Grid User Management System Gabriele Carcassi HEPIX 2004 18 October 2004.

Presentation transcript:

Grid User Management System Gabriele Carcassi HEPIX October 2004

Outline
What GUMS is
How it is used at BNL
What the current functionalities are
Roadmap and future

GUMS … is a site tool
[Diagram: each VO runs its own VOMS (ATLAS VOMS, CMS VOMS); each site runs its own GUMS (BNL GUMS at Brookhaven National Lab, CERN GUMS).]

GUMS … translates a Grid identity to a local identity (certificate -> local user)
[Diagram: a Grid resource asks BNL GUMS (Resource AuthZ Service – Grid Identity Mapping) to map /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi to the local user carcassi.]
Simpler case shown, equivalent to grid-mapfile

GUMS … is centralized: one server per site
[Diagram: a single BNL GUMS serving several Grid resources.]
Allows identity mapping to be controlled from a single place
Keeps the site consistent

GUMS … allows a site policy
[Diagram: three host groups, each with its own allow rules.]
Test servers for USATLAS – Allow:
–All LCG test VO mapped to 'lcgt'
–All USATLAS group mapped to 'usatlast'
Grid3 production servers – Allow:
–Members of Grid3 VO mapped with accounts taken from a pool
–Members on a special list from a database mapped to 'special'
Other machines – Allow:
–Members of … mapped to …
All group and mapping definitions are specified in a single XML file

Use at BNL since May 2004
[Diagram: ATLAS VO, STAR VO, PHENIX VO, … VO -> GUMS server (GUMS DB, mapfile cache) -> Grid resources.]
GUMS contacts the VO servers and updates the local database with their members
GUMS generates the maps according to the policy and stores them in a special DB table
The gatekeepers contact the database to retrieve their mapping

Use at BNL – GUMS Policy example

    <userGroup className='gov.bnl.gums.LDAPGroup'
               server='grid-vo.nikhef.nl'
               query='ou=usatlas,o=atlas,dc=eu-datagrid,dc=org'
               persistanceFactory='mysql'
               name='usatlas' />
    <userGroup className='gov.bnl.gums.VOMSGroup'
               url=''  <!-- VOMS server URL not preserved in the transcript -->
               persistanceFactory='mysql'
               name='star'
               sslCertfile='/etc/grid-security/hostcert.pem'
               sslKey='/etc/grid-security/hostkey.pem' />
    …

Open architecture
All critical pieces are defined through interfaces and specified in the configuration
[Diagram: Persistence Factory (with persistence implementations), UserGroup, Account Mapper, GroupMapper, HostGroup.]
Allows integration with site-specific services (e.g. HR databases, LDAP, information services, …):
1. Implement the interface (the only dependency on GUMS)
2. Put the jar in the lib folder
3. Modify the policy file

Features implemented
Persistence:
–MySQL
UserGroups:
–LDAP VO, VOMS, manual list of users (persistence)
AccountMappers:
–Group account, best-effort NIS mapping, account pool, manual mapping (persistence)
All are being used at BNL

Future plans
Version 1.0 will be ready by the OSG-0 release (February 2005)
Target functionalities:
–Account pooling (already tested and set up within Grid3)
–Web service interface for GUMS
–Role based authorization (part of the Privilege Project, a joint USATLAS and USCMS project)

Account Pooling
A generic grid user will be assigned a generic grid account (no recycling) from a pool of pre-created accounts
Will allow BNL cybersecurity to perform auditing
To go in production we need:
1. Assign the group id after the assignment
2. Make sure it doesn't disrupt accounting and applications
[Diagram: pool accounts grid0009 … grid0017, with DNs such as /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi, /DC=org/DC=doegrids/OU=People/CN=Dantong Yu and /DC=org/DC=doegrids/OU=People/CN=Razvan Popescu each bound to one pool account.]

GT3 GUMS service
Use the gatekeeper call-out to contact GUMS directly
[Diagram: ATLAS VO, STAR VO, PHENIX VO, … VO -> GUMS server (GUMS DB) -> Grid resources, with no mapfile cache in between.]

Role based authorization
Use of the callout and of the VOMS extended proxy
[Diagram: with a plain certificate, BNL GUMS maps /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi to carcassi; with the VOMS attribute /VO=ATLAS/Group=USATLAS/Role=production-leader, the same DN is mapped to usatlasprod.]
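The site policy, account pooling and role-based mapping described in the slides above, as an added example (not GUMS code): a minimal policy engine where a host group selects an ordered rule list, the first matching user group wins, and an account pool hands each DN one pre-created account with no recycling. Host names, the "Extra Member" DN and the group memberships are constructed; the other DNs, account names and the FQAN come from the slides.

```python
from fnmatch import fnmatch

class GroupAccount:          # every member of the group shares one local account
    def __init__(self, account): self.account = account
    def map(self, dn): return self.account

class AccountPool:           # pre-created accounts, handed out once and never recycled
    def __init__(self, accounts): self.free, self.assigned = list(accounts), {}
    def map(self, dn):
        if dn not in self.assigned:
            if not self.free: return None        # pool exhausted: deny, do not reuse
            self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]

class ManualMapper:          # explicit DN -> account table kept by the site
    def __init__(self, table): self.table = table
    def map(self, dn): return self.table.get(dn)

class Gums:
    """groups: name -> set of DNs or VOMS FQANs; policy: [(host glob, [(group, mapper), ...])]"""
    def __init__(self, groups, policy): self.groups, self.policy = groups, policy
    def map_user(self, host, dn, fqan=None):
        for host_glob, rules in self.policy:
            if fnmatch(host, host_glob):
                for group, mapper in rules:          # first matching group wins
                    members = self.groups[group]
                    if dn in members or (fqan and fqan in members): return mapper.map(dn)
                return None                          # host known, user not allowed
        return None                                  # host matches no host group
    def mapfile(self, host, dns):                    # grid-mapfile lines for one gatekeeper
        return [f'"{dn}" {a}' for dn in dns if (a := self.map_user(host, dn))]

DN_GC = "/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi"
DN_DY = "/DC=org/DC=doegrids/OU=People/CN=Dantong Yu"
DN_RP = "/DC=org/DC=doegrids/OU=People/CN=Razvan Popescu"
DN_X = "/DC=org/DC=doegrids/OU=People/CN=Extra Member"      # constructed
PROD_LEADER = "/VO=ATLAS/Group=USATLAS/Role=production-leader"

def build_site():    # constructed memberships and a policy echoing the slides' site policy
    groups = {"lcgtest": {DN_X}, "usatlas": {DN_GC, DN_DY}, "special": {DN_RP},
              "grid3": {DN_GC, DN_DY, DN_RP, DN_X}, "prodleader": {PROD_LEADER}}
    policy = [
        ("*.test.example", [("lcgtest", GroupAccount("lcgt")), ("usatlas", GroupAccount("usatlast"))]),
        ("*.prod.example", [("prodleader", GroupAccount("usatlasprod")),
                            ("special", ManualMapper({DN_RP: "special"})),
                            ("grid3", AccountPool(["grid0009", "grid0010"]))]),
    ]
    return Gums(groups, policy)
```

A third Grid3-only member on a production host gets no account once the two-entry pool is used up, which is the audit-friendly behaviour the slides want from "no recycling".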