VO Privilege Activity
VO Privilege Activity
• The VO Privilege Project develops and implements fine-grained authorization to grid-enabled resources and services
• Started Spring 2004
• Sponsored by US CMS (Fermilab) and US ATLAS (BNL)
• People: Fermilab, BNL, PPDG
• Technologies: VOMS, VOMRS, Gridmap and SRM/dCache callout interface, GUMS, gPLAZMA, and SAZ
VO Privilege Activity: Motivations
• Improve user account assignment at grid sites
  – Make user-to-account mapping flexible and dynamic, using remote Grid Identity Mapping Services
  – Base user-to-account mapping on both user role and least privilege access
• Reduce account management administrative overhead
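As an added illustration of the role-based, least-privilege user-to-account mapping the slide describes (this is not GUMS' or the project's code): the VOMS FQANs carried in a proxy are matched against a constructed site policy ordered from most to least privileged, an asserted role the site has no policy for grants nothing extra, and a plain VO member falls back to a pool account. The policy table, group names and account names are all constructed for the example.

```python
import re

# Matches a VOMS FQAN such as /cms/Role=production/Capability=NULL
FQAN_RE = re.compile(
    r"^(?P<group>/[^\s]*?)(?:/Role=(?P<role>[^/\s]+))?(?:/Capability=[^/\s]+)?$"
)

# Constructed site policy, most privileged first: (VO group, required role, local account).
# A role of None means "any member of the group" and is the least-privileged fallback.
SITE_POLICY = [
    ("/cms",   "production", "cmsprod"),
    ("/cms",   "VO-Admin",   "cmsadmin"),
    ("/cms",   None,         "cmspool"),
    ("/atlas", None,         "atlaspool"),
]

def parse_fqan(fqan):
    """Return (group, role) for a well-formed FQAN, with Role=NULL folded to None."""
    m = FQAN_RE.match(fqan)
    if m is None:
        return None
    role = m.group("role")
    return m.group("group"), (None if role in (None, "NULL") else role)

def in_group(fqan_group, policy_group):
    """/cms and its subgroups (/cms/uscms) fall under a /cms policy; /cmsx does not."""
    return fqan_group == policy_group or fqan_group.startswith(policy_group + "/")

def map_account(fqans, policy=SITE_POLICY):
    """Return (local account, matching FQAN), or (None, None) if no policy applies.

    The policy is walked from most to least privileged, so a privileged account is
    only handed out when the proxy actually asserts the corresponding role; a role
    unknown to the site is ignored and the user lands on the member pool account."""
    parsed = []
    for fqan in fqans:
        p = parse_fqan(fqan)
        if p is not None:
            parsed.append((fqan, p[0], p[1]))
    for group, role, account in policy:
        for fqan, g, r in parsed:
            if in_group(g, group) and (role is None or r == role):
                return account, fqan
    return None, None
```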
VO Privilege Activity: Architecture
[Architecture diagram: a local or remote client presents a proxy carrying VO membership and role attributes (issued by VOMS). At the site, a site-wide assertion service (SAZ) and a site-wide mapping service (GUMS, with an auxiliary mapping service) back the enforcement points: the Globus Gatekeeper on the CE uses the PRIMA callout (PRIMA C SAML libraries, PRIMA authorization service), and SRM-GridFTP on the SE uses the gPLAZMA callout (gPLAZMA with PRIMA Java SAML, the gPLAZMALite authorization services suite, and storage metadata).]
Resource Selection Service (ReSS) Activity
The Resource Selection Activity
• The Resource Selector is a component of the OSG Job Management Infrastructure.
• The project started in Sep 2005 with a planned duration of 9 months
• Sponsored by PPDG as a DZero contribution to the Common Project
• People: Fermilab, OSG TG-MIG group, PPDG
The Resource Selection Activity: Motivations
• A Resource Selector allows…
  – …expressing requirements on the resources in the job description
    • without a Resource Selector, the user is responsible for selecting the resource for the job
  – …the user to refer to abstract characteristics of the resources in the job description
    • without a Resource Selector, the user must use concrete resource attribute values in the job description (e.g. to initialize the job environment)
The Resource Selection Activity: Deliverables
• The Resource Selection Activity has two major goals
1. Enable OSG resource usage by DZero. Jobs will be prepared and data will be handled by the SAM-Grid.
2. Develop and deploy a Resource Selection Service that VOs with requirements on job management similar to DZero can use.
The Resource Selection Activity: Architecture
[Architecture diagram: on each CE (Gate1, Gate2, Gate3) a CEMon instance gathers jobs info from the cluster's job-managers and publishes classads to an Info Gatherer; the Condor Match Maker matches a job's classad against them and answers the Condor Scheduler's "What Gate?" question (Gate 3 in the example), after which the job is sent to that gate.]
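The matchmaking step from the diagram and the "abstract characteristics" motivation above, as an added example that is not the project's or Condor's own code: CE classads are plain dicts as CEMon might publish them, the job's Requirements and Rank are callables over an ad, and `$$(Attr)` placeholders in the job environment are filled from the matched ad. All ad attributes, gate names and the DZero job are constructed for the example.

```python
import re

# Constructed CE classads, as CEMon on each gate might publish them to the Info Gatherer.
CE_ADS = [
    {"Name": "Gate1", "OpSys": "LINUX", "Memory": 1024, "FreeCpus": 40, "VOs": ["cms", "dzero"]},
    {"Name": "Gate2", "OpSys": "LINUX", "Memory": 4096, "FreeCpus": 0,  "VOs": ["atlas"]},
    {"Name": "Gate3", "OpSys": "LINUX", "Memory": 2048, "FreeCpus": 12, "VOs": ["dzero"]},
]

def match_job(job, ads):
    """Match maker: keep the ads satisfying the job's Requirements, pick the best by Rank."""
    candidates = [ad for ad in ads if job["Requirements"](ad)]
    if not candidates:
        return None
    return max(candidates, key=job.get("Rank", lambda ad: 0))["Name"]

def resolve_environment(job, ad):
    """Replace $$(Attr) placeholders with values from the matched ad, so the job
    description refers to abstract resource characteristics, not a concrete gate."""
    def sub(m):
        attr = m.group(1)
        if attr not in ad:
            raise KeyError(f"matched ad has no attribute {attr}")
        return str(ad[attr])
    return {k: re.sub(r"\$\$\((\w+)\)", sub, v) for k, v in job["Environment"].items()}

# Constructed DZero job: needs a gate serving the dzero VO with free CPUs and at
# least 2 GB of memory, and prefers the gate with the most free CPUs.
DZERO_JOB = {
    "Requirements": lambda ad: "dzero" in ad["VOs"] and ad["FreeCpus"] > 0 and ad["Memory"] >= 2048,
    "Rank": lambda ad: ad["FreeCpus"],
    "Environment": {"SAM_GATE": "$$(Name)", "JOB_MEM_MB": "$$(Memory)"},
}

def select_gate(job=DZERO_JOB, ads=CE_ADS):
    """Answer the diagram's "What Gate?" and return the concrete job environment."""
    name = match_job(job, ads)
    if name is None:
        return None, {}
    ad = next(a for a in ads if a["Name"] == name)
    return name, resolve_environment(job, ad)
```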
OSG Auditing Activity
OSG Auditing Activity
• The activity develops a system to record a suitable audit trail for grid services
  – The audit trail is a set of log entries used to determine who did what, when, where and how
  – The audit trail is critical for both debugging and security investigations
• Started Winter 05
OSG Auditing: Goals
• Provide tools to the site to gather audit events, process them and correlate them, in order to facilitate post-mortem investigations and malicious use detection
  – Security concerns require that a site auditing service allow only queries that do not expose much data (e.g. yes/no questions such as: did this DN submit more than 10 jobs in the past 24 hours?). The feasibility/utility of cross-site auditing is under investigation.
• Determining what has happened in a Grid environment
  – Chain of events to follow: user contacts a resource broker, which submits to a gatekeeper, which starts a batch job, which executes on a node, which starts a file transfer, …
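The slide's example query ("did this DN submit more than 10 jobs in the past 24 hours?") worked through as an added example, not the activity's own code: gatekeeper log lines are parsed into events, and the query returns only a yes/no answer, stopping as soon as the threshold is crossed so the service never has to reveal or even compute the exact count. The log line format, service and event names, DN and timestamps are all constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (not a real OSG or Globus format):
#   2006-03-01T11:00:00Z gatekeeper JOB_SUBMIT dn="<subject DN>" jm=condor
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<service>\S+) (?P<event>\S+) '
    r'dn="(?P<dn>[^"]+)"(?: .*)?$'
)

def parse_events(lines):
    """Yield (timestamp, service, event, dn) for well-formed lines; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group("service"), m.group("event"), m.group("dn")

def submitted_more_than(lines, dn, threshold, now, window=timedelta(hours=24)):
    """Answer the slide's question as a bare yes/no; the exact count is never returned."""
    start = now - window
    count = 0
    for ts, service, event, who in parse_events(lines):
        if who == dn and service == "gatekeeper" and event == "JOB_SUBMIT" and start <= ts <= now:
            count += 1
            if count > threshold:
                return True      # enough evidence; stop before learning more than needed
    return False

# Constructed sample: 12 submissions in the last 12 hours, one older job, one transfer, one junk line.
ALICE = "/DC=org/DC=example/OU=People/CN=Alice Example"   # constructed DN
NOW = datetime(2006, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    f'{(NOW - timedelta(hours=h)).strftime("%Y-%m-%dT%H:%M:%SZ")} gatekeeper JOB_SUBMIT dn="{ALICE}" jm=condor'
    for h in range(1, 13)
] + [
    f'2006-02-27T09:00:00Z gatekeeper JOB_SUBMIT dn="{ALICE}" jm=condor',   # outside the 24 h window
    f'2006-03-01T10:00:00Z gridftp TRANSFER dn="{ALICE}" bytes=1048576',    # a transfer, not a submission
    "syslog restart: this line does not parse",
]
```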
Auditing at a site (an example)
[Diagram: GridFTP, the GK/GRAM gatekeeper and other site services write to centralized logging; a parsing/auditing service reads from it; the site's cyber security function is shown as the consumer.]
Allows one to search through events and make correlations. The user will use a GUI or command-line tools to navigate through the data, and will retrieve pointers to the actual log entries when needed.
We need to make sure the services actually provide enough information.
Some sites already have a way to collect and store logs, based on syslog or other standard practices. We want to leverage these and integrate them within the framework.
OSG Accounting Activity
OSG Accounting Activity
• The goal of the activity is to develop a system to track the consumption of OSG services and resources user by user
• Sponsored by SLAC, Fermilab and PPDG
• Started Summer 2005
• More Info: google “osg accounting”
OSG Accounting Activity: Motivation
The OSG infrastructure must provide its users with precise and reliable information about resource consumption.
Availability of such information will
• allow resource providers to directly link resource consumption with VOs and science project goals,
• improve resource planning and organization at the resource providers' sites,
• eventually, support automatic resource allocations and consumption based on an economic model.
OSG Accounting Activity: Architecture
OSG Edge Services Framework Activity
OSG Edge Services Framework Activity
• In OSG, services on the “Edge” of the Grid/Fabric site boundaries grant users access to site private services.
• Started in September 2005.
• Collaboration: Physicists, Computer Scientists & Engineers, Software Architects.
• People: US ATLAS, US CMS, Globus Alliance, ANL, U. Chicago, UC San Diego
• Web collaborative area – http://osg.ivdgl.org/twiki/bin/view/EdgeServices
OSG Edge Services Framework Activity: Vision
An OSG site provides access to a shared compute & storage cluster via two types of services: those shared between VOs, and those that are VO specific. VO-specific service deployment is made possible via a shared services framework.
OSG Edge Service Framework Activity: Motivation
• OSG has many VOs, each with many different requirements
• Resources may be partitioned into specific, VO-dedicated servers alongside shared, open grid services used by many VOs.
• Each VO may want to use different software to implement any particular kind of edge service
• Each VO may put different requirements on an edge service in terms of resource usage.
ESF - Phase 1
[Sequence of diagrams: an ESF host sits at the site beside the SE and CE, based on Xen and GT4 workspaces. The first frames show a CMS member holding Role=VO Admin interacting with the ESF host (dom0, a Xen VM); the later frames show a CMS member holding Role=VO User, with a domU now present beside dom0, alongside the site's CE and SE.]