using the virtual organisation management portal to manage policy within globus toolkit, community...
TRANSCRIPT
Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI
resources
Asif Saleem, Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington
2
Overview
• Using Virtual Organisation Management (VOM) portal
• How VOM portal can be utilised for– Managing Globus Toolkit enabled resources
– Configuring Community Authorisation Service
– Administering ICENI
• Related Work• Conclusions
3
Why do we need VO Management?
• VO’s consists of – dynamic set of distributed resources.– distributed user base.– distributed management infrastructure.
4
Contd…
• VO’s need to provide services for– User authentication and authorisation– Defining and enforcing access control and usage
policies
• Every project is having to develop it’s own customised VO management setup
• Need to replace current manual processes which do not scale well
» policy based automated systems
5
Virtual Organisation Management (VOM) portal
• Portal for remote VO management. • Grid service to download and upload information
into the VOM database. • Client tools to interact with the service through Grid
Security Infrastructure (GSI) authenticated network connections.
• VOM Portal facilitates– User registration into VO using grid certificates. – Resource Access Control – Resource Usage Accounting and Reporting.
6
VOM Roles
• Ordinary users belonging to a VO/community & wanting to use grid resources.
• Resource managers wanting to make their grid enabled machines accessible to a VO/community.
• Administrators of a VO managing access control & monitoring usage of constituent users & resources.
7
VOM Usage: User
• Precondition: should have a certificate issued by CA accepted by VO.
• Registers with VO– Request propagated to VO Admin & on approval
to respective resource managers for account creation.
• Views his usage log on web.• Does not need to chase each site/resource in
VO & sign separate usage policy forms.
8
VOM Usage: Resource Manager
• Precondition: – Should have a certificate issued by CA accepted
by VO.– Manages/owns a grid-enabled resource
• Setup access control and logging capability by deploying client on his grid-enabled resource.
• Approve/Reject/Disable user access.
• Can view own usage stats/graphs.
9
VOM Usage: VO Administrator
• Precondition: – should have a certificate issued by CA accepted
by VO.
• Approve user enrolment requests through web page.
• Manage constituent resources.• Monitor usage of various users/resources or
whole VO.• View stats/graphs of historical VO usage.
10
User Interface Workflow
11
VOM Implementation
• Server– Java servlets hosted in Tomcat container– GT3 based web service– Apache with mod_jk Tomcat support
• Client– Java based– Connects to web service using secure (GSI)
connection
12
Managing Globus Toolkit enabled resources
• Resource access control – through automated grid-map file management
• Resource Usage Logging and Reporting– through instrumented job-managers provided
• Resource owner needs to setup respective clients, which connect to the VOM server over a secure connection
13
Resource Access Control
•
14
Resource Usage Service
•
15
Configuring Community Authorisation Service
• Allows resource providers to specify fine-grained access control for the community rather than individual users
Community manages itself
• grid-proxy-init –––––> cas-proxy-init
16
Configuring CAS
• CAS lacks a web interface for configuring VO’s trust relationships
• VOM provides a source of authenticated & authorised users
• The VO admin uses CAS to setup the VO's trust relationships (e.g. adding new users and objects) and to grant them fine-grained access control to the VO's resources.
17
Administering ICENI
• Each resource running ICENI has a– Domain Manager: implements fine-grained
access control policies relating to the resources in the private administrative domain
– Policy Manager: used to define access control policy at role, group, organisation or individual user level
– Identity Manager: used to authenticate users accessing resources, and authorise them against the access policy defined by the resource
18
ICENI ArchitectureICENI Architecture
Resource Manager
Policy Manager
CR
SR
Identity Manager
Domain Manager
CR
SR
Gateway between private and public regions
Public
Resource Browser
Public Computational Community
SR CR
Public Computational Community
SR
Private
Administrative
Domain
SR
CR
Resource Broker
Application Design Tools
Component Design Tools
Application Mapper
Web ServicesGateway
Application
Portal
Private
Computational Resource
SoftwareResources
NetworkResources
StorageResources
JavaCoG
Globus
19
Contd…
• ICENI Role Management GUI
• VOM Admin can also switch roles/groups a user belongs to within ICENI.– Needs a ICENI plugin installed on VOM server.
20
Related Work
• VOMS
• CAS
• GUMS
• PERMIS
• Akenti
21
Virtual Organisation Membership Service (VOMS)
• Developed for DataTAG by INFN and for DataGrid by CERN
• Database of user roles and capabilities– Administrative tools– Client interface
• voms-proxy-init– Uses client interface to produce an
attribute certificate (instead of proxy) that includes roles & capabilities signed by VOMS server
– Works with non-VOMS services, but gives more info to VOMS-aware services
• Allows VOs to centrally manage user roles and capabilities
22
VOMS Shortcomings
– Lacks web interface for user/resource registration
– Only maintains certificate DN & their assoc. groups info• Lacks any other info e.g. personal info, usage logs
• Does not collect any resource specific, site specific data
– Additional attributes in certificates do not conform to any standard => only VOMS enabled software can use it.
