Presentation is loading. Please wait.

Presentation is loading. Please wait.

SVOPME A Scalable Virtual Organization Privileges Management Environment ISGC 2010, Taipei, Taiwan March 11, 2010 Funded by US DOE OASCR Grant #DE-FG02-07ER84733.

Published byAlexandrina Haynes Modified over 9 years ago

Similar presentations

Presentation on theme: "SVOPME A Scalable Virtual Organization Privileges Management Environment ISGC 2010, Taipei, Taiwan March 11, 2010 Funded by US DOE OASCR Grant #DE-FG02-07ER84733."— Presentation transcript:

1 SVOPME A Scalable Virtual Organization Privileges Management Environment ISGC 2010, Taipei, Taiwan March 11, 2010 Funded by US DOE OASCR Grant #DE-FG02-07ER84733 Nanbor Wang Gabriele Garzoglio Balamurali Ananthan Steven Timm Tanya Levshina Tech-X Corporation Fermi National Accelerator Laboratory

2 2/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Outlines Project overview –What SVOPME tries to address Architecture and implementations Outlook and planning

3 3/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment What are VO Privileges? VOs use resources VOs wish to define usage policies for various resources for different users within the VOs – Example 1: Production team members submit jobs with higher priority – Example 2: Software team members can write to disk area for software installations VOs define user privileges at different resources to comply with the expressed usage policies However, VOs do not manage/configure all Grid sites Grid sites provide resources Grid sites may want to provide different services to different VOs – Example 3: site X has a special agreement with VO Y; therefore, jobs from VO Y might have higher priority than others Grid sites help VOs to enforce their usage policies by managing user privileges Grid sites don’t define VOs’ usage policies Site and VO Challenge: Enforcing heterogeneous VO privileges on multiple Grid sites to provide uniform VO Policies across the Grid (ad hoc solution: verbal communication) Virtual Organizations: Grid Sites:

4 4/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Motivations of SVOPME With the growth in Grid usage, both the numbers of VOs and Grid-sites increase Serious scalability problems in propagating VO privilege policies SVOPME: –Provide the tools and infrastructure to help VOs express their policies Sites support a VO –Reuse proven administrative solutions – we adopt common system configuration patterns currently in use in major grid sites … CMSUSATLAS CompBioGrid STAR LIGO Fermilab SDSSiVDGL FERMIGRIDCMS-T2 LIGO-MIT GPFARM UCSDT2UC-ATLAS ASGC STAR-BNL Address scalability

5 5/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Modern User Privilege Management Moving away from the use of gridmap files to VOMS/GUMS role-based privilege management –Eliminate the need for multiple user certificates –Similar trend can be observed in EGEE (LCAS/LCMAPS + SCAS and VOMS) Managing requests priority for both SE and CE The OSG Authorization Infrastructure

6 6/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment SVOPME Helps VO’s Propagate Privilege Policies to Grid Sites SVOPME aims to replace the verbal interaction between VO and site admin’s with automated workflows VO’s intended privilege policies are clearly defined –Using eXtensible Access Control Markup Language (XACML) –No ambiguity –Allow programmatic verification of policies –XACML is also used by AuthZ Interoperability project Site’s actual policies can be verified SVOPME provides recommendations to site configurations for better VO supports VO Privilege Policies Site Privilege Policies Site Configurations Configuration Recommendations Propagate Verify Synthesize SVOPME Concept Diagram

7 7/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Survey of Resources and Policies Managed on the Grid Resources –OS protection (account types: group or pool) –Batch system –File system –External storage (SRM/dCache) –Network access (inbound/outbound) –Edge services Policies expressed by the Site –Timed availability (execution time slots for certain VO users) Policies expressed by both –Disk quota –File retention period –Network (inbound/outbound) access control Policies expressed by the VO –Account type –Intra-VO relative priority in batch system –Directory access (group privacy) permissions –Job pre-emption (Consecutive execution period) –Suspension/resumption of jobs –User file privacy –Two roles to share the same GID –Repeat execution (Allowing restart or not in batch system) ? Highlighted policies are supported

8 8/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment SVOPME Architecture VO Privilege Policy Editor XACML VO Privilege Policies XACML VO Requests VO Storage Elements Computing Elements VO Administrator Grid Probe XACML Effective Site Access Policies Policy Advisor Policy Comparer Creates/Edits Synthesizes Crawls Uses Compliance Report Generates Suggested Changes Site Administrator Applies Uses Grid Site SVOPME Application XACML Document Text Document

