GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

Outline
– GUMS description
– Status
– Issues encountered during development and other open issues

What is GUMS?
– GUMS allows a site to centrally manage the mapping from a Grid identity to a local identity according to a site-wide policy.
– [Diagram: BNL GUMS maps /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi to the local account carcassi on a Grid resource]
– Example policy: on *.usatlas.bnl.gov allow:
  – Members of the Grid3 VO, mapped to accounts taken from a pool
  – Members of a special list from a database, mapped to ‘special’
  – …

Features planned for OSG-0
– Account pooling
– Service implementation
– Role based authorization

Account Pooling
– A generic grid user will be assigned a generic grid account (no recycling) from a pool of pre-created accounts -> This affects applications and accounting
– Will allow BNL cybersecurity to perform auditing
– To go in production we need:
  1. Assign the group id after the assignment
  2. Make sure it doesn’t disrupt accounting and applications
– [Diagram: pool accounts … grid0009 grid0010 grid0011 grid0012 grid0013 grid0014 grid0015 grid0016 grid0017 …, each assigned to one grid identity: /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi, /DC=org/DC=doegrids/OU=People/CN=Dantong Yu, /DC=org/DC=doegrids/OU=People/CN=Razvan Popescu, /DC=org/DC=doegrids/OU=People/CN=Dantong Yu]

GUMS service
– Use gatekeeper call-out to contact GUMS directly
– [Diagram: VO servers (ATLAS VO, STAR VO, PHENIX VO, … VO) feed the GUMS server, which is backed by the GUMS DB and serves several Grid resources]
– A client on the gatekeeper can contact GUMS to retrieve the grid-mapfile or other maps. No role-based authorization in that case.

Role based authorization
– Use of callout and of VOMS extended proxy
– [Diagram: without a VOMS attribute, BNL GUMS maps /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi to carcassi on the Grid resource; with a VOMS extended proxy carrying /VO=ATLAS/Group=USATLAS/Role=production-leader, the same DN is mapped to usatlasprod]
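The mapping policy, account pooling and role-based authorization slides above describe one decision procedure: take a DN (plus a VOMS attribute when the proxy carries one), apply the site-wide rules in order, and hand back a local account. The following is an added example written for this page, not GUMS code or any GUMS API: it models the three rule kinds the slides mention (VOMS role to a shared account, special list to a fixed account, plain VO membership to a pooled account that is never recycled) and renders the grid-mapfile a host client would retrieve. The DNs, pool account names and FQAN are the sample values from the slides; the class and function names, the `carcassi` special-list entry and the extra DN used to exhaust the pool are assumptions.

```python
"""Added example in the spirit of the slides (not GUMS code): a site-wide
mapping policy with three kinds of rule, evaluated in order.  The DNs,
pool account names and the FQAN are the sample values from the slides;
class and function names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_fqan(fqan: str) -> Dict[str, str]:
    """Split a VOMS FQAN written as on the slides
    (/VO=ATLAS/Group=USATLAS/Role=production-leader) into key/value parts."""
    parts: Dict[str, str] = {}
    for segment in fqan.strip("/").split("/"):
        key, _, value = segment.partition("=")
        parts[key] = value
    return parts


class AccountPool:
    """Pre-created accounts handed out one per DN and never recycled, so a
    local account always traces back to exactly one grid identity (auditing)."""

    def __init__(self, accounts: List[str]) -> None:
        self.free = list(accounts)
        self.assigned: Dict[str, str] = {}   # DN -> account; GUMS keeps this in its DB

    def account_for(self, dn: str) -> Optional[str]:
        if dn in self.assigned:              # same DN, same account, every time
            return self.assigned[dn]
        if not self.free:                    # exhausted: refuse rather than reuse
            return None
        account = self.free.pop(0)
        self.assigned[dn] = account
        return account


@dataclass
class SitePolicy:
    """Ordered rules: VOMS role, then special list, then plain VO membership."""
    vo_members: Set[str]                       # DNs refreshed from the VO server
    special_accounts: Dict[str, str]           # "special list from a database"
    role_accounts: Dict[Tuple[str, str], str]  # (Group, Role) -> shared account
    pool: AccountPool

    def map_user(self, dn: str, fqan: Optional[str] = None) -> Tuple[Optional[str], str]:
        """Return (local account, reason); the account is None when access is denied."""
        if fqan:                                  # only with a VOMS extended proxy
            attrs = parse_fqan(fqan)
            account = self.role_accounts.get((attrs.get("Group"), attrs.get("Role")))
            if account:
                return account, "voms role"
        if dn in self.special_accounts:
            return self.special_accounts[dn], "special list"
        if dn in self.vo_members:
            account = self.pool.account_for(dn)
            if account is None:
                return None, "pool exhausted"
            return account, "vo member -> pool"
        return None, "no matching rule"

    def grid_mapfile(self, dns: List[str]) -> str:
        """Render the grid-mapfile a host client retrieves.  The file only
        carries DNs, so VOMS role rules cannot apply here."""
        lines = []
        for dn in dns:
            account, _ = self.map_user(dn)
            if account:
                lines.append(f'"{dn}" {account}')
        return "\n".join(lines)


# Sample identities: three from the slides, one constructed to exhaust the pool.
DN_CARCASSI = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi"
DN_YU = "/DC=org/DC=doegrids/OU=People/CN=Dantong Yu"
DN_POPESCU = "/DC=org/DC=doegrids/OU=People/CN=Razvan Popescu"
DN_EXTRA = "/DC=org/DC=doegrids/OU=People/CN=Example Member"   # constructed
FQAN_PROD = "/VO=ATLAS/Group=USATLAS/Role=production-leader"


def build_demo_policy() -> SitePolicy:
    # Pool of two so the exhaustion path is exercised (the slides show grid0009..grid0017).
    return SitePolicy(
        vo_members={DN_CARCASSI, DN_YU, DN_POPESCU, DN_EXTRA},
        special_accounts={DN_CARCASSI: "carcassi"},   # assumption: the slide's carcassi mapping
        role_accounts={("USATLAS", "production-leader"): "usatlasprod"},
        pool=AccountPool(["grid0009", "grid0010"]),
    )


def demo() -> Dict[str, object]:
    """Run the requests in a fixed order; the pool state makes order matter."""
    policy = build_demo_policy()
    return {
        "role": policy.map_user(DN_CARCASSI, FQAN_PROD),
        "special": policy.map_user(DN_CARCASSI),
        "yu_first": policy.map_user(DN_YU),
        "popescu": policy.map_user(DN_POPESCU),
        "yu_again": policy.map_user(DN_YU),
        "exhausted": policy.map_user(DN_EXTRA),
        "unknown": policy.map_user("/DC=org/DC=doegrids/OU=People/CN=Not A Member"),  # constructed
        "mapfile": policy.grid_mapfile([DN_CARCASSI, DN_YU]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The ordering of the rules is the policy: the VOMS role is checked first because it is the most specific claim, and it is only honoured when an extended proxy is presented. Pool exhaustion is reported as a denial rather than by reusing an account, which is what keeps the one-DN-per-account property the auditing slide relies on.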

Components
– Gatekeeper call-out implementation (C client) – Markus Lorch, Privilege Project
– GUMS GT3 service that implements the callout protocol – Java implementation over GT3
– GUMS service (WebService and UI interface for admin commands) – separate Java web application, no GT3
– GUMS Admin – command line client for the WebService door (Java)
– GUMS Host client – command line client to retrieve host maps (Java)

Components
– [Diagram: the GUMS Server hosts the GUMS Service, GUMS GT3 and GUMS Admin; the GK Callout on a GRID Resource asks “Map this user”; the server contacts the VO server to refresh user lists; a Web Browser talks to the admin interface; a GUMS client asks “Retrieve map for this host”]

Status
– GUMS components are essentially complete; they just need consolidation.
– Account pooling: at BNL we have a grid3dev gatekeeper implementing account pools managed by GUMS (through the grid-mapfile) since the end of August. It’s suitable to test accounting and applications. No tests have been performed yet.
– Role based authorization working on the testbed:
  – User retrieves VOMS extended proxy
  – Submits job to gatekeeper
  – Gatekeeper call-out contacts GUMS
  – GUMS returns local user (according to policy)
– Problems in using GT3 security within the C client (gatekeeper call-out) – not a major issue, as we can always use plain web services
– Implementation for storage callout hasn’t started yet

Security
– We performed a set of tests to compare GT3 message level security and EGEE (gLite) transport level security (plain WS):
  – req/sec was 17 times better with transport level security
– For the GUMS Admin Web Services interface, we are using plain SOAP (Axis) with gLite transport level security.
– The Web UI also uses gLite transport level security (web interfaces can’t be used with message level security).
– The interface for the call-out is still targeted to GT3 with message level security, but: problems in C client.
– What are other people doing?

Logs
– Not using GT3 logging: not flexible enough
  – Hides the Log4j implementation, and doesn’t allow use of the Syslogd or Mail appenders to forward logs by mail or to syslogd
  – Not usable for the Web UI, which doesn’t use GT3
– Different logs for different audiences:
  – Developer log: used for debugging, logs internals of the code.
  – GUMS admin log: logs activity at the functionality level. The complete log is saved to a file; error level entries are sent by mail to the admin.
  – CyberSecurity log: logs access (reads at a different level than writes), uses syslogd to integrate with facility logging.
– For example, if ATLAS VOMS returns no members for a group set in the GUMS configuration, that is no problem at the developer level, but very likely a problem at the admin level.
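The audience split above is a routing problem: one event can be routine for the developer channel and an error for the admin channel, and only error-level admin entries should reach a mailbox. The following is an added example for this page, not GUMS code: it builds the three channels with Python's logging module as a stand-in for Log4j, replays the slide's VOMS example and an access read/write pair, and returns what each sink received. The in-memory sinks, channel names and the sample events are assumptions; in production the admin error sink would be a mail appender (logging.handlers.SMTPHandler) and the cybersecurity sink a syslog appender (logging.handlers.SysLogHandler).

```python
"""Added example (not GUMS code): the three audience-specific log channels
the slide describes, built with Python's logging module as a stand-in for
Log4j.  The in-memory sinks, channel names and the sample events are
assumptions; in production the admin error sink would be a mail appender
and the cybersecurity sink a syslog appender."""
import logging
from typing import Dict, List, Tuple


class ListSink(logging.Handler):
    """Collects formatted records in a list so the routing can be inspected.
    logging.handlers.SMTPHandler / SysLogHandler would take its place in production."""

    def __init__(self, level: int) -> None:
        super().__init__(level)     # the handler level filters what reaches this sink
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


def build_channels() -> Tuple[logging.Logger, logging.Logger, logging.Logger, Dict[str, ListSink]]:
    dev = logging.getLogger("gums.developer")
    admin = logging.getLogger("gums.admin")
    sec = logging.getLogger("gums.cybersecurity")
    sinks = {
        "developer_file": ListSink(logging.DEBUG),   # everything, for debugging internals
        "admin_file": ListSink(logging.INFO),        # complete functional log
        "admin_mail": ListSink(logging.ERROR),       # only errors are mailed to the admin
        "security_syslog": ListSink(logging.INFO),   # access log shipped to facility syslog
    }
    formatter = logging.Formatter("%(levelname)s %(name)s: %(message)s")
    for sink in sinks.values():
        sink.setFormatter(formatter)
    for logger in (dev, admin, sec):
        logger.handlers.clear()          # keep the demo repeatable
        logger.propagate = False         # channels are independent of the root logger
        logger.setLevel(logging.DEBUG)
    dev.addHandler(sinks["developer_file"])
    admin.addHandler(sinks["admin_file"])
    admin.addHandler(sinks["admin_mail"])
    sec.addHandler(sinks["security_syslog"])
    return dev, admin, sec, sinks


def refresh_group(vo: str, group: str, members: List[str],
                  dev: logging.Logger, admin: logging.Logger) -> None:
    """The slide's example: an empty member list from VOMS is routine for the
    code (debug level) but very likely a misconfiguration for the admin (error)."""
    dev.debug("VOMS %s returned %d members for %s", vo, len(members), group)
    if not members:
        admin.error("group %s is configured in GUMS but has no members in %s VOMS", group, vo)
    else:
        admin.info("refreshed %s/%s: %d members", vo, group, len(members))


def record_access(sec: logging.Logger, dn: str, action: str, account: str) -> None:
    """Access log: writes are recorded at a higher level than reads so that
    the facility can filter them apart."""
    level = logging.WARNING if action == "write" else logging.INFO
    sec.log(level, "%s by %s -> %s", action, dn, account)


def demo() -> Dict[str, List[str]]:
    dev, admin, sec, sinks = build_channels()
    dn = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi"   # DN from the slides
    refresh_group("ATLAS", "USATLAS", [], dev, admin)            # constructed: empty reply
    refresh_group("ATLAS", "USATLAS", [dn], dev, admin)          # constructed: one member
    record_access(sec, dn, "read", "grid0009")
    record_access(sec, dn, "write", "grid0009")
    return {name: list(sink.records) for name, sink in sinks.items()}


if __name__ == "__main__":
    for name, records in demo().items():
        print(name, records)
```

The per-handler level is what makes the mail sink selective: the admin logger accepts everything, the file sink keeps it all, and only ERROR records pass the mail sink's threshold. The same event (the empty VOMS reply) therefore shows up as DEBUG on the developer channel and as ERROR on the admin channel, as the slide describes.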

Experience with GT3
– Performance problems in message level security
– Had to eliminate the logging implementation
– Difficult to integrate:
  – Configuration files are bundled in libraries; multiple Axis libraries when accessing web services
– The build process from the tutorial is suitable only for the tutorial (no other examples)
– Spreads files in various Tomcat directories (probable legacy from httpg)

Clustering
– We are investigating clustering to provide high availability with GUMS.
  – Tomcat 5 includes a load balancer.
  – We are also investigating fail-over mechanisms.
– Still in the investigation phase.

Other issues
– Packaging for OSG
  – How should the service be packaged? Which type of package, PACMAN?
– Interaction with accounting service