Grid User Management System
Gabriele Carcassi, CHEP 04, 29 September 2004
Outline
• What GUMS is
• How it is used at BNL
• What the current functionalities are
• Roadmap and future
GUMS …
• … is a site tool
[Diagram: VOs (CMS, ATLAS) with their VOMS servers at CERN on one side; the Brookhaven National Lab site, running its own GUMS, on the other]
GUMS …
• … translates a Grid identity to a local identity (certificate -> local user)
[Diagram: /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi arrives at a Grid resource; BNL GUMS (Resource AuthZ Service, Grid Identity Mapping) returns the local user carcassi]
Simpler case shown, equivalent to grid-mapfile
GUMS …
• … is centralized: one server per site
[Diagram: several Grid resources all consulting the one BNL GUMS]
Allows identity mapping to be controlled from a single place
Keeps the site consistent
GUMS …
• … allows a site policy
[Diagram of host groups and the rules attached to each:]
Grid 3 production servers. Allow:
 – Members of the Grid 3 VO mapped to accounts taken from a pool
 – Members on a special list from a database mapped to 'special'
Test servers for USATLAS. Allow:
 – All LCG test VO mapped to 'lcgt'
 – All USATLAS group mapped to 'usatlast'
Other machines. Allow:
 – Members of … mapped to …
All group and mapping definitions are specified in a single XML file
Use at BNL since May 2004
[Diagram: VO servers (PHENIX, STAR, ATLAS), the GUMS server, the GUMS DB and the Grid resources (gatekeepers)]
1. GUMS contacts the VO servers and updates the local database with the members
2. GUMS generates the maps according to the policy and stores them in a special DB table
3. The gatekeepers contact the database to retrieve their mapping (mapfile cache)
Use at BNL: GUMS policy example

```xml
<gums>
  <persistanceFactories>
    <persistenceFactory name='mysql' className='gov.bnl.gums.MySQLPersistanceFactory' />
  </persistanceFactories>
  <!-- each groupMapping pairs a userGroup (who is a member) with an ordered chain of account mappers -->
  <groupMappings>
    <groupMapping name='usatlasPool'>
      <userGroup className='gov.bnl.gums.LDAPGroup' server='grid-vo.nikhef.nl'
                 query='ou=usatlas,o=atlas,dc=eu-datagrid,dc=org'
                 persistanceFactory='mysql' name='usatlas' />
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' />
        <accountMapping className='gov.bnl.gums.AccountPoolMapper' persistanceFactory='mysql' name='bnlPool' />
        <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1' />
      </compositeAccountMapping>
    </groupMapping>
    <groupMapping name='star'>
      <userGroup className='gov.bnl.gums.VOMSGroup'
                 url='https://vo.racf.bnl.gov:8443/edg-voms-admin/star/services/VOMSAdmin'
                 persistanceFactory='mysql' name='star'
                 sslCertfile='/etc/grid-security/hostcert.pem' sslKey='/etc/grid-security/hostkey.pem' />
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' persistanceFactory='mysql' name='bnlMapping' />
        <accountMapping className='gov.bnl.gums.NISAccountMapper' jndiNisUrl='nis://nis2.somewhere.com/rhic.bnl.gov' />
      </compositeAccountMapping>
    </groupMapping>
    …
  </groupMappings>
  <!-- hostGroups select, by hostname wildcard, which groupMappings a gatekeeper receives -->
  <hostGroups>
    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='star*.somewhere.gov' groups='star' />
    <hostGroup className="gov.bnl.gums.WildcardHostGroup" wildcard='gums.somewhere.gov' groups='star, phenix, usatlasPool' />
    …
  </hostGroups>
</gums>
```
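An added example (not GUMS code) that parses a policy in the layout shown above and answers the question a gatekeeper operator needs answered: which mapper chains apply to a given host? The trimmed policy and hostnames are constructed, and the first-match rule for overlapping wildcards is an assumption.

```python
import fnmatch
import xml.etree.ElementTree as ET
# Constructed policy in the slide's layout (element names as on the slide; hosts are invented).
POLICY = """<gums>
  <groupMappings>
    <groupMapping name='usatlasPool'>
      <userGroup className='gov.bnl.gums.LDAPGroup' name='usatlas'/>
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' name='bnlMapping'/>
        <accountMapping className='gov.bnl.gums.AccountPoolMapper' name='bnlPool'/>
        <accountMapping className='gov.bnl.gums.GroupAccountMapper' groupName='usatlas1'/>
      </compositeAccountMapping>
    </groupMapping>
    <groupMapping name='star'>
      <userGroup className='gov.bnl.gums.VOMSGroup' name='star'/>
      <compositeAccountMapping>
        <accountMapping className='gov.bnl.gums.ManualAccountMapper' name='bnlMapping'/>
        <accountMapping className='gov.bnl.gums.NISAccountMapper'/>
      </compositeAccountMapping>
    </groupMapping>
  </groupMappings>
  <hostGroups>
    <hostGroup className='gov.bnl.gums.WildcardHostGroup' wildcard='star*.somewhere.gov' groups='star'/>
    <hostGroup className='gov.bnl.gums.WildcardHostGroup' wildcard='gums.somewhere.gov' groups='star, usatlasPool'/>
  </hostGroups>
</gums>"""

def load_policy(xml_text):
    """Parse the policy: {groupMapping name: ordered mapper chain} plus the hostGroup list."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for gm in root.iter('groupMapping'):
        # keep the short class name of each mapper, in the order the chain is tried
        chain = [am.get('className', '').rsplit('.', 1)[-1] for am in gm.iter('accountMapping')]
        mappings[gm.get('name')] = chain
    hosts = []
    for hg in root.iter('hostGroup'):
        groups = [g.strip() for g in hg.get('groups').split(',')]
        missing = [g for g in groups if g not in mappings]   # a typo here would silently map nobody
        if missing:
            raise ValueError(f"hostGroup {hg.get('wildcard')} references undefined groups {missing}")
        hosts.append((hg.get('wildcard'), groups))
    return mappings, hosts

def mapper_chains_for_host(hostname, mappings, hosts):
    """Mapper chains that apply to a gatekeeper; first matching wildcard wins (an assumption)."""
    for wildcard, groups in hosts:
        if fnmatch.fnmatchcase(hostname, wildcard):
            return {g: mappings[g] for g in groups}
    return {}   # host not covered by the policy: it gets no mapping at all
```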
Open architecture
• All critical pieces are defined through interfaces and specified in the configuration
[Class diagram: HostGroup, GroupMapper, UserGroup and AccountMapper interfaces; a PersistenceFactory creates the persistence implementations behind UserGroup and AccountMapper]
Allows integration with site-specific services (e.g. HR databases, LDAP, information services, …):
1. Implement the interface (the only dependency on GUMS)
2. Put the jar in the lib folder
3. Modify the policy file
Features implemented
• Persistence:
 – MySQL
• UserGroups:
 – LDAP VO, VOMS, manual list of users (persistence)
• AccountMappers:
 – Group account, best-effort NIS mapping, account pool, manual mapping (persistence)
• All are being used at BNL
Future plans
• Version 1.0 will be ready by the OSG-0 release (February 2005)
• Target functionalities:
 – Account pooling
  • Already tested in a setup within Grid 3
 – Web service interface for GUMS
 – Role-based authorization
  • Part of the Privilege Project, a joint USATLAS and USCMS project
Account Pooling
• A generic grid user will be assigned a generic grid account (no recycling) from a pool of pre-created accounts
[Diagram: pool accounts grid0009 … grid0017; DNs such as /DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi, /DC=org/DC=doegrids/OU=People/CN=Dantong Yu and /DC=org/DC=doegrids/OU=People/CN=Razvan Popescu each assigned their own account from the pool]
• Will allow BNL cybersecurity to perform auditing
• To go into production we need to:
 1. Assign the group id after the assignment
 2. Make sure it doesn't disrupt accounting and applications
GT3 GUMS service
• Use the gatekeeper call-out to contact GUMS directly
[Diagram: VO servers (PHENIX, STAR, ATLAS), the GUMS server and GUMS DB; the Grid resources call the GUMS server directly]
Role based authorization
• Use of the call-out and of the VOMS extended proxy
[Diagram: two requests through BNL GUMS from the same Grid resource]
/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi -> carcassi
/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi with /VO=ATLAS/Group=USATLAS/Role=production-leader -> usatlasprod
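Added example, not GUMS's own code, covering the account-pool slide and the role-based mapping above in one place: a non-recycling pool, the manual / pool / group-account chain from the policy, and an FQAN rule that selects usatlasprod. The pattern form of the role rule, the membership check and the fallback to a group account when the pool runs dry are assumptions; site data is constructed.

```python
import fnmatch

# Constructed site data, not BNL's: a manual DN -> account list and the pool style from the slide.
MANUAL_MAP = {"/DC=org/DC=doegrids/OU=People/CN=Gabriele Carcassi": "carcassi"}
# Role-based rule (assumed pattern form): a VOMS FQAN with this role maps to a shared production account.
ROLE_ACCOUNTS = {"/VO=ATLAS/Group=USATLAS/Role=production*": "usatlasprod"}

class AccountPool:
    """Pool of pre-created accounts: a DN keeps its account for good, nothing is recycled."""
    def __init__(self, accounts):
        self.free = list(accounts)      # e.g. grid0009, grid0010, ... as on the slide
        self.assigned = {}              # GUMS keeps this in its database; a dict stands in here
    def map(self, dn):
        if dn in self.assigned:
            return self.assigned[dn]    # same DN, same account: this is what makes auditing possible
        if not self.free:
            raise RuntimeError("account pool exhausted; pre-create more accounts")
        self.assigned[dn] = self.free.pop(0)
        return self.assigned[dn]

def map_identity(dn, fqan, members, pool, group_account="usatlas1"):
    """Composite mapping as in the policy: role rule, then manual, then pool, then group account."""
    if dn not in members:
        return None                     # not a VO member: no local account at all
    if fqan:                            # VOMS extended proxy: the FQAN, not the DN, picks the account
        for pattern, account in ROLE_ACCOUNTS.items():
            if fnmatch.fnmatchcase(fqan, pattern):
                return account
    if dn in MANUAL_MAP:
        return MANUAL_MAP[dn]
    try:
        return pool.map(dn)
    except RuntimeError:
        return group_account            # assumed fallback: a GroupAccountMapper-style shared account

def grid_mapfile_line(dn, account):
    """One line of the gatekeeper's grid-mapfile: the DN in double quotes, then the local user."""
    return f'"{dn}" {account}'
```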