Virtual Organization Management Registration Service (VOMRS) Status

1
Virtual Organization Management Registration
Service (VOMRS) Status
  • T. Levshina

2
VOMRS Place in the GRID World
[Diagram. Components: VOMRS, VOMS, Grid Facility (CE, Globus Gatekeeper, JobManager, SE, SRM), PRIMA, gPlazma, Facility Authorization Management (GUMS). Arrow labels: register, membership/privileges, get proxy, submit job, callouts, "Is authorized?", get uid, "get uid, gid, rootpath".]

3
Who needs VOMRS?
  • VO that comprises
    • Numerous members
    • Multiple institutions
  • VO that needs to maintain
    • Hierarchy of administrators
    • Delegation of responsibilities
    • Persistent information about membership
    • Dynamic set of collected personal information
  • VO that requires notification and coordination
    when there are
    • changes in VO membership or structure
    • actions required from members or administrators

4
VOMRS vs. VOMS-admin
  • Maintains persistent membership status
  • Allows multiple certificates per member
  • Supports local and web AUP and its versioning
  • Keeps institutional and VO membership expiration
  • Handles request for group/group role assignment
  • Provides description of the group/group roles,
    ability to link role to a particular group
  • Maintains dynamic set of personal information per
    VO, private and public set of personal
    information
  • Is capable of interfacing with third-party ID providers
    (such as Fermilab LDAP CNAS, CERN Human Resource
    database, etc.)
  • Handles event notification and the ability to select
    a set of subscribed events
  • Decreases load on VO Admin by introducing a
    hierarchy of administrators (such as
    Representative, Group Managers, etc.) and a
    registration workflow.

5
Project Timeline (I)
  • Initiated on 1/24/03
  • Identifying stakeholder
  • Gathering requirements
  • High level design
  • Database and low level design
  • First production release of VOX (v1.0.0) -
    3/1/2004
    • VOMRS
    • LRAS (now obsolete, replaced by GUMS)
    • SAZ (now maintained by another group at Fermilab)
  • Features added to VOMRS since the first release
    • Implemented interface to third-party
      registration DBMS (e.g. interface to CERN HR DB,
      SAMDB, CNAS)
    • Implemented Oracle support
    • Implemented two phases of registration that
      include email verification
    • Introduced VO and institutional membership
      expiration
    • Introduced VO-level management of CAs
    • Implemented selection of groups and group roles
      by member and admin
    • Added multipart messaging, improved message
      format
    • Implemented customizable on-line help
  • Current release (1.2.3): July 2006

6
Project Timeline (II)
  • Upcoming release (1.3.0) will be released as
    soon as there are no bugs
    • Modification of group/group role handling (see
      details in http://www.uscms.org/SoftwareComputing/Grid/VO/design/draft2.pdf)
    • Modification of AUP handling (see details at
      https://savannah.cern.ch/bugs/?func=detailitem&item_id=15164)
    • Simplification of handling the addition of new
      certificates
    • Improvement of performance (bulk selection)
    • Changes in configuration in order to accommodate
      Oracle connection to multiple servers.
  • Chris Kendrick (VPAC) and Markus Binsteiner (VPAC)
    are testing the beta version
  • Lanxin Ma (CERN) is testing it for the Oracle LCG
    environment

7
Implementation and Distribution
  • Implementation details
    • Java based (1.4.1 and higher)
    • Web UI uses JavaScript
    • Configuration scripts are written in Python (1.5
      and higher)
    • Configuration files are in XML format
    • DBMS: Oracle or MySQL
  • Product distribution
    • The current distribution of VOMRS software is
      built with the gLite 1.4 trustmanager package and can
      be synchronized with gLite VOMS.
    • VOMRS components are distributed using the Pacman
      package manager and are available from the
      cache http://www.uscms.org/SoftwareComputing/Grid/VO/VOMRS
    • RPMs are available from http://www.uscms.org/SoftwareComputing/Grid/VO/downloads.html

8
Current Deployment
  • Fermilab
    • 14 instances that are synchronized with the
      corresponding installation of VOMS (VDT 1.3.11).
      VOMRS and VOMS are running on the same node
    • Total number of registered users > 5,000
  • CERN
    • 4 instances are using LCG Registration Type and
      connect to CERN HR DB
    • 5 instances are using General Registration Type
    • All instances are synchronized with the corresponding
      installation of VOMS (gLite 1.4). VOMRS and VOMS
      are running on the same node.
    • Total number of registered users 2,000 (CMS
      437, Atlas 745, Alice 146, LHCb 103, DTEAM
      428,)
  • BNL
    • 2 instances (all are synchronized with the
      corresponding installation of VOMS).
  • Test installations
    • 2 instances at Texas Tech University are
      synchronized with the corresponding installation of
      VOMS (VDT 1.3.7)
    • 2 instances at the University of Melbourne

