• VOX Project
• VOMRS Concepts
• Registration flow
• EDG VOMS
• Open Issues
• VOMRS Status
• Web Gui Examples
05/17/2004 VOX Project 2
– to understand and model the registration workflow
– to provide VO registration mechanism
– to negotiate and monitor member authorization to grid
To facilitate the remote participation of physicists in effective and
timely analysis of data from the LHC experiments during DC04.
[Diagram. Surviving labels: VOMRS, VOMS EDG, BNL, ATLAS, SDSS, Local Center Registration, callouts, GUMS]
VOMRS: Identifying the workflow
• Understand that VO registration is a multi-level
process (institution, grid site, country, VO).
• Identify necessary elements of the registration
procedure and develop a model workflow.
• Identify administrative roles and responsibilities.
• Identify various implications of our model on sites
and site policies.
• Realize that the implementing technology must be
flexible to accommodate the different levels of
policies and requirements and to anticipate ongoing
VOMRS Concepts (I)
• Grid, VO, Certificate (DN,CA,..), Grid resource, Grid
represents research activities that are specific to a particular VO.
an experiment contains groups. A group may have sub-groups.
is an organization whose members participate in experiments within a
• Grid site:
is an institution that provides grid resources. Each site has policies
that require specific personal information.
• Grid job submission rights:
distinguishes between members who can submit grid jobs and those
who can only perform administrative tasks.
VOMRS Concepts (2)
• Personal information:
private and public data about an individual that is collected by
• Notification Event:
an action taken by the registration software that notifies
interested members of a change within the VO and describes
required responses, if any.
defines actions that a VO Member can perform within the VO. A
VO member can have one or more roles.
– A person who possesses a valid certificate from a Certificate
Authority approved by the VO.
– An experimenter who belongs to one of the VO institutions
and possesses a certificate from one of the VO-approved
Certificate Authorities. An applicant has submitted a VO
registration form but has not yet been approved.
– An applicant who has been approved. A member can submit
jobs to the Grid. By default a member is assigned to an
experiment-wide group.
• VO administrator:
– A designated VO member who is in charge of registration and
has access to all information collected by the VO. He is
responsible for assigning administrative roles.
• Institutional VO representative:
– Vouches for the identity of an applicant.
– Upon registration a member can select a representative from the
list of known representatives. The selected representative does not
necessarily belong to the member’s institution.
• Grid site administrator:
– Assigns/revokes the role of System Administrator or Local
Resource Provider to/from the VO members affiliated with the site
– Administers authorization of a VO member to the site. The details are
site-specific and depend on the regulations and policies of each
• Local resource provider:
– Administers authorization of a member to use the grid resource (this
could include adding the member to the gridmapfile, mapping the
member to a local account, etc.)
• Group owner:
– Creates groups and subgroups within the experiment.
– Assigns/revokes group manager/owner role to a member of
– A Group owner is a Group manager as well.
– A Group owner owns the group if he owns any of ancestor
• Group managers:
– Assigns/removes members to/from the group he manages
[Registration flow diagram. Surviving labels: VO Central Node, VOMRS, EDG VOMS, Member Proxy Server, Grid Site, Site Admin, notify]
Association with EDG VOMS
• EDG VOMS is currently used as a significant part of the VOX project:
– Extended Proxy generation
– Gridmapfile generation for local grid resource
– Query to get members, groups, roles by authorization services on local grid
• VOMS & VOMRS have some overlap in functionalities and stored data,
– VOMRS is a registration service that is accessed infrequently by people (not
– VOMS is a service that provides members with an extended proxy and should
sustain heavy load. It allows access by registered hosts.
– VOMRS keeps a lot of information about members and VO entities
(institutions, sites, etc). Member information is persistent.
– VOMS keeps minimal information about a member (DN, CA, group, role).
A member has to be deleted in order to deny him access to the Grid.
• The VOMRS Synchronizer is responsible for updating the VOMS database
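Added example (not from the slides or the VOMRS code base): since VOMS holds only (DN, CA, group, role) and denies access by deletion, synchronization can be modeled as a reconciliation of VOMS entries against VOMRS member records. The record layout, status names, group paths and sample DNs are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    """What VOMS keeps per member, as the slide lists it: DN, CA, group, role."""
    dn: str
    ca: str
    group: str
    role: str

def desired_entries(vomrs_members):
    """Entries VOMS should hold: only approved members get any."""
    wanted = set()
    for m in vomrs_members:
        if m["status"] != "approved":   # applicants and suspended members get nothing
            continue
        for group, role in m["memberships"]:
            wanted.add(Entry(m["dn"], m["ca"], group, role))
    return wanted

def sync_plan(vomrs_members, voms_entries):
    """Return (to_add, to_delete) that brings VOMS in line with VOMRS."""
    wanted, current = desired_entries(vomrs_members), set(voms_entries)
    return sorted(wanted - current), sorted(current - wanted)

# Constructed sample data; DNs, CA names, groups and statuses are assumptions.
CA1 = "/O=Example Grid/CN=Example CA 1"
CA2 = "/O=Example Grid/CN=Example CA 2"
ALICE = "/O=Example/OU=People/CN=Alice Example"
BOB = "/O=Example/OU=People/CN=Bob Example"

VOMRS_MEMBERS = [
    {"dn": ALICE, "ca": CA1, "status": "approved",
     "memberships": [("/vo", "member"), ("/vo/analysis", "group-manager")]},
    # Same DN under another CA is a separate identity and is suspended on its own.
    {"dn": ALICE, "ca": CA2, "status": "suspended", "memberships": [("/vo", "member")]},
    {"dn": BOB, "ca": CA1, "status": "applicant", "memberships": [("/vo", "member")]},
]
VOMS_ENTRIES = [
    Entry(ALICE, CA1, "/vo", "member"),
    Entry(ALICE, CA2, "/vo", "member"),   # stale: this DN/CA pair is now suspended
]

if __name__ == "__main__":
    to_add, to_delete = sync_plan(VOMRS_MEMBERS, VOMS_ENTRIES)
    for e in to_add:
        print("ADD   ", e)
    for e in to_delete:
        print("DELETE", e)
```

Keying on the (DN, CA) pair rather than the DN alone lets one certificate be removed from VOMS without touching the same person's other identity, while the VOMRS record itself stays persistent.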
• More complicated logic needs to be implemented to handle
deletion of Institutions and Certificate Authorities
• Membership suspension mechanism should be more
sophisticated (reason for suspension should be provided and
stored for auditing)
• Membership expiration mechanism should be defined and
• Suspension of a specific DN & CA that has been compromised
• Responsibilities of Sites are not really finalized
– Should the VO have an up-to-date list of banned users for each site
– Should it be mandatory to notify VO about approved/denied
member’s authorization status during the registration process with a
• Database issues:
– Transition to ORACLE
– Report Generation
• Version 1.0.3 has been released. It consists of:
– A server that handles event notifications and synchronization with VOMS
– Web UI and Web Services that provide means for member registration, role and group
assignments, and various administrative tasks
– VOMRS database and scripts to facilitate its initial creation and population
– Scripts to start/stop the server and client
– Configuration files that control the behavior of the server, Web UI and database settings
• RPMs & pacman cache (for server and client) are available on:
• User Documentation is available on:
• Test installation is running on (valid certificate is required to login):
• Bug reports:
• More info:
Fill in and submit the Registration form to apply for membership in the
USCMS VO. You will need to enter the Required Personal Info
(see link under menu).
Popup help
Displayed menu items depend on your role within the VO.
The following VOMRS entities are controlled by configuration:
a. VO Name
b. Usage Rules
d. Host location
e. Location of VOMS
synchronization
Required personal information
is dynamically configured by a
VO Administrator and can be
specific to a particular VO.