Virtual Organization Management Registration Service (VOMRS) T. Levshina J. Weigand S. White Co-Authors: L. Bauerdick, G. Carcassi, I. Fisk, A. Heavey,

Virtual Organization Management Registration Service (VOMRS) T. Levshina J. Weigand S. White Co-Authors: L. Bauerdick, G. Carcassi, I. Fisk, A. Heavey, P. Mhashilkar, R. Pordes, A. Sill, D. Yocum

2/17/2006 CHEP 2006 VOMRS 2 Talk Outline
VOMRS Scope
Place in the GRID World
Architecture
Main Features Overview
Since Last CHEP
Implementation and Distribution
Deployment
Dependencies and Issues
Summary

VOMRS Scope
VOMRS offers a comprehensive set of services that facilitate secure and authenticated management of VO membership, grid resource authorization and privileges. VOMRS:
 implements a registration workflow that provides the means for collaborators to register with a Virtual Organization (VO)
 supports management of multiple grid certificates per member
 permits VO-level control of a member's privileges
 provides notifications of selected events
 supports VO-level control over the VO's trusted set of Certificate Authorities (CAs)
 permits delegation of responsibilities among the various VO administrators
 manages groups and group roles
 is capable of interfacing to third-party systems and pulling or pushing relevant member information from/to them

VOMRS Place in the GRID World
[Diagram: components shown are Member, Certificate, Certificate Proxy, VOMRS, VOMS, Globus Gatekeeper, Job Manager, GUMS (Facility Authorization Management), Grid Facility and Grid Cluster; arrows are labelled register, membership/privileges, get proxy, submit job, callouts, "Is authorized?" and job.]

VOMRS Architecture
[Diagram: hosts are Client Host, VOMRS Host, ORGDB Host and SAM DB Host; components are VOMRS Server, VOMRS DB, VOMRS Admin CLI, Member WEB CLIENT, Service CLI, gLite VOMS DB, gLite Trust Manager, GSI Authentication, Service Broker, VOMS Admin API, LCG ORGDB API, SAM ADMIN API and CERN ORG DB; links are labelled SOAP+SSL Authentication and HTTP+SSL Authentication.]

VOMRS Entities
Certificate Authorities
 Allows management of the list of CAs accepted in the VO
 Offers a consistent way of managing membership status for members whose certificate CAs become obsolete or invalid
Groups and Group Roles
 Supports a hierarchy of groups
 Allows creation/deletion of group roles
 Provides an interface to manage groups and group roles
Institutions and Sites
 Provides an interface to manage Institutions and Sites
 Requires member affiliation with an Institution; an expiration date is imposed
Personal Data Set
 Supports real-time editing of the data set collected during registration
 Distinguishes between private and public data, persistent and non-persistent data, etc.

VOMRS Administrators
Allows for delegation of responsibilities within the VO:
VO Admin: responsible for maintaining the VOMRS. A VO Admin manages data pertaining to institutions, sites, CAs and members' privileges, and can modify the set of personal information required by the VO
Representative: responsible for approving/denying applicants' requests for VO membership based on personal knowledge of each applicant's identity and institutional affiliation
Group Owner and Group Manager: responsible for managing the group's membership. A Group Manager can create new subgroups and/or group roles
Site Admin and Local Resource Provider: able to access member information

Membership Registration
In order to access VOMRS a user is required to have a valid certificate whose CA is recognized by the VO.
Registration consists of two steps:
 During Phase I a new user: fills out personal information; selects a Representative; provides an e-mail address
 After receiving notification, the user proceeds to Phase II and: signs the Usage Rules for the VO; selects group(s) and group role(s)
In order to become a VO member with grid resource privileges, the user's registration must be approved by the user's Representative or a VO Admin.

WEB UI Example (Registration)
[Screenshots: Phase I and Phase II registration pages]

Notification Events
An event in VOMRS constitutes any change to:
a member's status/privileges:
 a new administrative role is assigned
 a certificate is suspended
 a member is assigned to a group
the structure of the VO:
 creation of a new group
 expiration of a CA
 addition of an institution
Events can trigger a call to an external system via a registered interface.
Some events require action to be taken by a VO member:
 a Representative is asked to approve/deny a registration
 a member is asked to sign a new Usage Rules document
The events to which a member can subscribe depend upon the member's roles and membership status.

Membership and Certificate Statuses
Membership status
 New
 Approved
 Denied
 Suspended: the member is currently not in good standing in the VO
 Expired: occurs when a new Usage Rules document must be signed, the member's validity period has expired, or the member's institutional affiliation has expired
Certificate status
 New
 Approved
 Denied
 Suspended: the certificate has been compromised in some way
 Expired: indicates that the certificate issuer does not currently have a valid certificate
Multiple certificates per member
 Each VO member has at least one registered certificate
 A valid member can request additional certificates
 Each such request must be approved by a VO Admin
 A member can access VOMRS using any one of the approved certificates
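The two-phase registration and approval workflow, the VO-level CA list and the membership/certificate status rules above, as an added Python model that is not VOMRS code (VOMRS itself is Java; Python is used here because the slides cite it for the configuration scripts). The VO, Member and Certificate classes, the method names, the role strings and the event tuples are all assumptions; can_access generalizes the rule that a member reaches VOMRS only with an approved certificate from a CA the VO still trusts.

```python
# Added illustration of these slides' membership rules; not VOMRS code, names are assumed.
from dataclasses import dataclass, field
@dataclass
class Certificate:
    subject: str
    issuer: str           # DN of the issuing CA
    status: str = "New"   # New / Approved / Denied / Suspended / Expired
@dataclass
class Member:
    name: str
    certs: list = field(default_factory=list)   # several certificates per member
    status: str = "New"   # membership status, same vocabulary as above
    usage_rules_signed: bool = False            # Phase II of registration

class VO:
    def __init__(self, trusted_cas):
        self.trusted_cas = set(trusted_cas)   # CAs accepted by this VO
        self.members = {}
        self.events = []   # what a registered third-party interface would receive

    def register(self, name, cert):
        # Phase I: only a certificate from a CA recognized by the VO is accepted
        if cert.issuer not in self.trusted_cas:
            raise PermissionError("certificate CA is not recognized by the VO")
        self.members[name] = Member(name, [cert])

    def sign_usage_rules(self, name):
        # Phase II: applicant signs the Usage Rules; the Representative is asked to decide
        self.members[name].usage_rules_signed = True
        self.events.append(("approval_requested", name))

    def approve(self, name, admin_role):
        # only the applicant's Representative or a VO Admin may approve
        if admin_role not in ("Representative", "VO Admin"):
            raise PermissionError("this role may not approve registrations")
        m = self.members[name]
        if not m.usage_rules_signed: return False   # registration is not complete
        m.status = m.certs[0].status = "Approved"
        self.events.append(("member_approved", name))
        return True

    def revoke_ca(self, ca):
        # CA dropped from the VO list: every certificate it issued becomes Expired
        self.trusted_cas.discard(ca)
        for m in self.members.values():
            for c in m.certs:
                if c.issuer == ca and c.status != "Expired":
                    c.status = "Expired"
                    self.events.append(("certificate_expired", m.name))

    def can_access(self, name, subject):
        # access needs an Approved member presenting one of their Approved certs
        m = self.members.get(name)
        return m is not None and m.status == "Approved" and any(c.subject == subject
            and c.status == "Approved" and c.issuer in self.trusted_cas for c in m.certs)
```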

Groups and Group Roles
 A VO Member can select group and group role associations
 Group Owner, Manager or VO Admin can assign a group and group role to any member
 Group Owner, Manager or VO Admin can block a member's association with any group or group role

Interfacing Third Party Software
Interfaces can be registered with VOMRS and subscribed to receive event notifications. Currently there are three known interfaces:
"LCG" Registration Type: the user's registration in the CERN HR DB is verified via a query during Phase I of VOMRS registration. No data is downloaded from the CERN DB to VOMRS. VOMRS can be configured such that whenever an administrator queries a member's personal data, the CERN HR DB is queried and both the VOMRS and CERN DB data are displayed together.
"SAM" Registration Type: the SAM DB is queried to obtain the list of SAM's groups; the SAM DB is updated using sam-admin commands when a member's status/privileges are changed.
EGEE VOMS: VOMS is updated using the VOMS API when: a member's status/privileges are changed; a group is added/removed; a group role is added/removed.

WEB Services Example
Access to VOMRS is also available via web services. A certificate (or proxy) signed by a recognized CA is needed. The list of services available to a particular user is defined by the user's role and status within VOMRS.
Web Service example:
#java -Daxis.socketSecureFactory=… -DsslConfigFile=… fnal/vox/vomrs/client/SoapClient getGroups
/test
/test/development
/test/production
/test/production/stream1
/test/production/stream2

Since last CHEP
 Implemented the "LCG" Registration type using the LCG Registration API (developed by K. Lorentey) to verify member standing with the CERN HR DB
 Integrated with SAM using the VOMRS-SAM API
 Implemented Oracle support
 Implemented two phases of registration that include verification
 Introduced VO and institutional membership expiration
 Introduced VO-level management of CAs
 Implemented selection of groups and group roles by the member
 Added multipart messaging, improved message format
 Implemented customizable on-line help

Implementation and Distribution
Implementation details:
 Java based ( and higher)
 WEB UI uses JavaScript
 Configuration scripts are written in Python (1.5 and higher)
 Configuration files are in XML format
 DBMS: Oracle or MySQL
Product distribution:
 The current distribution of VOMRS software is built with the gLite 1.4 trustmanager package and can be synchronized with gLite VOMS.
 VOMRS components are distributed using the Pacman package manager and are available from the cache:
 RPMs are available from:

Current Deployment
Fermilab:
 14 instances that are synchronized with the corresponding installation of VOMS ( VDT ). VOMRS and VOMS are running on the same node
 Total number of registered users > 5,000
CERN:
 4 instances are using the "LCG Registration Type" and connect to the CERN HR DB
 5 instances are using the "General Registration Type"
 All instances are synchronized with the corresponding installation of VOMS (gLite 1.4). VOMRS and VOMS are running on the same node.
 Total number of registered users > 190
BNL:
 2 instances (all are synchronized with the corresponding installation of VOMS).
Test installations:
 2 instances at Texas Tech University are synchronized with the corresponding installation of VOMS (VDT 1.3.7)
 1 instance at the University of Melbourne (Physics Department)

Dependencies and Issues
EGEE trustmanager and VOMS admin package support is crucial for VOMRS
 Bug fixing is slow (depends on gLite releases and integration in VDT)
 Patches should be available much sooner
 Good news: we have access to the LCG Savannah portal, which allows us to submit bugs as soon as we find them and monitor the bug fixing progress
We are working very closely with the LCG VO Management Registration Task Force
 LCG VO Managers submitted many constructive requests for improvements and new features. Most have been implemented in previous releases. New requests include: implement a hierarchy of Representatives associated with country, region and institution; improve VOMRS performance; add a configurable subject in notification e-mails
 We are planning to transfer some of the responsibilities for VOMRS support to a yet-to-be-chosen person at CERN
 A VOMRS/VOMS workshop is planned for March

Summary
VOMRS is a successfully implemented VO registration service providing the means to better identify and communicate with VO members, and to assign grid privileges to them. Through the use of its multiple administrative roles, VOMRS allows for delegation of responsibilities within the VO while still providing a high level of control over the privileges granted. As a highly configurable service, it can meet the needs of a wide variety of VOs, both in terms of membership size and complexity of privileges required. Its installation at numerous sites has resulted in increased requests for additional features to improve management and control of VO membership. Fermilab is committed to future support of this product for the LCG and OSG.
A lot of people took part in gathering and understanding requirements, and providing us with valuable feedback. Thanks a lot to all of them!
More information can be found: