Virtual Organization Membership Service eXtension (VOX)
Ian Fisk, on behalf of the VOX Project, Fermilab
Authors and contributors: Richard Baker (BNL), Lothar Bauderick (Fermilab), Eileen Berman (Fermilab), Gabriele Carcassi (BNL), Ian Fisk (Fermilab), Robert Gardner (University of Chicago), Gregory Graham (Fermilab), Leigh Grundhoefer (University of Indiana), Anne Heavey (Fermilab), Joe Kaiser (Fermilab), Tanya Levshina (Fermilab), Ruth Pordes (Fermilab), Vijay Sekhri (Fermilab), Dane Skow (Fermilab), John Weigand (Fermilab), Yujun Wu (Fermilab)
CHEP 2004
Presentation overview
• Introduction
• Stakeholders and collaborators
• VO Management Infrastructure at Fermilab
• VO Membership Registration Service
• Identifying the workflow
• VO Concepts
• VO Roles
• VOMRS Architecture
• WEBUI Screenshots
• What’s next?
• Summary
Introduction
US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and for facilitating and monitoring their authorization to access the available grid resources. This effort has resulted in a study and understanding of the necessary workflow, and in the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.
Stakeholders and Collaborators
• Stakeholders:
• US CMS
• Fermilab Computing Facility
• iVDGL
• SDSS
• Collaborators:
• BNL – VOMRS architecture, registration process, common interfaces
• EGEE (EDG)/DataTag – VOMS core and admin software
• VDT (U of Wisconsin), Virginia Tech – ongoing communication and agreements with Globus on gatekeeper and authorization callouts
VO Management Infrastructure at Fermilab (I)
[Diagram: components and interactions of the three projects. Labels in the figure: Local Center Registration Service; VOX Project; Privilege Project; VOMS Project; VOMRS; VOMS Admin and Core Services; Gatekeeper & PRIMA module; GUMS; SAZ; Fermilab Grid Cluster; proxy certificate. Flow labels: register, synchronize, voms-proxy-init, authenticate, authorize (GUMS), authorize (SAZ).]
VO Management Infrastructure at Fermilab (II)
VOX Project:
• VOMRS (VO Membership Registration Service) provides a registration service that
• allows a single point of registration with a VO
• facilitates, negotiates and monitors the process of a member’s authorization to grid resources
• provides centralized storage of membership information and a means to query that information
• SAZ (Site Authorization Service) allows the security authorities of the local site to control access to the site’s resources
VOMS Project:
• EGEE (EDG) VOMS Admin service provides centralized storage of member DN, CA, groups and roles, and the means to handle this data.
• DataTag VOMS Core service issues an extended proxy upon a member’s request.
Privilege Project automates and facilitates the process of managing fine-grained access to a local grid element:
• PRIMA authorization module at the gatekeeper
• elicits information from the provided VOMS attributes and other sources
• queries a site-centralized grid user management server
• GUMS (grid user management) server provides
• site-consistent user and group assignment
• interfaces and extensions to the data storage systems
VOMRS: Identifying the workflow
• Understand that VO registration is a multi-level process (institution, grid site, country, VO).
• Identify the necessary elements of the registration procedure and develop a model workflow.
• Identify administrative roles and responsibilities.
• Identify the various implications of our model for sites and site policies.
• Realize that the implementing technology must be flexible enough to accommodate the different levels of policies and requirements and to anticipate ongoing changes.
VO Concepts
• Grid, VO, Certificate (DN, CA, ...), Grid resource, Grid job ...
• Experiment: represents research activities that are specific to a particular VO.
• Group and group roles: an experiment contains groups. A group may have sub-groups. Group and group roles are included as attributes in a proxy certificate.
• Institution: an organization whose members participate in experiments within a particular VO.
• Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.
• Personal information: private and public data about an individual that is collected by the VO.
• Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses.
• Role: defines the actions that a VO member can perform within the VO and the information that a VO member can access. A VO member can have one or more roles. The event notifications a VO member receives depend on the member’s role.
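The authorization chain of the infrastructure slide (SAZ site check, then PRIMA eliciting the group/role attributes of the proxy and GUMS mapping them site-consistently to a local account) as an added illustration; this is not code from the VOX, VOMS, PRIMA, GUMS or SAZ projects. The VOMS FQAN attribute form, the mapping rules, the banned DN and the account names are assumptions constructed for the example; only the DOEGrids CA name comes from the slides.

```python
# Added example, not project code: a simplified site-side authorization
# decision in the order the slide describes (SAZ site check first, then
# GUMS-style mapping of the proxy's group/role attributes to a local account).
from dataclasses import dataclass

# Assumption: attributes use the VOMS FQAN form "/vo/group/Role=role/Capability=NULL".
@dataclass
class ProxyInfo:
    dn: str
    ca: str
    fqans: list  # group/role attributes taken from the extended proxy

def parse_fqan(fqan):
    """Split a FQAN into (group, role); a missing or NULL role becomes None."""
    group_parts, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = part[len("Role="):]
            role = None if role == "NULL" else role
        elif not part.startswith("Capability="):
            group_parts.append(part)
    return "/" + "/".join(group_parts), role

# Constructed sample policy, not any real site's configuration.
SAZ_DENIED_DNS = {"/DC=org/DC=doegrids/OU=People/CN=Constructed Banned User 000001"}
SAZ_ACCEPTED_CAS = {"/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"}
# GUMS-style ordered mapping: the first (group, role) rule that matches wins;
# a rule with role None accepts any role, and a group rule covers its sub-groups.
GUMS_MAPPING = [
    ("/uscms/production", "manager", "cmsprod"),
    ("/uscms", None, "uscms"),
]

def authorize(proxy):
    """Return the local account the gatekeeper should map to, or None to deny."""
    # SAZ: the site's own security authority can refuse a DN or a CA outright
    if proxy.dn in SAZ_DENIED_DNS or proxy.ca not in SAZ_ACCEPTED_CAS:
        return None
    # PRIMA elicits (group, role) from the proxy attributes; GUMS maps them
    for fqan in proxy.fqans:
        group, role = parse_fqan(fqan)
        for rule_group, rule_role, account in GUMS_MAPPING:
            in_group = group == rule_group or group.startswith(rule_group + "/")
            if in_group and rule_role in (None, role):
                return account
    return None  # no mapping rule for this VO or group: deny
```

A member who presents the production group without the manager role falls through to the VO-wide account rather than the production one, which is the site-consistent behaviour a GUMS-style ordered policy is meant to give.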
Roles (I)
• Applicant:
• An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
• Member:
• An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
• VO administrator:
• A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.
Roles (II)
• Institutional VO representative:
• Vouches for the identity of an applicant.
• Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.
• Grid site administrator:
• Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
• Administers the authorization of VO members to the site. The details are site-specific and depend on the regulations and policies of each particular site.
• Local resource provider:
• Administers the authorization of a member to use the grid resource (this could include adding the member to the gridmapfile, mapping the member to a local account, etc.).
Registration Flow
[Diagram: the registration flow. Actors in the figure: Applicant, Member, Institution (Representative), VO Central Node (VOMRS, EDG VOMS Proxy Server), Grid Sites (Site Admin, LRPs). Flow labels: register, query, synchronize, notify, approve.]
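The registration workflow of the Roles slides and the Registration Flow diagram (representative vouches, VO administrator approves or denies, site administrator authorizes per site, local resource provider maps to an account, with a notification at each step) as an added illustration; this is not VOMRS code. The role labels, state names, site names and account names are assumptions constructed for the example.

```python
# Added example, not VOMRS code: the registration workflow as a role-gated state machine.
class WorkflowError(Exception):
    """Raised when an actor lacks the required role or acts out of order."""

class Registration:
    """One applicant's path: vouch -> VO decision -> per-site authorization -> mapping."""

    def __init__(self, dn, institution, representative):
        self.dn, self.institution = dn, institution
        self.representative = representative  # chosen by the applicant at registration
        self.vouched = False
        self.status = "applicant"             # applicant -> member | denied
        self.sites = {}                       # site -> "pending" | "authorized" | account
        self.notifications = []               # (recipient role, text) the Event Manager would send

    def vouch(self, actor_role, actor_name):
        # Only the representative the applicant selected vouches for their identity
        if actor_role != "representative" or actor_name != self.representative:
            raise WorkflowError("only the selected representative can vouch")
        self.vouched = True
        self.notifications.append(("vo-admin", f"{self.dn} vouched for by {actor_name}"))

    def decide_membership(self, actor_role, approve):
        # The VO administrator approves or denies, but only once identity is vouched
        if actor_role != "vo-admin":
            raise WorkflowError("only the VO administrator decides membership")
        if not self.vouched:
            raise WorkflowError("the representative has not vouched for the applicant")
        self.status = "member" if approve else "denied"
        self.notifications.append(("member", f"registration {self.status}"))

    def request_site(self, site):
        # Membership alone grants nothing at a site; each site decides separately
        if self.status != "member":
            raise WorkflowError("only approved members can request site access")
        self.sites[site] = "pending"
        self.notifications.append(("site-admin", f"{self.dn} requests access to {site}"))

    def authorize_site(self, actor_role, site):
        if actor_role != "site-admin" or self.sites.get(site) != "pending":
            raise WorkflowError("the site administrator authorizes pending requests")
        self.sites[site] = "authorized"
        self.notifications.append(("lrp", f"map {self.dn} to a local account at {site}"))

    def map_account(self, actor_role, site, account):
        if actor_role != "lrp" or self.sites.get(site) != "authorized":
            raise WorkflowError("only authorized members are mapped to accounts")
        self.sites[site] = account
```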
VOMRS Architecture
[Diagram: VOMRS components. Labels in the figure: Member Server, CLI, GSI, Event Manager, Client IF, Synchronizer, EDG VOMS Admin API, Registrar (Workflow Manager), EDG Trust Manager, HTTPS/SSL, Web Client, VOMRS DB, EDG VOMS DB, Web Services/Servlets.]
VOMRS WEBUI (Home page, Group page ...)
VOMRS WEBUI (registration): USCMS VO Registration
VOMRS WEBUI (member search)
VOMRS WEBUI (subscribe to event)
Notification Event Example:
Date: Tue, 21 Sep 2004 13:43:20 -0600
From: USCMS-admin@hotdog62.fnal.gov
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: undisclosed-recipients: ;

Dear Administrator,
We have received a request from a person with Distinguished Name /DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073 issued by Certificate Authority /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 to join VO USCMS.
You can check member's personal information.
You can approve or deny member's request.
VO Administrator
What’s Next?
• Continue collaboration with BNL, SDSS, iVDGL, the LCG User Registration Task Force, etc.
• Implement multiple new features requested by collaborators:
• VO membership expiration and renewal processes
• Email verification
• Interface to organizational human resource database (LCG requirement)
• Continue support for the VOMRS instances installed at Fermilab and BNL
• Deploy a test installation of VOMRS at CERN
Summary
The VO Membership Registration Service, which allows a grid user to become a member of a Virtual Organization, has been developed. It provides a flexible mechanism to collect a member’s personal data as well as to manage the registration workflow. Several instances of VOMRS have been deployed at Fermilab and BNL. We greatly appreciate the discussions, support and software contributions provided by our collaborators. There are still many features that need to be implemented.
• More info: http://www.uscms.org/s&c/VO
• E-mail: vo-project@fnal.gov