
Page 1: Multi-Site VOs and Multi-VO Sites in Open Science Grid

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005

Abhishek Singh Rana and Frank Wuerthwein UC San Diego www.opensciencegrid.org

The Open Science Grid Consortium

Multi-Site VOs and Multi-VO Sites in Open Science Grid

Abhishek Singh Rana, UC San Diego
[email protected]

Frank Wuerthwein, UC San Diego
[email protected]

GridWorld/GGF15, October 3-6, 2005, Boston, MA, USA

Community Activity: Leveraging Site Infrastructure for Multi-Site Grids

Page 2: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Collaborative Effort

Open Science Grid RBAC, Security and Policy Frameworks

Privilege Project
  PPDG Common
  USATLAS
  USCMS
  Fermi National Lab
  Brookhaven National Lab
  U California San Diego
  Virginia Tech

Technical Lead: Ian Fisk, FNAL
Technical Coordinator: Dane Skow, FNAL

Page 3: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Outline

• Concepts & Goals.

• Examples
  – Compute Element.
  – Storage Element.
  – User work space at a compute node.

Page 4: Multi-Site VOs and Multi-VO Sites in Open Science Grid


OSG Approach: Concepts

• Global specification of privilege requirements per Role.

• Site central mapping of Role to implementation of privilege requirements.

• Local enforcement of privilege requirements.

Page 5: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Multi-Site VO

[Diagram: one VO spanning several sites; each site has a Compute Element (CE) and a Storage Element (SE).]

Page 6: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Multi-VO Site

[Diagram: a single site with one CE and one SE, serving several VOs.]

Page 7: Multi-Site VOs and Multi-VO Sites in Open Science Grid


A Multi-VO Multi-Site Grid

[Diagram: many sites, each with a CE and an SE, shared by many VOs; every site serves several VOs and every VO spans several sites.]

Page 8: Multi-Site VOs and Multi-VO Sites in Open Science Grid


OSG Approach

• VO defines Roles and associated privileges by specifying expected functionality.
  – E.g. cmssoft may install software in an area that is read-only for all cmsgrid user jobs running on the site/campus.
  – E.g. cmssvc may deploy a DB cache available to all cmsgrid user jobs running on the site/campus.

• Site maps VO-scope identities to local-scope identities.
  – Site-wide management of the mapping.
  – Service-level granularity of the mapping.

• Site enforces VO privilege policies within local-scope identities.

• Authorization = !(Site-vetoed) && (VO-allowed)

Page 9: Multi-Site VOs and Multi-VO Sites in Open Science Grid


[Diagram: site authorization architecture. A local or remote client presents a proxy carrying VO membership and role attributes issued by the VO Attribute Repository. Inside the site, a Site-wide Assertion Service holds per-service vetoes (Service X veto, Service Y veto, Service Z veto), and a Site-wide Mapping Service feeds an Authorization Service for Services X, Y and Z. Services X, Y and Z run on Host 1 and Host 2; Services X and Y reach the authorization service through a shared callout module, while Service Z has its own callout module backed by an Auxiliary Authorization Service and an Auxiliary Mapping Service for Service Z.]

Page 10: Multi-Site VOs and Multi-VO Sites in Open Science Grid


[Same diagram, annotated with policy decision points (PDP) and policy enforcement points (PEP): the authorization and mapping services act as PDPs, and the callout modules inside the services act as PEPs.]

Page 11: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Example: Compute Element

Page 12: Multi-Site VOs and Multi-VO Sites in Open Science Grid


CE: Globus and Condor

• PRIMA and GUMS provide CE authz in the OSG approach.
  – PRIMA authenticates.
  – GUMS translates {DN, Membership, Role} to Username.
  – System translates Username to site-wide {UID}.
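The following Python example is added here to make the decision rule on the "OSG Approach" slide (Authorization = !(Site-vetoed) && (VO-allowed)) and the CE chain on this slide (PRIMA authenticates, GUMS translates {DN, Membership, Role} to a username, the system translates the username to a site-wide UID) concrete in working code. It is not OSG, PRIMA, GUMS or SAZ code; the VO, role names, DNs, account names, UIDs, pool size and veto lists are constructed, and the only real convention it relies on is the VOMS FQAN form `/vo[/group...][/Role=r][/Capability=c]`, where a missing Role is `NULL`.

```python
"""Site-side authorization and identity mapping in the style of the OSG approach:
the VO asserts {DN, membership, role}, the site may veto, the site maps the
VO-scope identity to a local account, and the system resolves that account to a
site-wide UID.  Added example, not OSG/PRIMA/GUMS/SAZ code; every VO, role, DN,
account name, UID and veto entry below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# VO scope: the functionality each role is granted (the "VO-allowed" term).
VO_ROLE_POLICY = {
    "cms": {
        "NULL":    {"run-job"},                          # plain VO member
        "cmssoft": {"run-job", "install-software"},
        "cmssvc":  {"run-job", "deploy-db-cache"},
    },
}

# Site scope: how (VO, role) maps to a local account.  Privileged roles get a
# static account; plain members draw from a pool, one account per DN.
SITE_MAPPING = {
    ("cms", "cmssoft"): {"kind": "static", "username": "cmssoft"},
    ("cms", "cmssvc"):  {"kind": "static", "username": "cmssvc"},
    ("cms", "NULL"):    {"kind": "pool", "prefix": "cms", "size": 2},
}
# Site vetoes (the "Site-vetoed" term), by DN and by (VO, role).
SITE_VETO_DN = {"/DC=org/DC=example/CN=mallory"}
SITE_VETO_ROLE = {("cms", "cmssvc")}
# Local account database: what /etc/passwd or the site directory would hold.
SITE_UIDS = {"cmssoft": 5001, "cmssvc": 5002, "cms001": 6001, "cms002": 6002}

FQAN_RE = re.compile(
    r"^/(?P<vo>[\w-]+)(?:/[\w-]+)*(?:/Role=(?P<role>[\w-]+))?(?:/Capability=[\w-]+)?$")


def parse_fqan(fqan: str) -> Tuple[str, str]:
    """Split a VOMS FQAN such as '/cms/Role=cmssoft/Capability=NULL' into
    (vo, role); a missing Role attribute is the VOMS default 'NULL'."""
    m = FQAN_RE.match(fqan)
    if not m:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    return m.group("vo"), m.group("role") or "NULL"


@dataclass(frozen=True)
class Proxy:
    dn: str     # subject DN of the user certificate (authenticated upstream)
    fqan: str   # primary VOMS attribute carried in the proxy


@dataclass(frozen=True)
class Decision:
    allowed: bool
    username: Optional[str] = None
    uid: Optional[int] = None
    reason: str = ""


class SiteMapper:
    """Site-wide mapping service; stateful so a pool account stays pinned to its DN."""

    def __init__(self) -> None:
        self._pool_leases: Dict[Tuple[str, str, str], str] = {}

    def map_identity(self, dn: str, vo: str, role: str) -> Optional[str]:
        rule = SITE_MAPPING.get((vo, role))
        if rule is None:
            return None
        if rule["kind"] == "static":
            return rule["username"]
        key = (vo, role, dn)
        if key in self._pool_leases:
            return self._pool_leases[key]
        taken = set(self._pool_leases.values())
        for n in range(1, rule["size"] + 1):
            candidate = f"{rule['prefix']}{n:03d}"
            if candidate not in taken:
                self._pool_leases[key] = candidate
                return candidate
        return None   # pool exhausted: fail closed rather than share an account

    def authorize(self, proxy: Proxy, action: str) -> Decision:
        """Authorization = !(Site-vetoed) && (VO-allowed); then map to a local UID."""
        vo, role = parse_fqan(proxy.fqan)
        if proxy.dn in SITE_VETO_DN or (vo, role) in SITE_VETO_ROLE:
            return Decision(False, reason="site veto")
        if action not in VO_ROLE_POLICY.get(vo, {}).get(role, set()):
            return Decision(False, reason="VO policy does not grant action to role")
        username = self.map_identity(proxy.dn, vo, role)
        if username is None:
            return Decision(False, reason="no local account available")
        uid = SITE_UIDS.get(username)
        if uid is None:
            return Decision(False, reason="mapped account unknown to site")
        return Decision(True, username, uid, "ok")


if __name__ == "__main__":
    mapper = SiteMapper()
    alice = "/DC=org/DC=example/CN=alice"
    print(mapper.authorize(Proxy(alice, "/cms/Role=cmssoft/Capability=NULL"), "install-software"))
    print(mapper.authorize(Proxy(alice, "/cms/Role=NULL/Capability=NULL"), "install-software"))
```

The veto is evaluated before the VO policy and before any mapping, matching the order in the architecture diagram (assertion service, then mapping service), and the mapper fails closed when the UID pool is exhausted or the mapped account is missing from the local account database, rather than falling back to a shared account.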

Page 13: Multi-Site VOs and Multi-VO Sites in Open Science Grid


[Diagram: CE authorization chain. A local or remote client presents a proxy with VO membership and role attributes obtained from VOMS. At the site, the Globus Gatekeeper on the CE invokes the PRIMA callout, which uses the PRIMA C SAML libraries to consult the Site-wide Assertion Service (SAZ) and the Site-wide Mapping Service (GUMS).]

Deployed at many sites/campuses with static UIDs as well as UID pools.

Page 14: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Example: Storage Element

Page 15: Multi-Site VOs and Multi-VO Sites in Open Science Grid


SE: SRM-dCache

• Different doors for different authz methods.

• Same underlying local authz mechanism.

• Can be mapped to site’s UID/GID domain.

• Or be restricted to SRM-dCache only.

• Examples:
  – USCMS-VO at FNAL: Site UID domain.
  – CDF-VO at FNAL: Site Kerberos domain.

Page 16: Multi-Site VOs and Multi-VO Sites in Open Science Grid


SE: SRM-dCache

• gPLAZMA extends the SRM-dCache separation of SE authz from CE authz to the OSG approach.
  – gPLAZMA authenticates.
  – Storage Authz Service contacts GUMS and the gPLAZMA Storage Metadata Service.
  – GUMS translates {DN, Membership, Role} to Username.
  – System optionally translates Username to site-wide {UID, GID}.
  – gPLAZMA Storage Metadata Service translates Username to a Storage-privilege Set.
  – Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}.
  – Storage-privilege Set is a user-level ACL governed by {DN, Membership, Role}.
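The following Python example is added here to show what enforcing a Storage-privilege Set looks like in code; it is not gPLAZMA, dCache or GUMS code. Its input is the local username that the site mapping service would already have derived from {DN, Membership, Role}; the usernames, storage paths, UIDs, GIDs and operation names are constructed, and the namespace is modelled as plain POSIX paths rather than dCache's own namespace.

```python
"""Storage-privilege Set enforcement in the style of the gPLAZMA flow:
username -> {UID, GID, permitted storage area, R/W permissions}, then every
SRM/GridFTP request is checked against that set before the UID/GID are applied.
Added example, not gPLAZMA/dCache/GUMS code; all names, paths and IDs are
constructed."""
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StoragePrivileges:
    """Storage-privilege Set: {UID, GID, permitted storage area, R/W permissions}."""
    uid: int
    gid: int
    area: str      # permitted storage area, absolute path
    read: bool
    write: bool


@dataclass(frozen=True)
class StorageDecision:
    allowed: bool
    reason: str
    uid: Optional[int] = None
    gid: Optional[int] = None


# Constructed storage metadata: username -> privilege set.  The UIDs/GIDs may
# be the site-wide ones or a storage-only domain; the check is the same.
STORAGE_METADATA = {
    "cms001":  StoragePrivileges(6001, 6000, "/pnfs/example.org/data/cms/users/cms001", True, True),
    "cms002":  StoragePrivileges(6002, 6000, "/pnfs/example.org/data/cms/users/cms002", True, True),
    "cmssoft": StoragePrivileges(5001, 6000, "/pnfs/example.org/data/cms/sw", True, True),
    "cmsro":   StoragePrivileges(6100, 6000, "/pnfs/example.org/data/cms", True, False),
}

READ_OPS = {"read", "list", "stat"}
WRITE_OPS = {"write", "delete", "mkdir", "rename"}


def privileges_for(username: str) -> Optional[StoragePrivileges]:
    """Storage Metadata Service lookup: username -> Storage-privilege Set."""
    return STORAGE_METADATA.get(username)


def within_area(area: str, path: str) -> bool:
    """True if an absolute path, after collapsing '.' and '..', lies inside area.
    Comparing against area + '/' keeps '/users/cms0010' from passing as
    '/users/cms001'."""
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)
    base = area.rstrip("/")
    return norm == base or norm.startswith(base + "/")


def authorize_storage(username: str, op: str, path: str) -> StorageDecision:
    """PEP logic for a storage door: deny anything outside the permitted area,
    deny operations the set does not grant, deny unknown operations."""
    priv = privileges_for(username)
    if priv is None:
        return StorageDecision(False, "no storage privileges for user")
    if not within_area(priv.area, path):
        return StorageDecision(False, "path outside permitted storage area")
    if op in READ_OPS:
        granted = priv.read
    elif op in WRITE_OPS:
        granted = priv.write
    else:
        return StorageDecision(False, f"unknown operation {op!r}")
    if not granted:
        return StorageDecision(False, f"{op} not permitted for user")
    return StorageDecision(True, "ok", priv.uid, priv.gid)


if __name__ == "__main__":
    print(authorize_storage("cms001", "write", "/pnfs/example.org/data/cms/users/cms001/out.root"))
    print(authorize_storage("cms001", "read", "/pnfs/example.org/data/cms/users/cms001/../cms002/x"))
```

The two checks a practitioner should not skip are both in `within_area`: normalising the path before comparing it, so `..` components cannot walk out of the permitted area, and comparing against the area with a trailing slash, so a sibling directory whose name merely begins with the area name is not accepted.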

Page 17: Multi-Site VOs and Multi-VO Sites in Open Science Grid


[Diagram: CE and SE authorization chains side by side. As before, the client proxy carries VO membership and role attributes from VOMS; SAZ is the Site-wide Assertion Service and GUMS the Site-wide Mapping Service, with an Auxiliary Mapping Service alongside. On the CE, the Globus Gatekeeper uses the PRIMA callout with the PRIMA C SAML libraries. On the SE, SRM-GridFTP uses the gPLAZMA callout; gPLAZMA (with PRIMA Java SAML) consults a PRIMA Authorization Service and the gPLAZMA storage metadata, packaged as the gPLAZMALite Authorization Services suite.]

Page 18: Multi-Site VOs and Multi-VO Sites in Open Science Grid


[Same diagram, with the OGSA AuthZ interface marked on the SE side between the gPLAZMA callout and the PRIMA Authorization Service.]

Page 19: Multi-Site VOs and Multi-VO Sites in Open Science Grid


[Same diagram, with the components expanded:]

PRIMA: A System for Privilege Management and Authorization in Grids
gPLAZMA: grid-aware Pluggable Authorization Management System
GUMS: Grid User Management System
SAZ: Site Authorization Service
VOMS: Virtual Organization Membership Service
gPLAZMALite Authorization Services suite

Page 20: Multi-Site VOs and Multi-VO Sites in Open Science Grid


[Same diagram, with credits for each component:]

PRIMA: Markus Lorch, VT
gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL
GUMS: Gabriele Carcassi, BNL
SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL
SRM-dCache: DESY/FNAL teams
VOMS: INFN teams, Italy
gPLAZMALite Authorization Services suite

Page 21: Multi-Site VOs and Multi-VO Sites in Open Science Grid


SE ACLs: VO versus Site Control

• VO control of ACLs.
  – All files are owned by the VO.
  – Simple solutions.
  – VO PDP, separated from the Resource.

• Site control of ACLs.
  – All files are owned by the {DN, Membership, Role} of a User.
  – Site SE enforces global (VO) and local (site) policies.
  – Global and local policies are used together to aid isolation of privileges, grant privacy to the user, and perform fine-grained security.
  – Demands sophisticated solutions.
  – Site PDP, closer to the Resource.

Page 22: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Example: User work space

Page 23: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Consider a simple goal…

If a user credential gets compromised, the miscreant must be restricted to exploiting the stolen credential only to run the user's application.

• What would this require?
  – Slicing of a Resource, on demand.
  – PEP closer to such finer slices of a Resource.
  – Customized (possibly transient) slices.
  – Isolation of the environment of such a slice.

• A resource slice and applications make a work space.

Page 24: Multi-Site VOs and Multi-VO Sites in Open Science Grid


User work space

• Concepts
  – TID (Transactional Identity) = {DN, Membership Profile, Set of Roles}
  – Thus, TID is VO- and "application type"-specific.
  – TID functions as a tag for work space characteristics.
  – Site central mapping service translates TID into work space characteristics.
  – Compute node local service provisions the work space according to those characteristics.
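The following Python example is added here to show the TID concept on this slide, and the goal on the previous one, in working code; it is not OSG code. It derives a canonical TID tag from {DN, membership profile, set of roles}, maps the TID to work space characteristics through a site-central table, provisions an isolated slice on the compute node, and restricts what that slice may execute. The table of work space classes, the software-area paths, the resource limits and the directory layout are all constructed.

```python
"""User work space from a Transactional Identity (TID):
TID = {DN, membership profile, set of roles} -> site-central mapping to work
space characteristics -> compute-node local provisioning of an isolated slice.
Added example, not OSG code; the work space classes, paths and limits are
constructed."""
import hashlib
import json
import os
import posixpath
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TID:
    """Transactional Identity: {DN, membership profile, set of roles}."""
    dn: str
    vo: str
    groups: FrozenSet[str]   # membership profile (VO groups)
    roles: FrozenSet[str]    # set of roles asserted for this transaction

    def tag(self) -> str:
        """Stable, order-insensitive tag: the same DN/VO/groups/roles always
        name the same work space class, whatever order the attributes arrive in."""
        canon = json.dumps({"dn": self.dn, "vo": self.vo, "groups": sorted(self.groups),
                            "roles": sorted(self.roles)}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class WorkSpaceSpec:
    app_class: str                     # the "application type" the TID is specific to
    software_areas: Tuple[str, ...]    # read-only areas an executable may come from
    writable_software: bool            # may this slice modify the VO software area?
    scratch_mb: int
    cpu_seconds: int


# Site-central mapping table (constructed): (vo, roles) -> characteristics.
WORKSPACE_CLASSES = {
    ("cms", frozenset()):            WorkSpaceSpec("user-analysis", ("/opt/cms/sw",), False, 2048, 3600),
    ("cms", frozenset({"cmssoft"})): WorkSpaceSpec("software-install",
                                                   ("/opt/cms/sw", "/opt/cms/tools"), True, 8192, 14400),
}


def characteristics_for(tid: TID) -> Optional[WorkSpaceSpec]:
    """Site-wide mapping of a TID to work space characteristics.  Unknown
    (vo, roles) combinations get nothing, not a default slice: fail closed."""
    return WORKSPACE_CLASSES.get((tid.vo, tid.roles))


def provision_workspace(tid: TID, base_dir: str) -> str:
    """Compute-node local service: create a private slice for this TID under
    base_dir and record its characteristics next to it.  One slice per
    transaction; an existing directory for the same tag is an error."""
    spec = characteristics_for(tid)
    if spec is None:
        raise PermissionError(f"no work space class for {tid.vo} roles {sorted(tid.roles)}")
    ws = os.path.join(base_dir, f"ws-{tid.tag()}")
    os.makedirs(ws, mode=0o700, exist_ok=False)
    os.chmod(ws, 0o700)   # makedirs' mode is subject to umask; force isolation
    with open(os.path.join(ws, "workspace.json"), "w") as f:
        json.dump({"tid": tid.tag(), "app_class": spec.app_class,
                   "software_areas": list(spec.software_areas),
                   "writable_software": spec.writable_software,
                   "scratch_mb": spec.scratch_mb, "cpu_seconds": spec.cpu_seconds}, f)
    return ws


def may_execute(spec: WorkSpaceSpec, exe: str) -> bool:
    """A slice may only launch executables from its permitted software areas, so a
    stolen user credential cannot run an arbitrary uploaded binary in the slice."""
    if not exe.startswith("/"):
        return False
    norm = posixpath.normpath(exe)
    return any(norm.startswith(area.rstrip("/") + "/") for area in spec.software_areas)


if __name__ == "__main__":
    import tempfile
    user = TID("/DC=org/DC=example/CN=alice", "cms", frozenset({"/cms"}), frozenset())
    ws = provision_workspace(user, tempfile.mkdtemp())
    print(ws, may_execute(characteristics_for(user), "/opt/cms/sw/bin/cmsRun"))
```

Two TIDs that differ only in the order their roles were listed yield the same tag and therefore the same slice class, while a different role set (for example adding cmssoft) yields a different tag and a different class; the user-analysis class cannot write the software area and cannot execute anything outside it, which is the restriction the previous slide asks for when a credential is stolen.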

Page 25: Multi-Site VOs and Multi-VO Sites in Open Science Grid


Summary of OSG Approach

• Global specification of privilege requirements per role.
  – Means to do so are lacking today!

• Site central mapping of role to implementation of privilege requirements.
  – Simple solutions in production usage.

• Local enforcement of privilege requirements.
  – Simple solutions in production usage.
  – Moving forward to designing more advanced solutions.