INFSO-RI-031688 Enabling Grids for E-sciencE - II www.eu-egee.org SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) VOMS Installation and configuration Bouchra
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
EDG Security European DataGrid Project Security Coordination Group
E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.
INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA Hands-on on security Pedro Rausch IF - UFRJ.
Condor-G A Quick Introduction Alan De Smet Condor Project University of Wisconsin - Madison.
30-Sep-03D.P.Kelsey, SCG Summary1 Security Co-ordination Group (WP7 SCG) EDG Heidelberg 30 September 2003 David Kelsey CCLRC/RAL, UK
OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland
INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep NIKHEF.
User Management: Authentication & Authorization on the NorduGrid Balázs Kónya, AndersWäänänen 3 rd NorduGrid Workshop, 23 May, 2002 Helsinki.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
VO management: Progress since Chicago Workshop Vincenzo Ciaschini 23/5/2002 CNAF – Bologna.
4th EELA TUTORIAL - USERS AND SYSTEM ADMINISTRATORS E-infrastructure shared between Europe and Latin America Security Hands-on Vanessa.
EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Practicals on Security Miguel Cárdenas Montes.
E-infrastructure shared between Europe and Latin America Security Hands-on Alexandre Duarte CERN Fifth EELA Tutorial Santiago, 06/09-07/09,2006.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Moisés Hernández Duarte UNAM FES Cuautitlán.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
INFSO-RI Enabling Grids for E-sciencE - II VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
INFSO-RI Enabling Grids for E-sciencE glexec on worker nodes David Groep NIKHEF.
INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
INFSO-RI Enabling Grids for E-sciencE VO Naming practice and suggested development Oscar Koeroo.
VOX Project Tanya Levshina. 05/17/2004 VOX Project2 Presentation overview Introduction VOX Project VOMRS Concepts Roles Registration flow EDG VOMS Open.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
Gridification progress report David Groep, Oscar Koeroo Wim Som de Cerff, Gerben Venekamp Martijn Steenbakkers.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
Hands-on security Carlos Fuentes RedIRIS Madrid,26 – 30 de Octubre de 2008.
Hands on Security, Authentication and Authorization Virginia Martín-Rubio Pascual RedIRIS/Red.es Curso Grid y e-Ciencia.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) 马兰馨 IHEP, CAS Hands on gLite Security.
Enabling Grids for E-sciencE gLite security pratical tutorial Dario Russo INFN Catania Catania,
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Job Management Claudio Grandi.
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
EGEE-II INFSO-RI Enabling Grids for E-sciencE Simone Campana (CERN) Job Priorities: status.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Practicals on VOMS and MyProxy
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
Update on EDG Security (VOMS)
Argus: General Introduction
Presentation transcript:

INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19 June 2007

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June Outline Status – Short-lived credential service (SLCS) – VOMS attributes from Shibboleth (VASH) Access for Grid Users to Shib SP(Phase 1b) – from Grid to Shib (and back) AuthZ and AuthZ with Shibboleth Attributes – use case (scenario) – a closer look on LCAS and LCMAPS plugins for generic attributes – xml-based mapping rules Open Issues & Outlook Summary

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June SLCS Status Private key is never transferred Use commercial CA and only standard protocols Modular design such that other people can use their own components Shibboleth attributes determine DN

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June SLCS Status CLI: Possibility to store key&certificate as pkcs12 –import in browsers Administrator Interface (web-based) –user management tool –ACL editor –audit viewer Productive (for SWITCH Federation) – ToDos: – Server documentation – ETICS server build – yaim, service configuration (?)

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June VASH Status New feature: SLCS users pre-registration on VOMS –Situation SLCS user not yet registered on VOMS 1.VASH initiates pre-registration on VOMS 2.User gets mail with cookie and user registration request number 3.User visits VASH again to confirm pre-registration 4.VOMS admin accepts/rejects registration request GUI finished ToDos: –replace mailing module (currently uses velocity) –ETICS build –documentation (admin, installation, and user manuals) – Shibboleth attribute enforcement

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June VASH Status

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June VASH Status

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June Access for Grid Users to Shib SP(Phase 1b) Grid users access Shibboleth protected resources –Symmetric access, Applications not affected

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June Access for Grid Users to Shib SP(Phase 1b) Test-bed SWITCH INFN in summer 2007

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June AuthZ and Mapping with Shibboleth Attributes Scenario: A user of VO switch wants to submits a job to the grid. Admission to the CE requires him to be member of the switch.ch home organization. The job shall get assigned to a higher priority queue if the user is a staff member.

