
Virtual Organization Membership Service eXtension (VOX) Ian Fisk On behalf of the VOX Project Fermilab.


1 Virtual Organization Membership Service eXtension (VOX)
Ian Fisk, on behalf of the VOX Project, Fermilab

2 09/29/2004 CHEP 2004 Authors and contributors
Richard Baker (BNL), Lothar Bauerdick (Fermilab), Eileen Berman (Fermilab), Gabriele Carcassi (BNL), Ian Fisk (Fermilab), Robert Gardner (University of Chicago), Gregory Graham (Fermilab), Leigh Grundhoefer (University of Indiana), Anne Heavey (Fermilab), Joe Kaiser (Fermilab), Tanya Levshina (Fermilab), Ruth Pordes (Fermilab), Vijay Sekhri (Fermilab), Dane Skow (Fermilab), John Weigand (Fermilab), Yujun Wu (Fermilab)

3 Presentation overview
– Introduction
– Stakeholders and collaborators
– VO Management Infrastructure at Fermilab
– VO Membership Registration Service: identifying the workflow, VO concepts, VO roles, VOMRS architecture, WEBUI screenshots
– What's next?
– Summary

4 Introduction
US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and for facilitating and monitoring their authorization to access the available grid resources. This effort has resulted in a study and understanding of the necessary workflow, and in the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.

5 Stakeholders and Collaborators
Stakeholders:
– US CMS
– Fermilab Computing Facility
– iVDGL
– SDSS
Collaborators:
– BNL: VOMRS architecture, registration process, common interfaces
– EGEE (EDG)/DataTag: VOMS core and admin software
– VDT (U of Wisconsin), Virginia Tech: ongoing communication and agreements with Globus on gatekeeper and authorization callouts

6 VO Management Infrastructure at Fermilab (I)
[Diagram: components grouped under the VOX Project, the Privilege Project and the VOMS Project: VOMS Admin and Core Services, SAZ, GUMS, VOMRS, the Fermilab Grid Cluster with its Gatekeeper & PRIMA module, and the Local Center Registration Service. Labelled interactions: register, voms-proxy-init, synchronize, proxy certificate, authorize, authenticate.]

7 VO Management Infrastructure at Fermilab (II)
VOX Project:
– VOMRS (VO Membership Registration Service) provides a registration service that allows a single point of registration with a VO; facilitates, negotiates and monitors the process of a member's authorization to grid resources; and provides centralized storage of membership information and a means to query that information.
– SAZ (Site Authorization Service) allows the security authorities of the local site to control access to the site's resources.
VOMS Project:
– EGEE (EDG) VOMS Admin service provides centralized storage of member DN, CA, groups and roles, and the means to handle this data.
– DataTag VOMS Core service issues an extended proxy upon a member's request.
Privilege Project automates and facilitates the process of managing fine-grained access to a local grid element:
– The PRIMA authorization module at the gatekeeper elicits information from the provided VOMS attributes and other sources, and queries a site-centralized grid user management server.
– The GUMS (grid user management) server provides site-consistent user and group assignment, and interfaces and extensions to the data storage systems.

8 VOMRS: Identifying the workflow
– Understand that VO registration is a multi-level process (institution, grid site, country, VO).
– Identify the necessary elements of the registration procedure and develop a model workflow.
– Identify administrative roles and responsibilities.
– Identify the various implications of our model for sites and site policies.
– Realize that the implementing technology must be flexible enough to accommodate the different levels of policies and requirements, and to anticipate ongoing changes.

9 VO Concepts
Grid, VO, Certificate (DN, CA, ...), Grid resource, Grid job, ...
– Experiment: represents research activities that are specific to a particular VO.
– Group and group roles: an experiment contains groups, and a group may have sub-groups. Group and group roles are included as attributes in a proxy certificate.
– Institution: an organization whose members participate in experiments within a particular VO.
– Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.
– Personal information: private and public data about an individual that is collected by the VO.
– Notification event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses.
– Role: defines the actions that a VO member can perform within the VO and the information that a VO member can access. A VO member can have one or more roles. The event notifications a VO member receives depend on the member's role.

10 Roles (I)
Applicant:
– An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
Member:
– An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
VO administrator:
– A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.

11 Roles (II)
Institutional VO representative:
– Vouches for the identity of an applicant.
– Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member's institution.
Grid site administrator:
– Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
– Administers the authorization of VO members to the site. The details are site-specific and depend on the regulations and policies of each particular site.
Local resource provider:
– Administers the authorization of a member to use the grid resource (this could include adding the member to the grid-mapfile, mapping the member to a local account, etc.).

12 Institution Representative Registration Flow
[Diagram: at the VO Central Node, VOMRS and the EDG VOMS Proxy Server (VOMRS synchronizes to it); two Grid Sites, each with a Site Admin and LRPS, which query the proxy server; an Applicant who registers with VOMRS and, after a chain of notify/approve steps (one notify/approve pair per approver), becomes a Member.]
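The registration flow of slides 10 to 12, as an added example that is not part of the VOX project's code: a small Python model of VOMRS in which an applicant's CA and institution are checked at registration, the selected representative must vouch before the VO administrator can approve, each step emits role-based notification events, and only approved members are handed to the synchronizer. The approved-CA set (taken from the slide-17 e-mail), the institution set, the role names and the experiment name are constructed sample values.

```python
from dataclasses import dataclass, field
# Constructed sample policy; the CA string is the one shown in the slide-17 e-mail.
APPROVED_CAS = {"/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"}
VO_INSTITUTIONS = {"Fermilab", "BNL"}
# Which roles are notified of which event (slide 9: notification depends on role).
SUBSCRIPTIONS = {"registered": ["representative"], "vouched": ["vo_admin"],
                 "approved": ["site_admin", "member"], "denied": ["member"]}

@dataclass
class Record:
    ca: str
    institution: str
    representative: str
    status: str = "applicant"      # applicant -> member | denied
    vouched: bool = False
    groups: set = field(default_factory=set)

class VOMRS:
    def __init__(self, experiment):
        self.experiment, self.records = experiment, {}
        self.notifications = []    # (role, event, dn): stand-in for the notification e-mails
    def _notify(self, event, dn):
        for role in SUBSCRIPTIONS.get(event, []):
            self.notifications.append((role, event, dn))
    def register(self, dn, ca, institution, representative):
        if ca not in APPROVED_CAS:                  # slide 10: VO-approved CA only
            raise ValueError("certificate not issued by a VO-approved CA")
        if institution not in VO_INSTITUTIONS:      # slide 10: member of a VO institution
            raise ValueError("applicant must belong to a VO institution")
        self.records[dn] = Record(ca, institution, representative)
        self._notify("registered", dn)
    def vouch(self, representative, dn):
        rec = self.records[dn]
        if rec.representative != representative:    # only the selected representative vouches
            raise PermissionError("only the selected representative may vouch")
        rec.vouched = True                          # identity vouched for (slide 11)
        self._notify("vouched", dn)
    def decide(self, dn, approve):
        rec = self.records[dn]
        if approve and not rec.vouched:             # VO admin cannot approve an unvouched applicant
            raise PermissionError("identity not yet vouched for")
        rec.status = "member" if approve else "denied"
        if approve:
            rec.groups.add(self.experiment)         # default experiment-wide group (slide 10)
        self._notify("approved" if approve else "denied", dn)
    def voms_sync(self):
        # What the Synchronizer hands to EDG VOMS Admin: members' DN, CA and groups only.
        return {dn: (r.ca, sorted(r.groups))
                for dn, r in self.records.items() if r.status == "member"}
```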

13 VOMRS Architecture
[Diagram: VOMRS Server components: Client IF, Registrar (Workflow Manager), Event Manager, Synchronizer, EDG VOMS ADMIN API, VOMRS DB; clients: Member WEB CLIENT, Web Services/Servlets, CLI; external: EDG VOMS DB, EDG Trust Manager; transport: GSI, HTTPS/SSL.]

14 VOMRS WEBUI (Home page, Group page, ...)

15 VOMRS WEBUI (registration): USCMS VO Registration

16 VOMRS WEBUI (member search)

17 VOMRS WEBUI (subscribe to event)
VO Administrator Notification Event Example:

Date: Tue, 21 Sep 2004 13:43:20 -0600
From:
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: undisclosed-recipients: ;

Dear Administrator,
We have received a request from a person with Distinguished Name /DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073 issued by Certificate Authority /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 to join VO USCMS. You can check member's personal information. You can approve or deny member's request.

18 What's Next?
– Continue collaboration with BNL, SDSS, iVDGL, the LCG User Registration Task Force, etc.
– Implement multiple new features requested by collaborators: VO membership expiration and renewal processes; e-mail verification; an interface to the organizational human resource database (LCG requirement).
– Continue support for the VOMRS instances installed at Fermilab and BNL.
– Deploy a test installation of VOMRS at CERN.

19 Summary
The VO Membership Registration Service, which allows a grid user to become a member of a Virtual Organization, has been developed. It provides a flexible mechanism to collect members' personal data as well as to manage the registration workflow. Several instances of VOMRS have been deployed at Fermilab and BNL. We greatly appreciate the discussions, support and software contributions provided by our collaborators. There are still many features that need to be implemented.
More info: E-mail:
