Title: Virtual Organization Membership Service eXtension (VOX)
1 Virtual Organization Membership Service eXtension (VOX)
2 Authors and contributors
- Richard Baker (BNL)
- Lothar Bauerdick (Fermilab)
- Eileen Berman (Fermilab)
- Gabriele Carcassi (BNL)
- Ian Fisk (Fermilab)
- Robert Gardner (University of Chicago)
- Gregory Graham (Fermilab)
- Leigh Grundhoefer (University of Indiana)
- Anne Heavey (Fermilab)
- Joe Kaiser (Fermilab)
- Tanya Levshina (Fermilab)
- Ruth Pordes (Fermilab)
- Vijay Sekhri (Fermilab)
- Dane Skow (Fermilab)
- John Weigand (Fermilab)
- Yujun Wu (Fermilab)
3 Presentation overview
- Introduction
- Stakeholders and collaborators
- VO Management Infrastructure at Fermilab
- VO Membership Registration Service
- Identifying the workflow
- VO Concepts
- VO Roles
- VOMRS Architecture
- WEBUI Screenshots
- What's next?
- Summary
4 Introduction
- US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and for facilitating and monitoring their authorization to access the available grid resources.
- This effort has resulted in a study and understanding of the necessary workflow, and in the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.
5 Stakeholders and Collaborators
- Stakeholders
  - US CMS
  - Fermilab Computing Facility
  - iVDGL
  - SDSS
- Collaborators
  - BNL: VOMRS architecture, registration process, common interfaces
  - EGEE (EDG)/DataTag: VOMS core and admin software
  - VDT (U of Wisconsin), Virginia Tech: ongoing communication and agreements with Globus on gatekeeper and authorization callouts
6 VO Management Infrastructure at Fermilab (I)
[Diagram: components are VOMRS, the VOMS Admin and Core Services, the Fermilab Grid Cluster with its Gatekeeper PRIMA module, GUMS and SAZ. Labelled flows: register (with VOMRS), synchronize (VOMRS with VOMS), voms-proxy-init (against the VOMS Core service), authenticate (at the gatekeeper), authorize (gatekeeper to GUMS and to SAZ).]
7 VO Management Infrastructure at Fermilab (II)
- VOX Project
  - VOMRS (VO Membership Registration Service) provides a registration service that
    - allows a single point of registration with a VO
    - facilitates, negotiates and monitors the process of a member's authorization to grid resources
    - provides centralized storage of membership information and a means to query said information
  - SAZ (Site Authorization Service) allows security authorities of the local site to control access to the site's resources
- VOMS Project
  - EGEE (EDG) VOMS Admin service provides centralized storage of member DN, CA, groups and roles, and the means to handle this data.
  - DataTag VOMS Core service gives out an extended proxy upon a member's request.
- Privilege Project automates and facilitates the process of managing fine-grain access to a local grid element
  - PRIMA authorization module at the gatekeeper
    - elicits information from provided VOMS attributes and other sources
    - queries a site-centralized grid user management server
  - GUMS (grid user management) server provides
    - site-consistent user and group assignment
    - interfaces and extensions to the data storage systems
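The authorization chain on slides 6 and 7 (gatekeeper PRIMA module consulting SAZ and GUMS on the DN and VOMS attributes carried by the proxy), as an added model that is not VOX, VOMRS or Privilege project code. The FQANs, DNs, site policy and the SAZ-before-GUMS ordering are constructed assumptions; only the component names come from the slides.

```python
# Added example (not VOX/VOMRS/Privilege project code): model of the gatekeeper
# authorization chain on slides 6-7. FQANs, DNs, policy and the SAZ-before-GUMS
# order are constructed assumptions; only the component names are the page's.
def parse_fqan(fqan):
    """'/uscms/prod/Role=production' -> (vo, group path, role); Capability= is ignored."""
    groups, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            groups.append(part)
    if not groups:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    return groups[0], "/" + "/".join(groups), role

def saz_authorize(site, dn, vo):
    """SAZ: the site's own security authority can veto regardless of VO membership."""
    if dn in site["banned_dns"]:
        return False, "SAZ: DN banned at this site"
    if vo not in site["allowed_vos"]:
        return False, f"SAZ: VO {vo} not accepted here"
    return True, "SAZ: ok"

def gums_map(site, fqans):
    """GUMS: site-consistent account mapping; a (group, role) rule beats a group-only
    rule, and the first presented attribute that has any rule wins."""
    rules = site["gums_rules"]
    for fqan in fqans:
        _, group, role = parse_fqan(fqan)
        account = rules.get((group, role)) or rules.get((group, None))
        if account:
            return account
    return None

def prima_authorize(site, dn, fqans):
    """PRIMA at the gatekeeper: DN + VOMS attributes from the proxy -> SAZ -> GUMS."""
    if not fqans:
        return None, "proxy carries no VOMS attributes"
    ok, why = saz_authorize(site, dn, parse_fqan(fqans[0])[0])
    if not ok:
        return None, why
    account = gums_map(site, fqans)
    if account is None:
        return None, "GUMS: no mapping for the presented groups/roles"
    return account, "authorized"

# Constructed site policy: one production account, one shared VO account.
SITE = {"banned_dns": {"/DC=org/DC=example/OU=People/CN=Revoked User 1"},
        "allowed_vos": {"uscms"},
        "gums_rules": {("/uscms", "production"): "cmsprod", ("/uscms", None): "uscms001"}}
```

Note that a site ban in SAZ wins even when the VO has granted the production role, which is the point of keeping a site-controlled authorization step separate from VO membership.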
8 VOMRS: Identifying the workflow
- Understand that VO registration is a multi-level process (institution, grid site, country, VO).
- Identify the necessary elements of the registration procedure and develop a model workflow.
- Identify administrative roles and responsibilities.
- Identify the various implications of our model on sites and site policies.
- Realize that the implementing technology must be flexible enough to accommodate the different levels of policies and requirements and to anticipate ongoing changes.
9 VO Concepts
- Grid, VO, Certificate (DN, CA, ...), Grid resource, Grid job
- Experiment
  - represents research activities that are specific to a particular VO.
- Group and group roles
  - an experiment contains groups. A group may have sub-groups. Groups and group roles are included as attributes in a proxy certificate.
- Institution
  - is an organization whose members participate in experiments within a particular VO.
- Grid site
  - is an institution that provides grid resources. Each site has policies that require specific personal information.
- Personal information
  - private and public data about an individual that is collected by the VO.
- Notification Event
  - an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses, if any.
10 Roles (I)
- Applicant
  - An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
- Member
  - An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
- VO administrator
  - A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.
11 Roles (II)
- Institutional VO representative
  - Vouches for the identity of an applicant.
  - Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member's institution.
- Grid site administrator
  - Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
  - Administers authorization of VO members to the site. The details are site-specific and depend on the regulations and policies of each particular site.
- Local resource provider
  - Administers authorization of a member to use the grid resource (this could include adding the member to the gridmapfile, mapping the member to a local account, etc.)
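The registration roles on slides 10 and 11 (applicant, member, VO administrator, institutional VO representative, grid site administrator, local resource provider), as an added separation-of-duties model that is not VOMRS code. It assumes, as constructed conventions, that the selected representative vouches before the VO administrator approves, that bootstrap roles are set up out of band, and the DNs and CA names used.

```python
# Added example (not VOMRS code): the registration roles on slides 10-11 as a state
# machine with role checks. Vouch-before-approval, bootstrap roles, DNs and CAs are assumptions.
APPROVED_CAS = {"/DC=org/DC=example/CN=Example Grid CA"}   # constructed
VO_INSTITUTIONS = {"Fermilab", "BNL"}                        # constructed
SITE_ROLES = {"system_administrator", "local_resource_provider"}

class Registry:
    def __init__(self, bootstrap_roles):
        self.regs = {}                      # dn -> registration record
        self.roles = dict(bootstrap_roles)  # dn -> set of administrative roles
    def has_role(self, dn, role):
        return role in self.roles.get(dn, set())

    def submit(self, dn, ca, institution, representative):
        """Applicant: VO institution, VO-approved CA, and a known representative."""
        if ca not in APPROVED_CAS:
            raise ValueError("certificate not issued by a VO-approved CA")
        if institution not in VO_INSTITUTIONS:
            raise ValueError("applicant is not from a VO institution")
        if not self.has_role(representative, "institutional_vo_representative"):
            raise ValueError("representative not on the list of known representatives")
        self.regs[dn] = {"state": "applicant", "representative": representative,
                         "vouched": False, "groups": set()}
    def vouch(self, rep_dn, applicant_dn):
        """Only the representative the applicant selected vouches for the identity."""
        if self.regs[applicant_dn]["representative"] != rep_dn:
            raise PermissionError("not the representative selected by the applicant")
        self.regs[applicant_dn]["vouched"] = True

    def decide(self, admin_dn, applicant_dn, approve):
        """VO administrator approves or denies; approval needs a vouched identity."""
        if not self.has_role(admin_dn, "vo_administrator"):
            raise PermissionError("only a VO administrator decides registrations")
        reg = self.regs[applicant_dn]
        if reg["state"] != "applicant":
            raise ValueError("no pending request for this DN")
        if approve and not reg["vouched"]:
            raise ValueError("identity not yet vouched by the representative")
        reg["state"] = "member" if approve else "denied"
        if approve:
            reg["groups"].add("/vo")   # default experiment-wide group

    def assign_role(self, granter_dn, target_dn, role):
        """Site roles come from a grid site administrator, the rest from the VO admin."""
        needed = "grid_site_administrator" if role in SITE_ROLES else "vo_administrator"
        if not self.has_role(granter_dn, needed):
            raise PermissionError(f"assigning {role} requires the {needed} role")
        if not self.can_submit_jobs(target_dn):
            raise ValueError("roles are assigned to approved members only")
        self.roles.setdefault(target_dn, set()).add(role)
    def can_submit_jobs(self, dn):
        return self.regs.get(dn, {}).get("state") == "member"
```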
12 Registration Flow
13 VOMRS Architecture
14 VOMRS WEBUI (Home page, Group page)
15 VOMRS WEBUI (registration)
16 VOMRS WEBUI (member search)
17 VOMRS WEBUI (subscribe to event)
Notification Event Example

Date: Tue, 21 Sep 2004 13:43:20 -0600
From: USCMS-admin_at_hotdog62.fnal.gov
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: undisclosed-recipients

Dear Administrator,
We have received a request from a person with Distinguished Name /DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073 issued by Certificate Authority /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 to join VO USCMS. You can check the member's personal information. You can approve or deny the member's request.
VO Administrator
18 What's Next?
- Continue collaboration with BNL, SDSS, iVDGL, the LCG User Registration Task Force, etc.
- Implement multiple new features requested by collaborators
  - VO membership expiration and renewal processes
  - Email verification
  - Interface to organizational human resource database (LCG requirement)
- Continue support for VOMRS instances installed at Fermilab and BNL
- Deploy a test installation of VOMRS at CERN
19 Summary
- The VO Membership Registration Service, which allows a grid user to become a member of a Virtual Organization, has been developed. It provides a flexible mechanism to collect members' personal data as well as to manage the registration workflow.
- Several instances of VOMRS have been deployed at Fermilab and BNL.
- We greatly appreciate the discussions, support and software contributions provided by our collaborators.
- There are still a lot of features that need to be implemented.
- More info
  - http://www.uscms.org/sc/VO
- E-mail
  - vo-project_at_fnal.gov