Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community A - PowerPoint PPT Presentation

1
Using the Virtual Organisation Management portal
to manage policy within Globus Toolkit, Community
Authorisation Service and ICENI resources
  • Asif Saleem, Marko Krznaric, Jeremy Cohen, Steven
    Newhouse, John Darlington

2
Overview
  • Using Virtual Organisation Management (VOM)
    portal
  • How VOM portal can be utilised for
  • Managing Globus Toolkit enabled resources
  • Configuring Community Authorisation Service
  • Administering ICENI
  • Related Work
  • Conclusions

3
Why do we need VO Management?
  • VOs consist of
  • a dynamic set of distributed resources.
  • a distributed user base.
  • a distributed management infrastructure.

4
Contd.
  • VOs need to provide services for
  • user authentication and authorisation
  • defining and enforcing access control and usage
    policies
  • Every project is having to develop its own
    customised VO management setup
  • Need to replace current manual processes, which do
    not scale well, with policy-based automated systems

5
Virtual Organisation Management (VOM) portal
  • Portal for remote VO management.
  • Grid service to download and upload information
    into the VOM database.
  • Client tools to interact with the service through
    Grid Security Infrastructure (GSI) authenticated
    network connections.
  • VOM Portal facilitates
  • User registration into VO using grid
    certificates.
  • Resource Access Control
  • Resource Usage Accounting and Reporting.

6
VOM Roles
  • Ordinary users belonging to a VO/community
    wanting to use grid resources.
  • Resource managers wanting to make their grid
    enabled machines accessible to a VO/community.
  • Administrators of a VO managing access control &
    monitoring usage of constituent users & resources.

7
VOM Usage: User
  • Precondition: should have a certificate issued by
    a CA accepted by the VO.
  • Registers with the VO.
  • Request propagated to the VO Admin; on approval, to
    the respective resource managers for account
    creation.
  • Views his usage log on the web.
  • Does not need to chase each site/resource in the VO
    & sign separate usage policy forms.

8
VOM Usage: Resource Manager
  • Precondition
  • Should have a certificate issued by a CA accepted
    by the VO.
  • Manages/owns a grid-enabled resource.
  • Sets up access control and logging capability by
    deploying the client on his grid-enabled resource.
  • Approves/Rejects/Disables user access.
  • Can view own usage stats/graphs.

9
VOM Usage: VO Administrator
  • Precondition
  • Should have a certificate issued by a CA accepted
    by the VO.
  • Approve user enrolment requests through web page.
  • Manage constituent resources.
  • Monitor usage of various users/resources or whole
    VO.
  • View stats/graphs of historical VO usage.

10
User Interface Workflow
11
VOM Implementation
  • Server
  • Java servlets hosted in Tomcat container
  • GT3 based web service
  • Apache with mod_jk Tomcat support
  • Client
  • Java based
  • Connects to web service using secure (GSI)
    connection

12
Managing Globus Toolkit enabled resources
  • Resource access control
  • through automated grid-map file management
  • Resource Usage Logging and Reporting
  • through instrumented job-managers provided
  • Resource owner needs to setup respective clients,
    which connect to the VOM server over a secure
    connection
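One way the "automated grid-map file management" on this slide can be realised, as an added example that is not code from the presentation or the VOM project: a resource-side client step that rebuilds the Globus grid-mapfile from the VO's approval list, so that an approve or disable in the portal becomes an allow or deny at the resource. The VOM record shape (DN, local account, status), the function names and the sample DNs are assumptions constructed for this example; only the grid-mapfile syntax (quoted DN, then comma-separated local accounts) is Globus's own.

```python
import os
import re

# Grid-mapfile line (Globus format): quoted DN, then comma-separated local accounts.
LINE_RE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>[\w.,-]+)\s*$')

def parse_gridmap(text):
    """Return {dn: [accounts]}; blank lines and '#' comments are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        mapping[m.group("dn")] = m.group("accounts").split(",")
    return mapping

def sync_gridmap(current, vom_users):
    """Apply VOM approval state. vom_users: (dn, local_account, status)
    records in a constructed shape. Only 'approved' DNs stay; 'disabled'
    or 'rejected' DNs are dropped even if added by hand, so a disable in
    the portal is enforced at the resource. Returns (mapping, added, removed)."""
    wanted = {dn: [acct] for dn, acct, st in vom_users if st == "approved"}
    added = sorted(dn for dn in wanted if dn not in current)
    removed = sorted(dn for dn in current if dn not in wanted)
    return wanted, added, removed

def render_gridmap(mapping):
    """Serialise back to grid-mapfile syntax, sorted for stable diffs."""
    return "".join('"%s" %s\n' % (dn, ",".join(accts))
                   for dn, accts in sorted(mapping.items()))

def write_gridmap(path, mapping):
    """Write via temp file + rename so GSI never reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(render_gridmap(mapping))
    os.chmod(tmp, 0o644)  # readable by the gatekeeper, writable by root only
    os.replace(tmp, path)

# Constructed sample data for this example (not from the presentation).
SAMPLE_GRIDMAP = ('# managed by VOM\n"/C=UK/O=eScience/CN=alice example" alice\n'
                  '"/C=UK/O=eScience/CN=bob example" bob,grid\n')
SAMPLE_VOM_USERS = [
    ("/C=UK/O=eScience/CN=alice example", "alice", "approved"),
    ("/C=UK/O=eScience/CN=bob example", "bob", "disabled"),
    ("/C=UK/O=eScience/CN=carol example", "carol", "approved"),
]
```

The added/removed lists are what a resource manager would want written to the usage/audit log on each synchronisation run.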

13
Resource Access Control
14
Resource Usage Service
15
Configuring Community Authorisation Service
  • Allows resource providers to specify fine-grained
    access control for the community rather than
    individual users
  • Community manages itself
  • grid-proxy-init > cas-proxy-init

16
Configuring CAS
  • CAS lacks a web interface for configuring a VO's
    trust relationships
  • VOM provides a source of authenticated &
    authorised users
  • The VO admin uses CAS to setup the VO's trust
    relationships (e.g. adding new users and objects)
    and to grant them fine-grained access control to
    the VO's resources.

17
Administering ICENI
  • Each resource running ICENI has:
  • Domain Manager implements fine-grained access
    control policies relating to the resources in the
    private administrative domain
  • Policy Manager used to define access control
    policy at role, group, organisation or individual
    user level
  • Identity Manager used to authenticate users
    accessing resources, and authorise them against
    the access policy defined by the resource

18
ICENI Architecture
19
Contd.
  • The VOM Admin can also switch the roles/groups a
    user belongs to within ICENI.
  • Needs an ICENI plugin installed on the VOM server.
  • ICENI Role Management GUI

20
Related Work
  • VOMS
  • CAS
  • GUMS
  • PERMIS
  • Akenti

21
Virtual Organisation Membership Service (VOMS)
  • Developed for DataTAG by INFN and for DataGrid by
    CERN
  • Database of user roles and capabilities
  • Administrative tools
  • Client interface
  • voms-proxy-init
  • Uses the client interface to produce an attribute
    certificate (instead of a proxy) that includes
    roles & capabilities signed by the VOMS server
  • Works with non-VOMS services, but gives more info
    to VOMS-aware services
  • Allows VOs to centrally manage user roles and
    capabilities

22
VOMS Shortcomings
  • Lacks web interface for user/resource
    registration
  • Only maintains certificate DN & their assoc.
    groups info
  • Lacks any other info, e.g. personal info, usage
    logs
  • Does not collect any resource-specific or site-
    specific data
  • Additional attributes in certificates do not
    conform to any standard > only VOMS-enabled
    software can use them.
  • Extensions planned at:
  • EU Data Grid / LCG
  • Local Centre Authorisation Service (LCAS)
  • Local Credential MAPping Service (LCMAPS)
  • Java based Trust Manager
  • FermiLab as part of US CMS, SDSS, and iVDGL
    projects
  • VOM Registration Server(VOM RS)
  • VOMS eXtension (VOX) e.g. Site AuthoriZation
    (SAZ) and Local Resource Authorization Service
    (LRAS)

23
VOM comparison with VOMS
  • VOM provides additional capability of secure web
    based user registration, resource usage logging
    and holds detailed info about users, resources
    etc.
  • Both provide grid-map file management capability
    through slightly different ways
  • VOM does not provide attribute certificate
    generation capability

24
Community Authorisation Service (CAS)
  • v1.0 released with Globus Toolkit version 3.2
  • Allows resource providers to specify fine-grained
    access control for the community rather than
    individual users
  • Community manages itself
  • grid-proxy-init > cas-proxy-init

25
CAS Shortcomings
  • Functional
  • Lacks web front-end for user registration
  • Does not contain any info apart from DN & access
    rights
  • Resource logging & account mapping gets
    complicated
  • due to the use of a totally new DN by CAS
  • Non-Functional
  • Takes ultimate control away from site/resource
    owners, which is not practical in real world
    scenarios
  • Built on top of Grid Security Infrastructure
    (GSI) hence dependency on Globus.
  • royalty-free license from RSA needed to use it in
    other projects
  • Currently only a customised version of grid-ftp
    (supplied with CAS distribution) supports CAS
    credentials
  • Hard to install & configure, and more a prototype
    than the production-ready system it is claimed to be

26
VOM comparison with CAS
  • VOM provides additional capability of secure web
    based user registration, resource usage logging
    and holds detailed info about users, resources
    etc.
  • Both provide resource access control management
    mechanisms
  • VOM through grid-map file management
  • CAS by abstracting the grid identities (i.e. user
    certificates) and using the community identities
    at resources as access control mechanisms
  • VOM does not provide new proxy certificate
    generation capability like CAS.

27
Grid User Management System (GUMS)
  • US Atlas Grid
  • Provides user registration facility.
  • Shortcomings
  • Lacks a web interface for user/resource
    registration, currently through email.

[Diagram: GUMS pull model; labels: Pull, Site, cron job]
28
PrivilEge and Role Management Infrastructure
Standards Validation (PERMIS)
  • Privilege Management Infrastructure (PMI) which
    uses attribute certificates conforming to the
    X.509 standard
  • Policy driven engine accessible through a java
    API uses LDAP to store policies and attribute
    certificates
  • Policies are written in XML

[Diagram: PERMIS architecture. The application-dependent Access control Enforcement Function (AEF) receives the access request, presents it to the target, and sends a decision request (e.g. DN + access request) through the PERMIS API implementation to the application-independent Access control Decision Function (ADF); the ADF retrieves the policy and role ACs from LDAP directories and returns a decision (e.g. Grant/Deny).]
29
PERMIS Shortcomings
  • It just provides an authorisation framework using
    attribute certificates > policy-driven
    authorisation
  • Does not store any other data about users e.g.
    personal, usage etc.
  • Does not store any data about resources, sites
    etc.
  • Not intended to provide overall VO management
    capability e.g. authentication of users or
    accounting of user/resource usages

30
Akenti Policy Language
  • Provides a policy language based on XML
  • Can be used for certificate based authorisation
  • Shortcomings
  • Needs customised front end
  • No notion of VO
  • Conceptually similar to PERMIS

31
VOM comparison with PERMIS & Akenti
  • VOM provides additional capability of secure web
    based user registration, resource usage logging
    and holds detailed info about users, resources
    etc.
  • Both PERMIS & Akenti provide a rich policy
    authorisation engine. VOM does not provide a policy
    authorisation language, API or engine.
  • > complementary

32
Open Issues - VO Deployment issues
[Diagram: vertical VOs versus the horizontal National Grid Service (NGS) VO spanning the sites London 1, London 2, Cambridge 1, Cambridge 2, Manchester, Oxford and Edinburgh]
33
Future Work
  • Explicit RBAC using proposed NIST standard
  • Explicit policy management
  • Separate Contract/SLA for VO, Resource, User
    joining VO
  • Resource specifies minimum/average/maximum
    service offered
  • Users specify average & maximum service
    expectation
  • Explore use of GLUE information Schema for
    import/export of user/resource info
  • Explore pure web services implementation

34
Conclusions
  • VOM provides a centralised management interface
    for managing a VO
  • Can be used for resource access control and usage
    accounting for the Globus Toolkit
  • Can be used as a secure web interface for
    configuring CAS
  • Can also be used for role-based identity
    management in ICENI

35
Acknowledgments
  • Testing and evaluation of software done with the
    help from members of the UK Grid Engineering Task
    Force.
  • Deployed across the Level 2 UK e-Science Grid to
    provide user management and accounting capability
    (http://www.grid-support.ac.uk/l2g/).
  • Work done as part of the OSCAR-G project funded by
    DTI, Compusys & Intel (THBB/C/008/00028)
  • CAS evaluation funded by JISC AAA programme

36
Acknowledgements
  • Director Professor John Darlington
  • Research Staff
  • Nathalie Furmento, Stephen McGough, William Lee
  • Jeremy Cohen, Marko Krznaric, Murtaza Gulamali
  • Laurie Young, Jeffrey Hau
  • David McBride, Ali Afzal
  • Support Staff
  • Oliver Jevons, Sue Brookes, Glynn Cunin, Keith
    Sephton
  • Alumni
  • Steven Newhouse, Yong Xie, Gary Kong
  • James Stanton, Anthony Mayer, Angela O'Brien
  • Contact
  • http://www.lesc.ic.ac.uk/, e-mail
    lesc@ic.ac.uk