EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks
VOMS Admin 2.5 (End of Phase I of VOMS/VOMRS convergence)
Andrea Ceccanti
EGEE '09, September 2009, Barcelona
Typical VOMS/VOMRS Setup
VOMS/VOMRS Convergence
• Goal:
– extend VOMS Admin functionalities so that all the main VOMRS features are implemented
• Why?
– to have (in the long term) only one VOMS registration service that works well and is easier to deploy/maintain/evolve!
– starting with voms-admin version 2.5, VOMS Admin and VOMRS have a large set of common functionality
– maintaining two separate services that implement (more or less) the same functionality complicates deployment and confuses users/administrators
• When?
– work started at the beginning of EGEE III
– detailed schedule was presented at CHEP 09
– convergence will be complete at the end of EGEE III
The Convergence Schedule
Phase      Activity                                                      Status / ETA
Phase I    Implement JSPG requirements                                   Done
Phase II   Migrate essential VOMRS features to VOMS Admin                Dec. 2009
Phase III  Interface with third party directory services (CERN HR db)    Feb. 2010
Phase IV   Validation and certification tests                            end of EGEE 3
Phase V    Data migration from VOMRS to VOMS Admin                       ?
JSPG Req. for VO registration
• The Joint Security Policy Group (JSPG) defined a set of requirements for VO membership registration that must be implemented by all applications that manage user registration for WLCG Grid sites
http://www.jspg.org/wiki/Virtual_Organisation_Membership_Management_Policy
• VOMS Admin, starting from version 2.5, supports JSPG requirements
VOMS Admin 2.5
• Main new features
– Support for multiple user certificates
– Support for versioned AUP management
– Membership expiration, suspension, renewal
– VO members can request group membership/role assignment
– VO members can request membership removal
– Support for multiple member operations (deletion, suspension)
• Cross Site Request Forgery mitigation
– done on the main web application
– not done on the web services endpoints; it's impossible to solve the issue there without breaking compatibility with existing clients:
• VOMRS
• MkGridmap
• any service that uses VOMS Admin services
Multiple Certificate Support
• Multiple certificates can be linked to the same VO membership (other identities/aliases)
• These certificates share the VOMS attributes info
– Groups
– Roles
– Generic Attributes
– VO AUP acceptance records
• Users, once registered, can request the addition of other certificates to their membership
– This operation needs the VO-Admin authorization
• New user certificate management APIs are provided
– Already in use by the EGEE Pseudonymity service and by the VOMS Admin CLI
AUP Management
• AUP acceptance records are linked to each VO membership
– to keep track of which version of the AUP was accepted and when
• AUPs have a re-acceptance period
– Each user's acceptance record is checked against this period and, if the record has expired, the user is requested to sign the AUP again within a configurable amount of time (24 hours is the default)
– If the user fails to sign the AUP in time, he/she is suspended
• VO admin can request AUP re-acceptance from users at any time
AUP Management tools
• Simple AUP version management tools
– add/remove AUP versions
– set active AUP version
– change re-acceptance period for the AUP
– trigger re-acceptance of current active AUP
Membership suspension
• VOMS Membership can now be suspended
– user is notified of the suspension reason via email and by voms-proxy-init
– Suspended members will not get VOMS attributes out of voms-proxy-init
• When a membership is suspended, all the certificates linked to that membership are suspended
• It is also possible to only suspend specific certificates
Membership expiration/renewal
• An expiration date is linked to each membership
– Membership lifetime is configurable (default = 12 months)
• When a membership expires
– the user is suspended (and informed of the suspension)
– An administrator needs to take action to renew the membership
– The user can be requested to sign the VO AUP again
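As an added illustration (not VOMS Admin's own code), the AUP re-acceptance rules from the AUP Management slide and the expiration rules on this slide, combined into one membership-state check. The dataclass names, the "aup-pending" state and the rule that a newly activated AUP version also needs re-acceptance are assumptions; the 24-hour grace period and 12-month lifetime are the slide defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

DEFAULT_GRACE = timedelta(hours=24)      # slide default: 24 h to re-sign the AUP
DEFAULT_LIFETIME = timedelta(days=365)   # slide default: 12-month membership lifetime

@dataclass
class AUP:
    version: str
    reacceptance_period: timedelta

@dataclass
class Membership:
    created: datetime
    lifetime: timedelta = DEFAULT_LIFETIME
    accepted_version: Optional[str] = None       # acceptance record: which AUP version...
    accepted_at: Optional[datetime] = None       # ...was accepted, and when
    resign_deadline: Optional[datetime] = None   # set once re-acceptance has been requested
    reacceptance_forced: bool = False            # VO admin triggered re-acceptance

def sign_aup(m: Membership, aup: AUP, now: datetime) -> None:
    """Record acceptance of the active AUP and clear any pending request."""
    m.accepted_version, m.accepted_at = aup.version, now
    m.resign_deadline, m.reacceptance_forced = None, False

def trigger_reacceptance(m: Membership) -> None:
    """VO admin action: force the member to re-sign the active AUP."""
    m.reacceptance_forced = True

def evaluate(m: Membership, aup: AUP, now: datetime,
             grace: timedelta = DEFAULT_GRACE) -> Tuple[str, str]:
    """Return (state, reason); state is 'active', 'aup-pending' or 'suspended'."""
    if now >= m.created + m.lifetime:
        return "suspended", "membership expired: an administrator must renew it"
    record_expired = (m.accepted_at is None
                      or now >= m.accepted_at + aup.reacceptance_period)
    # Assumption (not stated on the slides): activating a new AUP version
    # also requires every member to re-accept it.
    if not (record_expired or m.reacceptance_forced
            or m.accepted_version != aup.version):
        return "active", "AUP acceptance record valid"
    if m.resign_deadline is None:   # first check after expiry: notify user, start the clock
        m.resign_deadline = now + grace
    if now < m.resign_deadline:
        return "aup-pending", f"re-sign AUP {aup.version} by {m.resign_deadline.isoformat()}"
    return "suspended", "AUP not re-signed within the grace period"
```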
User requests
• Users can request group and role membership from their home page
– and membership removal as well
User requests (...)
• Administrators can approve user requests from their home page
Multiuser one-click operations
• Initial support for one-click operations on multiple users
– user suspend, restore and delete operations
CSRF Mitigation
• VOMS Admin leverages the Struts 2 token interceptor to mitigate CSRF (on the web application)
– A random, one-time token is generated by the framework and checked on each request
– This approach is not applicable to web services without breaking compatibility with existing clients
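An added illustration (not code from VOMS Admin or from Struts 2) of the one-time-token check described above, written as two plain functions: a render-time step that issues a token into the session, and a submit-time step that consumes it. The field name and the session/form dictionaries are assumptions; it also shows why a stateless client that never rendered the form, which is the web-service case on this slide, can never pass the check.

```python
import secrets
from typing import Dict, Optional

# Hypothetical field name; the real Struts 2 token tag uses its own hidden fields.
TOKEN_FIELD = "csrf.token"


def issue_token(session: Dict[str, str]) -> str:
    """Render-time step: create a fresh random token, remember it in the
    user's session and return it for embedding as a hidden form field."""
    token = secrets.token_hex(16)
    session[TOKEN_FIELD] = token
    return token


def check_token(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """Submit-time step. The stored token is always consumed (one-time use),
    so a replayed or forged submission never matches."""
    expected: Optional[str] = session.pop(TOKEN_FIELD, None)
    supplied = form.get(TOKEN_FIELD)
    if expected is None or supplied is None:
        return False
    return secrets.compare_digest(expected, supplied)


def dispatch(session: Dict[str, str], form: Dict[str, str]) -> str:
    """Mimic the interceptor outcome: the action runs only on a valid token,
    otherwise the 'invalid.token' result is selected. A SOAP client such as
    VOMRS or mkgridmap has no session and no token, so it always lands here."""
    return "success" if check_token(session, form) else "invalid.token"
```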
Next steps
• Phase II (VOMS Admin version 2.6)
– Task assignment and delegation among administrators, i.e. an administrator can forward a request to another administrator (or group of administrators)
– One click group/role management for multiple users
– Better support for sorting information in the web application
– ETA: Dec 2009
• Phase III (VOMS Admin version 2.7)
– Support for interfacing with third-party external membership databases, including support for the CERN HR database
– ETA: Feb 2010
Links
• VOMS/VOMRS Convergence Paper
– http://www.fnal.gov/docs/products/voprivilege/documents/VomsVomrsConvergenceCHEP09-final.pdf
• Savannah Patches:
– https://savannah.cern.ch/patch/?3224 (VOMS 2.5 patch)
• JRA1 Workplan tasks related to convergence:
– https://savannah.cern.ch/task/?9884
– https://savannah.cern.ch/task/?9885
• Contacts:
– andrea.ceccanti@cnaf.infn.it
Questions?