Presentation is loading. Please wait.

Presentation is loading. Please wait.

The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK

Published byJason Roach Modified over 10 years ago

Similar presentations

Presentation on theme: "The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK"— Presentation transcript:

1 The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 16-Feb-06David Kelsey, GGF16, LCG AuthZ2 Outline Authorization for Particle Physics (LHC at CERN) Introduction: Experiments and WLCG EGEE AuthZ and VO management AuthZ/Interoperation requirements –ATLAS as an example VOMS deployment Issues and Interoperation Some personal comments Disclaimer: The information contained here is not official statements by WLCG or the LHC Experiments or EGEE or GridPP

3 Les Les Robertson LCG Project Leader High Energy Physics using a worldwide computing grid CERN December 2005 WLCG = The Worldwide LCG Collaboration

4 last update 20/04/2014 17:24 LCG les robertson - cern-it-4 The accelerator generates 40 million particle collisions (events) every second at the centre of each of the four experiments detectors The LHC Accelerator

5 last update 20/04/2014 17:24 LCG les robertson - cern-it-5 LHC DATA This is reduced by online computers that filter out a few hundred good events per sec. Which are recorded on disk and magnetic tape at 100-1,000 MegaBytes/sec ~15 PetaBytes per year for all four experiments

6 last update 20/04/2014 17:24 LCG les robertson - cern-it-6 Resources for LHC Data Handling 15 PetaBytes of new data each year CMS LHCb ATLAS ALICE 1 Petabyte (1PB) = 1000TB = 10 times the text content of the World Wide Web ** ** Urs Hölzle, VP Operations at Google 100,000 of todays fastest processors 150 times the total content of the Web each year

7 last update 20/04/2014 17:24 LCG les robertson - cern-it-7 High Energy Physics: a global community 1800 physicists (including 400 students) 150 universities/laboratories 34 countries.

8 last update 20/04/2014 17:24 LCG les robertson - cern-it-8 Global Science needs a Global Grid LCG depends on two major science grid infrastructures – EGEE and the US Open Science Grid Interoperation very important EGEE Feb 2006 184 Grid sites 42 countries 21,000 CPUs EGEE Feb 2006 184 Grid sites 42 countries 21,000 CPUs

9 16-Feb-06David Kelsey, GGF16, LCG AuthZ9 Authorization & VO Management in EGEE In EGEE gLite and LCG middleware Global AuthZ (VOMS) –Virtual Organization Membership Service VO members, their groups and roles Provides digitally signed AuthZ attribute certificate –Included in the grid proxy certificate –A PUSH model (user can select roles and VOs) Local AuthZ –Local Centre Authorization Service (LCAS) A framework to handle local policy (e.g. banned users) –Local Credential Mapping (LCMAPS) Provides local credentials (Kerberos/AFS, ldap nss…) Local policy decisions (CE and SE) –Can decide and enforce policy on VOMS attributes n.b. LCAS/LCMAPS is just one local AuthZ service

10 16-Feb-06David Kelsey, GGF16, LCG AuthZ10 LHC AuthZ requirements Some general AuthZ requirements (not complete list!) A VO (experiment) wishes to centrally control –Fine-grained access control (data) –Fine-grained access control/priority (cpu) Priority likely to be dynamic –By Group membership, by role, or individual Individuals may belong to more than one VO –User must be able to choose for each session User must be able to select a role(s) per session –Not always super-user! Sites need to apply local policy based on AuthZ attributes No need for data encryption – integrity more important Privacy (no read) between experiments (or groups) needed Accounting/Auditing required (at group/role/individual) AND MUST INTEROPERATE BETWEEN GRIDS

11 A. De Salvo – ATLAS plans and requirements for Authorization in LCG for 2006 – LCG Authorization Workshop 13-9-2005 16-Feb-06 David Kelsey, GGF16, LCG AuthZ11 ATLAS (Alessandro De Salvo) Workload Management groups and roles Workload Management roles (3) Workload Management roles (3) Grid software administrator Grid software administrator Responsible of the installation of the experiment software. Production manager Production manager Production user, will have higher priority than normal users for official group productions and will be able to place files in commonly accessible areas User User Any normal userAny normal user Workload Management groups (~20) Workload Management groups (~20) Physics and Combined Performance working groups Physics and Combined Performance working groups One group for each Physics Working Group and Combined Performance GroupOne group for each Physics Working Group and Combined Performance Group Testing, validation and central production activities groups Testing, validation and central production activities groups

