OSG Update
Bob Cowles, bob.cowles@slac.stanford.edu
Many of the pictures courtesy of Abhishek Rana
EGEE Middleware Security Group Meeting 7 – Amsterdam – 14-15 December 2005
15 Dec 2005 MWSG 7
OSG use of VOMS
• A VO service (one per VO) that provides extended proxies with signed group and role membership
• Vincenzo Ciaschini, INFN - Karoly Lorentey, et al.
Use case
• A VO compiles a list of users that can use data production resources
• When acting as data production coordinator, the user gets a “token” from the VO that states he is authorized to act in that role
• The user presents that token to the site when submitting a job or initiating a file transfer
• The service maps the user to a different account based on the role
• The different account allows access to restricted resources or a different class of service (i.e. file access, higher queue priorities, special pool of machines, …)
An example (diagram; labels only): voms-proxy-init, User, Submission site, VOs, Execution site, GUMS Server, PRIMA, Gatekeeper, grid3-user…txt, gums-host
VOMRS
• VO service that manages the registration process, and feeds the list of currently approved members to VOMS
• VOMRS 1.2.0 has been released on October 4th, 2005 (new features, bug fixes, Oracle support)
• VOMRS 1.2.1_GLITE (gLite 1.4 package + gLite patches) has been released on November 15th, 2005
• VOMRS is installed at:
  – Fermilab (10 installations)
  – BNL (2 installations)
  – CERN (8 installations)
  – Texas Tech University (2 installations)
  – University of Melbourne (1 installation)
VOMRS/VOMS fits … (diagram)
VOMRS/VOMS within the scope of GRID Services (diagram; labels only): Common Middleware & Services, GRID Middleware & Interfaces, Authentication & Authorization, Virtual Organization Administration, Security Infrastructure, PRIMA, GUMS, VOMRS, VOMS, SAZ
VOMRS (Scope and Services)
Scope: investigate and implement both policy-related and technical requirements for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources.
• implements a registration workflow that requires
  – email verification of identity
  – VO usage policy acceptance
  – membership approval by designated VO representatives/administrators
• management of multiple grid certificates per user
• selection of groups and roles by the user, and management of groups and group role assignments by various VO administrators
• maintains a VO membership status and a certificate-level status for each member, with VO-level control of a member's privileges and membership
• sends email notifications when selected changes are made to a member's VO membership status and/or when required by members or administrators
• provides for VO control over its trusted set of Certificate Authorities (CAs)
• interface (optional) to local systems with personnel information (e.g., the CERN Human Resource Database, SAM DB), pulling or pushing relevant member information from/to them
• VOMRS membership data can be configured to synchronize with the VOMS system (developed jointly for DataTAG by INFN and for DataGrid by CERN) with all approved members' certificates and privileges
VOMRS & Grid VO Management (ex) (diagram)
Plans for 2006
Development:
• Working on new release v1.2.2
  – VOMRS/SAM Registration support
  – Bug fixes
Maintenance and Support:
• FermiGrid support
• Ongoing work with the LCG Task Force:
  – Migration from LDAP VO to VOMRS
  – Performance issues with the CERN Human Resource DB
  – Oracle issues
• Working on integration with VDT
PRIMA & GUMS
• PRIMA: The gatekeeper callout module that is able to contact a site Authorization service to retrieve the mapping
• GUMS: A site Authorization service that manages site-wide mapping
Privilege Fits … (diagram; labels only): Facilitates Job Priority And Storage Access; Privilege Infrastructure Naturally fits Here; Could help Facilitate
Scope & Services
• The primary goal of this phase of the project was to deliver the execution call-out for finer-grained authorization of processing resources
  – Generate an extended proxy based on role information stored in VOMS
  – Module to parse extended attribute certificates
  – Communicate the information to an identity mapping service in a secure manner
  – Return the information to the Globus gatekeeper
  – Map the user to a specified UID
Status
• Privilege has delivered an infrastructure that has been deployed on OSG
  – The authorization system has been deployed on all CMS T2 centers, the T1 at FNAL, FermiGrid, BNL, etc.
  – CMS and ATLAS have defined roles that can be implemented within VOMS
• VOMS extended proxy is parsed by the PRIMA callout and given to GUMS for authentication
• User is either assigned to a specified account or a pool of accounts
  – Pool mapping is maintained persistently between sessions
• Release for pre-web service globus-gatekeeper callout is stable
  – Relatively light operations support
  – A couple of tickets a month, so far rapidly solved
• The infrastructure does the basic elements from the initial proposal for the processing gatekeeper
  – Room for performance and functionality improvements, but fast enough for now
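The mapping step that the Use case, Scope & Services and Status slides describe (a VOMS role mapped to a fixed account, a plain group membership mapped to a pool account that the same user keeps between sessions, and one audit line per decision), written out as an added Python illustration. This is not GUMS or PRIMA code: the FQAN grammar follows VOMS, but the rule format, the account names, the DNs and the audit-log line format are assumptions made for this example.

```python
"""Added illustration of a site identity-mapping service of the kind the
Use case, Scope & Services and Status slides describe.  Not GUMS or PRIMA
code: the FQAN syntax follows VOMS, but the rule format, account names,
DNs and audit-log format are assumptions made for this example."""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# VOMS fully qualified attribute name: /vo[/group...][/Role=<r>][/Capability=<c>]
FQAN_RE = re.compile(
    r"^(?P<group>/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*)"
    r"(?:/Role=(?P<role>[A-Za-z0-9_.-]+))?"
    r"(?:/Capability=(?P<cap>[A-Za-z0-9_.-]+))?$"
)


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """Split an FQAN into (group, role); a missing or NULL role becomes None.
    Input that does not match the grammar is rejected rather than guessed at."""
    m = FQAN_RE.match(fqan)
    if m is None:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    role = m.group("role")
    return m.group("group"), (None if role in (None, "NULL") else role)


@dataclass
class MappingRule:
    group: str                          # FQAN group (or prefix) the rule covers
    role: Optional[str]                 # required role; None matches any role
    account: Optional[str] = None       # fixed account (role-based mapping) ...
    pool: Optional[List[str]] = None    # ... or a pool of accounts (group mapping)


@dataclass
class MappingService:
    rules: List[MappingRule]
    # "DN|group" -> pool account; kept across sessions so a user keeps the same account
    pool_state: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def map_user(self, dn: str, fqans: List[str]) -> str:
        """Return the local account for this DN and its VOMS attributes.
        FQANs are tried in the order presented (VOMS lists the primary one first)
        and rules in configuration order; the first match wins."""
        for fqan in fqans:
            group, role = parse_fqan(fqan)
            for rule in self.rules:
                if group != rule.group and not group.startswith(rule.group + "/"):
                    continue
                if rule.role is not None and rule.role != role:
                    continue
                account = rule.account or self._pool_account(dn, rule)
                self._log(dn, fqan, account)
                return account
        self._log(dn, fqans[0] if fqans else "-", "DENIED")
        raise PermissionError(f"no mapping for {dn} with {fqans}")

    def _pool_account(self, dn: str, rule: MappingRule) -> str:
        key = f"{dn}|{rule.group}"
        if key in self.pool_state:
            return self.pool_state[key]          # persistent: same DN, same account
        in_use = set(self.pool_state.values())
        for acct in rule.pool or []:
            if acct not in in_use:
                self.pool_state[key] = acct
                return acct
        raise RuntimeError(f"account pool for {rule.group} exhausted")

    def _log(self, dn: str, fqan: str, account: str) -> None:
        # One line per decision, so an account can later be traced back to a DN.
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append(f'{ts} dn="{dn}" fqan={fqan} account={account}')

    def save_state(self) -> str:
        return json.dumps(self.pool_state)

    @classmethod
    def load_state(cls, rules: List[MappingRule], state: str) -> "MappingService":
        return cls(rules, pool_state=json.loads(state))


# Constructed sample configuration (not a real site's rules).
RULES = [
    MappingRule("/cms", "production", account="cmsprod"),   # role -> fixed account
    MappingRule("/cms", None, pool=["cms001", "cms002"]),   # any /cms member -> pool
    MappingRule("/atlas", None, pool=["atlas001"]),
]

if __name__ == "__main__":
    svc = MappingService(RULES)
    print(svc.map_user("/DC=org/DC=example/CN=Alice", ["/cms/Role=production/Capability=NULL"]))
    print(svc.map_user("/DC=org/DC=example/CN=Bob", ["/cms/Role=NULL/Capability=NULL"]))
    print("\n".join(svc.audit))
```

Rule order matters: the role-specific rule is listed before the catch-all group rule, so a production-role proxy lands on the fixed account while a plain member falls through to the pool. The pool state is what survives a restart; without it, the same DN could receive a different pool account tomorrow and the audit trail for that account would become ambiguous.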
Privilege Plans
There are 3 significant pieces of work facing the Privilege Developers
• Implementation of the callout for storage
  – This is work that we expected to have completed already. Slowed due to communication and available effort issues.
  – The gPlasma architecture designed by Abhishek Rana at UCSD with help from CCF should allow the same consistent mapping received by the Globus Gatekeeper to be available to the SRM interface
• Expected for scale deployment at FNAL by the end of the year
• The desire to deploy the GT4 Web services requires a callout for privilege
  – Gabriele C. and G., and Vikram have made good progress
  – Currently waiting on a patch from Globus
• Progress is somewhat dependent on others
• Hopefully a production release by early January
• The final piece of work is a detailed survey of deployment experiences and an understanding of the level of adoption on OSG sites
  – Documentation Project
GUMS References
• http://grid.racf.bnl.gov/GUMS/
• OpenSAML renaming: http://grid.racf.bnl.gov/GUMS/components/privilege/opensaml.html
• VOMS version problem: http://grid.racf.bnl.gov/GUMS/troubleshootingFaq.html#VOMS1x
OSG and EGEE/LCG
• VOMS
  – Smooth transitions between versions are extremely important
  – Integral part of future development
  – Key to interoperability with EGEE
• LCAS
  – Need to highlight (resolve?) compatibility issues with PRIMA/GUMS
OSG – Other Issues
• Interest in GLexec with GUMS & PRIMA
• Great interest in user traceability
  – http://grid.racf.bnl.gov/GUMS/troubleshootingFaq.html#logs
  – Bridging portals and inter-grid
  – Only service cert presented at boundary
  – What are the high-level and low-level requirements?
• Need to participate in vulnerability work
• EGEE policy web pages
  – Uniform format / template?
  – Mix human / machine readable?
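One concrete form of the user-traceability need on this slide is answering "which grid identity was behind local account X at time T?" from the mapping service's audit log. The Python below is an added example, not GUMS's own log tooling: the log line format and the DNs are constructed for illustration, and the window-based lookup deliberately returns every DN that held a pool account in the window, because a reassigned pool account is exactly the ambiguity an investigator has to resolve.

```python
"""Added example: tracing a local account back to the grid identity behind it
from a mapping service's audit log.  The line format and the sample lines are
constructed for this illustration; this is not GUMS's own log format or tooling."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

LINE_RE = re.compile(
    r'^(?P<ts>\S+) dn="(?P<dn>[^"]+)" fqan=(?P<fqan>\S+) account=(?P<account>\S+)$'
)


class Record(NamedTuple):
    ts: datetime
    dn: str
    fqan: str
    account: str


# Constructed sample audit log (illustrative DNs, not real users or sites).
SAMPLE_LOG = """\
2005-12-14T09:00:00+00:00 dn="/DC=org/DC=example/CN=Alice" fqan=/cms/Role=production account=cmsprod
2005-12-14T09:05:00+00:00 dn="/DC=org/DC=example/CN=Bob" fqan=/cms/Role=NULL account=cms001
2005-12-14T10:00:00+00:00 dn="/DC=org/DC=example/CN=Carol" fqan=/atlas/Role=NULL account=atlas001
2005-12-14T11:30:00+00:00 dn="/DC=org/DC=example/CN=Bob" fqan=/cms/Role=NULL account=cms001
2005-12-14T12:00:00+00:00 dn="/DC=org/DC=example/CN=Dave" fqan=/lhcb/Role=NULL account=DENIED
this line is not an audit record and must be skipped, not misparsed
"""


def parse_log(text: str) -> List[Record]:
    """Parse audit lines; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        records.append(Record(datetime.fromisoformat(m.group("ts")),
                              m.group("dn"), m.group("fqan"), m.group("account")))
    return records


def who_used(account: str, at: datetime, records: List[Record],
             window: timedelta = timedelta(hours=24)) -> List[str]:
    """Distinct DNs mapped to `account` within `window` before `at`, most recent first."""
    hits = [r for r in records if r.account == account and at - window <= r.ts <= at]
    seen: List[str] = []
    for r in sorted(hits, key=lambda r: r.ts, reverse=True):
        if r.dn not in seen:
            seen.append(r.dn)
    return seen


def trace(account: str, at_iso: str, log_text: str = SAMPLE_LOG) -> List[str]:
    """Convenience wrapper: account + ISO-8601 timestamp -> candidate DNs."""
    return who_used(account, datetime.fromisoformat(at_iso), parse_log(log_text))


def denied(records: List[Record]) -> List[Tuple[str, str]]:
    """(DN, FQAN) pairs the mapping service refused; worth reviewing for misconfiguration."""
    return [(r.dn, r.fqan) for r in records if r.account == "DENIED"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("cms001 at 12:00 ->", who_used("cms001", datetime.fromisoformat("2005-12-14T12:00:00+00:00"), recs))
    print("denied ->", denied(recs))
```

The "only service cert presented at boundary" bullet is the case this lookup cannot solve on its own: when a portal or inter-grid bridge presents its own service certificate, the DN in the audit line identifies the portal, not the person behind it, and the trace has to continue in the portal's own logs.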