9
Current effort on VOMRS
  • Current efforts
    • One person since 1/10/2005, in 2006 50% FTE (T.
      Levshina)
    • John Weigand participated in development until
      3/1/2005; he now provides help when Oracle expertise
      is required and participates in some of the
      LCG RTF meetings (< 1% FTE)
    • CERN provides VOMRS support for VOMRS users
      registered there (Lanxin Ma, 10% FTE)
    • 10% of FTE (V. Sergeev) is allocated for future
      support at Fermilab
  • The responsibilities include
    • participating in LCG RTF work
    • bug fixes
    • new features implementation
    • testing
    • writing documentation
    • packaging
    • maintaining the web site
    • users and admins support at Fermilab
    • high level support at CERN

10
Future (I)
  • VOMRS is now a part of the VO Services Project
  • Immediate plans - release vomrs-1.3.0
    • Final testing is performed at CERN and VPAC
      (Melbourne)
    • Help with upgrade at Fermi and CERN
    • Major challenge: database upgrade with new schema
  • Next release (vomrs-1.3.1)
    • Use a new Oracle OCI driver (not a lot of work
      but a lot of testing) - https://savannah.cern.ch/bugs/?19690
    • Implement a workaround for kernel hangs of RAC nodes,
      which have been reported and are
      being investigated by Oracle and Red Hat:
      https://uimon.cern.ch/twiki/bin/view/PSSGroup/OCIClientHangProtection
    • Change the way VOMRS handles CERNID and DoB
      validation - https://savannah.cern.ch/bugs/?18947
    • Preserve search criteria over multiple HTTP
      requests within a session
    • Allow changes in configuration file and online
      help without Tomcat restart
    • VOMRS should be able to synchronize with multiple
      VOMS (Keith Chadwick's request to solve VOMS
      replication)
    • Help VDT team to add VOMRS to VDT distribution
  • Release v 1.4.0
    • Address the "general attributes" feature introduced
      in VOMS
    • Come up with a more flexible way to add interfaces

11
Future (II)
  • Possible long-term future directions for VOMRS
    may utilize the new technologies
    with the goal of lowering the maintenance effort
    • Shibbolized VOMRS in order to interface with
      shibbolized ID Providers
    • Re-write database part to use Hibernate to use
      persistent classes following object-oriented
      idiom
      • No need to write SQL gluing code to populate
        objects
      • Everything may be done in Java and DB schema is
        generated from Java code
      • Caching policies are very powerful (session,
        global, etc). In general should be more efficient
        than handwritten code
      • Easy integration with application servers, JNDI
        etc or in standalone mode
      • Became standard, EJB 3.0 persistency is built on
        top of Hibernate
    • Re-write web UI by using Struts
      • Standard MVC framework
      • Tag library provides a lot of implementation
        freebies
      • Extendable validation framework simplifies field
        validation either on server or client from the
        same source
      • Central error processing facility (global or page
        base)
      • Powerful hierarchy of interceptors for
        customization purposes
    • Investigate existence and usability of a
      standard workflow model that can replace
      the one we have invented in VOMRS

12
Summary
  • VOMRS is a successfully implemented VO
    registration service providing the means to
    better identify and communicate with VO members,
    and to assign grid privileges to them.
  • Through the use of its multiple administrative
    roles, VOMRS allows for delegation of
    responsibilities within the VO while still
    providing a high level of control over privileges
    granted.
  • As a highly configurable service, it can meet the
    needs of a wide variety of VOs, both in terms of
    membership size and complexity of privileges
    required.
  • Its installation at numerous sites has resulted
    in increased requests for additional features to
    improve management and control of VO membership.
  • More information can be found at http://www.uscms.org/SoftwareComputing/Grid/VO
  • E-mail: privilege-project_at_fnal.gov

13
VOMRS Architecture
[Diagram. Hosts: VOMRS Host, Client Host, SAM DB Host, ORGDB Host. Components: VOMRS Admin Service, Service Broker, VOMRS DB, gLite VOMS DB, gLite Trust Manager, VOMS Admin API, SAM ADMIN API, LCG ORGDB API, CLI, WEB CLIENT. Connection labels: GSI Authentication, SOAPSSL Authentication, HTTPSSL Authentication.]