VOMS Authorization workflow
Diagram labels: voms-proxy-init; Submission site; User; VOs; Execution site; site GUMS Server; Gatekeeper; PRIMA; grid3-user…txt; gums-host.
Step 0: The user, a member of VO “foo”, wants to submit a job with the role “bar” to the gatekeeper of site “X”.
Step 1: The user runs “voms-proxy-init -voms foo:/foo/Role=bar” to generate his VO-authorized proxy.
Step 2: voms-proxy-init creates a normal user proxy and then sends it to the VOMS server of the foo VO.
Step 3: The VOMS server returns the VOMS proxy, signed by the VO, that authorizes the user to act as “bar”.
Step 4: The user submits the job to site X.
Step 5: The gatekeeper, through the Globus call-out, delegates to the PRIMA module the decision of which local user account should be used for the given Grid credential.
Step 6: PRIMA extracts the proxy information and sends a message asking GUMS which local account should be used. (The message is a SAML authorization request.)
Step 7: GUMS consults its configuration, the local copy it keeps of the different databases, and determines that the corresponding credential should be mapped to “foobar1”. GUMS returns a message: a successful SAML response with the obligation account=“foobar1”.
Step 8: PRIMA interprets the response and returns the account “foobar1” to the gatekeeper.
Step 9: The gatekeeper sets the uid to “foobar1” and submits the job. Note: a cron job on the gatekeeper contacts GUMS to retrieve the inverse map needed for accounting.
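The mapping decision in steps 6 to 9, as an added Python model that is not PRIMA or GUMS code: the VO attribute from the proxy is parsed, matched against a site policy, and anything without an exact match is denied. `MappingService`, `gatekeeper_account`, `Decision` and the policy layout are assumptions made for the illustration, and the inverse map is simply built from granted requests.

```python
from dataclasses import dataclass, field
from typing import Optional

POLICY = {("/foo", "bar"): "foobar1"}  # constructed layout, not GUMS's config format

@dataclass(frozen=True)
class Decision:
    permit: bool
    account: Optional[str] = None  # the "account" obligation on a permit

def parse_fqan(fqan: str) -> tuple:
    """Split a VOMS attribute such as '/foo/Role=bar' into (group, role)."""
    parts = fqan.split("/")
    if len(parts) < 2 or parts[0] or "" in parts[1:]:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    groups, role = [], None
    for part in parts[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            groups.append(part)
    return "/" + "/".join(groups), (None if role in (None, "NULL") else role)

@dataclass
class MappingService:
    """Stand-in for the site GUMS server (steps 7 and 9); a model, not GUMS code."""
    policy: dict
    granted: dict = field(default_factory=dict)  # account -> set of user DNs

    def authorize(self, dn: str, fqan: str) -> Decision:
        try:
            account = self.policy.get(parse_fqan(fqan))
        except ValueError:
            account = None
        if account is None:  # unknown VO, group or role: deny by default
            return Decision(False)
        self.granted.setdefault(account, set()).add(dn)
        return Decision(True, account)

    def inverse_map(self) -> dict:
        """Account -> DNs, the lookup the accounting cron job retrieves."""
        return {acct: sorted(dns) for acct, dns in self.granted.items()}

def gatekeeper_account(service: MappingService, dn: str, fqan: str) -> str:
    """PRIMA's part (steps 6 and 8): ask, then fail closed unless permitted."""
    decision = service.authorize(dn, fqan)
    if not decision.permit or not decision.account:
        raise PermissionError(f"no local account for {dn} with {fqan}")
    return decision.account
```

A request carrying a role the policy does not list, such as `/foo/Role=admin`, raises `PermissionError` instead of falling back to a default account.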