
USATLAS deployment
We currently use VOMS role-based authorization in production within USATLAS. In the VO we have defined 4 groups/roles that satisfy our current needs (and that are a large improvement over the past). We need to distinguish between:
– /atlas/usatlas/Role=production: few people (currently ~7) that coordinate the data production
– /atlas/usatlas/Role=software: very few people (~3) that need to install/remove software and debug applications; in Grid3 these operations were always slow as they had to wait for the job to run: we want to give them almost real-time response
– /atlas/usatlas: USATLAS users (~90)
– /atlas/lcg1: rest of ATLAS (~150)
Where are those groups defined?

VO servers dependencies
[Diagram; arrows signify dependencies (not dataflow). Boxes: VOMS (Admin+Server) vo.racf.bnl.gov; LDAP VO grid-vo.nikhef.nl; OSG. Link label: edg-voms-ldap-sync. Legend: OSG dependencies, USATLAS dependencies.]
All groups and roles are defined in the LDAP VO server as LDAP groups. A cron script running every night synchronizes the BNL VOMS server with the LDAP VO server. OSG (and USATLAS) users depend on the VOMS server installed at BNL. What about migration to CERN VOMS/VOMRS?

Planned migration
[Diagram; arrows signify dependencies (not dataflow). Boxes: VOMS (Admin+Server) vo.racf.bnl.gov; LDAP VO grid-vo.nikhef.nl; OSG; VOMS (Admin+Server) voms.cern.ch; VOMS (Admin+Server) lcg-voms.cern.ch; VOMRS lcg-voms.cern.ch. Link labels: edg-voms-ldap-sync, bnl-atlas-sync.]
During migration, CERN is going to provide 2 VOMS servers (one with the old lists and one with the new). BNL is going to combine the information in the production server. The configuration for the LDAP sync at BNL for ATLAS is exactly the same as the CERN one.

After migration
[Diagram; arrows signify dependencies (not dataflow). Boxes: OSG; VOMS (Admin+Server) lcg-voms.cern.ch; VOMRS lcg-voms.cern.ch.]
Once all users are migrated, the production server for OSG will become the VOMS server at CERN. USATLAS groups and roles are planned to be present in the final CERN VOMS server as they are defined now in the BNL VOMS server. Migrating from BNL to CERN must be transparent to the users (i.e. just change the VO server name in the configuration files, and change certificates where needed).

Role implementation at BNL
[Diagram: ATLAS VO groups and roles (lcg1, usatlas, production, software) and the corresponding BNL accounts: usatlas1 (usatlas), usatlas2 (usatlas), gridxxxx (gridgr07, usatlas), gridxxxx (gridgr07). Rest of OSG: gridxxxx (gridgrxx).]
All users are mapped to an account from the pool, with the gid set to the VO group. The 2 USATLAS roles are mapped to 2 special accounts. The batch system can now distinguish between different sets just by looking at the uid and gid. File permissions can be set to have read/write access within VOs. Production and software roles allow read/write access within the group.
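The mapping on this slide can be sketched as a small lookup from VOMS FQAN to local account; this is an added example, not code from the presentation or from any BNL tool. The pairing of diagram labels in RULES, the pool account names, the sample DN and the choice to refuse any group/role combination without a rule are assumptions.

```python
import re

# (VOMS group, role) -> (fixed account, or None for a pool account; Unix groups).
# Pairing the diagram's labels this way is an assumption of this example.
RULES = {
    ("/atlas/usatlas", "production"): ("usatlas1", ("usatlas",)),
    ("/atlas/usatlas", "software"): ("usatlas2", ("usatlas",)),
    ("/atlas/usatlas", None): (None, ("gridgr07", "usatlas")),
    ("/atlas/lcg1", None): (None, ("gridgr07",)),
}

# FQAN: /group[/subgroup...][/Role=r][/Capability=c]; "NULL" means "not set".
FQAN_RE = re.compile(
    r"(?P<group>(?:/[\w.-]+)+?)(?:/Role=(?P<role>[\w.-]+))?(?:/Capability=[\w.-]+)?"
)


class AccountMapper:
    def __init__(self, pool):
        self.free = list(pool)   # unassigned pool accounts
        self.leases = {}         # certificate DN -> leased pool account

    def map(self, dn, fqan):
        """Return (account, groups) for a user's DN and primary FQAN, or raise."""
        m = FQAN_RE.fullmatch(fqan)
        if m is None:
            raise PermissionError(f"malformed FQAN: {fqan!r}")
        role = None if m["role"] in (None, "NULL") else m["role"]
        # Exact lookup: a role is honoured only on the group it was defined for,
        # and anything without a rule is refused rather than given a default.
        rule = RULES.get((m["group"], role))
        if rule is None:
            raise PermissionError(f"no mapping for {fqan!r}")
        account, groups = rule
        if account is None:
            if dn not in self.leases:
                if not self.free:
                    raise RuntimeError("account pool exhausted")
                self.leases[dn] = self.free.pop(0)
            account = self.leases[dn]   # same DN keeps the same uid
        return account, groups


if __name__ == "__main__":
    mapper = AccountMapper(["grid0001", "grid0002"])   # constructed pool names
    alice = "/DC=org/DC=example/CN=Alice"              # constructed DN
    print(mapper.map(alice, "/atlas/usatlas/Role=production/Capability=NULL"))
    print(mapper.map(alice, "/atlas/usatlas/Role=NULL/Capability=NULL"))
```
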

At other USATLAS sites
They are free to choose what implementation is best for them as long as they can distinguish between groups and implement ATLAS/USATLAS policies accordingly.
Two methods USATLAS supports are:
– As BNL (2 special accounts + pool)
– Simpler for smaller sites who do not have tight security requirements (4 accounts)
Some sites will probably implement in their ad hoc way, integrated with their user management system.