Post on 26-Dec-2015
VO Management in D-Grid, 2. WS, H. Enke (AstroGrid-D), 2006-12-19
AGD Grid Account Management
AGD Grid Account Management
• VO Management in running projects: EGEE gLite; Open Science Grid (OSG) – VO Privilege
• VOMRS Features
• Using VOMRS with GT4
• Pragmatic solution: volist & merge-gridmap
• manage-local-gridaccounts: Flowchart
• Serving multiple VOs & Sub-VOs
VOMS/VOMRS in EGEE gLite
[Diagram: VOMRS and VOMS in the gLite authentication chain; taken from Igor Sfiligoi, gLite Authentication]
VOMS/VOMRS in OSG
[Diagram (from Tanya Levshina, VOMRS): components VOMRS, VOMS, Globus Gatekeeper, Job Manager, GUMS (Facility Authorization Management), PRIMA, gPlazma, SAZ and SE/SRM at the Grid Facility CE. Flow: the Member registers a Certificate with VOMRS; VOMRS passes membership/privileges to VOMS; the Member obtains a Proxy Certificate and submits a job to the Globus Gatekeeper; Gatekeeper callouts (PRIMA) ask GUMS "Is authorized?" and get the uid; the job runs via the Job Manager; SE/SRM callouts (gPlazma) get uid, gid and rootpath; SAZ performs site authorization]
AGD Grid Account Management
• VOMRS: VO Management
• volist: communication
• manage-local-gridaccounts: local process
[Diagram: the Member registers a Certificate with VOMRS (VOMRSDB); the "volist" servlet delivers List(DN+ID) & more to the Grid resource, where manage-local-grid-accounts runs as a cronjob, reads localconfig, Authlists, groupname and the local grid-mapfile, and writes the grid-mapfile; the Member submits a job with a Proxy Certificate to the Globus Gatekeeper, whose Job Manager consults the grid-mapfile; a Site-RA manages the User; accounts and NFS homes are managed on the resource]
VOMRS Features
Secure and authenticated management of VO membership, grid resource authorization and privileges:
• 2-phase registration workflow to register users with a VO
• Dynamic set of collected personal information
• Management of multiple grid certificates per member
• VO-level control of member's privileges
• Email notifications of selected changes and events
• Permits delegation of responsibilities within the various VO administrators and group managers
• Manages hierarchies of groups and group roles
• Interfaces to third-party systems like VOMS
volist
Features:
• interfacing the VOMRS database via JNDI
• extracting the required information via SQL statements
• multiple options for data retrieval

SELECT CONCAT('"',a.distinguished_name,'"') AS dn, a.member_id-1 AS id
FROM member_dns a, members b
WHERE a.is_primary_ind='Y' AND a.member_id=b.member_id AND
b.member_status='Approved';

• implemented as web application for a Tomcat container
• http queries (htpasswd security)
• https queries (htpasswd security + certificate-based authentication of the host)

wget --http-user Kerr --http-passwd Einstein \
"http://mintaka.aip.de:8080/volist/vomembers?print_id=1"
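To show what the volist query above actually selects (only the primary certificate of each member, and only approved members), here is an added example that runs the same query against an in-memory SQLite database. This is not volist's own code: the table layout is reduced to the columns the query names, the rows are constructed, SQLite's `||` stands in for MySQL's CONCAT(), an ORDER BY is added for deterministic output, and the assumption that `print_id=1` appends the id after the DN is mine.

```python
import sqlite3

# Constructed sample data for the two VOMRS tables the query touches.
# Column names follow the query on the slide; the rows are invented.
MEMBERS = [
    (1, "Approved"),
    (2, "Approved"),
    (3, "Denied"),
    (4, "New"),
]
MEMBER_DNS = [
    # (member_id, distinguished_name, is_primary_ind)
    (1, "/C=DE/O=GermanGrid/OU=AIP/CN=Alice Example", "Y"),
    (1, "/C=DE/O=OldCA/OU=AIP/CN=Alice Example", "N"),      # second, non-primary cert
    (2, "/C=DE/O=GermanGrid/OU=ZIB/CN=Bob Example", "Y"),
    (3, "/C=DE/O=GermanGrid/OU=AIP/CN=Carol Example", "Y"),  # member status Denied
    (4, "/C=DE/O=GermanGrid/OU=AEI/CN=Dan Example", "Y"),    # not yet Approved
]

# The slide's query uses MySQL CONCAT(); SQLite spells concatenation as ||.
# ORDER BY is added so the output order does not depend on the join plan.
VOLIST_QUERY = """
SELECT '"' || a.distinguished_name || '"' AS dn, a.member_id - 1 AS id
FROM member_dns a, members b
WHERE a.is_primary_ind = 'Y' AND a.member_id = b.member_id
  AND b.member_status = 'Approved'
ORDER BY a.member_id
"""


def build_vomrs_db():
    """Create the in-memory stand-in for the VOMRSDB and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (member_id INTEGER PRIMARY KEY, member_status TEXT)")
    conn.execute("CREATE TABLE member_dns (member_id INTEGER, distinguished_name TEXT, "
                 "is_primary_ind TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    conn.executemany("INSERT INTO member_dns VALUES (?, ?, ?)", MEMBER_DNS)
    conn.commit()
    return conn


def vomembers(conn, print_id=True):
    """Return the member listing as the lines a resource would download.

    print_id=True is assumed to mirror vomembers?print_id=1: the VO id follows
    the quoted DN, which is already the grid-mapfile line shape minus the account.
    """
    rows = conn.execute(VOLIST_QUERY).fetchall()
    if print_id:
        return [f"{dn} {vo_id}" for dn, vo_id in rows]
    return [dn for dn, _ in rows]


if __name__ == "__main__":
    for line in vomembers(build_vomrs_db()):
        print(line)
```

Carol and Dan never appear in the listing, and Alice's second certificate is dropped because it is not her primary one; a resource that later maps this list to accounts therefore only ever sees approved, primary DNs.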
Manage local grid accounts
Flowchart, from volist/VOMRS to the local grid-mapfile:
• VOlist: fetch the member list from volist/VOMRS via wget/https
• Map to pool-account schema (prefix + format: "agd" %.3d)
• Remove non-allowed DNs (AllowedDNs)
• Remove denied DNs (DeniedDNs)
• Remap DNs to non-pool accounts (RemapDN+ID)
• Remap with local gridmap (local grid-mapfile, higher priority)
• Check account existence; log unknown accounts
• Create account for new DN; log new accounts
• Write grid-mapfile (keep copy)
• Create sudoers entries (RunAs aliases, command entries; use visudo)
Local policies: Authlists (AllowedDNs, DeniedDNs, RemapDN+ID), local grid-mapfile, prefix + format.
ManageLocalGridAccounts.pl
Features:
• queries a list of VOMRS servers via volist to generate the actual list of VO members
• parses the listing into an adaptable schema of locally configurable usernames and groups (accounts)
• creates accounts on demand, checking existence of account and home
• allows for NFS homes in cluster environments (separates creation of accounts and homes, if required)
• addition: create_remote_homes.pl takes the local list from the script and creates homes, accounts and gridmap on the NFS host via ssh (or rsh)
• creates the new gridmap file
• is designed to run as a regular cron job
• takes a list of VOMRS servers and option lists for different VO
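The flowchart and the feature list above describe the mapping step of ManageLocalGridAccounts.pl. The following is an added example of that step in Python, not the Perl script from AstroGrid-D: it parses constructed volist output ("DN" id lines), applies allow, deny, non-pool remap and local-gridmap overrides in the flowchart's order, derives pool accounts from the "agd" %.3d schema, separates accounts to create from unknown accounts that are only logged, and renders the grid-mapfile and a sudoers fragment. The configuration values, the DNs, the interpretation that only schema-generated accounts are created on demand, the alias name and the wrapper path are all assumptions made for the example; the actual creation of accounts and homes is left out.

```python
import re
from dataclasses import dataclass, field

# Constructed sample volist output, in the '"DN" id' form vomembers?print_id=1
# is assumed to return (assumption, not taken from the volist source).
ALICE_DN = "/C=DE/O=GermanGrid/OU=AIP/CN=Alice Example"
BOB_DN = "/C=DE/O=GermanGrid/OU=ZIB/CN=Bob Example"
CAROL_DN = "/C=DE/O=GermanGrid/OU=AEI/CN=Carol Example"
DAN_DN = "/C=DE/O=GermanGrid/OU=AIP/CN=Dan Example"
VOLIST_OUTPUT = (
    f'"{ALICE_DN}" 0\n'
    f'"{BOB_DN}" 1\n'
    f'"{CAROL_DN}" 2\n'
    f'"{DAN_DN}" 3\n'
)

LINE_RE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<id>\d+)\s*$')


@dataclass
class LocalConfig:
    """Local policies from the flowchart; every value is an example choice."""
    prefix: str = "agd"                                  # pool-account prefix
    id_format: str = "%.3d"                              # agd000, agd001, ...
    allowed_dns: set = field(default_factory=set)        # empty set = no allow-list
    denied_dns: set = field(default_factory=set)
    remap: dict = field(default_factory=dict)            # DN -> non-pool account
    local_gridmap: dict = field(default_factory=dict)    # local grid-mapfile, higher priority
    existing_accounts: set = field(default_factory=set)  # what getpwnam would find


def parse_volist(text):
    """Parse '"DN" id' lines; anything else is rejected so a bad download never reaches the mapfile."""
    members = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a volist entry: {line!r}")
        members.append((m.group("dn"), int(m.group("id"))))
    return members


def manage_local_grid_accounts(volist_text, cfg):
    mapping, generated, log = {}, set(), []
    for dn, vo_id in parse_volist(volist_text):
        if cfg.allowed_dns and dn not in cfg.allowed_dns:
            log.append(f"not allowed: {dn}")
            continue
        if dn in cfg.denied_dns:
            log.append(f"denied: {dn}")
            continue
        if dn in cfg.remap:                       # non-pool account from the Authlists
            mapping[dn] = cfg.remap[dn]
        else:                                     # pool-account schema: prefix + formatted id
            mapping[dn] = cfg.prefix + (cfg.id_format % vo_id)
            generated.add(mapping[dn])
    # entries of the local grid-mapfile win over anything delivered by volist
    for dn, account in cfg.local_gridmap.items():
        if dn in mapping and mapping[dn] != account:
            log.append(f"local override: {dn} -> {account}")
        mapping[dn] = account
    used = set(mapping.values())
    # only schema-generated accounts are created on demand (assumed interpretation);
    # a remapped or local account that does not exist is logged as unknown
    create = sorted(a for a in used if a in generated and a not in cfg.existing_accounts)
    unknown = sorted(a for a in used if a not in generated and a not in cfg.existing_accounts)
    log += [f"new account: {a}" for a in create]
    log += [f"unknown account (not created): {a}" for a in unknown]
    gridmap = "".join(f'"{dn}" {acct}\n' for dn, acct in sorted(mapping.items()))
    # sudoers fragment: a Runas_Alias over the mapped accounts and one command entry;
    # alias name and wrapper path are placeholders, to be installed with visudo
    sudoers = ("Runas_Alias GRIDUSERS = " + ", ".join(sorted(used)) + "\n"
               "gridadmin ALL = (GRIDUSERS) NOPASSWD: /PLACEHOLDER/path/to/job-wrapper\n")
    return {"mapping": mapping, "create": create, "unknown": unknown,
            "gridmap": gridmap, "sudoers": sudoers, "log": log}


# Example policy: Carol denied, Bob remapped to a personal account, Dan pinned
# by the local grid-mapfile to an account that does not exist yet.
EXAMPLE_CONFIG = LocalConfig(denied_dns={CAROL_DN}, remap={BOB_DN: "bob"},
                             local_gridmap={DAN_DN: "dan"}, existing_accounts={"bob"})

if __name__ == "__main__":
    result = manage_local_grid_accounts(VOLIST_OUTPUT, EXAMPLE_CONFIG)
    print(result["gridmap"], *result["log"], sep="\n")
```

Run stand-alone, the mapfile holds Alice on agd000, Dan on dan and Bob on bob, Carol is absent, agd000 is the only account queued for creation, and dan is logged as unknown rather than created, which is the distinction the flowchart draws between "create account for new DN" and "log unknown accounts".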
Serving multiple (Sub-)VOs
[Diagram: two VOMRS servers (VOMRS and VOMRSA), each with its own VOMRSDB and "volist" servlet; on the Grid resource one manage-gridmap run per configuration (ConfigVO /Alpha, ConfigVO /Omega, ConfigSub-VO /Omega/Uno), each with its Authlists and local grid-mapfile, all writing the common grid-mapfile]
Differences to GUMS
GUMS: duplicates VO-Management locally
• by creating locally another VO-management tool
• requires manual administration of local accounts
• 'is a "site tool" as opposed to a "VO tool"'
• implements (weak) interaction with gatekeepers
• substitutes the gridmap file
• requires local (Java) coding for group/account mappings
• does not generate accounts "on demand"
• does not have a clean separation of VO-Management, information retrieval and local resource policies
• requires additionally PRIMA on local resources
• requires an additional exchange mechanism for information exchange
VOMRS & UNICORE already have a clean implementation against the OGSA AuthZ Interface (callout)
Summary
Using volist + ManageLocalGridUser.pl with VOMRS: separation into three independent steps
• managing VOs with VOMRS
  – user registration
  – local RA manages membership for their users
  – central VO managers manage VO membership
• retrieval of information from VOMRS
  – volist: queries and retrieval of different sets of information, for resource providers and for other middleware: UNICORE
  – VOMS / VOMRS exchange
• local grid-account management with ManageLocalGridUser.pl
  – different mapping schema and choices
  – one-to-one mapping
D-Grid Development
Thinking ahead. Currently:
• HEP uses VOMS
• All other CG use Globus: they need VOMRS
• UNICORE will remain a special thing for HPC, but UUDB has to be served as well
• All need a regular (and flexible) means to manage their VO
Since VOMRS is independent of the underlying middleware, we should use it on the VO-Management level.
Since almost every CG uses Globus, a solution for VO Management has to be based on this fact.
VOMS relies heavily on gLite, so it is a non-option for all CG except HEP.
D-Grid Call II:
• new CG are waiting to be integrated into D-Grid
• they will base their grid infrastructure on Globus
D-Grid Development
Thinking ahead: very few CG, except HEP and AGD, have a VO-Management established; Core D-Grid registers ~30..40 users.
But: if only this amount of users comes from each CG, which hopefully will be the situation within the next year, a centralized approach will become unmanageable or inefficient (aka: users with certificates waiting on end to be registered on local resources, which already now is a common experience).
Consequence: establishing a CG-centered VO-level management now, with
• a VOMRS for each CG
• interchange of data between those servers on a regular basis
• separating VO-Management and local user management
• linking both with simple tools
will be an absolute necessity now.
Inefficient VO-Management is one of the main obstacles for getting users interested in grid infrastructure, and thus for the transformation from a playground for informatics enthusiasts into a production means for science.