SVOPME A Scalable Virtual Organization Privileges Management Environment CHEP 2009 Mar 24, 2009 Funded by DOE OASCR SBIR Grant #DE-FG02-07ER84733 Eileen.

SVOPME: A Scalable Virtual Organization Privileges Management Environment
CHEP 2009, Mar 24, 2009
Funded by DOE OASCR SBIR Grant #DE-FG02-07ER84733
Eileen Berman (Fermilab) on behalf of Nanbor Wang (Tech-X Corporation) and Gabriele Garzoglio (for the VO Services project, Fermilab)

2/23 CHEP09 – SVOPME: A Scalable Virtual Organization Privileges Management Environment
Outline
– Project overview: what SVOPME tries to address
– Proof of concept: design and capabilities of the prototype tools
– Outlook and planning: plans for a production-quality tool

3/23 What are VO Privileges?
Virtual Organizations:
– VOs use resources
– VOs wish to define usage policies for various resources for different users within the VO
  – Example 1: production team members submit jobs with higher priority
  – Example 2: software team members can write to a disk area for software installations
– VOs define user privileges at different resources to comply with the expressed usage policies
– However, VOs do not manage or configure all Grid sites
Grid Sites:
– Grid sites provide resources
– Grid sites may want to provide different services to different VOs
  – Example 3: site X has a special agreement with VO Y; therefore, jobs from VO Y might have higher priority than others
– Grid sites help VOs enforce their usage policies by managing user privileges
– Grid sites don't define VOs' usage policies
Site and VO challenge: enforcing heterogeneous VO privileges on multiple Grid sites to provide uniform VO policies across the Grid (ad hoc solution: verbal communication)

4/23 Motivations of SVOPME
– With the growth in Grid usage, both the number of VOs and the number of Grid sites increase
– Serious scalability problems in propagating VO privilege policies
– SVOPME:
  – Provides the tools and infrastructure to help VOs express their policies
  – Reuses proven administrative solutions: we adopt common system configuration patterns currently in use in major Grid sites
  – Addresses scalability
Figure: "sites support a VO" relationships between VOs (CMS, USATLAS, CompBioGrid, STAR, LIGO, Fermilab, SDSS, iVDGL, ...) and Grid sites (FERMIGRID, CMS-T2, LIGO-MIT, GPFARM, UCSDT2, UC-ATLAS, ASGC, STAR-BNL, ...)

5/23 Modern User Privilege Management
– Moving away from the use of gridmap files to VOMS/GUMS role-based privilege management
  – Eliminates the need for multiple user certificates
  – A similar trend can be observed in EGEE (LCAS/LCMAPS + SCAS and VOMS)
– Managing request priority for both SE and CE
Figure: The OSG Authorization Infrastructure

6/23 Proof of Concept: Prototype Implementation
– Provides validation of the overall approach
– Design suitable XML schemas for describing policies
  – This project adopts XACML
  – Allows aggregation of policies
  – XACML is also used by the AuthZ Interoperability project (see CHEP 09 talk)
– Determine the information needed in VO and site policies
  – Compiled a list of resources and policies
– A prototype environment for synthesizing administrative directives and verifying VO policies
Figure: SVOPME concept diagram. VO privilege policies are propagated to the site and verified against the site privilege policies derived from the site configuration; configuration recommendations are synthesized from the result.

7/23 Survey of Resources and Policies Managed on the Grid
Resources:
– OS protection (account types: group or pool)
– Batch system
– File system
– External storage (SRM/dCache)
– Network access (inbound/outbound)
– Edge services
Policies expressed by the site:
– Timed availability (execution time slots for certain VO users)
Policies expressed by the VO:
– Intra-VO relative priority in the batch system
– Directory access permissions
– Consecutive execution period
– Suspension/resumption of jobs
– Repeat execution (allowing restart or not in the batch system)
– User file privacy
– Two roles sharing the same GID
Policies expressed by both:
– Disk quota
– File retention period
– Account type
– Network (inbound/outbound) access control
Highlighted policies (highlighting not preserved in this transcript) are supported. SVOPME focuses on VO policies.

8/23 SVOPME Prototype Architecture
Diagram (legend: middleware component, output data, output directive, action, standard Grid service, domain):
VO domain:
– VOMS Client: provides info from the VOMS server
– XACML VO Policy Editor: edits VO policies; outputs the VO policies with supporting attributes and verification queries
Grid site domain:
– Grid Probe: probes the site resources (Compute Element, Storage Element) and outputs the actual site policies
– Policy Comparer: executes the test queries for every policy, which are written such that the response against the VO policy is always a permit; the same query is sent to the Grid policy. If the response is permit, this VO policy is honored; otherwise it is not. Produces a report on which VO policies are implemented by the Grid site.
– Policy Advisor: compares the VO policies with the actual site policies and produces site instructions; the Grid admin uses these instructions and configures the CE and SE accordingly

9/23 The VO Tool – Used by the VO Admin
(Architecture diagram from slide 8 repeated; the VO tool is the XACML VO Policy Editor together with its VOMS Client, which edits VO policies and outputs them with supporting attributes and verification queries.)

10/23 XACML VO Policy Editor (Domain Specific)
– XACML is a generic XML-based language for specifying access control policies
  – Not very human readable
  – Suitable for machine processing
– The VO Policy Editor therefore allows VO administrators to edit a set of pre-defined VO policies in simple, readable forms
  – For example, the Account Mapping Policy: "Group _____ should run with pool/group account"
– The VOMS client obtains information about all the groups/roles and the number of users from the VOMS server. This information is passed to the VO Policy Editor to avoid operator errors
– The Editor stores the policies and the test queries for verification in XACML format to enable automation
– Support for new policy types can be added as "Policy Template" plug-ins
– We also plan to develop command-line policy editing tools to convert between a text-based policy specification and XACML documents
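To make the "policy template plus verification query" idea concrete, here is an added example (not SVOPME code, and not the project's XACML schema) that expands an account-mapping template into an XACML 2.0 Policy, stores the verification query alongside it, and evaluates queries with a minimal decision point. The XACML namespace, data types and function identifiers are the standard ones; the attribute identifiers under urn:example: are assumptions made for this example.

```python
"""Expand a VO policy template into XACML and check it with its verification query.

Added example, not SVOPME code.  Attribute ids under urn:example:... are assumptions;
the XACML 2.0 namespace, data types and function ids are the standard ones.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
# Assumed attribute ids (not identifiers from the SVOPME project)
ATTR_GROUP = "urn:example:svopme:subject:vo-group"
ATTR_ACCOUNTS = "urn:example:svopme:resource:mapped-accounts"


def q(tag):
    """Namespace-qualify an XACML element name for ElementTree."""
    return "{%s}%s" % (XACML_NS, tag)


def account_mapping_policy(vo_group, min_accounts):
    """Template 'Group ___ should be mapped to at least N accounts' -> XACML Policy text.

    The single Rule permits when the subject's VO group equals vo_group and
    min_accounts <= the number of accounts the resource (the site) maps it to.
    """
    ET.register_namespace("", XACML_NS)
    policy = ET.Element(q("Policy"), PolicyId="account-mapping:" + vo_group,
                        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides")
    ET.SubElement(policy, q("Target"))  # empty target: the policy applies to every request
    rule = ET.SubElement(policy, q("Rule"), RuleId="enough-accounts", Effect="Permit")
    target = ET.SubElement(rule, q("Target"))
    subject = ET.SubElement(ET.SubElement(target, q("Subjects")), q("Subject"))
    match = ET.SubElement(subject, q("SubjectMatch"), MatchId=FN + "string-equal")
    ET.SubElement(match, q("AttributeValue"), DataType=XS + "string").text = vo_group
    ET.SubElement(match, q("SubjectAttributeDesignator"), AttributeId=ATTR_GROUP, DataType=XS + "string")
    resource = ET.SubElement(ET.SubElement(target, q("Resources")), q("Resource"))
    # XACML applies MatchId as f(AttributeValue, attribute), so "N <= actual" is integer-less-than-or-equal
    match = ET.SubElement(resource, q("ResourceMatch"), MatchId=FN + "integer-less-than-or-equal")
    ET.SubElement(match, q("AttributeValue"), DataType=XS + "integer").text = str(min_accounts)
    ET.SubElement(match, q("ResourceAttributeDesignator"), AttributeId=ATTR_ACCOUNTS, DataType=XS + "integer")
    return ET.tostring(policy, encoding="unicode")


def verification_query(vo_group, min_accounts):
    """The request stored next to the policy: evaluated against the VO policy it must yield Permit."""
    return {ATTR_GROUP: vo_group, ATTR_ACCOUNTS: str(min_accounts)}


# The two XACML functions the template uses, applied as f(literal, attribute value)
FUNCTIONS = {
    FN + "string-equal": lambda literal, actual: literal == actual,
    FN + "integer-less-than-or-equal": lambda literal, actual: int(literal) <= int(actual),
}


def evaluate(policy_xml, request):
    """Minimal decision point for the policies built above: a Rule applies when every Match in its Target holds."""
    root = ET.fromstring(policy_xml)
    for rule in root.iter(q("Rule")):
        applicable = True
        for match in list(rule.iter(q("SubjectMatch"))) + list(rule.iter(q("ResourceMatch"))):
            literal = match.find(q("AttributeValue")).text
            designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
            actual = request.get(designator.get("AttributeId"))
            if actual is None or not FUNCTIONS[match.get("MatchId")](literal, actual):
                applicable = False
                break
        if applicable:
            return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    policy = account_mapping_policy("/TECHX/VISITORS", 3)
    print(policy)
    print(evaluate(policy, verification_query("/TECHX/VISITORS", 3)))                 # Permit
    print(evaluate(policy, {ATTR_GROUP: "/TECHX/VISITORS", ATTR_ACCOUNTS: "1"}))     # NotApplicable
```

The point of storing the query with the policy is that the same request can later be sent to a site-side policy derived from the site configuration: a Permit there means the site honors the VO policy, anything else means it does not. A real deployment would hand the XACML to a full PDP rather than this two-function evaluator.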

11/23 Prototype VO Policy Editor Screen Shot 1
Screenshot: select the policy type to add, select the policy, VO policy description.

12/23 Prototype VO Policy Editor Screen Shot 2
Screenshot: edit policy attributes; the VOMS Client assists in setting the attributes for the policy.

13/23 Prototype VO Policy Editor Screen Shot 3
Screenshot: the XACML view; the policy is converted into an XACML template.

14/23 Three Grid Site Tools – Used by the Site Admin
(Architecture diagram from slide 8 repeated; the three Grid site tools are the Grid Probe, the Policy Comparer and the Policy Advisor.)

15/23 Grid Probe
– Probes the Grid site's local configuration
– For Phase I we probe the settings of the GUMS and Condor systems
  – GUMS provides info on the account mapping from VO user/role to local UID
  – Condor provides the priorities of accounts
– Generates the equivalent Grid-side policies (in XACML)

16/23 VO/Grid Policies Advisor
– Verifies that the Grid site configuration supports the VO policies by running the verification queries generated by the VO Policy Editor for each VO policy
– Provides advice to the Grid site administrator on what amendments need to be made on the site so that the Grid site complies with the VO policies
– Example output:
  – The VO requested 3 accounts for the VISITORS role via VO policies
  – Site policies derived from GUMS do not match
[java] VO/Grid Grid Accounts Policy Advices
[java]
[java] No matching Grid Accounts Policy was found for /TECHX/VISITORS on the Grid site. Create a mapping in GUMS config such that /TECHX/VISITORS be mapped to at least 3 account(s)
[java] TECHX/Role=VO-Admin mapped to 1 account(s) (techxVOadmin) on the Grid site, is not suffient enough. Needs to be mapped to atleast 3 accounts.

17/23 VO/Grid Policies Comparer
– Verifies that the Grid site configuration supports the VO policies by running the verification queries generated by the VO Policy Editor for each VO policy
– Produces a report for the VO admin on which VO policies are honored by the Grid site and which are not
– Example output:
[java] VO/Grid Grid Accounts Policy Comparison
[java]
[java] /TECHX/Role=User is mapped to 1 account(s) on the Grid site. Passed!
[java] No Account Mapping Policies for /TECHX/VISITORS were found on the Grid site.
[java] /TECHX/Role=Software-Admin is mapped to 1 account(s) on the Grid site. Passed!
[java] /TECHX/Role=VO-Admin does not have sufficient accounts on Grid Site. Failed! (Needs to be mapped to at least 3 accounts.)
[java] /TECHX is mapped to 1 account(s) on the Grid site. Passed!
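The Grid Probe (slide 15), the Advisor (slide 16) and the Comparer (slide 17) form one pipeline: read the site configuration, derive site policies, check each VO policy against them, and write two reports. The following added example (not SVOPME code) implements that pipeline for account-mapping policies and, going a step beyond the slides, for one intra-VO relative-priority policy. The probe input format, the sample site data and the VO policies are all constructed for the example; the real GUMS and Condor configuration formats are not modelled.

```python
"""Probe -> compare -> advise pipeline for VO account-mapping and priority policies.

Added example, not SVOPME code.  The probe input below is a constructed, simplified
format (NOT the real GUMS or Condor configuration syntax):
  map  <VO group/role> <local accounts...>
  prio <local account> <batch priority factor, lower is better>
"""

# Constructed sample of what a Grid Probe could extract from a site
SITE_PROBE_OUTPUT = """\
map  /TECHX                      techx
map  /TECHX/Role=User            techxuser
map  /TECHX/Role=Software-Admin  techxsw
map  /TECHX/Role=VO-Admin        techxVOadmin
prio techxuser     10.0
prio techxVOadmin  10.0
"""

# Constructed VO policies (what the VO Policy Editor would export)
VO_ACCOUNT_POLICIES = {            # group/role -> minimum number of accounts requested
    "/TECHX": 1,
    "/TECHX/Role=User": 1,
    "/TECHX/VISITORS": 3,
    "/TECHX/Role=Software-Admin": 1,
    "/TECHX/Role=VO-Admin": 3,
}
VO_PRIORITY_POLICIES = [           # (group/role that should run with higher priority, group/role it must beat)
    ("/TECHX/Role=VO-Admin", "/TECHX/Role=User"),
]


def probe_site(text):
    """Grid Probe: parse the probe output into site policies (mappings and per-account priority factors)."""
    mappings, prio = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "map":
            mappings[fields[1]] = fields[2:]
        elif fields[0] == "prio":
            prio[fields[1]] = float(fields[2])
    return {"mappings": mappings, "priority": prio}


def site_priority(site, fqan):
    """Best (lowest) priority factor among the accounts a group/role maps to; +inf if unmapped or unknown."""
    accounts = site["mappings"].get(fqan, [])
    return min((site["priority"].get(a, float("inf")) for a in accounts), default=float("inf"))


def compare(site, account_policies=VO_ACCOUNT_POLICIES, priority_policies=VO_PRIORITY_POLICIES):
    """Comparer: one verdict per VO policy, for the VO admin."""
    report = []
    for fqan, needed in account_policies.items():
        accounts = site["mappings"].get(fqan)
        if accounts is None:
            report.append(f"No Account Mapping Policies for {fqan} were found on the Grid site.")
        elif len(accounts) >= needed:
            report.append(f"{fqan} is mapped to {len(accounts)} account(s) on the Grid site. Passed!")
        else:
            report.append(f"{fqan} does not have sufficient accounts on Grid Site. Failed! "
                          f"(Needs to be mapped to at least {needed} accounts.)")
    for high, low in priority_policies:
        if site_priority(site, high) < site_priority(site, low):
            report.append(f"{high} has higher priority than {low} on the Grid site. Passed!")
        else:
            report.append(f"{high} does not have higher priority than {low} on the Grid site. Failed!")
    return report


def advise(site, account_policies=VO_ACCOUNT_POLICIES, priority_policies=VO_PRIORITY_POLICIES):
    """Advisor: concrete amendments for the site admin, only where a VO policy is not honored."""
    advice = []
    for fqan, needed in account_policies.items():
        accounts = site["mappings"].get(fqan)
        if accounts is None:
            advice.append(f"No matching Grid Accounts Policy was found for {fqan} on the Grid site. "
                          f"Create a mapping such that {fqan} is mapped to at least {needed} account(s).")
        elif len(accounts) < needed:
            advice.append(f"{fqan} mapped to {len(accounts)} account(s) ({', '.join(accounts)}) on the Grid site "
                          f"is not sufficient. Needs to be mapped to at least {needed} accounts.")
    for high, low in priority_policies:
        if not site_priority(site, high) < site_priority(site, low):
            advice.append(f"Lower the batch priority factor of the accounts for {high} below those for {low} "
                          f"(currently {site_priority(site, high)} vs {site_priority(site, low)}).")
    return advice


if __name__ == "__main__":
    site = probe_site(SITE_PROBE_OUTPUT)
    print("VO/Grid Grid Accounts Policy Comparison")
    print(*compare(site), sep="\n")
    print("VO/Grid Grid Accounts Policy Advices")
    print(*advise(site), sep="\n")
```

Keeping the comparison (a pass/fail verdict per VO policy) separate from the advice (an amendment only where a verdict failed) mirrors the two audiences on the slides: the VO admin needs to know what is honored, the site admin needs to know what to change and keeps the final say on whether to change it.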

18/23 Advantages for VOs and Sites
Advantages for the VOs:
– No need to run ad hoc jobs to figure out which policies are enforced and which are not
– Provides templates to define commonly used policies
– Automates most of the communication with the sites that support the VO
– Provides the basis for the negotiation of privileges at sites that provide opportunistic access
Advantages for the Sites:
– Sites can advertise and prove that a VO is supported
– Sites that want to support a VO have a semi-automated mechanism to enforce the VO policies
– Privilege enforcement remains the responsibility of the site, informed by formal VO policy assertions

19/23 Future Workplan
Objective 1: Usability
– Support a more comprehensive set of VO policies
  – Add support for the remaining policies collected in Phase I
  – Not sure whether we want to incorporate site-specified policies or not
  – Collaborate with VOs and key OSG Grid sites to gather the VO policies needed and how sites could support these policies
– Command-line scripting tools
  – Derive a set of policy statements
  – Embed policy statements in generated XACML

20/23 Future Workplan (Cont.)
Completing features and hardening of the prototype tools
– Overall feature enhancements
  – Change to use PolicySets for VOs and Grid sites
    – Allows us to aggregate policies
    – Supports the semantics of a whole VO or site
  – Modularize components
    – Support new policies
    – Support new Grid environments and configurations
  – Support customized policies and queries
– VO Policy Editor
  – Merge the VOMS Client with the Editor
  – Allow opening/editing/saving of an existing PolicySet
  – Support browsing of a PolicySet
  – Support consistency checks of the overall VO PolicySet
  – What to do when there is a mismatch between the VO and the PolicySet
– Grid Probe
  – Support probing of more resources/configurations

21/23 Future Workplan (Cont.)
– VO/Grid Policy Comparer/Advisor
  – Currently, we only check for supported policies, not for redundant site policies
  – Address security concerns (of site configurations, policy inconsistency, etc.)
– Services for VOs and Grid sites to exchange/verify policies
Objective 2: Flexibility and Robustness
– Modularize system aspects such as Grid configurations and tool stacks
– Migrate toward a common Grid XACML profile (Authorization Interoperability Profile)
– Identify and implement more privilege policies
  – Site-specific policies
  – Service contracts between sites and VOs?

22/23 Future Workplan (Cont.)
Objective 3: Demonstrate the Effectiveness
– Integrate with the OSG distribution
– Develop recommendations for running/using the SVOPME tools
– Deployment, documentation and customer service

23/23 Conclusions
– SVOPME ensures uniform access to resources by providing an infrastructure to propagate, verify, and enforce VO policies at Grid sites
– SVOPME integrates with the OSG Authorization Infrastructure
– We are extending and adjusting the scope of the project based on feedback and comments on the prototype tools