Grid User Management System
Gabriele Carcassi
HEPIX 2004
18 October 2004
Outline
• What GUMS is
• How it is used at BNL
• What the current functionalities are
• Roadmap and future
GUMS …
• … is a site tool
[Diagram: each site (BNL, CERN) runs its own GUMS server; each VO (ATLAS, CMS) runs its own VOMS server. GUMS is per site, VOMS is per VO.]
GUMS …
• … translates a Grid identity to a local identity (certificate -> local user)
[Diagram: a grid resource at BNL asks GUMS to map the certificate DN /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi; GUMS answers with the local user 'carcassi'.]
Resource AuthZ Service – Grid Identity Mapping. Simpler case shown, equivalent to a grid-mapfile.
GUMS …
• … is centralized: one server per site
[Diagram: one GUMS server at BNL serving several grid resources.]
Allows identity mapping to be controlled from a single place; keeps the site consistent.
GUMS …
• … allows a site policy
[Diagram: per-host policies]
– Test servers for USATLAS. Allow: all members of the LCG test VO mapped to 'lcgt'; all members of the USATLAS group mapped to 'usatlast'
– Grid3 production servers. Allow: members of the Grid3 VO mapped to accounts taken from a pool; members on a special list from a database mapped to 'special'
– Other machines. Allow: members of … mapped to …
All group and mapping definitions are specified in a single XML file
Use at BNL since May 2004
[Diagram: VO servers (ATLAS, STAR, PHENIX, …) -> GUMS server -> GUMS DB -> grid resources, each holding a local mapfile cache]
1. GUMS contacts the VO servers and updates the local database with their members
2. GUMS generates the maps according to the policy and stores them in a special DB table
3. The gatekeepers contact the database to retrieve their mapping
Use at BNL: GUMS policy example
<gums>
  <persistanceFactories>
    <persistenceFactory name='mysql' className='gov.bnl.gums.MySQLPersistanceFactory' />
  </persistanceFactories>
  <groupMappings>
    <groupMapping name='usatlasPool'>
      <userGroup className='gov.bnl.gums.LDAPGroup'
                 server='grid-vo.nikhef.nl'
                 query='ou=usatlas,o=atlas,dc=eu-datagrid,dc=org'
                 persistanceFactory='mysql' name='usatlas' />
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' />
        <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistanceFactory='mysql' name='bnlPool' />
        <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
      </compositeAccountMapping>
    </groupMapping>
    <groupMapping name='star'>
      <userGroup className='gov.bnl.gums.VOMSGroup'
                 url='https://vo.racf.bnl.gov:8443/edg-voms-admin/star/services/VOMSAdmin'
                 persistanceFactory='mysql' name='star'
                 sslCertfile='/etc/grid-security/hostcert.pem'
                 sslKey='/etc/grid-security/hostkey.pem' />
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' />
        <accountMapping className='gov.bnl.gums.NISAccountMapper' jndiNisUrl='nis://nis2.somewhere.com/rhic.bnl.gov' />
      </compositeAccountMapping>
    </groupMapping>
    …
  </groupMappings>
  <hostGroups>
    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='star*.somewhere.gov' groups='star' />
    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='gums.somewhere.gov' groups='star,phenix,usatlasPool' />
    …
  </hostGroups>
</gums>
Open architecture
• All critical pieces are defined through interfaces and specified in the configuration
[Class diagram: PersistenceFactory creates the persistence implementations; UserGroup, AccountMapper, GroupMapper and HostGroup are the other pluggable interfaces.]
Allows integration with site-specific services (e.g. HR databases, LDAP, information services, …):
1. Implement the interface (the only dependency on GUMS)
2. Put the jar in the lib folder
3. Modify the policy file
Features implemented
• Persistence:
– MySQL
• UserGroups:
– LDAP VO, VOMS, manual list of users (persistence)
• AccountMappers:
– Group account, best-effort NIS mapping, account pool, manual mapping (persistence)
• All are being used at BNL
Future plans
• Version 1.0 will be ready by the OSG-0 release (February 2005)
• Target functionalities:
– Account pooling
• Already tested in a setup within Grid3
– Web service interface for GUMS
– Role-based authorization
• Part of the Privilege Project, a joint USATLAS and USCMS project
Account Pooling
• A generic grid user will be assigned a generic grid account (no recycling) from a pool of pre-created accounts
Will allow BNL cybersecurity to perform auditing. To go in production we need to:
1. Assign the group id after the assignment
2. Make sure it doesn't disrupt accounting and applications
[Diagram: pool of pre-created accounts (…, grid0009 … grid0017, …); each certificate DN, e.g. /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi, is tied to its own pool account.]
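The following Python is an added example, not GUMS code and not BNL's policy: it models how the pieces on the policy-file, open-architecture and account-pooling slides fit together. User groups decide membership, account mappers are tried in order inside a composite mapping, host groups select which group mappings a host sees, and the pool mapper hands out pre-created accounts without ever recycling one. The class names, the two "first match wins" rules, the DNs, the pool accounts and the host names are all assumptions or constructed data.

```python
"""Model of a GUMS-style mapping policy (added example, not GUMS code).
Mirrors the shape of the XML policy above: user groups, account mappers
tried in order, a non-recycling account pool and per-host group selection.
Class names, the two "first match wins" rules and the sample DNs, pool and
hosts are assumptions / constructed data, not BNL's real policy."""
import fnmatch

class ManualUserGroup:
    """Explicit DN list; stands in for a cached LDAP/VOMS membership snapshot."""
    def __init__(self, members):
        self.members = set(members)
    def is_member(self, dn):
        return dn in self.members

class ManualAccountMapper:
    """Site-maintained DN -> account table."""
    def __init__(self, table):
        self.table = dict(table)
    def map(self, dn):
        return self.table.get(dn)

class GroupAccountMapper:
    """Everyone in the group shares one account (no per-user traceability)."""
    def __init__(self, account):
        self.account = account
    def map(self, dn):
        return self.account

class AccountPoolMapper:
    """One pre-created account per DN, assigned permanently: a pool account is
    never recycled, so a uid traces back to exactly one certificate (auditing)."""
    def __init__(self, accounts):
        self.free = list(accounts)
        self.assigned = {}
    def map(self, dn):
        if dn in self.assigned:
            return self.assigned[dn]
        if not self.free:
            return None          # pool exhausted: deny, never reuse an account
        self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]

class CompositeAccountMapper:
    """Try mappers in order; the first one that yields an account wins."""
    def __init__(self, mappers):
        self.mappers = list(mappers)
    def map(self, dn):
        for mapper in self.mappers:
            account = mapper.map(dn)
            if account:
                return account
        return None

class GroupMapping:
    def __init__(self, name, user_group, account_mapper):
        self.name, self.user_group, self.account_mapper = name, user_group, account_mapper

def groups_for_host(host, host_groups):
    """host_groups: [(wildcard, [group names])]; first matching wildcard wins."""
    for wildcard, groups in host_groups:
        if fnmatch.fnmatchcase(host, wildcard):
            return groups
    return []

def generate_map(host, host_groups, group_mappings, dns):
    """Return {dn: account} for one host. Group mappings run in policy order: the
    first group a DN belongs to decides; a member with no account stays unmapped."""
    enabled = groups_for_host(host, host_groups)
    active = [gm for gm in group_mappings if gm.name in enabled]
    result = {}
    for dn in dns:
        for gm in active:
            if gm.user_group.is_member(dn):
                account = gm.account_mapper.map(dn)
                if account:
                    result[dn] = account
                break
    return result

def to_gridmap(mapping):
    """Render as grid-mapfile lines: "<DN>" <account>."""
    return "\n".join('"%s" %s' % (dn, acct) for dn, acct in sorted(mapping.items()))

# Constructed sample policy: same shape as the XML above, invented contents.
DN_A = "/DC=org/DC=example/OU=People/CN=Alice Example"
DN_B = "/DC=org/DC=example/OU=People/CN=Bob Example"
DN_C = "/DC=org/DC=example/OU=People/CN=Carol Example"
DN_D = "/DC=org/DC=example/OU=People/CN=Dave Example"
POOL = AccountPoolMapper(["grid0001", "grid0002"])   # deliberately too small for 4 users
GROUP_MAPPINGS = [
    GroupMapping("usatlasPool", ManualUserGroup([DN_A, DN_B, DN_C, DN_D]),
                 CompositeAccountMapper([ManualAccountMapper({DN_A: "alice"}), POOL])),
    GroupMapping("star", ManualUserGroup([DN_B]),
                 CompositeAccountMapper([GroupAccountMapper("star")])),
]
HOST_GROUPS = [("star*.somewhere.gov", ["star"]),
               ("gums.somewhere.gov", ["star", "usatlasPool"])]
```

Running generate_map for gums.somewhere.gov gives Alice her manual account, Bob and Carol the two pool accounts, and leaves Dave unmapped because the pool is exhausted; running it again returns the same result, which is the "no recycling" property the auditing requirement depends on. On star01.somewhere.gov only the star group is enabled, so only Bob is mapped, to the shared 'star' account.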
GT3 GUMS service
• Use gatekeeper call-out to contact GUMS directly
[Diagram: VO servers (ATLAS, STAR, PHENIX, …) -> GUMS server with GUMS DB; the grid resources call the GUMS server directly, with no local mapfile cache.]
Role based authorization
• Use of callout and of VOMS extended proxy
[Diagram: with a plain certificate, /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi is mapped by GUMS to 'carcassi'; with a VOMS extended proxy carrying /VO=ATLAS/Group=USATLAS/Role=production-leader, the same certificate is mapped to 'usatlasprod'.]
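The following Python is an added example of the role-based mapping sketched on this slide; it is not GUMS or Privilege Project code. A certificate presented alone gets its personal account, while the same certificate whose VOMS extended proxy carries a matching FQAN gets the role account. The FQAN is parsed in the slide's /VO=…/Group=…/Role=… form; the rule table, the fqan_verified flag (the caller's statement that it checked the VOMS attribute certificate signature and holder) and all DNs, accounts and rules are assumptions or constructed data.

```python
"""Role-based mapping on VOMS attributes (added example, not GUMS or Privilege
Project code). A certificate maps to a personal account when presented alone
and to a role account when its VOMS proxy carries a matching FQAN. The FQAN
syntax is the slide's /VO=…/Group=…/Role=… form; the rule format, the
verified flag and all DNs, accounts and rules are assumptions / constructed."""
import fnmatch

def parse_fqan(fqan):
    """'/VO=ATLAS/Group=USATLAS/Role=production-leader' ->
    {'vo': 'ATLAS', 'groups': ['USATLAS'], 'role': 'production-leader'}.
    Rejects anything that is not a sequence of VO=/Group=/Role= components."""
    parsed = {"vo": None, "groups": [], "role": None}
    for part in [p for p in fqan.split("/") if p]:
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError("malformed FQAN component: %r" % part)
        if key == "VO" and parsed["vo"] is None:
            parsed["vo"] = value
        elif key == "Group":
            parsed["groups"].append(value)      # nested groups appear in order
        elif key == "Role" and parsed["role"] is None:
            parsed["role"] = value
        else:
            raise ValueError("unexpected or repeated FQAN component: %r" % part)
    if parsed["vo"] is None:
        raise ValueError("FQAN without VO: %r" % fqan)
    return parsed

# (VO pattern, group pattern, role pattern, account): first match wins. Constructed.
ROLE_RULES = [
    ("ATLAS", "USATLAS", "production*", "usatlasprod"),   # production roles
    ("ATLAS", "USATLAS", "*", "usatlas"),                 # any other USATLAS member
]

# The site's own DN -> personal account table (constructed).
PERSONAL_ACCOUNTS = {"/DC=org/DC=example/OU=People/CN=Alice Example": "alice"}

def role_account(parsed, rules=ROLE_RULES):
    """Account for a parsed FQAN, or None if no rule matches."""
    role = parsed["role"] or ""        # a proxy without Role= only matches '*'
    for vo_pat, group_pat, role_pat, account in rules:
        if (fnmatch.fnmatchcase(parsed["vo"], vo_pat)
                and any(fnmatch.fnmatchcase(g, group_pat) for g in parsed["groups"])
                and fnmatch.fnmatchcase(role, role_pat)):
            return account
    return None

def map_identity(dn, fqan=None, fqan_verified=False):
    """Gatekeeper call-out: return the local account or None (deny).
    The FQAN is honoured only when the caller states it verified the VOMS
    attribute certificate's signature and holder; an unverified attribute is
    ignored, since otherwise a client could claim any role in its own proxy."""
    if fqan and fqan_verified:
        account = role_account(parse_fqan(fqan))
        if account:
            return account
    return PERSONAL_ACCOUNTS.get(dn)
```

Two design choices are worth noting. A verified VOMS attribute is the VO's own assertion about the holder, so a role rule grants the role account even when the DN has no entry in the site's personal table; a site that wants a local deny-list would check the DN before consulting the rules. And a role the rules do not know falls back to the personal mapping rather than to a shared account, so an unexpected attribute never silently widens what the user can do.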