Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.

Published byNaomi Young Modified over 8 years ago

Similar presentations

Presentation on theme: "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January."— Presentation transcript:

1 INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January 2006

2 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 2 Overview Introduction to VOMS – Features – Groups & Roles – Advanced Usage Introduction to MyProxy – Features – Use Interaction of VOMS with MyProxy – Problems – Solution – Restrictions

3 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 3 Introduction to VOMS Virtual Organization Membership Service (VOMS) – Account Database  Serving information in a special format (VOMS credentials)  Can be administered via command line & via web interface – Provides information on the user’s relationship with his/her Virtual Organization (VO)  VO Membership  Group membership  Roles of user

4 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 4 Introduction to VOMS VOMS Features – Single login using (proxy-init) only at the beginning of a session  VOMS extensions are attached to user proxy – Expiration time  The authorization information is only valid for a limited period of time as the proxy certificate itself –Multiple VO  User may log-in into multiple VOs and create an aggregate proxy certificate, which enables him/her to access resources in any one of them – Support for Group and Roles  Group membership is automatically inserted when requesting voms proxy  Role has to be requested explicitly – Backward compatibility  The extra VO related information is in the user’s proxy certificate  User’s proxy certificate can be still used with non VOMS-aware service – Security  All client-server communications are secured and authenticated

5 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 5 VOMS architecture VOMS DB voms-proxy-init Web browser Java mgmt client mkgridmap and LDAP sync VOMS core server VOMS admin server VOMS web interfac e VOMS mgmt API gridmap Support VOMS protocol over GSI HTTPS SOAP over HTTPS HTTPS MySQL API JDBC R-GMA servicetool

6 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 6 VOMS Web interface VO user can – Query membership details – Register himself in the VO You will need a valid certificate – Track his requests VO manager can – Handle request from users – Administer the VO

7 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 7 Groups The number of users of a VO can be very high: – E.g. the experiment ATLAS has 2000 member Make VO manageable by organizing users in groups: Examples: – VO GILDA  Group Catania INFN oGroup Barbera University  Group Padua – VO GILDA  /GILDA/TUTORS can write to normal storage  /GILDA/STUDENT only write to volatile space Groups can have a hierarchical structure, undefinitely deep

8 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 8 Roles Roles are specific roles a user has and that distinguishes him from others in his group: –Software manager –VO-Administrator Difference between roles and groups: –Roles have no hierarchical structure – there is no sub-role –Roles are not used in ‘normal operation’  They are not added to the proxy by default when running voms-proxy-init  But they can be added to the proxy for special purposes when running voms-proxy-init Example: –User Emidio has the following membership  VO=gilda, Group=tutors, Role=SoftwareManager –During normal operation the role is not taken into account, e.g. Emidio can work as a normal user –For special things he can obtain the role “Software Manager”

9 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 9 Requesting group/role membership Any group membership is automatically added when performing voms-proxy-init Default group is /, if not differently specified it’s the 1st group inserted in attributes. User can specify a different order for groups Role membership has to be requested explicitly voms-proxy-init –voms gilda:/gilda/tutors voms-proxy-init -voms gilda:/Role=Vo-Admin voms-proxy-init –voms gilda

10 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 10 voms extensions in proxy [ui-test] /home/giorgio > voms-proxy-info -all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it type : proxy strength : 512 bits path : /tmp/x509up_u500 timeleft : 11:58:44 === VO gilda extension information === VO : gilda subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it issuer : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it attribute : /gilda/Role=NULL/Capability=NULL attribute : /gilda/tutors/Role=NULL/Capability=NULL timeleft : 11:59:52 Voms extensions Standard globus attributes

11 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 11 Groups / Role mapping on resources gLite services offers native support to Group / Role Grouping can also be performed acting on gridmap file configuration.gilda is the prefix of (local) set of pool users where normally memberes of VO gilda are mapped to gildasgm is a (local) privileged user, for example it could have the rights to install software under a dedicated directory group vomss://voms.ct.infn.it:8443 /voms/gilda?/gilda.gilda group vomss://voms.ct.infn.it:8443 /voms/gilda?/gilda/\ Role=SoftwareManager gildasgm On glite-mkgridmap.conf

12 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 12 Long term proxy Proxy has limited lifetime (default is 12 h) –Bad idea to have longer proxy However, a grid task might need to use a proxy for a much longer time –Grid jobs in HEP Data Challenges on LCG last up to 2 days myproxy server: –Allows to create and store a long term proxy certificate: –myproxy-init -s  -s: specifies the hostname of the myproxy server –myproxy-info  Get information about stored long living proxy –myproxy-get-delegation  Get a new proxy from the MyProxy server –myproxy-destroy –Chech out the myproxy-xxx - - help option A dedicated service on the RB can renew automatically the proxy File transfer services in gLite validates user request and eventually renew proxies –contacting myproxy server

13 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 13 Grid authentication with MyProxy UI Local WS MyProxy Server Grid portal (UI) myproxy-init any grid service myproxy-get-delegation output the Grid execution WEB Browser

