Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources Asif Saleem,


1 Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources
Asif Saleem, Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington

2 Overview
– Using the Virtual Organisation Management (VOM) portal
– How the VOM portal can be utilised for
  – Managing Globus Toolkit enabled resources
  – Configuring Community Authorisation Service
  – Administering ICENI
– Related Work
– Conclusions

3 Why do we need VO Management?
– VOs consist of
  – a dynamic set of distributed resources
  – a distributed user base
  – a distributed management infrastructure

4 Contd…
– VOs need to provide services for
  – user authentication and authorisation
  – defining and enforcing access control and usage policies
– Every project is having to develop its own customised VO management setup
– Need to replace current manual processes, which do not scale well
  » policy-based automated systems

5 Virtual Organisation Management (VOM) portal
– Portal for remote VO management.
– Grid service to download and upload information into the VOM database.
– Client tools to interact with the service through Grid Security Infrastructure (GSI) authenticated network connections.
– The VOM Portal facilitates
  – user registration into the VO using grid certificates
  – resource access control
  – resource usage accounting and reporting

6 VOM Roles
– Ordinary users belonging to a VO/community & wanting to use grid resources.
– Resource managers wanting to make their grid-enabled machines accessible to a VO/community.
– Administrators of a VO managing access control & monitoring usage of constituent users & resources.

7 VOM Usage: User
– Precondition: should have a certificate issued by a CA accepted by the VO.
– Registers with the VO
  – Request propagated to the VO Admin and, on approval, to the respective resource managers for account creation.
– Views his usage log on the web.
– Does not need to chase each site/resource in the VO & sign separate usage policy forms.

8 VOM Usage: Resource Manager
– Precondition:
  – Should have a certificate issued by a CA accepted by the VO.
  – Manages/owns a grid-enabled resource.
– Sets up access control and logging capability by deploying the client on his grid-enabled resource.
– Approves/rejects/disables user access.
– Can view own usage stats/graphs.

9 VOM Usage: VO Administrator
– Precondition:
  – Should have a certificate issued by a CA accepted by the VO.
– Approves user enrolment requests through a web page.
– Manages constituent resources.
– Monitors usage of various users/resources or the whole VO.
– Views stats/graphs of historical VO usage.

10 User Interface Workflow

11 VOM Implementation
– Server
  – Java servlets hosted in a Tomcat container
  – GT3 based web service
  – Apache with mod_jk Tomcat support
– Client
  – Java based
  – Connects to the web service using a secure (GSI) connection

12 Managing Globus Toolkit enabled resources
– Resource access control
  – through automated grid-map file management
– Resource usage logging and reporting
  – through the instrumented job-managers provided
– The resource owner needs to set up the respective clients, which connect to the VOM server over a secure connection

13 Resource Access Control
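To make the grid-map file management of slides 8 and 12 concrete, here is an added example (not VOM's own code) of the reconciliation a resource-side client could perform on a Globus grid-mapfile when it receives the VO's approved/disabled membership: the registry snapshot, the mapfile contents and the protected-account rule are all constructed assumptions.

```python
import re

# Constructed sample of the VO membership a VOM server would hand to a resource
# manager's client: (certificate DN, local account, enrolment status).
VO_REGISTRY = [
    ("/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=alice example", "alice", "approved"),
    ("/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=bob example", "bob", "disabled"),
    ("/C=UK/O=eScience/OU=Oxford/L=OeSC/CN=carol example", "carol", "pending"),
    ("/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=dave example", "dave", "approved"),
]

# Constructed grid-mapfile already on the resource: bob's entry is stale (he was
# disabled) and the last line is a site-local mapping the VO must not touch.
EXISTING_MAPFILE = """# grid-mapfile: VO entries below are managed automatically
"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=alice example" alice
"/C=UK/O=eScience/OU=Imperial/L=LeSC/CN=bob example" bob
"/C=UK/O=eScience/OU=Local/CN=site admin" siteadm
"""

# One Globus grid-mapfile entry: a double-quoted DN, whitespace, one local account
# (Globus also accepts a comma-separated account list; this example keeps to one).
GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+([A-Za-z0-9_.-]+)\s*$')

# Assumed site rule: a VO registry may never map a grid identity onto these accounts.
PROTECTED_ACCOUNTS = frozenset({"root"})

def parse_gridmap(text):
    """Return {DN: account} for a grid-mapfile; comments and blank lines are skipped."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = GRIDMAP_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed grid-mapfile line {lineno}: {line!r}")
        mapping[match.group(1)] = match.group(2)
    return mapping

def reconcile(existing, registry):
    """Apply the VO registry: approved members are (re)mapped, other VO members are
    dropped, DNs unknown to the VO are kept. Returns (mapping, [(action, DN, acct)])."""
    vo_dns = {dn for dn, _, _ in registry}
    result = {dn: acct for dn, acct in existing.items() if dn not in vo_dns}
    changes = []
    for dn, account, status in registry:
        if account in PROTECTED_ACCOUNTS:
            raise ValueError(f"refusing to map {dn} onto protected account {account}")
        if status == "approved":
            result[dn] = account
            if dn not in existing:
                changes.append(("add", dn, account))
            elif existing[dn] != account:
                changes.append(("update", dn, account))
        elif dn in existing:
            changes.append(("remove", dn, existing[dn]))
    return result, changes

def render_gridmap(mapping):
    """Serialise a mapping back into grid-mapfile syntax, one quoted DN per line."""
    return "".join(f'"{dn}" {acct}\n' for dn, acct in mapping.items())
```

The change list is what a resource manager would want logged on each run, since a removal is exactly the revocation the Disable action on slide 8 is meant to enforce.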

14 Resource Usage Service

15 Configuring Community Authorisation Service
– Allows resource providers to specify fine-grained access control for the community rather than individual users
– Community manages itself
– grid-proxy-init => cas-proxy-init

16 Configuring CAS
– CAS lacks a web interface for configuring a VO's trust relationships
– VOM provides a source of authenticated & authorised users
– The VO admin uses CAS to set up the VO's trust relationships (e.g. adding new users and objects) and to grant them fine-grained access control to the VO's resources.

17 Administering ICENI
– Each resource running ICENI has a
  – Domain Manager: implements fine-grained access control policies relating to the resources in the private administrative domain
  – Policy Manager: used to define access control policy at role, group, organisation or individual user level
  – Identity Manager: used to authenticate users accessing resources, and authorise them against the access policy defined by the resource

18 ICENI Architecture
[Architecture diagram: a private administrative domain (Resource Manager, Policy Manager, Identity Manager, Domain Manager, private computational resource, software/network/storage resources, JavaCoG, Globus), a gateway between the private and public regions, and public computational communities (Resource Browser, Resource Broker, Application Mapper, Web Services Gateway, Application Portal, application and component design tools)]

19 Contd…
– ICENI Role Management GUI
– The VOM Admin can also switch the roles/groups a user belongs to within ICENI.
  – Needs an ICENI plugin installed on the VOM server.

20 Related Work
– VOMS
– CAS
– GUMS
– PERMIS
– Akenti

21 Virtual Organisation Membership Service (VOMS)
– Developed for DataTAG by INFN and for DataGrid by CERN
– Database of user roles and capabilities
  – Administrative tools
  – Client interface voms-proxy-init
    – Uses the client interface to produce an attribute certificate (instead of a proxy) that includes roles & capabilities signed by the VOMS server
    – Works with non-VOMS services, but gives more info to VOMS-aware services
– Allows VOs to centrally manage user roles and capabilities

22 VOMS Shortcomings
– Lacks a web interface for user/resource registration
– Only maintains certificate DNs & their associated group info
  – Lacks any other info, e.g. personal info, usage logs
  – Does not collect any resource-specific or site-specific data
– Additional attributes in certificates do not conform to any standard => only VOMS-enabled software can use them
– Extensions
  – EU DataGrid / LCG
    – Local Centre Authorisation Service (LCAS)
    – Local Credential MAPping Service (LCMAPS)
    – Java based Trust Manager
  – FermiLab, as part of the US CMS, SDSS and iVDGL projects
    – VOM Registration Server (VOMRS)
    – VOMS eXtension (VOX), e.g. Site AuthoriZation (SAZ) and Local Resource Authorization Service (LRAS)

23 VOM comparison with VOMS
– VOM provides the additional capability of secure web-based user registration and resource usage logging, and holds detailed info about users, resources etc.
– Both provide grid-map file management capability, in slightly different ways
– VOM does not provide attribute certificate generation capability

24 Community Authorisation Service (CAS)
– v1.0 released with Globus Toolkit version 3.2
– Allows resource providers to specify fine-grained access control for the community rather than individual users
– Community manages itself
– grid-proxy-init => cas-proxy-init

25 CAS Shortcomings
– Functional
  – Lacks a web front-end for user registration
  – Does not contain any info apart from DN and access rights
  – Resource logging & account mapping get complicated due to the use of a totally new DN by CAS
– Non-Functional
  – Takes ultimate control away from site/resource owners, which is not practical in real-world scenarios
  – Built on top of Grid Security Infrastructure (GSI), hence a dependency on Globus
  – Royalty-free license from RSA needed to use it in other projects
  – Currently only a customised version of grid-ftp (supplied with the CAS distribution) supports CAS credentials
  – Hard to install & configure, and more a prototype than the production-ready system it is claimed to be

26 VOM comparison with CAS
– VOM provides the additional capability of secure web-based user registration and resource usage logging, and holds detailed info about users, resources etc.
– Both provide resource access control management mechanisms
  – VOM through grid-map file management
  – CAS by abstracting the grid identities (i.e. user certificates) and using community identities at the resources as the access control mechanism
– VOM does not provide new proxy certificate generation capability like CAS.

27 Grid User Management System (GUMS)
– US Atlas Grid
– Provides user registration facility.
– Shortcomings
  – Lacks a web interface for user/resource registration, currently through .
[Diagram: VO user registry databases (VO #2, VO #3 …) pulled by a site cron job into the site user info database and the grid-mapfile]

28 PrivilEge and Role Management Infrastructure Standards Validation (PERMIS)
– Privilege Management Infrastructure (PMI) which uses attribute certificates conforming to the X.509 standard
– Policy-driven engine accessible through a Java API
– Uses LDAP to store policies and attribute certificates
– Policies are written in XML
[Diagram: PERMIS API implementation. AEF = (application-dependent) Access control Enforcement Function; ADF = (application-independent) Access control Decision Function. The user presents an access request to the target; the AEF sends a decision request (e.g. DN + access request) to the ADF, which retrieves the policy and role ACs from LDAP directories and returns a decision (e.g. grant/deny). Example role/action/target: Admin / approve / User rights page]

29 PERMIS Shortcomings
– It just provides an authorisation framework using attribute certificates => policy-driven authorisation
  – Does not store any other data about users, e.g. personal, usage etc.
  – Does not store any data about resources, sites etc.
  – Not intended to provide overall VO management capability, e.g. authentication of users or accounting of user/resource usage

30 Akenti Policy Language
– Provides a policy language based on XML
– Can be used for certificate-based authorisation
– Shortcomings
  – Needs a customised front end
  – No notion of VO
– Conceptually similar to PERMIS

31 VOM comparison with PERMIS & Akenti
– VOM provides the additional capability of secure web-based user registration and resource usage logging, and holds detailed info about users, resources etc.
– Both PERMIS & Akenti provide a rich policy authorisation engine.
– VOM does not provide a policy authorisation language, API or engine => complementary

32 Open Issues - VO Deployment issues
[Diagram: the horizontal National Grid Service VO across Manchester, Oxford, Edinburgh, London 1 and Cambridge 1, with vertical VOs cutting across sites including London 2 and Cambridge 2]

33 Future Work
– Explicit RBAC using the proposed NIST standard
– Explicit policy management
  – Separate Contract/SLA for VO, Resource, User joining the VO
    – Resource specifies minimum/average/maximum service offered
    – Users specify average & maximum service expectation
– Explore use of the GLUE information schema for import/export of user/resource info
– Explore a pure web services implementation

34 Conclusions
– VOM provides a centralised management interface for managing a VO
– Can be used for resource access control and usage accounting for the Globus Toolkit
– Can be used as a secure web interface for configuring CAS
– Can also be used for role-based identity management in ICENI

35 Acknowledgments
– Testing and evaluation of the software done with the help of members of the UK Grid Engineering Task Force.
– Deployed across the Level 2 UK e-Science Grid to provide user management and accounting capability ( ).
– Work done as part of the OSCAR-G project funded by DTI, Compusys & Intel (THBB/C/008/00028)
– CAS evaluation funded by the JISC AAA programme

36 Acknowledgements
– Director: Professor John Darlington
– Research Staff:
  – Nathalie Furmento, Stephen McGough, William Lee
  – Jeremy Cohen, Marko Krznaric, Murtaza Gulamali
  – Laurie Young, Jeffrey Hau
  – David McBride, Ali Afzal
– Support Staff:
  – Oliver Jevons, Sue Brookes, Glynn Cunin, Keith Sephton
– Alumni:
  – Steven Newhouse, Yong Xie, Gary Kong
  – James Stanton, Anthony Mayer, Angela O’Brien
– Contact: