PowerPoint Slideshow about 'VO Privilege Activity' - flavio


VO Privilege Activity
  • The VO Privilege Project develops and implements fine-grained authorization to grid-enabled resources and services
  • Started Spring 2004
  • Sponsored by US CMS (Fermilab) and US ATLAS (BNL)
  • People: Fermilab, BNL, PPDG
  • Technologies: VOMS, VOMRS, Gridmap and SRM/DCache callout interface, GUMS, gPLAZMA, and SAZ
VO Privilege Activity: Motivations
  • Improve user account assignment at grid sites
    • Make user-to-account mapping flexible and dynamic, using remote Grid Identity Mapping Services
    • Base user-to-account mapping on both user role and least privilege access
  • Reduce account management administrative overhead
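
A sketch of role-based, least-privilege account mapping as the bullets above describe it. This is an added example, not code or configuration from GUMS or the VO Privilege Project; the policy format, the `Mapper` class, the account names and the rule that only the first (primary) FQAN in the proxy is honoured are assumptions of the example.

```python
import re

# Hypothetical site policy (not GUMS configuration syntax): ordered rules,
# first match wins. "group" rules share one account; "pool" rules lease one
# account per DN. Anything that matches no rule is denied.
POLICY = [
    {"fqan": r"^/cms/Role=production$", "kind": "group", "account": "cmsprod"},
    {"fqan": r"^/cms(/[\w.-]+)*$", "kind": "pool", "prefix": "cms", "size": 3},
    {"fqan": r"^/atlas(/[\w.-]+)*$", "kind": "pool", "prefix": "atlas", "size": 3},
]

class Mapper:
    def __init__(self, policy):
        self.policy = policy
        self.leases = {}  # (pool prefix, DN) -> leased local account

    def map_user(self, dn, fqans):
        """Return the local account for this DN, or None to deny.

        Least privilege: only the primary (first) FQAN is considered, so a
        role the user holds but did not request never selects a privileged
        account.
        """
        if not fqans:
            return None
        primary = fqans[0]
        for rule in self.policy:
            if not re.match(rule["fqan"], primary):
                continue
            if rule["kind"] == "group":
                return rule["account"]
            return self._lease(rule, dn)
        return None  # default deny, including unknown roles

    def _lease(self, rule, dn):
        key = (rule["prefix"], dn)
        if key not in self.leases:
            used = {a for (p, _), a in self.leases.items() if p == rule["prefix"]}
            names = [f"{rule['prefix']}{i:03d}" for i in range(1, rule["size"] + 1)]
            free = [n for n in names if n not in used]
            if not free:
                return None  # pool exhausted: deny rather than share an account
            self.leases[key] = free[0]
        return self.leases[key]
```
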
VO Privilege Activity: Architecture

[Architecture diagram. Labels recovered: Local or Remote Client; Proxy with VO Membership | Role Attributes; VOMS; Site; CE: Globus Gatekeeper PRIMA callout, PRIMA C SAML libraries; Site-wide Mapping Service: GUMS, PRIMA Authorization Service; Auxiliary Mapping Service: gPLAZMA, Storage metadata; SE: SRM-GridFTP gPLAZMA callout, gPLAZMA, PRIMA Java SAML; Site-wide Assertion Service: SAZ; gPLAZMALite Authorization Services suite.]

The Resource Selection Activity
  • The Resource Selector is a component of the OSG Job Management Infrastructure.
  • The project started in Sep 2005 with a planned duration of 9 months
  • Sponsored by PPDG as a DZero contribution to the Common Project
  • People: Fermilab, OSG TG-MIG group, PPDG
The Resource Selection Activity: Motivations
  • A Resource Selector allows…
    • …expressing requirements on the resources in the job description
      • without a Resource Selector, the user is responsible for selecting the resource for the job
    • …the user to refer to abstract characteristics of the resources in the job description
      • without a Resource Selector, the user must use concrete resource attribute values in the job description (e.g. to initialize the job environment)
The Resource Selection Activity: Deliverables
  • The Resource Selection Activity has two major goals
    • Enable OSG resource usage by DZero. Jobs will be prepared and data will be handled by the SAM-Grid.
    • Develop and deploy a Resource Selection Service that VOs with requirements on job management similar to DZero can use.
The Resource Selection Activity: Architecture

[Architecture diagram. Labels recovered: job; "What Gate?"; Info Gatherer; Condor Match Maker; Condor Scheduler; classads; Gate1, Gate2, Gate3, each with CEMon, a CE, job-managers and a CLUSTER; "jobs" and "info" arrows.]


OSG Auditing Activity
  • The activity develops a system to record a suitable audit trail for grid services
    • Audit trail is a set of log entries to determine who did what, when, where and how
    • Audit trail is critical for both debugging and security investigations
  • Started Winter 05
OSG Auditing: Goals
  • Provide tools for the site to gather audit events, process them and correlate them, in order to facilitate post-mortem investigations and detection of malicious use
    • Because of security concerns, a site auditing service could allow queries that do not expose much data (e.g. a yes/no question such as: did this DN submit more than 10 jobs in the past 24 hours?). The feasibility/utility of cross-site auditing is under investigation.
  • Determining what has happened in a Grid environment
    • Chain of events to follow: user contacts a resource broker, which submits to a gatekeeper, which starts a batch job, which executes on a node, which starts a file transfer, …
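
The two goals above, as an added example that is not code from the OSG auditing project: a yes/no query that returns only a boolean, and a site-local trace that follows one chain of events. The event fields (`id`, `parent`, `service`, `action`, `dn`, `time`) and all sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events (not real logs). "parent" links an event to the
# event that caused it; this field is an assumption of the example.
T0 = datetime(2006, 1, 10, 12, 0, 0)
ALICE = "/DC=org/DC=example/OU=People/CN=Alice Example"
BOB = "/DC=org/DC=example/OU=People/CN=Bob Example"
EVENTS = [
    {"id": f"gk-{i}", "parent": None, "service": "gatekeeper",
     "action": "job_submit", "dn": ALICE, "time": T0 - timedelta(hours=i)}
    for i in range(12)
] + [
    {"id": "gk-bob", "parent": None, "service": "gatekeeper",
     "action": "job_submit", "dn": BOB, "time": T0 - timedelta(minutes=60)},
    {"id": "batch-1", "parent": "gk-bob", "service": "batch",
     "action": "job_start", "dn": BOB, "time": T0 - timedelta(minutes=55)},
    {"id": "node-1", "parent": "batch-1", "service": "worker-node",
     "action": "exec", "dn": BOB, "time": T0 - timedelta(minutes=54)},
    {"id": "ftp-1", "parent": "node-1", "service": "gridftp",
     "action": "transfer", "dn": BOB, "time": T0 - timedelta(minutes=50)},
]

def submitted_more_than(events, dn, threshold, now, window=timedelta(hours=24)):
    """Yes/no query: returns only a bool, never the matching records."""
    count = sum(1 for e in events
                if e["dn"] == dn and e["action"] == "job_submit"
                and now - window <= e["time"] <= now)
    return count > threshold

def trace_chain(events, root_id):
    """Follow parent links downstream from one event, in time order."""
    by_id = {e["id"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["parent"], []).append(e)
    chain, frontier = [], [root_id]
    while frontier:
        eid = frontier.pop(0)
        chain.append(by_id[eid]["service"])
        next_events = sorted(children.get(eid, []), key=lambda c: c["time"])
        frontier.extend(c["id"] for c in next_events)
    return chain
```
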
Auditing at a site (an example)

[Diagram. Labels recovered: Site; Cyber security; GK; GRAM; GridFTP; Parsing; AuditingService; Centralized logging.]

Allows searching through events and correlating them. The user will use a GUI or command-line tools to navigate through the data, and will retrieve pointers to the actual log entries when needed.

Some sites already have a way to collect and store logs, based on syslog or other standard practices. We want to leverage these and integrate them within the framework.

We need to make sure the services actually provide enough information.

OSG Accounting Activity
  • The goal of the activity is to develop a system to track the consumption of OSG services and resources user by user
  • Sponsored by SLAC, Fermilab and PPDG
  • Started Summer 2005
  • More Info: google “osg accounting”
OSG Accounting Activity: Motivation

The OSG infrastructure must provide its users with precise and reliable information about resource consumption.

Availability of such information will

  • allow resource providers to directly link resource consumption with the goals of VOs and science projects,
  • improve resource planning and organization at the resource providers' sites,
  • eventually, support automatic resource allocation and consumption based on an economic model.
OSG Edge Services Framework Activity
  • In OSG, services on the “Edge” of the Grid/Fabric site boundaries grant users access to site private services.
  • Started in September 2005.
  • Collaboration: Physicists, Computer Scientists & Engineers, Software Architects.
  • People: USATLAS, USCMS, Globus Alliance, ANL, U. Chicago, UC San Diego
  • Web collaborative area: http://osg.ivdgl.org/twiki/bin/view/EdgeServices

OSG Edge Services Framework Activity: Vision

An OSG site provides access to a shared compute and storage cluster via two types of services: those shared between VOs, and those that are VO-specific.

VO-specific service deployment is made possible via a shared services framework.

OSG Edge Service Framework Activity: Motivation
  • OSG has many VOs, each with many different requirements
  • Resources may be partitioned into specific, VO-dedicated servers alongside shared, open grid services used by many VOs.
  • Each VO may want to use different software to implement any particular kind of edge service
  • Each VO may put different requirements on an edge service in terms of resource usage.
ESF - Phase 1

[Diagram sequence of eight frames, each showing a Site with a CE, an SE and the ESF. Frames labelled Role=VO Admin show CMS, a XEN vm ("Based on XEN & GT4 workspaces") and dom0; frames labelled Role=VO User show XEN domU, dom0 and CMS.]