Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February 15 2005 gPLAZMA:

Slides:

Advertisements

Similar presentations

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

Advertisements

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.

> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

OSG Services at Tier2 Centers Rob Gardner University of Chicago WLCG Tier2 Workshop CERN June 12-14, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.

VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.

Grid User Management System Gabriele Carcassi HEPIX October 2004.

Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.

Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.

1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.

Mine Altunay July 30, 2007 Security and Privacy in OSG.

OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland

INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.

Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.

Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.

Oct 19, 20101/16 Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware in OSG and EGEE CHEP 2010 Oct 19, 2010 Gabriele.

OSG Integration Activity Report Rob Gardner Leigh Grundhoefer OSG Technical Meeting UCSD Dec 16, 2004.

VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.

OSG AuthZ components Dane Skow Gabriele Carcassi.

OSG Abhishek Rana Frank Würthwein UCSD.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security.

AstroGrid-D Meeting MPE Garching, M. Braun VO Management.

Virtual Organization Membership Service eXtension (VOX) Ian Fisk On behalf of the VOX Project Fermilab.

Eileen Berman. Condor in the Fermilab Grid FacilitiesApril 30, 2008  Fermi National Accelerator Laboratory is a high energy physics laboratory outside.

Sep 25, 20071/5 Grid Services Activities on Security Gabriele Garzoglio Grid Services Activities on Security Gabriele Garzoglio Computing Division, Fermilab.

Ákos FROHNER – DataGrid Security n° 1 Security Group TODO

INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.

VOX Project Tanya Levshina. 05/17/2004 VOX Project2 Presentation overview Introduction VOX Project VOMRS Concepts Roles Registration flow EDG VOMS Open.

Sep 17, 20081/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Sep 17, 2008 Gabriele Garzoglio.

VOX Project Status T. Levshina. 5/7/2003LCG SEC meetings2 Goals, team and collaborators Purpose: To facilitate the remote participation of US based physicists.

Site Authorization Service Local Resource Authorization Service (VOX Project) Vijay Sekhri Tanya Levshina Fermilab.

Ted Hesselroth, OSG Site Administrators Meeting, December 13, 2007 Abhishek Singh Rana and Frank Wuerthwein UC San Diego dCache in OSG 1.0 and SRM 2.2.

OSG Status and Rob Gardner University of Chicago US ATLAS Tier2 Meeting Harvard University, August 17-18, 2006.

VO Management Tanya Levshina Computing Division, Fermilab.

CHEP 2006 Mumbai INDIA February Frank Würthwein and Abhishek Singh Rana Edge Services Framework for EGEE, LCG and OSGwww.opensciencegrid.org The.

Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.

Open Science Grid Consortium Storage on Open Science Grid Placing, Using and Retrieving Data on OSG Resources Abhishek Singh Rana OSG Users Meeting July.

INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.

VOX Project Status Report Tanya Levshina. 03/10/2004 VOX Project Status Report2 Presentation overview Introduction Stakeholders, team and collaborators.

INFSO-RI Enabling Grids for E-sciencE SCAS Progress Oscar Koeroo.

Argus EMI Authorization Integration

StoRM: a SRM solution for disk based storage systems

f f FermiGrid – Site AuthoriZation (SAZ) Service

AuthZ Interop report out

Overview OSG & EGEE Authorization Models

Presentation transcript:

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February gPLAZMA: grid-aware Pluggable AuthoriZation Management (Introducing Role-based Access Control in dCache) Abhishek Singh Rana UC San Diego Frank Würthwein UC San Diego The XVth International Conference on Computing in High Energy and Nuclear Physics (CHEP’06) February 15, 2006 TIFR, Mumbai