14 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 14 VOMS and MyProxy Problem : MyProxy support natively just plain proxies, without voms extension User can just store plain proxies on MyProxy servers For WMS issues it’s faced by ProxyRenewal For remote authentication purposes there are two approachs 1.Retrieve from server a proxy-delegation, using it to sign the request for a voms-proxy 2.Store on the server proxies with voms extension With 1., length of certificates chain on proxy is very long (5 cert nested !), and will likely produce authentication errors

15 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 15 Storing long lived voms proxies To allow storing of voms ext., myproxy client has been modified, The faculty of choosing the VO and group/roles has been added, while the previous options have all been kept Proxies then retrieved with myproxy-get-delegation will have the requested voms extension but… There’s a limitation, due to voms extensions lifetime: tipically it’s limited, and it’s not renewed when performing myproxy-get-delegation Studying solutions to extend voms extension renew in get-delegation The “modified” client is available on all of GILDA UI’s Will be largely deployed when the above issues will be solved myproxy-init --voms gilda:/Role=VO-Admin

16 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 16 voms extension on a delegated proxy [ui-test] /home/giorgio > myproxy-get-delegation -s grid001.ct.infn.it Enter MyProxy pass phrase: A proxy has been received for user giorgio in /tmp/x509up_u500 [ui-test] /home/giorgio > voms-proxy-info -all subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy/CN=prox y issuer : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy identity : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it/CN=proxy/CN=proxy type : unknown strength : 512 bits path : /tmp/x509up_u500 timeleft : 12:00:09 === VO gilda extension information === VO : gilda subject : /C=IT/O=GILDA/OU=Personal Certificate/L=INFN/CN=Emidio Giorgio/Email=emidio.giorgio@ct.infn.it issuer : /C=IT/O=GILDA/OU=Host/L=INFN Catania/CN=voms.ct.infn.it/Email=emidio.giorgio@ct.infn.it attribute : /gilda/Role=NULL/Capability=NULL attribute : /gilda/tutors/Role=NULL/Capability=NULL timeleft : 0:00:00 Voms extension expired…

17 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 17 References VOMS suite : user and installation guide –http://infnforge.cnaf.infn.it/voms/software.pdfhttp://infnforge.cnaf.infn.it/voms/software.pdf MyProxy user’s guide –http://grid.ncsa.uiuc.edu/myproxy/credmgmt.htmlhttp://grid.ncsa.uiuc.edu/myproxy/credmgmt.html VOMS with MyProxy, how to –http://egee-na4.ct.infn.it/genapps/wiki/index.php/VomsMyProxy

18 Enabling Grids for E-sciencE INFSO-RI-508833 Catania, NA4 Generic Applications Meeting, January 10th, 2006 18 Questions…

Download ppt "INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January."

Similar presentations

MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Tutorial Getting started with GILDA.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Tutorial Getting started with GILDA.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Security on Grid: Emidio Giorgio INFN –
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, 27-29 April 2006 Authorization.

INFSO-RI Enabling Grids for E-sciencE Claudio Cherubino, INFN Catania Grid Tutorial for users Merida, April 2006 Authorization.
GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.

GLite authentication and authorization Discipline: Grid Computing, 07/08-2 Practical classes Inês Dutra, DCC/FCUP.
Enabling Grids for E-sciencE www.eu-egee.org Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.

Enabling Grids for E-sciencE Security on gLite middleware Matthieu Reichstadt CNRS/IN2P3 ACGRID School, Hanoi (Vietnam) November 5th, 2007.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,

INFSO-RI Enabling Grids for E-sciencE Practicals on VOMS and MyProxy Emidio Giorgio INFN Retreat between GILDA and ESR VO, Bratislava,
Riccardo Bruno INFN.CT Sevilla, 10-14 Sep 2007 The GENIUS Grid portal.

Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Luciano Díaz ICN-UNAM Based on Domenico.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org The GENIUS Grid portal Tony Calanducci INFN Catania - Italy First Latin American Workshop.

INFSO-RI Enabling Grids for E-sciencE The GENIUS Grid portal Tony Calanducci INFN Catania - Italy First Latin American Workshop.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Security in gLite Gergely Sipos and Peter Kacsuk MTA SZTAKI Grid Computing School.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
Www.eu-eela.org E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.

E-science grid facility for Europe and Latin America E2GRIS1 Raúl Priego Martínez – CETA-CIEMAT (Spain)‏ Itacuruça (Brazil), 2-15 November.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America MyProxy server installation Emidio Giorgio.
Www.eu-eela.org E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.

E-infrastructure shared between Europe and Latin America Security Hands-on Christian Grunfeld, UNLP 8th EELA Tutorial, La Plata, 11/12-12/12,2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.

INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
Www.eu-eela.org E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA-026409 Hands-on on security Pedro Rausch IF - UFRJ.

E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA Hands-on on security Pedro Rausch IF - UFRJ.

Similar presentations

Ads by Google