11 May, 2007

Problem Statement

User AuthN/AuthZ management on the grid is rapidly changing and evolving

  • VOs define/use/modify groups and roles.
  • VOs require different execution priorities for different users.
  • VOs require dedicated resources for specific users in delicate periods (see Data Challenges, etc.)
  • Funding agencies can force constraints affecting resource allocations.
  • sites may want to enforce site-specific policies.

2nd EGEE User Forum (9-11/5/07)

An AuthN/AuthZ infrastructure

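[Diagram: the request "Hi AA! Can you give me all my groups/roles membership?" goes to the AA, which returns groups/roles; the request "Hi PDP! Can you give me all policies concerning group/roles of the user?" goes to the PDP, which returns policies. Components shown: AA, PDP, WMS/CE/SE.]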

VOMS(AA) / G-PBox (PDP)

[Diagram: USER; VOMS and G-PBox at the VO; WMS with a G-PBox plugin; G-PBox instances at each SITE; CEs, each with a G-PBox LCAS plugin.]

Policy classification
  • Site policies (originated by sites)
    • Ban-list
  • VO policies (originated by VOs)
    • Intra-VO priorities

Site policies: Ban lists
  • Banning users:
    • The site admin writes a policy banning a user or a group.
    • The ban policy gets communicated back to the VO G-PBox.
    • Whenever a job is sent to WMS, policy evaluation happens and resources where the user is banned do not receive the job.

[Diagram labels: VO G-PBox, Job, WMS, Site G-PBox.]

VO policies: Intra-VO priorities (1/2)
  • Step 1:
    • Define a set of shares on CEs which implement the required priorities.
    • Publish into the IS the shares that are supported (without publishing details, i.e. policies, about how they are used).
    • This has already been solved and implemented!
  • Step 2:
    • Send a Job to a CE which implements the correct share.
    • Let the CE map the job on the correct share.

VO policies: Intra-VO priorities (2/2)
  • Mapping jobs to shares: a G-PBox solution.
    • The VO writes policies mapping VO groups into share names.
    • The sites write policies mapping share names into actual batch system shares.
    • The VO sends their mapping policies to the site. The two get combined.
    • Whenever a job is sent to a CE, evaluation happens and the job is mapped to the right account.
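The two evaluation points described in the "Site policies: Ban lists" and "Intra-VO priorities" slides, as an added example that is not part of the original presentation and is not G-PBox's policy language or API. It is a simplified Python model; the function names, site names, user DNs, the `Atlas_low` share and the "most specific group wins" rule are assumptions made for illustration.

```python
# Added example: a simplified model, not G-PBox's policy language or API.
from dataclasses import dataclass, field

@dataclass
class SitePolicy:
    name: str
    banned_users: set = field(default_factory=set)      # user DNs
    banned_groups: set = field(default_factory=set)     # VO groups
    share_to_batch: dict = field(default_factory=dict)  # share name -> batch share

def in_group(user_group, policy_group):
    """Match on whole path components so /atlas/students-x is not /atlas/students."""
    base = policy_group.rstrip("/")
    return user_group == base or user_group.startswith(base + "/")

def is_banned(site, user_dn, groups):
    return user_dn in site.banned_users or any(
        in_group(g, b) for g in groups for b in site.banned_groups)

def eligible_sites(sites, user_dn, groups):
    """WMS step: resources where the user is banned do not receive the job."""
    return [s.name for s in sites if not is_banned(s, user_dn, groups)]

def map_to_batch_share(vo_policy, site, groups):
    """CE step: VO group -> share name (VO policy) -> batch share (site policy).
    Returns None (reject) when either mapping is missing: deny by default."""
    for group in groups:
        matches = [g for g in vo_policy if in_group(group, g)]
        if matches:
            # Assumption: the most specific matching VO group wins.
            share_name = vo_policy[max(matches, key=len)]
            if share_name in site.share_to_batch:
                return site.share_to_batch[share_name]
    return None

# Constructed sample policies. Group, share and Atlas_mid names follow the slides;
# site names, the DNs and Atlas_low are made up for illustration.
VO_POLICY = {"/atlas/analysis": "analysis", "/atlas/students": "students"}
SITE_A = SitePolicy("site-a", share_to_batch={"analysis": "Atlas_mid", "students": "Atlas_low"})
SITE_B = SitePolicy("site-b", banned_users={"/C=IT/O=Example/CN=Banned User"},
                    banned_groups={"/atlas/students"},
                    share_to_batch={"analysis": "Atlas_mid"})
SITES = [SITE_A, SITE_B]

if __name__ == "__main__":
    user, groups = "/C=IT/O=Example/CN=Some User", ["/atlas/students/thesis"]
    for name in eligible_sites(SITES, user, groups):
        site = next(s for s in SITES if s.name == name)
        print(name, "->", map_to_batch_share(VO_POLICY, site, groups))
```

Because the VO policy only names shares and the site policy only names batch shares, either side can change its half without seeing the other's details; a group or share missing from either half yields no mapping rather than a fallback queue.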

[Diagram labels: VO G-PBox, Site G-PBox, CE, Job.]

G-PBox and CE

[Diagram labels: /atlas/analysis, "?", CE, Atlas_mid (twice), LSF queue.]

G-PBox and WMS

[Diagram labels: /atlas/analysis; VO G-PBox; "?"; ATLAS WMS layer with G-PBox plugin; ACBR: analysis; five ATLAS CEs labelled ACBR: analysis, students, analysis, students, analysis.]

Advantages
  • VO policies management
    • If VO admins want to change the relative priorities of different groups, all they need to do is change their policy in their VO; everything else is done by the system.
  • Site independence and privacy
    • Sites do not need to publish (e.g. BDII) the details of their internal setup.
    • Sites are free to change their site-specific policies according to local constraints and rules.

Screenshots

The Team
  • Vincenzo Ciaschini
  • Andrea Ferraro
  • Alberto Forti
  • Antonia Ghiselli
  • Alessandro Italiano
  • Davide Salomoni