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June AuthZ and Mapping with Shibboleth Attributes flury]$ slcs-init -i switch.ch Shibboleth Password: New Key Password: Key password is empty, using Shibboleth password. flury]$ voms-proxy-init -voms switch Enter GRID pass phrase: Your identity: /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A Creating temporary proxy Done Contacting egeria.switch.ch:15015 [/O=GRID-FR/C=CH/O=SWITCH/OU=MIDDLEWARE/CN=egeria.switch.ch] "switch" Done Creating proxy Done Your proxy is valid until Fri Jun 15 05:17: flury]$ voms-proxy-info -all subject : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A/CN=proxy issuer : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A identity : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A type : proxy strength : 512 bits path : /tmp/x509up_u965 timeleft : 11:59:46 === VO switch extension information === VO : switch subject : /DC=ch/DC=switch/DC=slcs/O=Switch - Teleinformatikdienste fuer Lehre und Forschung/CN=Placi Flury C82EEB1A issuer : /O=GRID-FR/C=CH/O=SWITCH/OU=MIDDLEWARE/CN=egeria.switch.ch attribute : /switch/Role=NULL/Capability=NULL attribute : urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID = (switch) attribute : urn:mace:dir:attribute-def:sn = Flury (switch) attribute : urn:mace:dir:attribute-def:givenName = Placi (switch) attribute : urn:mace:dir:attribute-def:mail = (switch) attribute : urn:mace:dir:attribute-def:eduPersonAffiliation = staff (switch) attribute : urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization = switch.ch (switch) timeleft : 11:59:46 A user of VO switch wants to submits a job to the grid

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June AuthZ and Mapping with Shibboleth Attributes Admission to the CE requires him to be member of the switch.ch home organization Authorization –LCAS plugin –org.glite.security.lcas-plugins-voms-attr –transparent handling of VOMS’ generic attributes –authorization by ACL (xml-file)  parser for rules: org.glite.security.acl-parser switch.ch ACL file: Plugin log: LCAS 0: lcas.mod-lcas_run_va(): authorization granted by plugin /opt/glite/lib/modules/lcas_userban.mod LCAS 0: lcas_voms_attr - is_rule_match(): ACL rule(1) matched LCAS 0: lcas.mod-lcas_run_va(): authorization granted by plugin /opt/glite/lib/modules/lcas_voms_attr.mod

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June AuthZ and Mapping with Shibboleth Attributes The job shall get assigned to a higher priority queue if the user is a staff member. Mapping: –LCMAPS plugin –org.glite.security.lcmaps-plugins-voms-attr –transparent handling of VOMS’ generic attributes –Mapping rules defined in xml-file  parser for rules: org.glite.security.lcmaps-rules-parser

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June AuthZ and Mapping with Shibboleth Attributes Why XML based mapping rules? – ‘limitations’ of conventional grid-mapfile:  Management of grid-mapfile  FQAN + 2 generic attributes example /switch/Role=production/Capability=NULL/urn:mace:dir:attriutedef:eduPersonAffiliation=staff/ urn:mace:switch.ch:attributedef:swissEduPersonHomeOrganization=switch.ch.switchsgm Discussions with – LCMAPS developers (Oscar, NIKHEF), and site administrators (Maarten, local site admins)

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June AuthZ and Mapping with Shibboleth Attributes XML Mapping Rules Syntax and structure defined: rule::= {attribute} [dns] [fqans] map attribute ::= attribute_name, attribute_value map ::= account, group | account | group dns ::= {dn} fqans ::= {fqan} Semantic defined by plugin –lcmaps-plugins-voms-attr interprets rule as follows: Rule matches if following conditions are met: 1.All specified attributes must be present in the AC (name and value must match) 2.If any DNs are specified, the DN in proxy cert must match one of these 3.If any FQANs are specified, FQAN in proxy cert must match one of these (note if no DNs are specified any will match, the same for FQANs) ToDos: –VO info in rule -> attribute::= attribute_name, attribute_value, vo ? –wildcard support –Longest match first -> sort before doing the match? –Deny ‘flag’? (c.f Oscar’s talk)

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June AuthZ and Mapping with Shibboleth Attributes Back to the example: (XML Mapping Rules file) [cut] <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization" displayName="home organization">switch.ch <Attribute name= "urn:mace:dir:attribute-def:eduPersonAffiliation" displayName=”Affiliation"> staff /switch/Role=NULL/Capability=NULL Plugin log : LCMAPS 0: lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_voms_attr.mod LCMAPS 0: lcmaps_voms_attr - get_mapping(): mapping rule(2) matched [cut] LCMAPS 0: lcmaps_voms_attr - plugin_run: lcmaps_voms_attr plugin succeeded LCMAPS 0: lcmaps.mod-runPlugin(): found plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod LCMAPS 0: lcmaps.mod-runPlugin(): running plugin /opt/glite/lib/modules/lcmaps_posix_enf.mod LCMAPS 6: lcmaps_plugin_posix_enf-log_cred(): uid=18911(switch001):pgid=45005(switchprio):sgid=2689(switch) LCMAPS 0: lcmaps_plugin_posix_enf-plugin_run(): posix_enf plugin succeeded

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June Open Issues & Outlook SLCS/VASH –etics build – docu, better enforcement of validity of generic attributes from Shibs on VOMS (moment global expiration time). LCAS/LCMAPS plugins: –extend LCMAPS framework –VO support in rules, etc. –input/comments on xml-format for ACL and XML mapping rules? Phase 3 (enable SAML support for selected Grid resources) –Still in design phase

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June Summary Summary: –Development of SLCS and VASH completed. SLCS already productive. Documentation pending. –Phase 1.b, Symmetric access from Shibboleth resources by grid users needs to be implemented (SWITCH - INFN) –The LCAS/LCMAPS plugins for the generic VOMS attributes filled the missing gap to use Shibboleth for authZ and mapping of grid jobs.

Enabling Grids for E-sciencE JRA1 All Hand Meeting Helsinki– 19 June This is the end… Thank’s a lot for your attention. Q?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.