VO Management

1
VO Management
2
Outline

• VO Management in running projects
• EGEE gLite
• Open Science Grid (OSG) VO Privilege
• VOMRS Features
• Using VOMRS with GT4
• Pragmatic solution volist merge-gridmap
• merge-gridmap Flowchart
• Serving multiple VOs Sub-VOs

3
VOMS/VOMRS in EGEE gLite

VOMRS
(Igor Sfiligoi gLite Authentication)
4
VOMS/VOMRS in OSG
VOMRS
Grid Facility
register
CE
Globus Gatekeeper
SRM
JobManager
SE
membership/ privileges
get proxy
callouts
callouts
get uid, gid, rootpath
gPlazma
PRIMA
membership/ privileges
Is authorized?
SAZ
VOMS
Facility Authorization Management
get uid
GUMS
submit job
(Tanya Levshina VOMRS)
5
VOMRS Features

• secure authenticated management of VO
  membership, grid resource authorization and
  privileges
• 2-phase registration workflow to register with a
  VO
• Dynamic set of collected personal information
• Management of multiple grid certificates per
  member
• VO-level control of member's privileges
• Email notifications of selected changes and
  events
• Permits delegation of responsibilities within the
  various VO administrators and group managers
• Manages hierarchies of groups and group roles
• Interfaces to third-party systems like VOMS

6
VOMRS GT4

• Pragmatic solution Use VOMRS as
• VO Information Service

Grid resource
group name
VOMRS DB
local grid- mapfile
volist servlet
merge-gridmap
local config
List (DNID)
(crontab)
grid- mapfile
Auth lists
VOMRS
Globus Gatekeeper
register
Submit job
JobManager
7
Merge-gridmap flow
RunAs aliases

Create sudoers entries
volist/ VOMRS
wget
VO list
Lower priority
Command entries
Map to pool account schema
Write grid-mapfile
grid- mapfile
Prefixformat agd .3d
Remove DNs with unknown account names
Remove non-allowed DNs
Allowed DNs
List of unknown accounts
Check accounts existence
Remove denied DNs
Denied DNs
Merge with local map
local grid- mapfile
Higher priority
Remap DNs to non-pool accounts
Remap DNID
8
Serving multiple (Sub-)VOs
local grid- mapfile

VOMRS DB
Grid resource
volist servlet A
merge-gridmap
Config Sub-VO /Omega/Uno
VOMRS A
Config VO /Alpha
merge-gridmap
VOMRS DB
Auth lists
volist servlet ?
merge-gridmap
Config VO /Omega
VOMRS ?
grid- mapfile
9
Summary

• Using volist/merge-gridmap with VOMRS
• offers a lean VO management tool
• promises the chance to switch to future EGEE or
  OSG/VO-Privilege developments via the VOMS
  interface of VOMRS
• provides the possibility to delegate access right
  management to a central VO management but to keep
  fine-grained local control
• allows a resource to serve multiple VOs

10
Appendix Glossary

• VOMRS
• Virtual Organisation Management Registration
  Service
• http//www.uscms.org/SoftwareComputing/Grid/VO/
• VOMS
• Virtual Organization Membership services
• http//infnforge.cnaf.infn.it/voms/
• LCMAPS
• Local Credential MAPping Service

11
Glossary II

• GUMS
• Grid User Management System
• http//grid.racf.bnl.gov/GUMS/index.html
• PRIMA
• PRIvilege Management and Authorization
• http//computing.fnal.gov/docs/products/voprivileg
  e/prima/prima.html
• SAZ
• Site AuthoriZation service
• http//www.fnal.gov/docs/products/saz/v_vo1/SAZ.ht
  m

12
Glossary III

• gPlazma
• Grid-aware PLuggable AuthoriZation Management
• http//www.dcache.org/manuals/Book/cf-gplazma.shtm
  l