VO Membership Registration Workflow, Policies and VOMRS software (VOX Project) Tanya Levshina Fermilab

Page 1

VO Membership Registration Workflow, Policies and VOMRS software

(VOX Project)

Tanya Levshina

Fermilab

Page 2

12/15/2003 User Registration/VO management/AuthZ workshop at CERN

Presentation overview

• Introduction
• Stakeholders, team and collaborators
• VOX components
• VO Membership Registration Service
• Identifying the workflow
• VO Concepts
• Roles
• VOMRS Architecture
• Association with EDG VOMS
• WEBUI Screenshots
• What’s next?
• Summary

Page 3

Introduction

US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources.

This effort has resulted in a study and understanding of the necessary workflow, and the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.

Page 4

Stakeholders, Team and Collaborators

• Stakeholders:
  – US CMS (L. Bauerdick)
  – Fermilab Computing Facility (D. Skow)
  – iVDGL (R. Gardner)
  – SDSS (J. Annis)

• Team:
  – T. Levshina – Fermilab
  – L. Grundhoefer – iVDGL
  – A. Heavey (technical writer) – Fermilab
  – V. Sekhri – SDSS/iVDGL, Fermilab
  – J. Weigand – Fermilab
  – Y. Wu – Fermilab

• Collaborators:
  – BNL (R. Baker, D. Yu) – VOMRS architecture, registration process, common interfaces
  – EDG/DataTAG (V. Ciaschini, A. Frohner) – VOMS core and admin software
  – VDT (U of Wisconsin), Virginia Tech (Markus Lorch) – ongoing communication and agreements with Globus on gatekeeper and authorization callouts

Page 5

VOX Project

VOX Goals:
– to understand and model the registration workflow
– to provide a VO registration mechanism
– to negotiate and monitor member authorization to grid resources
– End Goal: to facilitate the remote participation of physicists in effective and timely analysis of data from the LHC experiments during DC04.

[Diagram: VOX components and their connections: VOMS EDG, SAZ, LRAS, VOMRS, Fermilab Grid Cluster, Gatekeeper & callouts, Local Center Registration Service]

Page 6

VOX Components

• VOMRS (VO Membership Registration Service) provides a registration service that
  – allows a single point of registration with a VO
  – facilitates, negotiates and monitors the process of a member’s authorization to grid resources
  – provides centralized storage of membership information and a means to query said information

• LRAS (Local Resource Authorization Service) automates and facilitates the process of managing fine-grained access to a local grid element
  – stores a subset of VO membership information and maps a VO member to a local account

• Gatekeeper authorization callouts (in agreement with the standard adopted by Globus, EDG, FNAL, and Virginia Tech).

• SAZ (Site Authorization Service) allows security authorities of the local site to control access to the site’s resources.

• VOMS EDG Admin service provides centralized storage of member DN, CA, groups and roles, and the means to handle this data. VOMS EDG Core service gives out an extended proxy upon a member’s request.

Page 7

VOMRS: Identifying the workflow

• Understand that VO registration is a multi-level process (institution, grid site, country, VO).

• Identify necessary elements of the registration procedure and develop a model workflow.

• Identify administrative roles and responsibilities.

• Identify various implications of our model on sites and site policies.

• Realize that the implementing technology must be flexible to accommodate the different levels of policies and requirements and to anticipate ongoing changes.

Page 8

VO Concepts (I)

• Grid, VO, Certificate (DN, CA, ...), Grid resource, Grid job ...

• Experiment: represents research activities that are specific to a particular VO.

• Group: an experiment contains groups. A group may have sub-groups.

• Institution: an organization whose members participate in experiments within a particular VO.

• Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.

• Grid job submission rights: distinguishes between members who can submit grid jobs and those who can only perform administrative tasks.

Page 9

VO Concepts (II)

• Personal information: private and public data about an individual that is collected by the VO.

• Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses, if any.

• Role: defines actions that a VO Member can perform within the VO. A VO member can have one or more roles.

Page 10

Roles (I)

• Applicant:
  – An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.

• Member:
  – An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.

• VO administrator:
  – A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.

Page 11

Roles (II)

• Institutional VO representative:
  – Vouches for the identity of an applicant.
  – Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.

• Grid site administrator:
  – Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
  – Administers authorization of a VO member to the site. The details are site-specific and depend on the regulations and policies of each particular site.

• Local resource provider:
  – Administers authorization of a member to use the grid resource (this could include adding the member to the gridmapfile, mapping the member to a local account, etc.).

Page 12

Roles (III)

• Group owner:
  – Creates groups and subgroups within the experiment.
  – Assigns/revokes the group manager/owner role to/from a member of the VO.
  – A Group owner is a Group manager as well.
  – A Group owner owns a group if he owns any of its ancestor groups.

• Group manager:
  – Assigns/removes members to/from the group he manages.
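The owner/manager rules on the Roles slides, written out as an authorization check over a hierarchical group tree. This is an added example, not VOMRS code; the path-style group names and the reading that an explicit manager right covers only the one group it was granted on are assumptions.

```python
def ancestors(group):
    """Yield the group and each ancestor: /a/b/c -> /a/b/c, /a/b, /a."""
    parts = group.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])


class GroupRegistry:
    """Group tree with owner/manager rights as defined on the Roles slides (assumed model)."""

    def __init__(self, root, root_owner):
        self.owners = {root: {root_owner}}   # group -> DNs that own it
        self.managers = {}                   # group -> DNs explicitly made manager
        self.members = {root: set()}         # group -> member DNs

    def owns(self, dn, group):
        # "A Group owner owns a group if he owns any of its ancestor groups."
        return any(dn in self.owners.get(g, ()) for g in ancestors(group))

    def manages(self, dn, group):
        # "A Group owner is a Group manager as well." An explicit manager
        # right is assumed to cover only the group it was granted on.
        return self.owns(dn, group) or dn in self.managers.get(group, ())

    def create_subgroup(self, actor, parent, name):
        """Owners create groups and subgroups within the experiment."""
        if not self.owns(actor, parent):
            raise PermissionError(f"{actor} does not own {parent}")
        child = parent.rstrip("/") + "/" + name
        self.owners.setdefault(child, set())
        self.members.setdefault(child, set())
        return child

    def assign_manager(self, actor, dn, group):
        """Owners assign (or revoke) the manager role; managers cannot."""
        if not self.owns(actor, group):
            raise PermissionError(f"{actor} does not own {group}")
        self.managers.setdefault(group, set()).add(dn)

    def add_member(self, actor, dn, group):
        """Managers (hence owners too) add members to the group they manage."""
        if not self.manages(actor, group):
            raise PermissionError(f"{actor} does not manage {group}")
        self.members.setdefault(group, set()).add(dn)
```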

Page 13

Registration Flow

[Diagram: VOMRS on the VO Central Node, with arrows labelled register (Applicant to VOMRS), query (Member to VOMRS), synchronize (VOMRS to the EDG VOMS Proxy Server), and notify/approve between VOMRS and the Institution Representative and, at each Grid Site, the Site Admin and LRPS.]

Page 14

VOMRS Architecture

[Diagram: VOMRS Server (ClientIF, Registrar, EventManager, Synchronizer) backed by the VOMRS DB and reached by the Member through Web Services/Servlets, a CLI and the WEBCLIENT; the Synchronizer talks to the EDG VOMS DB through the EDG VOMS ADMIN API; GSI and the EDG Trust Manager are also shown.]

Page 15

Association with EDG VOMS

• EDG VOMS is currently used as a significant part of the VOX project:
  – Extended proxy generation
  – Gridmapfile generation for local grid resources
  – Queries to get members, groups and roles by authorization services on local grid clusters

• VOMS and VOMRS have some overlap in functionality and stored data, but
  – VOMRS is a registration service that is accessed infrequently, by people (not hosts).
  – VOMS is a service that provides members with an extended proxy and must sustain heavy load. It allows access by registered hosts.
  – VOMRS keeps a lot of information about members and VO entities (institutions, sites, etc.). Member information is persistent.
  – VOMS keeps the minimum information related to a member (DN, CA, group, role). A member has to be deleted in order to deny him access to the Grid.

• The VOMRS Synchronizer is responsible for updating the VOMS database.
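A model of the Synchronizer step this slide describes, as an added example rather than VOMRS project code: VOMRS is the persistent source of truth, VOMS holds only (DN, CA, group, role), and since VOMS can deny access only by deleting a member, the sync must remove every member who is not an approved job submitter. The record layouts, status names and the empty role string for plain group membership are assumptions; the sample people are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VomsEntry:                 # the minimal data VOMS keeps: dn, ca, group, role
    dn: str
    ca: str
    group: str
    role: str

@dataclass
class VomrsMember:               # VOMRS keeps far more; only sync-relevant fields shown
    dn: str
    ca: str
    status: str                  # assumed values: "applicant", "approved", "suspended"
    groups_roles: set = field(default_factory=set)  # {(group, role)}; role "" = plain membership
    can_submit_jobs: bool = True # "grid job submission rights" from the VO Concepts slide

def wanted_in_voms(members):
    """Project VOMRS records onto the entries VOMS should hold."""
    wanted = set()
    for m in members:
        if m.status != "approved" or not m.can_submit_jobs:
            continue             # absent from VOMS => no extended proxy => no grid access
        for group, role in m.groups_roles:
            wanted.add(VomsEntry(m.dn, m.ca, group, role))
    return wanted

def plan_sync(members, voms_entries):
    """Return (to_add, to_remove) that bring the VOMS DB in line with VOMRS."""
    wanted = wanted_in_voms(members)
    current = set(voms_entries)
    return wanted - current, current - wanted

# Constructed sample data: the names are made up, the CA string is the one shown on slide 19.
CA = "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1"
def person_dn(name):
    return f"/DC=org/DC=doegrids/OU=People/CN={name}"
MEMBERS = [
    VomrsMember(person_dn("Alice Example"), CA, "approved", {("/uscms", ""), ("/uscms/higgs", "manager")}),
    VomrsMember(person_dn("Bob Example"), CA, "applicant", {("/uscms", "")}),     # not yet approved
    VomrsMember(person_dn("Carol Example"), CA, "approved", {("/uscms", "")}, can_submit_jobs=False),
    VomrsMember(person_dn("Dave Example"), CA, "suspended", {("/uscms", "")}),    # must be deleted from VOMS
]
VOMS_DB = {VomsEntry(person_dn("Alice Example"), CA, "/uscms", ""),
           VomsEntry(person_dn("Dave Example"), CA, "/uscms", "")}

if __name__ == "__main__":
    to_add, to_remove = plan_sync(MEMBERS, VOMS_DB)
    print("add to VOMS:", to_add)
    print("delete from VOMS:", to_remove)
```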

Page 16

VOMRS WEBUI (Registration of a new user)

Page 17

VOMRS WEBUI (registration)

Page 18

VOMRS WEBUI (member search)

Page 19

VOMRS WEBUI (subscribe to event)

Date: Fri, 05 Dec 2003 13:43:20 -0600
From: [email protected]
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: [email protected]

Dear Administrator,

We have received a request from a person with Distinguished Name
/DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073
issued by Certificate Authority
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
to join VO USCMS.
You may approve or deny user access.

VO Administrator

Page 20

What’s Next?

• Now that we have a model, we need to work with others to get input, take it to the next step and create a workflow that everyone can use.

• Standardize the terminology, especially for administrative roles and responsibilities.

• Improvement of VOMRS:
  – Database (move to Oracle)
  – Documentation
  – Packaging

• VOMS/VOMRS:
  – Need to define stable interfaces between VOMRS and VOMS
  – Solve issues with VOMS installation/upgrade (takes too much time and effort – very possibly due to a lack of understanding on our part)

Page 21

Summary

We greatly appreciate the discussions, support and software contributions provided by our collaborators.

We all have spent substantial time and effort understanding the issues involved, modeling the workflow and developing a system to implement it. There are a lot of issues that remain.

We believe that all will benefit from collaboration on this project.

• More info: http://www.uscms.org/s&c/VO

• E-mail: [email protected]