Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Argus gLite Authorization Service Status.

Published byBritton O’Brien’ Modified over 9 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Argus gLite Authorization Service Status."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Argus gLite Authorization Service Status Update GDB October 14, 2009 Christoph Witzig, SWITCH (christoph.witzig@switch.ch)

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 2 Outline Introduction Short Motivation and Description for the New Service Deployment Proposal Current Status Appendix: –A: More detailed motivation –B: Feature list of the service

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 3 Introduction Argus: gLite authorization service Institutions involved: –CNAF –HIP –NIKHEF –SWITCH Plan: –1st year EGEE-III: Software design and development –2nd year EGEE-III: certification, initial deployment (PPS, production) Note abbreviation: authZ = authorization

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 4 A New Service - Why? Support for authorizing multi-user pilot jobs Simple operation through CLI Contains simple debugging tool for authorization decisions Supports global banning lists –Only if configured at the site (site autonomy!) –OSCT wants to offer this service to the sites Monitoring of the service through Nagios plug-ins Roadmap for integrating other gLite Services exist –Prospect of having one centralized authorization service for all services at a given site  WN, (one or several) CE, (one or several) SE  WMS See appendix A and B for further information and feature list

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 5 Initial Deployment at a Site (1/3) PDPd PAP PDP EES PAP = Policy admin. point PDP = Policy decision point PEP = Policy enforcement point EES = Execution env. srv

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 6 Initial Deployment at a Site (2/3) PDPd PAP PDP EES PAP = Policy admin. point PDP = Policy decision point PEP = Policy enforcement point EES = Execution env. srv

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 7 Initial Deployment at a Site (3/3) PDPd PAP PDP EES PAP = Policy admin. point PDP = Policy decision point PEP = Policy enforcement point EES = Execution env. srv

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 8 Proposed Deployment Plan Deployment during EGEE-III Adoption during EGEE-III

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 9 CLI Operation All operational commands from command line –(Un-)banning a user:  pap-admin ban subject  Pap-admin un-ban subject –(Un-)banning an FQAN  pap-admin ban fqan /switch/test  pap-admin un-ban fqan /switch/test –Debugging authorization decisions:  pepcli -p https:// -c /tmp/x509up_u964 -r res_nok -a my_action Decision: Deny  pepcli -p https:// -s -f /switch -f /switch/test -r test -a test Decision: Permit Username=testb002 UID=5101 GID=5100 Secondary GIDs=5300

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 10 Deployment Options Initial deployment:  All components on one single host using YUM and configured with YAIM Flexibility of the service allows different deployment models Options: –Alternate deployment options are initially supported by authZ development team on a case-by-case basis –Duplicate installations of individual components –Next release: Multiple installation of the service across several hosts  No need for a shared file system

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 11 Load and Aging Tests Load and aging tests were done before submitting to certification Load tests: –Service Host: 1x 2.33GHz CPU, 1gig ram –client recreated - simulates what glexec would do  ~60 req/sec, ~160ms –client reused - simulates what CREAM/WMS would do  ~240 req/sec, ~120ms –client reused, repeat request - simulates pilot jobs  ~1000 req/sec, ~37.6ms Aging tests: –Test operation over several days with several mio requests –Memory usage: stable Further tests by SA3 - see their report

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 12 Long Term Support Argus was always considered as the long term solution for authorization in gLite Support from multiple institutions –CNAF, HIP, NIKHEF, SWITCH –Organized as a “product team” Will be part of EMI proposal –Interest from ARC and UNICORE Uses proven third party software –OpenSAML, JBossCache, Jetty –Adapted concepts proven by Shibboleth (~20-30 mio users worldwide)

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 13 Current Status Complete documentation: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework Argus service: currently in certification gLexec with LCMAPS Argus plug-in: submitted to certification gridFTP integration: developed and tested CREAM: –Phase 1: re-factoring authorization mechanism: done  Reduction in number of authorization steps in CREAM –Phase 2: integration of Argus: Q4 –Planned release: January 2010 Data management: –Initial talks with DPM, dCache and StoRM  Will interface to Argus once deployment guaranteed

