1. VOX Project Tanya Levshina

2. 05/17/2004 VOX Project2 Presentation overview Introduction VOX Project VOMRS Concepts Roles Registration flow EDG VOMS Open Issues VOMRS Status Web Gui Examples

3. 05/17/2004 VOX Project3 Introduction VOX Goals: –to understand and model the registration workflow –to provide VO registration mechanism –to negotiate and monitor member authorization to grid resources End Goal: To facilitate the remote participation of physicists in effective and timely analysis of data from the LHC experiments during DC04.

4. 05/17/2004 VOX Project4 Grid Cluster VOMS EDG (USCMS) SAZ LRAS VOMRS (USCMS) Fermilab Gatekeeper & callouts Local Center Registration Service VOMS EDG (ATLAS) VOMRS (ATLAS) BNL VOMS EDG (SDSS) VOMRS (SDSS) Grid Cluster Gatekeeper & callouts GUMS Local Center Registration Service VO Members

5. 05/17/2004 VOX Project5 VOMRS: Identifying the workflow Understand that VO registration is a multi-level process (institution, grid site, country, VO). Identify necessary elements of the registration procedure and develop a model workflow. Identify administrative roles and responsibilities. Identify various implications of our model on sites and site policies. Realize that the implementing technology must be flexible to accommodate the different levels of policies and requirements and to anticipate ongoing changes.

6. 05/17/2004 VOX Project6 VOMRS Concepts (I) Grid, VO, Certificate (DN,CA,..), Grid resource, Grid job … Experiment: represents research activities that are specific to a particular VO. Group: an experiment contains groups. Group may have sub-groups. Institution: is an organization whose members participate in experiments within a particular VO. Grid site: is an institution that provides grid resources. Each site has policies that require specific personal information. Grid job submission rights: distinguishes between members who can submit grid jobs and those who can only perform administrative tasks.

7. 05/17/2004 VOX Project7 VOMRS Concepts (2) Personal information: private and public data about an individual that is collected by the VO. Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses if any. Role: defines actions that a VO Member can perform within the VO.A VO member can have one or more roles.

8. 05/17/2004 VOX Project8 Roles (I) Visitor: –A person who posses a valid certificate from the Certificate Authority approved by VO. Applicant: –An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved. Member: –An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment wide group. VO administrator: –A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.

9. 05/17/2004 VOX Project9 Roles (II) Institutional VO representative: –Vouches for the identity of an applicant. –Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution. Grid site administrator: –Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site –Administers authorization of VO member to the site. The details are site specific and depends on regulations and policies of each particular site. Local resource provider: –Administers authorization a member to use the grid resource (this could include addition of this member to the gridmapfile, mapping member to local account, etc)

10. 05/17/2004 VOX Project10 Roles (III) Group owner: –Creates groups and subgroups within the experiment. – Assigns/revokes group manager/owner role to a member of the VO. –A Group owner is a Group manager as well. –A Group owner owns the group if he owns any of ancestor group. Group managers: –Assigns/removes members to/from the group he manages

11. 05/17/2004 VOX Project11 Institution Representative Registration Flow Grid Site Site Admin LRPS Site Admin LRPS Grid Site VOMRS EDG VOMS Proxy Server VO Central Node synchronize Applicant register notify approve Member query notify approve notify approve notify approve notify approve

12. 05/17/2004 VOX Project12 Association with EDG VOMS EDG VOMS is used currently as a significant part of VOX project: –Extended Proxy generation –Gridmapfile generation for local grid resource –Query to get members, groups, roles by authorization services on local grid clusters VOMS & VOMRS have some overlap in functionalities and stored data, but –VOMRS is a registration service that is accessed infrequently by people (not hosts) –VOMS is a service that provides member with extended proxy and should sustain heavy load. It allows access by registered hosts. –VOMRS keeps a lot of information about members and VO entities (institutions, sites, etc). Member information is persistent. –VOMS keeps minimum information related to member (dn,ca, group, role). Member has to be deleted in order to deny him access to the Grid. VOMRS Synchronizer is responsible for updating VOMS database

13. 05/17/2004 VOX Project13 Open Issues More complicated logic needs to be implemented to handle deletion of Institution, Certificate Authorities Membership suspension mechanism should be more sophisticated (reason for suspension should be provided and stored for auditing) Membership expiration mechanism should be defined and implemented Suspension of a specific DN & CA that has been compromised Responsibilities of Sites are not really finalized –Should VO have up to date list of banned users per each site –Should it be mandatory to notify VO about approved/denied member’s authorization status during the registration process with a site Database issues: –Transition to ORACLE –Replication –Report Generation

14. 05/17/2004 VOX Project14 VOMRS Status Version 1.0.3 has been released. It consists of: –Server that is handling event notifications and synchronization with VOMS –WEB UI and Web Services that provide means for member registration, role and group assignments, and various administrative tasks –VOMRS database, scripts to facilitate its initial creation and population –Scripts to start/stop server and client –Configuration files that control behavior of the server, WEB UI and database setting –Documentation RPMs & pacman cache (for server and client) are available on: http://www.uscms.org/s&c/VO/downloads.html User Documentation is available on: http://computing.fnal.gov/docs/products/vomrs Test installation is running on (valid certificate is required to login): https://cmssrv08.fnal.gov:8443/vo-TEST/vomrs Bugs report: http://cmssrv08.fnal.gov:3080/bugzilla More info: http://www.uscms.org/s&c/VO E-mail: vo-project@fnal.gov

15. 05/17/2004 VOX Project15 WEB UI (welcome page) Fill in and submit the Registration form to apply for membership in the USCMS VO. You will need to enter the Required Personal Info (see link under menu). Popup help Displayed menu items depends on your role within the VO The following VOMRS entities are controlled by configuration: a.VO Name b.Usage Rules c.Database configuration d.Host location e.Location of VOMS service and synchronization level

16. 05/17/2004 VOX Project16 WEB UI (registration) Required personal information is dynamically configured by a VO Administrator and can be specific to a particular VO.

17. 05/17/2004 VOX Project17 WEB UI (administration) VO Administrator’s menu Search Criteria Output control Sortable search results

18. 05/17/2004 VOX Project18 WEB UI (notification subscription) Member related events VO Admministrator related events