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February RANA, Abhishek Singh (University of California, San Diego, CA, USA) WÜRTHWEIN, Frank (University of California, San Diego, CA, USA) PERELMUTOV, Timur (Fermi National Accelerator Laboratory, Batavia, IL,USA) KENNEDY, Robert (Fermi National Accelerator Laboratory, Batavia, IL, USA) BAKKEN, Jon (Fermi National Accelerator Laboratory, Batavia, IL, USA) SKOW, Dane (Fermi National Accelerator Laboratory, Batavia, IL, USA) FISK, Ian (Fermi National Accelerator Laboratory, Batavia, IL, USA) FUHRMANN, Patrick (DESY, Hamburg, Germany) ERNST, Michael (DESY, Hamburg, Germany) Authors

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February Outline OSG AuthZ approach gPlazma architecture gPlazma implementation Example of end-to-end AuthZ for CEs and SEs Status Future Work

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February OSG AuthZ Approach VO-Global specification of privilege attributes per Role. Site central mapping of Role to site’s implementation of privilege attributes. Local enforcement of privilege attributes. Use of VOMS extended X.509 Attribute Certificate specification for defining extra attributes (FQANs or Fully Qualified Attribute Names). Based on RFC FQANs contain Role and VO membership information for a User.

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February OSG AuthZ Approach VO defines Roles and associated privileges by specifying expected functionality. –E.g. cmssoft may install software in area that is read-only by all cmsuser jobs running on site/campus. –E.g. cmsphedex may have special access to SRM/dCache system. Site maps VO scope identities to local scope identities. –Site wide management of mapping. –Service level granularity of mapping. Site enforces VO privilege policies within local scope identities. Authorization = (VO-allowed) && !(Site-vetoed)

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February VO Attribute Repository Service X Service Y Service X Service Z Service X Veto Service Y Veto Service Z Veto Site-wide Assertion Service Host 1 Host 2 Site Authorization Service for Service X, Y, Z Site-wide Mapping Service Auxiliary Authorization Service for Service Z Auxiliary Mapping Service Callout Module for X, Y Callout Module for Z Local or Remote Client Proxy with VO Membership | Role Attributes

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February VO Attribute Repository Service X Service Y Service X Service Z Service X Veto Service Y Veto Service Z Veto Site-wide Assertion Service Host 1 Host 2 Site Authorization Service for Service X, Y, Z Site-wide Mapping Service Auxiliary Authorization Service for Service Z Auxiliary Mapping Service Callout Module for X, Y Callout Module for Z Local or Remote Client Proxy with VO Membership | Role Attributes PDP PEP PDP PEP Policy Enforcement PointPolicy Decision Point PDP

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GridFTP Callout Future Additions Site Assertion Future Additions VO Identity Mapping Client Priorities Bias: ACCESS Priority: 2 Apply: Authorization Response: AuthZ Record SRM Door VO Role Mapping AuthZ (gPLAZMA native) GridFTP Door … GUMS-based VO Role Mapping AuthZ Legacy Grid AuthN (gridmapfile) Legacy Storage AuthZ (dcache.kpwd) Switches Authorization Services Plugins VO Identity Mapping Service Storage Metadata AuthZ SRM Callout Storage Provider’s Policies https/SOAP SAML gPLAZMA Architecture Bias: DENIAL Priority: 1 Apply: Assertion Response: Allow OR Deny

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February SRM-dCache SRM Server voms-proxy-init Proxy with VO Membership | Role attributes gPLAZMA PRIMA SAML Client Storage Authorization Service Storage metadata GridFTP Server DATA https/SOAP SAML response SAML query Get storage authz for this username User Authorization Record If authorized, get username SRM Callout srmcp GridFTP Callout gPLAZMALite Authorization Service gPLAZMALite grid-mapfile dcache.kpwd GUMS Identity Mapping Service GriPhyN All Hands Meeting Argonne National Laboratory, April Abhishek Singh Rana, UCSDwww.opensciencegrid.org The Open Science Grid Consortium gPLAZMA Implementation

