The VO Services Project. Don Petravick for Gabriele Garzoglio, Computing Division, Fermilab. ISGC 2007, Mar 28, 2007.

Presentation transcript:

Slide 1/9: The VO Services Project
Don Petravick for Gabriele Garzoglio, Computing Division, Fermilab, ISGC 2007
Overview:
- Charter & Stakeholders
- Architecture
- Deployment
- Performance
- Collaboration & Recent Focus

Slide 2/9: Project Charter
- The project provides an infrastructure to manage user registration and implement fine-grained authorization to access rights on computing and storage resources.
- Authorization is linked to identities and extended attributes.
- Mapping is dynamic and supports pool accounts.
- Enforcement of access rights is implemented using UID/GID pairs.
- The infrastructure aims at reducing administrative overhead.
- Authorization service is central at the site.
- The project is responsible for the development and maintenance of the infrastructure and for assisting with the deployment and support on the OSG.

Slide 3/9: Stakeholders
- Stakeholders giving requirements: US CMS and US ATLAS.
- Joint Project of Fermilab, BNL, PPDG, Virginia Tech, UCSD, OSG since 2003
- Different institutions are responsible for the maintenance of different components
- Core software distributed via VDT

Slide 4/9: VO Services Architecture
- GUMS server maintains identity / attribute mapping for all the gateways at a site
- gPlazma server (not shown) enhances UID/GID mapping with service-specific parameters (e.g. root path for SE).
- SAZ checks black/white lists
- Periodically, GUMS synchronizes with VOMS users/groups
- User identity and attributes are maintained in VOMS through VOMRS
- Users interact with VOMS to get attribute-enhanced credentials
- Gateway software (CE and SE) performs
  - identity mapping call-out through the PRIMA module
  - access control call-out through the SAZ module
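The two gateway call-outs on this slide, as an added sketch that is not code from the VO Services project or from GUMS, SAZ or PRIMA. The class and function names, the DNs, the account prefixes, the UID/GID numbers, the order of the two call-outs and the use of a VO whitelist in SAZ are all assumptions made for illustration.

```python
# Toy model of the gateway call-outs on the architecture slide. All DNs, FQANs,
# account names and UID/GID numbers are constructed; this is not GUMS/SAZ/PRIMA code.
from dataclasses import dataclass, field

@dataclass
class Saz:
    """Site access control: a banned DN is always denied, and the VO must be whitelisted."""
    banned_dns: set
    allowed_vos: set
    def authorize(self, dn, fqan):
        vo = fqan.split("/")[1] if fqan else None   # no FQAN means a non-VOMS proxy
        return dn not in self.banned_dns and vo in self.allowed_vos

@dataclass
class Gums:
    """Identity mapping: (DN, FQAN) -> (account, UID, GID), leasing pool accounts on demand."""
    policy: dict                                 # FQAN -> (prefix, first UID, GID, pool size)
    leases: dict = field(default_factory=dict)   # (DN, FQAN) -> (account, UID, GID)
    def map(self, dn, fqan):
        if fqan not in self.policy:
            return None
        if (dn, fqan) not in self.leases:
            prefix, first_uid, gid, size = self.policy[fqan]
            used = sum(1 for (_, f) in self.leases if f == fqan)
            if used >= size:
                return None                      # pool exhausted: fail closed, never share
            self.leases[(dn, fqan)] = (f"{prefix}{used + 1:03d}", first_uid + used, gid)
        return self.leases[(dn, fqan)]           # same user and role keep the same account

def gateway_callout(saz, gums, dn, fqan):
    """CE/SE gateway: access-control call-out, then identity-mapping call-out."""
    if not saz.authorize(dn, fqan):
        return ("DENY", None)
    mapping = gums.map(dn, fqan)
    return ("PERMIT", mapping) if mapping else ("DENY", None)

def demo():
    """Constructed sample site: one banned DN, one allowed VO, two role-specific pools."""
    saz = Saz({"/DC=org/DC=example/CN=Mallory"}, {"cms"})
    gums = Gums({"/cms": ("cms", 6000, 600, 2),
                 "/cms/Role=production": ("cmsprod", 5000, 500, 1)})
    alice, mallory = "/DC=org/DC=example/CN=Alice", "/DC=org/DC=example/CN=Mallory"
    requests = [(alice, "/cms"), (alice, "/cms/Role=production"),
                (alice, None), (mallory, "/cms")]
    return [gateway_callout(saz, gums, dn, fqan) for dn, fqan in requests]
```

The same DN lands on different UID/GID pairs depending on the role it presents, which is what makes enforcement by UID/GID role-based.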

Slide 5/9: Deployment
- The authorization system (GUMS) has been deployed at O(10) OSG sites
  - US CMS T2 centers and T1 at FNAL
  - US ATLAS T2 centers and T1 at BNL
  - FermiGrid (includes SAZ) et al.
- VOMRS deployed at
  - Fermilab: 14 VO with > 5,000 users
  - CERN: 9 VO with > 2,500 users
  - BNL: 2 VO
  - Evaluations: 2 TTU & 2 U. of Melbourne

Slide 6/9: GUMS & SAZ at FermiGrid
- Fixed GUMS memory leak
- Access denied to non-VOMS proxy.
- GUMS scales well to ~480,000 calls/day (20k calls/hour).
- Turn ON SE call-out (gPlazma). SE callout > 80% Total callout.
- 2007

Slide 7/9: Collaboration with Globus and EGEE
- Current AuthZ call-out library (PRIMA) is based on SAML v1.1 + XACML extensions
  - Standardization was tough to achieve.
- Now working with Globus and EGEE to introduce a common/standard AuthZ call-out library for PRIMA/GUMS/SAZ (OSG) & LCAS/LCMAPS (EGEE).
- Globus AuthZ library is based on SAML2 / XACML2.
- Planned integration with Globus: Apr OSG and EGEE AuthZ services thereafter.

Slide 8/9: Recent Focus
- Improve operations by improving
  - robustness: configuration management
  - usability: user interface
  - validation processes across components
- Helping LIGO with AuthN/Z requirement for the OSG
- Supporting site security for late-binding jobs using gLExec
- Working with SE groups to refine mapping policies

Slide 9/9: Conclusions
- The privilege infrastructure provides user registration and role-based fine-grained authorization for access to grid-enabled resources.
- GUMS is deployed on the OSG by US CMS, US ATLAS, et al.
- VOMRS is deployed at FNAL, BNL, CERN for 25+ VOs
- We promote the adoption of standards for AuthZ Services