1. G-PBox: current status and future plans
Speaker Andrea Ceccanti
Location CERN
Date 25/10/2007

2. Accessing resources Grid infrastructures need regulate:
accesses of users on resources sites
actions of users on resources sites (once accessed)
usage of whole grid resources (based on SLA)
A comprehensive solution would be to handle:
access policies (ACL) agreed by VOs and Sites
more-than-access policies agreed by VOs and Sites

3. Current limits
VO <-> Resource Providers configuration are uneasy and not automatic to set:
agreed SLAs
agreed and site-specific ACLs
agreed and site-specific policies
A lot of different ACL/SLA mechanisms
BDII exclusions
LCAS/LCMAPS configurations
WMS configuration
DATA management configuration
etc.

4. VO layer Grid layer Site layer PBox VO GRID Site PBox SubFARM
The design objective was “Distribution of Policy to allow for AuthZ hierarchies and to implement replication & fault tolerance of the GPBox services”
Site layer

5. Distribution VO GridX Site1 Site2 Site3
The administrator selects a policy and sends that policy to a set of G-PBoxes
The administrators of the target G-PBoxes:
See new policies in the “Incoming policies box”
Accept the new policies and put these policies in the correct policy set VO
G-PBox
SLAs
GridX
G-PBox
Site1
Site2
Site3
G-PBox
G-PBox
G-PBox
MSWG, December 6-7, 2007, Berkeley

6. GUI Used by VO/Site Administrators to manage policies Features:
“Off-line” policy management
Policy/Policyset editor
to ease creation of XACML
policies
Policy distribution management
Interacts:
with the G-PBox server
with VOMS-Admin
Proof of concept
No formal requirements yet from Site/VO Admins
RMI interface since interoperability is not an issue in this phase
No input/formal requirements from Site and VO admin
Proof of concept
Focus on usability
In this phase, interoperability was not a requirement (that’s why RMI)

7. GUI – Policy Navigator tab (2)‏
Right mouse button popup menu for Policy/PolicySet
Basic management operations
Enable/Disable
Cut&Paste
Change order
Send policies to other G-PBoxes
Distribution info
MSWG, December 6-7, 2007, Berkeley

8. GUI – Policy Navigator tab (3)‏
New Policy/PolicySet button
Generic XACML editor
Wizards
Create Policy
VO PolicySet
Share PolicySet
BlackList PolicySet
Import XACML Policy/PolicySet from file
MSWG, December 6-7, 2007, Berkeley

9. VOMS attribute selection dialog
Used by the Create Policy wizard to retrieve FQANs directly from VOMS servers
MSWG, December 6-7, 2007, Berkeley

10. GUI - Address Navigator tab
Register the G-PBoxes involved in the Policy distribution
MSWG, December 6-7, 2007, Berkeley

11. GUI – Send policy
The VO administrator selects a policy and sends it to other G-PBoxes
MSWG, December 6-7, 2007, Berkeley

12. GUI – Accept policy
Incoming policies have to be accepted and put in the correct policy hierarchy
MSWG, December 6-7, 2007, Berkeley

13. Performance Test results
G-PBox performance has been tested in the EGEE preview testbed
Results presented at the Helsinki’s AH Meeting
No measurable overhead on the CE & WMS side
Small performance improvements in
AuthZ & Mapping on the CE
Resource selection on the WMS
Presentati all all-hands di giugno
test ce e test wms
presentazione vincenzo user forum