9 9/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment SVOPME VO Tools VO Privilege Policy Editor XACML VO Privilege Policies XACML VO Requests VO VO Administrator Creates/Edits Uses VOMS Client VOMS Server Request Archiver Comparer Client Time-stamped Zip Archieves Reads Creates Uses Latest Invokes Grid site comparer service Uses Retrieves VO Groups/Roles VO HTTP Server Published via

10 10/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment XACML VO Policy Editor (Domain Specific) XACML is –An XML-based language for specifying access control policies –Suitable for machine processing (deciding permissions on actions) –Way too generic to reason an arbitrary policy SVOPME –Takes a domain specific approach –Defines a set of “profiles” of meta-policies –Each meta-policy defines a type of policy VO can define –For example: Account Mapping Policy - Group X should run with pool account The VOMS client obtains information about all the Group/Role and the number of users from the VOMS server on VO editor’s behave. Support for new policy types can be added as “Policy Template” plug-in’s VO Administrator can create and edit a set of policies Reject contradicting policies – (will leverage Model checking Grid Policies by JeeHyun)

11 11/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment VO Policy Editor Screenshot

12 12/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment VO Policy Data Management The Editor stores the policies and verification requests under predefined directories Request Archiver collects and zips up verification requests into time-stamped zip files –Can be used by sites to examine their compliance –Time-stamped request zip archives are made available to site via a simple web page –Sites can scan the page and determine the latest version VO admins and users can use Comparer Client to contact and check a site’s support to VO policies

13 13/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Mechanism for Synthesizing Grid Site Privilege Policies “Grid Probe” in a nutshell –Policy building and configuration crawling functions are separated –Depending on the target privilege, different info is necessary: there are multiple crawling executables –Invoked by different cron tasks with diff privileges –Dump the info as simple text files at a specific directory –Allow site-specific probes Configuration checked –Condor/GUMS config –Disk quota/directory permissions Policy Builder –Parses the intermediate configuration info –Synthesizes the effective privilege policies of a site into XACML policies Disk Quota Probe Intermediate Config Info Policy Builder XACML Effective Site Access Policies Synthesizes Grid Probe

14 14/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Analyzing Site Configurations VO Request Retriever –Checks if the local VO verification requests is up-to- date –Cache the new verification requests if needed Policy Comparer and Advisor –Test compliance by testing the verification requests one-by-one –Since all requests and policies are based on our XACML profiles, reports and advises can be derived XACML Effective Site Access Policies Policy Advisor Policy Comparer Uses Compliance Report Generates Suggested Changes VO Request Retriever XACML VO Verification Requests VO HTTP Server Checks timestamp Caches if necessary

15 15/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment VO/Grid Policies Comparer  Example output: [java] VO/Grid Grid Accounts Policy Comparison [java] --------------------------------------- [java] /TECHX/Role=User is mapped to 1 account(s) on the Grid site. Passed! [java] No Account Mapping Policies for /TECHX/VISITORS were found on the Grid site.  Policy Comparer Grid Service –Allow VO users to check privilege policy compliance at a site –Instead of cached verification requests, users supply a list of verification requests related to policies of interests –SVOPME provides a policy comparer client as part of the VO tools –Currently only provide text reports – should provide a mechanism for further automate the information gathering

16 16/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment VO/Grid Policies Advisor  Provide advice for the Grid site administrator on what amendments need to be done on the Site; such that the Grid site complies with the VO policies  Example output:  VO requested 3 accounts for VISITORS role via VO policies  Site-policies derived from GUMS do not match [java] VO/Grid Grid Accounts Policy Advices [java] ------------------------------------ [java] No matching Grid Accounts Policy was found for /TECHX/VISITORS on the Grid site. Create a mapping in GUMS config such that /TECHX/VISITORS be mapped to at least 3 account(s) [java] TECHX/Role=VO-Admin mapped to 1 account(s) (techxVOadmin) on the Grid site, is not suffient enough. Needs to be mapped to atleast 3 accounts.

