
OSG Update


Presentation Transcript


  1. OSG Update Bob Cowles bob.cowles@slac.stanford.edu Many of the pictures courtesy of Abhishek Rana EGEE MiddleWare Security Group Meeting 7 – Amsterdam – 14-15 December 2005

  2. OSG use of VOMS
  • A VO service (one per VO) that provides extended proxies with signed group and role membership
  • Vincenzo Ciaschini, INFN - Karoly Lorentey, et al
  MWSG7

  3. Use case
  • A VO compiles a list of users that can use data production resources
  • When acting as data production coordinator, the user gets a “token” from the VO that states he is authorized to act in that role
  • The user presents that token to the site when submitting a job or initiating a file transfer
  • The service maps the user to a different account based on the role
  • The different account allows access to restricted resources or a different class of service (e.g. file access, higher queue priorities, a special pool of machines, …)

  4. VOMS: an example (diagram; labels: voms-proxy-init, Submission site, User, VOs, Execution site, GUMS Server, Gatekeeper, PRIMA, grid3-user…txt, gums-host)

  5. VOMRS
  • VO service that manages the registration process, and feeds the list of currently approved members to VOMS
  • VOMRS 1.2.0 was released on October 4th, 2005 (new features, bug fixes, Oracle support)
  • VOMRS 1.2.1_GLITE (gLite 1.4 package + gLite patches) was released on November 15th, 2005
  • VOMRS is installed at:
    • Fermilab (10 installations)
    • BNL (2 installations)
    • CERN (8 installations)
    • Texas Tech University (2 installations)
    • University of Melbourne (1 installation)

  6. VOMRS/VOMS fits … (diagram)

  7. VOMRS/VOMS within the scope of GRID Services (diagram; layers: Security Infrastructure, Common Middleware & Services, GRID Middleware & Interfaces, Authentication & Authorization, Virtual Organization Administration; components: PRIMA, GUMS, VOMRS, VOMS, SAZ)

  8. VOMRS (Scope and Services)
  Scope: investigate and implement both policy-related and technical requirements for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources.
  • implements a registration workflow that requires
    • email verification of identity
    • VO usage policy acceptance
    • membership approval by designated VO representatives/administrators
  • management of multiple grid certificates per user
  • selection of groups and roles by the user, and management of groups and group role assignments by the various VO administrators
  • maintains a VO membership status and a certificate-level status for each member, with VO-level control of a member's privileges and membership
  • sends email notifications when selected changes are made to a member's VO membership status and/or when required by members or administrators
  • provides for VO control over its trusted set of Certificate Authorities (CAs)
  • interfaces (optionally) to local systems with personnel information (e.g., the CERN Human Resource Database, SAM DB), pulling or pushing relevant member information from/to them
  • VOMRS membership data can be configured to synchronize with the VOMS system (developed jointly for DataTAG by INFN and for DataGrid by CERN) with all approved members' certificates and privileges

  9. VOMRS & Grid VO Management (example; diagram)

  10. Plans for 2006
  Development:
  • Working on new release v1.2.2
  • VOMRS/SAM registration support
  • Bug fixes
  Maintenance and Support:
  • FermiGrid support
  • Ongoing work with LCG Task Force:
    • Migration from LDAP VO to VOMRS
    • Performance issues
    • CERN Human Resource DB
    • Oracle issues
  • Working on integration with VDT

  11. PRIMA & GUMS
  • PRIMA: the gatekeeper callout module that is able to contact a site authorization service to retrieve the mapping
  • GUMS: a site authorization service that manages the site-wide mapping

  12. Privilege fits … (diagram callouts: “Facilitates job priority and storage access”; “Privilege infrastructure naturally fits here”; “Could help facilitate”)

  13. Scope & Services
  • The primary goal of this phase of the project was to deliver the execution call-out for finer-grained authorization of processing resources
    • Generate an extended proxy based on role information stored in VOMS
    • Module to parse extended attribute certificates
    • Communicate the information to an identity mapping service in a secure manner
    • Return the information to the Globus gatekeeper
    • Map the user to a specified UID

  14. Status
  • Privilege has delivered an infrastructure that has been deployed on OSG
    • The authorization system has been deployed on all CMS-T2 centers, the T1 at FNAL, FermiGrid, BNL, etc.
  • CMS and ATLAS have defined roles that can be implemented within VOMS
  • VOMS extended proxy is parsed by the PRIMA callout and given to GUMS for authentication
  • User is either assigned to a specified account or a pool of accounts
    • Pool mapping is maintained persistently between sessions
  • Release for pre-web service globus-gatekeeper callout is stable
  • Relatively light operations support
    • A couple of tickets a month, so far rapidly solved
  • The infrastructure does the basic elements from the initial proposal for the processing gatekeeper
    • Room for performance and functionality improvements, but fast enough for now

  15. Privilege Plans
  There are 3 significant pieces of work facing the Privilege developers
  • Implementation of the callout for storage
    • This is work that we expected to have completed already. Slowed due to communication and available effort issues.
    • The gPlasma architecture designed by Abhishek Rana at UCSD with help from CCF should allow the same consistent mapping received by the Globus gatekeeper to be available to the SRM interface
    • Expected for scale deployment at FNAL by the end of the year
  • The desire to deploy the GT4 Web services requires a callout for privilege
    • Gabriele C. and G., and Vikram have made good progress
    • Currently waiting on a patch from Globus
    • Progress is somewhat dependent on others
    • Hopefully a production release by early January
  • The final piece of work is a detailed survey of deployment experiences and an understanding of the level of adoption on OSG sites
    • Documentation project

  16. GUMS References
  • http://grid.racf.bnl.gov/GUMS/
  • OpenSAML renaming: http://grid.racf.bnl.gov/GUMS/components/privilege/opensaml.html
  • VOMS version problem: http://grid.racf.bnl.gov/GUMS/troubleshootingFaq.html#VOMS1x

  17. OSG and EGEE/LCG
  • VOMS
    • Smooth transitions between versions are extremely important
    • Integral part of future development
    • Key to interoperability with EGEE
  • LCAS
    • Need to highlight (resolve?) compatibility issues with PRIMA/GUMS

  18. OSG – Other Issues
  • Interest in gLExec with GUMS & PRIMA
  • Great interest in user traceability
    • http://grid.racf.bnl.gov/GUMS/troubleshootingFaq.html#logs
  • Bridging portals and inter-grid
    • Only service cert presented at boundary
    • What are the high-level and low-level requirements?
  • Need to participate in vulnerability work
  • EGEE policy web pages
    • Uniform format / template?
    • Mix human / machine readable?
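The mapping step that slides 3, 13 and 14 describe (the site receives a group/role assertion from the VO, maps the user either to a fixed account or to one account from a pool, and keeps pool assignments stable between sessions), together with the user traceability slide 18 asks for, as an added example written for this page. It is not OSG, PRIMA or GUMS code: `parse_fqan`, `MappingRule`, `MappingService`, the rules, DNs and account names are all constructed here. Real PRIMA reads the FQANs out of the signed attribute certificate in the extended proxy and real GUMS policy is configured in its own format; this toy takes the FQAN as a plain string and expresses policy as an ordered list of rules.

```python
"""Toy site identity-mapping service in the spirit of PRIMA/GUMS.

Added illustration for this deck, not OSG, GUMS or PRIMA code. The FQAN
strings, DNs, rules and account names below are constructed examples.
"""
import json
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """Split a VOMS FQAN such as "/cms/uscms/Role=production/Capability=NULL"
    into (group, role). A role of NULL counts as "no role asserted"."""
    if not fqan.startswith("/"):
        raise ValueError(f"malformed FQAN: {fqan!r}")
    group_parts: List[str] = []
    role: Optional[str] = None
    seen_role = False
    for seg in fqan.split("/")[1:]:
        if seg.startswith("Role="):
            if seen_role:
                raise ValueError(f"malformed FQAN: {fqan!r}")
            seen_role = True
            value = seg[len("Role="):]
            role = None if value == "NULL" else value
        elif seg.startswith("Capability="):
            continue                      # capabilities are ignored by this toy
        elif not seg or seen_role:
            raise ValueError(f"malformed FQAN: {fqan!r}")   # empty or out-of-order segment
        else:
            group_parts.append(seg)
    if not group_parts:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    return "/" + "/".join(group_parts), role


@dataclass
class MappingRule:
    """One line of site policy: members of `group` (and its subgroups) who
    present `role` go to a fixed `account` or to one account from `pool`.
    role=None matches any role, so list role-specific rules first."""
    group: str
    role: Optional[str] = None
    account: Optional[str] = None
    pool: List[str] = field(default_factory=list)

    def matches(self, group: str, role: Optional[str]) -> bool:
        in_group = group == self.group or group.startswith(self.group + "/")
        return in_group and (self.role is None or self.role == role)


# Constructed site policy, in the spirit of the slide-3 use case.
RULES = [
    MappingRule("/cms", role="production", account="cmsprod"),  # coordinators share one account
    MappingRule("/cms", pool=["cms001", "cms002", "cms003"]),   # other CMS members: pool
    MappingRule("/atlas", pool=["atlas001", "atlas002"]),
]


class MappingService:
    """Answers "which local account?" for a (DN, FQAN) pair, keeps pool
    assignments stable across sessions and records every decision so an
    account seen on the site can be traced back to a person."""

    def __init__(self, rules: List[MappingRule], state_path: Optional[str] = None):
        self.rules = rules
        self.state_path = state_path                 # None keeps state in memory only
        self.pool_assignments: Dict[str, str] = {}   # "dn|group|role" -> account
        self.audit: List[Dict[str, str]] = []
        if state_path and os.path.exists(state_path):
            with open(state_path) as fh:
                saved = json.load(fh)
            self.pool_assignments = saved["pool_assignments"]
            self.audit = saved["audit"]

    def _save(self) -> None:
        if self.state_path:
            with open(self.state_path, "w") as fh:
                json.dump({"pool_assignments": self.pool_assignments,
                           "audit": self.audit}, fh)

    def map_user(self, dn: str, fqan: str) -> str:
        """Return the local account for this request, or refuse it."""
        group, role = parse_fqan(fqan)
        for rule in self.rules:                      # first matching rule wins
            if not rule.matches(group, role):
                continue
            account = rule.account or self._assign_from_pool(dn, rule, role)
            self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                               "dn": dn, "fqan": fqan, "account": account})
            self._save()
            return account
        raise PermissionError(f"no mapping rule for {dn} presenting {fqan}")

    def _assign_from_pool(self, dn: str, rule: MappingRule, role: Optional[str]) -> str:
        key = f"{dn}|{rule.group}|{role}"
        if key in self.pool_assignments:             # same person, same account, every session
            return self.pool_assignments[key]
        in_use = set(self.pool_assignments.values())
        for account in rule.pool:
            if account not in in_use:
                self.pool_assignments[key] = account
                return account
        raise RuntimeError(f"pool for {rule.group} is exhausted")

    def trace(self, account: str) -> List[str]:
        """Traceability: which DNs have ever been mapped to this account?"""
        return sorted({rec["dn"] for rec in self.audit if rec["account"] == account})
```

The pool rule gives each DN its own account, so the pool account alone identifies the person; the fixed `cmsprod` account is shared by every production coordinator, which is exactly the case where traceability depends on the mapping service's audit record rather than on the Unix account. Passing a `state_path` persists both the pool assignments and the audit records across restarts.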
