VO Membership Registration Workflow, Policies and VOMRS software (VOX Project) Tanya Levshina Fermilab.


12/15/2003 User Registration/VO management/AuthZ workshop at CERN
Slide 2: Presentation overview
– Introduction
– Stakeholders, team and collaborators
– VOX components
– VO Membership Registration Service
– Identifying the workflow
– VO Concepts
– Roles
– VOMRS Architecture
– Association with EDG VOMS
– WEBUI Screenshots
– What’s next?
– Summary

Slide 3: Introduction
US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources. This effort has resulted in a study and understanding of the necessary workflow, and the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.

Slide 4: Stakeholders, Team and Collaborators
Stakeholders:
– US CMS (L. Bauerdick)
– Fermilab Computing Facility (D. Skow)
– iVDGL (R. Gardner)
– SDSS (J. Annis)
Team:
– T. Levshina – Fermilab
– L. Grundhoefer – iVDGL
– A. Heavey (technical writer) – Fermilab
– V. Sekhri – SDSS/iVDGL, Fermilab
– J. Weigand – Fermilab
– Y. Wu – Fermilab
Collaborators:
– BNL (R. Baker, D. Yu) – VOMRS architecture, registration process, common interfaces
– EDG/Data Tag (V. Ciaschini, A. Frohner) – VOMS core and admin software
– VDT (U of Wisconsin), Virginia Tech (Markus Lorch) – ongoing communication and agreements with Globus on gatekeeper and authorization callouts

Slide 5: VOX Project
VOX Goals:
– to understand and model the registration workflow
– to provide a VO registration mechanism
– to negotiate and monitor member authorization to grid resources
– End Goal: to facilitate the remote participation of physicists in effective and timely analysis of data from the LHC experiments during DC04.
[Diagram: EDG VOMS, SAZ, LRAS and VOMRS; Fermilab Grid Cluster with Gatekeeper & callouts; Local Center Registration Service]

Slide 6: VOX Components
VOMRS (VO Membership Registration Service) provides a registration service that
– allows a single point of registration with a VO
– facilitates, negotiates and monitors the process of a member’s authorization to grid resources
– provides centralized storage of membership information and a means to query that information
LRAS (Local Resource Authorization Service) automates and facilitates the process of managing fine-grained access to a local grid element
– stores a subset of VO membership information and maps a VO member to a local account
Gatekeeper authorization callouts (in agreement with the standard adopted by Globus, EDG, FNAL, and Virginia Tech).
SAZ (Site Authorization Service) allows security authorities of the local site to control access to the site’s resources.
EDG VOMS Admin service provides centralized storage of member DN, CA, groups and roles, and the means to handle this data.
EDG VOMS Core service issues an extended proxy upon a member’s request.

Slide 7: VOMRS: Identifying the workflow
– Understand that VO registration is a multi-level process (institution, grid site, country, VO).
– Identify the necessary elements of the registration procedure and develop a model workflow.
– Identify administrative roles and responsibilities.
– Identify the various implications of our model for sites and site policies.
– Realize that the implementing technology must be flexible enough to accommodate the different levels of policies and requirements and to anticipate ongoing changes.

Slide 8: VO Concepts (I)
Grid, VO, Certificate (DN, CA, ...), Grid resource, Grid job ...
– Experiment: represents research activities that are specific to a particular VO.
– Group: an experiment contains groups; a group may have sub-groups.
– Institution: an organization whose members participate in experiments within a particular VO.
– Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.
– Grid job submission rights: distinguishes between members who can submit grid jobs and those who can only perform administrative tasks.

Slide 9: VO Concepts (II)
– Personal information: private and public data about an individual that is collected by the VO.
– Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses.
– Role: defines the actions that a VO member can perform within the VO. A VO member can have one or more roles.

Slide 10: Roles (I)
Applicant:
– An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
Member:
– An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
VO administrator:
– A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.

Slide 11: Roles (II)
Institutional VO representative:
– Vouches for the identity of an applicant.
– Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.
Grid site administrator:
– Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
– Administers authorization of VO members to the site. The details are site specific and depend on the regulations and policies of each particular site.
Local resource provider:
– Administers authorization of a member to use the grid resource (this could include adding the member to the gridmapfile, mapping the member to a local account, etc.).

Slide 12: Roles (III)
Group owner:
– Creates groups and subgroups within the experiment.
– Assigns/revokes the group manager/owner role to/from a member of the VO.
– A group owner is a group manager as well.
– A group owner owns a group if he owns any of its ancestor groups.
Group manager:
– Assigns/removes members to/from the group he manages.

Slide 13: Registration Flow
[Diagram: the Applicant registers with VOMRS at the VO Central Node; notify/approve steps follow for the Institution Representative and for the Site Admin and LRPs at each Grid Site; the approved Member is synchronized to the EDG VOMS Proxy Server, which the Grid Sites query.]
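The three Roles slides and the register/notify/approve steps of the flow describe a small state machine in which every transition is gated by the actor's role. The following is an added example, not VOMRS code: it models that workflow with explicit permission checks. The VO name, group names and person DNs are constructed; the CA string is the one visible in the e-mail on slide 19.

```python
# Added example, not VOMRS code: a model of the registration workflow and role checks
# from the Roles and Registration Flow slides. DNs and group names are constructed.
from dataclasses import dataclass, field

VO_ADMIN, REPRESENTATIVE = "VO administrator", "Institutional VO representative"
CA = "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"  # CA shown on slide 19
ADMIN, REP, ALICE, BOB = [f"/DC=org/DC=doegrids/OU=People/CN=Example {n}"
                          for n in ("Admin", "Rep", "Alice", "Bob")]   # constructed DNs

class Denied(Exception): pass   # a role or workflow precondition was not met

@dataclass
class Person:
    dn: str
    ca: str
    status: str = "applicant"   # applicant -> member
    representative: str = ""    # representative chosen at registration
    vouched: bool = False
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

class VO:
    def __init__(self, name, top_group, approved_cas, admin_dn, admin_ca):
        self.name, self.cas, self.top = name, set(approved_cas), top_group
        # Bootstrap: the first VO administrator also acts as the first representative.
        admin = Person(admin_dn, admin_ca, "member", roles={VO_ADMIN, REPRESENTATIVE}, groups={top_group})
        self.people = {admin_dn: admin}
        self.parent = {top_group: None}            # group -> parent group
        self.owners = {top_group: {admin_dn}}      # group -> owner DNs
        self.managers = {top_group: set()}         # group -> manager DNs
        self.events = []                           # notification events: (to, text)

    def _require(self, dn, role):
        if role not in self.people[dn].roles:
            raise Denied(f"{dn} lacks role {role!r}")

    def register(self, dn, ca, rep_dn):
        if ca not in self.cas:
            raise Denied(f"{ca!r} is not a VO-approved CA")
        self._require(rep_dn, REPRESENTATIVE)      # must pick a known representative
        self.people[dn] = Person(dn, ca, representative=rep_dn)
        self.events.append((rep_dn, f"please vouch for {dn}"))

    def vouch(self, rep_dn, applicant_dn):
        p = self.people[applicant_dn]
        if p.representative != rep_dn:
            raise Denied("only the selected representative may vouch")
        p.vouched = True
        for dn, a in self.people.items():          # notify every VO administrator
            if VO_ADMIN in a.roles:
                self.events.append((dn, f"{applicant_dn} wants to join {self.name}"))

    def approve(self, admin_dn, applicant_dn):
        self._require(admin_dn, VO_ADMIN)
        p = self.people[applicant_dn]
        if p.status != "applicant" or not p.vouched:
            raise Denied("applicant must be vouched for before approval")
        p.status = "member"
        p.groups.add(self.top)                     # default: experiment-wide group
        self.events.append((applicant_dn, f"approved as member of {self.name}"))

    def assign_role(self, admin_dn, target_dn, role):
        self._require(admin_dn, VO_ADMIN)          # only the VO administrator assigns roles
        self.people[target_dn].roles.add(role)

    def owns(self, dn, group):
        while group is not None:                   # owning any ancestor group counts
            if dn in self.owners[group]:
                return True
            group = self.parent[group]
        return False

    def create_group(self, owner_dn, parent, name, new_owner=None):
        if not self.owns(owner_dn, parent):
            raise Denied(f"{owner_dn} does not own {parent}")
        self.parent[name], self.owners[name], self.managers[name] = parent, {new_owner or owner_dn}, set()

    def assign_manager(self, owner_dn, target_dn, group):
        if not self.owns(owner_dn, group):
            raise Denied(f"{owner_dn} does not own {group}")
        self.managers[group].add(target_dn)

    def add_to_group(self, actor_dn, member_dn, group):
        if actor_dn not in self.managers[group] and not self.owns(actor_dn, group):
            raise Denied(f"{actor_dn} does not manage {group}")  # an owner is a manager too
        if self.people[member_dn].status != "member":
            raise Denied("only approved members can be added to groups")
        self.people[member_dn].groups.add(group)

    def can_submit_jobs(self, dn):
        return dn in self.people and self.people[dn].status == "member"

def demo():
    """Run one registration through the flow and return the VO for inspection."""
    vo = VO("USCMS", "/uscms", [CA], ADMIN, CA)
    vo.register(REP, CA, ADMIN)
    vo.vouch(ADMIN, REP)
    vo.approve(ADMIN, REP)
    vo.assign_role(ADMIN, REP, REPRESENTATIVE)
    vo.register(ALICE, CA, REP)
    vo.register(BOB, CA, REP)                      # Bob is registered but never vouched for
    vo.vouch(REP, ALICE)
    vo.approve(ADMIN, ALICE)
    vo.create_group(ADMIN, "/uscms", "/uscms/higgs", new_owner=REP)
    vo.create_group(REP, "/uscms/higgs", "/uscms/higgs/trigger")   # REP owns the parent
    vo.add_to_group(REP, ALICE, "/uscms/higgs/trigger")
    return vo
```

Each transition checks the actor's role rather than trusting the caller, approval is refused until the selected representative has vouched (so an unvouched applicant never gains job submission rights), and group ownership is evaluated up the ancestor chain as the Roles (III) slide specifies.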

Slide 14: VOMRS Architecture
[Diagram: a Member uses the WEB CLIENT or the CLI over GSI with the EDG Trust Manager; Web Services/Servlets expose the Client IF to the Server, which contains the Registrar, the Event Manager and the Synchronizer and stores data in the VOMRS DB; the Synchronizer uses the EDG VOMS ADMIN API to update the EDG VOMS DB.]

Slide 15: Association with EDG VOMS
EDG VOMS is currently used as a significant part of the VOX project:
– Extended proxy generation
– Gridmapfile generation for local grid resources
– Queries to obtain members, groups and roles by authorization services on local grid clusters
VOMS and VOMRS have some overlap in functionality and stored data, but:
– VOMRS is a registration service that is accessed infrequently, by people (not hosts).
– VOMS is a service that provides members with extended proxies and should sustain heavy load. It allows access by registered hosts.
– VOMRS keeps a lot of information about members and VO entities (institutions, sites, etc.). Member information is persistent.
– VOMS keeps the minimum information related to a member (DN, CA, group, role). A member has to be deleted in order to deny him access to the Grid.
The VOMRS Synchronizer is responsible for updating the VOMS database.
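The last two bullets together define what the Synchronizer has to do: VOMS holds only (DN, CA, group, role) rows and has no status field, so a member whose VOMRS status no longer permits Grid access, or who has no job submission rights, must simply be absent from VOMS. The following is an added example and not the VOMRS Synchronizer: it projects constructed VOMRS records onto VOMS rows and computes the rows to add and remove. Member records and DNs are constructed; the CA string is the one shown on slide 19.

```python
# Added example, not VOMRS code: the VOMRS -> VOMS synchronization step described on
# the slide, computed as a diff between rich VOMRS records and minimal VOMS rows.
CA = "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"   # CA shown on slide 19
ALICE, BOB, CAROL, DAVE, EVE = [f"/DC=org/DC=doegrids/OU=People/CN=Example {n}"
                                for n in ("Alice", "Bob", "Carol", "Dave", "Eve")]  # constructed

# VOMRS side (constructed): persistent, status-bearing member information.
VOMRS_MEMBERS = [
    {"dn": ALICE, "ca": CA, "status": "approved", "submit_jobs": True,
     "groups": {"/uscms": set(), "/uscms/higgs": {"manager"}}},
    {"dn": BOB, "ca": CA, "status": "suspended", "submit_jobs": True,    # access withdrawn
     "groups": {"/uscms": set()}},
    {"dn": CAROL, "ca": CA, "status": "approved", "submit_jobs": False,  # administrative tasks only
     "groups": {"/uscms": set()}},
    {"dn": DAVE, "ca": CA, "status": "applicant", "submit_jobs": True,   # not yet approved
     "groups": {}},
]

# VOMS side before the sync (constructed): (dn, ca, group, role) rows; "" means plain membership.
VOMS_BEFORE = {
    (ALICE, CA, "/uscms", ""),
    (BOB, CA, "/uscms", ""),     # stale: Bob was suspended in VOMRS after this row was written
    (EVE, CA, "/uscms", ""),     # stale: Eve no longer exists in VOMRS at all
}


def desired_voms_rows(vomrs_members):
    """Project VOMRS records onto the VOMS data model (dn, ca, group, role).

    VOMS has no status field, so anyone who may not submit Grid jobs gets no rows at all;
    absence from VOMS is the only way VOMS can deny access."""
    rows = set()
    for m in vomrs_members:
        if m["status"] != "approved" or not m["submit_jobs"]:
            continue
        for group, roles in m["groups"].items():
            rows.add((m["dn"], m["ca"], group, ""))
            rows.update((m["dn"], m["ca"], group, r) for r in roles)
    return rows


def plan_sync(voms_rows, vomrs_members):
    """Return the additions and deletions that bring VOMS in line with VOMRS."""
    want = desired_voms_rows(vomrs_members)
    return {"add": sorted(want - voms_rows), "remove": sorted(voms_rows - want)}


def apply_sync(voms_rows, plan):
    """Apply a plan to a copy of the VOMS row set and return the result."""
    return (voms_rows - set(plan["remove"])) | set(plan["add"])


def revoked_dns(voms_before, voms_after):
    """DNs that lose all Grid access in this sync; worth logging, since deletion from
    VOMS is the only denial mechanism VOMS offers and the loss is otherwise silent."""
    return {r[0] for r in voms_before} - {r[0] for r in voms_after}
```

Because the plan is computed as a set difference, the sync is idempotent: running it again against the updated rows yields an empty plan, and the list of DNs removed from VOMS is available for the notification events the earlier slides describe.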

Slide 16: VOMRS WEBUI (Registration of a new user) [screenshot]

Slide 17: VOMRS WEBUI (registration) [screenshot]

Slide 18: VOMRS WEBUI (member search) [screenshot]

Slide 19: VOMRS WEBUI (subscribe to event)
Date: Fri, 05 Dec :43:
From:
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To:
Dear Administrator,
We have received a request from a person with Distinguished Name /DC=org/DC=doegrids/OU=People/CN=Anne Heavey issued by Certificate Authority /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 to join VO USCMS. You may approve or deny user access.
VO Administrator

Slide 20: What’s Next?
– Now that we have a model, we need to work with others to get input, take it to the next step and create a workflow that everyone can use.
– Standardize the terminology, especially for administrative roles and responsibilities.
– Improvement of VOMRS:
  – Database (move to Oracle)
  – Documentation
  – Packaging
– VOMS/VOMRS:
  – Need to define stable interfaces between VOMRS and VOMS
  – Solve issues with VOMS installation/upgrade (takes too much time and effort, very possibly due to a lack of understanding on our part)

Slide 21: Summary
We greatly appreciate the discussions, support and software contributions provided by our collaborators. We have all spent substantial time and effort understanding the issues involved, modeling the workflow and developing a system to implement it. Many issues remain. We believe that all will benefit from collaboration on this project.
More info: