1 / 25

Multi-Site VOs and Multi-VO Sites in Open Science Grid

Multi-Site VOs and Multi-VO Sites in Open Science Grid. GridWorld/GGF15 October 3-6, 2005 Boston, MA, USA Community Activity: Leveraging Site Infrastructute for Multi-Site Grids. Abhishek Singh Rana UC San Diego rana@fnal.gov. Frank Wuerthwein UC San Diego fkw@fnal.gov.

justus
Download Presentation

Multi-Site VOs and Multi-VO Sites in Open Science Grid

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multi-Site VOs and Multi-VO Sites inOpen Science Grid GridWorld/GGF15 October 3-6, 2005 Boston, MA, USA Community Activity: Leveraging Site Infrastructute for Multi-Site Grids Abhishek Singh Rana UC San Diego rana@fnal.gov Frank Wuerthwein UC San Diego fkw@fnal.gov

  2. Collaborative Effort Technical Lead: Ian Fisk, FNAL Privilege Project Brookhaven National Lab USATLAS Open Science Grid RBAC, Security and Policy Frameworks Fermi National Lab USCMS U California San Diego PPDG Common Virginia Tech Technical Coordinator: Dane Skow, FNAL

  3. Outline • Concepts & Goals. • Examples • Compute Element. • Storage Element. • User work space at a compute node.

  4. OSG Approach: Concepts • Global specification of privilege requirements per Role. • Site central mapping of Role to implementation of privilege requirements. • Local enforcement of privilege requirements.

  5. Site Site Site Site Site CE CE CE CE CE SE SE SE SE SE Multi-Site VO

  6. Site CE SE Multi-VO Site

  7. Site Site Site Site Site Site Site Site CE CE CE CE CE CE CE CE SE SE SE SE SE SE SE SE A Multi-VO Multi-Site Grid

  8. OSG Approach • VO defines Roles and associated privileges by specifying expected functionality. • E.g. cmssoft may install software in area that is read-only by all cmsgrid user jobs running on site/campus. • E.g. cmssvc may deploy DB cache available to all cmsgrid user jobs running on site/campus. • Site maps VO scope identities to local scope identities. • Site wide management of mapping. • Service level granularity of mapping. • Site enforces VO privilege policies within local scope identities. • Authorization = !(Site-vetoed) && (VO-allowed)

  9. Local or Remote Client Proxy with VO Membership | Role Attributes VO Attribute Repository Site Host 1 Site-wide Mapping Service Service X Callout Module for X, Y Authorization Service for Service X, Y, Z Service Y Auxiliary Mapping Service Auxiliary Authorization Service for Service Z Service X Service Z Callout Module for Z Site-wide Assertion Service Service X Veto Service Y Veto Service Z Veto Host 2

  10. Local or Remote Client Proxy with VO Membership | Role Attributes VO Attribute Repository Site Host 1 Site-wide Mapping Service PEP PDP Service X Callout Module for X, Y Authorization Service for Service X, Y, Z PDP Service Y Auxiliary Mapping Service Auxiliary Authorization Service for Service Z Service X Service Z Callout Module for Z Site-wide Assertion Service Service X Veto Service Y Veto Service Z Veto PEP Host 2

  11. Example: Compute Element

  12. CE: Globus and Condor • PRIMA and GUMS provide CE authz in OSG approach. • PRIMA authenticates. • GUMS translates {DN, Membership, Role} to Username. • System translates Username to site-wide {UID}.

  13. Local or Remote Client Proxy with VO Membership | Role Attributes VOMS Site Globus Gatekeeper PRIMA callout Site-wide Mapping Service CE PRIMA C SAML libraries GUMS Site-wide Assertion Service SAZ Deployed at many sites/campuses with static UIDs as well as UID pools.

  14. Example: Storage Element

  15. SE: SRM-dCache • Different doors for different authz methods. • Same underlying local authz mechanism. • Can be mapped to site’s UID/GID domain. • Or be restricted to SRM-dCache only. • Examples: • USCMS-VO at FNAL: Site UID domain. • CDF-VO at FNAL: Site Kerberos domain.

