Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.


Definition
Role based VO authorization: an authorization decision based on an extended credential, issued by the VO server, that allows a user to have different sessions in which he obtains different privileges.

Use case
– A VO compiles a list of users that can use data production resources.
– When acting as data production coordinator, the user gets a “token” from the VO that states he is authorized to act in that role.
– The user presents that token to the site when submitting a job or initiating a file transfer.
– The service maps the user to a different account based on the role.
– The different account allows access to restricted resources or a different class of service (i.e. file access, higher queue priorities, a special pool of machines, …).

Example: USATLAS at BNL
/atlas/usatlas/Role=production: few people (currently ~7) coordinate the data production
– run under the same account ‘usatlas1’ (allows them to start/stop each other’s jobs)
– ‘usatlas1’ has a very high priority on the farm
/atlas/usatlas/Role=software: very few people (~3) that need to install/remove software and debug applications
– special account ‘usatlas2’, writes on NFS with group-readable access (rest of ATLAS can run applications, but not modify them)
– highest priority, but on very few machines (~3), to be able to “skip” the queue (i.e. install/debug won’t wait in the queue anymore)
/atlas/usatlas: all analysis users (~90)
– assigned an account from the pool (i.e. grid001): allows auditing for the site
/atlas/lcg1: “international ATLAS” (~150)
– assigned an account from the pool with a different gid (allows the batch system to differentiate between ATLAS and USATLAS and set policy accordingly)
Rest of OSG
– assigned an account from the pool, gid different for each VO
– UNIX group read/write == VO read/write

An example
[Diagram: submission site with the User running voms-proxy-init, the gums-host, the VOMS site and the VOs; execution site with the Gatekeeper, PRIMA, the GUMS Server and grid3-user…txt]
0. The user, member of VO “foo”, wants to submit a job with role “bar” to the gatekeeper of site “X”.
1. The user runs “voms-proxy-init -voms foo:/foo/Role=bar” to generate his VO-authorized proxy.
2. voms-proxy-init creates a normal user proxy, and then sends it to the foo VO VOMS server.
3. The VOMS server returns the VOMS proxy, signed by the VO, that authorizes the user to act as “bar”.
4. The user submits the job to site X.
5. The gatekeeper, through the Globus call-out, delegates to the PRIMA module the decision of which local user account should be used for the given grid credential.
6. PRIMA extracts the proxy information and sends a message asking GUMS which local account should be used. (The message is a SAML authorization request.)
7. GUMS consults its configuration and the local copy it keeps of the different VO databases, and determines that the corresponding credential should be mapped to “foobar1”. GUMS returns a message, a SAML successful response with the obligation account=“foobar1”.
8. PRIMA interprets the response and returns the account “foobar1” to the gatekeeper.
9. The gatekeeper sets the uid to “foobar1” and submits the job. Note: a cron job on the gatekeeper contacts GUMS to retrieve the inverse map needed for accounting.
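The mapping decision GUMS makes in step 7, applied to the USATLAS policy above, as an added Python example modelled on the slides; this is not GUMS or PRIMA code. It parses VOMS FQANs, applies an ordered rule table (shared role accounts such as usatlas1, per-DN pool accounts such as grid001, a per-VO fallback pool with its own gid), denies credentials that match no rule or exhaust a pool, and keeps the account-to-DN inverse map that step 9 says the gatekeeper's cron job retrieves. The dictionary standing in for the SAML request/response, the gids, pool sizes, DNs and the "cms" pool are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Added example, not GUMS/PRIMA code. Account names taken from the slides:
# usatlas1, usatlas2, grid001, foobar1. Gids, pool sizes and DNs are constructed.

# A VOMS FQAN looks like /vo/group[/subgroup...][/Role=r][/Capability=c]
FQAN_RE = re.compile(
    r"^(?P<group>(?:/[^/=]+)+)(?:/Role=(?P<role>[^/]+))?(?:/Capability=[^/]+)?$"
)


@dataclass(frozen=True)
class FQAN:
    group: str           # e.g. "/atlas/usatlas"
    role: Optional[str]  # e.g. "production"; None when no role (or Role=NULL) is asserted

    @property
    def vo(self) -> str:
        return self.group.split("/")[1]


def parse_fqan(text: str) -> FQAN:
    """Parse an FQAN string; Role=NULL is treated as 'no role'."""
    m = FQAN_RE.match(text)
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    role = m.group("role")
    return FQAN(m.group("group"), None if role in (None, "NULL") else role)


@dataclass(frozen=True)
class Fixed:
    """A shared account such as usatlas1: everyone matching the rule becomes it."""
    account: str
    gid: str


@dataclass(frozen=True)
class Pool:
    """Pool accounts prefix001..prefixNNN, one per DN, so the site can audit who ran."""
    prefix: str
    gid: str
    size: int


Mapping = Union[Fixed, Pool]


@dataclass(frozen=True)
class Rule:
    group: str
    role: Optional[str]  # None matches only FQANs that carry no role
    mapping: Mapping

    def matches(self, f: FQAN) -> bool:
        return f.group == self.group and f.role == self.role


class GumsMapper:
    """Site-wide credential-to-account mapping in the spirit of GUMS (constructed)."""

    def __init__(self, rules: List[Rule], vo_pools: Dict[str, Pool]):
        self.rules = list(rules)        # ordered, first match wins
        self.vo_pools = dict(vo_pools)  # fallback: per-VO pool with its own gid
        self._pool_assignments: Dict[Tuple[str, str], str] = {}  # (prefix, dn) -> account
        self._pool_used: Dict[str, int] = {}                     # prefix -> accounts handed out

    def _assign(self, mapping: Mapping, dn: str) -> Optional[Tuple[str, str]]:
        if isinstance(mapping, Fixed):
            return mapping.account, mapping.gid
        key = (mapping.prefix, dn)
        if key not in self._pool_assignments:  # a DN keeps its pool account across requests
            used = self._pool_used.get(mapping.prefix, 0)
            if used >= mapping.size:
                return None  # pool exhausted: refuse rather than hand out a reused account
            self._pool_assignments[key] = f"{mapping.prefix}{used + 1:03d}"
            self._pool_used[mapping.prefix] = used + 1
        return self._pool_assignments[key], mapping.gid

    def authorize(self, dn: str, fqan_text: str) -> dict:
        """Answer a PRIMA-style request (a dict stands in for the SAML message):
        Permit with an account obligation, or Deny with a reason."""
        try:
            fqan = parse_fqan(fqan_text)
        except ValueError as exc:
            return {"decision": "Deny", "reason": str(exc)}
        mapping = next((r.mapping for r in self.rules if r.matches(fqan)), None)
        if mapping is None:
            mapping = self.vo_pools.get(fqan.vo)
        if mapping is None:
            return {"decision": "Deny", "reason": f"no mapping for {fqan_text}"}
        assigned = self._assign(mapping, dn)
        if assigned is None:
            return {"decision": "Deny", "reason": "pool exhausted"}
        account, gid = assigned
        return {"decision": "Permit", "obligations": {"account": account, "gid": gid}}

    def inverse_map(self) -> Dict[str, str]:
        """account -> DN for pool accounts, the table the gatekeeper's cron job pulls for
        accounting. Shared accounts like usatlas1 are absent: they are not one-to-one."""
        return {acct: dn for (_, dn), acct in self._pool_assignments.items()}


def build_example_policy() -> GumsMapper:
    """Rule table modelled on the USATLAS slide plus the foo/bar walk-through (values constructed)."""
    return GumsMapper(
        rules=[
            Rule("/atlas/usatlas", "production", Fixed("usatlas1", "usatlas")),
            Rule("/atlas/usatlas", "software", Fixed("usatlas2", "usatlas")),
            Rule("/atlas/usatlas", None, Pool("grid", "usatlas", size=100)),
            Rule("/atlas/lcg1", None, Pool("lcg", "atlas", size=200)),
            Rule("/foo", "bar", Fixed("foobar1", "foo")),
        ],
        vo_pools={"foo": Pool("foo", "foo", size=1), "cms": Pool("cms", "cms", size=50)},
    )


if __name__ == "__main__":
    gums = build_example_policy()
    for dn, fqan in [("/DC=org/DC=example/CN=Alice", "/atlas/usatlas/Role=production"),
                     ("/DC=org/DC=example/CN=Alice", "/atlas/usatlas"),
                     ("/DC=org/DC=example/CN=Carol", "/foo/Role=bar"),
                     ("/DC=org/DC=example/CN=Carol", "/atlas/usatlas/Role=admin")]:
        print(fqan, "->", gums.authorize(dn, fqan))
    print("inverse map:", gums.inverse_map())
```

Two behaviours are worth noticing: a credential whose role matches no rule is denied rather than silently dropped to the VO pool (the "Is Auth? Yes / No" decision is made here, not by the gatekeeper), and pool assignments are sticky per DN, which is what makes the inverse map useful for auditing.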

Components: VOMS A VO service (one per VO) that provides extended proxies with signed group and role membership Vincenzo Ciaschini, INFN - Karoly Lorentey, et al Part of OSG distribution, used in production

Components: PRIMA The gatekeeper callout module that is able to contact a site Authorization service to retrieve the mapping Markus Lorch, VT Part of OSG distribution, used in production

Components: GUMS A site Authorization service that manages site-wide mappings Gabriele Carcassi, BNL Part of OSG distribution, used in production

Components: VOMRS A VO service that manages the VO Registration process, and feeds the list of currently approved members to VOMS FNAL team Used in production

Storage AuthZ
[Diagram: site GUMS Server; Gatekeeper (GRAM, gridFTP) with PRIMA; execution site SRM/dCache with gPLAZMA; Storage Authorization Service]

Components: Storage AuthZ An authorization service that provides the extra authorization attributes required by dCache (contacts GUMS to retrieve the mapping) Markus Lorch, VT Prototype

Components: gPLAZMA The dCache Authorization infrastructure, which is able to contact the Storage Authorization Service Abhishek Singh Rana, UCSD et al. Distributed as part of dCache, Beta quality, in production at Fermi in a couple of months (probably less)