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 14 Next Steps (as Argus team sees it) Finish certification of Argus  Incl. LCMAPS plug-in for Argus (for gLExec on WN)  --> Ready for initial deployment Now looking for sites that are willing to –Deploy Argus for gLExec on WN use-case –Use OSCT global banning lists  6 sites expressed interest –Argus now needs first exposure to initial deployments !!! Any volunteers? Support: –Mailing list: argus-support@cern.chargus-support@cern.ch –GGUS at later stage

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 15 Further Information Wiki: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework About the service: –authZ service design document: https://edms.cern.ch/document/944192/1 –Deployment plan: https://edms.cern.ch/document/984088/1 –Testing plan: https://edms.cern.ch/document/986067/1 General EGEE grid security: –Authorization study: https://edms.cern.ch/document/887174/1 –gLite security: architecture: https://edms.cern.ch/document/935451/2 EGEE09 presentations:  http://indico.cern.ch/sessionDisplay.py?sessionId=26&slotId=0&confId=55893 http://indico.cern.ch/sessionDisplay.py?sessionId=26&slotId=0&confId=55893  http://indico.cern.ch/sessionDisplay.py?sessionId=33&slotId=0&confId=55893 http://indico.cern.ch/sessionDisplay.py?sessionId=33&slotId=0&confId=55893

16 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 16 Outline Appendix A: More detailed motivation

17 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 17 Motivation Which Problems Are We Trying to Solve? Different Services use different authorization mechanisms Some services even use internally more than one authorization framework Site administrators do not have simple debugging tools to check and understand their authorization configuration Site administrators must configure the authorization for each service at their site separately –Consequence 1: At a site, there is no single point to ban users/groups of users for the entire site –Consequence 2: many site administrators don’t know how to ban users –There should be a command line tool for banning and un- banning users at a site

18 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 18 Motivation Which Problems Are We Trying to Solve? There is no central grid-wide banning list to be used during incidents –Consequence: Urgent ban cannot be taken for granted during incidents Sites cannot publish their complete authorization policy to the outside world –Currently only assignment of FQANS (experience of DENY tags) –Note: Fixing this problem does not mean that sites MUST publish their authorization policy No monitoring on authorization decisions

19 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 19 Motivation Benefits of the Authorization Service (1/2) Main benefit within EGEE-III: –Addressing the above list of short-comings In addition: –Resistance to failure and simple means for scaling the service  Flexible deployment model  No dependency on a shared file system  High availability option –Client component is very lightweight  Small amount of code  Few dependencies (especially on WN)  Portability: support on other OS and languages easy

20 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 20 Motivation Benefits of the Authorization Service (2/2) In addition (cont.): Enables/eases various authorization tasks: –Banning of users (VO, WMS, site, or grid wide) –Composition of policies – CERN policy + experiment policy + CE policy + OCST policy + NGI policy=> Effective policy –Support for authorization based on more detailed information about the job, action, and execution environment –Support for authorization based on attributes other than FQAN –Support for multiple credential formats (not just X.509) –Support for multiple types of execution environments –Virtual machines, workspaces, … –Nagios plug-ins provided for monitoring of service

21 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 21 Outline Appendix B: Feature list of the service

22 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 22 Feature List 1.Policy examples 2.Architectural features 3.Implementation features 4.Deployment features 5.Operational features (for a site admin) Note: Prio1 = within EGEE-III Prio2 = beyond EGEE-III Label: +, -, o for advantage, skeptic, neutral Some of it are features by design, others features that are aimed at

23 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 23 Policy Examples: Banning (1/3) Banning users for a site (prio 1) –+ easy banning of users for a CE site administrator –+ banning groups of users, entire VOs, CAs, …. –o single banning point for a site (site-wide banning)  + possible  - needs integration into DM Grid-wide banning (prio 1) –+ OSCT maintains a grid-wide ban list –o sites must trust external policy VO-banning of users (prio 2) –+ VOs can ban the user without deregistering him Regional banning (prio 2) –+ regions/federations/nations can enforce banning rules

24 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 24 Policy Examples: VO policies (2/3) VO policies (prio2) –- sites may oppose remote policies that they don’t understand –+ VO have a consistent means to communicate their policies to sites authZ users to run certain applications (prio2) –+ VOMS groups/roles are very limiting and don’t consider different types of applications (only admin role) –+ who is allowed to submit pilot/payload jobs + easy integration into VO specific services (prio2) –o VO schedulers? o Decoupling FQAN-shares (prio2) –Less important now (pilot jobs) –Deferred topic - how relevant is it really today?