17 17/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Advantages for VOs and Sites VO’s No need to run ad-hoc jobs to figure out what policies are enforced and what not Provides templates to define commonly used policies Automates most of the communication with Sites that support the VO Provides the basis for the negotiation of privileges at sites that provide opportunistic access Sites Sites can advertise and prove that a VO is supported Sites that want to support a VO have a semi-automated mechanism to enforce the VO policies Privilege enforcement remains responsibility of the Site, informed by formal VO policy assertions

18 18/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Experiments on FermiGrid’s Integrated TestBed Using “Dzero” and “Engage” VO’s privileges as a real-world examples Validation requests are copied over to the site (FGITB) using the “Retriever” tool Two different probes run with different privileges “Engage” VO will continue to expand and incorporate other smaller sub-VO’s Was able to detect several anomalies –Enhanced disk quota probes – multiple filesystems –Re-wrote quota/filesystem probe to use python – easier for admins to examine –Detected one missing account mapping –Legacy pool account configurations Separating probes allows easy adaption to site with unconventional confiurations

19 19/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Extending Meta-Policies Steps to extend SVOPME to support new privilege policy profiles –Define what access right the policy type would control (subject, action, etc.) –Define how the XACML policy would look like –Extend the VO Editor to support the policy type –Extend Grid Probe to crawl relevant resource configs –Extend Policy Comparer/Advisor to interpret the test results Currently, it’s not so trivial to extend the supported meta-policies (profiles) Need to refactor design to guide developers –Using interfaces –Using generic classes

20 20/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Future Directions We are recruiting VO’s and sites to deploy SVOPME to production Grids Ongoing enhancements –VO-side needs to be able to deal with multiple grid sites for policy compare –Grid-side needs to be able to organize multiple VO info –Overall site status chart for VO’s –Code refactoring Prioritize further improvements to the tools based on feedbacks –Correctness Comparer may need to be changed to only return a list of allow/deny decisions Currently, only examine compliance, not redundant policies –Additional meta-policies –Better defined dataflow/tools –Adopting OSG AuthZ profiles

21 21/23 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment Conclusions SVOPME ensure uniform access to resources by providing an infrastructure to propagate, verify, and enforce VO policies at Grid sites SVOPME integrates with the OSG Authorization Infrastructure We continue to enhance SVOPME design and implementations We are soliciting interested VO’s and sites to deploy SVOPME in a production environment We love to hear your comments and suggestions https://ice.txcorp.com/support/wiki/MidSys/SVOPME

Download ppt "SVOPME A Scalable Virtual Organization Privileges Management Environment ISGC 2010, Taipei, Taiwan March 11, 2010 Funded by US DOE OASCR Grant #DE-FG02-07ER84733."

Similar presentations

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.

The SAM-Grid Fabric Services Gabriele Garzoglio (for the SAM-Grid team) Computing Division Fermilab.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
REFACTORING Lecture 4. Definition Refactoring is a process of changing the internal structure of the program, not affecting its external behavior and.

REFACTORING Lecture 4. Definition Refactoring is a process of changing the internal structure of the program, not affecting its external behavior and.
Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG www.opensciencegrid.org International.

Open Science Grid Software Stack, Virtual Data Toolkit and Interoperability Activities D. Olson, LBNL for the OSG International.
GRACE Project IST-2001-38100 EGAAP meeting – Den Haag, 25/11/2004 Giuseppe Sisto – Telecom Italia Lab.

GRACE Project IST EGAAP meeting – Den Haag, 25/11/2004 Giuseppe Sisto – Telecom Italia Lab.
Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.

Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.
OSG Public Storage and iRODS

OSG Public Storage and iRODS
SVOPME: Scalable Virtual Organization Privilege Management Environment Nanbor Wang 1, Balamurali Ananthan 1, Gabriele Garzoglio 2, Steven Timm 2 1 Tech-X.

SVOPME: Scalable Virtual Organization Privilege Management Environment Nanbor Wang 1, Balamurali Ananthan 1, Gabriele Garzoglio 2, Steven Timm 2 1 Tech-X.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
Nicholas LoulloudesMarch 3 rd, 2009 g-Eclipse Testing and Benchmarking Grid Infrastructures using the g-Eclipse Framework Nicholas Loulloudes On behalf.

Nicholas LoulloudesMarch 3 rd, 2009 g-Eclipse Testing and Benchmarking Grid Infrastructures using the g-Eclipse Framework Nicholas Loulloudes On behalf.
Module 9 Configuring Messaging Policy and Compliance.

Module 9 Configuring Messaging Policy and Compliance.

Similar presentations

Ads by Google