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February SRM-dCache SRM Server voms-proxy-init Proxy with VO Membership | Role attributes gPLAZMA PRIMA SAML Client Storage Authorization Service Storage metadata GridFTP Server DATA https/SOAP SAML response SAML query Get storage authz for this username User Authorization Record If authorized, get username SRM Callout srmcp GridFTP Callout gPLAZMALite Authorization Service gPLAZMALite grid-mapfile dcache.kpwd GUMS Identity Mapping Service GriPhyN All Hands Meeting Argonne National Laboratory, April Abhishek Singh Rana, UCSDwww.opensciencegrid.org The Open Science Grid Consortium gPLAZMA Implementation a 4b 4c 4d

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February Example of end-to-end AuthZ for CEs and SEs

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February SE: SRM-dCache Different doors for different authz methods. Same underlying local authz mechanism. Can be mapped to site’s UID/GID domain. Or be restricted to SRM-dCache only. Examples: –USCMS-VO at FNAL: Site UID domain. –CDF-VO at FNAL: Site Kerberos domain.

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February SE: SRM-dCache gPLAZMA extends SRM-dCache separation of SE authz and CE authz to OSG approach. 1.gPLAZMA authenticates. 2.gPLAZMA uses PRIMA Java SAML libraries to form a SAML query and contacts Storage Authz Service. 3.Storage Authz Service contacts GUMS and Storage Metadata Service. 4.GUMS translates {DN, Membership, Role} to Username. 5.Storage Metadata Service translates Username to Storage-privilege Set. 6.Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}. 7.Storage-privilege Set is User-level ACL governed by {DN, Membership, Role}. 8.Storage Authz Service forms a User Authorization Record into a SAML response and sends it back to gPLAZMA at SE.

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout PEP Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service CE SE gPLAZMA Storage metadata PRIMA C SAML libraries Globus Gatekeeper PRIMA callout Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMALite Authorization Services suite Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMALite Authorization Services suite PEP Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout OGSA AuthZ interface gPLAZMALite Authorization Services suite Storage Authorization Service

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMA grid-aware Pluggable Authorization Management System GUMS Grid User Management System SAZ Site Authorization Service VOMS Virtual Organization Membership Service gPLAZMALite Authorization Services suite Storage Authorization Service PRIMA A System for Privilege Management and Authorization in Grids

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February GUMS Local or Remote Client Proxy with VO Membership | Role Attributes Site-wide Assertion Service Site SAZ VOMS Site-wide Mapping Service Auxiliary Mapping Service PRIMA C SAML libraries CE SE gPLAZMA Storage metadata PRIMA Java SAML gPLAZMA Globus Gatekeeper PRIMA callout SRM-GridFTP gPLAZMA callout gPLAZMA Abhishek Singh Rana, UCSD Timur Perelmutov, FNAL GUMS Gabriele Carcassi, BNL SAZ Vijay Sekhri, FNAL John Weigand, FNAL SRM-dCache DESY/FNAL teams VOMS INFN teams, Italy gPLAZMALite Authorization Services suite Storage Authorization Service PRIMA Markus Lorch, VT

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February Status gPLAZMA native role-based authz mode deployed at USCMS tier-2 production site at UCSD. Work in progress for deployment at tier-1 at FNAL. GUMS role-based authz mode in final stages of development/packaging. Deployment and usage of all modes on USCMS production dCache sites expected before Service Challenge 4.

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February Known Limitations Not (yet) implemented for dcap. Scalability of site central call-out not yet understood.(gPLAZMA native a viable fallback) vi/emacs is only administrative interface. Options for communicating desired policies from VO to site are less than satisfactory. (general problem of role based authz!)

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February Future Work Add MySQL based backend to replace storage authz records configuration file. Complete gPLAZMA for dcap. Understand scalability of site-wide call-out. Add XACML based authorization engine to dynamically assign storage authz mappings at Site. Explore XACML/SAML rule-based policy declaration (VO-level) and policy computation (Site-level).

Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February Thank You.