  16. SE: SRM-dCache • gPLAZMA extends SRM-dCache separation of SE authz and CE authz to OSG approach. • gPLAZMA authenticates. • Storage Authz Service contacts GUMS and gPLAZMA Storage Metadata Service. • GUMS translates {DN, Membership, Role} to Username. • System optionally translates Username to site-wide {UID, GID}. • gPLAZMA Storage Metadata Service translates Username to Storage-privilege Set. • Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}. • Storage-privilege Set is User-level ACL governed by {DN, Membership, Role} .

  17. Local or Remote Client Proxy with VO Membership | Role Attributes VOMS Site Globus Gatekeeper PRIMA callout Site-wide Mapping Service CE PRIMA C SAML libraries GUMS PRIMA Authorization Service Auxiliary Mapping Service gPLAZMA Storage metadata SRM-GridFTP gPLAZMA callout SE gPLAZMA PRIMA Java SAML Site-wide Assertion Service SAZ gPLAZMALite Authorization Services suite

  18. Local or Remote Client Proxy with VO Membership | Role Attributes VOMS Site Globus Gatekeeper PRIMA callout Site-wide Mapping Service CE PRIMA C SAML libraries GUMS OGSA AuthZ interface PRIMA Authorization Service Auxiliary Mapping Service gPLAZMA Storage metadata SRM-GridFTP gPLAZMA callout SE gPLAZMA PRIMA Java SAML Site-wide Assertion Service SAZ gPLAZMALite Authorization Services suite

  19. Local or Remote Client Proxy with VO Membership | Role Attributes VOMS VOMS Virtual Organization Membership Service Site Globus Gatekeeper PRIMA callout Site-wide Mapping Service GUMS Grid User Management System CE PRIMA C SAML libraries GUMS PRIMA A System for Privilege Management and Authorization in Grids PRIMA Authorization Service Auxiliary Mapping Service gPLAZMA Storage metadata gPLAZMA grid-aware Pluggable Authorization Management System SRM-GridFTP gPLAZMA callout SAZ Site Authorization Service SE gPLAZMA PRIMA Java SAML Site-wide Assertion Service SAZ gPLAZMALite Authorization Services suite

  20. Local or Remote Client Proxy with VO Membership | Role Attributes VOMS VOMS INFN teams, Italy Site Globus Gatekeeper PRIMA callout Site-wide Mapping Service GUMS Gabriele Carcassi, BNL CE PRIMA C SAML libraries GUMS PRIMA Markus Lorch, VT PRIMA Authorization Service Auxiliary Mapping Service gPLAZMA Storage metadata gPLAZMA Abhishek Singh Rana, UCSD Timur Perelmutov, FNAL SRM-GridFTP gPLAZMA callout SAZ Vijay Sekhri, FNAL John Weigand, FNAL SE gPLAZMA PRIMA Java SAML Site-wide Assertion Service SAZ SRM-dCache DESY/FNAL teams gPLAZMALite Authorization Services suite

  21. SE ACLs: VO versus Site Control • VO control of ACLs. • All files are owned by VO. • Simple solutions. • VO PDP, separated from Resource. • Site control of ACLs. • All files are owned by {DN, Membership, Role} of a User. • Site SE enforces global (VO) and local (site) policies. • Global & local policies are used together to aid in isolation of privileges, grant privacy to user, and perform fine-grained security. • Demands sophisticated solutions. • Site PDP, closer to Resource.

  22. Example: User work space

  23. Consider a simple goal… If a user credential gets compromised, the miscreant must be restricted to exploiting stolen credentials to only run the user’s application. • What would this require? • Slicing of a Resource, on demand. • PEP closer to such finer slices of a Resource. • Customized (possibly transient) slices. • Isolation of environment of such a slice. • A resource slice and applications make a work space.

  24. User work space • Concepts • TID (Transactional Identity) = {DN, Membership Profile, Set of Roles} • Thus, TID is VO & “application type” specific. • TID functions as a tag for work space characteristics. • Site central mapping service translates TID into work space characteristics. • Compute node local service provisions work space according to characteristics.

  25. Summary of OSG Approach • Global specification of privilege requirements per role. • Means to do so are lacking today! • Site central mapping of role to implementation of privilege requirements. • Simple solutions in production usage. • Local enforcement of privilege requirements. • Simple solutions in production usage. • Moving forward to designing more advanced solutions.

More Related