VO Membership Registration Workflow, Policies and VOMRS software (VOX Project)
Tanya Levshina, Fermilab
Presentation overview
• Introduction
• Stakeholders, team and collaborators
• VOX components
• VO Membership Registration Service
• Identifying the workflow
• VO Concepts
• Roles
• VOMRS Architecture
• Association with EDG VOMS
• WEBUI Screenshots
• What’s next?
• Summary
User Registration/VO management/AuthZ workshop at CERN
Introduction
US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and for facilitating and monitoring their authorization to access the available grid resources. This effort has resulted in a study and understanding of the necessary workflow, and the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.
Stakeholders, Team and Collaborators
• Stakeholders:
  • US CMS (L. Bauerdick)
  • Fermilab Computing Facility (D. Skow)
  • iVDGL (R. Gardner)
  • SDSS (J. Annis)
• Team:
  • T. Levshina – Fermilab
  • L. Grundhoefer – iVDGL
  • A. Heavey (technical writer) – Fermilab
  • V. Sekhri – SDSS/iVDGL, Fermilab
  • J. Weigand – Fermilab
  • Y. Wu – Fermilab
• Collaborators:
  • BNL (R. Baker, D. Yu) – VOMRS architecture, registration process, common interfaces
  • EDG/Data Tag (V. Ciaschini, A. Frohner) – VOMS core and admin software
  • VDT (U of Wisconsin), Virginia Tech (Markus Lorch) – ongoing communication and agreements with Globus on gatekeeper and authorization callouts
VOX Project
VOX Goals:
• to understand and model the registration workflow
• to provide a VO registration mechanism
• to negotiate and monitor member authorization to grid resources
• End Goal: to facilitate the remote participation of physicists in effective and timely analysis of data from the LHC experiments during DC04.
[Diagram: VOX Project. Components: Local Center Registration Service, VOMRS, EDG VOMS, Fermilab GridCluster, LRAS, Gatekeeper & callouts, SAZ.]
VOX Components
• VOMRS (VO Membership Registration Service) provides a registration service that
  • allows a single point of registration with a VO
  • facilitates, negotiates and monitors the process of a member’s authorization to grid resources
  • provides centralized storage of membership information and a means to query that information
• LRAS (Local Resource Authorization Service) automates and facilitates the process of managing fine-grained access to a local grid element
  • stores a subset of VO membership information and maps a VO member to a local account
• Gatekeeper authorization callouts (in agreement with the standard adopted by Globus, EDG, FNAL, and Virginia Tech)
• SAZ (Site Authorization Service) allows the security authorities of the local site to control access to the site’s resources
• VOMS EDG Admin service provides centralized storage of member DN, CA, groups and roles, and a means to handle this data. VOMS EDG Core service hands out an extended proxy upon a member’s request.
VOMRS: Identifying the workflow
• Understand that VO registration is a multi-level process (institution, grid site, country, VO).
• Identify necessary elements of the registration procedure and develop a model workflow.
• Identify administrative roles and responsibilities.
• Identify various implications of our model on sites and site policies.
• Realize that the implementing technology must be flexible to accommodate the different levels of policies and requirements and to anticipate ongoing changes.
VO Concepts (I)
• Grid, VO, Certificate (DN, CA, ...), Grid resource, Grid job ...
• Experiment: represents research activities that are specific to a particular VO.
• Group: an experiment contains groups. A group may have sub-groups.
• Institution: an organization whose members participate in experiments within a particular VO.
• Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.
• Grid job submission rights: distinguishes between members who can submit grid jobs and those who can only perform administrative tasks.
VO Concepts (II)
• Personal information: private and public data about an individual that is collected by the VO.
• Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses.
• Role: defines the actions that a VO member can perform within the VO. A VO member can have one or more roles.
Roles (I)
• Applicant:
  • An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
• Member:
  • An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
• VO administrator:
  • A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.
Roles (II)
• Institutional VO representative:
  • Vouches for the identity of an applicant.
  • Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.
• Grid site administrator:
  • Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
  • Administers authorization of VO members to the site. The details are site specific and depend on the regulations and policies of each particular site.
• Local resource provider:
  • Administers authorization of a member to use the grid resource (this could include adding the member to the gridmapfile, mapping the member to a local account, etc.)
Roles (III)
• Group owner:
  • Creates groups and subgroups within the experiment.
  • Assigns/revokes the group manager/owner role to/from a member of the VO.
  • A Group owner is a Group manager as well.
  • A Group owner owns a group if he owns any of its ancestor groups.
• Group manager:
  • Assigns/removes members to/from the group he manages.
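The Group owner / Group manager rules on the Roles slides, as an added example (not VOMRS code): ownership is inherited down the group tree, an owner is implicitly a manager, and only owners may grant the manager role. The class, function names and the sample group tree are constructed assumptions.

```python
# Added example modelling the VOMRS Group owner / Group manager rules.
# Data shapes, names and the sample VO below are constructed, not VOMRS's own.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    parent: "Group | None" = None
    owners: set = field(default_factory=set)    # holders of the Group owner role
    managers: set = field(default_factory=set)  # holders of the Group manager role
    members: set = field(default_factory=set)

    def ancestors(self):
        g = self.parent
        while g is not None:
            yield g
            g = g.parent


def owns(member: str, group: Group) -> bool:
    """A Group owner owns a group if he owns it or any of its ancestor groups."""
    return member in group.owners or any(member in a.owners for a in group.ancestors())


def manages(member: str, group: Group) -> bool:
    """A Group owner is a Group manager as well; managers are explicit per group."""
    return owns(member, group) or member in group.managers


def assign_member(actor: str, member: str, group: Group) -> None:
    """Only a manager (or owner) of the group may add members to it."""
    if not manages(actor, group):
        raise PermissionError(f"{actor} does not manage {group.name}")
    group.members.add(member)


def grant_manager(actor: str, member: str, group: Group) -> None:
    """Only a Group owner may assign the Group manager role."""
    if not owns(actor, group):
        raise PermissionError(f"{actor} does not own {group.name}")
    group.managers.add(member)


# Constructed sample VO: experiment-wide group with a sub-group tree.
uscms = Group("/uscms", owners={"alice"})
higgs = Group("/uscms/higgs", parent=uscms)
trigger = Group("/uscms/higgs/trigger", parent=higgs)
grant_manager("alice", "bob", trigger)   # alice owns the root, hence trigger too
assign_member("bob", "carol", trigger)   # bob manages trigger but does not own it
```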
Registration Flow
[Diagram: Registration Flow. Nodes: Applicant, Member, Institution, Representative, VO Central Node (VOMRS), EDG VOMS Proxy Server, Grid Sites each with Site Admin and LRPS. Arrows: register, notify, approve, synchronize, query.]
VOMRS Architecture
[Diagram: VOMRS Architecture. Components: Member, Server, CLI, GSI, Event Manager, Client IF, Synchronizer, EDG VOMS ADMIN API, Registrar, EDG Trust Manager, WEB CLIENT, VOMRS DB, EDG VOMS DB, Web Services/Servlets.]
Association with EDG VOMS
• EDG VOMS is currently used as a significant part of the VOX project:
  • Extended proxy generation
  • Gridmapfile generation for local grid resources
  • Queries to get members, groups and roles by authorization services on local grid clusters
• VOMS and VOMRS have some overlap in functionality and stored data, but
  • VOMRS is a registration service that is accessed infrequently by people (not hosts)
  • VOMS is a service that provides members with an extended proxy and should sustain heavy load. It allows access by registered hosts.
  • VOMRS keeps a lot of information about members and VO entities (institutions, sites, etc.). Member information is persistent.
  • VOMS keeps minimal information related to a member (DN, CA, group, role). A member has to be deleted in order to deny him access to the Grid.
• The VOMRS Synchronizer is responsible for updating the VOMS database
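The consequence of the two data models above, as an added example (not the VOMRS Synchronizer itself): VOMRS keeps persistent member state, VOMS stores only (DN, CA, group, role), so the synchronizer must project VOMRS state onto that tuple set and delete the VOMS entries of any member who is no longer approved. The record layout, role names and sample data are constructed assumptions.

```python
# Added example: computing the VOMS update a VOMRS-style synchronizer must push.
# VOMRS record layout, role names and sample members are constructed.
from typing import List, Set, Tuple

Entry = Tuple[str, str, str, str]  # (dn, ca, group, role): all VOMS stores per member

# Constructed sample VOMRS state (persistent, richer than VOMS).
CA = "/DC=org/DC=example/OU=Certificate Authorities/CN=Example CA"  # constructed
VOMRS_MEMBERS = [
    {"dn": "/DC=org/DC=example/OU=People/CN=Alice 1", "ca": CA, "status": "approved",
     "can_submit": True, "groups": {"/uscms": ["member"], "/uscms/higgs": ["member"]}},
    {"dn": "/DC=org/DC=example/OU=People/CN=Bob 2", "ca": CA, "status": "suspended",
     "can_submit": True, "groups": {"/uscms": ["member"]}},
    {"dn": "/DC=org/DC=example/OU=People/CN=Carol 3", "ca": CA, "status": "approved",
     "can_submit": False, "groups": {"/uscms": ["member"]}},   # admin-only member
]

# Constructed snapshot of what VOMS currently holds (Bob was synced before suspension).
VOMS_NOW: Set[Entry] = {
    (VOMRS_MEMBERS[0]["dn"], CA, "/uscms", "member"),
    (VOMRS_MEMBERS[1]["dn"], CA, "/uscms", "member"),
}


def desired_voms_entries(vomrs_members: List[dict]) -> Set[Entry]:
    """Project VOMRS state onto the minimal VOMS model.
    Only approved members with grid job submission rights belong in VOMS;
    applicants, suspended members and admin-only members must be absent, because
    VOMS has no status field: presence alone grants the extended proxy."""
    wanted: Set[Entry] = set()
    for m in vomrs_members:
        if m["status"] != "approved" or not m["can_submit"]:
            continue
        for group, roles in m["groups"].items():
            for role in roles:
                wanted.add((m["dn"], m["ca"], group, role))
    return wanted


def sync_plan(vomrs_members: List[dict], voms_entries: Set[Entry]) -> Tuple[Set[Entry], Set[Entry]]:
    """Return (to_add, to_delete) so that VOMS matches VOMRS after applying both."""
    wanted = desired_voms_entries(vomrs_members)
    return wanted - voms_entries, voms_entries - wanted


if __name__ == "__main__":
    add, delete = sync_plan(VOMRS_MEMBERS, VOMS_NOW)
    print("add:", sorted(add))        # Alice's /uscms/higgs entry
    print("delete:", sorted(delete))  # Bob's /uscms entry (suspended => removed)
```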
VOMRS WEBUI (Registration of a new user)
VOMRS WEBUI (registration)
VOMRS WEBUI (member search)
VOMRS WEBUI (subscribe to event)
Date: Fri, 05 Dec 2003 13:43:20 -0600
From: vouscms-admin@shahzad.fnal.gov
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: tlevshin@fnal.gov
Dear Administrator,
We have received a request from a person with Distinguished Name /DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073 issued by Certificate Authority /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 to join VO USCMS. You may approve or deny user access.
VO Administrator
What’s Next?
• Now that we have a model, we need to work with others to get input, take it to the next step and create a workflow that everyone can use
• Standardize the terminology, especially for administrative roles and responsibilities
• Improvement of VOMRS
  • Database (move to Oracle)
  • Documentation
  • Packaging
• VOMS/VOMRS
  • Need to define stable interfaces between VOMRS and VOMS
  • Solve issues with VOMS installation/upgrade (takes too much time and effort – very possibly due to a lack of understanding on our part)
Summary
We greatly appreciate the discussions, support and software contributions provided by our collaborators. We have all spent substantial time and effort understanding the issues involved, modeling the workflow and developing a system to implement it. Many issues remain. We believe that all will benefit from collaboration on this project.
• More info: http://www.uscms.org/s&c/VO
• E-mail: vo-project@fnal.gov