Virtual Organization Membership Service eXtension (VOX) - PowerPoint PPT Presentation

1
Virtual Organization Membership Service eXtension (VOX)
  • Ian Fisk
  • Fermilab

2
Authors and contributors
  • Richard Baker (BNL)
  • Lothar Bauderick (Fermilab)
  • Eileen Berman (Fermilab)
  • Gabriele Carcassi (BNL)
  • Ian Fisk (Fermilab)
  • Robert Gardner (University of Chicago)
  • Gregory Graham (Fermilab)
  • Leigh Grundhoefer (University of Indiana)
  • Anne Heavey (Fermilab)
  • Joe Kaiser (Fermilab)
  • Tanya Levshina (Fermilab)
  • Ruth Pordes (Fermilab)
  • Vijay Sekhri (Fermilab)
  • Dane Skow (Fermilab)
  • John Weigand (Fermilab)
  • Yujun Wu (Fermilab)

3
Presentation overview
  • Introduction
  • Stakeholders and collaborators
  • VO Management Infrastructure at Fermilab
  • VO Membership Registration Service
  • Identifying the workflow
  • VO Concepts
  • VO Roles
  • VOMRS Architecture
  • WEBUI Screenshots
  • What's next?
  • Summary

4
Introduction
  • US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab,
    the VOX Project (VO Management Service eXtension), to
    investigate and implement the requirements, both policy-related
    and technical, for admitting collaborators into a VO, and
    facilitating and monitoring their authorization to access the
    available grid resources.
  • This effort has resulted in a study and understanding of the
    necessary workflow, and the creation of a prototype
    VO Membership Registration Service (VOMRS), which is a
    principal component of the VOX project.

5
Stakeholders and Collaborators
  • Stakeholders
      • US CMS
      • Fermilab Computing Facility
      • iVDGL
      • SDSS
  • Collaborators
      • BNL: VOMRS architecture, registration process,
        common interfaces
      • EGEE (EDG)/DataTag: VOMS core and admin software
      • VDT (U of Wisconsin), Virginia Tech: ongoing
        communication and agreements with Globus on
        gatekeeper and authorization callouts

6
VO Management Infrastructure at Fermilab (I)
[Diagram: VOMS Admin and Core Services; VOMRS; Fermilab Grid Cluster; Gatekeeper PRIMA module; GUMS; SAZ. Arrow labels: register, voms-proxy-init, synchronize, authenticate, authorize.]

7
VO Management Infrastructure at Fermilab (II)
  • VOX Project
      • VOMRS (VO Membership Registration Service)
        provides a registration service that
          • allows a single point of registration with a VO
          • facilitates, negotiates and monitors the process
            of a member's authorization to grid resources
          • provides centralized storage of membership
            information and a means to query said information
      • SAZ (Site Authorization Service) allows security
        authorities of the local site to control access
        to the site's resources
  • VOMS Project
      • EGEE (EDG) VOMS Admin service provides
        centralized storage of member DN, CA, groups and
        roles, and a means to handle this data.
      • DataTag VOMS Core service gives out an extended
        proxy upon a member's request.
  • Privilege Project automates and facilitates the
    process of managing fine-grained access to a local
    grid element
      • PRIMA authorization module at the gatekeeper
          • elicits information from provided VOMS attributes
            and other sources
          • queries a site centralized grid user management
            server
      • GUMS (grid user management) server provides
          • site-consistent user and group assignment
          • interfaces and extensions to the data storage
            systems
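
An added illustration (not from the presentation and not code from PRIMA, GUMS or SAZ): a simplified Python model of the decision chain on this slide, in which the gatekeeper reads the VOMS group/role attribute from the proxy, lets a SAZ-like site check veto the request, and then asks a GUMS-like policy for the local account. The DNs, groups, accounts, policy layout, function names and the rule that the first attribute drives the mapping are all assumptions.

```python
# Added illustration: simplified model of the gatekeeper decision chain.
# DNs, groups, accounts, policy layout and function names are constructed.
SAZ_BANNED_DNS = {"/DC=org/DC=example/OU=People/CN=Banned User 1"}
SAZ_ALLOWED_VOS = {"uscms"}

# GUMS-like policy: (group prefix, required role or None, local account).
GUMS_POLICY = [
    ("/uscms/production", "admin", "cmsprod"),
    ("/uscms/production", None, "cmsuser"),
    ("/uscms", None, "uscms01"),
]

def parse_fqan(fqan):
    """Split '/vo/group/Role=x' into (group path, role or None)."""
    groups, role = [], None
    for part in (p for p in fqan.split("/") if p):
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value in ("", "NULL") else value
        elif not part.startswith("Capability="):
            groups.append(part)
    return "/" + "/".join(groups), role

def saz_authorize(dn, vo):
    """Site-level veto: the local security authority can refuse a DN or a VO."""
    return dn not in SAZ_BANNED_DNS and vo in SAZ_ALLOWED_VOS

def gums_map(group, role):
    """Most specific group wins; a rule naming a role needs exactly that role."""
    best = None
    for prefix, rule_role, account in GUMS_POLICY:
        in_group = group == prefix or group.startswith(prefix + "/")
        if not in_group or (rule_role is not None and rule_role != role):
            continue
        rank = (len(prefix), rule_role is not None)
        if best is None or rank > best[0]:
            best = (rank, account)
    return best[1] if best else None

def gatekeeper_decide(dn, fqans):
    """Return the local account for the job, or None to deny."""
    if not fqans:
        return None  # no VOMS attributes in the proxy: nothing to map
    group, role = parse_fqan(fqans[0])  # assumption: first attribute is primary
    vo = group.strip("/").split("/")[0]
    if not saz_authorize(dn, vo):
        return None
    return gums_map(group, role)
```

The group match is done on whole path components, so a group such as `/uscms/productionx` falls back to the VO-wide account instead of inheriting the production mapping.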

8
VOMRS: Identifying the workflow
  • Understand that VO registration is a multi-level
    process (institution, grid site, country, VO).
  • Identify necessary elements of the registration
    procedure and develop a model workflow.
  • Identify administrative roles and
    responsibilities.
  • Identify various implications of our model on
    sites and site policies.
  • Realize that the implementing technology must be
    flexible to accommodate the different levels of
    policies and requirements and to anticipate
    ongoing changes.

9
VO Concepts
  • Grid, VO, Certificate (DN, CA, ...), Grid resource,
    Grid job
  • Experiment
      • represents research activities that are specific
        to a particular VO.
  • Group and group roles
      • an experiment contains groups. A group may have
        sub-groups. Group and group roles are included
        as attributes in a proxy certificate.
  • Institution
      • is an organization whose members participate in
        experiments within a particular VO.
  • Grid site
      • is an institution that provides grid resources.
        Each site has policies that require specific
        personal information.
  • Personal information
      • private and public data about an individual that
        is collected by the VO.
  • Notification Event
      • an action taken by the registration software that
        notifies interested members of a change within the
        VO and describes any required responses, if any.

10
Roles (I)
  • Applicant
      • An experimenter who belongs to one of the VO
        institutions and possesses a certificate from one
        of the VO-approved Certificate Authorities. An
        applicant has submitted a VO registration form
        but has not yet been approved.
  • Member
      • An applicant who has been approved. A member can
        submit jobs to the Grid. By default a member is
        assigned to an experiment-wide group.
  • VO administrator
      • A designated VO member who is in charge of
        registration and has access to all information
        collected by the VO. He is responsible for
        assigning administrative roles.

11
Roles (II)
  • Institutional VO representative
      • Vouches for the identity of an applicant.
      • Upon registration a member can select a
        representative from the list of known
        representatives. The selected representative does
        not necessarily belong to the member's
        institution.
  • Grid site administrator
      • Assigns/revokes the role of System Administrator
        or Local Resource Provider to/from the VO members
        affiliated with the site.
      • Administers authorization of a VO member to the
        site. The details are site specific and depend
        on the regulations and policies of each particular
        site.
  • Local resource provider
      • Administers authorization of a member to use the
        grid resource (this could include addition of
        this member to the gridmapfile, mapping the member
        to a local account, etc.)

12
Registration Flow

13
VOMRS Architecture

14
VOMRS WEBUI (Home page, Group page)

15
VOMRS WEBUI (registration)

16
VOMRS WEBUI (member search)

17
VOMRS WEBUI (subscribe to event)

Notification Event Example

Date: Tue, 21 Sep 2004 13:43:20 -0600
From: USCMS-admin_at_hotdog62.fnal.gov
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: undisclosed-recipients

Dear Administrator,

We have received a request from a person with Distinguished Name /DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073 issued by Certificate Authority /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1 to join VO USCMS. You can check member's personal information. You can approve or deny member's request.

VO Administrator

18
What's Next?
  • Continue collaboration with BNL, SDSS, iVDGL,
    LCG User Registration Task Force, etc.
  • Implement multiple new features requested by
    collaborators
      • VO membership expiration and renewal processes
      • Email verification
      • Interface to organizational human resource
        database (LCG requirement)
  • Continue support for VOMRS instances installed at
    Fermilab and BNL
  • Deploy test installation of VOMRS at CERN

19
Summary
  • The VO Membership Registration Service, which allows a grid
    user to become a member of a Virtual Organization, has been
    developed. It provides a flexible mechanism to collect
    members' personal data as well as manage registration
    workflow.
  • Several instances of VOMRS have been deployed at Fermilab
    and BNL.
  • We greatly appreciate discussions, support and software
    contributions provided by our collaborators.
  • There are still a lot of features that need to be
    implemented.
  • More info: http://www.uscms.org/sc/VO
  • E-mail: vo-project_at_fnal.gov