VOX for BNL

					VOX Project



Tanya Levshina
                 Presentation overview


      •      Introduction
      •      VOX Project
      •      VOMRS Concepts
      •      Roles
      •      Registration flow
      •      EDG VOMS
      •      Open Issues
      •      VOMRS Status
      •      Web Gui Examples


05/17/2004                       VOX Project   2
                            Introduction

      VOX Goals:
             – to understand and model the registration workflow
             – to provide VO registration mechanism
             – to negotiate and monitor member authorization to grid
               resources

      End Goal:
      To facilitate the remote participation of physicists in effective and
      timely analysis of data from the LHC experiments during DC04.




                               VOX Project
      [Diagram: VOX Project architecture. Labels in the figure: BNL;
      Fermilab; VO Members; VOMRS (ATLAS), VOMRS (SDSS), VOMRS (USCMS);
      VOMS EDG (ATLAS), VOMS EDG (SDSS), VOMS EDG (USCMS); GUMS; SAZ; LRAS;
      Local Center Registration Service (twice); Gatekeeper & callouts
      (twice); Grid Cluster (twice).]

     VOMRS: Identifying the workflow
      • Understand that VO registration is a multi-level
        process (institution, grid site, country, VO).
      • Identify necessary elements of the registration
        procedure and develop a model workflow.
      • Identify administrative roles and responsibilities.
      • Identify various implications of our model on sites
        and site policies.
      • Realize that the implementing technology must be
        flexible to accommodate the different levels of
        policies and requirements and to anticipate ongoing
        changes.


                     VOMRS Concepts (I)
      • Grid, VO, Certificate (DN,CA,..), Grid resource, Grid
        job …
      • Experiment:
             represents research activities that are specific to a particular VO.
      • Group:
             an experiment contains groups. A group may have sub-groups.
      • Institution:
             is an organization whose members participate in experiments within a
             particular VO.
      • Grid site:
             is an institution that provides grid resources. Each site has policies
             that require specific personal information.
      • Grid job submission rights:
             distinguishes between members who can submit grid jobs and those
             who can only perform administrative tasks.


                     VOMRS Concepts (II)
      • Personal information:
             private and public data about an individual that is collected by
             the VO.
      • Notification Event:
             an action taken by the registration software that notifies
             interested members of a change within the VO and describes
             the required responses, if any.
      • Role:
             defines actions that a VO member can perform within the VO. A
             VO member can have one or more roles.




                                  Roles (I)
      • Visitor:
             – A person who possesses a valid certificate from a Certificate
               Authority approved by the VO.
      • Applicant:
             – An experimenter who belongs to one of the VO institutions
               and possesses a certificate from one of the VO-approved
               Certificate Authorities. An applicant has submitted a VO
               registration form but has not yet been approved.
      • Member:
             – An applicant who has been approved. A member can submit
               jobs to the Grid. By default a member is assigned to an
               experiment-wide group.
      • VO administrator:
             – A designated VO member who is in charge of registration and
               has access to all information collected by the VO. He is
               responsible for assigning administrative roles.

                                 Roles (II)
      • Institutional VO representative:
             – Vouches for the identity of an applicant.
             – Upon registration a member can select a representative from the
               list of known representatives. The selected representative does not
               necessarily belong to the member’s institution.
      • Grid site administrator:
             – Assigns/revokes the role of System Administrator or Local
               Resource Provider to/from the VO members affiliated with the site
             – Administers authorization of VO members to the site. The details
               are site-specific and depend on the regulations and policies of
               each particular site.
      • Local resource provider:
             – Administers authorization of a member to use the grid resource
               (this could include adding the member to the gridmapfile, mapping
               the member to a local account, etc.)


                               Roles (III)
      • Group owner:
             – Creates groups and subgroups within the experiment.
             – Assigns/revokes group manager/owner role to a member of
               the VO.
             – A Group owner is a Group manager as well.
             – A Group owner owns a group if he owns any of its ancestor
               groups.
      • Group managers:
             – Assigns/removes members to/from the group he manages
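
The owner and manager rules above, written as an authorization check. This is an added example, not VOMRS code: the slash-separated group paths, the DNs and the role tables are constructed, and treating the manager role as not inherited is an assumption the slides do not settle.

```python
# Added illustration of the Group owner / Group manager rules; not VOMRS code.
# Group paths, DNs and the role tables below are constructed sample data.
OWNERS = {"/uscms/production": {"CN=Alice"}}        # owner role granted here
MANAGERS = {"/uscms/production/mc": {"CN=Bob"}}     # manager role granted here


def lineage(group):
    """Return the group and its ancestors: '/a/b/c' -> ['/a/b/c', '/a/b', '/a'].

    Comparing whole path components avoids the prefix bug where
    '/uscms/production2' would be treated as a child of '/uscms/production'.
    """
    parts = [p for p in group.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def is_owner(dn, group):
    """Owner of the group itself or of any ancestor group."""
    return any(dn in OWNERS.get(g, set()) for g in lineage(group))


def can_manage_members(dn, group):
    """Owners are managers too; a manager role applies only where granted
    (assumption: the slides do not say that manager rights are inherited)."""
    return is_owner(dn, group) or dn in MANAGERS.get(group, set())


def can_grant_roles(dn, group):
    """Creating subgroups and assigning owner/manager roles is owner-only."""
    return is_owner(dn, group)
```

An empty or unknown group path yields no lineage, so every check denies by default.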




                            Registration Flow
      [Diagram: registration flow. Labels in the figure: Institution;
      Representative; Applicant / Member; VO Central Node (VOMRS, EDG VOMS);
      Proxy Server; Grid Site (twice); Site Admin (twice); LRPS (twice).
      Arrow labels: query, register, notify, approve, synchronize.]

             Association with EDG VOMS
    •   EDG VOMS is currently used as a significant part of the VOX project:
         – Extended Proxy generation
         – Gridmapfile generation for local grid resource
         – Query to get members, groups, roles by authorization services on local grid
           clusters
    •   VOMS & VOMRS have some overlap in functionalities and stored data,
        but
         – VOMRS is a registration service that is accessed infrequently by people (not
           hosts)
         – VOMS is a service that provides members with an extended proxy and
           should sustain heavy load. It allows access by registered hosts.
         – VOMRS keeps a lot of information about members and VO entities
           (institutions, sites, etc). Member information is persistent.
         – VOMS keeps the minimum information related to a member (dn, ca,
           group, role). A member has to be deleted in order to deny him
           access to the Grid.

    •   VOMRS Synchronizer is responsible for updating VOMS database
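
A sketch of the split described above: VOMRS holds persistent member records, VOMS holds only the minimal view, and access is denied by deleting from VOMS. This is an added example, not the VOMRS Synchronizer's code; the record fields, status values, DNs, CA name and the account name are constructed, and roles are left out to keep it short.

```python
from dataclasses import dataclass

# Added illustration; the schema and all sample values are constructed.
@dataclass(frozen=True)
class VomrsMember:
    dn: str
    ca: str
    status: str            # "approved", "suspended" or "applicant"
    groups: tuple = ()
    reason: str = ""       # stays on the VOMRS side, e.g. for auditing

def desired_voms_entries(members):
    """Project persistent VOMRS records onto the minimal VOMS view:
    one (dn, ca, group) tuple per group of each approved member."""
    return {(m.dn, m.ca, g)
            for m in members if m.status == "approved" for g in m.groups}

def plan_sync(members, voms_entries):
    """Return (to_add, to_delete) so VOMS holds exactly the approved members.
    A suspended member is deleted from VOMS but kept in VOMRS."""
    want = desired_voms_entries(members)
    return sorted(want - voms_entries), sorted(voms_entries - want)

def apply_sync(voms_entries, to_add, to_delete):
    return (voms_entries | set(to_add)) - set(to_delete)

def gridmap_lines(voms_entries, account="uscms01"):
    """Grid-mapfile lines ('"DN" account') for the DNs present in VOMS."""
    return [f'"{dn}" {account}' for dn in sorted({e[0] for e in voms_entries})]

CA = "/DC=org/DC=example/CN=Constructed CA"
MEMBERS = [
    VomrsMember("/DC=org/DC=example/CN=Alice", CA, "approved",
                ("/uscms", "/uscms/production")),
    VomrsMember("/DC=org/DC=example/CN=Bob", CA, "suspended",
                ("/uscms",), "key compromised"),
    VomrsMember("/DC=org/DC=example/CN=Carol", CA, "applicant"),
]
# VOMS state before the run: Bob is still present from before his suspension.
VOMS = {("/DC=org/DC=example/CN=Alice", CA, "/uscms"),
        ("/DC=org/DC=example/CN=Bob", CA, "/uscms")}

if __name__ == "__main__":
    add, delete = plan_sync(MEMBERS, VOMS)
    print("\n".join(gridmap_lines(apply_sync(VOMS, add, delete))))
```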




                              Open Issues
      • More complicated logic needs to be implemented to handle
        deletion of Institutions and Certificate Authorities
      • Membership suspension mechanism should be more
        sophisticated (reason for suspension should be provided and
        stored for auditing)
      • Membership expiration mechanism should be defined and
        implemented
      • Suspension of a specific DN & CA that has been compromised
      • Responsibilities of Sites are not yet finalized
             – Should the VO have an up-to-date list of banned users for each
               site?
             – Should it be mandatory to notify the VO about a member's
               approved/denied authorization status during the registration
               process with a site?
      • Database issues:
             – Transition to ORACLE
             – Replication
             – Report Generation
                                VOMRS Status
      •      Version 1.0.3 has been released. It consists of:
              –   Server that is handling event notifications and synchronization with VOMS
              –   WEB UI and Web Services that provide means for member registration, role and group
                  assignments, and various administrative tasks
              –   VOMRS database, scripts to facilitate its initial creation and population
              –   Scripts to start/stop server and client
              –   Configuration files that control behavior of the server, WEB UI and database settings
              –   Documentation
      •      RPMs & pacman cache (for server and client) are available on:
              http://www.uscms.org/s&c/VO/downloads.html
      •      User Documentation is available on:
              http://computing.fnal.gov/docs/products/vomrs
      •      Test installation is running on (valid certificate is required to login):
              https://cmssrv08.fnal.gov:8443/vo-TEST/vomrs
      •      Bug reports:
              http://cmssrv08.fnal.gov:3080/bugzilla
      •      More info:
              http://www.uscms.org/s&c/VO
      •      E-mail:
              vo-project@fnal.gov

                                  WEB UI
                                (welcome page)
   Fill in and submit the Registration form to apply for membership in the
   USCMS VO. You will need to enter the Required Personal Info (see link
   under menu).

   The following VOMRS entities are controlled by configuration:
      a. VO Name
      b. Usage Rules
      c. Database configuration
      d. Host location
      e. Location of VOMS service and synchronization level

   Popup help

   Displayed menu items depend on your role within the VO




                                  WEB UI
                                 (registration)




Required personal information
is dynamically configured by a
VO Administrator and can be
specific to a particular VO.




                        WEB UI
                     (administration)

   [Screenshot callouts: VO Administrator’s menu; Search Criteria;
   Output control; Sortable search results]


                           WEB UI
                 (notification subscription)

   [Screenshot callouts: Member related events; VO Administrator
   related events]