VO management: Progress since Chicago Workshop
Vincenzo Ciaschini
vincenzo.ciaschini@cnaf.infn.it
23/5/2002
CNAF – Bologna
Summary
● Ready
  – Web-based VO registration
● Current Work
  – Multiple VOs
  – User info protection
● Proposal
  – CAS
grid-mapfile generation
[Diagram: mkgridmap builds the grid-mapfile from three inputs: the VO Directory (an LDAP tree under o=xyz, dc=edg, dc=org with the branches ou=People, ou=tb1 and ou=Admin, holding entries such as CN=Mario Rossi, CN=Franz Elmer and CN=John Smith, which are fed by the web-based submission scripts), the local users, and the Ban list. Users authenticate with their certificate.]
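The diagram above is easier to follow with the three inputs made concrete. The following is an added example, not the mkgridmap script from the slides: it takes constructed VO-directory entries (subject DN plus the ou= branches each entry sits under), a made-up site mapping from branch to local account, and a ban list, and emits grid-mapfile lines of the form `"DN" account`. It also parses such lines back, rejecting malformed ones rather than dropping them, since a silently dropped line is a missing authorization at the CE. All DNs, account names and the branch precedence are assumptions for the example.

```python
import re

# Constructed stand-in for the VO directory (the LDAP tree in the diagram):
# each entry carries the person's certificate subject and the ou= branches
# (People, tb1, Admin) the entry is listed under.
VO_DIRECTORY = [
    {"subject": "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Mario Rossi",
     "ous": ["People", "tb1"]},
    {"subject": "/C=DE/O=GermanGrid/OU=DESY/CN=Franz Elmer",
     "ous": ["People", "tb1"]},
    {"subject": "/C=UK/O=eScience/OU=RAL/CN=John Smith",
     "ous": ["People", "tb1", "Admin"]},
    {"subject": "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Anna Verdi",
     "ous": ["People"]},  # registered, but not yet a member of tb1
]

# Site-local policy (the "local users" input): which VO branch maps to which
# local account, most specific branch first. These names are made up.
LOCAL_USERS = {"Admin": "tb1admin", "tb1": "tb1user"}
GROUP_PRECEDENCE = ["Admin", "tb1"]

# Site ban list: subjects refused regardless of what the VO directory says.
BAN_LIST = {"/C=UK/O=eScience/OU=RAL/CN=John Smith"}

# One grid-mapfile line: the subject DN in double quotes, whitespace, then the
# local account. A quote inside the DN is backslash-escaped.
GRIDMAP_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+(\S+)$')


def choose_local_user(ous, local_users=LOCAL_USERS, precedence=GROUP_PRECEDENCE):
    """Return the local account for the most specific mapped branch, or None."""
    for group in precedence:
        if group in ous and group in local_users:
            return local_users[group]
    return None


def gridmap_line(subject, local_user):
    """Format one grid-mapfile entry, escaping any quote inside the DN."""
    return '"%s" %s' % (subject.replace('"', '\\"'), local_user)


def generate_gridmap(entries=VO_DIRECTORY, ban_list=BAN_LIST):
    """Build the grid-mapfile lines. Also return the subjects that were left
    out and why, so the VO manager can audit the result."""
    lines, skipped = [], []
    for entry in entries:
        subject = entry["subject"]
        if subject in ban_list:
            skipped.append((subject, "banned"))
            continue
        user = choose_local_user(entry["ous"])
        if user is None:
            skipped.append((subject, "no mapped group"))
            continue
        lines.append(gridmap_line(subject, user))
    return lines, skipped


def parse_gridmap(text):
    """Parse grid-mapfile text back into {subject DN: local account}.
    Malformed lines raise instead of being silently ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = GRIDMAP_LINE.match(line)
        if match is None:
            raise ValueError("malformed grid-mapfile line: %r" % raw)
        mapping[match.group(1).replace('\\"', '"')] = match.group(2)
    return mapping


if __name__ == "__main__":
    lines, skipped = generate_gridmap()
    print("\n".join(lines))
    for subject, why in skipped:
        print("# skipped %s: %s" % (subject, why))
```

The ban list is applied before the branch mapping, so a banned subject never reaches the file even if the VO directory lists it under Admin; the skipped list is what a VO manager would want to see next to the generated file.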
Web-based VO registration (1)
● Secure web form to submit subscription requests (https://grid-vo.cnaf.infn.it/subscribe.php)
  – Users identified by their X.509 certificate (mandatory)
    ● Certificate information used transparently for the request (e.g. DN)
    ● Other information taken from user input (e.g. phone number)
● Check of existence in the LDAP tree (to be implemented)
● Confirmation by VO managers
  – Mail alert sent to managers
  – Secure web form to update the LDAP tree (only the insert procedure implemented up to now)
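The security-relevant point of the slide is that the identity in a request comes from the client certificate the web server verified, never from the form. The following is an added example, not the subscribe.php from the slides: it models one request the way the slide describes, taking the subject and issuer DN from the variables Apache mod_ssl exports to a page behind `SSLVerifyClient require` (`SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN`, `SSL_CLIENT_I_DN`), checking the LDAP tree (replaced here by an in-memory set) for an existing entry, producing the manager alert, and performing the manager-side insert. The accepted issuer DN, the registered subjects and the sample environments are constructed for the example.

```python
# Assumption: only the INFN CA is accepted, as the next slide's limitation says.
# This issuer DN is a made-up placeholder, not the CA's real subject.
ACCEPTED_ISSUERS = {"/C=IT/O=INFN/CN=INFN CA (example)"}

# Constructed stand-in for the ou=People branch of the VO LDAP tree.
LDAP_PEOPLE = {"/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Mario Rossi"}

# Form fields the user fills in. The DN is deliberately not one of them.
USER_FIELDS = ("phone", "institute")
MAX_FIELD_LEN = 200

# Constructed mod_ssl environments, as Apache exports them to a CGI/PHP page:
# verify status, subject DN, issuer DN.
ENV_OK = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Anna Verdi",
    "SSL_CLIENT_I_DN": "/C=IT/O=INFN/CN=INFN CA (example)",
}
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}
ENV_FOREIGN_CA = dict(ENV_OK, SSL_CLIENT_S_DN="/C=UK/O=eScience/OU=RAL/CN=John Smith",
                      SSL_CLIENT_I_DN="/C=UK/O=eScience/CN=CA (example)")
ENV_KNOWN = dict(ENV_OK, SSL_CLIENT_S_DN="/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Mario Rossi")


class RequestError(Exception):
    """A request that must be refused before it reaches the managers."""


def subject_from_cert(env):
    """Identity comes from the TLS layer, never from the form: the server must
    report a verified chain, the issuer must be accepted, and the subject must
    look like a single-line DN."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise RequestError("client certificate missing or not verified")
    issuer = env.get("SSL_CLIENT_I_DN")
    if issuer not in ACCEPTED_ISSUERS:
        raise RequestError("certificate issuer not accepted: %r" % issuer)
    subject = env.get("SSL_CLIENT_S_DN", "")
    if not subject.startswith("/") or "\n" in subject or "\r" in subject:
        raise RequestError("unexpected subject DN format")
    return subject


def build_request(env, form, people=LDAP_PEOPLE):
    """Turn a form submission into a pending subscription request, or raise.
    The existence check is the one the slide marks 'to be implemented'."""
    subject = subject_from_cert(env)
    if subject in people:
        raise RequestError("already registered: %s" % subject)
    request = {"subject": subject, "issuer": env["SSL_CLIENT_I_DN"], "status": "pending"}
    for field in USER_FIELDS:
        value = form.get(field, "").strip()
        if not value or len(value) > MAX_FIELD_LEN or "\n" in value or "\r" in value:
            raise RequestError("missing or invalid value for %s" % field)
        request[field] = value
    return request


def manager_alert(request, vo="tb1"):
    """Text of the mail alert to the VO managers. Only the certificate-derived
    subject is presented as identity; user-typed fields are labelled as such."""
    body = ["Subscription request for VO %s" % vo,
            "Subject (from certificate): %s" % request["subject"],
            "Issuer: %s" % request["issuer"]]
    for field in USER_FIELDS:
        body.append("%s (user supplied): %s" % (field, request[field]))
    return "\n".join(body)


def confirm_request(request, people):
    """The manager-side insert: add the subject to the People branch.
    Refuses anything that is not still pending."""
    if request["status"] != "pending":
        raise RequestError("request is not pending")
    people.add(request["subject"])
    request["status"] = "confirmed"
    return request["subject"]


def submit(env, form, people=LDAP_PEOPLE):
    """Convenience wrapper: (True, request) or (False, reason)."""
    try:
        return True, build_request(env, form, people)
    except RequestError as err:
        return False, str(err)
```

Extending the "only INFN CA" limitation to other CAs is, as the next slide says, a matter of adding issuer DNs to the accepted set; the subject check is the part that may need adjusting for differently shaped DNs.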
Web-based VO registration (2)
● Limitations
  – Only INFN CA certificates accepted, but trivially extensible
    ● Some small modifications may be needed to take into account different certificate formats
● Future developments
  – Web interface for VO management (June 2002)
  – Web interface for users to modify pending requests, view status, etc. (???)
Multiple VOs 1/2
● Users can specify the VO with which they submit jobs:
  – grid-proxy-init -vo <VO name>, for hand-generated proxies, or
  – export VO=<VO name>, for programs that call grid-proxy-init automatically
  – grid-proxy-init -novo to ignore the VO variable.
Multiple VOs 2/2
● Compatibility:
  – A patched version of libglobus_ssl_utils must be installed on every farm that wants to accept the new proxies, and on the RB and possibly the II.
  – Old proxies are accepted by the new system; the reverse doesn't hold.
User info protection
● The CE no longer publishes the whole grid-mapfile, but only the accepted VOs.
● CEs must authenticate to the VO LDAP servers using TLS.
● As a consequence, the RB can no longer be sure that the CE it selects for a job actually authorizes the user the job belongs to.
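The two "Multiple VOs" slides and this one describe one pipeline: the user picks a VO, the proxy carries it, the RB matches it against what CEs publish, and the CE makes the final decision with information the RB cannot see. The following is an added example, not grid-proxy-init, the RB or any EDG code: it applies the -vo / $VO / -novo precedence, models a proxy as a dict with an extension (the extension name is a placeholder, since the slides do not name the real one), models the patched and unpatched library (the assumption here is that the unpatched one rejects a proxy carrying an extension it does not understand, which gives the one-way compatibility on the slide), and then shows the RB's VO-only view against the CE's own check with its private ban list. CE names, VO lists and ban lists are constructed.

```python
# Assumption: placeholder name for the proxy extension that carries the VO;
# the real extension used by the patched libglobus_ssl_utils is not on the slides.
VO_EXTENSION = "edg-vo (example)"


def resolve_vo(argv, environ):
    """Apply the slide's rules: -novo ignores everything, -vo NAME wins over
    the VO environment variable, and an empty or missing $VO means no VO."""
    args = list(argv)
    if "-novo" in args:
        return None
    if "-vo" in args:
        i = args.index("-vo")
        if i + 1 >= len(args) or args[i + 1].startswith("-"):
            raise ValueError("-vo requires a VO name")
        return args[i + 1]
    vo = environ.get("VO", "").strip()
    return vo or None


def make_proxy(subject, vo):
    """A proxy as a plain dict: old style if vo is None, VO-aware otherwise."""
    extensions = {VO_EXTENSION: vo} if vo else {}
    return {"subject": subject, "extensions": extensions}


def accept_proxy_patched(proxy):
    """Patched library: (accepted, vo). A proxy without the extension is the
    old style and is still accepted, just with no VO information."""
    return True, proxy["extensions"].get(VO_EXTENSION)


def accept_proxy_unpatched(proxy):
    """Unpatched library. Assumption for the example: it rejects a proxy that
    carries an extension it does not understand."""
    if proxy["extensions"]:
        return False, None
    return True, None


# Constructed CEs as the RB now sees them: only the published list of accepted
# VOs. The ban list and library state are private to the site.
CES = {
    "ce1.cnaf.infn.it": {"vos": {"tb1", "cms"}, "patched": True,
                         "ban": {"/C=UK/O=eScience/OU=RAL/CN=John Smith"}},
    "ce2.example.org": {"vos": {"tb1"}, "patched": False, "ban": set()},
    "ce3.example.org": {"vos": {"atlas"}, "patched": True, "ban": set()},
}


def rb_candidates(proxy, ces=CES):
    """What the RB can decide from published data alone: the CEs whose
    accepted-VO list contains the proxy's VO. No VO means nothing to match."""
    _, vo = accept_proxy_patched(proxy)
    if vo is None:
        return []
    return sorted(name for name, ce in ces.items() if vo in ce["vos"])


def ce_authorize(name, proxy, ces=CES):
    """The site's own decision when the job arrives: library compatibility,
    VO membership, then the local ban list. Returns (accepted, reason)."""
    ce = ces[name]
    check = accept_proxy_patched if ce["patched"] else accept_proxy_unpatched
    ok, vo = check(proxy)
    if not ok:
        return False, "proxy format not understood by this site"
    if vo not in ce["vos"]:
        return False, "VO not accepted here"
    if proxy["subject"] in ce["ban"]:
        return False, "subject banned at this site"
    return True, "ok"


def schedule(proxy, ces=CES):
    """RB selection followed by each selected CE's answer, so the gap between
    the two views is visible."""
    return [(name, ce_authorize(name, proxy, ces)) for name in rb_candidates(proxy, ces)]
```

A job from a subject on ce1's ban list is still a valid RB match for ce1, and a VO-aware proxy is a valid match for ce2 even though its unpatched library will refuse it: both rejections happen only after the RB has already made its choice, which is the consequence the slide states.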
CAS 1/4
● Considerations:
  – Users may need to access more than one CAS server at the same time.
  – ACLs should stay with the resource, not with the roles.
  – CAS should contain only (user, group, role, acl) information.
  – CAS certificates should identify the user holding them
    ● Needed by local sites (to ban specific users)
    ● Mapping to unix UID/GID
  – Proof of user consent is needed.
CAS 2/4
● Proposal:
  – The user submits a request to CAS
  – CAS returns a quintuple (signed):
    ● User ID
    ● CAS ID
    ● (group, role, acl)*
    ● Timestamp
  – Repeat the above steps for each CAS
CAS 3/4
● Proposal (continued):
  – The user generates the proxy, putting the CAS info into extensions.
  – An appropriately written LCAS plugin extracts and verifies the information from the extensions.
● Advantages
  – Compatibility with the current system
  – Easily integrates info from two or more CAS servers
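The three CAS slides above (considerations, the signed quintuple, the proxy extension and LCAS plugin) describe one exchange, and the checks the plugin must make are where the proposal's considerations become concrete. The following is an added example, not CAS, VOMS or LCAS code: a CAS side that signs (user ID, CAS ID, (group, role, acl)*, timestamp), a user side that puts one or more such replies in a proxy extension, and a plugin side that checks the site ban list on the certificate subject first, then each assertion's signature, holder and freshness, merges the grants from several CAS servers, and maps (group, role) to a local uid/gid. Signatures are HMAC with a per-CAS key shared with the site, a stand-in for the public-key signature a real CAS would produce; CAS names, keys, validity window and uid/gid numbers are constructed.

```python
import hashlib
import hmac
import json

# Per-CAS keys shared with the site. Stand-in for the CAS signing key pair:
# a real CAS would sign with its private key and the plugin would verify
# with the CAS certificate. Names and keys are constructed.
CAS_KEYS = {
    "cas.cnaf.infn.it": b"constructed-cnaf-key",
    "cas.cern.ch": b"constructed-cern-key",
}
MAX_AGE_SECONDS = 3600    # assumption: how long an assertion stays valid
CLOCK_SKEW_SECONDS = 60   # assumption: tolerated clock difference


def canonical(payload):
    """Deterministic encoding of the quintuple so signer and verifier
    hash exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def cas_issue(cas_id, user_dn, grants, now, keys=CAS_KEYS):
    """The CAS side: the signed (user, CAS, (group, role, acl)*, timestamp)."""
    payload = {
        "user": user_dn,
        "cas": cas_id,
        "grants": [list(g) for g in grants],
        "timestamp": int(now),
    }
    sig = hmac.new(keys[cas_id], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def make_proxy(subject, assertions):
    """The user side: a proxy (plain dict here) with the CAS replies in an extension."""
    return {"subject": subject, "extensions": {"cas": list(assertions)}}


def lcas_verify(proxy, now, ban_list, keys=CAS_KEYS, max_age=MAX_AGE_SECONDS):
    """The LCAS-plugin side. Returns (accepted, grants, reasons).
    The ban list is applied to the certificate subject first, so no CAS
    assertion can rescue a banned user. Each assertion must then come from a
    known CAS, carry a valid signature, name this proxy's subject, and be
    fresh. Bad assertions are dropped; the grants of good ones are merged."""
    reasons = []
    if proxy["subject"] in ban_list:
        return False, [], ["subject banned at this site"]
    grants = []
    for assertion in proxy["extensions"].get("cas", []):
        payload = assertion.get("payload", {})
        cas_id = payload.get("cas")
        key = keys.get(cas_id)
        if key is None:
            reasons.append("unknown CAS %r" % cas_id)
            continue
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(assertion.get("sig", ""))):
            reasons.append("bad signature from %s" % cas_id)
            continue
        if payload.get("user") != proxy["subject"]:
            reasons.append("assertion from %s is for another user" % cas_id)
            continue
        ts = payload.get("timestamp", 0)
        if not (now - max_age <= ts <= now + CLOCK_SKEW_SECONDS):
            reasons.append("stale or future-dated assertion from %s" % cas_id)
            continue
        for group, role, acl in payload["grants"]:
            grants.append((cas_id, group, role, acl))
    if not grants:
        return False, [], reasons or ["no CAS assertion in proxy"]
    return True, grants, reasons


# Site mapping from (group, role) to a local uid/gid; constructed numbers.
UNIX_MAP = {("tb1", "admin"): (1001, 500), ("tb1", "member"): (1002, 500)}


def map_to_unix(grants, table=UNIX_MAP):
    """Pick the local uid/gid for the first grant the site has a mapping for.
    Returns None if nothing matches, so the caller must refuse the job."""
    for _cas, group, role, _acl in grants:
        if (group, role) in table:
            return table[(group, role)]
    return None
```

The holder check (assertion user equals the proxy subject) is what makes the certificate identify the user holding the CAS information, which is the property the first CAS slide asks for; without it an assertion copied from one user's proxy would authorize another.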
CAS 4/4
● At the moment under investigation, for both requirements and algorithms
● Better name? (VOMS -- VO Membership System?)
● Inputs?