25 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 25 Policy Examples: DM (3/3) + use case of banning –- implementation TBD –- performance TBD –- different SE implementations (DPM, dCache, CASTOR,…) o quota –Open issue

26 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 26 Policy Examples: Other (4/4) + Better sharing of resources (prio2) –E.g.access based on time + Better separation of responsibilities across Grid stakeholders (prio2) –+ combining different policies from the different stakeholders –+ adding new policies in a scalable way + Support for complex sites –Ex: CERN site policy vs site specific VO policy vs running 20+ CEs

27 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 27 Architectural Features + Exposes policy of a site to the outside –+ Pre-requisite for a consistent authorization infrastructure across services –+ other services/users don’t have to second guess whether the job will be accepted –+ site has possibility for private policies –+ option of publishing policy or remote PDP invocation + High availability –+ extremely robust –+ every service component has HA –+ no single point of failure –+ no shared file system needed

28 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 28 Implementation Features + Thin PEP client –+ no dependencies on WN ! –+ adding other language bindings is easy –+ easy to integrate into other services + Standard compliant –+ use of a powerful authZ language (XACML) (+extendable) –+ SAML2-XACML2 profile –+ support for SAML assertions built-in from the beginning  + credentials beyond PKI, VOMS SAML asssertions o Complexities of XACML hidden  + CLI tools + Good performance  o hard to get real requirements  + aim for several hundred invocations per second + Several institutions are involved –+ long-term support

29 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 29 Deployment Features + Flexible deployment models –Service can be deployed in various modes –Default deployment model assumes installation of all components on one single host (supported by YAIM) + Gradual introduction into production infrastructure –+ no big bang –+ more services can use authZ service depending on their development cycle –+ no requirement that all sites make switch to use authZ simultaneously

30 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 30 Operational Features (for site admin) + easy to use (command line interface) + consistent logging, support for incident handling  As defined in security command line tools + easy and simple monitoring interface  Easy to find out whether all service components work and what it does (Nagios plug-ins will be delivered as part of the service)  Command line interface + easy to troubleshoot + nagios plug-ins provided for service monitoring

31 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 31 EES + Consistent handling authZ - scheduling within a CE + Consistent way to add new execution environments + Support for new execution environments –Virtual machines –Workspaces Is a BIG job –Hasn’t really been started yet

32 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 GDB 14.10.2009 32 3rd Party Code Used OpenSAML / OpenWS: –Source: Shibboleth development team –User base: Shibboleth project (~20-30mio users), Danish e-gov, OpenLiberty, ClaritySecurity (National Ass. Of Realtors) Jetty: –Source: Mortbay –User base: one of the three major open source servlet containers JBossCache: (in-memory replication) –Source: JBoss / Red Hat –User base: JBoss, Shibboleth 1.3

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Argus gLite Authorization Service Status."

Similar presentations

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.

Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks PPS All sites Meeting: Introduction & Agenda.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks PPS All sites Meeting: Introduction & Agenda.
Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Using DIANE for astrophysics applications Ladislav Hluchy, Viet Tran Institute of Informatics Slovak.

Enabling Grids for E-sciencE EGEE-III INFSO-RI Using DIANE for astrophysics applications Ladislav Hluchy, Viet Tran Institute of Informatics Slovak.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks JRA1 summary Claudio Grandi EGEE-II JRA1.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks JRA1 summary Claudio Grandi EGEE-II JRA1.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Angela Poschlad (PPS-FZK), Antonio Retico.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Angela Poschlad (PPS-FZK), Antonio Retico.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Multi-level monitoring - an overview James.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Multi-level monitoring - an overview James.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Service Availability Monitoring – Status.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Service Availability Monitoring – Status.
Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.

Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.

Similar presentations

Ads by Google