EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

Federated Identity for Grid Architects Tom Scavo NCSA
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Voms & Voms-admin report Vincenzo Ciaschini.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
Interoperability in OMII – Europe (using the new standard compliant SAML-based VOMS to handle attribute-based authz.) Morris Riedel (FZJ), Valerio Venturi.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
EDG Security European DataGrid Project Security Coordination Group
E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.
INFSO-RI Enabling Grids for E-sciencE VOMS architecture Valerio Venturi, Vincenzo Ciaschini INFN First gLite tutorial on GILDA,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks AMGA PHP API Claudio Cherubino INFN - Catania.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Introduction to GILDA and gaining access.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.
INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA Hands-on on security Pedro Rausch IF - UFRJ.
OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS SAML Vincenzo Ciaschini MWSG Zurich,
INFSO-RI Enabling Grids for E-sciencE Use of VOMS Attributes: semantics and suggestions Vincenzo Ciaschini MWSG 12 Stockholm 12-13/06/07.
INFSO-RI Enabling Grids for E-sciencE Installing a gLite VOMS Server Giuseppe La Rocca INFN EGEE Tutorial Rome November 2005.
INFSO-RI Enabling Grids for E-sciencE Installing a gLite VOMS server Joachim Flammer Integration Team, CERN EMBRACE Tutorial, Clermont-Ferrand.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
VOMS: Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb
4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS E-infrastructure shared between Europe and Latin America Security Hands-on Vanessa.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Practicals on Security Miguel Cárdenas Montes.
E-infrastructure shared between Europe and Latin America Security Hands-on Alexandre Duarte CERN Fifth EELA Tutorial Santiago, 06/09-07/09,2006.
EGEE-II INFSO-RI Enabling Grids for E-sciencE MyProxy - a brief introduction.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
INFSO-RI Enabling Grids for E-sciencE - II VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007.
INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
Enabling Grids for E-sciencE Sofia, 17 March 2009 INFSO-RI Introduction to Grid Computing, EGEE and Bulgarian Grid Initiatives –
INFSO-RI Enabling Grids for E-sciencE VO Naming practice and suggested development Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSI with OpenSSL Vincenzo Ciaschini EGEE-3.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS & Reliability Vincenzo Ciaschini & Andrea.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE is a project funded by the European Union under contract IST New VO Integration Fabio Hernandez ROC Managers Workshop,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009.
Hands-on security Carlos Fuentes RedIRIS Madrid,26 – 30 de Octubre de 2008.
Hands on Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) 马兰馨 IHEP, CAS Hands on gLite Security.
Enabling Grids for E-sciencE gLite security pratical tutorial Dario Russo INFN Catania Catania,
1Maria Dimou- cern-it-gd LCG End of the Task Force for VO User Registration of LHC Experiment Users Grid Deployment.
EGEE-III INFSO-RI Enabling Grids for E-sciencE VO Authorization in EGEE Erwin Laure EGEE Technical Director Joint EGEE and OSG Workshop.
1 Grid security Services and Support Vincenzo Ciaschini, INFN CNAF V INFN-GRID workshop 18-20/12/2006.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
Guidelines for attribute translation to X.509
StoRM: a SRM solution for disk based storage systems
Practicals on VOMS and MyProxy
Grid accounting system
Vincenzo Ciaschini JRA1 All-Hands Helsinki 18-20/06/07
Update on EDG Security (VOMS)
Presentation transcript:

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop Boston, 24/6/08

Enabling Grids for E-sciencE EGEE-II INFSO-RI What is VOMS, in short VOMS is a X.509 compliant Attribute Authority –See RFC 3281 VOMS is a SAML Attribute Authority –See  SAML V2.0 Deployment Profile for X.509 Subjects  OGF document currently in public comments

Enabling Grids for E-sciencE EGEE-II INFSO-RI The Problem: In a Virtual Organization World, resource utilization is authorized on a VO basis –Not all users are alike! –Membership in a VO is large and subject to change –Resources are many and subject to change –Authorizing every single user on every single resource does not scale! So, why not authorize user on the basis of a set of attributes? –Many, many less attributes that users –Much less frequent changes