12 A. De Salvo – ATLAS plans and requirements for Authorization in LCG for 2006 – LCG Authorization Workshop 13-9-2005 16-Feb-06 David Kelsey, GGF16, LCG AuthZ12 ATLAS Database and Data Management groups and roles Database access roles (5) Database access roles (5) Administrator Administrator Administrators manage the installation of database servers and give access rights to other users. Developer Developer Database applications developers for particular software domains (full access right to particular databases) Editor Editor People having UPDATE or DELETE rightsPeople having UPDATE or DELETE rights Writer Writer People having INSERT or SELECT rightsPeople having INSERT or SELECT rights Reader Reader People having only the SELECT privilegesPeople having only the SELECT privileges Data Management groups and roles Data Management groups and roles The same groups and roles as for the Workload Management The same groups and roles as for the Workload Management

13 16-Feb-06David Kelsey, GGF16, LCG AuthZ13 VOMS deployment in LCG One central VOMS service (CERN) per experiment –for use on all Grids –Linked to the Experiment User Database (HR) Difference between a group and a role? Membership of all Groups –always present in VOMS proxy cert Roles may be requested (or not) by the user –E.g. super-user

14 16-Feb-06David Kelsey, GGF16, LCG AuthZ14 Interoperation/Issues (1) All GRIDs must understand VOMS attributes All services/middleware must understand VOMS –Gridftp will be used for some years ahead Not VOMS-aware so still need a grid mapfile User therefore can only belong to one VO Local sites need to interpret the attributes sensibly –Not necessarily the same, but not contradictory Cannot today implement large numbers of groups and roles –batch systems/schedulers use UNIX group id –Need a separate gid for every combination of group/role –too many! LHC trying to limit the number for now –(Per VO) 2 to 4 groups and 2 to 4 roles (sum <= 6)

15 16-Feb-06David Kelsey, GGF16, LCG AuthZ15 Interoperation/Issues (2) Can we standardise the names of common roles? –No conclusion yet in LHC –Concerns about names becoming hard-wired into code –May be too hard or not worth it LHC Groups/Roles today –All experiments have one group = lcg1 For general users (old names stick!) –CMS has defined some physics groups (no need to standardise) StandardModel, HeavyIons, Higgs, … –Role names VO-Admin(the VO managers) lcgadmin(software managers) production(managers of data production) But note… also cmsprod and usprod

16 16-Feb-06David Kelsey, GGF16, LCG AuthZ16 Interoperation/Issues (3) How do VOs define a global/central policy? And will this be interpreted same by all Grids? –Each VO needs to be able to set processing priority By group (to give a physics topic priority) Dynamically and for short periods of time Without having to get sites to reconfigure –Should they assign a role? –Or a VOMS capability (not used yet) –Or maybe nothing to do with VOMS E.g. VO Global policy could be applied at the Resource Broker (new G-PBox)?

17 16-Feb-06David Kelsey, GGF16, LCG AuthZ17 Interoperation/Issues (4) A user can belong to multiple groups –How does the work performed run/accounted correctly (in correct group) –And will all Grids do this the same way? And linked to AuthZ… –Will Grids be able/willing to share accounting and/or auditing information? This is required by the VO But usually handled by the Grid Operations Technical and/or legal problems

18 16-Feb-06David Kelsey, GGF16, LCG AuthZ18 References The Worldwide LHC Computing Grid http://lcg.web.cern.ch/LCG/ http://lcg.web.cern.ch/LCG/ LCG/EGEE Joint Security Policy Group http://proj-lcg-security.web.cern.ch/ EGEE JRA3 (Security) http://egee-jra3.web.cern.ch/ http://egee-jra3.web.cern.ch/

19 16-Feb-06David Kelsey, GGF16, LCG AuthZ19 Personal Comments EU DataGrid, EGEE and LCG have been working with VOMS for several years now –And still we are only just getting it going VOMS is logically rather simple –But lots of details need to be handled Its difficult meeting AuthZ requirements within a Grid –Let alone between Grids Production Grids do not like change –E.g. LCG wants stability over the LHC startup (1 year?) To have any chance of a working AuthZ system between large global production Grids we must start simply and improve slowly –When security is too hard, people turn it off!

