A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.


Slide 1: A Model for Grid User Management. Rich Baker, Dantong Yu, Tomasz Wlodek, Brookhaven National Lab

6/16/2015 CHEP 03, La Jolla

Slide 2: Outline
- Motivation and System Requirements
- GUMS (Grid User Management System)
- System Design and Framework
- System Components
- System Installation
- Current Status, Existing Issues
- Future Work

Slide 3: GUMS: Scope & Limitations
- Develop a Model for Distributed User Registration
- Work With Existing VO Management Tools
- Help Define Requirements for New & Improved VO Tools
- Focus on Site Tools for User Management

Slide 4: User Registration
- Many Sites Require Pre-registration of Users
- Sites Will Need to Serve Large Sets of Users
- Users Will Need Access to a Large Number of Sites
- Sites and VOs Will Need to Work Out User Registration Mechanisms

Slide 5: Registration Requirements
- Site Requirements
  - Collect Sufficient Information About the User and the Registration Chain
  - Provide Information to the Site in a Secure, Trusted, Auditable Manner
  - "Reasonably" Static User List
  - Store History Information; Keep Updated User Information and User Membership
- User Requirements
  - Register Once Per Virtual Organization
  - Registration Must Be "Reasonably" Local
  - "Reasonable" and Static Number of Data Items
- VO Requirements
  - Sites Must Have a "Reasonably" Complete and Up-to-date User List
  - Extensibility for Including More Information

Slide 6: Automated Registration
- Software Tools: The Easy Part
  - VO User Registry: N-Column Database; Several Approaches: VOMS, VO Server Software
  - Local User Registration Authorities: M-Column Database and a Configurable Tool for Periodically Pushing Users Up to the VO or Regional Authority
  - Site: User Database, Configurable Tool to Periodically Pull User Info From One or More VOs, Perform Local Account Mapping, Create the Grid-mapfile
- Trust Relationships: The Hard Part
  - A VO Structure Needs to Be Created That Will Enforce Agreed Registration Requirements
  - Every Site Must Be Able to Trust Every Registrar
  - Protect User Privacy

Slide 7: GUMS: A Scalable Grid User Management System (figure; labels recoverable from the slide: Virtual Organization, User info, UNM)

Slide 8: Schematic Diagram (figure; labels recoverable from the slide: VO User Registry Database; Regional Registration Authority?; Local Registration Authority; VO #2, VO #3, ... Databases; Site User Info Database; Local Policy; Local Account Management; grid-mapfile; Site; Push/Pull arrows between the registration authorities, the VO databases and the site)

Slide 9: Grid User Management System Architecture (figure; labels recoverable from the slide: VO server; User info importer; Grid-Mapfile Generation Module; Account Creation and Mapping; grid-mapfile; Cron Job; Banned User; Synchronize; New user; Membership; User left VO; CRL Download; User Info; Mapping Tables Update; Cron Job)

Slide 10: GUMS Components
- User Info Importer
  - Pulls User Information From Multiple VO User Databases (LDAP, RDB)
  - Writes User Information Into the Local Database, Updates User Membership
  - Command Line Tool in the Current System: getVOusers
- Invokes Local Tools That Track and Manage Local Accounts
  - New Users: Interacts With the Local User Management System to Request New Accounts for the Users
  - Old Users: Interacts With the Local User Management System to Update User Authorization (Group Membership, for Example)
  - Maintains the Banned User Lists
  - Tools Implemented: initdb, getVOusers, updategroup
- Interface Into the Grid Security System
  - For the Globus Gatekeeper, Generates a Grid-mapfile From the Local Database
  - Tool Implemented: generate_gridmapfile
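As an added illustration (not GUMS's own code) of the last stage described on slides 9 and 10, the following builds grid-mapfile entries from a local user table, applying a site mapping table and the banned list and dropping users who have left their VO. The record layout, DNs, VO/group names and account names are all constructed for the example.

```python
"""Build Globus grid-mapfile lines from a GUMS-style local user database.

Constructed example: record layout, mapping table and banned list are
assumptions made for illustration, not the layout GUMS itself uses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VOUser:
    dn: str       # X.509 subject DN as it appears in the user's certificate
    vo: str       # virtual organization the record was pulled from
    group: str    # group within the VO
    active: bool  # False once the VO server no longer lists the user


# Constructed sample of what the user-info importer would hold locally.
LOCAL_DB = [
    VOUser("/O=Grid/OU=usatlas/CN=Alice Example", "usatlas", "production", True),
    VOUser("/O=Grid/OU=atlas/CN=Bob Example", "atlas", "testbed1", True),
    VOUser("/O=Grid/OU=atlas/CN=Carol Example", "atlas", "testbed1", False),
    VOUser("/O=Grid/OU=usatlas/CN=Dave Example", "usatlas", "production", True),
]

# Local policy: (VO, group) -> local account. Constructed values.
MAPPING_TABLE = {
    ("usatlas", "production"): "usatlas1",
    ("atlas", "testbed1"): "atlas",
}

# Site-maintained banned list, consulted before any mapping is emitted.
BANNED = {"/O=Grid/OU=usatlas/CN=Dave Example"}


def generate_gridmapfile(users, mapping, banned):
    """Return grid-mapfile lines: one '"DN" account' entry per authorized user.

    Banned users, users who left their VO, and users whose (VO, group) has
    no local mapping are skipped, so they lose gatekeeper access at the
    next cron run that rewrites the file.
    """
    lines = []
    for u in users:
        if not u.active or u.dn in banned:
            continue
        account = mapping.get((u.vo, u.group))
        if account is None:
            continue
        lines.append(f'"{u.dn}" {account}')
    return lines
```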

Slide 11: Current Status and Known Issues
- Status:
  - System Software Available to All USATLAS Testbed Sites
  - Ready to Run, Detailed Man Page
  - Four VO Servers Are Used:
    - USATLAS VO SERVER group: ldap://spider.usatlas.bnl.gov:6200/ou=us-atlas,o=atlas,dc=ppdg-datagrid,dc=org
    - ATLAS VO SERVER group: ldap://grid-vo.nikhef.nl:389/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org
    - EDG VO SERVER group: ldap://grid-vo.cnaf.infn.it/ou=group1,o=datatag,dc=org
    - GLUE SCHEMA TESTBED group: ldap://rod.mcs.anl.gov/ou=group1,o=glue,c=us
- Issues:
  - Incomplete User Information Collected by the VO Server; VO Servers Must Be Extended to Keep More User Information
  - Lack of Security in Authentication
    - Anonymous Mode Is Used to Access the LDAP-based VO Server: GSI?
    - Plain Password Authentication With the MySQL-based Local Database

Slide 12: Current Status
- The First Stage of Development Is Completed
  - Available for Download: http://www.atlasgrid.bnl.gov/testbed/gums
  - Ready to Run, Detailed Man Page
- Characteristics
  - Tractable, Flexible
  - Satisfies the User Registration Requirements
  - GUMS Can Easily Support Large Numbers of Users Accessing Multiple Grid Sites
  - Easy Installation and Management
- The User Base Is Still Small Enough for Traditional Registration Methods, Which Can Be Used in Parallel With Distributed/Automated Tools

Slide 13: Future Plan
- A Security Module Replaces the Plain Password/Anonymous Authentication
  - MySQL 4.0.12 (the Latest Production Release) Supports SSL-Encrypted Connections and X.509 Certificates. We Are Looking Into Using a GSI-Enabled MySQL Server As Our Local User DB
- Web Interface to Manage GUMS
- Having a Real User Management System Will Expose Issues/Problems and Begin Building the Trust Infrastructure
  - Force Some Sites to Start Addressing Remote User Registration Issues
  - Create and Deploy User Management Tools at Some ATLAS Sites to Work With the ATLAS VO in Computing Exercises, for Example: Data Challenge & Reconstruction
