OSG Update
Bob Cowles, bob.cowles@slac.stanford.edu
Many of the pictures courtesy of Abhishek Rana
EGEE MiddleWare Security Group Meeting 7 – Amsterdam – 14-15 December 2005
OSG use of VOMS
• A VO service (one per VO) that provides extended proxies with signed group and role membership
• Vincenzo Ciaschini, INFN – Karoly Lorentey, et al.
MWSG7
Use case
• A VO compiles a list of users that can use data production resources
• When acting as data production coordinator, the user gets a “token” from the VO that states he is authorized to act in that role
• The user presents that token to the site when submitting a job or initiating a file transfer
• The service maps the user to a different account based on the role
• The different account allows access to restricted resources or a different class of service (e.g. file access, higher queue priorities, a special pool of machines, …)
VOMS: An example
(Diagram: the user runs voms-proxy-init at the submission site against the VO's VOMS server; at the execution site the Gatekeeper's PRIMA callout consults the GUMS server (gums-host) for the account mapping; grid3-user…txt)
VOMRS
• VO service that manages the registration process and feeds the list of currently approved members to VOMS
• VOMRS 1.2.0 was released on October 4th, 2005 (new features, bug fixes, Oracle support)
• VOMRS 1.2.1_GLITE (gLite 1.4 package + gLite patches) was released on November 15th, 2005
• VOMRS is installed at:
  • Fermilab (10 installations)
  • BNL (2 installations)
  • CERN (8 installations)
  • Texas Tech University (2 installations)
  • University of Melbourne (1 installation)
VOMRS/VOMS fits …
(Diagram: VOMRS/VOMS within the scope of GRID Services. Layers: Security Infrastructure; Common Middleware & Services; GRID Middleware & Interfaces; Authentication & Authorization; Virtual Organization Administration. Components shown: PRIMA, GUMS, VOMRS, VOMS, SAZ)
VOMRS (Scope and Services)
Scope: investigate and implement both policy-related and technical requirements for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources.
VOMRS:
• implements a registration workflow that requires
  • email verification of identity
  • VO usage policy acceptance
  • membership approval by designated VO representatives/administrators
• manages multiple grid certificates per user
• supports selection of groups and roles by the user, and management of groups and group role assignments by various VO administrators
• maintains a VO membership status and a certificate-level status for each member, with VO-level control of a member's privileges and membership
• sends email notifications when selected changes are made to a member's VO membership status and/or when required by members or administrators
• provides for VO control over its trusted set of Certificate Authorities (CAs)
• interfaces (optionally) to local systems with personnel information (e.g., the CERN Human Resource Database, SAM DB), pulling or pushing relevant member information from/to them
• can be configured to synchronize VOMRS membership data with the VOMS system (developed jointly for DataTAG by INFN and for DataGrid by CERN), covering all approved members' certificates and privileges
Plans for 2006
Development:
• Working on new release v1.2.2
  • VOMRS/SAM registration support
  • Bug fixes
Maintenance and Support:
• FermiGrid support
• Ongoing work with LCG Task Force:
  • Migration from LDAP VO to VOMRS
  • Performance issues with the CERN Human Resource DB
  • Oracle issues
• Working on integration with VDT
PRIMA & GUMS
• PRIMA: the gatekeeper callout module that is able to contact a site authorization service to retrieve the mapping
• GUMS: a site authorization service that manages site-wide mapping
Privilege fits …
(Diagram: the Privilege infrastructure naturally fits in the authorization layer; it facilitates job priority and storage access, and could help facilitate …)
Scope & Services
• The primary goal of this phase of the project was to deliver the execution call-out for finer-grained authorization of processing resources
  • Generate an extended proxy based on role information stored in VOMS
  • Module to parse extended attribute certificates
  • Communicate the information to an identity mapping service in a secure manner
  • Return the information to the Globus gatekeeper
  • Map the user to a specified UID
Status
• Privilege has delivered an infrastructure that has been deployed on OSG
  • The authorization system has been deployed on all CMS-T2 centers, the T1 at FNAL, FermiGrid, BNL, etc.
• CMS and ATLAS have defined roles that can be implemented within VOMS
• VOMS extended proxy is parsed by the PRIMA callout and given to GUMS for authentication
  • User is either assigned to a specified account or a pool of accounts
  • Pool mapping is maintained persistently between sessions
• Release for pre-web-service globus-gatekeeper callout is stable
• Relatively light operations support
  • A couple of tickets a month, so far rapidly solved
• The infrastructure does the basic elements from the initial proposal for the processing gatekeeper
  • Room for performance and functionality improvements, but fast enough for now
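An added example (not code from this talk, GUMS or PRIMA) of the mapping step the use case and the Status slide describe: a site policy takes the user's DN plus the VOMS group/role attributes that PRIMA extracts from the extended proxy and returns either a fixed role account or a pool account that stays assigned to that DN across sessions. The rule table, DNs and pool sizes below are constructed for illustration; the FQAN syntax is the standard VOMS one.

```python
import re

# VOMS FQAN, e.g. "/cms/Role=production/Capability=NULL": group path, optional Role, optional Capability.
FQAN_RE = re.compile(
    r"^(?P<group>(?:/[^/=]+)+)(?:/Role=(?P<role>[^/]+))?(?:/Capability=[^/]+)?$"
)

def parse_fqan(fqan):
    """Split an FQAN into (group, role); Role=NULL means no role requested."""
    m = FQAN_RE.match(fqan)
    if not m:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    role = m.group("role")
    return m.group("group"), (None if role in (None, "NULL") else role)

class SiteMapper:
    """GUMS-style site policy: ordered (group, role, target) rules, where target
    is a fixed local account or a pool ("pool", prefix, size). pool_state records,
    per pool, which DN holds which account so a user keeps the same account across
    sessions; a real site would persist it. PRIMA is assumed to have verified the
    VOMS attribute-certificate signature before the mapping is consulted."""

    def __init__(self, rules, pool_state=None):
        self.rules = rules
        self.pool_state = pool_state if pool_state is not None else {}

    def _pool_account(self, prefix, size, dn):
        assigned = self.pool_state.setdefault(prefix, {})
        if dn in assigned:
            return assigned[dn]  # returning user: stable mapping
        if len(assigned) >= size:
            return None  # pool exhausted: refuse rather than share an account
        assigned[dn] = f"{prefix}{len(assigned) + 1:03d}"
        return assigned[dn]

    def map_user(self, dn, fqans):
        """Local account for this DN, or None to reject. FQANs are tried in the
        order VOMS put them in the proxy (the requested role comes first)."""
        for fqan in fqans:
            group, role = parse_fqan(fqan)
            for rule_group, rule_role, target in self.rules:
                if (rule_group, rule_role) == (group, role):
                    if isinstance(target, tuple):
                        return self._pool_account(target[1], target[2], dn)
                    return target
        return None

# Constructed sample policy (not a real site's): production coordinators share
# one privileged account; ordinary CMS members each get a pool account.
CMS_RULES = [("/cms", "production", "cmsprod"), ("/cms", None, ("pool", "cms", 2))]
```

A request whose FQANs match no rule, or whose pool is already full, is rejected instead of falling through to a shared account.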
Privilege Plans
There are 3 significant pieces of work facing the Privilege developers
• Implementation of the callout for storage
  • This is work that we expected to have completed already. Slowed due to communication and available effort issues.
  • The gPlasma architecture designed by Abhishek Rana at UCSD with help from CCF should allow the same consistent mapping received by the Globus gatekeeper to be available to the SRM interface
  • Expected for scale deployment at FNAL by the end of the year
• The desire to deploy the GT4 Web services requires a callout for Privilege
  • Gabriele C. and G., and Vikram have made good progress
  • Currently waiting on a patch from Globus
  • Progress is somewhat dependent on others
  • Hopefully a production release by early January
• The final piece of work is a detailed survey of deployment experiences and an understanding of the level of adoption on OSG sites
  • Documentation Project
GUMS References
• http://grid.racf.bnl.gov/GUMS/
• OpenSAML renaming: http://grid.racf.bnl.gov/GUMS/components/privilege/opensaml.html
• VOMS version problem: http://grid.racf.bnl.gov/GUMS/troubleshootingFaq.html#VOMS1x
OSG and EGEE/LCG
• VOMS
  • Smooth transitions between versions are extremely important
  • Integral part of future development
  • Key to interoperability with EGEE
• LCAS
  • Need to highlight (resolve?) compatibility issues with PRIMA/GUMS
OSG – Other Issues
• Interest in gLExec with GUMS & PRIMA
• Great interest in user traceability
  • http://grid.racf.bnl.gov/GUMS/troubleshootingFaq.html#logs
• Bridging portals and inter-grid
  • Only a service certificate is presented at the boundary
  • What are the high-level and low-level requirements?
• Need to participate in vulnerability work
• EGEE policy web pages
  • Uniform format / template?
  • Mix human / machine readable?