Title: Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources

1. Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources
- Asif Saleem, Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington
2. Overview
- Using the Virtual Organisation Management (VOM) portal
- How the VOM portal can be utilised for
  - Managing Globus Toolkit enabled resources
  - Configuring Community Authorisation Service
  - Administering ICENI
- Related Work
- Conclusions
3. Why do we need VO Management?
- VOs consist of
  - a dynamic set of distributed resources.
  - a distributed user base.
  - a distributed management infrastructure.
4. Contd.
- VOs need to provide services for
  - User authentication and authorisation
  - Defining and enforcing access control and usage policies
- Every project is having to develop its own customised VO management setup
- Need to replace the current manual processes, which do not scale well, with policy-based automated systems
5. Virtual Organisation Management (VOM) portal
- Portal for remote VO management.
- Grid service to download and upload information into the VOM database.
- Client tools to interact with the service through Grid Security Infrastructure (GSI) authenticated network connections.
- The VOM Portal facilitates
  - User registration into a VO using grid certificates.
  - Resource Access Control
  - Resource Usage Accounting and Reporting.
6. VOM Roles
- Ordinary users belonging to a VO/community wanting to use grid resources.
- Resource managers wanting to make their grid-enabled machines accessible to a VO/community.
- Administrators of a VO managing access control and monitoring usage of the constituent users and resources.
7. VOM Usage: User
- Precondition: should have a certificate issued by a CA accepted by the VO.
- Registers with the VO
  - The request is propagated to the VO Admin and, on approval, to the respective resource managers for account creation.
- Views his usage log on the web.
- Does not need to chase each site/resource in the VO and sign separate usage policy forms.
8. VOM Usage: Resource Manager
- Precondition
  - Should have a certificate issued by a CA accepted by the VO.
  - Manages/owns a grid-enabled resource
- Sets up access control and logging capability by deploying the client on his grid-enabled resource.
- Approves/Rejects/Disables user access.
- Can view own usage stats/graphs.
9. VOM Usage: VO Administrator
- Precondition
  - Should have a certificate issued by a CA accepted by the VO.
- Approves user enrolment requests through a web page.
- Manages constituent resources.
- Monitors usage of various users/resources or of the whole VO.
- Views stats/graphs of historical VO usage.
10. User Interface Workflow
11. VOM Implementation
- Server
  - Java servlets hosted in a Tomcat container
  - GT3 based web service
  - Apache with mod_jk Tomcat support
- Client
  - Java based
  - Connects to the web service using a secure (GSI) connection
12. Managing Globus Toolkit enabled resources
- Resource access control
  - through automated grid-map file management
- Resource Usage Logging and Reporting
  - through the instrumented job-managers provided
- The resource owner needs to set up the respective clients, which connect to the VOM server over a secure connection

13. Resource Access Control
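Slides 7 to 9 and 12 to 13 describe the flow that ends in an automatically managed grid-mapfile: only members the VO admin has approved, and the resource manager has not disabled, should be mapped to a local account on the resource. The following Python is an added illustration of that synchronisation, not code from the VOM project. It assumes a constructed membership export of (DN, requested account, status) records and the standard Globus grid-mapfile line format `"<subject DN>" <account>`. The checks that refuse mappings to root or to malformed account names, and the add/remove change set for the resource owner's log, are the parts a practitioner would want to keep.

```python
"""Illustrative grid-mapfile synchronisation (added example, not VOM code).

Assumptions: the portal exports VO membership as (DN, requested local
account, status) records, where status is "pending", "approved" or
"disabled" (the resource manager's disable wins over the admin's
approval); the resource's grid-mapfile is in the standard Globus format,
one entry per line:  "<subject DN>" <local account>[,<account>...]
"""
import re
from dataclasses import dataclass

# One grid-mapfile entry: quoted DN, whitespace, comma-separated accounts.
GRIDMAP_LINE = re.compile(r'^\s*"(?P<dn>[^"]+)"\s+(?P<accounts>[^\s"]+)\s*$')
# Conservative POSIX-style account name; anything else is refused.
ACCOUNT_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Local accounts a VO mapping must never point at.
FORBIDDEN_ACCOUNTS = {"root"}


@dataclass(frozen=True)
class Member:
    dn: str          # certificate subject DN as seen by GSI
    account: str     # local account requested for this DN on the resource
    status: str      # "pending", "approved" or "disabled"


def parse_gridmap(text):
    """Return {dn: [accounts]} from grid-mapfile text; reject malformed lines."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed grid-mapfile line {lineno}: {line!r}")
        mapping[m["dn"]] = m["accounts"].split(",")
    return mapping


def desired_mapping(members):
    """Entries the resource should carry: approved members only, validated."""
    mapping = {}
    for mem in members:
        if mem.status != "approved":
            continue          # pending and disabled members get no entry
        if not mem.dn.startswith("/") or '"' in mem.dn:
            raise ValueError(f"refusing suspicious DN {mem.dn!r}")
        if not ACCOUNT_NAME.match(mem.account) or mem.account in FORBIDDEN_ACCOUNTS:
            raise ValueError(f"refusing account {mem.account!r} for {mem.dn}")
        mapping[mem.dn] = [mem.account]
    return mapping


def render_gridmap(mapping):
    """Serialise a mapping back into grid-mapfile text, sorted for stable diffs."""
    lines = ["# generated from VO membership records; do not edit by hand"]
    for dn in sorted(mapping):
        lines.append(f'"{dn}" {",".join(mapping[dn])}')
    return "\n".join(lines) + "\n"


def diff_mappings(current, desired):
    """Which DNs would be added, removed or re-mapped by a sync."""
    added = sorted(set(desired) - set(current))
    removed = sorted(set(current) - set(desired))
    changed = sorted(dn for dn in set(current) & set(desired)
                     if current[dn] != desired[dn])
    return added, removed, changed


def sync_gridmap(current_text, members):
    """Compute the new grid-mapfile text and the change set to log."""
    current = parse_gridmap(current_text)
    desired = desired_mapping(members)
    return render_gridmap(desired), diff_mappings(current, desired)


# Constructed sample data: an existing grid-mapfile and the VO's member list.
SAMPLE_GRIDMAP = '''# current grid-mapfile on resource ngs-london1 (constructed)
"/C=UK/O=eScience/OU=Imperial/CN=Jane Doe" jdoe
"/C=UK/O=eScience/OU=Imperial/CN=Old User" olduser
'''
SAMPLE_MEMBERS = [
    Member("/C=UK/O=eScience/OU=Imperial/CN=Jane Doe", "jdoe", "approved"),
    Member("/C=UK/O=eScience/OU=Imperial/CN=Old User", "olduser", "disabled"),
    Member("/C=UK/O=eScience/OU=Imperial/CN=New Person", "newp", "approved"),
    Member("/C=UK/O=eScience/OU=Imperial/CN=Wait List", "waitl", "pending"),
]

if __name__ == "__main__":
    text, (added, removed, changed) = sync_gridmap(SAMPLE_GRIDMAP, SAMPLE_MEMBERS)
    print(text)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run stand-alone it prints the regenerated file and the change set. A deployed client would write the new file atomically next to the live grid-mapfile and keep the removed DNs in the resource's audit log, so that a member disabled by the resource manager visibly loses access on the next sync.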
14. Resource Usage Service
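Slides 5, 8, 9, 12 and 14 mention usage logging through instrumented job-managers and the stats/graphs that the resource manager and VO administrator see. The following Python is an added example of the accounting step, not the VOM project's code: it assumes a constructed key=value record format that an instrumented job-manager might append per finished job, totals CPU time per user DN and per resource, and flags jobs whose DN the VO does not know or whose local account differs from the one the VO mapped for that DN, which is the check an administrator monitoring usage would want alongside the totals.

```python
"""Usage accounting over instrumented job-manager records (added example,
not the VOM project's code).

Constructed assumption: each instrumented job-manager appends one
key=value line per finished job in the format shown in SAMPLE_LOG. The
report totals CPU seconds per user DN and per resource for the VO's
stats, and flags jobs whose DN is not registered in the VO or whose local
account differs from the one the VO mapped for that DN.
"""
import re
from collections import defaultdict

# Constructed log format, one job per line.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) resource=(?P<resource>\S+) dn="(?P<dn>[^"]+)" '
    r'account=(?P<account>\S+) cpu_s=(?P<cpu>\d+) wall_s=(?P<wall>\d+) '
    r'jobid=(?P<jobid>\S+)$'
)


def parse_usage(text):
    """Parse log text into a list of dicts; a malformed line is an error."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed usage record on line {lineno}: {line!r}")
        rec = m.groupdict()
        rec["cpu"] = int(rec["cpu"])
        rec["wall"] = int(rec["wall"])
        records.append(rec)
    return records


def usage_report(records, vo_mapping):
    """Aggregate CPU seconds and check each job against the VO's DN->account map."""
    by_user = defaultdict(int)
    by_resource = defaultdict(int)
    anomalies = []
    for rec in records:
        by_user[rec["dn"]] += rec["cpu"]
        by_resource[rec["resource"]] += rec["cpu"]
        expected = vo_mapping.get(rec["dn"])
        if expected is None:
            anomalies.append((rec["jobid"], "DN not registered in VO"))
        elif expected != rec["account"]:
            anomalies.append((rec["jobid"],
                              f"ran as {rec['account']}, VO maps DN to {expected}"))
    return {
        "by_user": dict(by_user),
        "by_resource": dict(by_resource),
        "total_cpu_s": sum(by_user.values()),
        "anomalies": anomalies,
    }


def cpu_hours(seconds):
    """Convert accumulated CPU seconds to hours for the stats page."""
    return round(seconds / 3600, 2)


# Constructed sample log and VO mapping (DN -> local account on the resource).
SAMPLE_LOG = """\
# constructed job-manager usage log
2004-03-01T10:15:00Z resource=ngs-london1 dn="/C=UK/O=eScience/OU=Imperial/CN=Jane Doe" account=jdoe cpu_s=3600 wall_s=4000 jobid=101
2004-03-01T11:00:00Z resource=ngs-oxford dn="/C=UK/O=eScience/OU=Imperial/CN=Jane Doe" account=jdoe cpu_s=1800 wall_s=2000 jobid=102
2004-03-01T12:30:00Z resource=ngs-london1 dn="/C=UK/O=eScience/OU=Imperial/CN=New Person" account=newp cpu_s=7200 wall_s=7300 jobid=103
2004-03-02T09:00:00Z resource=ngs-oxford dn="/C=UK/O=eScience/OU=Other/CN=Stranger" account=guest cpu_s=600 wall_s=700 jobid=104
2004-03-02T09:30:00Z resource=ngs-london1 dn="/C=UK/O=eScience/OU=Imperial/CN=New Person" account=jdoe cpu_s=300 wall_s=400 jobid=105
"""
VO_MAPPING = {
    "/C=UK/O=eScience/OU=Imperial/CN=Jane Doe": "jdoe",
    "/C=UK/O=eScience/OU=Imperial/CN=New Person": "newp",
}

if __name__ == "__main__":
    report = usage_report(parse_usage(SAMPLE_LOG), VO_MAPPING)
    print("VO total CPU hours:", cpu_hours(report["total_cpu_s"]))
    for resource, secs in sorted(report["by_resource"].items()):
        print(f"  {resource}: {cpu_hours(secs)} h")
    for jobid, reason in report["anomalies"]:
        print(f"  job {jobid}: {reason}")
```

Of the two flagged jobs in the constructed log, the unregistered DN is the one a VO administrator would query with the site, while the account mismatch points at a stale local mapping on the resource rather than at the user.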
15. Configuring Community Authorisation Service
- Allows resource providers to specify fine-grained access control for the community rather than for individual users
- The community manages itself
- grid-proxy-init -> cas-proxy-init
16. Configuring CAS
- CAS lacks a web interface for configuring a VO's trust relationships
- VOM provides a source of authenticated, authorised users
- The VO admin uses CAS to set up the VO's trust relationships (e.g. adding new users and objects) and to grant them fine-grained access control to the VO's resources.
17. Administering ICENI
- Each resource running ICENI has a
  - Domain Manager: implements fine-grained access control policies relating to the resources in the private administrative domain
  - Policy Manager: used to define access control policy at role, group, organisation or individual user level
  - Identity Manager: used to authenticate users accessing resources, and to authorise them against the access policy defined by the resource
18. ICENI Architecture
19. Contd.
- The VOM Admin can also switch the roles/groups a user belongs to within ICENI.
- Needs an ICENI plugin installed on the VOM server.
- ICENI Role Management GUI
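Slides 17 and 19 describe three cooperating pieces on an ICENI resource: an Identity Manager that turns an authenticated user into the roles and groups the VO assigned, a Policy Manager whose policy can be written at user, role, group or organisation level, and a Domain Manager that evaluates the policy, with the VOM admin able to switch a user's roles and groups. The following Python is an added illustration of that decision path, not ICENI code. Everything in it is a constructed assumption: the rule shape, the derivation of the organisation from the DN's O= component, and the evaluation order (default deny, and any matching deny overrides every allow, so a narrow deny on a group cannot be undone by a broad allow on a role). The last part of the test shows what a role switch by the VO admin changes.

```python
"""Resource-side access decision modelled on ICENI's Identity, Policy and
Domain Managers (added illustration, not ICENI code).

Constructed assumptions: an Identity is the certificate DN plus the roles
and groups the VO assigns to it, with the organisation taken from the DN's
O= component; the Policy Manager's output is a list of Rules at user, role,
group or organisation level; the Domain Manager evaluates default-deny, and
any matching deny rule overrides every allow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    dn: str
    roles: frozenset
    groups: frozenset

    @property
    def organisation(self):
        # Organisation is derived from the O= component of the DN.
        for part in self.dn.split("/"):
            if part.startswith("O="):
                return part[2:]
        return None


@dataclass(frozen=True)
class Rule:
    level: str     # "user", "role", "group" or "organisation"
    subject: str   # DN, role name, group name or organisation, per level
    resource: str  # resource name, or "*" for any
    action: str    # action name, or "*" for any
    effect: str    # "allow" or "deny"


def rule_matches(rule, ident, resource, action):
    """True if the rule applies to this identity, resource and action."""
    if rule.resource not in ("*", resource) or rule.action not in ("*", action):
        return False
    if rule.level == "user":
        return rule.subject == ident.dn
    if rule.level == "role":
        return rule.subject in ident.roles
    if rule.level == "group":
        return rule.subject in ident.groups
    if rule.level == "organisation":
        return rule.subject == ident.organisation
    raise ValueError(f"unknown policy level {rule.level!r}")


def decide(policy, ident, resource, action):
    """Domain Manager decision: default deny; a matching deny beats any allow."""
    matched = [r for r in policy if rule_matches(r, ident, resource, action)]
    if not matched:
        return "deny"
    return "deny" if any(r.effect == "deny" for r in matched) else "allow"


class IdentityManager:
    """Turns a GSI-authenticated DN into the VO's view of that user."""

    def __init__(self, registry):
        self.registry = dict(registry)   # dn -> Identity, fed from the VO portal

    def lookup(self, dn):
        return self.registry.get(dn)     # None: authenticated but not in the VO

    def set_membership(self, dn, roles, groups):
        """What a VO admin does when switching a user's roles/groups."""
        self.registry[dn] = Identity(dn, frozenset(roles), frozenset(groups))


def check_access(idm, policy, dn, resource, action):
    """Full path: identity lookup first, then policy evaluation."""
    ident = idm.lookup(dn)
    if ident is None:
        return "deny"                    # unknown DN never reaches the policy
    return decide(policy, ident, resource, action)


# Constructed sample identities and policy.
JANE = "/C=UK/O=eScience/OU=Imperial/CN=Jane Doe"
BOB = "/C=UK/O=eScience/OU=Imperial/CN=Bob Roe"
OUTSIDER = "/C=UK/O=Other/OU=Elsewhere/CN=Someone"

IDM = IdentityManager({
    JANE: Identity(JANE, frozenset({"analyst"}), frozenset()),
    BOB: Identity(BOB, frozenset({"analyst"}), frozenset({"contractors"})),
})

POLICY = [
    Rule("organisation", "eScience", "*", "read", "allow"),
    Rule("role", "analyst", "cluster-A", "submit", "allow"),
    Rule("group", "contractors", "cluster-A", "submit", "deny"),
    Rule("user", JANE, "archive", "*", "allow"),
]

if __name__ == "__main__":
    for dn, res, act in [(JANE, "cluster-A", "submit"), (BOB, "cluster-A", "submit"),
                         (BOB, "cluster-A", "read"), (OUTSIDER, "cluster-A", "read")]:
        print(dn, res, act, "->", check_access(IDM, POLICY, dn, res, act))
```

The deny-overrides choice is what makes the group-level rule useful: Bob holds the same analyst role as Jane, but his contractors group membership blocks submission until the VO admin removes him from that group, and nothing in the role rules can widen his access around the deny.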
20. Related Work
- VOMS
- CAS
- GUMS
- PERMIS
- Akenti
21. Virtual Organisation Membership Service (VOMS)
- Developed for DataTAG by INFN and for DataGrid by CERN
- Database of user roles and capabilities
- Administrative tools
- Client interface
  - voms-proxy-init
  - Uses the client interface to produce an attribute certificate (instead of a proxy) that includes roles and capabilities, signed by the VOMS server
- Works with non-VOMS services, but gives more info to VOMS-aware services
- Allows VOs to centrally manage user roles and capabilities
22. VOMS Shortcomings
- Lacks a web interface for user/resource registration
- Only maintains certificate DNs and their associated groups
- Lacks any other info, e.g. personal info, usage logs
- Does not collect any resource-specific or site-specific data
- Additional attributes in certificates do not conform to any standard -> only VOMS-enabled software can use them.
- Extensions planned at
  - EU Data Grid / LCG
    - Local Centre Authorisation Service (LCAS)
    - Local Credential MAPping Service (LCMAPS)
    - Java based Trust Manager
  - FermiLab as part of the US CMS, SDSS, and iVDGL projects
    - VOM Registration Server (VOMRS)
    - VOMS eXtension (VOX), e.g. Site AuthoriZation (SAZ) and Local Resource Authorization Service (LRAS)
23. VOM comparison with VOMS
- VOM provides the additional capability of secure web-based user registration and resource usage logging, and holds detailed info about users, resources etc.
- Both provide grid-map file management capability, in slightly different ways
- VOM does not provide attribute certificate generation capability
24. Community Authorisation Service (CAS)
- v1.0 released with Globus Toolkit version 3.2
- Allows resource providers to specify fine-grained access control for the community rather than for individual users
- The community manages itself
- grid-proxy-init -> cas-proxy-init
25. CAS Shortcomings
- Functional
  - Lacks a web front-end for user registration
  - Does not contain any info apart from DN and access rights
  - Resource logging and account mapping get complicated, due to the use of a totally new DN by CAS
- Non-Functional
  - Takes ultimate control away from site/resource owners, which is not practical in real-world scenarios
  - Built on top of Grid Security Infrastructure (GSI), hence a dependency on Globus.
  - A royalty-free license from RSA is needed to use it in other projects
  - Currently only a customised version of grid-ftp (supplied with the CAS distribution) supports CAS credentials
  - Hard to install and configure, and more a prototype than the production-ready system claimed
26. VOM comparison with CAS
- VOM provides the additional capability of secure web-based user registration and resource usage logging, and holds detailed info about users, resources etc.
- Both provide resource access control management mechanisms
  - VOM through grid-map file management
  - CAS by abstracting the grid identities (i.e. user certificates) and using the community identities at resources as the access control mechanism
- VOM does not provide new proxy certificate generation capability like CAS.
27. Grid User Management System (GUMS)
- US Atlas Grid
- Provides a user registration facility.
- Shortcomings
  - Lacks a web interface for user/resource registration, currently done through email.
(Figure: a site cron job pulls the mappings.)
28. PrivilEge and Role Management Infrastructure Standards Validation (PERMIS)
- Privilege Management Infrastructure (PMI) which uses attribute certificates conforming to the X.509 standard
- Policy-driven engine accessible through a Java API; uses LDAP to store policies and attribute certificates
- Policies are written in XML
(Figure: PERMIS architecture. The application-dependent AEF (Access control Enforcement Function) receives the user's Access Request and sends a Decision Request (e.g. DN, Access Request) to the application-independent ADF (Access control Decision Function), implemented by the PERMIS API; the ADF retrieves Policy and Role ACs from LDAP Directories and returns a Decision (e.g. Grant/Deny), after which the AEF presents the Access Request to the Target.)
29. PERMIS Shortcomings
- It just provides an authorisation framework using attribute certificates -> policy-driven authorisation
- Does not store any other data about users, e.g. personal, usage etc.
- Does not store any data about resources, sites etc.
- Not intended to provide overall VO management capability, e.g. authentication of users or accounting of user/resource usage
30. Akenti Policy Language
- Provides a policy language based on XML
- Can be used for certificate-based authorisation
- Shortcomings
  - Needs a customised front end
  - No notion of VO
- Conceptually similar to PERMIS
31. VOM comparison with PERMIS and Akenti
- VOM provides the additional capability of secure web-based user registration and resource usage logging, and holds detailed info about users, resources etc.
- Both PERMIS and Akenti provide a rich policy authorisation engine. VOM does not provide a policy authorisation language, API or engine -> complementary
32. Open Issues - VO Deployment issues
(Figure: vertical deployments set against the horizontal National Grid Service (NGS); sites shown are London 1, London 2, Cambridge 1, Cambridge 2, Manchester, Oxford and Edinburgh.)
33. Future Work
- Explicit RBAC using the proposed NIST standard
- Explicit policy management
- Separate Contract/SLA for VO, Resource and User joining the VO
  - Resource specifies minimum/average/maximum service offered
  - User specifies average/maximum service expectation
- Explore use of the GLUE information schema for import/export of user/resource info
- Explore a pure web services implementation
34. Conclusions
- VOM provides a centralised management interface for managing a VO
- Can be used for resource access control and usage accounting for the Globus Toolkit
- Can be used as a secure web interface for configuring CAS
- Can also be used for role-based identity management in ICENI
35. Acknowledgments
- Testing and evaluation of the software done with help from members of the UK Grid Engineering Task Force.
- Deployed across the Level 2 UK e-Science Grid to provide user management and accounting capability (http://www.grid-support.ac.uk/l2g/).
- Work done as part of the OSCAR-G project funded by DTI, Compusys and Intel (THBB/C/008/00028)
- CAS evaluation funded by the JISC AAA programme
36. Acknowledgements
- Director: Professor John Darlington
- Research Staff
  - Nathalie Furmento, Stephen McGough, William Lee
  - Jeremy Cohen, Marko Krznaric, Murtaza Gulamali
  - Laurie Young, Jeffrey Hau
  - David McBride, Ali Afzal
- Support Staff
  - Oliver Jevons, Sue Brookes, Glynn Cunin, Keith Sephton
- Alumni
  - Steven Newhouse, Yong Xie, Gary Kong
  - James Stanton, Anthony Mayer, Angela O'Brien
- Contact
  - http://www.lesc.ic.ac.uk/
  - e-mail: lesc@ic.ac.uk