1 / 21

VOMS: Status & Plans

VOMS: Status & Plans. Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb 23-24 2005. Current status. Included in EGEE RC1 tag. Passed Stress test from JRA3. Included in LCG 2.4 Included in VDT 1.3.1 Used in INFN-Grid since July 2004 (release 2.1.0).

quang
Download Presentation

VOMS: Status & Plans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. VOMS:Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb 23-24 2005

  2. Current status • Included in EGEE RC1 tag. • Passed Stress test from JRA3. • Included in LCG 2.4 • Included in VDT 1.3.1 • Used in INFN-Grid since July 2004 (release 2.1.0)

  3. INFN-Grid experience - Core • Four VOs running: cdf, compchem, infngrid, planck. • Less than 300 certificates/month generated. • Problems: • Error messages are unclear. • In earlier days, sometimes the server hanged. • Same problem found by EGEE. Fixed in newer releases, and the fix is committed on the EGEE CVS. • Voms-proxy-init by itself works, but creates standard, non voms-enabled proxies, leading to job failure for VOMS-only VOs. • A warning message will be printed on screen warning the user of the fact.

  4. INFN-Grid experience - Admin • Versions 0.7.1 and 0.7.5 used throughout the experience to administrate VOMS. • Some problems have been found. The most notable: • The user search feature still does not work correctly. • The limit of 6 characters for a VO name. Here in INFN-Grid we have longer names: infngrid and compchem. • Removing a role from a user removed also the user himself. • In 0.7.1, not verified for 0.7.5.

  5. Future Plans From now to the end of the EGEE project

  6. Summary • DB Replica. • Oracle Support. • Multiple DNs. • APIs. • Fake proxy creation tool. • Certificate SN tracking. • Miscellanea.

  7. DB Replica • A replica system has very recently been released. • Only one master, multiple slaves. • Done using the DB replica mechanism. • Clients can contact indifferently every server. • Load balancing is done automatically by the client program. • Just specify –voms <nick>, and the client will contact one server at random among those serving the vo <nick> • In fact, it has already been committed, but the documentation is incomplete

  8. Oracle support • Requirement from LCG • DB support for VOMS will be in the form of plugins. • A plugin library will be available for each DB server type. • Initial distribution will contain MySQL and Oracle. • The plugin interface will be published. • Interaction with replicas: • First version: Only replicas between the same DB type. • Following version: Will make use of a multi-DB replica system. • One such system that will be investigated is Constanza.

  9. Multiple DNs (1/7) • Problem statement: • Users may have more than one certificate. • Current version of VOMS will consider them to belong to different users -> But it is the same user! • Or, a certificate may change over time. • And so, an user may lose property of his resources or access to them.

  10. Multiple DNs (2/7) • It will be possible to assign multiple certificates to the same userID (uid). • Will the admin interface work if the auto_increment is dropped from the definition of the uid field in the usr table? • Any certificate will work. • The generated AC will have as holder the certificate used for authentication with the server, but will include all known alternative names.

  11. Multiple DNs (3/7) • Also, a world-wide unique ID will be associated to every user. • Based on the creation of a 20-byte secure random number associated to each master VO server. • Combined with the user ID inside the VO. • Will be guaranteed to last as long as at least one alias of the user will remain registered with the VO. • User IDs will never be reused (Karoly?) • This, too, will be published in the AC.

  12. Multiple DNs (4/7) • Alias registration: Prerequisites • The user already has at least an alias registered -> Must have been added by the admin. • The user hold the private key of the new credential.

  13. Multiple DNs (5/7) • Alias registration: specifics • Done through a command line utility. • The user to the VOMS server. • The user Authenticates via GSI with the old credentials. • A challenge/response protocol is used to authenticate with the new credentials, inside the already established connection. • If all goes well, a row is added to the usr table, with the same user ID.

  14. Multiple DNs (6/7) • Alias Cancellation: prerequisites • The user must still hold either the credential being deleted, or a credential aliased with the one to delete. • Alias Cancellation: specifics • The user authenticates via GSI to the VOMS server. • The user sends the name of the alias to be removed, in the form of an (invalid?) certificate. • If the user holds the specified alias, then it is removed. • WARNING: It is possible to remove all aliases! Maybe force at least one to remain?

  15. Multiple DNs (7/7) • Command line implementation advantages: • Can be scripted. • Does not require support of uncommon protocols like HTTPG • Can be easily used in a web interface via CGI • Disadvantages: • Requires giving the server write access on the usr table • Workaround: Create a new ‘alias’ table to only contain new alias, and work on it ONLY. Has the additional advantage of ensuring that the user cannot delete himself from the VO.

  16. APIs • Unify the C and C++ APIs into the same library. • Add function to create a proxy from the APIs. • Right now, it can create ACs, but not include them into valid proxies. • Add Java APIs • Need to create ACs and proxies from Java. • Drop support for pre-AC servers. • N.B: After a year of ‘deprecated’ status, This will be removed in the next version.

  17. Fake Proxy Creation Tool • There is a need to create VOMS proxies without access to a server for TEST purposes. • Will allow the creation of proxies, both valid and invalid (to verify expected failure cases). • Will allow to specify everything that the ‘normal’ voms-proxy-init allows, plus: • The exact list of group/role/capabilities attributes. • The fake server certificate. • The fake server uri. • First version will permit to include only a single AC. • Following versions will allow inclusions of more ACs in the same proxy.

  18. Certificate SN tracking • LCG requested to keep track of the User’s Certificate Serial Number. • Simple solution: Add a field ‘sn’ to the usr table, and update it every time the user connects to the server. • Requires update access to the usr table. • Alternatively, a new ‘(dn, ca, sn)’ type table may be created.

  19. Miscellanea • Documentation improvements. • Error messages improvements. • Bug Fixes. • Support and interaction with Policy management systems. • Suggestions?

  20. Timescale • Replica (Done) • Voms-fake-init (real soon now) • Oracle (April 2005) • Multiple DNs (June-July) • APIs (….) • Bugfixes will be done throughout the whole time.

  21. Contacts • Developers: • vincenzo.ciaschini@cnaf.infn.it, valerio.venturi@cnaf.infn.it • Mailing list: • Voms-users@cnaf.infn.it • Projects under investigation: • Constanza: http://infnforge.cnaf.infn.it/projects/constanza/

More Related