INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org SCAS Progress Oscar Koeroo.

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
Advertisements

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Authz work in GGF David Chadwick
INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML AuthZ Interface Analysis and design suggestions Yuri Demchenko SNE Group, University.
> > AuthZ Interop report out for the authz-interop.org collaboration David Groep, with many thanks to Dave Dykstra’s CHEP talk.
VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) AGD Grid Account Management.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
INFSO-RI Enabling Grids for E-sciencE gLExec, SCAS and the paths forward Introduction to pilot jobs and gLExec and SCAS framework.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
Mar 28, 20071/9 VO Services Project Gabriele Garzoglio The VO Services Project Don Petravick for Gabriele Garzoglio Computing Division, Fermilab ISGC 2007.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
May 11, 20091/17 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting May 11, 2009 Gabriele Garzoglio.
Jan 10, 20091/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Jan 10, 2009 Gabriele Garzoglio.
Global Grid Forum GridWorld GGF15 Boston USA October Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks JRA1 summary Claudio Grandi EGEE-II JRA1.
March 2, 20101/20 An XACML profile and implementation for Authorization Interoperability An XACML profile and implementation for Authorization Interoperability.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/18 Status of the Adoption of a SAML-XACML Profile.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
Mine Altunay July 30, 2007 Security and Privacy in OSG.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
Status of the Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware 1/17 Status of the Adoption of a SAML-XACML Profile.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
Oct 19, 20101/16 Adoption of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware in OSG and EGEE CHEP 2010 Oct 19, 2010 Gabriele.
INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.
OSG AuthZ components Dane Skow Gabriele Carcassi.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Site Architecture Resource Center Deployment Considerations MIMOS EGEE Tutorial.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
Mar 27, gLExec Accounting Solutions in OSG Gabriele Garzoglio gLExec Accounting Solutions in OSG Mar 27, 2008 Middleware Security Group Meeting Igor.
Jun 12, 20071/17 AuthZ Interoperability – Status and Plan Gabriele Garzoglio AuthZ Interoperability Status and Plans June 12, 2007 Middleware Security.
AstroGrid-D Meeting MPE Garching, M. Braun VO Management.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
Sep 25, 20071/5 Grid Services Activities on Security Gabriele Garzoglio Grid Services Activities on Security Gabriele Garzoglio Computing Division, Fermilab.
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
INFSO-RI Enabling Grids for E-sciencE SAML-XACML interoperability Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile ( Bonus material about the implementation) Oscar Koeroo.
INFSO-RI Enabling Grids for E-sciencE AuthZ Interop: A common XACML Profile and its current implementation Oscar Koeroo.
Sep 17, 20081/16 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Sep 17, 2008 Gabriele Garzoglio.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks glexec/SCAS pilot service Status and short-term.
EGEE-III INFSO-RI Enabling Grids for E-sciencE VO Authorization in EGEE Erwin Laure EGEE Technical Director Joint EGEE and OSG Workshop.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Job Management Claudio Grandi.
Abhishek Singh Rana and Frank Wuerthwein UC San Diegowww.opensciencegrid.org The Open Science Grid ConsortiumCHEP 2006 Mumbai INDIA February gPLAZMA:
INFSO-RI Enabling Grids for E-sciencE Padova site report Massimo Sgaravatto On behalf of the JRA1 IT-CZ Padova group.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
G-PBox Facts and status JRA1 Authz Coord Meeting January CNAF/INFN Bologna Andrea Ferraro.
Argus EMI Authorization Integration
f f FermiGrid – Site AuthoriZation (SAZ) Service
AuthZ Interop report out
Overview OSG & EGEE Authorization Models
Presentation transcript:

INFSO-RI Enabling Grids for E-sciencE SCAS Progress Oscar Koeroo

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb index The architecture The paper work The implementation

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb The architecture

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb L&L plug-ins (regular set of plug-ins) L&L plug-ins (regular set of plug-ins + GPbox) Our current architecture LCAS + LCMAPS Glite: Compute Element or Storage Element edg-gk glexec edg-gridftpgt4-interface pre-WS GT4 gk, gridftp, opensshd LCAS + LCMAPS Worker node glexec L&L plug-ins (regular set of plug-ins) Issues with this setup: share/distribute the gridmapdir for mapping consistency share/distribute the configurations for the nodes share/distribute authorization files, like grid/groupmapfiles and a blacklisting file Scaling issues; lots of node will probably overload an NFS server GPbox infrastructure [xacml]

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb pre-WS GT4 gk,gridftp, opensshd The (old) big picture SAML-XACML Query OSG EGEE glexec edg-gk edg-gridftpd gt4-interface pre-WS GT4 gk, gridftp, opensshd dCache Common SAML XACML library L&L plug-in: SAML-XACML Prima + gPlazma: SAML-XACML LCAS + LCMAPS CREAM Pilot job on Worker Node (both EGEE and OSG) Site Central: LCAS + LCMAPS L&L plug-ins (regu. set) Site Central: GUMS (+ SAZ) SAML-XACML interface Common SAML XACML library Front-end node (CE, SE, WN, etc.) gJAF / Globus AuthZ

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb How it should work (conceptual) SAML-XACML interface Globus SAML XACML library Site Central LCAS + LCMAPS or GUMS and SAZ SAML-XACML PEP (L&L plug-in or PRIMA) Globus SAML XACML library Set of Obligations Obligation handler[N] SAML-XACML Query Q: map.user.to.some.poolOblg: user001, somegrp R:

