The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009.

Slides:



Advertisements
Similar presentations
LCG Tiziana Ferrari - SC3: INFN installation status report 1 Service Challenge Phase 3: Status report Tiziana Ferrari on behalf of the INFN SC team INFN.
Advertisements

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
High Availability Group 08: Võ Đức Vĩnh Nguyễn Quang Vũ
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
11 SERVER CLUSTERING Chapter 6. Chapter 6: SERVER CLUSTERING2 OVERVIEW  List the types of server clusters.  Determine which type of cluster to use for.
Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
Module 12: Designing an AD LDS Implementation. AD LDS Usage AD LDS is most commonly used as a solution to the following requirements: Providing an LDAP-based.
Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.
16 th May 2006Alessandra Forti Storage Alessandra Forti Group seminar 16th May 2006.
YAN, Tian On behalf of distributed computing group Institute of High Energy Physics (IHEP), CAS, China CHEP-2015, Apr th, OIST, Okinawa.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.
Large Scale Test of a storage solution based on an Industry Standard Michael Ernst Brookhaven National Laboratory ADC Retreat Naples, Italy February 2,
Module 11: Implementing ISA Server 2004 Enterprise Edition.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
Introduction to dCache Zhenping (Jane) Liu ATLAS Computing Facility, Physics Department Brookhaven National Lab 09/12 – 09/13, 2005 USATLAS Tier-1 & Tier-2.
Developing & Managing A Large Linux Farm – The Brookhaven Experience CHEP2004 – Interlaken September 27, 2004 Tomasz Wlodek - BNL.
09/02 ID099-1 September 9, 2002Grid Technology Panel Patrick Dreher Technical Panel Discussion: Progress in Developing a Web Services Data Analysis Grid.
NT SECURITY Introduction Security features of an operating system revolve around the principles of “Availability,” “Integrity,” and Confidentiality. For.
INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
The Replica Location Service The Globus Project™ And The DataGrid Project Copyright (c) 2002 University of Chicago and The University of Southern California.
Condor-G A Quick Introduction Alan De Smet Condor Project University of Wisconsin - Madison.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
INFSO-RI Enabling Grids for E-sciencE gLite Data Management and Interoperability Peter Kunszt (JRA1 DM Cluster) 2 nd EGEE Conference,
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
6/23/2005 R. GARDNER OSG Baseline Services 1 OSG Baseline Services In my talk I’d like to discuss two questions:  What capabilities are we aiming for.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Site Architecture Resource Center Deployment Considerations MIMOS EGEE Tutorial.
HLRmon accounting portal DGAS (Distributed Grid Accounting System) sensors collect accounting information at site level. Site data are sent to site or.
OSG Abhishek Rana Frank Würthwein UCSD.
CHAPTER 7 CLUSTERING SERVERS. CLUSTERING TYPES There are 2 types of clustering ; Server clusters Network Load Balancing (NLB) The difference between the.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Practicals on Security Miguel Cárdenas Montes.
The CMS Top 5 Issues/Concerns wrt. WLCG services WLCG-MB April 3, 2007 Matthias Kasemann CERN/DESY.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
1 Active Directory Service in Windows 2000 Li Yang SID: November 2000.
INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen.
Hands-on security Carlos Fuentes RedIRIS Madrid,26 – 30 de Octubre de 2008.
Hands on Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) 马兰馨 IHEP, CAS Hands on gLite Security.
Building Preservation Environments with Data Grid Technology Reagan W. Moore Presenter: Praveen Namburi.
Storage Element Security Jens G Jensen, WP5 Barcelona, May 2003.
StoRM + Lustre Proposal YAN Tian On behalf of Distributed Computing Group
Authentication Services Grid security concepts and tools D. Cesini (INFN-CNAF), V.Ciaschini (INFN-CNAF), A.Paolini (INFN-CNAF) INFN Grid School, CNAF,
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI solution for high throughput data analysis Peter Solagna EGI.eu Operations.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
CASTOR: possible evolution into the LHC era
Jean-Philippe Baud, IT-GD, CERN November 2007
AuthN and AuthZ in StoRM A short guide
StoRM: a SRM solution for disk based storage systems
Practicals on VOMS and MyProxy
StratusLab Final Periodic Review
StratusLab Final Periodic Review
Pass Oracle 1Z0-499 Exam with Valid 1Z0-499 Exam Question Answers - Dumps4download
Patrick Dreher Research Scientist & Associate Director
The New Virtual Organization Membership Service (VOMS)
INFNGRID Workshop – Bari, Italy, October 2004
Security Requirements Analysis for Large-scale Distributed Systems
Installation/Configuration
Presentation transcript:

The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009

What is VOMS VOMS is… –An Attribute Authority. –A VO Management System. –A source of trust for authorization. VOMS is not… –A policy system. –An AuthN/AuthZ framework.

VOMS: The problem In a grid environment, VOs tend to be extremely large and change frequently. –Hundreds or even thousands of users. Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies. It is not scalable to manage them by hand

VOMS: The solution Organize users into groups and grant them roles. –Allows for full Role Based Access Control authorization. Also, adds other general-purpose attributes.

VOMS Architecture VOMSDB VOMS-ADMIN Secure

Who uses VOMS? voms.gridpp.ac.uk 19 VOs, –301 users –2 servers

DPM, dCache, SRM what are they Storage Element: DPM and dCache – disk caching front­end – End user interface to write and read cached files Storage Resource Manager –Provides a consistent interface to underlying storage systems.

Tier2 SE Combine hundreds of commodity disk servers to get a huge terabyte scale data store Storage site gains increased fault tolerance Allows several copies of a single file for distributed data access Internal load balancing using cost metrics and transfers between the site's pools Automatic file replication on high load (dCache)

Manchester Tier2 SE Combines about 160 TB of disk space on 900 nodes Maintained and monitored around the clock Upgrading and tuning annually

This year plans New storage hardware installation Migration from dCache to DPM Improving and tuning of the DPM/dCache performance via configuration Monitoring and automation of the cluster maintenance including SE's, Computer Elements VOMS etc.

Thank you

VOMS data format Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate. –The exact profile is described here: –ACs are the natural choice in a X.509 world. The grid is a X.509 world. The provided clients insert the AC in a non-critical extension of the user proxy. –Immediate compatibility with non-VOMS aware software.

What is a proxy? A proxy is a short-lived certificate that has as issuer a user certificate. –Standardized in RFC –Commonly used throughout the grid for authentication and authorization purposes.

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Subject

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s issuer

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Certificate’s subject

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Type of proxy

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s key strength

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Location

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s validity

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 VO Name

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Data

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Group membership

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 General-Purpose attributes

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 AC validity

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.