Authorization in L&B
Daniel Kouřil, CESNET
MWSG meeting, Zurich, 31/3/2009
Logging and Bookkeeping
• Monitoring system to track jobs
  • in production for many years
  • designed to be able to process 1M jobs per day
  • hundreds of LB events per second
• Currently for jobs passing via WMS
  • ongoing discussions with CREAM
  • recently adapted to monitor PBS and Condor jobs, too
• Two basic L&B components
  • LB messaging infrastructure
  • LB server storing and processing job-related data
• Query interface
  • complex queries on jobs and their status
• Notifications
  • sent by the LB server on changes
Gathering L&B data
• LB collects events from individual Grid components
  • information about an important point in the job's lifetime
  • transfer between components, start running, done, ...
• Instrumentation of components
  • events sent as messages to the LB server
  • own messaging infrastructure
    • secure (protection, authN) and reliable (fault-tolerant)
    • notifications use this messaging infrastructure too
• Events are tied to a job (using the jobid)
  • job registration
• Push model
  • events are sent by the components (mostly WMS) upon changes
  • instrumented components or reading log files
  • no useless polling
L&B Infrastructure (diagram slide)
L&B Architecture (diagram slide)
Authorizing consumers
• Users can only access their own jobs by default
• ACL can be specified by users
  • specifying subject names or VOMS attributes
  • simple UI to manipulate the ACLs, output in GACL
• Super-users
  • specified by L&B server administrators
  • subject names or VOMS attributes (LB 2.0)
  • simple policy language used
• Generalized "super-users"
  • work in progress
  • broader access to job information
    • RTM monitoring
  • policy language not set yet
Authorizing producers
• No explicit authZ in L&B v1.x
• LCAS-based authZ introduced in L&B 2.0
  • custom L&B LCAS module specifying events and clients
  • enables defining trusted networks of loggers
• Simple policy language:
    RegJob = { * }
    * = { /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz }
    ...
  • language may change before release
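As an added illustration (not L&B's own LCAS module or code), the following Python evaluator reads rules in the shape shown on this slide and answers whether a given client subject may log a given event type. Because the slide does not define the semantics, the meaning of `*` as a wildcard for any event type or any subject, the comma separator for several subjects, first-match evaluation and a default-deny decision are all assumptions.

```python
"""Added example: evaluate an L&B 2.0-style producer policy (assumed semantics)."""
import re

# Constructed sample policy, modelled on the slide's snippet (not a real deployment).
# Assumptions: one rule per line, '*' matches any event type or any subject,
# several subjects may be listed separated by commas, decision is default-deny.
POLICY = """
RegJob = { * }
* = { /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz }
"""

RULE_RE = re.compile(r"^(\S+)\s*=\s*\{(.*)\}$")

def parse_policy(text):
    """Return a list of (event_pattern, [subject patterns]) in file order.
    A malformed line raises, so a broken policy fails closed rather than open."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed policy rule: {line!r}")
        subjects = [s.strip() for s in m.group(2).split(",") if s.strip()]
        rules.append((m.group(1), subjects))
    return rules

def _matches(pattern, value):
    # '*' is the only wildcard assumed here; everything else is an exact match.
    return pattern == "*" or pattern == value

def authorized(rules, event, client_dn):
    """Decide whether client_dn may log `event` (first matching rule wins).
    Returns (decision, matched_rule); matched_rule is None on deny, so a
    server can record which rule admitted a logger or that none did."""
    for rule in rules:
        ev_pat, subjects = rule
        if _matches(ev_pat, event) and any(_matches(s, client_dn) for s in subjects):
            return True, rule
    return False, None

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    trusted = "/DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz"
    for ev, dn in [("RegJob", "/DC=org/CN=any user"), ("Running", trusted),
                   ("Running", "/DC=org/CN=any user")]:
        ok, rule = authorized(rules, ev, dn)
        print(f"{ev:8} {dn}: {'ALLOW' if ok else 'DENY'} via {rule}")
```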
Trusted loggers
• Loggers specified using subject names
  • VOMS support would be more convenient
  • currently no support for VOMS attributes for services
• Loggers always act as clients of the L&B server
• Especially important when L&B is used in incident resolution
  • L&B contains many interesting details about users' activities
  • work in OSCT to trace users based on L&B data
  • L&B information must be reliable enough
    • originated from trusted components