1 / 36

Asif Saleem , Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington

Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources. Asif Saleem , Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington. Overview. Using Virtual Organisation Management ( VOM) portal

nile
Download Presentation

Asif Saleem , Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources Asif Saleem, Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington

  2. Overview • Using Virtual Organisation Management (VOM) portal • How VOM portal can be utilised for • Managing Globus Toolkit enabled resources • Configuring Community Authorisation Service • Administering ICENI • Related Work • Conclusions

  3. Why do we need VO Management? • VO’s consists of • dynamic set of distributed resources. • distributed user base. • distributed management infrastructure.

  4. Contd… • VO’s need to provide services for • User authentication and authorisation • Defining and enforcing access control and usage policies • Every project is having to develop it’s own customised VO management setup • Need to replace current manual processes which do not scale well • policy based automated systems

  5. Virtual Organisation Management (VOM) portal • Portal for remote VO management. • Grid service to download and upload information into the VOM database. • Client tools to interact with the service through Grid Security Infrastructure (GSI) authenticated network connections. • VOM Portal facilitates • User registration into VO using grid certificates. • Resource Access Control • Resource Usage Accounting and Reporting.

  6. VOM Roles • Ordinary users belonging to a VO/community & wanting to use grid resources. • Resource managers wanting to make their grid enabled machines accessible to a VO/community. • Administrators of a VO managing access control & monitoring usage of constituent users & resources.

  7. VOM Usage: User • Precondition: should have a certificate issued by CA accepted by VO. • Registers with VO • Request propagated to VO Admin & on approval to respective resource managers for account creation. • Views his usage log on web. • Does not need to chase each site/resource in VO & sign separate usage policy forms.

  8. VOM Usage: Resource Manager • Precondition: • Should have a certificate issued by CA accepted by VO. • Manages/owns a grid-enabled resource • Setup access control and logging capability by deploying client on his grid-enabled resource. • Approve/Reject/Disable user access. • Can view own usage stats/graphs.

  9. VOM Usage: VO Administrator • Precondition: • should have a certificate issued by CA accepted by VO. • Approve user enrolment requests through web page. • Manage constituent resources. • Monitor usage of various users/resources or whole VO. • View stats/graphs of historical VO usage.

  10. User Interface Workflow

  11. VOM Implementation • Server • Java servlets hosted in Tomcat container • GT3 based web service • Apache with mod_jk Tomcat support • Client • Java based • Connects to web service using secure (GSI) connection

  12. Managing Globus Toolkit enabled resources • Resource access control • through automated grid-map file management • Resource Usage Logging and Reporting • through instrumented job-managers provided • Resource owner needs to setup respective clients, which connect to the VOM server over a secure connection

  13. Resource Access Control

  14. Resource Usage Service

  15. Configuring Community Authorisation Service • Allows resource providers to specify fine-grained access control for the community rather than individual users • Community manages itself • grid-proxy-init –––––> cas-proxy-init

  16. Configuring CAS • CAS lacks a web interface for configuring VO’s trust relationships • VOM provides a source of authenticated & authorised users • The VO admin uses CAS to setup the VO's trust relationships (e.g. adding new users and objects) and to grant them fine-grained access control to the VO's resources.

  17. Administering ICENI • Each resource running ICENI has a • Domain Manager: implements fine-grained access control policies relating to the resources in the private administrative domain • Policy Manager: used to define access control policy at role, group, organisation or individual user level • Identity Manager:used to authenticate users accessing resources, and authorise them against the access policy defined by the resource

  18. ICENI Architecture ICENI Architecture Web Services Gateway Public Computational Community Computational Resource Application Portal CR SR Identity Manager JavaCoG Globus Private Administrative Domain Storage Resources Domain Manager CR CR Resource Browser Public Computational Community SR SR Network Resources SR Software Resources Application Mapper Policy Manager Resource CR Application Component Broker Design Tools Resource Manager SR Design Tools Gateway between private Public Private and public regions

  19. Contd… • VOM Admin can also switch roles/groups a user belongs to within ICENI. • Needs a ICENI plugin installed on VOM server. • ICENI Role Management GUI

  20. Related Work • VOMS • CAS • GUMS • PERMIS • Akenti

  21. Virtual Organisation Membership Service (VOMS) • Developed for DataTAG by INFN and for DataGrid by CERN • Database of user roles and capabilities • Administrative tools • Client interface • voms-proxy-init • Uses client interface to produce an attribute certificate (instead of proxy) that includes roles & capabilities signed by VOMS server • Works with non-VOMS services, but gives more info to VOMS-aware services • Allows VOs to centrally manage user roles and capabilities

