1. 2006-12-19 1 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management

2. 2006-12-19 2 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management VO Management in running projects:  EGEE gLite  Open Science Grid (OSG) – VO Privilege VOMRS Features Using VOMRS with GT4  Pragmatic solution: volist & merge-gridmap  manage-local-gridaccounts: Flowchart  Serving multiple VOs & Sub-VOs

3. 2006-12-19 3 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 VOMS/VOMRS in EGEE gLite VOMRS (Igor Sfiligoi: gLite Authentication)

4. 4 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 VOMS/VOMRS in OSG VOMRS VOMS Globus Gatekeeper GUMS Facility Authorization Management Grid Facility CE Certificate register submit job callouts membership/ privileges get uid Is authorized? JobManager Certificate Proxy get proxy job Member membership/ privileges PRIMA SE SRM callouts gPlazma get uid, gid, rootpath SAZ (Tanya Levshina: VOMRS)

5. 5 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 AGD Grid Account Management VOMRS : VO Management, volist : communication manage-local-gridaccounts: local process VOMRS DB “volist“ servlet Member Certificate register Grid resource Globus Gatekeeper JobManager job grid- mapfile manage- local -grid-accounts job local grid- mapfile local config Auth lists group name Proxy Certificate Submit job List (DN+ID) & more (cronjob) Site-RA User manage NFS homes accounts homes

6. 6 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 VOMRS Features secure & authenticated management of VO membership, grid resource authorization and privileges:  2-phase registration workflow to register users with a VO  Dynamic set of collected personal information  Management of multiple grid certificates per member  VO-level control of member's privileges  Email notifications of selected changes and events  Permits delegation of responsibilities within the various VO administrators and group managers  Manages hierarchies of groups and group roles  Interfaces to third-party systems like VOMS

7. 7 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 volist Features:  interfacing VOMRS database via jndi  extracting required information via sql-statements  multiple options for data retrieval SELECT CONCAT('"',a.distinguished_name,'"') AS dn, a.member_id-1 AS id FROM member_dns a, members b WHERE a.is_primary_ind='Y' AND a.member_id=b.member_id AND b.member_status='Approved';  implemented as webapplication for tomcat container  http queries (htpasswd-security)  https queries (htpasswd-security + certification based authentication of host) wget --http-user Kerr --http-passwd Einstein \ "http://mintaka.aip.de:8080/volist/vomembers?print_id=1"

8. 8 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 Manage local grid accounts volist/ VOMRS VO list wget/https Map to pool account schema Remove non-allowed DNs Remove denied DNs Remap DNs to non-pool accounts Allowed DNs Denied DNs Remap DN+ID Remap with local gridmap local grid- mapfile Check account existence Log unknown accounts Create account for new DN Higher priority Write grid-mapfile grid- mapfile Create sudoers entries RunAs aliases Command entries Log new accounts Keep copy use visudo Local policies Prefix+format “agd” %.3d

9. 9 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 ManageLocalGridAccounts.pl Features: Queries list of VOMRS servers via volist for generating actual list of VO members parses listing into an adaptable schema of locally configurable usernames and groups (accounts) creates accounts on demand with checking existence and home allows for nfs-homes in cluster environments (separates creation of accounts and homes, if required)  addition: create_remote_homes.pl: takes local list from the script and creates via ssh (or rsh) homes, accounts and gridmap on nfs-host creates new gridmap file is designed to run as a regular cron job takes a list of VORMS-servers and option lists for different VO

10. 10 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 Serving multiple (Sub-)VOs VOMRS  VOMRS DB VOMRS A VOMRS DB “volist“ servlet A “volist“ servlet  Grid resource manage-gridmap local grid- mapfile Config Sub-VO /Omega/Uno Auth lists manage-gridmap grid- mapfile Config VO /Alpha Config VO /Omega

11. 11 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 Differences to GUMS GUMS :  duplicates VO-Management locally  by creating locally another VO-management tool  requires manual administration of local accounts  ‚is a "site tool" as opposed to a "VO tool“‘  implements (weak) interaction with gatekeepers  substitutes the gridmap file  requires local (java) coding for group/account mappings  does not generate accounts „on demand“  does not have a clean separation of VO-Management, information retrieval and local resource policies  requires additionally PRIMA on local resources  requires additional exchange mechanism for information exchange VOMRS & UNICORE  already has a clean implementation against OGSA AuthZ Interface (callout)

12. 12 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 Summary Using volist+ManageLocalGridUser.pl with VOMRS  separation into three independent steps  managing VOs with VORMS user registration local RA manages membership for their users central VO managers manage VO membership  retrieval of information from VORMS: volist: queries and retrieval of different sets of information –for resource-providers –other middleware : UNICORE VOMS VOMRS exchange  local grid-account management with ManageLocalGridUser.pl with –different mapping schema and choices –one-to-one mapping

13. 13 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 D-Grid Development Thinking ahead : Currently:  HEP uses VOMS  All other CG use Globus: they need VOMRS  UNICORE will remain a special thing for HPC, but UUDB has to be served as well  All need a regular (and flexible) means to manage their VO  Since VOMRS is independent of underlying middleware, we should use this on the VO-Management level  Since almost every CG uses Globus, a solution for VO Management has to be based on this fact  VOMS is heavily relying on gLite, so it’s a non-option for all CG except HEP  D-Grid Call II:  new CG are waiting to be integrated into D-Grid  they will base their grid infrastructure on Globus

14. 14 VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D) 2006-12-19 D-Grid Development Thinking ahead :  very few CG, except HEP and AGD, have a VO-Management established  Core D-Grid registers ~30..40 users  But: if only this amount of users comes from each CG, which hopefully will be the situation within the next year, a centralized approach will become unmanageable or inefficient (aka: users with certificates waiting on end to be registred on local resources, which already now is a common experience).  Consequence: establishing a  CG-centered VO-level management now with a VOMRS for each CG  interchange of data between those servers on a regular basis  separating VO-Management and local user management  linking both with simple tools will be an absolute necessity now  Inefficient VO-Management is one of the main obstacles for getting users interested in grid infrastructure and thus for the transformation from a playing ground for informatic freaks into a production means for science