Enabling Grids for E-sciencE EGEE-II INFSO-RI What is VOMS VOMS is a X509 Attribute Authority with special support for Grids and VOs –Adds direct support to represent organizational data  Workgroups Subgroups of workgroups, subgroups of subgroups, etc…  Provisions for special roles inside groups –Also keeps support for more “standard” attributes  Name = value  And allows them to be associated not only to users, but also to subgroups and roles

Enabling Grids for E-sciencE EGEE-II INFSO-RI Examples Examples of Attributes: /vo1 workgroup /vo1/group1 subgroup /vo1/group1/Role=TestRole role in subgroup login = marotta guarantor = Vincenzo C. (/vo1/group1/Role=TestRole)‏ location = Bologna (/vo1/group1)‏

Enabling Grids for E-sciencE EGEE-II INFSO-RI Usage of attributes Attributes are useless if resources and applications could not access them. Both push and pull are supported: –Pull:  Resources and applications can directly contact VOMS on behalf of users to obtain their attributes. –Push:  A voms-proxy-init command is provided to contact VOMS and put the attributes in the user’s proxy, which is subsequently delegated to applications. Grid software almost completely uses push. The protocol to contact the server is proprietary but documented. –No update will ever break forward and backward compatibility

Enabling Grids for E-sciencE EGEE-II INFSO-RI To change: View -> Header and Footer 7 VOMS Interaction

Enabling Grids for E-sciencE EGEE-II INFSO-RI VOMS Formats and Standards VOMS inserts its attributes into Attribute Certificates conforming to RFC 3281 Proxies generated by voms-proxy-init conform to RFC 3820 VOMS uses X509 certificates and proxies (both RFC 3820 and old-style) to authenticate

Enabling Grids for E-sciencE EGEE-II INFSO-RI What is VOMS? VOMS is a X509 Attribute Authority with special support for Grids and VOs VOMS is a Membership management tool –Membership in VO Membership in a VOMS –Membership in a VOMS implies a lot of things  A user may be a member of many groups  A user may hold multiple roles  A user may have many attributes –A tool is needed to manage this: VOMS-Admin

Enabling Grids for E-sciencE EGEE-II INFSO-RI VOMS-Admin VOMS-Admin is a tool used to manage user membership data in a VOMS –A separate process from VOMS –Comprised by both a Web Application and a Web Service

Enabling Grids for E-sciencE EGEE-II INFSO-RI VOMS-Admin user registration

Enabling Grids for E-sciencE EGEE-II INFSO-RI VOMS-Admin Group Management

Enabling Grids for E-sciencE EGEE-II INFSO-RI To change: View -> Header and Footer 13 VOMS-Admin AuthZ framework All Operations on the VOMS Admin are authorized via ACLs ACLs are (Context, Principal, Permission) triples –The Context is a FQAN –The Principal is either  a (DN, CA) couple (i.e., an X509 certificate)  a FQAN  ANY_AUTHENTICATED_USER –The Permission states what the principal can do in the Context  List/Add members to a Group/Role  Create subgroups  Manage attributes  Manage requests/subscriptions pertaining groups/roles

Enabling Grids for E-sciencE EGEE-II INFSO-RI To change: View -> Header and Footer 14 VOMS-Admin ACLs

Enabling Grids for E-sciencE EGEE-II INFSO-RI What is VOMS VOMS is a X509 Attribute Authority with special support for Grids and VOs VOMS is a Membership management tool VOMS is a SAML Attribute Authority –The world is not a X509-monoculture! –The exact same data from X509 can be expressed in SAML

Enabling Grids for E-sciencE EGEE-II INFSO-RI VOMS & SAML Outside from hardcore grid applications, many services rely on a SAML AttributeAssertion VOMS can generate an AttributeAssertion containing the exact same data as the AC. VOMS exposes an interface compliant to the SAML Query/Request Profile and the SAML SOAP Binding – Temporary independent package  From the same developers  Integration in the main packages ongoing