Download ppt "The LHC experiments AuthZ Interoperation requirements GGF16, Athens 16 February 2006 David Kelsey CCLRC/RAL, UK"

Similar presentations

Demonstrations at PRAGMA 13 10 demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.

Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
S.L.LloydATSE e-Science Visit April 2004Slide 1 GridPP – A UK Computing Grid for Particle Physics GridPP 19 UK Universities, CCLRC (RAL & Daresbury) and.

S.L.LloydATSE e-Science Visit April 2004Slide 1 GridPP – A UK Computing Grid for Particle Physics GridPP 19 UK Universities, CCLRC (RAL & Daresbury) and.
1 ALICE Grid Status David Evans The University of Birmingham GridPP 14 th Collaboration Meeting Birmingham 6-7 Sept 2005.

1 ALICE Grid Status David Evans The University of Birmingham GridPP 14 th Collaboration Meeting Birmingham 6-7 Sept 2005.
24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
1 ALICE Grid Status David Evans The University of Birmingham GridPP 16 th Collaboration Meeting QMUL 27-29 June 2006.

1 ALICE Grid Status David Evans The University of Birmingham GridPP 16 th Collaboration Meeting QMUL June 2006.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
Your university or experiment logo here What is it? What is it for? The Grid.

Your university or experiment logo here What is it? What is it for? The Grid.
GridPP Building a UK Computing Grid for Particle Physics www.gridpp.ac.uk A PPARC funded project.

GridPP Building a UK Computing Grid for Particle Physics A PPARC funded project.
Slide 1 of 24 Steve Lloyd NW Grid Seminar - 11 May 2006 GridPP and the Grid for Particle Physics Steve Lloyd Queen Mary, University of London NW Grid Seminar.

Slide 1 of 24 Steve Lloyd NW Grid Seminar - 11 May 2006 GridPP and the Grid for Particle Physics Steve Lloyd Queen Mary, University of London NW Grid Seminar.
Particle physics – the computing challenge CERN Large Hadron Collider –2007 –the worlds most powerful particle accelerator –10 petabytes (10 million billion.

Particle physics – the computing challenge CERN Large Hadron Collider –2007 –the worlds most powerful particle accelerator –10 petabytes (10 million billion.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
GGF16, Athens AuthZ Interoperability Here and Now Workshop, 16 Feb 2006.

GGF16, Athens AuthZ Interoperability Here and Now Workshop, 16 Feb 2006.
Computing for LHC Dr. Wolfgang von Rüden, CERN, Geneva ISEF students visit CERN, 28 th June - 1 st July 2009.

Computing for LHC Dr. Wolfgang von Rüden, CERN, Geneva ISEF students visit CERN, 28 th June - 1 st July 2009.
Service Data Challenge Meeting, Karlsruhe, Dec 2, 2004 Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft Plans and outlook at GridKa Forschungszentrum.

Service Data Challenge Meeting, Karlsruhe, Dec 2, 2004 Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft Plans and outlook at GridKa Forschungszentrum.
CBPF J. Magnin LAFEX-CBPF. Outline What is the GRID ? Why GRID at CBPF ? What are our needs ? Status of GRID at CBPF.

CBPF J. Magnin LAFEX-CBPF. Outline What is the GRID ? Why GRID at CBPF ? What are our needs ? Status of GRID at CBPF.
GridPP From Prototype to Production David Britton 21/Sep/06 1.Context – Introduction to GridPP 2.Performance of the GridPP/EGEE/wLCG Grid 3.Some Successes.

GridPP From Prototype to Production David Britton 21/Sep/06 1.Context – Introduction to GridPP 2.Performance of the GridPP/EGEE/wLCG Grid 3.Some Successes.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
1 User Analysis Workgroup Update  All four experiments gave input by mid December  ALICE by document and links  Very independent.

1 User Analysis Workgroup Update  All four experiments gave input by mid December  ALICE by document and links  Very independent.

Similar presentations

Ads by Google