Grid User Management System Gabriele Carcassi CHEP04 29 September 2004
Outline • What GUMS is • How it is used at BNL • What the current functionalities are • Roadmap and future
GUMS …
• … is a site tool
[Diagram: each VO (CMS, ATLAS) runs its own VOMS server; each site (Brookhaven National Lab, CERN) runs its own GUMS. Membership is managed by the VO, the mapping of that membership onto local accounts is managed by the site.]
GUMS …
• … translates a Grid identity to a local identity (certificate -> local user)
[Diagram: a Grid resource presents the DN /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi to BNL GUMS (Resource AuthZ Service – Grid Identity Mapping), which returns the local account carcassi.]
Simplest case shown; equivalent to a grid-mapfile.
GUMS …
• … is centralized: one server per site
[Diagram: several Grid resources all query the single BNL GUMS.]
• Allows identity mapping to be controlled from a single place
• Keeps the site consistent
GUMS …
• … allows a site policy
[Diagram: different classes of hosts get different rules]
Grid3 production servers. Allow: members of the Grid3 VO, mapped to accounts taken from a pool; members on a special list kept in a database, mapped to 'special'
Test servers for USATLAS. Allow: all of the LCG test VO, mapped to 'lcgt'; all of the USATLAS group, mapped to 'usatlast'
Other machines. Allow: members of …, mapped to …
• All group and mapping definitions are specified in a single XML file
Use at BNL
• In use since May 2004
[Diagram: the VOs (PHENIX, STAR, ATLAS), the GUMS server, the GUMS DB holding the mapfile cache, and the Grid resources]
1. GUMS contacts the VO servers and updates the local database with their members
2. GUMS generates the maps according to the policy and stores them in a special DB table
3. The gatekeepers contact the database to retrieve their mapping
Use at BNL
GUMS Policy example
<gums>
  <persistanceFactories>
    <persistenceFactory name='mysql' className='gov.bnl.gums.MySQLPersistanceFactory' />
  </persistanceFactories>
  <groupMappings>
    <groupMapping name='usatlasPool'>
      <userGroup className='gov.bnl.gums.LDAPGroup'
                 server='grid-vo.nikhef.nl'
                 query='ou=usatlas,o=atlas,dc=eu-datagrid,dc=org'
                 persistanceFactory='mysql' name='usatlas' />
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' />
        <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistanceFactory='mysql' name='bnlPool' />
        <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
      </compositeAccountMapping>
    </groupMapping>
    <groupMapping name='star'>
      <userGroup className='gov.bnl.gums.VOMSGroup'
                 url='https://vo.racf.bnl.gov:8443/edg-voms-admin/star/services/VOMSAdmin'
                 persistanceFactory='mysql' name='star'
                 sslCertfile='/etc/grid-security/hostcert.pem'
                 sslKey='/etc/grid-security/hostkey.pem' />
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' />
        <accountMapping className='gov.bnl.gums.NISAccountMapper' jndiNisUrl='nis://nis2.somewhere.com/rhic.bnl.gov' />
      </compositeAccountMapping>
    </groupMapping>
    …
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='star*.somewhere.gov' groups='star' />
    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='gums.somewhere.gov' groups='star,phenix,usatlasPool' />
    …
  </hostGroups>
</gums>
Open architecture
• All critical pieces are defined through interfaces and specified in the configuration
[Diagram: the PersistenceFactory creates the persistence implementations used by a UserGroup and by an AccountMapper; a GroupMapper combines one UserGroup with one or more AccountMappers; a HostGroup selects which GroupMappers apply to a host.]
• Allows integration with site-specific services (e.g. HR databases, LDAP, information services, …):
• Implement the interface (the only dependency on GUMS)
• Put the jar in the lib folder
• Modify the policy file
Features implemented
• Persistence: MySQL
• UserGroups: LDAP VO, VOMS, manual list of users (persistence)
• AccountMappers: group account, best-effort NIS mapping, account pool, manual mapping (persistence)
• All are being used at BNL
Future plans
• Version 1.0 will be ready by the OSG-0 release (February 2005)
• Target functionalities:
• Account pooling (a test setup is already running within Grid3)
• Web service interface for GUMS
• Role-based authorization (part of the Privilege Project, a joint USATLAS and USCMS project)
Account Pooling
• A generic grid user will be assigned a generic grid account from a pool of pre-created accounts; an account, once assigned, is never recycled
[Diagram: pool grid0009, grid0010, grid0011, … with
/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi -> grid0009
/DC=org/DC=doegrids/OU=People/CN=Dantong Yu -> grid0010
/DC=org/DC=doegrids/OU=People/CN=Razvan Popescu -> grid0012
/DC=org/DC=doegrids/OU=People/CN=Dantong Yu -> grid0014
and grid0011, grid0013, grid0015, grid0016, grid0017, … still unassigned]
• Will allow BNL cybersecurity to perform auditing: since accounts are not reused, an account name found in a log points back to a single certificate
• To go in production we need to:
• Assign the group id after the assignment
• Make sure it doesn't disrupt accounting and applications
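The following is an added example, not GUMS code, that models how a policy file like the one above is turned into a mapfile for one gatekeeper and how a non-recycling account pool fits into the composite mapping chain. Element names mirror the slide's policy file, but the class names are shortened stand-ins, the persistence attributes are dropped, and the VO membership lists, the manual mapping table and the pool contents are constructed inline (GUMS would fetch membership from VOMS/LDAP and keep everything in MySQL). Two behaviours are assumptions of this model rather than documented GUMS semantics: the first matching hostGroup wins, and a DN listed in several groups keeps the account given by the first groupMapping.

```python
"""Minimal model of GUMS-style policy evaluation (added example, not GUMS code)."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy, shaped like the slide's example but trimmed.
POLICY_XML = """
<gums>
  <groupMappings>
    <groupMapping name='usatlasPool'>
      <userGroup name='usatlas'/>
      <compositeAccountMapping>
        <accountMapping className='ManualAccountMapper' name='bnlMapping'/>
        <accountMapping className='AccountPoolMapper' name='bnlPool'/>
        <accountMapping className='GroupAccountMapper' groupName='usatlas1'/>
      </compositeAccountMapping>
    </groupMapping>
    <groupMapping name='star'>
      <userGroup name='star'/>
      <compositeAccountMapping>
        <accountMapping className='ManualAccountMapper' name='bnlMapping'/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup wildcard='star*.somewhere.gov' groups='star'/>
    <hostGroup wildcard='gums.somewhere.gov' groups='star,usatlasPool'/>
  </hostGroups>
</gums>
"""

# Constructed state standing in for the GUMS database: VO membership as
# cached after contacting the VO servers, and the manual mapping table.
MEMBERS = {
    "usatlas": ["/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi",
                "/DC=org/DC=doegrids/OU=People/CN=Dantong Yu"],
    "star": ["/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi"],
}
MANUAL = {"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi": "carcassi"}


class AccountPool:
    """Pre-created accounts handed out once each. No recycling: an account
    name in a log always points back to exactly one certificate."""

    def __init__(self, names):
        self.free = list(names)
        self.assigned = {}  # DN -> account; GUMS keeps this in a DB table

    def map(self, dn):
        if dn not in self.assigned:
            if not self.free:
                return None  # pool exhausted: fail rather than reuse
            self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]


# Constructed pool: grid0009 .. grid0012.
POOLS = {"bnlPool": AccountPool(f"grid{n:04d}" for n in range(9, 13))}


def apply_mapper(mapping, dn):
    """Dispatch one <accountMapping> element; None means 'no account here'."""
    cls = mapping.get("className")
    if cls == "ManualAccountMapper":
        return MANUAL.get(dn)
    if cls == "AccountPoolMapper":
        return POOLS[mapping.get("name")].map(dn)
    if cls == "GroupAccountMapper":
        return mapping.get("groupName")  # everyone shares one account
    raise ValueError(f"unknown mapper {cls!r}")


def generate_mapfile(policy_xml, hostname):
    """Return {DN: account} for one gatekeeper. Assumed semantics: the first
    hostGroup whose wildcard matches selects the groupMappings; within a
    groupMapping the first mapper that yields an account wins; a DN already
    mapped by an earlier group is not remapped."""
    root = ET.fromstring(policy_xml.strip())
    groups_by_name = {g.get("name"): g for g in root.iter("groupMapping")}
    result = {}
    for hg in root.iter("hostGroup"):
        if not fnmatch.fnmatchcase(hostname, hg.get("wildcard")):
            continue
        for gname in hg.get("groups").split(","):
            gm = groups_by_name[gname]
            for dn in MEMBERS.get(gm.find("userGroup").get("name"), []):
                if dn in result:
                    continue
                for am in gm.iter("accountMapping"):
                    acct = apply_mapper(am, dn)
                    if acct:
                        result[dn] = acct
                        break
        break
    return result


if __name__ == "__main__":
    for dn, acct in generate_mapfile(POLICY_XML, "gums.somewhere.gov").items():
        print(f'"{dn}" {acct}')
```

Running it prints the grid-mapfile lines for gums.somewhere.gov: Carcassi is taken from the manual table because the star group is listed first, while Dantong Yu falls through the manual mapper and receives grid0009 from the pool. Calling the function again returns the same pool account for the same DN, which is the property the auditing argument on this slide relies on; the exhausted-pool case returns no mapping instead of handing an account to a second certificate.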
GT3 GUMS service
• Use the gatekeeper call-out to contact GUMS directly
[Diagram: the Grid resources call the GUMS server at authorization time instead of reading a cached mapfile; GUMS still keeps its DB fed from the VOs (PHENIX, STAR, ATLAS)]
Role based authorization
• Use of the callout and of the VOMS extended proxy
[Diagram: with a plain certificate, /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi is mapped by BNL GUMS to carcassi; with a VOMS extended proxy carrying /VO=ATLAS/Group=USATLAS/Role=production-leader, the same DN is mapped by BNL GUMS to usatlasprod]
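An added example, not GUMS or Privilege Project code, of the decision the slide shows: the callout hands the mapping service the subject DN plus the FQAN strings carried by the VOMS extended proxy, a role entry is used when one applies, and the plain DN mapping is the fallback. It assumes the gatekeeper's callout has already verified the signature on the VOMS attribute certificate, so the FQANs are trusted input here; it also assumes, as a design choice rather than documented behaviour, that a role mapping is only honoured for a DN the site's own cached membership lists for that VO. The FQAN syntax is the one on the slide. Only the production-leader entry and the carcassi mapping come from the slide; the other ROLE_MAP entries and the membership set are hypothetical.

```python
"""Role-based mapping on top of DN mapping (added example, not GUMS code)."""
import fnmatch

# Constructed tables standing in for the GUMS database.
DN_MAP = {"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi": "carcassi"}

# (FQAN pattern, local account), checked in order, most specific first.
# Only the production-leader line is from the slide; the others are
# hypothetical and exist to show why the order matters.
ROLE_MAP = [
    ("/VO=ATLAS/Group=USATLAS/Role=production-leader", "usatlasprod"),
    ("/VO=ATLAS/Group=USATLAS/Role=*", "usatlassoft"),
    ("/VO=ATLAS/Group=USATLAS", "usatlas1"),
]

# Constructed membership cache, keyed by VO, as refreshed from the VO server.
VO_MEMBERS = {
    "ATLAS": {"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi"},
}


def parse_fqan(fqan):
    """Split '/VO=ATLAS/Group=USATLAS/Role=production-leader' into a dict,
    rejecting components that are not key=value so a malformed attribute
    cannot silently match a pattern."""
    attrs = {}
    for component in fqan.strip("/").split("/"):
        if "=" not in component:
            raise ValueError(f"malformed FQAN component: {component!r}")
        key, value = component.split("=", 1)
        attrs[key] = value
    return attrs


def map_identity(dn, fqans=()):
    """Return the local account for dn. fqans are the verified FQANs from the
    VOMS extended proxy, primary first; an empty tuple is a plain certificate."""
    for fqan in fqans:
        attrs = parse_fqan(fqan)
        # Assumed design choice: the site's own membership cache must also
        # list the DN in that VO before a role mapping is applied.
        if dn not in VO_MEMBERS.get(attrs.get("VO"), set()):
            continue
        for pattern, account in ROLE_MAP:
            if fnmatch.fnmatchcase(fqan, pattern):
                return account
    # No usable role: fall back to the per-DN mapping, if any.
    return DN_MAP.get(dn)


if __name__ == "__main__":
    dn = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi"
    print(map_identity(dn))
    print(map_identity(dn, ["/VO=ATLAS/Group=USATLAS/Role=production-leader"]))
```

The same DN yields carcassi with a plain certificate and usatlasprod with the production-leader FQAN, which is the pair of paths drawn on the slide. Because patterns are tried in list order, the exact production-leader entry is reached before the wildcard Role=* entry; reversing them would silently map every role to the same account.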