Grid User Management System - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

Grid User Management System

Description:

GUMS generates the maps according to the policy and stores it in a special DB table ... name='mysql' className='gov.bnl.gums.MySQLPersistanceFactory' ... – PowerPoint PPT presentation

Number of Views:24
Avg rating:3.0/5.0
Slides: 15
Provided by: gabriele3
Category:

less

Transcript and Presenter's Notes

Title: Grid User Management System


1
Grid User Management System
  • Gabriele Carcassi

2
Outline
  • What GUMS is
  • How it is used at BNL
  • What the current functionalities are
  • Roadmap and future

3
GUMS
  • is a site tool

ATLAS
CMS
ATLASVOMS
CMSVOMS
VO
VO
Brookhaven National Lab
CERN
BNL GUMS
CERN GUMS
site
site
4
GUMS
  • translates a Grid identity to a local identity
    (certificate -gt local user)

/DCorg/DCdoegrids/OUPeople/CNGabriele Carcassi
BNL GUMS
Grid resource
carcassi
Simpler case show, equivalent to grid-mapfile
5
GUMS
  • is centralized one server per site

Grid resource
Grid resource
Grid resource
Grid resource
BNL GUMS
Allows to control identity mapping from a single
place Keeps the site consistent
6
GUMS
  • allows a site policy

Grid3 production servers
Allow Members of Grid3 VO mapped with
accounts taked from a pool Members on a
speciallist from a database mapped to special
Test servers for USATLAS
Allow All LCG test VO mapped to lcgt All
USATLAS group mapped to usatlast
Allow Members of mapped to
All groups and mappings definitions are specified
in a single XML file
Other machines
7
Use at BNL since May 2004
Grid resource
ATLASVO
STAR VO
PHENIX VO
VO
Grid resource
Grid resource
1.
GUMS server
3.
2.
mapfile cache
GUMS DB
GUMS contacts VO servers and update local
database with members
The gatekeepers contact the database to retireve
their mapping
1.
3.
GUMS generates the maps according to the policy
and stores it in a special DB table
2.
8
Use at BNL
GUMS Policy example
ltgumsgt ltpersistanceFactoriesgt
ltpersistenceFactory name'mysql'
className'gov.bnl.gums.MySQLPersistanceFactory'
/gt lt/persistanceFactoriesgt ltgroupMappingsgt
ltgroupMapping name'usatlasPool'gt
ltuserGroup className'gov.bnl.gums.LDAPGroup'
server'grid-vo.nikhef.nl' query'ouusatlas,oatl
as,dceu-datagrid,dcorg
persistanceFactory'mysql' name'usatlas' /gt
ltcompositeAccountMappinggt
ltaccountMapping className'gov.bnl.gums.ManualAcco
untMapper' persistanceFactory'mysql'
name'bnlMapping' /gt ltaccountMapping
className'gov.bnl.gums.AccountPoolMapper'
persistanceFactory'mysql' name'bnlPool' /gt
ltaccountMapping className'gov.bnl.gums.GroupAc
countMapper' groupName'usatlas1' /gt
lt/compositeAccountMappinggt lt/groupMappinggt
ltgroupMapping name'star'gt ltuserGroup
className'gov.bnl.gums.VOMSGroup'
url'https//vo.racf.bnl.gov8443/edg-voms-admin/s
tar/services/VOMSAdmin
persistanceFactory'mysql' name'star'
sslCertfile'/etc/grid-security/hostcert.pem'
sslKey'/etc/grid-security/hostkey.pem'/gt
ltcompositeAccountMappinggt ltaccountMapping
className'gov.bnl.gums.ManualAccountMapper'
persistanceFactory'mysql' name'bnlMapping' /gt
ltaccountMapping className'gov.bnl.gums.NISA
ccountMapper' jndiNisUrl'nis//nis2.somewhere.com
/rhic.bnl.gov' /gt lt/compositeAccountMappinggt
lt/groupMappinggt lt/groupMappingsgt
lthostGroupsgt lthostGroup className"gov.bnl.gum
s.WildcardHostGroup" wildcard'star.somewhere.gov
' groups'star' /gt lthostGroup
className"gov.bnl.gums.WildcardHostGroup"
wildcard'gums.somewhere.gov' groups'star,phenix,
usatlasPool' /gt lt/hostGroupsgt lt/gumsgt
9
Open architecture
  • All critical pieces are defined through
    interfaces and specified in the configuration

persistence impl.
UserGroup
Persistence Factory
ltcreatesgt
GroupMapper
ltcreatesgt
persistence impl.
Account Mapper

HostGroup
  • Allows integration with site specific services
  • (i.e. HR databases, LDAP, information services,
    )
  • Implement the interface (only dependency on GUMS)
  • Put jar in the lib folder
  • Modify the policy file

10
Features implemented
  • Persistence
  • MySQL
  • UserGroups
  • LDAP VO, VOMS, manual list of users (persistence)
  • AccountMappers
  • Group account, best effort NIS mapping, account
    pool, manual mapping (persistance)
  • All are being used at BNL

11
Future plans
  • Version 1.0 will be ready by OSG-0 release
    (February 2005)
  • Target functionalities
  • Account pooling
  • Tested already setup within grid3
  • Web service interface for GUMS
  • Role based authorization
  • part of Privilege Project, joint USATLAS and
    USCMS project

12
Account Pooling
  • A generic grid user will be assigned a generic
    grid account (no recycling) from a pool of
    pre-created accounts


/DCorg/DCdoegrids/OUPeople/CNGabriele Carcassi
grid0009
/DCorg/DCdoegrids/OUPeople/CNDantong Yu
grid0010
grid0011
/DCorg/DCdoegrids/OUPeople/CNRazvan Popescu
grid0012
grid0013
/DCorg/DCdoegrids/OUPeople/CNDantong Yu
grid0014
grid0015
  • Will allow BNL cybersecurity to perform auditing
  • To go in production we need
  • Assign the group id after the assignment
  • Make sure it doesnt disrupt accountingand
    applications

grid0016
grid0017

13
GT3 GUMS service
  • Use gatekeeper call-out to contact GUMS directly

Grid resource
ATLASVO
STAR VO
PHENIX VO
VO
Grid resource
Grid resource
GUMS server
GUMS DB
14
Role based authorization
  • Use of callout and of VOMS extended proxy

/DCorg/DCdoegrids/OUPeople/CNGabriele Carcassi
BNL GUMS
Grid resource
carcassi
/DCorg/DCdoegrids/OUPeople/CNGabriele Carcassi
/VOATLAS/GroupUSATLAS/Roleproduction-leader
BNL GUMS
Grid resource
usatlasprod
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Grid User Management System" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!