Multi-Site VOs - PowerPoint PPT Presentation


Description:

Abhishek Singh Rana and Frank Wuerthwein, UC San Diego. www.opensciencegrid.org ... UC San Diego. fkw_at_fnal.gov. The XVth International Conference on ...


Transcript and Presenter's Notes

1
gPLAZMA: grid-aware Pluggable AuthoriZation Management
(Introducing Role-based Access Control in dCache)
The XVth International Conference on Computing in High Energy and Nuclear Physics (CHEP06)
February 15, 2006, TIFR, Mumbai
Abhishek Singh Rana, UC San Diego, rana_at_fnal.gov
Frank Würthwein, UC San Diego, fkw_at_fnal.gov
2
Authors
  • RANA, Abhishek Singh (University of California, San Diego, CA, USA)
  • WÜRTHWEIN, Frank (University of California, San Diego, CA, USA)
  • PERELMUTOV, Timur (Fermi National Accelerator Laboratory, Batavia, IL, USA)
  • KENNEDY, Robert (Fermi National Accelerator Laboratory, Batavia, IL, USA)
  • BAKKEN, Jon (Fermi National Accelerator Laboratory, Batavia, IL, USA)
  • SKOW, Dane (Fermi National Accelerator Laboratory, Batavia, IL, USA)
  • FISK, Ian (Fermi National Accelerator Laboratory, Batavia, IL, USA)
  • FUHRMANN, Patrick (DESY, Hamburg, Germany)
  • ERNST, Michael (DESY, Hamburg, Germany)
3
Outline
  • OSG AuthZ approach
  • gPlazma architecture
  • gPlazma implementation
  • Example of end-to-end AuthZ for CEs and SEs
  • Status
  • Future Work

4
OSG AuthZ Approach
  • VO-Global specification of privilege attributes
    per Role.
  • Site-central mapping of each Role to the site's
    implementation of the privilege attributes.
  • Local enforcement of privilege attributes.
  • Use of VOMS extended X.509 Attribute Certificate
    specification for defining extra attributes
    (FQANs or Fully Qualified Attribute Names).
  • Based on RFC-3281. FQANs contain Role and VO
    membership information for a User.

5
OSG AuthZ Approach
  • VO defines Roles and associated privileges by
    specifying expected functionality.
  • E.g. cmssoft may install software in an area that
    is read-only for all cmsuser jobs running on the
    site/campus.
  • E.g. cmsphedex may have special access to
    SRM/dCache system.
  • Site maps VO scope identities to local scope
    identities.
  • Site wide management of mapping.
  • Service level granularity of mapping.
  • Site enforces VO privilege policies within local
    scope identities.
  • Authorization = (VO-allowed) && !(Site-vetoed)

6
[Diagram: OSG site-wide authorization architecture] A local or remote client presents a proxy carrying VO Membership and Role attributes obtained from the VO Attribute Repository. Inside the site, Host 1 runs the Site-wide Mapping Service and an Authorization Service for Services X, Y and Z, reached through a Callout Module for X and Y; Host 2 runs an Auxiliary Mapping Service, an Auxiliary Authorization Service for Service Z (with its own Callout Module for Z) and the Site-wide Assertion Service, which supplies a Veto for each of Service X, Service Y and Service Z.
7
[Diagram: the same architecture annotated with PEP and PDP markers] Legend: PEP = Policy Enforcement Point, PDP = Policy Decision Point.
8
gPLAZMA Architecture
[Diagram: gPLAZMA architecture] Entry points are the SRM Door (SRM Callout) and the GridFTP Door (GridFTP Callout). Authorization Services are Plugins selected by Switches and ordered by Priorities: Legacy Grid AuthN (gridmapfile); Legacy Storage AuthZ (dcache.kpwd); GUMS-based VO Role Mapping AuthZ; VO Role Mapping AuthZ (gPLAZMA native); Storage Metadata AuthZ applied after the identity mappings; Site Assertion; and slots for Future Additions. The VO Identity Mapping Client reaches the VO Identity Mapping Service over https/SOAP (SAML). Evaluation order: Bias DENIAL, Priority 1, Apply, producing an Assertion Response (Allow OR Deny); then Bias ACCESS, Priority 2, Apply, producing an Authorization Response (AuthZ Record). Storage Providers supply the Policies.
9
GriPhyN All Hands Meeting, Argonne National Laboratory, April 29 2005
The Open Science Grid Consortium
gPLAZMA Implementation
[Diagram: gPLAZMA implementation] The user runs voms-proxy-init to obtain a proxy with VO Membership/Role attributes, then moves DATA with srmcp against SRM-dCache (SRM Server and GridFTP Server). The SRM Callout and GridFTP Callout hand the request to gPLAZMA, whose PRIMA SAML Client sends a SAML query over https/SOAP to the Storage Authorization Service; that service asks the GUMS Identity Mapping Service ("If authorized, get username"), then the Storage metadata ("Get storage authz for this username"), and returns a SAML response carrying the User Authorization Record. The gPLAZMALite Authorization Service covers the local alternatives: gPLAZMALite grid-mapfile and dcache.kpwd.
Abhishek Singh Rana, UCSD
www.opensciencegrid.org
10
gPLAZMA Implementation
[Diagram: the implementation diagram of slide 9 with the message flow numbered 1 to 13; step 4 branches into 4a to 4d for the alternative authorization paths (https/SOAP to the Storage Authorization Service, gPLAZMALite Authorization Service, gPLAZMALite grid-mapfile, dcache.kpwd)]
11
Example of end-to-end AuthZ for CEs and SEs
12
SE SRM-dCache
  • Different doors for different authz methods.
  • Same underlying local authz mechanism.
  • Can be mapped to the site's UID/GID domain.
  • Or be restricted to SRM-dCache only.
  • Examples:
    • USCMS-VO at FNAL: Site UID domain.
    • CDF-VO at FNAL: Site Kerberos domain.

13
SE SRM-dCache
  • gPLAZMA extends the SRM-dCache separation of SE
    authz from CE authz to the OSG approach.
  1. gPLAZMA authenticates.
  2. gPLAZMA uses PRIMA Java SAML libraries to form a
    SAML query and contacts Storage Authz Service.
  3. Storage Authz Service contacts GUMS and Storage
    Metadata Service.
  4. GUMS translates DN, Membership, Role to
    Username.
  5. Storage Metadata Service translates Username to
    Storage-privilege Set.
  6. Storage-privilege Set is UID, GID, permitted
    storage area, R/W permissions.
  7. Storage-privilege Set is User-level ACL governed
    by DN, Membership, Role.
  8. Storage Authz Service forms a User Authorization
    Record into a SAML response and sends it back to
    gPLAZMA at SE.
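The eight-step flow above, together with the slide 5 rule "Authorization = (VO-allowed) && !(Site-vetoed)", modeled as an added example (not dCache or gPLAZMA code): the DNs, the storage paths and the in-memory tables standing in for SAZ, GUMS and the storage metadata are constructed, and "first FQAN that maps wins" is an assumption.

```python
from dataclasses import dataclass
# Constructed stand-ins for the real services: no network, no SAML.
SITE_VETO = {"/DC=org/DC=example/CN=revoked user"}   # SAZ: DNs the site vetoes
GUMS_ROLE_MAP = {                                     # GUMS: (VO, Role) -> username
    ("cms", "cmsphedex"): "cmsphedex",
    ("cms", "cmssoft"): "cmssoft",
    ("cms", None): "cmsuser",                         # membership without a Role
}
STORAGE_METADATA = {   # username -> (uid, gid, permitted storage area, read-write?)
    "cmsphedex": (10001, 5000, "/pnfs/example/data/cms", True),
    "cmssoft": (10002, 5000, "/pnfs/example/sw/cms", True),
    "cmsuser": (10003, 5000, "/pnfs/example/sw/cms", False),
}

@dataclass(frozen=True)
class UserAuthorizationRecord:
    """What the Storage Authz Service hands back to gPLAZMA (step 8)."""
    username: str
    uid: int
    gid: int
    root: str
    read_write: bool

def parse_fqan(fqan):
    """'/cms/Role=cmsphedex/Capability=NULL' -> ('cms', 'cmsphedex'); Role=NULL -> None."""
    parts = [p for p in fqan.split("/") if p]
    if not parts or "=" in parts[0]:
        raise ValueError("FQAN must start with the VO name")
    role = None
    for p in parts[1:]:
        if p.startswith("Role=") and p[5:] != "NULL":
            role = p[5:]
    return parts[0], role

def authorize(dn, fqans):
    """Deny-biased decision: the site veto (priority 1) is checked before any
    role mapping (priority 2). Returns a record, or None to deny."""
    if dn in SITE_VETO:
        return None
    for fqan in fqans:
        try:
            vo, role = parse_fqan(fqan)
        except ValueError:
            continue                                  # malformed FQAN: skip it
        username = GUMS_ROLE_MAP.get((vo, role))
        if username not in STORAGE_METADATA:
            continue                                  # no mapping or no privileges
        uid, gid, root, rw = STORAGE_METADATA[username]
        return UserAuthorizationRecord(username, uid, gid, root, rw)
    return None
```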

14
[Diagram, built up across slides 14 to 21: end-to-end AuthZ for CEs and SEs] A local or remote client presents a proxy with VO Membership/Role attributes issued by VOMS. At the site, the CE (Globus Gatekeeper with PRIMA callout, using the PRIMA C SAML libraries) consults GUMS, the Site-wide Mapping Service; the SE (SRM-GridFTP with gPLAZMA callout, using PRIMA Java SAML) consults the Storage Authorization Service, the Auxiliary Mapping Service built on gPLAZMA storage metadata, alongside the gPLAZMALite Authorization Services suite; SAZ is the Site-wide Assertion Service. Slides 17 and 20 annotate a PEP (Policy Enforcement Point); slide 21 labels the OGSA AuthZ interface.
22
[Diagram: the slide 14 to 21 diagram with a glossary]
  • VOMS: Virtual Organization Membership Service
  • GUMS: Grid User Management System
  • PRIMA: A System for Privilege Management and Authorization in Grids
  • gPLAZMA: grid-aware Pluggable Authorization Management System
  • SAZ: Site Authorization Service
23
[Diagram: the slide 14 to 21 diagram with credits]
  • VOMS: INFN teams, Italy
  • GUMS: Gabriele Carcassi, BNL
  • PRIMA: Markus Lorch, VT
  • gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL
  • SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL
  • SRM-dCache: DESY/FNAL teams
24
Status
  • gPLAZMA native role-based authz mode deployed at
    USCMS tier-2 production site at UCSD. Work in
    progress for deployment at tier-1 at FNAL.
  • GUMS role-based authz mode in final stages of
    development/packaging.
  • Deployment and usage of all modes on USCMS
    production dCache sites expected before Service
    Challenge 4.

25
Known Limitations
  • Not (yet) implemented for dcap.
  • Scalability of the site-central call-out is not yet
    understood (gPLAZMA native mode is a viable fallback).
  • vi/emacs is the only administrative interface.
  • Options for communicating desired policies from
    VO to site are less than satisfactory. (general
    problem of role based authz!)

26
Future Work
  • Add MySQL based backend to replace storage authz
    records configuration file.
  • Complete gPLAZMA for dcap.
  • Understand scalability of site-wide call-out.
  • Add XACML based authorization engine to
    dynamically assign storage authz mappings at
    Site.
  • Explore XACML/SAML rule-based policy declaration
    (VO-level) and policy computation (Site-level).

27
Thank You.