Enabling Grids for E-sciencE EGEE-II INFSO-RI SAML AttributeAssertion Ex. <saml:Assertion ID="_ebff47fb-21a4-4f3d-bf7d-6b2a12b3b81b" IssueInstant=" T09:56:20.020Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi=" CN=omii002.cnaf.infn.it,L=CNAF,OU=Host,O=INFN,C=IT.. signature here CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT... says the subject was authenticated using a X.509 certificate <saml:Attribute Name=" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> /omiieurope/INFN /omiieurope

Enabling Grids for E-sciencE EGEE-II INFSO-RI How SAML Credentials work

Enabling Grids for E-sciencE EGEE-II INFSO-RI What is VOMS VOMS is a X509 Attribute Authority with special support for Grids and VOs VOMS is a Membership management tool VOMS is a SAML Attribute Authority VOMS integrates with Shibboleth –In the sense that VOMS makes Shibboleth attributes available to Grid services  Or to X509 based services in general

Enabling Grids for E-sciencE EGEE-II INFSO-RI SLCS (Certificates from Shibboleth)‏

Enabling Grids for E-sciencE EGEE-II INFSO-RI VASH VOMS Attributes from Shibboleth (VASH)‏ –Collaboration between SWITCH and INFN

Enabling Grids for E-sciencE EGEE-II INFSO-RI VASH UI

Enabling Grids for E-sciencE EGEE-II INFSO-RI Shib in VOMS - Full list How to use the voms with Shibboleth Attributes flury]$ slcs-init -i switch.ch Shibboleth Password: New Key Password: Key password is empty, using Shibboleth password. flury]$ voms-proxy-init -voms switch Enter GRID pass phrase: Your identity: /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A Creating temporary proxy Done Contacting egeria.switch.ch:15015 [/O=GRID-FR/C=CH/O=SWITCH/OU=MIDDLEWARE/CN=egeria.switch.ch] "switch" Done Creating proxy Done Your proxy is valid until Fri Jun 15 05:17: flury]$ voms-proxy-info -all subject : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A/CN=proxy issuer : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A identity : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A type : proxy strength : 512 bits path : /tmp/x509up_u965 timeleft : 11:59:46 === VO switch extension information === VO : switch subject : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A issuer : /O=GRID-FR/C=CH/O=SWITCH/OU=MIDDLEWARE/CN=egeria.switch.ch attribute : /switch/Role=NULL/Capability=NULL attribute : urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID = (switch)‏ attribute : urn:mace:dir:attribute-def:sn = Flury (switch)‏ attribute : urn:mace:dir:attribute-def:givenName = Placi (switch)‏ attribute : urn:mace:dir:attribute-def:mail = (switch)‏ attribute : urn:mace:dir:attribute-def:eduPersonAffiliation = staff (switch)‏ attribute : urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization = switch.ch (switch)‏ timeleft : 11:59:46

Enabling Grids for E-sciencE EGEE-II INFSO-RI What is VOMS VOMS is a X509 Attribute Authority with special support for Grids and VOs VOMS is a Membership management tool VOMS is a SAML Attribute Authority VOMS integrates with Shibboleth VOMS has native support for replication –Only one server is a single point of failure

Enabling Grids for E-sciencE EGEE-II INFSO-RI VOMS and Replication A VOMS server is stateless. VOMS uses a DB to keep track of users and administrators. Replicating a VOMS is simple: –Replicate the DB somewhere else –Run a new instance of VOMS insisting on the replicated DB Support is native –APIs allow to discover replicas –CLI tools switch between replicas automatically

Enabling Grids for E-sciencE EGEE-II INFSO-RI VOMS Advanced features Multiple Certificates –A user may have more than one certificate –It is possible to register them as synonymous with each other

Enabling Grids for E-sciencE EGEE-II INFSO-RI The Team Vincenzo Ciaschini Valerio Venturi Andrea Ceccanti

Enabling Grids for E-sciencE EGEE-II INFSO-RI To change: View -> Header and Footer 28 Questions? ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.