
Authorization in L&B

Authorization in L&B. Daniel Kouřil, CESNET. MWSG meeting, Zurich, 31/3/2009. Logging and Bookkeeping. Monitoring system to track jobs, in production for many years, designed to be able to process 1M jobs per day, hundreds of LB events per second. Currently for jobs passing via WMS


Presentation Transcript


  1. Authorization in L&B. Daniel Kouřil, CESNET. MWSG meeting, Zurich, 31/3/2009

  2. Logging and Bookkeeping
     • Monitoring system to track jobs
       • in production for many years
       • designed to be able to process 1M jobs per day
       • hundreds of LB events per second
     • Currently for jobs passing via WMS
       • ongoing discussions with CREAM
       • recently adapted to monitor PBS and Condor jobs, too
     • Two basic L&B components
       • LB messaging infrastructure
       • LB server storing and processing job related data
     • Query interface
       • complex queries on jobs and their status
     • Notifications
       • sent by LB server on changes

  3. Gathering L&B data
     • LB collects events from individual Grid components
       • information about an important point in the job's lifetime
       • transfer between components, start running, done, ...
     • Instrumentation of components
       • events sent as messages to the LB server
       • own messaging infrastructure
       • secure (protection, authN) and reliable (fault tolerance)
       • notifications use this messaging infrastructure too
       • events are tied to a job (using the jobid)
       • job registration
     • Push model
       • events are sent by the components (mostly WMS) upon changes
       • instrumented components or reading log files
       • no useless polling

  4. L&B Infrastructure

  5. L&B Architecture

  6. Authorizing consumers
     • Users can only access their jobs by default
     • ACL can be specified by users
     • Specifying subject names or VOMS attributes
     • Simple UI to manipulate the ACLs, output in GACL
     • Super-users
     • Specified by L&B server administrators
     • Subject names or VOMS attributes (LB 2.0)
     • Simple policy language used
     • Generalized "super-users"
     • Work in progress
     • Broader access to job information
     • RTM monitoring
     • Policy language not set yet

  7. Authorizing producers
     • No explicit authZ in L&B v1.x
     • LCAS-based authZ introduced in L&B 2.0
     • Custom L&B LCAS module specifying events and clients
     • Makes it possible to define trusted networks of loggers
     • Simple policy language:
         RegJob = { * }
         * = { /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz }
         ...
       • language may change before release

  8. Trusted loggers
     • Loggers specified using subject names
     • VOMS support would be more convenient
     • Currently no support for VOMS attributes for services
     • Loggers always act as client for L&B server
     • Especially important when L&B used in incident resolution
     • L&B contains many interesting details about users' activities
     • Work in OSCT to trace users based on L&B data
     • L&B information must be reliable enough
       • originated from trusted components
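
The producer policy on slide 7 and the trusted-logger model on slide 8 can be read as a default-deny lookup from event type to allowed client subject names. The sketch below is an added example, not code from L&B or its LCAS module. It assumes that a rule naming an event takes precedence over the `*` rule, that several subjects in one rule are comma separated, and that subjects are compared as exact strings; the function names are hypothetical.

```python
import re

# Policy text as shown on slide 7 (the slide's trailing "..." is omitted).
SLIDE_POLICY = """
RegJob = { * }
* = { /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz }
"""

# One rule per line: <event name or *> = { <subjects> }
RULE_RE = re.compile(r"^\s*(\*|\w+)\s*=\s*\{(.*)\}\s*$")


def parse_policy(text):
    """Return {event: set of subjects}; '*' is kept as a literal key or member."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            # Fail closed: a malformed rule must not be silently skipped.
            raise ValueError(f"line {lineno}: cannot parse rule: {line!r}")
        event, body = m.groups()
        # Assumption: several subjects in one rule are comma separated.
        subjects = {s.strip() for s in body.split(",") if s.strip()}
        if not subjects:
            raise ValueError(f"line {lineno}: empty subject list")
        rules.setdefault(event, set()).update(subjects)
    return rules


def may_log(rules, event, subject_dn):
    """Decide whether the authenticated client subject may log this event type."""
    # Assumption: a rule naming the event wins over the '*' rule.
    # No matching rule at all means deny.
    allowed = rules.get(event, rules.get("*", set()))
    return "*" in allowed or subject_dn in allowed


if __name__ == "__main__":
    rules = parse_policy(SLIDE_POLICY)
    trusted = "/DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz"
    other = "/DC=org/DC=example/CN=some user"  # constructed subject name
    # "Running" is a constructed event name used only for illustration.
    for event, dn in [("RegJob", other), ("Running", trusted), ("Running", other)]:
        print(event, dn, "->", "allow" if may_log(rules, event, dn) else "deny")
```

Under these assumptions any authenticated client can register a job, while every other event type is accepted only from the listed logger, which is what makes the stored job history usable as evidence in incident resolution.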