  22. VOMS Shortcomings • Lacks web interface for user/resource registration • Only maintains certificate DN & their assoc. groups info • Lacks any other info e.g. personal info, usage logs • Does not collect any resource specific, site specific data • Additional attributes in certificates do not conform to any standard => only VOMS enabled software can use it. • Extensions planned @ • EU Data Grid / LCG • Local Centre Authorisation Service (LCAS) • Local Credential MAPping Service (LCMAPS) • Java based Trust Manager • FermiLab as part of US CMS, SDSS, and iVDGL projects • VOM Registration Server(VOM RS) • VOMS eXtension (VOX) e.g. Site AuthoriZation (SAZ) and Local Resource Authorization Service (LRAS)

  23. VOM comparison with VOMS • VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc. • Both provide grid-map file management capability through slightly different ways • VOM does not provide attribute certificate generation capability

  24. Community Authorisation Service (CAS) • v1.0 released with Globus Toolkit version 3.2 • Allows resource providers to specify fine-grained access control for the community rather than individual users • Community manages itself • grid-proxy-init => cas-proxy-init

  25. CAS Shortcomings • Functional • Lacks web front-end for user registration • Does not contain any info apart from DN, access rights • Resource logging & account mapping gets complicated • due to use of totally new DN by CAS • Non-Functional • Takes ultimate control away from site/resource owners, which is not practical in real world scenarios • Built on top of Grid Security Infrastructure (GSI) hence dependency on Globus. • royalty-free license from RSA needed to use it in other projects • Currently only a customised version of grid-ftp (supplied with CAS distribution) supports CAS credentials • Hard to install & configure and more a prototype than a production ready system as claimed

  26. VOM comparison with CAS • VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc. • Both provide resource access control management mechanisms • VOM through grid-map file management • CAS by abstracting the grid identities (i.e. user certificates) and using the community identities at resources as access control mechanisms • VOM does not provide new proxy certificate generation capability like CAS.

  27. Grid User Management System (GUMS) VO User Registry Database VO #3 … VO #2 Database Site User Info Database grid-mapfile • US Atlas Grid • Provides user registration facility. • Shortcomings • Lacks a web interface for user/resource registration, currently through email. Pull Site cron job

  28. PrivilEge and Role Management Infrastructure Standards Validation(PERMIS) Admin Role Action approve Target User rights page AEF=(application Dependent) Access control Enforcement Function • Privilege Management Infrastructure (PMI) which uses attribute certificates conforming to the X.509 standard • Policy driven engine accessible through a java API uses LDAP to store policies and attribute certificates • Policies are written in XML Access Request Present Access Request Target Decision Request e.g. DN+Access Request Decision e.g. Grant/Deny PERMIS API Implementation ADF= (application independent) Access control Decision Function Retrieve Policy and Role ACs LDAP Directories

  29. PERMIS Shortcomings • It just provides an authorisation framework using attribute certificates => policy driven authorisation • Does not store any other data about users e.g. personal, usage etc. • Does not store any data about resources, sites etc. • Not intended to provide overall VO management capability e.g. authentication of users or accounting of user/resource usages

  30. Akenti Policy Language • Provides a policy language based on XML • Can be used for certificate based authorisation • Shortcomings • Needs customised front end • No notion of VO • Conceptually similar to PERMIS

  31. VOM comparison with PERMIS & Akenti • VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc. • Both PERMIS & Akenti provide rich policy authorisation engine. VOM does not provide policy authorisation language, API or engine. => complimentary

  32. Open Issues - VO Deployment issues V E R T I C A L V E R T I C A L Horizontal (National Grid Service) NGS London 2 Cambridge 2 Manchester Oxford Edinburgh London 1 Cambridge 1

  33. Future Work • Explicit RBAC using proposed NIST standard • Explicit policy management • Separate Contract/SLA for VO, Resource, User joining VO • Resource specifies minimum/average/maximum service offered • Users specifies average & maximum service expectation • Explore use of GLUE information Schema for import/export of user/resource info • Explore pure web services implementation

  34. Conclusions • VOM provides a centralised management interface for managing a VO • Can be used for resource access control and usage accounting for the Globus Toolkit • Can be used as a secure web interface for configuring CAS • Can also be used for role-based identity management in ICENI

  35. Acknowledgments • Testing and evaluation of software done with the help from members of the UK Grid Engineering Task Force. • Deployed across the Level 2 UK e-Science Grid to provide user management and accounting capability (http://www.grid-support.ac.uk/l2g/). • Work done as part of OSCAR-G project funded by DTI, Compusys & Intel (THBB/C/008/00028) • CAS evaluation funded by JISC AAA programme

  36. Acknowledgements • Director: Professor John Darlington • Research Staff: • Nathalie Furmento, Stephen McGough, William Lee • Jeremy Cohen, Marko Krznaric, Murtaza Gulamali • Laurie Young, Jeffrey Hau • David McBride, Ali Afzal • Support Staff: • Oliver Jevons, Sue Brookes, Glynn Cunin, Keith Sephton • Alumni: • Steven Newhouse, Yong Xie, Gary Kong • James Stanton, Anthony Mayer, Angela O’Brien • Contact: • http://www.lesc.ic.ac.uk/  e-mail: lesc@ic.ac.uk

More Related