140 likes | 289 Views
Grid User Management System. Gabriele Carcassi HEPIX 2004 18 October 2004. Outline. What GUMS is How it is used at BNL What the current functionalities are Roadmap and future. GUMS …. … is a site tool. CMS. ATLAS. CMS VOMS. ATLAS VOMS. VO. VO. Brookhaven National Lab. CERN.
E N D
Grid User Management System Gabriele Carcassi HEPIX 2004 18 October 2004
Outline • What GUMS is • How it is used at BNL • What the current functionalities are • Roadmap and future
GUMS … • … is a site tool CMS ATLAS CMSVOMS ATLASVOMS VO VO Brookhaven National Lab CERN BNL GUMS CERN GUMS site site
GUMS … • … translates a Grid identity to a local identity (certificate -> local user) /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi Grid resource BNL GUMS carcassi Resource AuthZ Service – Grid Identity Mapping Simpler case show, equivalent to grid-mapfile
GUMS … • … is centralized: one server per site Grid resource Grid resource Grid resource Grid resource BNL GUMS Allows to control identity mapping from a single place Keeps the site consistent
GUMS … • … allows a site policy Grid3 production servers Allow: Members of Grid3 VO mapped with accounts taked from a pool Members on a speciallist from a database mapped to ‘special’ Test servers for USATLAS Allow: All LCG test VO mapped to ‘lcgt’ All USATLAS group mapped to ‘usatlast’ Allow: Members of … mapped to … All groups and mappings definitions are specified in a single XML file Other machines
Use at BNL since May 2004 Grid resource … VO PHENIX VO STAR VO ATLASVO Grid resource Grid resource 1. GUMS server 3. 2. GUMS DB mapfile cache 1. GUMS contacts VO servers and update local database with members 3. The gatekeepers contact the database to retireve their mapping 2. GUMS generates the maps according to the policy and stores it in a special DB table
Use at BNL GUMS Policy example <gums> <persistanceFactories> <persistenceFactory name='mysql' className='gov.bnl.gums.MySQLPersistanceFactory' /> </persistanceFactories> <groupMappings> <groupMapping name='usatlasPool'> <userGroup className='gov.bnl.gums.LDAPGroup' server='grid-vo.nikhef.nl' query='ou=usatlas,o=atlas,dc=eu-datagrid,dc=org‘ persistanceFactory='mysql' name='usatlas' /> <compositeAccountMapping> <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' /> <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistanceFactory='mysql' name='bnlPool' /> <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' /> </compositeAccountMapping> </groupMapping> <groupMapping name='star'> <userGroup className='gov.bnl.gums.VOMSGroup' url='https://vo.racf.bnl.gov:8443/edg-voms-admin/star/services/VOMSAdmin‘ persistanceFactory='mysql' name='star' sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem'/> <compositeAccountMapping> <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' /> <accountMapping className='gov.bnl.gums.NISAccountMapper' jndiNisUrl='nis://nis2.somewhere.com/rhic.bnl.gov' /> </compositeAccountMapping> </groupMapping> … </groupMappings> <hostGroups> <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='star*.somewhere.gov' groups='star' /> <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='gums.somewhere.gov' groups='star,phenix,usatlasPool' /> … </hostGroups> </gums>
Open architecture • All critical pieces are defined through interfaces and specified in the configuration UserGroup persistence impl. Persistence Factory <creates> GroupMapper <creates> Account Mapper persistence impl. * HostGroup • Allows integration with site specific services • (i.e. HR databases, LDAP, information services, …): • Implement the interface (only dependency on GUMS) • Put jar in the lib folder • Modify the policy file
Features implemented • Persistence: • MySQL • UserGroups: • LDAP VO, VOMS, manual list of users (persistence) • AccountMappers: • Group account, best effort NIS mapping, account pool, manual mapping (persistance) • All are being used at BNL
Future plans • Version 1.0 will be ready by OSG-0 release (February 2005) • Target functionalities: • Account pooling • Tested already setup within grid3 • Web service interface for GUMS • Role based authorization • part of Privilege Project, joint USATLAS and USCMS project
Account Pooling • A generic grid user will be assigned a generic grid account (no recycling) from a pool of pre-created accounts … /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi grid0009 /DC=org/DC=doegrids/OU=People/CN=Dantong Yu grid0010 grid0011 /DC=org/DC=doegrids/OU=People/CN=Razvan Popescu grid0012 grid0013 /DC=org/DC=doegrids/OU=People/CN=Dantong Yu grid0014 grid0015 • Will allow BNL cybersecurity to perform auditing • To go in production we need: • Assign the group id after the assignment • Make sure it doesn’t disrupt accountingand applications grid0016 grid0017 …
GT3 GUMS service • Use gatekeeper call-out to contact GUMS directly Grid resource … VO PHENIX VO STAR VO ATLASVO Grid resource Grid resource GUMS server GUMS DB
Role based authorization • Use of callout and of VOMS extended proxy /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi Grid resource BNL GUMS carcassi /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi /VO=ATLAS/Group=USATLAS/Role=production-leader Grid resource BNL GUMS usatlasprod