A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

Presentation transcript:

6/16/2015 CHEP 03, La Jolla

Slide 2: Outline
- Motivation and System Requirements
- GUMS (Grid User Management System)
- System Design and Framework
- System Components
- System Installation
- Current Status, Existing Issues
- Future Work

Slide 3: GUMS: Scope & Limitations
- Develop Model for Distributed User Registration
- Work With Existing VO Management Tools
- Help Define Requirements for New & Improved VO Tools
- Focus on Site Tools for User Management

Slide 4: User Registration
- Many Sites Require Pre-registration of Users
- Sites Will Need to Serve Large Sets of Users
- Users Will Need Access to a Large Number of Sites
- Sites and VOs Will Need to Work Out User Registration Mechanisms

Slide 5: Registration Requirements
- Site Requirements
  - Collect Sufficient Information About User and Registration Chain
  - Provide Information to Site in Secure, Trusted, Auditable Manner
  - “Reasonably” Static User List
  - Store History Information, Keep Updated User Information, User Membership
- User Requirements
  - Register Once Per Virtual Organization
  - Registration Must Be “Reasonably” Local
  - “Reasonable” and Static Number of Data Items
- VO Requirements
  - Sites Must Have “Reasonably” Complete and Up-to-date User List
  - Extensibility of Including More Information

Slide 6: Automated Registration
- Software Tools – The Easy Part
  - VO User Registry – N Column Database; Several Approaches: VOMS, VO Server Software
  - Local User Registration Authorities – M Column Database and Configurable Tool for Periodically Pushing Users Up to VO or Regional Authority
  - Site – User Database, Configurable Tool to Periodically Pull User Info From One or More VOs, Perform Local Account Mapping, Create Grid-mapfile
- Trust Relationships – The Hard Part
  - A VO Structure Needs to Be Created That Will Enforce Agreed Registration Requirements
  - Every Site Must Be Able To Trust Every Registrar
  - Protect User Privacy

Slide 7: GUMS: A Scalable Grid User Management System
(Diagram; labels visible in the transcript: Virtual Organization, User info, UNM)

Slide 8: Schematic Diagram
(Diagram; elements visible in the transcript: VO User Registry Database; Regional Registration Authority?; Local Registration Authority; VO #2, VO #3, ...; Site User Info Database; Local Policy; Local Account Management; grid-mapfile; Site; data flows labelled Push and Pull)

Slide 9: Grid User Management System Architecture
(Diagram; elements visible in the transcript: VO server; User info importer; Grid-Mapfile Generation Module; Account Creation and Mapping; grid-mapfile; Cron Job; Banned User; Synchronize; New user; Membership; User left VO; CRL Download; User Info; Mapping Tables Update; Cron Job)

Slide 10: GUMS Components
- User Info Importer
  - Pull User Information From Multiple VO User Databases (LDAP, RDB)
  - Write User Information Into Local Database, Update User Membership
  - Command Line Tool in the Current System: getVOusers
- Invoke Local Tools That Track and Manage Local Accounts
  - New Users: Interacts With Local User Management System to Request New Accounts for the Users
  - Old Users: Interacts With Local User Management System to Update User Authorization (Group Membership, for Example)
  - Maintain the Banned User Lists
  - Tools Implemented: initdb, getVOusers, updategroup
- Interface Into GRID Security System
  - For Globus Gatekeeper, Generate a Grid-mapfile From Local Database
  - Tools Implemented: generate_gridmapfile

Slide 11: Current Status and Known Issues
- Status:
  - System Software Available to All USATLAS Testbed Sites
  - Ready to Run, Detailed Man Page
  - Four VO Servers Are Used:
    - USATLAS VO SERVER group ldap://spider.usatlas.bnl.gov:6200/ou=us-atlas,o=atlas,dc=ppdg-datagrid,dc=org
    - ATLAS VO SERVER group ldap://grid-vo.nikhef.nl:389/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org
    - EDG VO SERVER group ldap://grid-vo.cnaf.infn.it/ou=group1,o=datatag,dc=org
    - GLUE SCHEMA TESTBED group ldap://rod.mcs.anl.gov/ou=group1,o=glue,c=us
- Issues:
  - Incomplete User Information Collected by VO Server; VO Servers Must Be Extended to Keep More User Information
  - Lack of Security in Authentication
    - Anonymous Mode Is Used to Access the LDAP-Based VO Servers: GSI?
    - Plain Password Authentication With the MySQL-Based Local Database
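The architecture (slide 9), component list (slide 10) and VO server list (slide 11) describe one pipeline: the importer pulls user DNs from several VO LDAP servers, the local database is synchronized (new users, users who left a VO), banned DNs are dropped, local policy maps each DN to an account, and a grid-mapfile is written for the Globus gatekeeper. The following is an added example of that pipeline, not code from GUMS itself: it parses the four LDAP URLs from slide 11 into host, port and base DN, and runs the merge, banning, mapping and grid-mapfile steps over constructed sample users. The user entries, the banned list, the account policy table and the function names are all assumptions made for the example; no server is contacted.

```python
"""Added example, not code from the GUMS project: an offline model of the
import -> synchronize -> ban -> map -> grid-mapfile pipeline on the slides.
User entries, banned list and mapping policy are constructed sample data."""
from urllib.parse import urlparse, unquote

# The four VO server entries as listed on the status slide.
VO_SERVERS = {
    "usatlas": "ldap://spider.usatlas.bnl.gov:6200/ou=us-atlas,o=atlas,dc=ppdg-datagrid,dc=org",
    "atlas":   "ldap://grid-vo.nikhef.nl:389/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org",
    "edg":     "ldap://grid-vo.cnaf.infn.it/ou=group1,o=datatag,dc=org",
    "glue":    "ldap://rod.mcs.anl.gov/ou=group1,o=glue,c=us",
}


def parse_ldap_url(url):
    """Return (host, port, base_dn) for an ldap:// URL; port defaults to 389."""
    parts = urlparse(url)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return parts.hostname, parts.port or 389, unquote(parts.path.lstrip("/"))


# Constructed stand-in for what the importer would pull from each VO:
# certificate subject DN -> groups the VO lists the user in.
VO_USERS = {
    "usatlas": {
        "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1001": ["usatlas", "production"],
        "/DC=org/DC=doegrids/OU=People/CN=Bob Example 1002": ["usatlas"],
    },
    "atlas": {
        "/DC=org/DC=doegrids/OU=People/CN=Alice Example 1001": ["atlas"],
        "/O=Grid/O=EU-DataGrid/CN=Carol Example": ["atlas"],
    },
}

# Constructed site policy: a DN with a personal account keeps it; otherwise
# the first matching (vo, group) row assigns a shared group account.
PERSONAL_ACCOUNTS = {"/DC=org/DC=doegrids/OU=People/CN=Alice Example 1001": "alice"}
GROUP_ACCOUNTS = [
    ("usatlas", "production", "usatlasprod"),
    ("usatlas", "usatlas", "usatlas"),
    ("atlas", "atlas", "atlas"),
]
BANNED = {"/DC=org/DC=doegrids/OU=People/CN=Bob Example 1002"}  # constructed


def sync_membership(local_db, vo_users):
    """Replace local membership with the latest VO pulls.

    local_db maps DN -> {vo: [groups]}.  Returns (new_dns, left_dns) so the
    site can request accounts for newcomers and retire users who left."""
    merged = {}
    for vo, users in vo_users.items():
        for dn, groups in users.items():
            merged.setdefault(dn, {})[vo] = sorted(groups)
    new_dns = sorted(set(merged) - set(local_db))
    left_dns = sorted(set(local_db) - set(merged))
    local_db.clear()
    local_db.update(merged)
    return new_dns, left_dns


def map_account(dn, membership):
    """Apply local policy; None means the DN gets no grid-mapfile entry."""
    if dn in PERSONAL_ACCOUNTS:
        return PERSONAL_ACCOUNTS[dn]
    for vo, group, account in GROUP_ACCOUNTS:
        if group in membership.get(vo, []):
            return account
    return None


def generate_gridmapfile(local_db, banned):
    """Render '"<subject DN>" <account>' lines, skipping banned and unmapped DNs."""
    lines = []
    for dn in sorted(local_db):
        if dn in banned:
            continue
        account = map_account(dn, local_db[dn])
        if account is not None:
            lines.append('"%s" %s' % (dn, account))
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    for vo, url in VO_SERVERS.items():
        print(vo, parse_ldap_url(url))
    db = {}
    print("new/left:", sync_membership(db, VO_USERS))
    print(generate_gridmapfile(db, BANNED), end="")
```

Running the module prints the parsed server entries, the list of new users on the first synchronization, and a two-line grid-mapfile: Alice keeps her personal account, Bob is dropped by the banned list, and Carol receives the shared atlas account. A second synchronization after a user disappears from every VO pull reports that DN in the left list, which is the signal on slide 9 ("User left VO") that the local account tools act on.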

Slide 12: Current Status
- The First Stage Development Is Completed
- Available to Be Downloaded:
  - Ready to Run, Detailed Man Page
- Characteristics
  - Tractable, Flexible
  - Satisfies the User Registration Requirements
  - GUMS Can Easily Support Large Numbers of Users Accessing Multiple Grid Sites
  - Easy Installation and Management
- User Base Is Still Small Enough for Traditional Registration Methods, Which Can Be Used in Parallel With Distributed/Automated Tools

Slide 13: Future Plan
- Security Module Replaces the Plain Password/Anonymous Authentication
  - MySQL (the Latest Production Release) Supports SSL Encrypted Connections and X509 Certificates. We Are Looking Into Using a GSI Enabled MySQL Server As Our Local User DB
- Web Interface to Manage GUMS
- Having a Real User Management System Will Expose Issues/Problems and Begin Building Trust Infrastructure
  - Force Some Sites to Start Addressing Remote User Registration Issues
- Create and Deploy User Management Tools at Some ATLAS Sites To Work With ATLAS VO in Computing Exercises, for Example: Data Challenge & Reconstruction