Virtual Organization Management Registration Service (VOMRS)
T. Levshina, J. Weigand, S. White
Co-Authors: L. Bauerdick, G. Carcassi, I. Fisk, A. Heavey, P. Mhashilkar, R. Pordes, A. Sill, D. Yocum
Talk Outline
• VOMRS Scope
• Place in the GRID World
• Architecture
• Main Features Overview
• Since Last CHEP
• Implementation and Distribution
• Deployment
• Dependencies and Issues
• Summary
CHEP 2006 VOMRS
VOMRS Scope
VOMRS offers a comprehensive set of services that facilitates secure and authenticated management of VO membership, grid resource authorization and privileges. It:
• implements a registration workflow providing means for collaborators to register with a Virtual Organization (VO)
• supports management of multiple grid certificates per member
• permits VO-level control of a member's privileges
• provides email notifications of selected events
• supports VO-level control over its trusted set of Certificate Authorities (CAs)
• permits delegation of responsibilities among the various VO administrators
• manages groups and group roles
• is capable of interfacing to third-party systems and pulling or pushing relevant member information from/to them
Place in the GRID World
(Diagram; only its labels survive.) Components: Member, VOMRS, VOMS, Grid Facility with a Grid Cluster, Globus Gatekeeper, Job Manager, and Facility Authorization Management (GUMS). Labelled flows: the Member registers with VOMRS using a certificate; VOMRS passes membership/privileges to VOMS; the Member gets a proxy and submits a job to the Grid Facility; the Globus Gatekeeper and Job Manager use callouts to ask "Is authorized?" of GUMS, which draws on membership/privileges from VOMS.
VOMRS Architecture
(Diagram; only its labels survive.) The VOMRS Host runs the VOMRS Server, the VOMRS Admin Service and a Service Broker on top of the VOMRS DB. A Member on the Client Host uses the WEB CLIENT (HTTP+SSL authentication) or the CLI (SOAP+SSL authentication), both relying on the gLite Trust Manager. The Service Broker reaches the gLite VOMS DB via the VOMS Admin API with GSI authentication, the SAM DB Host via the SAM ADMIN API and CLI, and the CERN ORG DB Host via the LCG ORGDB API.
VOMRS Entities
Certificate Authorities
• Allows list management of CAs accepted in the VO
• Offers a consistent way of managing membership status for members whose certificate CAs become obsolete or invalid
Groups and Group Roles
• Supports a hierarchy of groups
• Allows creation/deletion of group roles
• Provides an interface to manage groups and group roles
Institutions and Sites
• Provides an interface to manage Institutions and Sites
• Requires member affiliation with an Institution; an expiration date is imposed
Personal Data Set
• Supports real-time editing of the data set collected during registration
• Distinguishes between private and public data, persistent and non-persistent data, etc.
VOMRS Administrators
Allows for delegation of responsibilities within the VO:
• VO Admin: responsible for maintaining the VOMRS. A VO Admin manages data pertaining to institutions, sites, CAs and members' privileges, and can modify the set of personal information required by the VO
• Representative: responsible for approving/denying applicants' requests for VO membership based on personal knowledge about each individual applicant's identity and institutional affiliation
• Group Owner and Group Manager: responsible for managing the group's membership. A Group Manager can create new subgroups and/or group roles
• Site Admin and Local Resource Provider: able to access member information
Membership Registration
In order to access VOMRS a user is required to have a valid certificate whose CA is recognized by the VO.
Registration consists of two steps:
• During Phase I a new user:
  • fills out personal information
  • selects a Representative
  • provides an email address
• After receiving email notification, the user proceeds to Phase II and:
  • signs the Usage Rules for the VO
  • selects group(s) and group role(s)
In order to become a VO member with grid resource privileges, the user's registration must be approved by the user's Representative or a VO Admin.
WEB UI Example (Registration)
(Screenshots of the Phase I and Phase II registration pages.)
Notification Events
An event in VOMRS constitutes any change to:
• a member's status/privileges:
  • a new administrative role is assigned
  • a certificate is suspended
  • a member is assigned to a group
• the structure of the VO:
  • creation of a new group
  • expiration of a CA
  • addition of an institution
Events can trigger a call to an external system via a registered interface.
Some events require action to be taken by a VO member:
• a Representative is asked to approve/deny a registration
• a member is asked to sign a new Usage Rules document
The events to which a member can subscribe depend upon the member's roles and membership status.
Membership and Certificate Statuses
Membership status
• New
• Approved
• Denied
• Suspended: member is currently not in good standing in the VO
• Expired: occurs when a new Usage Rules document must be signed, when the member's validity period has expired, or when the member's institutional affiliation has expired
Certificate status
• New
• Approved
• Denied
• Suspended: the certificate has been compromised in some way
• Expired: indicates that the certificate issuer does not currently have a valid certificate
Multiple certificates per member
• Each VO member has at least one registered certificate
• A valid member can request additional certificates
• Each such request must be approved by a VO Admin
• A member can access VOMRS using any one of the approved certificates
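The approval rule from the registration slide and the status rules above, as an added illustrative model (not VOMRS's own code): the status names and lapse conditions come from the slides, while the DNs, CA names, dates and the integer versioning of the Usage Rules document are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Certificate:
    dn: str
    ca: str                  # issuing CA; must be in the VO's accepted-CA list
    status: str = "New"      # New / Approved / Denied / Suspended / Expired

@dataclass
class Member:
    institution_expires: date    # institutional affiliation expiry
    validity_expires: date       # VO membership validity period
    usage_rules_signed: int = 0  # version of the Usage Rules the member signed (assumed scheme)
    status: str = "New"          # New / Approved / Denied / Suspended / Expired
    certs: list = field(default_factory=list)

def approve_member(m, approver_role):
    # Only the member's Representative or a VO Admin may approve a registration
    if approver_role not in ("Representative", "VO Admin"):
        raise PermissionError(f"{approver_role} cannot approve registrations")
    m.status = "Approved"

def cert_status(cert, accepted_cas):
    # An approved certificate whose CA the VO no longer accepts counts as Expired
    if cert.status == "Approved" and cert.ca not in accepted_cas:
        return "Expired"
    return cert.status

def member_status(m, today, rules_version):
    # Approved membership lapses to Expired: unsigned newer Usage Rules, validity or affiliation ended
    if m.status == "Approved" and (m.usage_rules_signed < rules_version
            or today > m.validity_expires or today > m.institution_expires):
        return "Expired"
    return m.status

def has_grid_privileges(m, cert_dn, today, rules_version, accepted_cas):
    # Privileges need an Approved member presenting one of their own Approved certificates
    if member_status(m, today, rules_version) != "Approved":
        return False
    return any(c.dn == cert_dn and cert_status(c, accepted_cas) == "Approved" for c in m.certs)

def demo():  # constructed scenario: two approved certs, one from a CA the VO has dropped
    today, cas = date(2006, 2, 15), {"/O=Example/CN=Example CA"}
    m = Member(date(2006, 12, 31), date(2007, 2, 1), usage_rules_signed=2)
    m.certs = [Certificate("/O=Example/CN=A User", "/O=Example/CN=Example CA", "Approved"),
               Certificate("/O=Old/CN=A User", "/O=Old/CN=Old CA", "Approved")]
    approve_member(m, "Representative")
    return (has_grid_privileges(m, "/O=Example/CN=A User", today, 2, cas),
            has_grid_privileges(m, "/O=Old/CN=A User", today, 2, cas),
            has_grid_privileges(m, "/O=Example/CN=A User", today, 3, cas))
```

The third result shows the "new Usage Rules must be signed" case: the membership, not the certificate, is what lapses.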
Groups and Group Roles
• A VO Member can select a group and group role association
• A Group Owner, Group Manager or VO Admin can assign a group and group role to any member
• A Group Owner, Group Manager or VO Admin can block a member's association with any group or group role
Interfacing Third-Party Software
Interfaces can be registered with VOMRS and can be subscribed to receive event notifications. Currently there are three known interfaces:
"LCG" Registration Type:
• The user's registration in the CERN HR DB is verified via a query during Phase I of VOMRS registration. No data is downloaded from the CERN DB to VOMRS.
• VOMRS can be configured such that whenever an administrator queries a member's personal data, the CERN HR DB is queried and both the VOMRS and CERN DB data are displayed together.
"SAM" Registration Type:
• The SAM DB is queried to obtain the list of SAM's groups
• The SAM DB is updated using sam-admin commands when a member's status/privileges are changed
EGEE VOMS:
• VOMS is updated using the VOMS API when:
  • a member's status/privileges are changed
  • a group is added/removed
  • a group role is added/removed
WEB Services Example
• Access to VOMRS is also available via web services.
• A certificate (or proxy) signed by a recognized CA is needed.
• The list of services available to a particular user is defined by the user's role and status within VOMRS.
• Web service example (the SoapClient invocation and the group list it returns):
  #java -Daxis.socketSecureFactory=… -DsslConfigFile=… fnal/vox/vomrs/client/SoapClient https://fermigrid4.fnal.gov:8443/vo/Test/services/VOMRS getGroups
  /test
  /test/development
  /test/production
  /test/production/stream1
  /test/production/stream2
Since Last CHEP
• Implemented the "LCG" Registration type using the LCG Registration API (developed by K. Lorentey) to verify member standing with the CERN HR DB
• Integrated with SAM using the VOMRS-SAM API
• Implemented Oracle support
• Implemented two phases of registration that include email verification
• Introduced VO and institutional membership expiration
• Introduced VO-level management of CAs
• Implemented selection of groups and group roles by the member
• Added multipart messaging, improved message format
• Implemented customizable on-line help
Implementation and Distribution
• Implementation details:
  • Java based (1.4.1 and higher)
  • WEB UI uses JavaScript
  • Configuration scripts are written in Python (1.5 and higher)
  • Configuration files are in XML format
  • DBMS: Oracle or MySQL
• Product distribution:
  • The current distribution of VOMRS software is built with the gLite 1.4 trustmanager package and can be synchronized with gLite VOMS.
  • VOMRS components are distributed using the Pacman package manager and are available from the cache: http://www.uscms.org/SoftwareComputing/Grid/VO/VOMRS
  • RPMs are available from: http://www.uscms.org/SoftwareComputing/Grid/VO/downloads.html
Current Deployment
• Fermilab:
  • 14 instances, each synchronized with a corresponding installation of VOMS (VDT 1.3.9). VOMRS and VOMS are running on the same node
  • Total number of registered users > 5,000
• CERN:
  • 4 instances are using the "LCG Registration Type" and connect to the CERN HR DB
  • 5 instances are using the "General Registration Type"
  • All instances are synchronized with a corresponding installation of VOMS (gLite 1.4). VOMRS and VOMS are running on the same node.
  • Total number of registered users > 190
• BNL:
  • 2 instances (all synchronized with a corresponding installation of VOMS)
• Test installations:
  • 2 instances at Texas Tech University, synchronized with a corresponding installation of VOMS (VDT 1.3.7)
  • 1 instance at the University of Melbourne (Physics Department)
Dependencies and Issues
EGEE trustmanager and VOMS admin package support is crucial for VOMRS:
• Bug fixing is slow (it depends on gLite releases and integration in VDT)
• Patches should be available much sooner
• Good news: we have access to the LCG Savannah portal, which allows us to submit bugs as soon as we find them and monitor the bug-fixing progress
We are working very closely with the LCG VO Management Registration Task Force:
• LCG VO Managers submitted many constructive requests for improvements and new features. Most have been implemented in previous releases. New requests include:
  • implement a hierarchy of Representatives associated with country, region and institution
  • improve VOMRS performance
  • add a configurable subject in notification emails
• We are planning to transfer some of the responsibilities for VOMRS support to a yet-to-be-chosen person at CERN
• A VOMRS/VOMS workshop is planned for March
Summary
• VOMRS is a successfully implemented VO registration service providing the means to better identify and communicate with VO members, and to assign grid privileges to them.
• Through the use of its multiple administrative roles, VOMRS allows for delegation of responsibilities within the VO while still providing a high level of control over the privileges granted.
• As a highly configurable service, it can meet the needs of a wide variety of VOs, both in terms of membership size and complexity of privileges required.
• Its installation at numerous sites has resulted in increased requests for additional features to improve management and control of VO membership.
• Fermilab is committed to future support of this product for the LCG and OSG.
• A lot of people took part in gathering and understanding requirements, and in providing us with valuable feedback. Thanks a lot to all of them!
More information can be found at: http://www.uscms.org/SoftwareComputing/Grid/VO
E-mail: vo-project@fnal.gov