CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services. Jiří Denemark, Michał Jankowski, Luděk Matyska, Norbert Meyer, Miroslav Ruda, Paweł Wolniewicz: User Management for Virtual Organizations. CoreGRID Integration Workshop 2005, Pisa, Italy, 28-30 November 2005
Outline • Introduction • Definitions • System Requirements • Example Approaches • Proposed Solution • Summary European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies
Introduction • Aims of User Management • Provide controlled and secure access to Grid resources • Provide an effective way of introducing/removing users and granting/revoking privileges • Accounting
Virtual organization • A virtual organization (VO) is a set of individuals and/or institutions that allows its members to share resources in a controlled manner, so that they may collaborate to achieve a shared goal. • VOs may form hierarchies. • The hierarchy forms a Directed Acyclic Graph (DAG) where the VOs are vertices and the edges represent relations between them. • A user may be a member of many VOs.
User roles • The privileges the organization wants to grant a user, related to the tasks he or she is supposed to perform, are attached to user roles. • The roles are defined across the hierarchy of VOs and are managed in an independent structure. • The authorities of the VOs are responsible for defining roles. • One user may have multiple roles and is responsible for selecting the required role when accessing a resource.
Capabilities • Any special rights to resources, expressed e.g. by an ACL, are called capabilities. • Capabilities may be used to express rights of a specific user, e.g. some file is writable only by its owner.
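The three notions above (a VO hierarchy that must stay acyclic, roles defined per VO by its own authority and selected by the user at access time, and per-user capabilities in a resource ACL) fit in one small authorization model. The following is an added example written for this page, not code from the CoreGRID authors or from any of the tools the slides mention. It assumes, as a simplification, that membership of a VO also counts as membership of every ancestor VO, that a user acts in exactly one (VO, role) context per access, and that ACL entries are simple tuples; the DNs, VO names and the resource are constructed sample data.

```python
# Added example (not from the CoreGRID slides): a toy model of a VO hierarchy (a DAG),
# roles defined per VO, and resource-side capabilities (ACL entries).
# Assumptions, labelled here: membership of a VO counts as membership of all its
# ancestor VOs, and a user chooses one (VO, role) context per access.
from collections import defaultdict


class VOHierarchy:
    def __init__(self):
        self.parents = defaultdict(set)      # child VO -> parent VOs (DAG edges)
        self.members = defaultdict(set)      # VO -> directly enrolled user DNs
        self.roles = defaultdict(set)        # VO -> roles its authority defined
        self.user_roles = defaultdict(set)   # (user DN, VO) -> roles granted there

    def ancestors(self, vo):
        """All VOs reachable upward from vo (not including vo itself)."""
        seen, stack = set(), [vo]
        while stack:
            for parent in self.parents[stack.pop()]:
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def add_edge(self, child, parent):
        """Make `parent` a parent of `child`; refuse edges that would close a cycle."""
        if child == parent or child in self.ancestors(parent):
            raise ValueError(f"edge {child} -> {parent} would make the VO graph cyclic")
        self.parents[child].add(parent)

    def effective_vos(self, user):
        """Direct memberships plus (by assumption) every ancestor VO."""
        direct = {vo for vo, users in self.members.items() if user in users}
        return direct | set().union(*(self.ancestors(vo) for vo in direct))

    def grant_role(self, user, vo, role):
        """Only the VO's own authority defines roles, and only for its direct members."""
        if role not in self.roles[vo]:
            raise ValueError(f"role {role!r} is not defined by VO {vo}")
        if user not in self.members[vo]:
            raise ValueError(f"{user} is not a direct member of {vo}")
        self.user_roles[(user, vo)].add(role)

    def holds_role(self, user, vo, role):
        return role in self.user_roles[(user, vo)]


class Resource:
    """A resource whose ACL mixes VO/role entries and per-user capabilities."""

    def __init__(self, name, acl):
        self.name = name
        self.acl = acl   # entries: ("vo", vo, role_or_None, perm) or ("user", dn, None, perm)

    def authorize(self, h, user, vo, role, perm):
        # The user acts in a chosen (VO, role) context; both claims are verified first.
        if vo not in h.effective_vos(user):
            return False
        if role is not None and not h.holds_role(user, vo, role):
            return False
        for kind, subject, needed_role, p in self.acl:
            if p != perm:
                continue
            if kind == "user" and subject == user:            # capability for one user
                return True
            if kind == "vo" and subject == vo and needed_role in (None, role):
                return True
        return False


def build_example():
    """Constructed sample data: a parent VO with one sub-VO, two users, one resource."""
    alice = "/C=PL/O=PSNC/CN=Alice"
    bob = "/C=CZ/O=CESNET/CN=Bob"
    h = VOHierarchy()
    h.add_edge("coregrid/wp5", "coregrid")
    h.members["coregrid/wp5"].add(alice)
    h.members["coregrid"].add(bob)
    h.roles["coregrid/wp5"].add("developer")
    h.grant_role(alice, "coregrid/wp5", "developer")
    results = Resource("/data/wp5/results", [
        ("vo", "coregrid", None, "read"),               # any CoreGRID member may read
        ("vo", "coregrid/wp5", "developer", "write"),   # WP5 developers may write
        ("user", bob, None, "write"),                   # capability: Bob personally may write
    ])
    return h, results, alice, bob
```

Note that the resource never trusts the claimed context by itself: a request in the name of a VO the user does not belong to, or with a role the VO authority never granted, is refused before the ACL is consulted, which is what keeps the ACL short and the VO authority in control of its own roles.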
VOs, roles and capabilities
Virtual environment • By a virtual environment we understand an encapsulation of user jobs that both guarantees a limited set of privileges and supports identification of the user and of the organization on whose behalf he or she acts. • Virtual accounts, sandboxes, and virtual machines are examples of different approaches to the creation of virtual environments.
Security requirements • Authentication (single sign-on, credential delegation, integration with local security solutions) • Fine-grained authorization (maximum security for resources with minimum limitations on the users), based on: membership of a Virtual Organization, the user's role in the VO, capabilities • Combined security policies of the VO and the resource owner (delegation of some administrative privileges and work from the node administrator to the VO) • Possibility of logging user activities for audit
Accounting requirements • Proper level of job isolation • Context (VO, role, ...) • Collecting data from many locations
Effective and scalable management • The administrative burden must be divided between VO managers and resource managers • Avoid duplication of administrative work (e.g. creating user accounts on each node) • Take into account the very dynamic structure of the Grid: many administrative domains, heterogeneity, different local policies.
Example Approaches • Perun • VUS • VOMS, LCAS, LCMAPS • Virtual Workspaces, Dynamic Virtual Environments
Virtual Environment Management Service
Virtual Environment Information Service
Summary • The list of requirements for user management is long and may vary depending on the system • There is a number of tools that cover at least part of the mentioned requirements • The tools are used in many projects, although none of them fulfils all the requirements • The proposed solution is a framework that allows combining these tools
Thank You!
Virtual User System • VUS is an extension of the system that runs users' jobs (e.g. Globus GRAM) that allows running jobs without the user having an account on the node. • The user is authenticated, authorized and then mapped to a 'virtual' account (one user per account at a time). • The history of user-to-account mappings is stored, so that accounting and tracking of user activities is possible. • Authorization is plugin-based. Using the VO-membership plugin it is possible to combine the security policy of the VO with that of the resource owner. • VUS has been used or will be used in a number of national and international projects: SGIgrid, Clusterix, GridLab, CoreGRID, BalticGrid. • Virtual environments other than virtual accounts are not supported. • Authorization based on roles or capabilities is not supported, but is easy to add. • Non-WS approach (not based on Web Services)
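The security-relevant points of the VUS design are that a local account is bound to at most one authenticated user at a time, that the mapping history lets a site resolve any (account, time) pair back to a user and VO, and that the authorization decision is a chain of plugins in which VO policy and resource-owner policy are combined. The following is an added example written for this page to illustrate that design; it is not VUS code and does not reproduce its interfaces. It assumes that plugins are plain callables returning (allowed, reason), that timestamps are logical integers, and that the VO database is a dict; the account names, DNs and VO are constructed sample data.

```python
# Added example (not VUS code): a toy virtual-account mapper in the spirit of VUS.
# Assumptions, labelled here: authorization is a chain of plugin callables, the
# account pool and the timestamps are logical, and the VO database is a dict.
from dataclasses import dataclass


@dataclass(frozen=True)
class JobRequest:
    user_dn: str      # identity taken from the authenticated proxy certificate
    vo: str           # VO context the user acts in
    submitted: int    # logical timestamp of submission


def vo_membership_plugin(vo_db):
    """VO policy: the user must be enrolled in the VO it claims."""
    def check(job):
        if job.user_dn in vo_db.get(job.vo, set()):
            return True, "VO membership ok"
        return False, f"{job.user_dn} is not a member of {job.vo}"
    return check


def resource_owner_plugin(accepted_vos, banned_dns):
    """Resource-owner policy: which VOs the node serves, and locally banned users."""
    def check(job):
        if job.user_dn in banned_dns:
            return False, "user banned by resource owner"
        if job.vo not in accepted_vos:
            return False, f"VO {job.vo} not accepted on this node"
        return True, "local policy ok"
    return check


class VirtualAccountPool:
    def __init__(self, accounts, plugins):
        self.free = list(accounts)   # local accounts not currently mapped to anyone
        self.active = {}             # account -> (user_dn, vo, start)
        self.history = []            # (account, user_dn, vo, start, end): the audit trail
        self.plugins = list(plugins)

    def authorize(self, job):
        for plugin in self.plugins:          # every plugin must agree: policies are combined
            ok, reason = plugin(job)
            if not ok:
                return False, reason
        return True, "allowed"

    def map_user(self, job):
        """Bind an authorized user to a free virtual account (one user per account at a time)."""
        ok, reason = self.authorize(job)
        if not ok:
            raise PermissionError(reason)
        if not self.free:
            raise RuntimeError("no free virtual account")
        account = self.free.pop(0)
        self.active[account] = (job.user_dn, job.vo, job.submitted)
        return account

    def release(self, account, now):
        """Job finished: record the mapping and return the account to the pool.
        A real system must also kill leftover processes and wipe the home
        directory here, otherwise the next user inherits the previous one's data."""
        user_dn, vo, start = self.active.pop(account)
        self.history.append((account, user_dn, vo, start, now))
        self.free.append(account)

    def who_used(self, account, at):
        """Accounting/audit: resolve (local account, time) back to (user, VO), or None."""
        for acct, user_dn, vo, start, end in self.history:
            if acct == account and start <= at < end:
                return user_dn, vo
        if account in self.active:
            user_dn, vo, start = self.active[account]
            if start <= at:
                return user_dn, vo
        return None


def build_site():
    """Constructed sample node: two virtual accounts, one accepted VO, one banned user."""
    alice = "/C=PL/O=PSNC/CN=Alice"
    bob = "/C=CZ/O=CESNET/CN=Bob"
    carol = "/C=DE/O=FZJ/CN=Carol"
    dave = "/C=IT/O=INFN/CN=Dave"
    vo_db = {"coregrid": {alice, bob, carol, dave}}
    pool = VirtualAccountPool(
        ["grid001", "grid002"],
        [vo_membership_plugin(vo_db), resource_owner_plugin({"coregrid"}, {dave})],
    )
    return pool, alice, bob, carol, dave
```

The two plugins show the division of administrative work the slides ask for: the VO authority maintains the membership list, the node administrator maintains only the local acceptance and ban lists, and neither has to create per-user accounts on the node. The `who_used` lookup is what makes recycled accounts acceptable for audit: a log line mentioning `grid001` is only meaningful together with its timestamp, and the mapping history is the record that turns it back into a user and a VO.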
Perun • Central configuration database with resource configuration information. • Normalized data, integrity constraints enforced. • Changes in the database are watched by database triggers; a data change starts an automatic service update. • The configuration files/databases of the managed services are changed, so there is no run-time dependency on Perun. • Support for service dependencies and application-specific plugins. • Failures are detected and services are eventually re-planned. • Deployed in projects: MetaCentre, SITOLA, GridLab. • Accounting and logging not supported. • Limited control of the resource user. • Virtual environments not supported.
VOMS, LCAS, LCMAPS • Virtual Organization Membership Service: contains a database with information on the user's VO and group (sub-organization) membership, roles and capabilities, issued in the form of a VOMS credential. • Before starting a job the user must acquire a VOMS proxy certificate. The extra authorization data is placed as a non-critical extension in the proxy, so it is compatible with services that are not VOMS-aware. • Local Centre Authorization System: service used on computing nodes in order to enforce local security policies. • Local Credential Mapping Service: maps the user to local credentials (AFS/Kerberos tokens, UNIX account and group), depending on the user's proxy certificate and the job description. • Lack of proper job isolation, so per-user accounting and logging are not possible. • VOMS may be used with other systems (e.g. VUS)
Virtual Workspaces, Runtime Environments, Dynamic Virtual Environments • The Workspace Management Service allows running user jobs in a virtual environment, using different technologies (GRAM Gatekeeper, OGSI, WSRF). • The virtual environments are implemented as dynamically created Unix accounts and virtual machines. • Authorization and accounting issues are not addressed directly.