
  • EGEE-II INFSO-RI-031688

    Enabling Grids for E-sciencE

    www.eu-egee.org

    EGEE and gLite are registered trademarks

    VOMS Admin 2.5 (End of Phase I of VOMS/VOMRS convergence)

    Andrea Ceccanti

    EGEE 09, September 2009, Barcelona

  • Typical VOMS/VOMRS Setup

  • VOMS/VOMRS Convergence

    • Goal:
    – extend VOMS Admin functionalities so that all the main VOMRS features are implemented

    • Why?
    – to have (in the long term) only one VOMS registration service that works well and is easier to deploy/maintain/evolve!
    – starting with voms-admin version 2.5, VOMS Admin and VOMRS have a large set of common functionality
    – maintaining two separate services that implement (more or less) the same functionality complicates deployment and confuses users/administrators

    • When?
    – work started at the beginning of EGEE III
    – detailed schedule was presented at CHEP 09
    – convergence will be complete at the end of EGEE III

  • The Convergence Schedule

    Phase I    Implement JSPG requirements                                   Done
    Phase II   Migrate essential VOMRS features to VOMS Admin                Dec. 2009
    Phase III  Interface with third party directory services (CERN HR db)    Feb. 2010
    Phase IV   Validation and certification tests                            end of EGEE 3
    Phase V    Data migration from VOMRS to VOMS Admin                       ?

  • JSPG Req. for VO registration

    • The Joint Security Policy Group (JSPG) defined a set of requirements for VO membership registration that must be implemented by all applications that manage user registration for WLCG Grid sites
    http://www.jspg.org/wiki/Virtual_Organisation_Membership_Management_Policy

    • VOMS Admin, starting from version 2.5, supports the JSPG requirements

  • VOMS Admin 2.5

    • Main new features
    – Support for multiple user certificates
    – Support for versioned AUP management
    – Membership expiration, suspension, renewal
    – VO members can request group membership/role assignment
    – VO members can request membership removal
    – Support for multiple member operations (deletion, suspension)

    • Cross Site Request Forgery (CSRF) mitigation
    – done on the main web application
    – not done on the web services endpoints: the token check cannot be added there without breaking compatibility with existing clients:
      • VOMRS
      • MkGridmap
      • any service that uses the VOMS Admin web services

  • Multiple Certificate Support

    • Multiple certificates can be linked to the same VO membership (other identities/aliases)

    • These certificates share the VOMS attribute information
    – Groups
    – Roles
    – Generic Attributes
    – VO AUP acceptance records

    • Users, once registered, can request the addition of other certificates to their membership
    – This operation needs the VO-Admin authorization

    • New user certificate management APIs are provided
    – Already in use by the EGEE Pseudonymity service and by the VOMS Admin CLI

  • AUP Management

    • AUP acceptance records are linked to each VO membership
    – to keep track of which version of the AUP was accepted, and when

    • AUPs have a re-acceptance period
    – Each user's acceptance record is checked against this period; if the record has expired, the user is requested to sign the AUP again within a configurable amount of time (24 hours is the default)
    – If the user fails to sign the AUP in time, he/she is suspended

    • The VO admin can request AUP re-acceptance from users at any time

  • AUP Management tools

    • Simple AUP version management tools
    – add/remove AUP versions
    – set active AUP version
    – change re-acceptance period for the AUP
    – trigger re-acceptance of current active AUP

  • Membership suspension

    • VOMS membership can now be suspended
    – the user is notified of the suspension reason via email and by voms-proxy-init
    – Suspended members will not get VOMS attributes out of voms-proxy-init

    • When a membership is suspended, all the certificates linked to that membership are suspended

    • It is also possible to suspend only specific certificates

  • Membership expiration/renewal

    • An expiration date is linked to each membership
    – Membership lifetime is configurable (default = 12 months)

    • When a membership expires
    – the user is suspended (and informed of the suspension)
    – An administrator needs to take action to renew the membership
    – The user can be requested to sign the VO AUP again

  • User requests

    • Users can request group and role membership from their home page
    – and membership removal as well

  • User requests (...)

    • Administrators can approve user requests from their home page

  • Multiuser one-click operations

    • Initial support for one-click operations on multiple users
    – user suspend, restore and delete operations

  • CSRF Mitigation

    • VOMS Admin leverages the Struts 2 token interceptor to mitigate CSRF (on the web application)
    – A random, one-time token is generated by the framework and checked on each request
    – This approach is not applicable to the web services without breaking compatibility with existing clients

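    The token check described on this slide and on the VOMS Admin 2.5 overview slide, as a worked example: a one-time random token stored in the session, rendered as hidden form fields, and required and consumed on the state-changing request, shown next to the unprotected form of the same action. This is an added example and not VOMS Admin or Struts 2 code; it only mimics the interceptor's behaviour. The `struts.token.name`/`struts.token` field names and the `invalid.token` result follow the Struts 2 conventions as far as the author knows them, and the `Session`, `VO` and `suspend_user_*` names are assumptions.

```python
"""Synchronizer-token CSRF check in the style of the Struts 2 token interceptor (added example,
not VOMS Admin or Struts code): a random one-time token is stored in the session, rendered as
hidden form fields, and must come back with the request, where it is compared in constant time
and consumed so it cannot be replayed. Field names and the 'invalid.token' result mimic Struts 2."""
import hmac
import secrets
from typing import Dict, Set

TOKEN_NAME_PARAM = "struts.token.name"  # hidden field that names the token field (Struts 2 convention)
DEFAULT_TOKEN_NAME = "struts.token"
INVALID_TOKEN = "invalid.token"          # result name the Struts 2 token interceptor returns

class Session:
    """Server-side session: outstanding tokens keyed by token name."""
    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}

class VO:
    """Stand-in for the VO database: only the set of suspended users."""
    def __init__(self) -> None:
        self.suspended: Set[str] = set()

def issue_token(session: Session, token_name: str = DEFAULT_TOKEN_NAME) -> Dict[str, str]:
    """Generate a fresh random token, remember it in the session and return the hidden
    fields the form must carry (what the <s:token/> tag renders)."""
    token = secrets.token_hex(16)
    session.tokens[token_name] = token
    return {TOKEN_NAME_PARAM: token_name, token_name: token}

def validate_token(session: Session, params: Dict[str, str]) -> bool:
    """Interceptor check: token name and value must be present and the value must match the
    one stored for this session; the stored token is consumed whether or not it matches."""
    token_name = params.get(TOKEN_NAME_PARAM)
    if not token_name:
        return False
    expected = session.tokens.pop(token_name, None)  # single use: gone after this request
    submitted = params.get(token_name)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

def suspend_user_unprotected(session: Session, params: Dict[str, str], vo: VO) -> str:
    """Without the token: any POST naming a user suspends that user. The browser attaches the
    victim's session cookie (and client certificate) to a cross-site form post automatically,
    so a page under the attacker's control can trigger this."""
    vo.suspended.add(params["user"])
    return "success"

def suspend_user_protected(session: Session, params: Dict[str, str], vo: VO) -> str:
    """Same action behind the token check: a forged request has no token (the attacker's page
    cannot read the victim's form), a replayed request has an already-consumed token."""
    if not validate_token(session, params):
        return INVALID_TOKEN
    vo.suspended.add(params["user"])
    return "success"

def forged_request(user: str) -> Dict[str, str]:
    """Constructed cross-site request body: the attacker knows the parameter names but no token."""
    return {"user": user}

if __name__ == "__main__":
    session, vo = Session(), VO()
    print(suspend_user_unprotected(session, forged_request("alice"), vo), vo.suspended)
    print(suspend_user_protected(session, forged_request("bob"), vo), vo.suspended)  # invalid.token
    legit = dict(issue_token(session), user="carol")
    print(suspend_user_protected(session, legit, vo), vo.suspended)  # success
    print(suspend_user_protected(session, legit, vo))  # invalid.token: token already consumed
```

    The reason this cannot simply be switched on for the SOAP endpoints is visible in the forged request: the clients listed on the overview slide (VOMRS, MkGridmap, other services) authenticate and call the web services without ever rendering a form, so they would have no token to send and every call would end in `invalid.token`. The browser side needs the token precisely because cookies and client certificates are sent automatically, so authentication alone does not distinguish a user's own click from a cross-site post.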
  • Next steps

    • Phase II (VOMS Admin version 2.6)
    – Task assignment and delegation among administrators, i.e. an administrator can forward a request to another administrator (or group of administrators)
    – One-click group/role management for multiple users
    – Better support for sorting information in the web application
    – ETA: Dec. 2009

    • Phase III (VOMS Admin version 2.7)
    – Support for interfacing with third-party external membership databases
      • support for the CERN HR database
    – ETA: Feb. 2010

  • Links

    • VOMS/VOMRS Convergence Paper
    – http://www.fnal.gov/docs/products/voprivilege/documents/VomsVomrsConvergenceCHEP09-final.pdf

    • Savannah Patches:
    – https://savannah.cern.ch/patch/?3224 (VOMS 2.5 patch)

    • JRA1 Workplan tasks related to convergence:
    – https://savannah.cern.ch/task/?9884
    – https://savannah.cern.ch/task/?9885

    • Contacts:
    – [email protected]

  • Questions?