Virtual Organization Membership Service eXtension (VOX) Ian Fisk On behalf of the VOX Project Fermilab.

09/29/2004 CHEP

Authors and contributors
Richard Baker (BNL), Lothar Bauerdick (Fermilab), Eileen Berman (Fermilab), Gabriele Carcassi (BNL), Ian Fisk (Fermilab), Robert Gardner (University of Chicago), Gregory Graham (Fermilab), Leigh Grundhoefer (University of Indiana), Anne Heavey (Fermilab), Joe Kaiser (Fermilab), Tanya Levshina (Fermilab), Ruth Pordes (Fermilab), Vijay Sekhri (Fermilab), Dane Skow (Fermilab), John Weigand (Fermilab), Yujun Wu (Fermilab)

Presentation overview
Introduction
Stakeholders and collaborators
VO Management Infrastructure at Fermilab
VO Membership Registration Service
–Identifying the workflow
–VO Concepts
–VO Roles
–VOMRS Architecture
–WEBUI Screenshots
What’s next?
Summary

Introduction
US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources. This effort has resulted in a study and understanding of the necessary workflow, and the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.

Stakeholders and Collaborators
Stakeholders:
–US CMS
–Fermilab Computing Facility
–iVDGL
–SDSS
Collaborators:
–BNL – VOMRS architecture, registration process, common interfaces
–EGEE (EDG)/DataTag – VOMS core and admin software
–VDT (U of Wisconsin), Virginia Tech – ongoing communication and agreements with Globus on gatekeeper and authorization callouts

VO Management Infrastructure at Fermilab (I)
[Diagram: components of the VOX Project (VOMRS, SAZ), the VOMS Project (VOMS Admin and Core Services), the Privilege Project (GUMS, Gatekeeper and PRIMA module on the Fermilab Grid Cluster) and the Local Center Registration Service; the arrows are labelled register, voms-proxy-init, synchronize, proxy certificate, authorize and authenticate.]

VO Management Infrastructure at Fermilab (II)

VOX Project:
VOMRS (VO Membership Registration Service) provides a registration service that
–allows a single point of registration with a VO
–facilitates, negotiates and monitors the process of a member’s authorization to grid resources
–provides centralized storage of membership information and a means to query that information
SAZ (Site Authorization Service) allows security authorities of the local site to control access to the site’s resources

VOMS Project:
EGEE (EDG) VOMS Admin service provides centralized storage of each member’s DN, CA, groups and roles, and the means to handle this data.
DataTag VOMS Core service issues an extended proxy upon a member’s request.

Privilege Project automates and facilitates the process of managing fine-grained access to a local grid element:
PRIMA authorization module at the gatekeeper
–elicits information from the provided VOMS attributes and other sources
–queries a site-centralized grid user management server
GUMS (grid user management) server provides
–site-consistent user and group assignment
–interfaces and extensions to the data storage systems
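The gatekeeper-side decision described on this slide (and the group/role attributes introduced under VO Concepts) can be made concrete with a small model. The following is an added example, not code from the VOX, PRIMA, GUMS or SAZ projects: it parses the VOMS attributes (FQANs of the form /vo/group/Role=role/Capability=cap) carried in a proxy, applies a SAZ-like site check (accepted CA, banned DN) before any mapping is attempted, and then consults a GUMS-like table to obtain a site-consistent local account. The policy table, the local account names and the sample proxies are constructed for illustration; only the DOEGrids CA name is taken from the slides.

```python
"""Added example (not VOX/PRIMA/GUMS/SAZ code): site authorization followed by
a GUMS-like mapping of VOMS attributes to a local account."""
import re
from dataclasses import dataclass, field
from typing import Optional

# VOMS FQAN syntax: /vo[/group...][/Role=role][/Capability=cap]; VOMS writes
# "NULL" for an absent role or capability.
FQAN_RE = re.compile(
    r"^/(?P<vo>[^/=]+)(?P<groups>(?:/[^/=]+)*)"
    r"(?:/Role=(?P<role>[^/]+))?(?:/Capability=(?P<cap>[^/]+))?$"
)


@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str            # full group path including the VO, e.g. "/uscms/production"
    role: Optional[str]   # None when the attribute carries Role=NULL or no role at all


def parse_fqan(text: str) -> Fqan:
    """Parse one FQAN; refuse anything that does not match the grammar."""
    m = FQAN_RE.match(text)
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    role = m.group("role")
    group = "/" + m.group("vo") + m.group("groups")
    return Fqan(m.group("vo"), group, None if role in (None, "NULL") else role)


@dataclass(frozen=True)
class Proxy:
    dn: str
    ca: str
    fqans: tuple   # VOMS order: the first FQAN is the primary one


@dataclass
class SitePolicy:
    accepted_cas: frozenset                 # SAZ-like: which CAs the site trusts
    banned_dns: frozenset = frozenset()     # SAZ-like: site security can ban a DN
    # GUMS-like table (constructed format): (group path, role) -> local account;
    # role None matches any role in that group.
    mapping: dict = field(default_factory=dict)


def map_to_local_account(proxy: Proxy, policy: SitePolicy):
    """Return ("allow", local_account) or ("deny", reason)."""
    if proxy.ca not in policy.accepted_cas:
        return ("deny", f"CA not accepted by site: {proxy.ca}")
    if proxy.dn in policy.banned_dns:
        return ("deny", "DN banned by site security")
    for raw in proxy.fqans:                 # primary FQAN is tried first
        try:
            f = parse_fqan(raw)
        except ValueError as exc:
            return ("deny", str(exc))       # never guess from a malformed attribute
        account = policy.mapping.get((f.group, f.role)) or policy.mapping.get((f.group, None))
        if account:
            return ("allow", account)
    return ("deny", "no VOMS attribute maps to a local account")


def gridmap_line(proxy: Proxy, account: str) -> str:
    """Classic grid-mapfile line: the quoted DN followed by the local account."""
    return f'"{proxy.dn}" {account}'


# Constructed sample data (the CA name is the one shown on the notification slide).
DOE_CA = "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"
USER_DN = "/DC=org/DC=doegrids/OU=People/CN=Example Physicist"
SITE = SitePolicy(
    accepted_cas=frozenset({DOE_CA}),
    banned_dns=frozenset({"/DC=org/DC=doegrids/OU=People/CN=Banned User"}),
    mapping={("/uscms", None): "uscms01", ("/uscms/production", "production"): "cmsprod"},
)
PROD_PROXY = Proxy(USER_DN, DOE_CA, ("/uscms/production/Role=production/Capability=NULL",
                                     "/uscms/Role=NULL/Capability=NULL"))
PLAIN_PROXY = Proxy(USER_DN, DOE_CA, ("/uscms/Role=NULL/Capability=NULL",))
FOREIGN_CA_PROXY = Proxy(USER_DN, "/C=XX/O=Unknown CA", PLAIN_PROXY.fqans)
OTHER_VO_PROXY = Proxy(USER_DN, DOE_CA, ("/sdss/Role=NULL/Capability=NULL",))

if __name__ == "__main__":
    for p in (PROD_PROXY, PLAIN_PROXY, FOREIGN_CA_PROXY, OTHER_VO_PROXY):
        print(p.fqans[0], "->", map_to_local_account(p, SITE))
```

The site check runs before any attribute is parsed, so a proxy from an untrusted CA or a banned DN is refused regardless of what the VO asserts about the user; the mapping step then prefers the role-specific entry over the group-wide default, which is what lets a production role land in a dedicated account while ordinary members share a pool account.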

VOMRS: Identifying the workflow
Understand that VO registration is a multi-level process (institution, grid site, country, VO).
Identify necessary elements of the registration procedure and develop a model workflow.
Identify administrative roles and responsibilities.
Identify various implications of our model on sites and site policies.
Realize that the implementing technology must be flexible to accommodate the different levels of policies and requirements and to anticipate ongoing changes.

VO Concepts
Grid, VO, Certificate (DN, CA, …), Grid resource, Grid job …
Experiment: represents research activities that are specific to a particular VO.
Group and group roles: an experiment contains groups; a group may have sub-groups. Groups and group roles are included as attributes in a proxy certificate.
Institution: an organization whose members participate in experiments within a particular VO.
Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.
Personal information: private and public data about an individual that is collected by the VO.
Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses.
Role: defines the actions that a VO Member can perform within the VO and the information that a VO Member can access. A VO member can have one or more roles. Which notification events a VO member receives depends on the member’s role.

Roles (I)
Applicant:
–An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
Member:
–An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
VO administrator:
–A designated VO member who is in charge of registration and has access to all information collected by the VO. The VO administrator is responsible for assigning administrative roles.

Roles (II)
Institutional VO representative:
–Vouches for the identity of an applicant.
–Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.
Grid site administrator:
–Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
–Administers authorization of VO members to the site. The details are site specific and depend on the regulations and policies of each particular site.
Local resource provider:
–Administers authorization of a member to use the grid resource (this could include adding the member to the gridmapfile, mapping the member to a local account, etc.)

Registration Flow
[Diagram: parties are the Applicant, the Member, the Institution Representative, the Grid Sites (each with a Site Admin and LRPs) and, on the VO Central Node, VOMRS and the EDG VOMS Proxy Server. The labelled interactions are register (applicant to VOMRS), notify and approve (between VOMRS and the representative, the site admins and the LRPs), query (member to VOMRS) and synchronize (VOMRS to the EDG VOMS proxy server).]
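The two Roles slides and the registration flow diagram describe one procedure: an applicant registers, the selected institutional representative vouches, the VO administrator approves, and then each grid site's administrator and local resource provider authorize the member for that site, with a notification event at every step. The following is an added example, not VOMRS code, that models this workflow as a state machine in which every transition first checks that the actor holds the role the slides assign to that step (so a site administrator cannot grant VO membership, and nobody can request site access before being a member) and then records the notification aimed at whoever must act next. State names, role names, the role-assignment format and the sample DNs are constructed.

```python
"""Added example (not VOMRS code): role-checked registration workflow."""
from dataclasses import dataclass, field

VO_ADMIN, INST_REP, SITE_ADMIN, LRP, MEMBER = "vo_admin", "inst_rep", "site_admin", "lrp", "member"


class WorkflowError(Exception):
    """Actor lacks the role for a step, or the step is attempted out of order."""


@dataclass
class Registration:
    dn: str
    representative: str                        # DN of the representative chosen at registration
    status: str = "applicant"                  # applicant -> vouched -> member
    sites: dict = field(default_factory=dict)  # site -> requested / site_approved / authorized


@dataclass
class Vomrs:
    roles: dict                                 # actor DN -> set of (role, scope); scope None = VO-wide
    registrations: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # (recipient role, subject DN, message)

    def _require(self, actor, role, scope=None):
        if (role, scope) not in self.roles.get(actor, set()):
            raise WorkflowError(f"{actor} does not hold {role} for {scope or 'the VO'}")

    def _step(self, reg, expected, new, notify_role, message, site=None):
        """Advance a VO-wide or per-site state only from the expected state, then notify."""
        current = reg.status if site is None else reg.sites.get(site)
        if current != expected:
            raise WorkflowError(f"{reg.dn}: expected state {expected!r}, found {current!r}")
        if site is None:
            reg.status = new
        else:
            reg.sites[site] = new
        self.events.append((notify_role, reg.dn, message))

    def register(self, dn, representative):
        if dn in self.registrations:
            raise WorkflowError("already registered")
        self._require(representative, INST_REP)   # only a known representative can be selected
        self.registrations[dn] = Registration(dn, representative)
        self.events.append((INST_REP, dn, "new applicant awaits identity vouching"))

    def vouch(self, actor, dn):
        reg = self.registrations[dn]
        self._require(actor, INST_REP)
        if actor != reg.representative:
            raise WorkflowError("only the selected representative may vouch")
        self._step(reg, "applicant", "vouched", VO_ADMIN, "identity vouched; VO approval needed")

    def approve_member(self, actor, dn):
        self._require(actor, VO_ADMIN)
        self._step(self.registrations[dn], "vouched", "member", MEMBER,
                   "approved; assigned to the experiment-wide group")

    def request_site_access(self, dn, site):
        reg = self.registrations[dn]
        if reg.status != "member":
            raise WorkflowError("only approved members may request site access")
        if site in reg.sites:
            raise WorkflowError(f"{site}: request already open")
        reg.sites[site] = "requested"
        self.events.append((SITE_ADMIN, dn, f"{site}: site authorization requested"))

    def site_approve(self, actor, dn, site):
        self._require(actor, SITE_ADMIN, site)
        self._step(self.registrations[dn], "requested", "site_approved", LRP,
                   f"{site}: assign local resource access", site)

    def provider_authorize(self, actor, dn, site):
        self._require(actor, LRP, site)
        self._step(self.registrations[dn], "site_approved", "authorized", MEMBER,
                   f"{site}: authorized to use resources", site)


def attempt(step, *args):
    """True if the step succeeds, False if the workflow refused it."""
    try:
        step(*args)
        return True
    except WorkflowError:
        return False


def run_demo():
    """Constructed walk-through of one applicant reaching site authorization."""
    admin, rep, sadmin, lrp = "/CN=VO Admin", "/CN=Inst Rep", "/CN=Site Admin", "/CN=Resource Provider"
    applicant = "/DC=org/DC=doegrids/OU=People/CN=Example Applicant"
    vo = Vomrs(roles={admin: {(VO_ADMIN, None)}, rep: {(INST_REP, None)},
                      sadmin: {(SITE_ADMIN, "fnal")}, lrp: {(LRP, "fnal")}})
    vo.register(applicant, rep)
    vo.vouch(rep, applicant)
    vo.approve_member(admin, applicant)
    vo.request_site_access(applicant, "fnal")
    vo.site_approve(sadmin, applicant, "fnal")
    vo.provider_authorize(lrp, applicant, "fnal")
    return vo


if __name__ == "__main__":
    for event in run_demo().events:
        print(event)
```

Site-scoped roles are keyed by site, so a site administrator for one site cannot approve access at another; the events list doubles as an audit trail of who was asked to act on each change.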

VOMRS Architecture
[Diagram: server-side components are the Client IF, the Registrar (Workflow Manager), the Event Manager, the Synchronizer, the VOMRS DB, the EDG VOMS ADMIN API with the EDG VOMS DB, and the EDG Trust Manager; the service is exposed through Web Services/Servlets and a CLI, and the member’s web client connects over GSI HTTPS/SSL.]

VOMRS WEBUI (Home page, Group page…)

VOMRS WEBUI (registration): USCMS VO Registration

VOMRS WEBUI (member search)

VOMRS WEBUI (subscribe to event)

VO Administrator Notification Event Example:

Date: Tue, 21 Sep :43:
From:
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: undisclosed-recipients: ;

Dear Administrator,

We have received a request from a person with Distinguished Name /DC=org/DC=doegrids/OU=People/CN=Anne Heavey issued by Certificate Authority /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 to join VO USCMS.
You can check member's personal information.
You can approve or deny member's request.

What’s Next?
Continue collaboration with BNL, SDSS, iVDGL, the LCG User Registration Task Force, etc.
Implement multiple new features requested by collaborators:
–VO membership expiration and renewal processes
– verification
–Interface to organizational human resource database (LCG requirement)
Continue support for VOMRS instances installed at Fermilab and BNL
Deploy test installation of VOMRS at CERN

Summary
The VO Membership Registration Service, which allows a grid user to become a member of a Virtual Organization, has been developed. It provides a flexible mechanism to collect a member’s personal data as well as to manage the registration workflow. Several instances of VOMRS have been deployed at Fermilab and BNL.
We greatly appreciate the discussions, support and software contributions provided by our collaborators.
There are still a lot of features that need to be implemented.
More info: