VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

VOMRS and VOMS-admin Convergence, VO Management Workshop at HPDC, 6/24/2008

Slide 2: Outline
VOMRS
  – Purpose
  – Scope
  – Deployment
  – Convergence with VOMS-Admin
  – Place in the Grid World
VO Services:
  – GUMS
  – gPlazma
  – SAZ
  – Authorization Interoperability
  – SVOPME Project
Conclusion

Slide 3: Virtual Organization Management Registration Service (VOMRS)
VOMRS was developed to address the end-to-end needs for VO membership registration and groupings of common interest within the Fermilab and WLCG contexts.
Initiated on 1/24/03; first production release 3/1/2004.
Some of the collected requirements were incorporated into the Joint Security Policy Group (JSPG) VO Membership Management Policy document. The implementation is in compliance with the JSPG requirements.

Slide 4: VOMRS Scope
VOMRS offers a comprehensive set of services that facilitates secure and authenticated management of VO membership, grid resource authorization and privileges. It:
  implements a registration workflow
  supports management of multiple grid certificates per member
  permits VO-level control of a member's privileges
  provides notifications of selected events
  supports VO-level control over the VO's trusted set of Certificate Authorities
  permits delegation of responsibilities among the various VO administrators:
    – VO Admin
    – Representative
    – Group Owner/Group Manager
  manages groups and group roles:
    – Group/group role definition
    – Group/group role access
    – Group roles are linked to a specific group
    – Group/group role assignment requests
  is capable of interfacing to third-party systems:
    – CERN and Fermilab HR databases
    – DZero SAM
    – VOMS

Slide 5: VOMRS Deployment
VOMRS is a part of the VDT.
Multiple production installations:
  – Fermilab: 11 instances; total number of registered users > 5,000
  – CERN: 11 instances; total number of registered users > 4,000
  – Also installed at BNL, Texas Tech University, APAC - University of Melbourne, DESY and Forschungszentrum Jülich

Slide 6: VOMRS and VOMS-Admin Convergence (I)
VOMS-Admin is emerging:
  – The 2.5 version will have a lot of new features.
  – This raises the possibility of rationalizing the support and converging on a single solution by continuing and extending our current collaboration.
There are several crucial features that should be implemented in VOMS-Admin in order to do so:
  – Persistent member status
  – Member's institutional expiration
  – Enhanced handling of groups and group roles:
      Group and group role definitions
      Open/Restricted access
      Possibility to attach a particular role to a specified group
(continued on the next slide)

Slide 7: VOMRS and VOMS-Admin Convergence (II)
List of required features (continued):
  – Interfacing third-party services during registration and membership validation
  – Dynamic list of collected personal information
  – Registration workflow and event notification
  – Web UI improvements:
      Online help
      Sortable, selectable output
      Ability to execute actions for multiple users simultaneously
The required effort, as estimated by the VOMS-Admin developers, is about 8-10 FTE months, plus 2 months for customer feedback and deep testing.
This effort is coordinated by the LCG VO Registration Task Force.

Slide 8: VO Services Architecture
[Architecture diagram; only its labels survive in the transcript.]
Legend: AuthZ Components, VO Management Services, Site Services.
VO Management Services: VOMRS and VOMS (kept in synch); the user registers with VOMRS and obtains a voms-proxy from VOMS.
Grid Site services: GUMS and SAZ, consulted by Prima ("Is Auth? Yes / No"; "ID Mapping? Yes / No + UserName") on behalf of the CE Gatekeeper, the SE (SRM, gPlazma / Prima) and the WN (gLExec, Prima).
Labelled flow: "Submit request with voms-proxy", "Submit Pilot OR Job (UID/GID)", "Schedule Pilot OR Job" (Batch System), "Pilot SU Job (UID/GID)", "Access Data (UID/GID)" (Storage).

Slide 9: VO Services Project
The VO Services project provides user registration to the VO and fine-grained access authorization to resources.
  – Gabriele Garzoglio (Fermilab) is the project leader.
VOMRS forms part of a set of VO services implemented in accordance with the OSG blueprint and targeted to meet the needs of the OSG:
  – Certificate to User Account Mapping (GUMS)
  – Authorization for Storage and Compute Services (gPlazma, gLExec)
  – Site Banning Tool (SAZ)
Working with Globus, EGEE/gLite and INFN to provide interoperability and consolidate the implementations in the future (Authorization Interoperability Project).
Participating in the SVOPME project, which provided the prototype tools for automating the process of managing role-based privileges over the Grid, from VOs to Grid sites.
Adapting VO services to new use cases (e.g. LIGO, Shibboleth-based identity management).

Slide 10: GUMS
GUMS (Grid User Management System) maps users' grid credentials to site-specific identities in accordance with the site's grid resource usage policy.
Replaces the Globus grid-mapfile.
Retrieves membership information from a VO server such as LDAP or VOMS.
Currently the focus is on operational properties of the tools, such as monitoring, status/availability checks, validity of the authz configuration at a site, etc.

Slide 11: gPlazma
gPlazma (Grid-aware PLuggable AuthoriZation MAnagement) provides the authorization decision and the site-specific user information relevant to a user's credential when requested by storage cells (gridFtpdoor, SRM).
Retrieves the username from GUMS by providing the user's DN and FQAN.
Retrieves the storage-privilege set {uid, gid, permitted storage area, r/w permissions} from the Storage Meta Data Service.
Returns a User Authorization Record (in SAML response format) to gPlazma.

Slide 12: SAZ
SAZ (Site Authorization Service) allows the security authorities of a grid site to impose site-wide policy and to control access to the site.
Allows administrators to control user access to the site resources.
Provides means to retrieve information about users and their access.
Authorizes a user by checking:
  – the user's certificate chain
  – the status of the VO FQAN provided in the extended certificate
  – the user's access status
OSG is interested in this technology to implement a Grid-wide banning tool.
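The GUMS and SAZ slides above describe two site-side steps on the same request: a yes/no site decision (certificate chain, FQAN status, user access status) and a credential-to-local-account mapping. The following is an added illustration of how those steps fit together, written for this transcript; it is not GUMS or SAZ code. The policy tables, DNs and FQANs are constructed sample data, and certificate-chain validation is assumed to have been performed upstream and is passed in as a boolean.

```python
"""Added example (not GUMS or SAZ code): one site-side decision for a grid
request, combining the three SAZ checks with a GUMS-style mapping of the
proxy's DN/FQAN to a local account. All tables below are constructed."""
from dataclasses import dataclass


@dataclass
class SiteRequest:
    dn: str             # subject DN from the user's certificate
    fqans: list         # VOMS FQANs from the proxy, primary FQAN first
    chain_valid: bool   # outcome of certificate-chain validation (assumed done upstream)


# --- SAZ-style site policy (constructed) -----------------------------------
BANNED_DNS = {"/DC=org/DC=example/CN=mallory"}
FQAN_STATUS = {           # how the site currently treats each VO FQAN
    "/cms": "active",
    "/cms/Role=production": "active",
    "/dzero": "suspended",
}

# --- GUMS-style mapping policy (constructed), most specific entry first ----
# (FQAN prefix, base account name, hands out pool accounts?)
GROUP_MAPPING = [
    ("/cms/Role=production", "cmsprod", False),  # shared production account
    ("/cms", "cms", True),                       # pool accounts cms001, cms002, ...
    ("/dzero", "dzero", False),
]
_pool_state = {}  # (pool prefix, dn) -> pool account; real GUMS persists this


def site_authorize(req):
    """SAZ-style decision on the primary FQAN: returns (allowed, reason)."""
    if not req.chain_valid:
        return False, "certificate chain rejected"
    if req.dn in BANNED_DNS:
        return False, "DN banned at site"
    if not req.fqans:
        return False, "no VO attributes in proxy"
    primary = req.fqans[0]
    status = FQAN_STATUS.get(primary)
    if status != "active":
        return False, f"FQAN {primary} is {status or 'unknown to site'}"
    return True, f"FQAN {primary} active"


def _pool_account(prefix, base, dn):
    """Hand out a numbered pool account that stays stable for a given DN."""
    key = (prefix, dn)
    if key not in _pool_state:
        n = sum(1 for p, _ in _pool_state if p == prefix) + 1
        _pool_state[key] = f"{base}{n:03d}"
    return _pool_state[key]


def map_identity(req):
    """GUMS-style mapping: first FQAN in proxy order that matches a policy entry wins."""
    for fqan in req.fqans:
        for prefix, base, is_pool in GROUP_MAPPING:
            if fqan == prefix or fqan.startswith(prefix + "/"):
                return _pool_account(prefix, base, req.dn) if is_pool else base
    return None


def authorize_and_map(req):
    """Full site answer: the SAZ verdict first, then the local account to run as."""
    allowed, reason = site_authorize(req)
    if not allowed:
        return {"authorized": False, "reason": reason, "username": None}
    username = map_identity(req)
    if username is None:
        return {"authorized": False, "reason": "no site mapping for FQANs", "username": None}
    return {"authorized": True, "reason": reason, "username": username}


if __name__ == "__main__":
    alice = SiteRequest("/DC=org/DC=example/CN=alice", ["/cms/Role=production", "/cms"], True)
    print(authorize_and_map(alice))   # authorized, username cmsprod
```

The ordering matters for the same reason it does in a real site configuration: the ban list and the FQAN status are checked before any account is allocated, so a banned or suspended request never consumes a pool account, and the most specific mapping entry is listed first so a production role is not silently mapped to a generic pool account.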

Slide 13: Authorization Interoperability Activity
Started in Oct 2006 as a collaborative effort between the OSG VO Services Project, EGEE, Globus and Condor (joined later).
Goal: to provide interoperability between middleware and authorization infrastructures.
The common protocol is used by resource gateways, or Policy Enforcement Points (PEP), to interact with Policy Decision Points (PDP).
For each access request, the PDP informs the PEP whether access is granted or denied and what obligations need to be enforced if access is granted.
Obligations are used as a mechanism to restrict privileges at Grid resources.
The final design document: "An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids".
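An added illustration of the PEP/PDP exchange the slide describes, written for this transcript rather than taken from the Authorization Interoperability project. The request and response are plain dicts standing in for the SAML-XACML messages, the PDP rules are constructed, and the obligation identifiers ("uidgid", "path-restriction", "storage-priority") are labels invented for this example, not the profile's actual obligation URIs. It goes one step beyond the slide text by showing the rule a gateway has to follow when it is handed an obligation it cannot enforce.

```python
"""Added example (not the project's code): a PDP that answers Permit/Deny plus
obligations, and a gateway PEP that enforces them. Rule table and obligation
names are constructed for illustration."""

PERMIT, DENY = "Permit", "Deny"

# Constructed PDP policy: (FQAN prefix, resource type, action, obligations on Permit)
PDP_RULES = [
    ("/cms/Role=production", "ce", "execute",
     [{"id": "uidgid", "uid": 4001, "gid": 4000}]),
    ("/cms", "ce", "execute",
     [{"id": "uidgid", "uid": 4100, "gid": 4000},
      {"id": "path-restriction", "root": "/scratch/cms"}]),
    ("/cms", "se", "access",
     [{"id": "uidgid", "uid": 4100, "gid": 4000},
      {"id": "storage-priority", "level": "low"}]),
]


def _fqan_matches(fqan, prefix):
    return fqan == prefix or fqan.startswith(prefix + "/")


def pdp_evaluate(request):
    """PDP side: first matching rule wins; no matching rule means Deny (default deny)."""
    subj, res, action = request["subject"], request["resource"], request["action"]
    for prefix, rtype, act, obligations in PDP_RULES:
        if rtype == res["type"] and act == action and _fqan_matches(subj["fqan"], prefix):
            return {"decision": PERMIT, "obligations": list(obligations)}
    return {"decision": DENY, "obligations": []}


class GatewayPEP:
    """PEP side: a resource gateway that can enforce a known set of obligations."""

    def __init__(self, resource_type, handlers):
        self.resource_type = resource_type
        self.handlers = handlers  # obligation id -> function(obligation, env)

    def authorize(self, dn, fqan, action):
        request = {"subject": {"dn": dn, "fqan": fqan},
                   "resource": {"type": self.resource_type},
                   "action": action}
        response = pdp_evaluate(request)
        if response["decision"] != PERMIT:
            return {"granted": False, "reason": "PDP denied", "env": None}
        env = {}
        for ob in response["obligations"]:
            handler = self.handlers.get(ob["id"])
            if handler is None:
                # XACML semantics: a PEP that cannot discharge an obligation
                # attached to a Permit must not grant access.
                return {"granted": False,
                        "reason": f"cannot enforce obligation {ob['id']}", "env": None}
            handler(ob, env)
        return {"granted": True, "reason": "permit with obligations enforced", "env": env}


# Obligation handlers a compute-element gateway understands (constructed)
def _apply_uidgid(ob, env):
    env["uid"], env["gid"] = ob["uid"], ob["gid"]


def _apply_path_restriction(ob, env):
    env["chroot"] = ob["root"]


CE_PEP = GatewayPEP("ce", {"uidgid": _apply_uidgid,
                           "path-restriction": _apply_path_restriction})
# A storage gateway that only knows uidgid and so cannot honour storage-priority
SE_PEP = GatewayPEP("se", {"uidgid": _apply_uidgid})

if __name__ == "__main__":
    print(CE_PEP.authorize("/DC=org/DC=example/CN=alice", "/cms/Role=production", "execute"))
```

The point of the unknown-obligation branch is that obligations are the only thing standing between a Permit and an unrestricted local identity: a gateway that ignores an obligation it does not understand would silently grant more privilege than the PDP decided, so the safe outcome is to deny and log the obligation id.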

Slide 14: SVOPME Project
SVOPME: A Scalable Virtual Organization Privileges Management Environment.
  – Joint project of Tech-X Corporation and Fermilab, financed by Small Business Innovation Research
  – Phase I was completed in March 2008
Goal: to develop tools and services for automating the process of managing role-based privileges over the Grid, from VOs to Grid sites.
Prototype tools were developed to facilitate the automatic propagation of privilege data:
  – VO Policy Editor: generates VO policies and verification queries
  – VO/Grid Policies Comparer: produces a report on which VO policies are honored by the Grid site and which are not
  – VO/Grid Policies Advisor: advises the Grid administrator on what amendments need to be made on the Grid so that the Grid site complies with the VO policies
An XML schema for specifying role-based privilege policies was defined and used to assist in documenting and converting policies among VOs and Grid sites.
Proof of concept: use standard policy languages (XACML) to express site and VO policies for our use cases.
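An added illustration of what the Comparer and Advisor on this slide do, written for this transcript; it is not SVOPME code and does not reproduce SVOPME's XML schema or XACML encoding. The VO policy, the site's effective configuration and the privilege names are constructed. It goes slightly beyond the slide by also reporting privileges the site grants that the VO policy never asked for, since from a site-security point of view those are as much a compliance finding as missing ones.

```python
"""Added example (not SVOPME code): compare a VO's role-based privilege policy
with what a site actually grants, then turn the differences into amendments.
All policy data below is constructed."""

# VO policy: for each VO role (FQAN), the privileges the VO expects sites to grant
VO_POLICY = {
    "/cms/Role=production": {"dedicated-account", "write:/store/cms", "batch-priority:high"},
    "/cms": {"pool-account", "read:/store/cms"},
}

# Effective privileges the site grants, as derived from its configuration (constructed)
SITE_CONFIG = {
    "/cms/Role=production": {"dedicated-account", "write:/store/cms", "batch-priority:normal"},
    "/cms": {"pool-account", "read:/store/cms", "write:/store/cms"},
}


def compare_policies(vo_policy, site_config):
    """Comparer: per role, which VO-required privileges the site honours, which it
    does not, and which extra privileges the site grants beyond the VO policy."""
    report = {}
    for role, required in vo_policy.items():
        granted = site_config.get(role, set())
        report[role] = {
            "honored": sorted(required & granted),
            "missing": sorted(required - granted),
            "excess": sorted(granted - required),
        }
    return report


def advise(report):
    """Advisor: turn the comparison into concrete amendments for the site administrator."""
    advice = []
    for role, entry in sorted(report.items()):
        for priv in entry["missing"]:
            advice.append(f"{role}: grant '{priv}' required by VO policy")
        for priv in entry["excess"]:
            advice.append(f"{role}: revoke '{priv}' not covered by VO policy")
    return advice


def site_complies(report):
    """True only when every role has nothing missing and nothing in excess."""
    return all(not e["missing"] and not e["excess"] for e in report.values())


if __name__ == "__main__":
    rep = compare_policies(VO_POLICY, SITE_CONFIG)
    for line in advise(rep):
        print(line)
```

Privileges are compared as opaque strings, so a value mismatch such as batch-priority high versus normal shows up as one missing and one excess entry and yields a grant/revoke pair; a real comparer would also have to map each privilege onto the specific site configuration (GUMS mapping, batch queue, storage ACL) that implements it.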

Slide 15: Summary
VOMRS and VOMS were developed to address the end-to-end needs for VO membership registration and groupings of common interest within the WLCG and Fermilab contexts.
Fermilab is committed to the support and maintenance of VOMRS in the short and longer term.
The recent development of new features in VOMS-Admin raises the possibility of rationalizing the support and converging on a single solution by continuing and extending our current collaborations.
The VO Services Project is constantly evolving and adapting to new use cases.