Slide 1
www.egi.eu European Grid Initiative
e-Infrastructure Directory Service: GOCDB
Tiziana Ferrari/EGI.eu on behalf of David Meredith/STFC
Wiki: https://wiki.egi.eu/wiki/GOCDB
EGI Production Instance: https://goc.egi.eu
Src: https://github.com/GOCDB
Info Doc: https://wiki.egi.eu/w/images/d/d3/GOCDB5_Grid_Topology_Information_System.pdf
Slide 2: Infrastructure Service Directory
List infrastructure services, including technical and contact details, offered by a site (human- and machine-accessible).
Domain Objects: a subset of GLUE2: Projects, Admin-Domains (NGIs), Sites, Services, Service-Groups, Endpoints, Downtimes, Users, Roles
Interfaces: Web Portal (view/input/edit) + REST-style API to query in XML
Tagging: Resource owners tag their objects with >1 'scope-tags' to provide:
- Fine-grained resource grouping / filtering (e.g. declare multiple project affiliations)
- No resource duplication across 'n' projects (DRY, essential for data integrity)
Auth abstractions to support multiple AAI (x509, SAML2, ...)
Slide 3: What in general can GOCDB support?
- Register domain objects for e-infrastructures: Admin-domains, groups, sites, services, service-groups, endpoints, downtimes, users, roles
- Enforces business rules for object management
- Role-based permission model
- Resource tagging for fine-grained resource filtering/selection
- Groups manage their own users and resources: add/edit/delete resource objects; grant/revoke roles over objects
- Extensible: add custom key-value pairs to domain objects
- Auth abstractions to support multiple AAI (x509, SAML2, ...)
Slide 4: Comprehensive Role/Permission Model
(Diagram: Sites, Groups, Projects.) Users own Roles over objects that grant permissions.
Slide 5: Categorise Resources by Scope Tags
1. Resource owners tag their sites/services/groups. Available tags are defined by GOCDB admins to avoid tag proliferation.
2. Defines core categories/groupings with no duplication.
3. Essential to maintain integrity of information across different infrastructures, sub-groups, projects...
(Diagram: Service A and Service B with their Scope Tags.)
Filter using 'scope' and 'scope_match' (Portal + API).
Slide 6: Extensibility Mechanism
- Extension Properties: define custom 'Key=Value' pairs on objects
- Fine-grained filtering of objects by property name + value
- Also supported in the API using AND|OR|NOT expressions
- Allows content to be organised into custom categories
- Good for rapid prototyping and building folksonomies, e.g. filter Sites by a VAT extension
Slide 7: Deployment Scenarios
1. Standalone instance per project / infrastructure
   Pro: Full control, easy to customise
   Con: May need to duplicate GOCDB entries across infrastructures (consider a single site that contributes to multiple projects)
2. Single shared instance that hosts multiple projects/infrastructures under different scopes
   Pro: Easy/cheap; a single resource is tagged for multiple infrastructures/projects
   Con: More difficult to customise
Optional: Separate/standalone failover instance that securely downloads a dump of the DB every hour.
Slide 8: Useful Links
Wiki: https://wiki.egi.eu/wiki/GOCDB
EGI Production Instance: https://goc.egi.eu
Src: https://github.com/GOCDB
Info Doc: https://wiki.egi.eu/w/images/d/d3/GOCDB5_Grid_Topology_Information_System.pdf
Technical
- Strongly constrained relational model using Doctrine object-relational mapping
- AAI abstractions inspired by the Spring Security 3 API (AuthProvider, AuthToken, AuthManager, SecurityContextServer, UserDetailsService)
Slide 9: For more information...
Slide 10: Core Domain Model
The core domain model closely follows a subset of GLUE 2.
Slide 11: Images (EGI, EUDAT)
Slide 12: Role / Permissions Model
a) User. Principal: /x509/DN/str
b) Role. Status: REQUESTED, GRANTED. Permissions: EDIT, DELETE, GRANT_ROLE, REVOKE_ROLE
c) OwnedObject: Project, NGI, Site, Service, SG, ...
d) RoleType: SiteAdmin, SecurityOfficer, ...
A user (a) owns roles (b) that link owned objects (c) to role types (d).
Can add new: RoleStatus values, RoleTypes, Owned Objects.
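The user/role/owned-object/role-type model on this slide, as an added Python example (not GOCDB's own code). The deck names the role types and the permissions but not which role type grants which permission, so the ROLE_TYPE_PERMISSIONS mapping below is an assumption; only GRANTED roles confer permissions, and approving a REQUESTED role needs GRANT_ROLE over its target.

```python
from dataclasses import dataclass, field
from enum import Enum

class Permission(Enum):
    EDIT = "EDIT"
    DELETE = "DELETE"
    GRANT_ROLE = "GRANT_ROLE"
    REVOKE_ROLE = "REVOKE_ROLE"

class RoleStatus(Enum):
    REQUESTED = "REQUESTED"
    GRANTED = "GRANTED"

# ASSUMPTION for this example: the deck lists RoleTypes and Permissions but not the mapping. New RoleTypes are new keys.
ROLE_TYPE_PERMISSIONS = {
    "SiteAdmin": set(Permission),
    "SecurityOfficer": {Permission.EDIT},
}

@dataclass(frozen=True)
class OwnedObject:
    kind: str      # Project, NGI, Site, Service, SG, ...
    name: str

@dataclass
class Role:        # links a RoleType to an OwnedObject; only GRANTED roles confer permissions
    role_type: str
    target: OwnedObject
    status: RoleStatus = RoleStatus.REQUESTED

@dataclass
class User:
    principal: str                     # e.g. an X.509 DN string
    roles: list = field(default_factory=list)

def permissions_over(user: User, obj: OwnedObject) -> set:
    perms = set()
    for role in user.roles:
        if role.status is RoleStatus.GRANTED and role.target == obj:
            perms |= ROLE_TYPE_PERMISSIONS.get(role.role_type, set())
    return perms

def can(user: User, perm: Permission, obj: OwnedObject) -> bool:
    return perm in permissions_over(user, obj)

def grant_role(granter: User, requested: Role) -> bool:   # approve a REQUESTED role; needs GRANT_ROLE over its target
    if requested.status is not RoleStatus.REQUESTED or not can(granter, Permission.GRANT_ROLE, requested.target):
        return False
    requested.status = RoleStatus.GRANTED
    return True
```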
Slide 13: PI methods
https://wiki.egi.eu/wiki/GOCDB/PI/Technical_Documentation
Slide 14: Extensibility Mechanism in PI
- Selected PI methods support an 'extensions' URL parameter (get_site, get_service, get_downtime, get_service_group).
- Defines an expression of (key=value) pairs, the (K=V) pairs prefixed with AND, OR, NOT.
- E.g.:
  &extensions=(VO=)   (blank for wildcard value)
  &extensions=(VO=foo)AND(VO=bar)OR(V02=baz)
  &extensions=(VO=foo)AND(VO=bar)OR(V02=baz)NOT(V03=)
- Pattern matching on values only; no notion of greater or less than, e.g. can't do (SampleRate>=20).
Slide 15: Extensibility Mechanism in PI
Example query:
https://goc.egi.eu/gocdbpi/private/?method=get_site&extensions=(P4U_Pilot_VAT=20)AND(P4U_Pilot_Cloud_Wall=)
...body elements hidden...
2 Sites selected with the specified extensions.
User Guide on the GOCDB docs/wiki: https://wiki.egi.eu/wiki/GOCDB/Input_System_User_Documentation#Extension_Properties
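The 'extensions' expression language of slides 14 and 15, as an added Python parser and evaluator (not GOCDB's PI code). It accepts the (K=V) terms with AND/OR/NOT prefixes and the blank-value wildcard exactly as the slides show; the left-to-right evaluation order, the exact-match rule for non-blank values and the SITES records are assumptions constructed for the example.

```python
import re
# Grammar as on the slides: a leading (K=V) term, then terms each prefixed with AND, OR or NOT.
_TERM = re.compile(r"(AND|OR|NOT)?\(([^=()]+)=([^()]*)\)")

def parse_extensions(expr: str) -> list:
    """Return [(op, key, value)] with op in {'', 'AND', 'OR', 'NOT'}; reject malformed input."""
    pos, terms = 0, []
    for m in _TERM.finditer(expr):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {expr[pos:]!r}")
        op, key, value = m.group(1) or "", m.group(2).strip(), m.group(3).strip()
        if bool(op) != bool(terms):   # first term has no operator; every later term needs one
            raise ValueError(f"operator missing or misplaced before term {len(terms) + 1}")
        terms.append((op, key, value))
        pos = m.end()
    if not terms or pos != len(expr):
        raise ValueError(f"malformed extensions expression: {expr!r}")
    return terms

def term_matches(props: list, key: str, value: str) -> bool:
    # props is a list of (key, value) pairs; keys may repeat. Blank value is a wildcard
    # (any property with that key). Values are matched only, never compared (no >=, <=).
    return any(k == key and (value == "" or v == value) for k, v in props)

def evaluate(expr: str, props: list) -> bool:
    # Terms are folded left to right (assumption: the deck states no precedence rules);
    # NOT excludes objects that match its term.
    result = False
    for op, key, value in parse_extensions(expr):
        hit = term_matches(props, key, value)
        if op == "AND":
            result = result and hit
        elif op == "OR":
            result = result or hit
        elif op == "NOT":
            result = result and not hit
        else:
            result = hit
    return result

def select_sites(expr: str, sites: dict) -> list:
    """Names of sites whose extension properties satisfy expr (what get_site&extensions= does)."""
    return sorted(name for name, props in sites.items() if evaluate(expr, props))

# Constructed sample data (not real GOCDB records): site name -> extension properties.
SITES = {
    "SITE-A": [("P4U_Pilot_VAT", "20"), ("P4U_Pilot_Cloud_Wall", "yes"), ("VO", "foo")],
    "SITE-B": [("P4U_Pilot_VAT", "20"), ("P4U_Pilot_Cloud_Wall", "no"), ("VO", "foo"), ("VO", "bar")],
    "SITE-C": [("P4U_Pilot_VAT", "10"), ("VO", "bar"), ("V03", "x")],
}
```

With the constructed records, the slide 15 query selects two sites, matching the "2 Sites selected" result shown.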
Slide 16: Authentication Abstractions
The authentication logic is abstracted into its own module in GOCDB:
1. Isolates the bulk of the GOCDB code from authentication-mechanism changes.
2. Allows extension: plug-in support for different authentication mechanisms using a new AuthProvider and AuthToken (still requires work to implement a new AuthProvider for the chosen auth scheme!).
X509 and SAML2 are integrated into the EGI instance.
Inspired by core interfaces and classes copied from the Spring Security 3 framework.
Slide 17: Key Authentication Abstractions (diagram)
1. Manages >1 AuthProviders
2. X509AuthProvider, UserPasswordAuthProvider, SAML2
3. GOCDBUserDetailsService
4. X509AuthToken, SamlAuthToken
Flow: queries the user store; creates an auth token (added to the session to prevent re-authentication across page requests); GOCDB calls out to SecurityContextService (is the user authenticated?).
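The provider / manager / user-store / security-context split of slides 16 and 17, as an added Python sketch (not GOCDB's own module). The in-memory user store, the PBKDF2 password check and the single AuthToken class with a scheme field are assumptions for the example; the X.509 provider assumes the web server already validated the client certificate and only hands over its DN.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass
class AuthToken:
    scheme: str                  # "x509" or "password" (the deck's X509AuthToken / UserPasswordAuthToken)
    principal: str               # X.509 DN string or username
    credentials: str = ""
    authenticated: bool = False

class GOCDBUserDetailsService:   # the user store; here a constructed in-memory dict
    def __init__(self, users): self.users = users
    def load(self, principal): return self.users.get(principal)

class X509AuthProvider:
    # Assumes the TLS layer already verified the client cert; here only the DN is checked against the store.
    scheme = "x509"
    def __init__(self, details): self.details = details
    def authenticate(self, token):
        if self.details.load(token.principal) is None:
            raise PermissionError("unknown DN")
        return AuthToken("x509", token.principal, authenticated=True)

def pw_hash(pw, salt): return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class UserPasswordAuthProvider:
    scheme = "password"
    def __init__(self, details): self.details = details
    def authenticate(self, token):
        rec = self.details.load(token.principal)
        if rec is None or not hmac.compare_digest(pw_hash(token.credentials, rec["salt"]), rec["hash"]):
            raise PermissionError("bad credentials")   # one error for unknown user and wrong password
        return AuthToken("password", token.principal, authenticated=True)

class AuthManager:               # manages >1 AuthProviders; the provider for the token's scheme decides
    def __init__(self, providers): self.providers = providers
    def authenticate(self, token):
        for p in self.providers:
            if p.scheme == token.scheme:
                return p.authenticate(token)
        raise PermissionError("no provider for scheme " + token.scheme)

class SecurityContextService:    # keeps the token in the session so later page requests skip re-authentication
    def __init__(self, manager, session): self.manager, self.session = manager, session
    def login(self, token):
        self.session["auth"] = self.manager.authenticate(token)
        return self.session["auth"]
    def is_authenticated(self):
        tok = self.session.get("auth")
        return tok is not None and tok.authenticated
```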