– Extensions planned @ • EU Data Grid / LCG
– Local Centre Authorisation Service (LCAS)
– Local Credential MAPping Service (LCMAPS)
– Java based Trust Manager
• FermiLab as part of US CMS, SDSS, and iVDGL projects– VOM Registration Server(VOM RS)
– VOMS eXtension (VOX) e.g. Site AuthoriZation (SAZ) and Local Resource Authorization Service (LRAS)
23
VOM comparison with VOMS
• VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc.
• Both provide grid-map file management capability through slightly different ways
• VOM does not provide attribute certificate generation capability
24
Community Authorisation Service (CAS)
• v1.0 released with Globus Toolkit version 3.2
• Allows resource providers to specify fine-grained access control for the community rather than individual users
Community manages itself
• grid-proxy-init => cas-proxy-init
25
CAS Shortcomings
• Functional– Lacks web front-end for user registration– Does not contain any info apart from DN, access rights– Resource logging & account mapping gets complicated
• due to use of totally new DN by CAS
• Non-Functional– Takes ultimate control away from site/resource owners, which is not
practical in real world scenarios– Built on top of Grid Security Infrastructure (GSI) hence dependency on
Globus.– royalty-free license from RSA needed to use it in other projects– Currently only a customised version of grid-ftp (supplied with CAS
distribution) supports CAS credentials– Hard to install & configure and more a prototype than a production ready
system as claimed
26
VOM comparison with CAS
• VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc.
• Both provide resource access control management mechanisms– VOM through grid-map file management
– CAS by abstracting the grid identities (i.e. user certificates) and using the community identities at resources as access control mechanisms
• VOM does not provide new proxy certificate generation capability like CAS.
27
VO #3 …
Grid User Management System (GUMS)
• US Atlas Grid
• Provides user registration facility.
• Shortcomings– Lacks a web interface
for user/resource registration, currently through email.
VO User Registry
Database VO #2
Database
Site User Info
Database
grid-mapfile
Site
Pull
cron job
28
PrivilEge and Role Management Infrastructure Standards Validation(PERMIS)
• Privilege Management Infrastructure (PMI) which uses attribute certificates conforming to the X.509 standard
• Policy driven engine accessible through a java API uses LDAP to store policies and attribute certificates
• Policies are written in XML
PERMIS API Implementation
AEF=(application Dependent) Access control Enforcement
Function
ADF= (application independent)Access control Decision Function
TargetPresentAccessRequest
Decision Requeste.g. DN+Access
Request
Decision e.g.Grant/Deny
AccessRequest
LDAPDirectories
Retrieve Policy and Role ACs
Role Action Target
Admin approveUserrightspage
29
PERMIS Shortcomings
• It just provides an authorisation framework using attribute certificates => policy driven authorisation– Does not store any other data about users e.g.
personal, usage etc.– Does not store any data about resources, sites etc.– Not intended to provide overall VO management
capability e.g. authentication of users or accounting of user/resource usages
30
Akenti Policy Language
• Provides a policy language based on XML
• Can be used for certificate based authorisation
• Shortcomings– Needs customised front end– No notion of VO
• Conceptually similar to PERMIS
31
VOM comparison with PERMIS & Akenti
• VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc.
• Both PERMIS & Akenti provide rich policy authorisation engine. VOM does not provide policy authorisation language, API or engine. => complimentary
32
Open Issues - VO Deployment issues
Manchester Oxford Edinburgh
NGS
London 1
Horizontal (National Grid Service)
VERTICAL
VERTICAL
Cambridge 1
London 2 Cambridge 2
33
Future Work
• Explicit RBAC using proposed NIST standard• Explicit policy management
– Separate Contract/SLA for VO, Resource, User joining VO
• Resource specifies minimum/average/maximum service offered
• Users specifies average & maximum service expectation
• Explore use of GLUE information Schema for import/export of user/resource info
• Explore pure web services implementation
34
Conclusions
• VOM provides a centralised management interface for managing a VO
• Can be used for resource access control and usage accounting for the Globus Toolkit
• Can be used as a secure web interface for configuring CAS
• Can also be used for role-based identity management in ICENI
35
Acknowledgments
• Testing and evaluation of software done with the help from members of the UK Grid Engineering Task Force.
• Deployed across the Level 2 UK e-Science Grid to provide user management and accounting capability (http://www.grid-support.ac.uk/l2g/).
• Work done as part of OSCAR-G project funded by DTI, Compusys & Intel (THBB/C/008/00028)
• CAS evaluation funded by JISC AAA programme
36
Acknowledgements
• Director: Professor John Darlington• Research Staff:
– Nathalie Furmento, Stephen McGough, William Lee– Jeremy Cohen, Marko Krznaric, Murtaza Gulamali– Laurie Young, Jeffrey Hau– David McBride, Ali Afzal
• Support Staff:– Oliver Jevons, Sue Brookes, Glynn Cunin, Keith Sephton
• Alumni:– Steven Newhouse, Yong Xie, Gary Kong– James Stanton, Anthony Mayer, Angela O’Brien
• Contact:– http://www.lesc.ic.ac.uk/ e-mail: [email protected]