GUMS Gabriele Carcassi PPDG Collaboration meeting June 27, 2004

Goal

- Concentrate on job submission
- Production system for site authorization
  – Allow centralized management of all BNL gatekeeper access and mapping
  – Allow policy based mapping
  – Eliminate the need for grid-mapfiles (use callouts)
  – Enable role based authorization (different local user and/or different use of local resources)
- Make it a product

Features

- Logging: a thought-out log system (working with BNL cybersecurity on this)
- Account pooling
- Fault tolerance: be able to withstand various internal and external malfunctions
- Modularity: allow anybody to plug in a site-specific policy by just dropping in a library
- Persistence layer: allow integration of site-specific authorization/human resources databases
- Scalability: multiple servers with load balancing

Features

- Backup plans: always be able to revert to technologies that actually work
- Accounting: multiple accounts per VO with Grid3
- Collaboration with other groups
- Gradual changes: always have the system in production
- Fast release cycle: release every 1 or 2 months
- Unit tests: test-driven development

Discussion

- Are other sites interested?
- "Auditing service" (allow the cybersecurity teams of different sites to query each other's access logs)?
- "Test service" (an interface to perform internal tests and see if the service is running/configured correctly)?

Architecture

No GUMS (diagram): the Globus gatekeeper/jobmanager on each gatekeeper consults a local grid-mapfile; the grid-mapfile is populated by edg-mkgridmap from the membership lists of the VOs (… VO … VO … VO).

GUMS 0.5 (diagram): a gums cron job writes the grid-mapfile on each gatekeeper from the GUMS server, which stores its data in the GUMS DB and pulls the VO membership lists; administration is through command line tools.

GUMS 0.6 (diagram): as 0.5, plus a business logic layer in the GUMS server and a Web UI next to the command line tools.

GUMS 0.7 (?) (diagram): as 0.6, plus a Web service interface on the GUMS server.

GUMS 1.0 (diagram): no grid-mapfile and no cron job; the gatekeeper/jobmanager asks the GUMS server directly through a callout to the Web service, backed by the business logic and the GUMS DB (Web UI and command line tools kept).

GUMS 1.0 (if all else fails) (diagram): fallback layout with the same components (GUMS server, GUMS DB, VOs, gatekeeper/jobmanager, callout, business logic, Web UI, command line, Web service) arranged differently.

BNL siteAAA layout

Diagram. Registration process: an applicant applies, a representative approves/denies, and the VO is notified. Virtual organization management (ATLAS VO, STAR VO, PHENIX VO, … VO) with server tools; site access management (cyber security); resource management (sysadmin); client tools (user); credential storage; client authentication; GRID resources.

Couple of GUMS UML diagrams

Configuration -> HostnameMapping -> GroupMapper -> (UserGroup, AccountMapper), each one-to-many
  HostnameMapping: List retrieveGroupMappers(String hostname); implemented by HostnameMappingImpl
  GroupMapper: pairs a UserGroup with an AccountMapper
  UserGroup: boolean isInGroup(String userDN); List getMemberList(); void updateMembers()
  AccountMapper: String mapUser(String userDN)

Groups
  UserGroup implementations: MockUserGroup, LDAPUserGroup, VOMSUserGroup, ManualUserGroup
  Persistence: UserGroupDB, ManualUserGroupDB

AccountMappers
  AccountMapper implementations: MockAccMapper, GroupAccMapper, NISAccountMapper, ManualAccMapper, CompositeAccMapper (holds many AccountMappers)
  Persistence: ManualAccMaperDB

Persistence layer
  PersistanceFactory (implementations: MockPersFact, MySQLPersFact)
    ManualAccountMapperDB retrieveManualAccountMapperDB(String name);
    UserGroupDB retrieveUserGroupDB(String name);
    ManualUserGroupDB retrieveManualUserGroupDB(String name);
    AccountPoolMapperDB retrieveAccountPoolMapperDB(String name);
  MySQL-backed DB classes: MySQLAccMapperDB, ManualAccountMapperDB
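The following Python model is an added example for the architecture slides and the class diagrams above; it is not GUMS code (GUMS is Java) but a working sketch of the same decomposition: a grid-mapfile parser for the "No GUMS" path, then a hostname -> group mapper -> account mapper chain that can either write the grid-mapfile a GUMS 0.5 cron job would write or answer a GUMS 1.0 style callout, with a pool account mapper that keeps its assignments. All DNs, the hostname gk.example.org, group names and account names are constructed. Two modelling assumptions are mine: membership is tested on the DN alone (role-based mapping on VOMS attributes, which the goal slide asks for, is out of scope here), and a group whose mapper returns nothing (exhausted pool) falls through to the next group.

```python
"""Model of the two authorization paths on the slides: a static grid-mapfile
and a GUMS-style policy chain. Example written for this page, not GUMS source.
All DNs, hostnames and account names are constructed."""
import shlex
from typing import Optional

# Constructed grid-mapfile in gatekeeper format: "DN" account[,account...]
GRID_MAPFILE = '''\
# written by edg-mkgridmap (constructed sample)
"/DC=org/DC=doegrids/OU=People/CN=Alice Example 1234" usatlas1
"/DC=org/DC=doegrids/OU=People/CN=Bob Example 5678" star,rhstar
'''


def parse_gridmap(text: str) -> dict:
    """Return {DN: account}. DNs are quoted because they contain spaces; the
    first entry of a comma-separated account list is the default account."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            raise ValueError(f'malformed grid-mapfile line: {line!r}')
        dn, accounts = fields
        mapping.setdefault(dn, accounts.split(',')[0])  # first DN match wins
    return mapping


class UserGroup:
    """Membership test on a DN (stands in for VOMSUserGroup/ManualUserGroup)."""
    def __init__(self, name: str, members):
        self.name, self.members = name, set(members)

    def is_in_group(self, dn: str) -> bool:
        return dn in self.members

    def get_member_list(self):
        return sorted(self.members)


class GroupAccountMapper:
    """Everyone in the group shares one local account."""
    def __init__(self, account: str):
        self.account = account

    def map_user(self, dn: str) -> Optional[str]:
        return self.account


class AccountPoolMapper:
    """One pool account per DN, assignment remembered (the persistence layer
    in GUMS). Returns None once the pool is empty instead of reusing an
    account that already belongs to another DN."""
    def __init__(self, accounts):
        self.free, self.assigned = list(accounts), {}

    def map_user(self, dn: str) -> Optional[str]:
        if dn not in self.assigned:
            if not self.free:
                return None
            self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]


class HostnameMapping:
    """hostname -> ordered (UserGroup, account mapper) pairs. The first group
    containing the DN that yields an account wins; a DN in no group maps to
    None, which the gatekeeper callout treats as a denial (fail closed)."""
    def __init__(self):
        self.rules = {}

    def add(self, hostname: str, group: UserGroup, mapper):
        self.rules.setdefault(hostname, []).append((group, mapper))

    def map_user(self, hostname: str, dn: str) -> Optional[str]:
        for group, mapper in self.rules.get(hostname, []):
            if group.is_in_group(dn):
                account = mapper.map_user(dn)
                if account is not None:
                    return account
        return None

    def generate_gridmap(self, hostname: str) -> str:
        """What the GUMS 0.5/0.6 cron job would write for one gatekeeper."""
        entries = {}
        for group, _ in self.rules.get(hostname, []):
            for dn in group.get_member_list():
                if dn not in entries:
                    account = self.map_user(hostname, dn)
                    if account is not None:
                        entries[dn] = account
        return ''.join(f'"{dn}" {acct}\n' for dn, acct in entries.items())


ALICE = '/DC=org/DC=doegrids/OU=People/CN=Alice Example 1234'
BOB = '/DC=org/DC=doegrids/OU=People/CN=Bob Example 5678'
CAROL = '/DC=org/DC=doegrids/OU=People/CN=Carol Example 9012'
DAVE = '/DC=org/DC=doegrids/OU=People/CN=Dave Example 3456'


def build_policy() -> HostnameMapping:
    """Constructed policy for a hypothetical gatekeeper gk.example.org:
    ATLAS production shares usatlas1, STAR users draw from a pool of two."""
    policy = HostnameMapping()
    policy.add('gk.example.org', UserGroup('atlas/production', [ALICE]),
               GroupAccountMapper('usatlas1'))
    policy.add('gk.example.org', UserGroup('star', [BOB, CAROL, DAVE]),
               AccountPoolMapper(['star001', 'star002']))
    return policy


if __name__ == '__main__':
    policy = build_policy()
    print(parse_gridmap(GRID_MAPFILE))
    print(policy.map_user('gk.example.org', BOB), policy.map_user('gk.example.org', DAVE))
    print(policy.generate_gridmap('gk.example.org'))
```

Two things the model makes visible that the diagrams do not: the generated grid-mapfile and the live callout come from the same policy object, so the 0.5 cron path and the 1.0 callout path cannot disagree, and the pool mapper's exhaustion shows up as a denial rather than as a silently shared account.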

From GUMS 0.6

<userGroup className='gov.bnl.gums.VOMSGroup' url=' persistanceFactory='mysql' name='star' sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem'/>

<userGroup className='gov.bnl.gums.VOMSGroup' url=' persistanceFactory='mysql' name='phenix' sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem'/>