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb The paper work

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb The AuthZ workgroup The group members: –OSG: Igor Sfiligoi, Gabriele Garzoglio, Ted Hesselroth, Jay Packard, John Hover, Mine Altunay, Valery Sergeev, John Weigand, Keith Chadwick, Tanya Levshina –EGEE: Oscar Koeroo, Yuri Demchenko, Håkon Sagehaug –EGEE / INFN: Alberto Forti, Andrea Ferraro, Vincenzo Ciaschini, Valerio Venturi –Globus: Rachana Ananthakrishnan, Frank Siebenlist, Joe Bester Will include the Condor team in the near future –Discussions underway to support their requirements –Condor contacts:  Ian Alderman, Zackery Miller

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Main discussion points PEP & PDP interaction –Different types of PEPs will need to interact with the PDP (SCAS)  Gatekeeper: PRIMA or LCMAPS backend  GridFTPd: PRIMA or LCMAPS backend  Glexec-on-{CE|WN}  dCache  … –The information that is contained in the request and response –Regardless of where the application that implements the PEP is created –How to get the required authorization information from the PEP Upgradeability –Changes in the attribute (datatype, value form., name(space)) –Changes in the obligations, regarded as a set of attributes

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb The docs The documents in work –“XACML-SAML profile” (done)  Profiles the use of XACML and SAML –“An XACML Attribute and Obligation Profile for AuthZ Interoperability in Grids” (reaching v1.0)  Profiles the use of the attributes and obligations in the XACML request & response protocol

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Request: Subject –Subject-id: X.509 DN (OpenSSL oneline notation) –Subject-issuer: X.509 Issuer DN (OpenSSL oneline notation) –Subject-Certificate-Serial-Number –Subject-vo –VOMS-signing-subject: X.509 DN (OpenSSL oneline notation) –VOMS-signing-issuer: X.509 DN (OpenSSL oneline notation) –VOMS-dns-port –VOMS-FQAN –VOMS-Primary-FQAN –Subject End-entity X509v3 Certificate Policies OIDs –CA serial number –Certificate chain (experimental)

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Request: Action –Run Job Queued: “queue”  Particularly via a CE to a Batch system –Run Job Now: “execute-now”  On a CE; that’s the fork invokation  On a WN; direct execution –Access file: “access”  No granularity in (specific) file permission (like read/write)

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Request: Resource –CE: Computing Element resource type –WN: Worker Node resource type –SE: Storage Element resource type –Host DNS name

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Request: Environment –Supported obligations 1.Handling of returned obligations is mandatory at the PEP 2.The supported obligations are send to the PDP as advisory information to avoid returning useless obligations  see previous statement –Pilot job invoker identity  This means all Subject attributes of the pilot job identity  Policy statement example: “The VO of the pilot job invoker and real user job MUST be the same”

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Response: Obligations (0) UIDGID  UID (integer): Unix User ID local to the PEP  GID (integer): Unix Group ID local to the PEP –Must be consistent with: Username (if receiving both) Username  Username (string): Unix username or account name local to the PEP. –Must be consistent with: Username (if receiving both) SecondaryGIDs –Multi recurrence  GID (integer): Unix Group ID local to the PEP AFSToken  AFSToken (string) in base64: AFS Token passed as a string

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Response: Obligations (1) RootAndHomePaths  RootPath (string): this parameter defines a sub-tree of the whole file system available at the PEP. The PEP should mount this sub-tree as the “root” mount point (‘/’) of the execution environment. This is an absolute path.  HomePath (string): this parameter defines the path to home areas of the user accessing the PEP. This is a path relative to RootPath. –Needs obligation(s): UIDGID or Username StorageAccessPriority  Priority (integer): an integer number that defines the priority to access storage resources. –Needs obligation(s): UIDGID or Username

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Open to discussion Explicit declaration of an multi-user pilot job scenario? Were do we send the RSL string? –Action? –Environment? Requirements from the Condor team? –Condor’s canonical –Problem with the subject-id being used for the X.509 subject DN

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb The implementation

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb It works! Localhost (low latency, but having the laptop hardware as a bottleneck) –Optimum rate (with SSL) was:  Nominal: 7Hz  Burst: 20Hz  Interval between bursts: 12 seconds

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb New components in CVS & Etics org.glite.security.saml2-xacml2-c-lib-R_0_0_2_1 –This is version alpha from Globus –Contains:  the gSOAP stuff  SAML2-XACML2 schema  Helper functions  Optional overriding of network layer  Pushes registered obligations in the Environment of the Request org.glite.security.lcmaps-plugins-scas-client-HEAD –Depends on saml2-xacml2-c-lib –Implements the client code for the protocol  Uses the network layer overriding to implement SSL/TLS –Implements the handlers for the supported obligations

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb Todo Tying the loose ends together –The LCMAPS plugin is kinda ready  Integrated test: gLExec will be used to stress test the framework –The prototype SCAS service should be ready any day  Expecting first CVS checking of it next week, if all works as promised  Expecting pretty nice performance Simple tests showed to exceed the CERN requirement –Name spaces for the attributes and identifiers in all sections  Having a discussion now about this topic to include OGF in the process  We’ll use ‘something’ in the meanwhile

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb ?

Enabling Grids for E-sciencE INFSO-RI SCAS Progress, JRA1-AH Amsterdam 22 Feb The implementation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.