Infrastructure Service Directory for e-Infrastructures

Comprehensive directory service listing infrastructure services for e-infrastructures, enabling resource tagging, role-based permissions, object management, and extensibility with support for multiple authentication methods.



Presentation Transcript


  1. e-Infrastructure Directory Service: GOCDB
  Tiziana Ferrari/EGI.eu on behalf of David Meredith/STFC
  • Wiki: https://wiki.egi.eu/wiki/GOCDB
  • EGI Production Instance: https://goc.egi.eu
  • Src: https://github.com/GOCDB
  • Info Doc: https://wiki.egi.eu/w/images/d/d3/GOCDB5_Grid_Topology_Information_System.pdf

  2. Infrastructure Service Directory
  • List infrastructure services, including technical and contact details, offered by a site (human + machine accessible)
  • Domain Objects
    • A subset of GLUE2: Projects, Admin-Domains (NGIs), Sites, Services, Service-Groups, Endpoints, Downtimes, Users, Roles
  • Interfaces
    • Web Portal (view/input/edit) + REST-style API to query in XML
  • Tagging
    • Resource owners tag their objects with >1 ‘scope-tags’ to provide:
    • Fine-grained resource grouping / filtering (e.g. declare multiple project affiliations)
    • No resource duplication across ‘n’ projects (DRY, essential for data integrity)
  • Auth abstractions to support multiple AAI (x509, SAML2, ..)

  3. What in general can GOCDB support?
  • Register domain objects for e-infrastructures:
    • Admin-domains, groups, sites, services, service-groups, endpoints, downtimes, users, roles
  • Enforces business rules for object management
  • Role-based permission model
  • Resource tagging for fine-grained resource filtering/selection
  • Groups manage their own users and resources
    • Add/edit/delete resource objects
    • Grant/revoke roles over objects
  • Extensible: add custom key-value pairs to domain objects
  • Auth abstractions to support multiple AAI (x509, SAML2, ..)

  4. Comprehensive Role/Permission Model
  Users own Roles over objects that grant permissions. [Diagram: Groups, Projects, Sites]

  5. Categorise Resources by Scope Tags
  • Resource owners tag their sites/services/groups
  • Available tags are defined by GOCDB admins to avoid tag proliferation
  • Defines core categories/groupings with no duplication
  • Essential to maintain integrity of information across different infrastructures, sub-groups, projects…
  [Diagram: Service A, Service B, Scope Tags]
  Filter using ‘scope’ and ‘scope_match’ (Portal + API)

  6. Extensibility Mechanism
  • Extension Properties: define custom ‘Key=Value’ pairs on objects
  • Fine-grained filtering of objects by property name + value
  • Also supported in the API using AND|OR|NOT expressions
  • Allows content to be organised into custom categories
  • Good for rapid prototyping and building folksonomies, e.g. filter Sites by a VAT extension

  7. Deployment Scenarios
  • Standalone instance per project / infrastructure
    • Pro: Full control, easy to customise
    • Con: May need to duplicate GOCDB entries across infrastructures (consider a single site that contributes to multiple projects)
  • Single shared instance that hosts multiple projects/infrastructures under different scopes
    • Pro: Easy/cheap, a single resource tagged for multiple infrastructures/projects
    • Con: More difficult to customise
  • Optional: Separate/standalone failover instance
    • Securely downloads a dump of the DB every hour

  8. Useful Links
  • Wiki: https://wiki.egi.eu/wiki/GOCDB
  • EGI Production Instance: https://goc.egi.eu
  • Src: https://github.com/GOCDB
  • Info Doc: https://wiki.egi.eu/w/images/d/d3/GOCDB5_Grid_Topology_Information_System.pdf
  • Technical
    • Strongly constrained relational model using Doctrine object-relational mapping
    • AAI abstractions inspired by the Spring Security 3 API (AuthProvider, AuthToken, AuthManager, SecurityContextServer, UserDetailsService)

  9. Core Domain model closely follows a sub-set of GLUE 2

  10. [Images: EGI, EUDAT]

  11. Role / Permissions Model
  • a) User (Principal: /x509/DN/str) owns
  • b) Roles that link
  • c) OwnedObjects <<abstract>> (Project, NGI, Site, Service, SG, …) to
  • d) RoleTypes (SiteAdmin, SecurityOfficer, …)
  • RoleStatus values: REQUESTED, GRANTED
  • RoleType <grants> Permissions: EDIT, DELETE, GRANT_ROLE, REVOKE_ROLE
  • Can add new: RoleStatus values, RoleTypes, Owned Objects
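An added example, not GOCDB's code, of the model on this slide: a User owns Roles, each Role links an OwnedObject to a RoleType, and only a GRANTED role confers that RoleType's permissions over that one object. The RoleType-to-permission table is an assumption for illustration, as is the sample user.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added example, not GOCDB's code: a User owns Roles, each Role links an OwnedObject
# to a RoleType, and a RoleType grants permissions. The RoleType -> permissions table
# below is an assumption for illustration, not GOCDB's actual business rules.
class RoleStatus(Enum):
    REQUESTED = "REQUESTED"
    GRANTED = "GRANTED"

ROLE_TYPE_PERMISSIONS = {  # assumed mapping; permission names are the slide's
    "SiteAdmin": {"EDIT", "DELETE"},
    "SecurityOfficer": {"EDIT"},
    "NGIManager": {"EDIT", "GRANT_ROLE", "REVOKE_ROLE"},
}

@dataclass(frozen=True)
class OwnedObject:
    kind: str   # Project, NGI, Site, Service, SG, ...
    name: str

@dataclass
class Role:
    role_type: str
    owned_object: OwnedObject
    status: RoleStatus = RoleStatus.REQUESTED  # a new role starts as REQUESTED

@dataclass
class User:
    principal: str  # e.g. the X509 DN string
    roles: list = field(default_factory=list)

def permissions_over(user, obj):
    """Union of permissions from the user's GRANTED roles over exactly this object."""
    perms = set()
    for role in user.roles:
        if role.status is RoleStatus.GRANTED and role.owned_object == obj:
            perms |= ROLE_TYPE_PERMISSIONS.get(role.role_type, set())
    return perms

def is_allowed(user, perm, obj):
    return perm in permissions_over(user, obj)

# Constructed sample: a granted SiteAdmin on SITE-A, a still-requested one on SITE-B.
SITE_A = OwnedObject("Site", "SITE-A")
SITE_B = OwnedObject("Site", "SITE-B")
ALICE = User("/C=XX/O=Example/CN=alice",
             [Role("SiteAdmin", SITE_A, RoleStatus.GRANTED), Role("SiteAdmin", SITE_B)])
```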

  12. PI methods
  https://wiki.egi.eu/wiki/GOCDB/PI/Technical_Documentation

  13. Extensibility Mechanism in PI
  • Selected PI methods support an ‘extensions’ URL parameter (get_site, get_service, get_downtime, get_service_group)
  • Defines a (key=value) expression
    • (K=V) pairs prefixed with AND, OR, NOT
  • E.g.
    • &extensions=(VO=) (blank for wildcard value)
    • &extensions=(VO=foo)AND(VO=bar)OR(VO2=baz)
    • &extensions=(VO=foo)AND(VO=bar)OR(VO2=baz)NOT(VO3=)
  • Pattern matching on values only, no notion of greater or less than, e.g. can’t do (SampleRate>=20)

  14. Extensibility Mechanism in PI
  https://goc.egi.eu/gocdbpi/private/?method=get_site&extensions=(P4U_Pilot_VAT=20)AND(P4U_Pilot_Cloud_Wall=)
  [Output: 2 Sites selected with specified extensions …body elements hidden…]
  User Guide on GOCDB docs/wiki: https://wiki.egi.eu/wiki/GOCDB/Input_System_User_Documentation#Extension_Properties
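An added example, not GOCDB's code, that parses the ‘extensions’ expression grammar of slides 13 and 14 and applies it to constructed sample sites. The slides do not state operator precedence, so the code assumes left-to-right evaluation with an implicit AND for the first pair, a blank value as a wildcard on the key, and exact matching for non-blank values.

```python
import re

# Added example, not GOCDB's code. Assumptions: pairs are evaluated left to right with
# no precedence, the first pair is an implicit AND, a blank value is a wildcard for the
# key, and a non-blank value must match exactly (the PI only pattern-matches values).
_PAIR = re.compile(r"(AND|OR|NOT)?\(([^=()]+)=([^()]*)\)")

def parse_extensions(expr):
    """Return [(op, key, value), ...]; reject anything outside the grammar."""
    pairs, pos = [], 0
    for m in _PAIR.finditer(expr):
        if m.start() != pos:  # stray text between pairs, e.g. an unknown operator
            raise ValueError("unparsable extensions expression at %r" % expr[pos:])
        pairs.append((m.group(1) or "AND", m.group(2), m.group(3)))
        pos = m.end()
    if pos != len(expr) or not pairs:
        raise ValueError("unparsable extensions expression: %r" % expr)
    return pairs

def has_property(props, key, value):
    """props is a list of (key, value); an object may carry the same key more than once."""
    return any(k == key and (value == "" or v == value) for k, v in props)

def evaluate(pairs, props):
    result = True
    for op, key, value in pairs:
        hit = has_property(props, key, value)
        if op == "AND":
            result = result and hit
        elif op == "OR":
            result = result or hit
        else:  # NOT
            result = result and not hit
    return result

def filter_objects(objects, expr):
    """Names of the objects (name -> extension properties) selected by expr."""
    pairs = parse_extensions(expr)
    return [name for name, props in objects.items() if evaluate(pairs, props)]

# Constructed sample data, not real GOCDB sites.
SITES = {
    "SITE-A": [("VO", "foo"), ("VO", "bar"), ("VO2", "baz")],
    "SITE-B": [("VO", "foo"), ("VO3", "x")],
    "SITE-C": [("VO2", "baz"), ("VO3", "y")],
    "SITE-D": [],
}
```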

  15. Authentication Abstractions
  • The authentication logic is abstracted into its own module in GOCDB:
    • Isolates the bulk of the GOCDB code from authentication-mechanism changes
    • Allows extension: plug-in support for different authentication mechanisms using a new AuthProvider and AuthToken (still requires work to implement a new AuthProvider for the chosen auth scheme!)
  • X509 and SAML2 integrated into the EGI instance
  • Inspired by core interfaces and classes copied from the Spring Security 3 framework

  16. Key Authentication Abstractions
  • <IAuthManager>: manages >1 AuthProviders
  • <IAuthenticationProvider>: X509AuthProvider, UserPasswordAuthProvider, SAML2
  • <IUserDetailsService>: GOCDBUserDetailsService (queries the user store)
  • <IAuthToken>: X509AuthToken, SamlAuthToken (created on authentication and added to the session to prevent re-authentication across page requests)
  • <ISecurityContextService>: GOCDB calls out to the SecurityContextService (is the user authenticated?)
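An added example, not GOCDB's code, of the abstractions on slides 15 and 16: an AuthManager dispatches to whichever of several providers supports the token type, each provider consults the user details service, and the SecurityContextService keeps the authenticated token in the session so later page requests do not re-authenticate. The password provider's PBKDF2 check, the user-store layout and the sample users are assumptions.

```python
import hashlib, hmac

# Added example, not GOCDB's code: the provider dispatch of slides 15-16. Assumptions:
# the web server has already validated the client certificate, so an X509 token carries
# only the DN; the password check is illustrative (the slide names the provider only).
class AuthToken:
    def __init__(self, principal, credentials=None, authenticated=False):
        self.principal, self.credentials, self.authenticated = principal, credentials, authenticated

class X509AuthToken(AuthToken): pass
class UserPasswordAuthToken(AuthToken): pass
def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class GOCDBUserDetailsService:
    def __init__(self, users): self.users = users  # principal -> user record
    def load_user(self, principal): return self.users.get(principal)

class X509AuthProvider:
    def __init__(self, uds): self.uds = uds
    def supports(self, token): return isinstance(token, X509AuthToken)
    def authenticate(self, token):
        if self.uds.load_user(token.principal) is None:
            raise PermissionError("DN not registered")
        return X509AuthToken(token.principal, authenticated=True)

class UserPasswordAuthProvider:
    def __init__(self, uds): self.uds = uds
    def supports(self, token): return isinstance(token, UserPasswordAuthToken)
    def authenticate(self, token):
        rec = self.uds.load_user(token.principal)
        if not rec or "hash" not in rec or not hmac.compare_digest(pbkdf2(token.credentials, rec["salt"]), rec["hash"]):
            raise PermissionError("bad credentials")
        return UserPasswordAuthToken(token.principal, authenticated=True)  # password not kept

class AuthManager:
    def __init__(self, providers): self.providers = providers  # >1 providers
    def authenticate(self, token):
        for provider in self.providers:
            if provider.supports(token):
                return provider.authenticate(token)
        raise PermissionError("no provider for %s" % type(token).__name__)

class SecurityContextService:
    def __init__(self, manager, session): self.manager, self.session = manager, session
    def login(self, token): self.session["auth"] = self.manager.authenticate(token)  # cached for later requests
    def is_authenticated(self): return bool(self.session.get("auth") and self.session["auth"].authenticated)

SALT = b"constructed-static-salt"  # constructed sample user store
USERS = {"/C=XX/O=Example/CN=alice": {"x509": True}, "bob": {"salt": SALT, "hash": pbkdf2("s3cret", SALT)}}
```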