Virtual Organization Management Registration Service (VOMRS) - PowerPoint PPT Presentation

Slides: 22
Provided by: cd749

Transcript and Presenter's Notes

1
Virtual Organization Management Registration Service (VOMRS)
  • T. Levshina
  • J. Weigand
  • S. White
  • Co-Authors: L. Bauerdick, G. Carcassi, I. Fisk, A. Heavey, P. Mhashilkar, R. Pordes, A. Sill, D. Yocum

2
Talk Outline
  • Who needs VOMRS?
  • Project Timeline
  • VOMRS Scope
  • Place in the GRID World
  • Architecture
  • Main Features Overview
  • Implementation and Distribution
  • Deployment
  • Future
  • Summary

3
Who needs VOMRS?
  • A VO that comprises
    • numerous members
    • multiple institutions
  • A VO that needs to maintain
    • a hierarchy of administrators
    • delegation of responsibilities
    • persistent membership status
    • VO and institutional membership expiration
    • a dynamic set of collected personal information
  • A VO that requires notification about
    • changes in VO membership or structure
    • actions required from members or administrators

4
Project Timeline
  • Initiated on 1/24/03
    • Identifying stakeholders
    • Gathering requirements
    • High-level design
    • Database and low-level design
  • First production release of VOX (v1.0.0) - 3/1/2004
    • VOMRS
    • LRAS (now obsolete, replaced by GUMS)
    • SAZ (now maintained by another group at Fermilab)
  • Features added to VOMRS since the first release
    • Implemented interfaces to third-party registration DBMSs (e.g. interface to CERN HR DB, SAMDB)
    • Implemented Oracle support
    • Implemented two-phase registration that includes email verification
    • Introduced VO and institutional membership expiration
    • Introduced VO-level management of CAs
    • Implemented selection of groups and group roles by member and admin
    • Added multipart messaging, improved message format
    • Implemented customizable on-line help
  • Current release (1.2.3): July, 2006

5
VOMRS Scope
  • VOMRS offers a comprehensive set of services that facilitates secure and authenticated management of VO membership, grid resource authorization and privileges. VOMRS
    • implements a registration workflow providing the means for collaborators to register with a Virtual Organization (VO)
    • supports management of multiple grid certificates per member
    • permits VO-level control of members' privileges
    • provides email notifications of selected events
    • supports VO-level control over its trusted set of Certificate Authorities (CAs)
    • permits delegation of responsibilities among the various VO administrators
    • manages groups and group roles
    • is capable of interfacing to third-party systems and pulling or pushing relevant member information from/to them

6
VOMRS Place in the GRID World
[Diagram; only its labels survive in the transcript. Components: Grid Facility, VOMRS, CE (Globus Gatekeeper, JobManager), SE (SRM), gPlazma, PRIMA, VOMS, GUMS, Facility Authorization Management. Edge labels: register; membership/privileges (twice); get proxy; callouts (twice); Is authorized?; get uid; get uid, gid, rootpath; submit job.]

7
VOMRS Architecture
[Diagram; only its labels survive in the transcript. Hosts: VOMRS Host, Client Host, SAM DB Host, ORGDB Host. Components: VOMRS Admin Service, Service Broker, VOMRS DB, gLite Trust Manager, gLite VOMS DB, WEB CLIENT, CLI (twice). APIs: VOMS Admin API, SAM ADMIN API, LCG ORGDB API. Authentication labels: GSI Authentication, SOAPSSL Authentication, HTTPSSL Authentication.]

8
VOMRS Entities
  • Certificate Authorities
    • Allows management of the list of CAs accepted in the VO
    • Offers a consistent way of managing membership status for members whose certificate CAs become obsolete or invalid
  • Groups and Group Roles
    • Supports a hierarchy of groups
    • Allows creation/deletion of group roles and their association with a group
    • Provides an interface to manage groups and group roles
  • Institutions and Sites
    • Provides an interface to manage Institutions and Sites
    • Requires member affiliation with an Institution, with an expiration date imposed
  • Personal Data Set
    • Supports real-time editing of the data set collected during registration
    • Distinguishes between private and public data, persistent and non-persistent data, etc.

9
VOMRS Administrators
  • Allows for delegation of responsibilities within the VO
  • VO Admin
    • responsible for maintaining the VOMRS. A VO admin manages data pertaining to institutions, sites, CAs, members and privileges, and can modify the set of personal information required by the VO
  • Representative
    • responsible for approving/denying applicants' requests for VO membership based on personal knowledge about each individual applicant's identity and institutional affiliation
  • Group Owner and Group Manager
    • responsible for managing the group's membership. A Group Manager can create new subgroups and associate group roles with them
  • Site Admin and Local Resource Provider
    • able to access members' information

10
Membership Registration
  • In order to access VOMRS a user is required to have a valid certificate whose CA is recognized by the VO
  • Registration consists of two steps
  • During Phase I a new user
    • fills out personal information
    • selects a Representative
    • provides an email address
  • After receiving email notification, a user proceeds to Phase II, and
    • signs the AUP for the VO
    • selects group(s) and group role(s)
  • In order to become a VO member with grid resource privileges, the user's registration must be approved by the user's Representative or a VO Admin.

11
WEB UI Example (Registration)
[Screenshots of the Phase I and Phase II registration pages; not recoverable from the transcript.]

12
Notification Events
  • An event in the VOMRS constitutes any change to
    • a member's status/privileges
      • a new administrative role is assigned
      • a certificate is suspended
      • a member is assigned to a group
    • the structure of the VO
      • creation of a new group
      • expiration of a CA
      • addition of an institution
  • Events can trigger a call to an external system via a registered interface.
  • Some events require action to be taken by a VO member
    • a Representative is asked to approve/deny a registration
    • a member is asked to sign a new AUP
  • The events to which a member can subscribe depend upon the member's roles and membership status.

13
Membership and Certificate Statuses
  • Membership status
    • New
    • Approved
    • Denied
    • Suspended: the member is currently not in good standing in the VO
    • Expired: occurs when
      • a new Usage Rules document must be signed
      • the member's validity period has expired
      • the member's institutional affiliation has expired
  • Certificate status
    • New
    • Approved
    • Denied
    • Suspended: the certificate has been somehow compromised
    • Expired: indicates that the certificate issuer does not currently have a valid certificate
  • Multiple certificates per member
    • Each VO member has at least one registered certificate
    • A valid member can request additional certificates
    • Each such request should be approved by a VO Admin
    • A member can access VOMRS by using any one of the approved certificates
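
The two-phase registration of slide 10 and the status rules of slide 13 can be exercised as a small model. The Python below is an added example written for this transcript, not VOMRS code (VOMRS itself is Java with its own schema); the class names, the e-mail verification token that stands in for the Phase I notification, the AUP version numbers, the Example-CA issuer and the sample applicant are all assumptions.

```python
"""Constructed model of VOMRS two-phase registration (slide 10) and of the
membership/certificate status rules (slide 13).  Class names, the e-mail
verification token, AUP version numbers and all data are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
import secrets

@dataclass
class CA:
    name: str
    valid: bool = True            # VO-level trust decision for this issuer

@dataclass
class Certificate:
    dn: str
    ca: CA
    status: str = "New"           # New / Approved / Denied / Suspended

    def effective_status(self) -> str:
        # An issuer without a valid certificate makes the member's
        # certificate read as Expired whatever its own status.
        return "Expired" if not self.ca.valid else self.status

@dataclass
class Member:
    certs: List[Certificate]
    personal: Dict[str, str]
    representative: str
    email: str
    status: str = "New"           # New / Approved / Denied / Suspended
    verify_token: Optional[str] = None
    signed_aup: Optional[int] = None
    groups: List[str] = field(default_factory=list)
    valid_until: Optional[date] = None
    affiliation_until: Optional[date] = None

class Registry:
    def __init__(self, cas: List[CA], current_aup: int):
        self.cas = {ca.name: ca for ca in cas}    # CAs accepted by the VO
        self.current_aup = current_aup            # current Usage Rules version

    def phase1(self, cert: Certificate, personal, representative, email) -> Member:
        # Access requires a certificate from a CA the VO recognizes.
        ca = self.cas.get(cert.ca.name)
        if ca is None or not ca.valid:
            raise PermissionError("certificate CA is not recognized by the VO")
        m = Member([cert], dict(personal), representative, email)
        m.verify_token = secrets.token_urlsafe(16)  # stands in for the e-mail
        return m

    def phase2(self, m: Member, token: str, groups: List[str]) -> None:
        # E-mail verification, then AUP signature and group selection.
        if not secrets.compare_digest(token, m.verify_token or ""):
            raise PermissionError("e-mail verification failed")
        m.signed_aup = self.current_aup
        m.groups = list(groups)

    def approve(self, m: Member, approver_role: str,
                valid_until: date, affiliation_until: date) -> None:
        if approver_role not in ("Representative", "VO Admin"):
            raise PermissionError("only a Representative or VO Admin approves")
        if m.signed_aup is None:
            raise ValueError("Phase II has not been completed")
        m.status, m.certs[0].status = "Approved", "Approved"
        m.valid_until, m.affiliation_until = valid_until, affiliation_until

    def membership_status(self, m: Member, today: date) -> str:
        # New/Denied/Suspended are stored; Expired is derived from the
        # three triggers on slide 13.
        if m.status != "Approved":
            return m.status
        if (m.signed_aup != self.current_aup or m.valid_until < today
                or m.affiliation_until < today):
            return "Expired"
        return "Approved"

    def can_access(self, m: Member, today: date) -> bool:
        # A member logs in with any one of their approved certificates.
        return (self.membership_status(m, today) == "Approved" and
                any(c.effective_status() == "Approved" for c in m.certs))

def demo() -> dict:
    # Walk one constructed applicant through the flow and record what we see.
    ca = CA("Example-CA")
    reg = Registry([ca], current_aup=2)
    alice = reg.phase1(Certificate("/DC=example/CN=alice", ca),
                       {"name": "Alice Example"}, "rep@example.org",
                       "alice@example.org")
    out = {"after_phase1": reg.membership_status(alice, date(2006, 7, 1)),
           "bad_token_rejected": False}
    try:
        reg.phase2(alice, "wrong-token", ["/test"])
    except PermissionError:
        out["bad_token_rejected"] = True
    reg.phase2(alice, alice.verify_token, ["/test"])
    reg.approve(alice, "Representative", date(2007, 1, 1), date(2007, 1, 1))
    out["after_approval"] = reg.can_access(alice, date(2006, 7, 1))
    out["after_validity"] = reg.membership_status(alice, date(2007, 2, 1))
    reg.current_aup = 3                    # a new Usage Rules document
    out["after_new_aup"] = reg.membership_status(alice, date(2006, 7, 1))
    ca.valid = False                       # the VO drops trust in the CA
    out["cert_after_ca_expired"] = alice.certs[0].effective_status()
    return out
```

Running `demo()` shows the points the slides make: an applicant stays New until Phase II and approval are complete, a wrong verification token never advances Phase I, and Expired is never stored but computed from the current AUP version, the validity date and the affiliation date, while withdrawing trust from a CA changes how every certificate it issued is reported without touching the membership record.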

14
Groups and Group Roles
  • A group may have a Group Owner that controls subgroup creation and appoints Group Managers. Each Group Owner is a Group Manager.
  • A group may have a Group Manager responsible for managing group membership.
  • A group role is created by a VO Admin.
  • A group role can be linked by a Group Owner to a particular group and assigned access to this group role within this group.
  • A group is an organizational entity defined by the VO.
  • A group has an access type (Open, Restricted), a description and a set of group roles associated with it.
  • Groups may be organized hierarchically such that the ownership attribute of a parent group is automatically inherited by a child group.
  • The hierarchy starts with a single VO-wide root group, owned by a VO administrator, to which all members get automatically assigned.

15
Group and Group Role Assignment
  • A VO Member can request group and group role membership. A Member needs an administrator's approval in order to be assigned to a group or a group role.
  • A Group Manager can approve or deny a member's request.
  • If a Member is assigned to a subgroup, he is automatically assigned to all the parent groups.
  • If a Member is denied access to a group, he is automatically denied access to all subgroups of this group.
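
The inheritance rules on slides 14 and 15 (ownership flows down to child groups, assignment flows up to parent groups, denial flows down to subgroups) are easy to get wrong, so here they are as an added example. This is not VOMRS code: the group paths follow the /test/... form of the getGroups output on slide 17, subgroup creation is restricted to the Group Owner as slide 14 states, group roles are left out, and the members, the manager name and every decision are constructed for the example.

```python
"""Constructed model of the VOMRS group hierarchy rules on slides 14 and 15.
Group paths follow the /test/... form of the getGroups output on slide 17;
members, managers and decisions are assumptions made for this example."""
from typing import Dict, List, Set, Tuple

VO_ADMIN = "vo-admin"      # constructed name of the VO administrator

class GroupTree:
    def __init__(self, root: str):
        # One VO-wide root group, owned by a VO administrator, to which
        # every member is assigned automatically.  A Group Owner is also
        # a Group Manager, so the owner starts in the managers set.
        self.root = root
        self.groups: Dict[str, dict] = {
            root: {"owner": VO_ADMIN, "managers": {VO_ADMIN}, "access": "Open"}}
        self.members: Dict[str, dict] = {}
        self.pending: Set[Tuple[str, str]] = set()    # (member, group)

    @staticmethod
    def parents(path: str) -> List[str]:
        # "/test/production/stream1" -> ["/test", "/test/production"]
        parts = path.strip("/").split("/")
        return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

    def create_group(self, path: str, actor: str, access: str = "Open") -> None:
        ancestors = self.parents(path)
        if not ancestors or ancestors[-1] not in self.groups:
            raise KeyError("a subgroup must be created under an existing group")
        owner = self.groups[ancestors[-1]]["owner"]   # ownership is inherited
        if actor != owner:                            # the owner controls creation
            raise PermissionError(f"{actor} does not own {ancestors[-1]}")
        self.groups[path] = {"owner": owner, "managers": {owner}, "access": access}

    def appoint_manager(self, path: str, actor: str, manager: str) -> None:
        if actor != self.groups[path]["owner"]:
            raise PermissionError("only the Group Owner appoints managers")
        self.groups[path]["managers"].add(manager)

    def register(self, member: str) -> None:
        self.members[member] = {"groups": {self.root}, "denied": set()}

    def request(self, member: str, path: str) -> None:
        self.pending.add((member, path))

    def decide(self, member: str, path: str, actor: str, approve: bool) -> None:
        if actor not in self.groups[path]["managers"]:
            raise PermissionError("only a Group Manager decides on requests")
        self.pending.remove((member, path))
        rec = self.members[member]
        if approve:
            # Assignment to a subgroup implies membership of every parent.
            rec["groups"].update([path] + self.parents(path))
        else:
            rec["denied"].add(path)       # denial also covers every subgroup

    def is_member(self, member: str, path: str) -> bool:
        rec = self.members[member]
        # A denial at this group or any ancestor overrides assignments below it.
        if any(p in rec["denied"] for p in self.parents(path) + [path]):
            return False
        return path in rec["groups"]

def demo() -> dict:
    t = GroupTree("/test")
    t.create_group("/test/production", VO_ADMIN)
    t.create_group("/test/production/stream1", VO_ADMIN)   # owner inherited
    t.appoint_manager("/test/production/stream1", VO_ADMIN, "stream1-mgr")
    out = {"manager_cannot_create": False}
    try:   # a manager who is not the owner may not create subgroups
        t.create_group("/test/production/stream1/sub", "stream1-mgr")
    except PermissionError:
        out["manager_cannot_create"] = True
    for name in ("alice", "bob"):
        t.register(name)
    # alice: approved into the leaf group, hence a member of every parent
    t.request("alice", "/test/production/stream1")
    t.decide("alice", "/test/production/stream1", "stream1-mgr", True)
    # bob: denied at /test/production, then approved one level below it
    t.request("bob", "/test/production")
    t.decide("bob", "/test/production", VO_ADMIN, False)
    t.request("bob", "/test/production/stream1")
    t.decide("bob", "/test/production/stream1", "stream1-mgr", True)
    out.update({
        "stream1_owner": t.groups["/test/production/stream1"]["owner"],
        "alice_in_production": t.is_member("alice", "/test/production"),
        "alice_in_root": t.is_member("alice", "/test"),
        "bob_in_stream1": t.is_member("bob", "/test/production/stream1"),
        "bob_in_root": t.is_member("bob", "/test")})
    return out
```

The design choice worth noting is that denial is evaluated at lookup time over the whole ancestor chain rather than copied into each subgroup at decision time: bob's later approval into /test/production/stream1 is recorded but does not take effect, which is what "denied access to all subgroups of this group" requires, and it keeps holding if more subgroups are created afterwards.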

16
Interfacing Third Party Software
  • Interfaces can be registered with VOMRS and can be subscribed to receive event notifications. Currently there are three known interfaces
  • LCG Registration Type
    • A user's registration in the CERN HR DB is verified via a query during Phase I of VOMRS registration. No data is downloaded from the CERN DB to VOMRS.
    • VOMRS can be configured such that whenever an administrator queries a member's personal data, the CERN HR DB is queried and both the VOMRS and CERN DB data are displayed together.
  • SAM Registration Type
    • SAM DB is queried to obtain the list of SAM groups
    • SAM DB is updated by using sam-admin commands when
      • a member's status/privileges are changed
  • EGEE VOMS
    • VOMS is updated by using the VOMS API when
      • a member's status/privileges are changed
      • a member's additional certificate is approved/suspended
      • a group is added/removed
      • a group role is added/removed
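
Slide 12 describes events that trigger calls to registered interfaces and notifications whose availability depends on the subscriber's role and status; slide 16 lists the VOMS updates those events drive. The following Python is an added example covering both slides, not VOMRS code: the event identifiers, the role-to-event table, the rule that only Approved members may subscribe and the FakeVOMS stand-in for the VOMS Admin API are all assumptions made for the example.

```python
"""Constructed model of VOMRS event notification (slide 12) and of the
registered third-party interfaces it drives (slide 16).  Event names, the
role-to-event table and the stand-in VOMS are assumptions for this example."""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Event types named on the slides (identifiers constructed here).
MEMBER_STATUS_CHANGED = "member.status_changed"
CERT_STATUS_CHANGED = "certificate.status_changed"
GROUP_ADDED = "group.added"
GROUP_REMOVED = "group.removed"
REGISTRATION_PENDING = "registration.pending"   # a Representative must act
AUP_CHANGED = "aup.changed"                     # members must sign again
CA_EXPIRED = "ca.expired"

# Which events each role may subscribe to: an assumption standing in for
# VOMRS deriving this from the member's roles and membership status.
SUBSCRIBABLE: Dict[str, Set[str]] = {
    "VO Admin": {MEMBER_STATUS_CHANGED, CERT_STATUS_CHANGED, GROUP_ADDED,
                 GROUP_REMOVED, CA_EXPIRED, REGISTRATION_PENDING},
    "Representative": {REGISTRATION_PENDING, MEMBER_STATUS_CHANGED},
    "Member": {AUP_CHANGED, MEMBER_STATUS_CHANGED},
}

class FakeVOMS:
    """Stand-in for the VOMS DB that VOMRS keeps in sync via the VOMS API."""
    def __init__(self):
        self.members: Dict[str, str] = {}    # dn -> membership status
        self.certs: Dict[str, str] = {}      # additional dn -> cert status
        self.groups: Set[str] = set()

    def handle(self, event: str, payload: dict) -> None:
        if event == MEMBER_STATUS_CHANGED:
            self.members[payload["dn"]] = payload["status"]
        elif event == CERT_STATUS_CHANGED:
            self.certs[payload["dn"]] = payload["status"]
        elif event == GROUP_ADDED:
            self.groups.add(payload["group"])
        elif event == GROUP_REMOVED:
            self.groups.discard(payload["group"])

class EventBus:
    def __init__(self):
        self.interfaces: Dict[str, List[Tuple[str, Callable]]] = defaultdict(list)
        self.subscribers: Dict[str, Set[str]] = defaultdict(set)
        self.people: Dict[str, Tuple[str, str]] = {}   # name -> (role, status)
        self.outbox: List[Tuple[str, str, dict]] = []  # notifications queued

    def register_interface(self, name: str, events, callback: Callable) -> None:
        for ev in events:
            self.interfaces[ev].append((name, callback))

    def set_person(self, name: str, role: str, status: str) -> None:
        self.people[name] = (role, status)

    def subscribe(self, name: str, event: str) -> None:
        role, status = self.people[name]
        # Only people in good standing whose role covers the event.
        if status != "Approved" or event not in SUBSCRIBABLE.get(role, set()):
            raise PermissionError(f"{name} may not subscribe to {event}")
        self.subscribers[event].add(name)

    def emit(self, event: str, payload: dict) -> List[Tuple[str, str, dict]]:
        # 1. push the change to every interface registered for this event
        for _, callback in self.interfaces[event]:
            callback(event, payload)
        # 2. queue a notification for each subscribed person
        notices = [(n, event, payload) for n in sorted(self.subscribers[event])]
        self.outbox.extend(notices)
        return notices

def demo() -> dict:
    voms, bus = FakeVOMS(), EventBus()
    bus.register_interface("EGEE VOMS", [MEMBER_STATUS_CHANGED, CERT_STATUS_CHANGED,
                                         GROUP_ADDED, GROUP_REMOVED], voms.handle)
    bus.set_person("rep", "Representative", "Approved")
    bus.set_person("carol", "Member", "Suspended")
    bus.subscribe("rep", REGISTRATION_PENDING)
    out = {"suspended_blocked": False}
    try:
        bus.subscribe("carol", AUP_CHANGED)
    except PermissionError:
        out["suspended_blocked"] = True
    dave = "/DC=example/CN=dave"          # constructed applicant DN
    out["pending_notices"] = len(bus.emit(REGISTRATION_PENDING, {"applicant": dave}))
    bus.emit(MEMBER_STATUS_CHANGED, {"dn": dave, "status": "Approved"})
    bus.emit(GROUP_ADDED, {"group": "/test/production/stream3"})
    bus.emit(GROUP_REMOVED, {"group": "/test/development"})
    out["voms_dave"] = voms.members[dave]
    out["voms_groups"] = sorted(voms.groups)
    return out
```

The split inside `emit` mirrors the slides: external interfaces are called for every event they registered for regardless of who is watching, while human notifications are filtered at subscription time by role and membership status, so a suspended member cannot arrange to keep receiving VO mail.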

17
WEB Services Example
  • Access to VOMRS is also available via web services.
  • A certificate (or proxy) signed by a recognized CA is needed.
  • The list of services available for a particular user is defined by the user's role and status within VOMRS.
  • Web Service example (the getGroups call and the group list it returns)
      java -Daxis.socketSecureFactory -DsslConfigFile fnal/vox/vomrs/client/SoapClient https://fermigrid0.fnal.gov:8443/vo/Test/services/VOMRS getGroups
      /test
      /test/development
      /test/production
      /test/production/stream1
      /test/production/stream2

18
Implementation and Distribution
  • Implementation details
    • Java based (1.4.1 and higher)
    • WEB UI uses JavaScript
    • Configuration scripts are written in Python (1.5 and higher)
    • Configuration files are in XML format
    • DBMS: Oracle or MySQL
  • Product distribution
    • The current distribution of VOMRS software is built with the gLite 1.4 trustmanager package and can be synchronized with gLite VOMS.
    • VOMRS components are distributed using the Pacman package manager and are available from the cache http://www.uscms.org/SoftwareComputing/Grid/VO/VOMRS
    • RPMs are available from http://www.uscms.org/SoftwareComputing/Grid/VO/downloads.html

19
Current Deployment
  • Fermilab
    • 14 instances that are synchronized with the corresponding installation of VOMS (VDT 1.3.10). VOMRS and VOMS are running on the same node.
    • Total number of registered users > 5,000
  • CERN
    • 4 instances are using the LCG Registration Type and connect to the CERN HR DB
    • 5 instances are using the General Registration Type
    • All instances are synchronized with the corresponding installation of VOMS (gLite 1.4). VOMRS and VOMS are running on the same node.
    • Total number of registered users > 1,500
  • BNL
    • 2 instances (all are synchronized with the corresponding installation of VOMS).
  • Test installations
    • 2 instances at Texas Tech University are synchronized with the corresponding installation of VOMS (VDT 1.3.7)
    • 2 instances at the University of Melbourne

20
Future
  • Privilege Project
    • Prima/SAML callouts
    • GUMS
    • gPlazma
    • VOMRS
    • SAZ

21
Summary
  • VOMRS is a successfully implemented VO
    registration service providing the means to
    better identify and communicate with VO members,
    and to assign grid privileges to them.
  • Through the use of its multiple administrative
    roles, VOMRS allows for delegation of
    responsibilities within the VO while still
    providing a high level of control over privileges
    granted.
  • As a highly configurable service, it can meet the needs of a wide variety of VOs, both in terms of membership size and complexity of privileges required.
  • Its installation at numerous sites has resulted
    in increased requests for additional features to
    improve management and control of VO membership.
  • Fermilab is committed to future support of this
    product for the LCG and OSG.
  • A lot of people took part in gathering and
    understanding requirements, testing and providing
    us with valuable feedback. Thanks a lot to all of
    them!
  • More information can be found at http://www.uscms.org/SoftwareComputing/Grid/VO
  • E-mail: vo-project@fnal.gov