
VO Privilege Activity

The VO Privilege Project develops and implements fine-grained authorization to grid-enabled resources and services. Started Spring 2004. Sponsored by US CMS (Fermilab) and US ATLAS (BNL). People: Fermilab, BNL, PPDG.

flavio


Presentation Transcript


  1. VO Privilege Activity

  2. VO Privilege Activity • The VO Privilege Project develops and implements fine-grained authorization to grid-enabled resources and services • Started Spring 2004 • Sponsored by US CMS (Fermilab) and US ATLAS (BNL) • People: Fermilab, BNL, PPDG • Technologies: VOMS, VOMRS, Gridmap and SRM/dCache callout interface, GUMS, gPLAZMA, and SAZ

  3. VO Privilege Activity: Motivations • Improve user account assignment at grid sites • Make user-to-account mapping flexible and dynamic, using remote Grid Identity Mapping Services • Base user-to-account mapping on both user role and least-privilege access • Reduce account management administrative overhead

  4. VO Privilege Activity: Architecture (diagram). A local or remote client presents a proxy carrying VO membership and role attributes issued by VOMS. At the site, the compute element (CE) is a Globus Gatekeeper whose PRIMA callout (PRIMA C SAML libraries) consults the site-wide mapping service (GUMS, the PRIMA Authorization Service) and the site-wide assertion service (SAZ). The storage element (SE) is SRM-GridFTP with a gPLAZMA callout (PRIMA Java SAML) into the gPLAZMALite authorization services suite, which uses an auxiliary mapping service and storage metadata.
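To make the callout flow concrete, here is an added example written for this page; it is not GUMS, PRIMA or SAZ code. It models what the gatekeeper hands to the site-wide services (the proxy's DN and VOMS FQANs), applies a SAZ-style site veto first, then a first-match role policy that leases pool accounts, and denies anything no rule covers (least privilege: no catch-all mapping). The rule syntax, the pool template `cms###`, the DNs, VO names and FQAN patterns are all assumptions for the illustration.

```python
"""Added illustration of the VO Privilege mapping flow; not GUMS, PRIMA or SAZ
code. Rule syntax, pool naming, DNs and FQANs are assumptions for the example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional


@dataclass
class Credential:
    """What the gatekeeper extracts from a VOMS proxy before the callout."""
    dn: str
    fqans: List[str]          # primary FQAN first, in the order VOMS put them in the proxy


@dataclass
class MappingRule:
    fqan_pattern: str         # glob matched against one FQAN, e.g. "/cms/Role=production"
    account: str              # fixed account ("cmsprod") or pool template ("cms###")
    pool_size: int = 0        # > 0 marks a pool; '#' characters are the zero-padded index


class SiteMappingService:
    """Hypothetical GUMS-like mapper with a SAZ-like site veto in front of it."""

    def __init__(self, rules: List[MappingRule], banned_dns: Iterable[str], allowed_vos: Iterable[str]):
        self.rules = rules
        self.banned = set(banned_dns)
        self.allowed_vos = set(allowed_vos)
        # pool template -> {dn: leased account}; leases are sticky so a user keeps one identity
        self.pool_leases: Dict[str, Dict[str, str]] = {r.account: {} for r in rules if r.pool_size}

    def site_assertion(self, cred: Credential) -> bool:
        """SAZ-style yes/no: the site may veto a user no matter what the VO asserts."""
        if cred.dn in self.banned:
            return False
        vos = {f.split("/")[1] for f in cred.fqans if f.startswith("/")}
        return bool(vos & self.allowed_vos)

    def _lease(self, rule: MappingRule, dn: str) -> Optional[str]:
        leases = self.pool_leases[rule.account]
        if dn in leases:
            return leases[dn]
        if len(leases) >= rule.pool_size:
            return None                       # pool exhausted: deny rather than share an account
        width = rule.account.count("#")
        leases[dn] = f"{rule.account.rstrip('#')}{len(leases) + 1:0{width}d}"
        return leases[dn]

    def map_to_account(self, cred: Credential) -> Optional[str]:
        """Return the local account for this credential, or None to deny.

        The first FQAN (the role the user chose for this proxy) that matches a
        rule decides; an unmatched credential gets no account, not a catch-all one."""
        if not self.site_assertion(cred):
            return None
        for fqan in cred.fqans:
            for rule in self.rules:
                if fnmatchcase(fqan, rule.fqan_pattern):
                    return self._lease(rule, cred.dn) if rule.pool_size else rule.account
        return None


# Constructed demo policy (assumption): production and software roles get fixed
# accounts, every other CMS member shares a two-slot pool, one DN is banned site-wide.
DEMO_RULES = [
    MappingRule("/cms/Role=production", "cmsprod"),
    MappingRule("/cms/Role=lcgadmin", "cmssoft"),
    MappingRule("/cms*", "cms###", pool_size=2),
]


def build_demo_service() -> SiteMappingService:
    return SiteMappingService(DEMO_RULES,
                              banned_dns=["/DC=org/DC=example/CN=Mallory"],
                              allowed_vos=["cms"])


if __name__ == "__main__":
    svc = build_demo_service()
    for dn, fqans in [("/DC=org/DC=example/CN=Alice", ["/cms/Role=production", "/cms"]),
                      ("/DC=org/DC=example/CN=Bob", ["/cms"]),
                      ("/DC=org/DC=example/CN=Mallory", ["/cms/Role=production"]),
                      ("/DC=org/DC=example/CN=Eve", ["/atlas"])]:
        print(dn, "->", svc.map_to_account(Credential(dn, fqans)))
```

Two design points carry over to a real deployment: the site veto runs before any VO attribute is honoured, so a banned DN cannot regain access by choosing a different role, and an exhausted pool denies instead of doubling up users on one account, which would destroy the audit trail the later slides depend on.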

  5. Resource Selection Service (ReSS) Activity

  6. The Resource Selection Activity • The Resource Selector is a component of the OSG Job Management Infrastructure. • The project started in Sep 2005 with a planned duration of 9 months • Sponsored by PPDG as a DZero contribution to the Common Project • People: Fermilab, OSG TG-MIG group, PPDG

  7. The Resource Selection Activity: Motivations • A Resource Selector allows… • …expressing requirements on the resources in the job description (without a Resource Selector, the user is responsible for selecting the resource for the job) • …the user to refer to abstract characteristics of the resources in the job description (without a Resource Selector, the user must use concrete resource attribute values in the job description, e.g. to initialize the job environment)

  8. The Resource Selection Activity: Deliverables • The Resource Selection Activity has two major goals • Enable OSG resource usage by DZero. Jobs will be prepared and data will be handled by the SAM-Grid. • Develop and deploy a Resource Selection Service that VOs with requirements on job management similar to DZero can use.

  9. The Resource Selection Activity: Architecture (diagram). Each cluster's CE runs CEMon, which publishes the gate's information as ClassAds to an Info Gatherer. A Condor Match Maker matches job ClassAds against the gate ClassAds (Gate1, Gate2, Gate3) to answer "What gate?", and the Condor Scheduler sends the job to the selected gate, whose job-managers run it on the cluster.
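The matchmaking step above is what lets a user state abstract requirements instead of naming a gate. The following is an added example written for this page, a toy ClassAd-style evaluator and matchmaker, not Condor's ClassAd library: expressions use `MY`/`TARGET`, matching is symmetric (the job's Requirements against the gate and the gate's Requirements against the job), the best job Rank wins, and a reference to an attribute the gate never published evaluates to UNDEFINED and so never matches. The gate names, attributes and expressions are constructed for the illustration.

```python
"""Added illustration of ClassAd-style matchmaking for a resource selector; a toy
evaluator written for this page, not Condor's ClassAd library. Names and
attributes are made up."""
import ast


class Undefined(Exception):
    """Raised when an expression references an attribute the ad lacks."""


class Ad:
    """A flat ClassAd: attribute name -> value (Requirements and Rank included)."""
    def __init__(self, **attrs):
        self.attrs = attrs

    def __getattr__(self, name):
        try:
            return self.attrs[name]
        except KeyError:
            raise Undefined(name) from None


# The only syntax an expression may use: no calls, subscripts or names other than MY/TARGET,
# so an attacker-supplied job ad cannot turn the matchmaker into a code-execution hole.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
            ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
            ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div,
            ast.Attribute, ast.Name, ast.Load, ast.Constant)


def evaluate(expr: str, my: Ad, target: Ad):
    """Evaluate a ClassAd expression with MY and TARGET bound.

    Returns a bool or number, or None for ClassAd UNDEFINED (missing attribute)."""
    src = (expr.replace("&&", " and ").replace("||", " or ")
               .replace("=?=", "==").replace("=!=", "!="))
    tree = ast.parse(src, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"disallowed construct {type(node).__name__} in {expr!r}")
        if isinstance(node, ast.Name) and node.id not in ("MY", "TARGET"):
            raise ValueError(f"unknown name {node.id!r} in {expr!r}")
    try:
        return eval(compile(tree, "<classad>", "eval"),
                    {"__builtins__": {}}, {"MY": my, "TARGET": target})
    except Undefined:
        return None


def select_gate(job: Ad, gates):
    """Symmetric match, then the highest job Rank; None if no gate matches."""
    best, best_rank = None, None
    for gate in gates:
        if evaluate(job.Requirements, job, gate) is not True:
            continue                      # job does not want this gate (or UNDEFINED)
        if evaluate(gate.Requirements, gate, job) is not True:
            continue                      # gate does not accept this job
        rank = evaluate(job.Rank, job, gate) or 0
        if best is None or rank > best_rank:
            best, best_rank = gate, rank
    return best.Name if best else None


# Constructed gate ads as CEMon might publish them (assumption, not real OSG data).
GATES = [
    Ad(Name="gate1.example.org", Arch="x86_64", Memory=8192, FreeCPUs=50,
       Requirements='TARGET.VO == "cms"'),
    Ad(Name="gate2.example.org", Arch="x86_64", Memory=4096, FreeCPUs=10,
       Requirements='TARGET.VO == "dzero" || TARGET.VO == "cms"'),
    Ad(Name="gate3.example.org", Arch="x86_64", Memory=2048, FreeCPUs=40,
       Requirements='True'),
    Ad(Name="gate4.example.org", Arch="x86_64", FreeCPUs=500,      # publishes no Memory
       Requirements='True'),
]
DZERO_JOB = Ad(VO="dzero", Requirements='TARGET.Arch == "x86_64" && TARGET.Memory >= 2048',
               Rank='TARGET.FreeCPUs')
CMS_JOB = Ad(VO="cms", Requirements='TARGET.Memory >= 8192', Rank='TARGET.FreeCPUs')

if __name__ == "__main__":
    print("DZero job ->", select_gate(DZERO_JOB, GATES))
    print("CMS job   ->", select_gate(CMS_JOB, GATES))
```

Note that gate4 advertises the most free CPUs but is never chosen for the DZero job: its ad lacks `Memory`, so the comparison is UNDEFINED rather than true, which is the behaviour a user relying on abstract attributes needs to be able to count on.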

  10. OSG Auditing Activity

  11. OSG Auditing Activity • The activity develops a system to record a suitable audit trail for grid services • Audit trail is a set of log entries to determine who did what, when, where and how • Audit trail is critical for both debugging and security investigations • Started Winter 05

  12. OSG Auditing: Goals • Provide tools to the site to gather audit events, process them and correlate them, in order to facilitate post-mortem investigations and detection of malicious use • Security concerns mean that a site auditing service should only allow queries that do not expose much data (e.g. yes/no questions such as: did this DN submit more than 10 jobs in the past 24 hours?). The feasibility/utility of across-site auditing is under investigation. • Determining what has happened in a Grid environment • Chain of events to follow: user contacts a resource broker, which submits to a gatekeeper, which starts a batch job, which executes on a node, which starts a file transfer, …

  13. Auditing at a site (an example). Diagram: the gatekeeper (GK), GRAM and GridFTP feed their logs through a parsing layer into the site Auditing Service, alongside centralized logging and site cyber security. The service allows searching through events and correlating them. The user will use a GUI or command-line tools to navigate the data, and will retrieve pointers to the actual log entries when needed. Some sites already have a way to collect and store logs, based on syslog or other standard practices; we want to leverage and integrate those within the framework. … We need to make sure the services actually provide enough information.
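The chain of events on slide 12 and the site-level service on slide 13 can be exercised with an added example, written for this page and not the OSG auditing service's own code or log format. It parses constructed syslog-like lines from a gatekeeper, GRAM, a batch system and GridFTP, rebuilds the chain behind one gatekeeper job by joining on the identifiers each service writes (and, for the transfer, on the worker node and the batch job's run window), and answers the slide's "did this DN submit more than N jobs in the past 24 hours?" as a plain yes/no, so nothing from the log leaves the site. Hostnames, DNs, job ids and the line layout are assumptions.

```python
"""Added illustration of audit-trail correlation for the OSG Auditing goals; the
log format, hosts, DNs and job ids below are constructed for the example and
are not the OSG auditing service's own format."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<service>\w+): (?P<kind>\w+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value, value may be a quoted DN


def parse_line(line: str) -> Optional[dict]:
    """One log line -> event dict (ts, host, service, kind, plus key=value fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None                               # count these in a real parser: gaps matter
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    for key, val in KV_RE.findall(ev.pop("rest")):
        ev[key] = val.strip('"')
    return ev


def parse_log(lines) -> List[dict]:
    return [ev for ev in map(parse_line, lines) if ev]


def chain_for_job(events: List[dict], gk_job: str) -> List[dict]:
    """Follow one gatekeeper job: gatekeeper/GRAM by job id, batch by batch id,
    GridFTP by worker node inside the batch job's START..END window."""
    chain = [e for e in events if e.get("job") == gk_job]
    batch_id = next((e["batch"] for e in chain if "batch" in e), None)
    if batch_id:
        batch = [e for e in events if e["service"] == "batch" and e.get("batch") == batch_id]
        chain += batch
        start = next((e for e in batch if e["kind"] == "START"), None)
        end = next((e for e in batch if e["kind"] == "END"), None)
        if start and end:
            chain += [e for e in events
                      if e["service"] == "gridftp" and e.get("from") == start["node"]
                      and start["ts"] <= e["ts"] <= end["ts"]]
    return sorted(chain, key=lambda e: e["ts"])


def submitted_more_than(events: List[dict], dn: str, n: int, now: datetime,
                        window: timedelta = timedelta(hours=24)) -> bool:
    """The slide's low-exposure query: a yes/no answer, no DNs or job ids returned."""
    count = sum(1 for e in events
                if e["service"] == "gram" and e["kind"] == "SUBMIT"
                and e.get("dn") == dn and now - window <= e["ts"] <= now)
    return count > n


# Constructed sample log (assumption): one job followed end to end, extra submissions
# by the same DN, a transfer after the job ended, and one line that does not parse.
SAMPLE_LOG = """\
2006-03-01T10:00:01Z gk1 gatekeeper: AUTHORIZED dn="/DC=org/DC=example/CN=Alice" from=192.0.2.10 job=gk1.1001
2006-03-01T10:00:02Z gk1 gram: SUBMIT dn="/DC=org/DC=example/CN=Alice" job=gk1.1001 batch=pbs.552
2006-03-01T10:05:00Z wn07 batch: START batch=pbs.552 node=wn07
2006-03-01T10:06:30Z se1 gridftp: TRANSFER dn="/DC=org/DC=example/CN=Alice" from=wn07 file=/data/run1.root bytes=1048576
2006-03-01T10:30:00Z gk1 gatekeeper: AUTHORIZED dn="/DC=org/DC=example/CN=Bob" from=198.51.100.7 job=gk1.1002
2006-03-01T10:30:01Z gk1 gram: SUBMIT dn="/DC=org/DC=example/CN=Bob" job=gk1.1002 batch=pbs.553
2006-03-01T11:00:00Z wn07 batch: END batch=pbs.552 status=0
2006-03-01T11:10:00Z gk1 gram: SUBMIT dn="/DC=org/DC=example/CN=Alice" job=gk1.1003 batch=pbs.554
2006-03-01T11:20:00Z gk1 gram: SUBMIT dn="/DC=org/DC=example/CN=Alice" job=gk1.1004 batch=pbs.555
2006-03-01T11:40:00Z se1 gridftp: TRANSFER dn="/DC=org/DC=example/CN=Alice" from=wn07 file=/data/run2.root bytes=2048
not a log line at all
"""
NOW = datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed query time

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for e in chain_for_job(evs, "gk1.1001"):
        print(e["ts"].isoformat(), e["host"], e["service"], e["kind"])
    print("Alice > 2 jobs in 24h?", submitted_more_than(evs, "/DC=org/DC=example/CN=Alice", 2, NOW))
```

The second transfer from wn07 at 11:40 is deliberately left out of the chain: it falls after the batch job's END, so attributing it to job gk1.1001 would be wrong, which is exactly why the slide stresses that each service must log enough (here: node name and batch id) for the join to be made.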

  14. OSG Accounting Activity

  15. OSG Accounting Activity • The goal of the activity is to develop a system to track the consumption of OSG services and resources user by user • Sponsored by SLAC, Fermilab and PPDG • Started Summer 2005 • More Info: google “osg accounting”

  16. OSG Accounting Activity: Motivation. The OSG infrastructure must provide its users with precise and reliable information about resource consumption. Availability of such information will • allow resource providers to directly link resource consumption with VOs and science projects' goals, • improve resource planning and organization at the resource providers' sites, • eventually, support automatic resource allocation and consumption based on an economic model.

  17. OSG Accounting ActivityArchitecture

  18. OSG Accounting Activity

  19. OSG Edge Services Framework Activity

  20. OSG Edge Services Framework Activity • In OSG, services on the "Edge" of the Grid/Fabric site boundaries grant users access to site-private services. • Started in September 2005. • Collaboration: Physicists, Computer Scientists & Engineers, Software Architects. • People: USATLAS, USCMS, Globus Alliance, ANL, U. Chicago, UC San Diego • Web collaborative area – http://osg.ivdgl.org/twiki/bin/view/EdgeServices

  21. OSG Edge Services Framework Activity: Vision. An OSG site provides access to a shared compute & storage cluster via two types of services: those shared between VOs, and those that are VO specific. VO-specific service deployment is made possible via a shared services framework.

  22. OSG Edge Service Framework Activity: Motivation • OSG has many VOs, each with many different requirements • Resources may be partitioned into specific, VO-dedicated servers alongside shared, open grid services used by many VOs. • Each VO may want to use different software to implement any particular kind of edge service • Each VO may put different requirements on an edge service in terms of resource usage.

  23. ESF - Phase 1, Role=VO Admin (diagram; slides 24–27 are further frames of the same build). Based on Xen & GT4 workspaces. A CMS user holding the VO Admin role contacts the ESF host at the site, which runs as Xen dom0 beside the site's CE and SE, and a CMS edge-service Xen VM is instantiated there.

  28. ESF - Phase 1, Role=VO User (diagram; slides 29–30 are further frames of the same build). A CMS user holding the VO User role then reaches the site's CE and SE through the CMS edge service running in a Xen domU on the ESF host (dom0).
