VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.
Summary
● Ready
  – Web-based VO registration
● Current Work
  – Multiple VOs
  – User info protection
● Proposal
  – CAS

grid-mapfile generation (diagram): mkgridmap, Grid-mapfile, VO Directory (o=xyz, dc=edg, dc=org; ou=People, ou=tb1, ou=Admin; CN=Mario Rossi, CN=Franz Elmer, CN=John Smith), Authentication Certificate, local users, Ban list, Web based submission scripts
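A mkgridmap-style builder for the diagram above, added here as an example and not code from the slides or from the EDG tools: it reads a VO directory, drops banned DNs, appends local users, and emits grid-mapfile lines. The directory entries, ban list, local users and the VO-to-account mapping are constructed stand-ins.

```python
# Added example: a mkgridmap-style grid-mapfile builder (not EDG's own code).
# Inputs are constructed stand-ins for the VO LDAP directory, the ban list and
# the local users file; the account naming is an assumption.

# Constructed VO directory: one LDAP DN per member under the VO tree.
VO_DIRECTORY = {
    "xyz": [
        "CN=Mario Rossi,ou=People,o=xyz,dc=edg,dc=org",
        "CN=Franz Elmer,ou=People,o=xyz,dc=edg,dc=org",
        "CN=John Smith,ou=Admin,o=xyz,dc=edg,dc=org",
    ],
}
# Constructed ban list (LDAP form) and local users (already in Globus form).
BAN_LIST = {"CN=John Smith,ou=Admin,o=xyz,dc=edg,dc=org"}
LOCAL_USERS = {"/O=local/CN=Site Operator": "operator"}


def ldap_to_globus(dn):
    """Convert an LDAP DN to the slash-separated form used in grid-mapfiles.

    RDNs are split on ',' (no escaped commas in the constructed data) and
    listed root-first, with attribute names upper-cased as Globus prints them.
    """
    rdns = [r.strip() for r in dn.split(",")]
    parts = []
    for rdn in reversed(rdns):
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.upper()}={value}")
    return "/" + "/".join(parts)


def build_gridmap(vo_directory, ban_list, local_users, account_for):
    """Return grid-mapfile lines: banned DNs dropped, local users appended.

    account_for(vo) gives the local account a VO maps to (site policy).
    """
    lines = []
    for vo, members in vo_directory.items():
        for dn in members:
            if dn in ban_list:          # site-level ban wins over VO membership
                continue
            lines.append(f'"{ldap_to_globus(dn)}" {account_for(vo)}')
    for dn, account in local_users.items():
        lines.append(f'"{dn}" {account}')
    return lines


if __name__ == "__main__":
    print("\n".join(build_gridmap(VO_DIRECTORY, BAN_LIST, LOCAL_USERS, lambda vo: vo)))
```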

Web-based VO registration (1)
● Secure web form to submit subscription requests
  – Users identified by their X509 certificate (mandatory)
● Certificate information used transparently for the request (e.g. DN)
● Other information taken from user input (e.g. phone number)
● Check of existence in LDAP tree (to be implemented)
● Confirmation by VO managers
  – Mail alert sent to managers
  – Secure web form to update the LDAP tree (only the insert procedure implemented up to now)

Web-based VO registration (2)
● Limitations
  – Only INFN CA certificates accepted, but trivially extendible
● Some small modifications may be needed to take different certificate formats into account
● Future developments
  – Web interface for VO management (June 2002)
  – Web interface for users to modify pending requests, view status etc. (???)

Multiple VOs 1/2
● Users can specify the VO with which they choose to submit jobs:
  – grid-proxy-init -vo, for hand-generated proxies, or
  – export VO=, for programs that automatically call grid-proxy-init
  – grid-proxy-init -novo to ignore the VO variable.

Multiple VOs 2/2
● Compatibility:
  – Patched version of libglobus_ssl_utils must be installed on every farm that wants to accept the new proxies, and on the RB and possibly II.
  – Old proxies are accepted by the new system, the reverse doesn't hold.

User info protection
● CEs no longer publish the whole grid-mapfile, but only the accepted VOs.
● CEs must authenticate with VO LDAP servers using TLS.
● As a consequence, the RB can no longer be sure that the CE it selects for a job actually authorizes the user to which the job belongs.

CAS 1/4
● Considerations:
  – Users may need to access more than one CAS server at the same time.
  – ACLs should stay with the resource, not with the roles.
  – CAS should contain only (user, group, role, acl) information.
  – CAS certificates should identify the user holding them
    ● Needed by local sites (ban specific users)
    ● Mapping to unix UID/GID
  – Proof of user consent is needed.

CAS 2/4
● Proposal:
  – The user submits a request to CAS
  – CAS returns a quintuple (signed)
    ● User ID
    ● CAS ID
    ● (group, role, acl)*
    ● Timestamp
  – Repeat the above steps for each CAS

CAS 3/4
● Proposal (continued):
  – The user generates the proxy putting the CAS info into extensions.
  – An appropriately written LCAS plugin extracts and verifies information from the extensions.
● Advantages
  – Compatibility with current system
  – Easily integrates info from two or more CAS servers
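The CAS quintuple of slides 2/4 and 3/4 with the checks an LCAS plugin would run on it, added here as an example rather than the CAS or LCAS code itself: each CAS signs (user ID, CAS ID, (group, role, acl)*, timestamp), the proxy carries one such extension per CAS, and the site verifies the signature, the freshness, that the user ID matches the proxy holder, and its own ban list before merging the entries. An HMAC with a per-CAS key stands in for the CAS signature so it runs with the standard library; the CAS names, keys, ACL strings and validity window are constructed.

```python
# Added example (not CAS/LCAS code): the signed CAS quintuple and its checks.
# HMAC stands in for the CAS signature; CAS_KEYS plays the role of the CAS
# certificates an LCAS plugin would trust. All names and keys are constructed.
import hashlib
import hmac
import json

CAS_KEYS = {"cas.xyz.org": b"xyz-secret", "cas.abc.org": b"abc-secret"}
MAX_AGE = 3600  # seconds a quintuple stays valid (assumption)


def cas_issue(cas_id, user_id, entries, now):
    """CAS side: return the signed quintuple for one user as a proxy extension."""
    body = {"user": user_id, "cas": cas_id, "entries": entries, "ts": now}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(CAS_KEYS[cas_id], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def lcas_verify(proxy_user, extensions, ban_list, now):
    """LCAS plugin side: check every extension, merge the (group, role, acl) list.

    Returns (True, merged_entries) or (False, reason). ACL evaluation itself is
    left to the resource, as slide 1/4 requires (ACLs stay with the resource).
    """
    if proxy_user in ban_list:
        return False, "user banned at this site"
    merged = []
    for ext in extensions:
        body = json.loads(ext["payload"])
        key = CAS_KEYS.get(body["cas"])
        if key is None:
            return False, f"unknown CAS {body['cas']}"
        expected = hmac.new(key, ext["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ext["sig"]):
            return False, "bad CAS signature"
        if not (0 <= now - body["ts"] <= MAX_AGE):
            return False, "quintuple expired or not yet valid"
        # The user ID inside the quintuple must be the proxy holder: this is
        # what lets a site ban a person and map them to a local UID/GID.
        if body["user"] != proxy_user:
            return False, "quintuple issued to a different user"
        merged.extend(tuple(e) for e in body["entries"])
    return True, merged
```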

CAS 4/4
● At the moment under investigation for both requirements and algorithms
● Better name? (VOMS -- VO Membership System?)
● Inputs?