1
Abhishek Singh Rana and Frank Wuerthwein, UC San Diego
www.opensciencegrid.org
The Open Science Grid Consortium
CHEP 2006 Mumbai INDIA February 15 2005

gPLAZMA: grid-aware Pluggable AuthoriZation Management
(Introducing Role-based Access Control in dCache)

Abhishek Singh Rana, UC San Diego, rana@fnal.gov
Frank Würthwein, UC San Diego, fkw@fnal.gov

The XVth International Conference on Computing in High Energy and Nuclear Physics (CHEP'06)
February 15, 2006, TIFR, Mumbai
2
Authors
RANA, Abhishek Singh (University of California, San Diego, CA, USA)
WÜRTHWEIN, Frank (University of California, San Diego, CA, USA)
PERELMUTOV, Timur (Fermi National Accelerator Laboratory, Batavia, IL, USA)
KENNEDY, Robert (Fermi National Accelerator Laboratory, Batavia, IL, USA)
BAKKEN, Jon (Fermi National Accelerator Laboratory, Batavia, IL, USA)
SKOW, Dane (Fermi National Accelerator Laboratory, Batavia, IL, USA)
FISK, Ian (Fermi National Accelerator Laboratory, Batavia, IL, USA)
FUHRMANN, Patrick (DESY, Hamburg, Germany)
ERNST, Michael (DESY, Hamburg, Germany)
3
Outline
OSG AuthZ approach
gPlazma architecture
gPlazma implementation
Example of end-to-end AuthZ for CEs and SEs
Status
Future Work
4
OSG AuthZ Approach
VO-global specification of privilege attributes per Role.
Site-central mapping of Role to the site's implementation of privilege attributes.
Local enforcement of privilege attributes.
Use of the VOMS extended X.509 Attribute Certificate specification for defining extra attributes (FQANs, or Fully Qualified Attribute Names). Based on RFC-3281.
FQANs contain Role and VO membership information for a User.
5
OSG AuthZ Approach
VO defines Roles and associated privileges by specifying expected functionality.
–E.g. cmssoft may install software in an area that is read-only for all cmsuser jobs running on the site/campus.
–E.g. cmsphedex may have special access to the SRM/dCache system.
Site maps VO-scope identities to local-scope identities.
–Site-wide management of the mapping.
–Service-level granularity of the mapping.
Site enforces VO privilege policies within local-scope identities.
Authorization = (VO-allowed) && !(Site-vetoed)
6
[Diagram: site authorization architecture. A Local or Remote Client presents a Proxy with VO Membership | Role Attributes. Components: VO Attribute Repository; Service X, Service Y and Service Z spread across Host 1 and Host 2, each with a Service Veto; Site-wide Assertion Service; Site Authorization Service for Services X, Y, Z; Site-wide Mapping Service; Auxiliary Authorization Service for Service Z; Auxiliary Mapping Service; Callout Module for X, Y; Callout Module for Z.]
7
[Same diagram as slide 6, annotated with the roles Policy Decision Point (PDP) and Policy Enforcement Point (PEP): the callout modules at the services act as PEPs, the site-wide and auxiliary authorization services as PDPs.]
8
gPLAZMA Architecture
[Diagram. Doors: SRM Door, GridFTP Door, …, each with a callout (SRM Callout, GridFTP Callout) into gPLAZMA. Client Priorities select Authorization Services Plugins through Switches. Site Assertion: Bias: DENIAL, Priority: 1, Apply: Assertion, Response: Allow OR Deny. VO Identity Mapping: Bias: ACCESS, Priority: 2, Apply: Authorization, Response: AuthZ Record. Plugins: VO Role Mapping AuthZ (gPLAZMA native); GUMS-based VO Role Mapping AuthZ; Legacy Grid AuthN (gridmapfile); Legacy Storage AuthZ (dcache.kpwd); VO Identity Mapping Service and Storage Metadata AuthZ, reached over https/SOAP SAML; Storage Provider's Policies. Slots marked Future Additions.]
9
gPLAZMA Implementation
[Diagram. Client side: voms-proxy-init produces a Proxy with VO Membership | Role attributes; srmcp issues the request. SRM-dCache: SRM Server and GridFTP Server (DATA), each with a callout (SRM Callout, GridFTP Callout) into gPLAZMA. gPLAZMA's PRIMA SAML Client sends a SAML query over https/SOAP to the Storage Authorization Service and receives a SAML response carrying the User Authorization Record. The Storage Authorization Service asks the GUMS Identity Mapping Service ("If authorized, get username") and then the Storage metadata ("Get storage authz for this username"). Alternative plugin: gPLAZMALite Authorization Service, backed by grid-mapfile and dcache.kpwd. Figure footer: GriPhyN All Hands Meeting, Argonne National Laboratory, April 29 2005, Abhishek Singh Rana, UCSD, www.opensciencegrid.org, The Open Science Grid Consortium.]
10
[Same gPLAZMA Implementation diagram as slide 9, with the message flow numbered 1 to 13 (sub-steps 4a to 4d within step 4).]
11
Example of end-to-end AuthZ for CEs and SEs
12
SE: SRM-dCache
Different doors for different authz methods.
Same underlying local authz mechanism.
Can be mapped to the site's UID/GID domain, or be restricted to SRM-dCache only.
Examples:
–USCMS-VO at FNAL: Site UID domain.
–CDF-VO at FNAL: Site Kerberos domain.
13
SE: SRM-dCache
gPLAZMA extends the SRM-dCache separation of SE authz and CE authz to the OSG approach.
1. gPLAZMA authenticates.
2. gPLAZMA uses the PRIMA Java SAML libraries to form a SAML query and contacts the Storage Authz Service.
3. The Storage Authz Service contacts GUMS and the Storage Metadata Service.
4. GUMS translates {DN, Membership, Role} to Username.
5. The Storage Metadata Service translates Username to Storage-privilege Set.
6. Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}.
7. Storage-privilege Set is a User-level ACL governed by {DN, Membership, Role}.
8. The Storage Authz Service forms a User Authorization Record into a SAML response and sends it back to gPLAZMA at the SE.
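As an added example, not code from gPLAZMA, GUMS or dCache, the following Python models the decision these eight steps describe together with the rule Authorization = (VO-allowed) && !(Site-vetoed) from the OSG AuthZ Approach slide: the denial-biased site assertion (Priority 1) is applied first, then {Membership, Role} is mapped to a Username and the Username to a Storage-privilege Set (Priority 2). The FQAN syntax, DN strings, mapping tables, storage paths and record fields are constructed assumptions.

```python
# Added example (not gPLAZMA's own code): a toy model of the OSG
# authorization decision described on these slides. Names, FQAN syntax,
# table contents and the record layout are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AuthzRecord:
    """Storage-privilege Set: the User Authorization Record returned to the SE."""
    username: str
    uid: int
    gid: int
    storage_area: str
    read_only: bool

def parse_fqan(fqan: str) -> tuple[str, str]:
    """Split a VOMS-style FQAN ('/cms/Role=cmssoft/Capability=NULL')
    into (VO membership group, Role). A missing Role means 'NULL'."""
    parts = [p for p in fqan.split("/") if p]
    groups = [p for p in parts if "=" not in p]
    attrs = dict(p.split("=", 1) for p in parts if "=" in p)
    if not groups:
        raise ValueError(f"FQAN has no VO group: {fqan!r}")
    return "/" + "/".join(groups), attrs.get("Role", "NULL")

# Site-wide Assertion Service (SAZ): Bias DENIAL, Priority 1. Constructed veto list.
SITE_VETO = {"/DC=org/DC=example/OU=People/CN=Revoked User"}

# Site-wide Mapping Service (GUMS-like): {Membership, Role} -> Username.
# Bias ACCESS, Priority 2. Constructed sample table.
ROLE_MAP = {("/cms", "cmssoft"): "cmssoft", ("/cms", "NULL"): "cmsuser",
            ("/cms", "cmsphedex"): "cmsphedex"}

# Storage Metadata Service: Username -> (UID, GID, storage area, read-only?). Constructed.
STORAGE_META = {"cmssoft": (5001, 500, "/pnfs/cms/sw", False),
                "cmsuser": (5002, 500, "/pnfs/cms/sw", True),
                "cmsphedex": (5003, 500, "/pnfs/cms/phedex", False)}

def authorize(dn: str, fqan: str) -> Optional[AuthzRecord]:
    """Authorization = (VO-allowed) && !(Site-vetoed).
    The denial-biased site assertion runs first; only then is the role mapped."""
    if dn in SITE_VETO:
        return None                  # site veto wins regardless of VO role
    group, role = parse_fqan(fqan)
    username = ROLE_MAP.get((group, role))
    if username is None or username not in STORAGE_META:
        return None                  # VO did not grant, or site has no mapping
    uid, gid, area, ro = STORAGE_META[username]
    return AuthzRecord(username, uid, gid, area, ro)
```

The cmssoft/cmsuser rows reproduce the slide's example of a software area writable by one Role and read-only for the other.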
14
[Diagram: end-to-end AuthZ for CEs and SEs. A Local or Remote Client presents a Proxy with VO Membership | Role Attributes issued by VOMS. Site-wide Assertion Service: Site SAZ. Site-wide Mapping Service: GUMS. Auxiliary Mapping Service: Storage metadata, behind the Storage Authorization Service. CE and SE (gPLAZMA) shown as the enforcing services.]
15
[Slide 14 diagram repeated unchanged.]
16
[Slide 14 diagram with the CE side detailed: Globus Gatekeeper with PRIMA callout, built on the PRIMA C SAML libraries.]
17
[Slide 16 diagram with the PEP (Policy Enforcement Point) label added at the CE's PRIMA callout.]
18
[Slide 16 diagram repeated unchanged.]
19
[Slide 16 diagram with the SE side detailed: SRM-GridFTP with gPLAZMA callout, built on PRIMA Java SAML, plus the gPLAZMALite Authorization Services suite.]
20
[Slide 19 diagram with the PEP (Policy Enforcement Point) label added at the SE's gPLAZMA callout.]
21
[Slide 19 diagram with the OGSA AuthZ interface labelled.]
22
[Slide 19 diagram with the acronyms expanded:]
gPLAZMA: grid-aware Pluggable Authorization Management System
GUMS: Grid User Management System
SAZ: Site Authorization Service
VOMS: Virtual Organization Membership Service
PRIMA: A System for Privilege Management and Authorization in Grids
23
[Slide 19 diagram with the contributors to each component:]
gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL
GUMS: Gabriele Carcassi, BNL
SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL
SRM-dCache: DESY/FNAL teams
VOMS: INFN teams, Italy
PRIMA: Markus Lorch, VT
24
Status
gPLAZMA native role-based authz mode deployed at the USCMS tier-2 production site at UCSD.
Work in progress for deployment at the tier-1 at FNAL.
GUMS role-based authz mode in final stages of development/packaging.
Deployment and usage of all modes on USCMS production dCache sites expected before Service Challenge 4.
25
Known Limitations
Not (yet) implemented for dcap.
Scalability of the site-central call-out not yet understood. (gPLAZMA native is a viable fallback.)
vi/emacs is the only administrative interface.
Options for communicating desired policies from VO to site are less than satisfactory. (General problem of role-based authz!)
26
Future Work
Add a MySQL-based backend to replace the storage authz records configuration file.
Complete gPLAZMA for dcap.
Understand scalability of the site-wide call-out.
Add an XACML-based authorization engine to dynamically assign storage authz mappings at the Site.
Explore XACML/SAML rule-based policy declaration (VO-level) and policy computation (Site-level).
27
Thank You.