SVOPME A Scalable Virtual Organization Privileges Management Environment ISGC 2010, Taipei, Taiwan March 11, 2010 Funded by US DOE OASCR Grant #DE-FG02-07ER84733.

1/23 SVOPME – A Scalable Virtual Organization Privileges Management Environment
ISGC 2010, Taipei, Taiwan, March 11, 2010. Funded by US DOE OASCR Grant #DE-FG02-07ER84733.
Nanbor Wang, Balamurali Ananthan (Tech-X Corporation); Gabriele Garzoglio, Steven Timm, Tanya Levshina (Fermi National Accelerator Laboratory)

2/23 ISGC10 – SVOPME: A Scalable Virtual Organization Privileges Management Environment
Outline
– Project overview: what SVOPME tries to address
– Architecture and implementations
– Outlook and planning

3/23 What are VO Privileges?
Virtual Organizations:
– VOs use resources
– VOs wish to define usage policies for various resources for different users within the VOs
  – Example 1: Production team members submit jobs with higher priority
  – Example 2: Software team members can write to a disk area for software installations
– VOs define user privileges at different resources to comply with the expressed usage policies
– However, VOs do not manage/configure all Grid sites
Grid Sites:
– Grid sites provide resources
– Grid sites may want to provide different services to different VOs
  – Example 3: site X has a special agreement with VO Y; therefore, jobs from VO Y might have higher priority than others
– Grid sites help VOs to enforce their usage policies by managing user privileges
– Grid sites don't define VOs' usage policies
Site and VO challenge: enforcing heterogeneous VO privileges on multiple Grid sites to provide uniform VO policies across the Grid (ad hoc solution: verbal communication)

4/23 Motivations of SVOPME
– With the growth in Grid usage, both the number of VOs and the number of Grid sites increase
– Serious scalability problems in propagating VO privilege policies
– SVOPME:
  – Provides the tools and infrastructure to help VOs express their policies and sites support a VO
  – Reuses proven administrative solutions: we adopt common system configuration patterns currently in use in major grid sites
  – Addresses scalability
[Figure: VOs (CMS, USATLAS, CompBioGrid, STAR, LIGO, Fermilab, SDSS, iVDGL, ...) each interacting with many Grid sites (FERMIGRID, CMS-T2, LIGO-MIT, GPFARM, UCSDT2, UC-ATLAS, ASGC, STAR-BNL)]

5/23 Modern User Privilege Management
– Moving away from the use of gridmap files to VOMS/GUMS role-based privilege management
  – Eliminates the need for multiple user certificates
  – A similar trend can be observed in EGEE (LCAS/LCMAPS + SCAS and VOMS)
– Managing request priority for both SE and CE
[Figure: The OSG Authorization Infrastructure]

6/23 SVOPME Helps VOs Propagate Privilege Policies to Grid Sites
– SVOPME aims to replace the verbal interaction between VO and site admins with automated workflows
– The VO's intended privilege policies are clearly defined
  – Using the eXtensible Access Control Markup Language (XACML)
  – No ambiguity
  – Allows programmatic verification of policies
  – XACML is also used by the AuthZ Interoperability project
– The site's actual policies can be verified
– SVOPME provides recommendations for site configurations to better support VOs
[Figure: SVOPME concept diagram. VO Privilege Policies are propagated to the site; Site Privilege Policies are synthesized from the Site Configurations and verified against them; Configuration Recommendations are produced for the site]

7/23 Survey of Resources and Policies Managed on the Grid
Resources
– OS protection (account types: group or pool)
– Batch system
– File system
– External storage (SRM/dCache)
– Network access (inbound/outbound)
– Edge services
Policies expressed by the Site
– Timed availability (execution time slots for certain VO users)
Policies expressed by both
– Disk quota
– File retention period
– Network (inbound/outbound) access control
Policies expressed by the VO
– Account type
– Intra-VO relative priority in the batch system
– Directory access (group privacy) permissions
– Job pre-emption (consecutive execution period)
– Suspension/resumption of jobs
– User file privacy
– Two roles sharing the same GID
– Repeat execution (allowing restart or not in the batch system)?
Highlighted policies are supported

8/23 SVOPME Architecture
[Figure: SVOPME architecture. On the VO side, the VO Administrator creates/edits XACML VO Privilege Policies with the VO Privilege Policy Editor, which synthesizes XACML VO Requests. On the Grid site, the Grid Probe crawls the Storage Elements and Computing Elements and synthesizes XACML Effective Site Access Policies. The Policy Comparer uses the VO Requests and the Effective Site Access Policies and generates a Compliance Report; the Policy Advisor generates Suggested Changes, which the Site Administrator applies. Legend: SVOPME Application, XACML Document, Text Document]

9/23 SVOPME VO Tools
[Figure: SVOPME VO tools. The VO Administrator uses the VO Privilege Policy Editor to create/edit XACML VO Privilege Policies and XACML VO Requests; a VOMS Client retrieves the VO Groups/Roles from the VOMS Server. The Request Archiver reads the VO Requests and creates time-stamped zip archives, published via a VO HTTP Server. The Comparer Client uses the latest archive and invokes the Grid site comparer service]

10/23 XACML VO Policy Editor (Domain Specific)
– XACML is
  – An XML-based language for specifying access control policies
  – Suitable for machine processing (deciding permissions on actions)
  – Way too generic to reason about an arbitrary policy
– SVOPME
  – Takes a domain-specific approach
  – Defines a set of "profiles" of meta-policies
  – Each meta-policy defines a type of policy a VO can define
  – For example: Account Mapping Policy - Group X should run with pool accounts
– The VOMS client obtains information about all the Groups/Roles and the number of users from the VOMS server on the VO editor's behalf
– Support for new policy types can be added as "Policy Template" plug-ins
– The VO Administrator can create and edit a set of policies
– Reject contradicting policies (will leverage Model Checking Grid Policies by JeeHyun Hwang)
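As an added example (not SVOPME's own code or its real XACML profile), the Account Mapping meta-policy from this slide rendered as a minimal XACML 2.0 Policy document, together with the editor-side check that rejects contradicting policies for the same group/role; the "urn:svopme:example:..." attribute and obligation ids are placeholders assumed here.

```python
import xml.etree.ElementTree as ET

# Added example (not SVOPME's own code): one "Account Mapping Policy" meta-policy
# instance rendered as a minimal XACML 2.0 Policy. The element names are from the
# XACML 2.0 core schema; the "urn:svopme:example:..." ids are placeholders.
XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FQAN_ATTR = "urn:svopme:example:subject:vo-fqan"        # placeholder id
ACCOUNT_TYPE_ATTR = "urn:svopme:example:account-type"   # placeholder id
MIN_ACCOUNTS_ATTR = "urn:svopme:example:min-accounts"   # placeholder id
OBLIGATION_ID = "urn:svopme:example:obligation:account-mapping"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_INTEGER = "http://www.w3.org/2001/XMLSchema#integer"


def q(tag):  # qualify an element name with the XACML policy namespace
    return "{%s}%s" % (XACML_NS, tag)


def build_account_mapping_policy(fqan, account_type, min_accounts):
    """VO side: subjects carrying VOMS FQAN `fqan` (e.g. /TECHX/VISITORS) must run
    under `account_type` ("group" or "pool") accounts, at least `min_accounts` of them."""
    if account_type not in ("group", "pool"):
        raise ValueError("account type must be 'group' or 'pool'")
    ET.register_namespace("", XACML_NS)
    policy = ET.Element(q("Policy"), {"PolicyId": "AccountMapping:" + fqan,
                                      "RuleCombiningAlgId": DENY_OVERRIDES})
    ET.SubElement(policy, q("Target"))
    rule = ET.SubElement(policy, q("Rule"), {"RuleId": "map", "Effect": "Permit"})
    # The rule's Target matches the FQAN attribute of the requesting subject.
    subject = ET.SubElement(ET.SubElement(ET.SubElement(rule, q("Target")),
                                          q("Subjects")), q("Subject"))
    match = ET.SubElement(subject, q("SubjectMatch"), {"MatchId": STRING_EQUAL})
    ET.SubElement(match, q("AttributeValue"), {"DataType": XS_STRING}).text = fqan
    ET.SubElement(match, q("SubjectAttributeDesignator"),
                  {"AttributeId": FQAN_ATTR, "DataType": XS_STRING})
    # The profile's parameters travel as an Obligation so a site-side tool can read them back.
    obligation = ET.SubElement(ET.SubElement(policy, q("Obligations")), q("Obligation"),
                               {"ObligationId": OBLIGATION_ID, "FulfillOn": "Permit"})
    ET.SubElement(obligation, q("AttributeAssignment"),
                  {"AttributeId": ACCOUNT_TYPE_ATTR, "DataType": XS_STRING}).text = account_type
    ET.SubElement(obligation, q("AttributeAssignment"),
                  {"AttributeId": MIN_ACCOUNTS_ATTR, "DataType": XS_INTEGER}).text = str(min_accounts)
    return ET.tostring(policy, encoding="unicode")


def parse_account_mapping_policy(xml_text):
    """Read the (fqan, account_type, min_accounts) triple back out of a policy document."""
    root = ET.fromstring(xml_text)
    fqan = root.find(".//%s/%s" % (q("SubjectMatch"), q("AttributeValue"))).text
    params = {a.get("AttributeId"): a.text for a in root.iter(q("AttributeAssignment"))}
    return fqan, params[ACCOUNT_TYPE_ATTR], int(params[MIN_ACCOUNTS_ATTR])


def find_contradictions(policies):
    """Editor-side consistency check: two Account Mapping policies for the same FQAN
    that demand different account types can never both be satisfied by a site."""
    seen, conflicts = {}, []
    for xml_text in policies:
        fqan, account_type, _ = parse_account_mapping_policy(xml_text)
        if fqan in seen and seen[fqan] != account_type:
            conflicts.append((fqan, seen[fqan], account_type))
        seen.setdefault(fqan, account_type)
    return conflicts
```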

11/23 VO Policy Editor Screenshot
[Figure: screenshot of the VO Policy Editor]

12/23 VO Policy Data Management
– The Editor stores the policies and verification requests under predefined directories
– The Request Archiver collects and zips up verification requests into time-stamped zip files
  – Can be used by sites to examine their compliance
  – Time-stamped request zip archives are made available to sites via a simple web page
  – Sites can scan the page and determine the latest version
– VO admins and users can use the Comparer Client to contact a site and check its support for the VO policies

13/23 Mechanism for Synthesizing Grid Site Privilege Policies
– "Grid Probe" in a nutshell
  – Policy building and configuration crawling functions are separated
  – Depending on the target privilege, different info is necessary: there are multiple crawling executables
  – Invoked by different cron tasks with different privileges
  – Dump the info as simple text files in a specific directory
  – Allow site-specific probes
– Configuration checked
  – Condor/GUMS config
  – Disk quota/directory permissions
– Policy Builder
  – Parses the intermediate configuration info
  – Synthesizes the effective privilege policies of a site into XACML policies
[Figure: Grid Probe. Probes such as the Disk Quota Probe write Intermediate Config Info, which the Policy Builder synthesizes into XACML Effective Site Access Policies]

14/23 Analyzing Site Configurations
– VO Request Retriever
  – Checks if the local VO verification requests are up to date
  – Caches the new verification requests if needed
– Policy Comparer and Advisor
  – Test compliance by testing the verification requests one by one
  – Since all requests and policies are based on our XACML profiles, reports and advice can be derived
[Figure: the VO Request Retriever checks the timestamp on the VO HTTP Server and caches the XACML VO Verification Requests if necessary; the Policy Comparer uses them together with the XACML Effective Site Access Policies and generates a Compliance Report; the Policy Advisor generates Suggested Changes]

15/23 VO/Grid Policies Comparer
– Example output:
[java] VO/Grid Grid Accounts Policy Comparison
[java]
[java] /TECHX/Role=User is mapped to 1 account(s) on the Grid site. Passed!
[java] No Account Mapping Policies for /TECHX/VISITORS were found on the Grid site.
– Policy Comparer Grid Service
  – Allows VO users to check privilege policy compliance at a site
  – Instead of the cached verification requests, users supply a list of verification requests related to the policies of interest
  – SVOPME provides a policy comparer client as part of the VO tools
  – Currently only provides text reports; should provide a mechanism to further automate the information gathering

16/23 VO/Grid Policies Advisor
– Provides advice for the Grid site administrator on what amendments need to be made on the site so that the Grid site complies with the VO policies
– Example output:
  – The VO requested 3 accounts for the VISITORS role via VO policies
  – Site policies derived from GUMS do not match
[java] VO/Grid Grid Accounts Policy Advices
[java]
[java] No matching Grid Accounts Policy was found for /TECHX/VISITORS on the Grid site. Create a mapping in GUMS config such that /TECHX/VISITORS be mapped to at least 3 account(s)
[java] TECHX/Role=VO-Admin mapped to 1 account(s) (techxVOadmin) on the Grid site, is not suffient enough. Needs to be mapped to atleast 3 accounts.
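As an added example serving slides 13 to 16 (not SVOPME's own code), the site-side flow in Python: a constructed probe dump parsed by a Policy Builder step into effective account mappings, the Comparer producing a pass/fail line per verification request in the style of the output above, and the Advisor deriving the suggested GUMS changes. The one-pair-per-line dump format and the dict form of the VO requests (instead of XACML) are assumptions of this example.

```python
# Added example (not SVOPME's own code) of the site-side pipeline: a probe dump
# parsed into effective site policies, then compared against VO verification
# requests to produce the comparer report and the advisor's suggested changes.
# Constructed sample of the intermediate text an account-mapping probe might dump
# for the Policy Builder; the line format ("FQAN local-account") is assumed here.
PROBE_DUMP = """\
# gums-mapping probe output (constructed sample)
/TECHX/Role=User techx01
/TECHX/Role=VO-Admin techxVOadmin
/TECHX/Role=User techx02
"""

# Constructed VO verification requests: FQAN -> minimum number of local accounts
# the VO's Account Mapping Policy demands (kept as a dict instead of XACML here).
VO_REQUESTS = {"/TECHX/Role=User": 1, "/TECHX/VISITORS": 3, "/TECHX/Role=VO-Admin": 3}


def build_site_policies(dump_text):
    """Policy Builder step: effective site account mapping, FQAN -> sorted accounts."""
    mapping = {}
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fqan, account = line.split()
        mapping.setdefault(fqan, set()).add(account)
    return {fqan: sorted(accounts) for fqan, accounts in mapping.items()}


def compare(site_policies, vo_requests):
    """Policy Comparer: test each verification request one by one.
    Returns {fqan: (passed, report_line)}."""
    results = {}
    for fqan, needed in sorted(vo_requests.items()):
        accounts = site_policies.get(fqan)
        if accounts is None:
            results[fqan] = (False, "No Account Mapping Policies for %s were found "
                                    "on the Grid site." % fqan)
        elif len(accounts) >= needed:
            results[fqan] = (True, "%s is mapped to %d account(s) on the Grid site. "
                                   "Passed!" % (fqan, len(accounts)))
        else:
            results[fqan] = (False, "%s mapped to %d account(s) (%s) on the Grid site "
                                    "is not sufficient. Needs at least %d accounts."
                             % (fqan, len(accounts), ", ".join(accounts), needed))
    return results


def advise(site_policies, vo_requests):
    """Policy Advisor: turn every failed comparison into a concrete site change."""
    advice = []
    for fqan, (passed, _) in compare(site_policies, vo_requests).items():
        if passed:
            continue
        needed = vo_requests[fqan]
        if fqan not in site_policies:
            advice.append("Create a mapping in GUMS config such that %s is mapped to "
                          "at least %d account(s)" % (fqan, needed))
        else:
            advice.append("Extend the GUMS mapping for %s from %d to at least %d "
                          "account(s)" % (fqan, len(site_policies[fqan]), needed))
    return advice
```

Running `compare(build_site_policies(PROBE_DUMP), VO_REQUESTS)` reproduces the three outcomes the slides show: a pass, a missing mapping, and an under-provisioned role.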

17/23 Advantages for VOs and Sites
VOs
– No need to run ad hoc jobs to figure out which policies are enforced and which are not
– Provides templates to define commonly used policies
– Automates most of the communication with sites that support the VO
– Provides the basis for the negotiation of privileges at sites that provide opportunistic access
Sites
– Sites can advertise and prove that a VO is supported
– Sites that want to support a VO have a semi-automated mechanism to enforce the VO policies
– Privilege enforcement remains the responsibility of the site, informed by formal VO policy assertions

18/23 Experiments on FermiGrid's Integrated TestBed
– Using the "Dzero" and "Engage" VOs' privileges as real-world examples
– Validation requests are copied over to the site (FGITB) using the "Retriever" tool
– Two different probes run with different privileges
– The "Engage" VO will continue to expand and incorporate other smaller sub-VOs
– Was able to detect several anomalies
  – Enhanced disk quota probes: multiple filesystems
  – Re-wrote the quota/filesystem probe in Python, which is easier for admins to examine
  – Detected one missing account mapping
  – Legacy pool account configurations
– Separating probes allows easy adaptation to sites with unconventional configurations

19/23 Extending Meta-Policies
– Steps to extend SVOPME to support new privilege policy profiles
  – Define what access right the policy type would control (subject, action, etc.)
  – Define what the XACML policy would look like
  – Extend the VO Editor to support the policy type
  – Extend the Grid Probe to crawl the relevant resource configs
  – Extend the Policy Comparer/Advisor to interpret the test results
– Currently, it is not so trivial to extend the supported meta-policies (profiles)
– Need to refactor the design to guide developers
  – Using interfaces
  – Using generic classes

20/23 Future Directions
– We are recruiting VOs and sites to deploy SVOPME to production Grids
– Ongoing enhancements
  – The VO side needs to be able to deal with multiple grid sites for policy comparison
  – The Grid side needs to be able to organize the info of multiple VOs
  – Overall site status chart for VOs
  – Code refactoring
– Prioritize further improvements to the tools based on feedback
  – Correctness
    – The Comparer may need to be changed to only return a list of allow/deny decisions
    – Currently, only compliance is examined, not redundant policies
  – Additional meta-policies
  – Better-defined dataflow/tools
  – Adopting OSG AuthZ profiles

21/23 Conclusions
– SVOPME ensures uniform access to resources by providing an infrastructure to propagate, verify, and enforce VO policies at Grid sites
– SVOPME integrates with the OSG Authorization Infrastructure
– We continue to enhance the SVOPME design and implementations
– We are soliciting interested VOs and sites to deploy SVOPME in a production environment
– We would love to hear your comments and suggestions