VO Services Project – Stakeholders’ Meeting
May 11, 2009
Gabriele Garzoglio
Computing Division, Fermilab

Overview
1. Action Items from previous meetings
2. Deliverables of Phase III
3. Focus
  • The AuthZ Interop project is closing down
  • Status of the VOMRS / VOMS-admin convergence.
4. Closing activities
  • Maintenance plan and potential risks
5. Stakeholders' input
Action Items from Past Meeting
• Distribute list of features in vomrs/voms-admin convergence project to interested parties (Mine Burt). Done
• Discuss gLExec move to GlideIn WMS project with Atlas representatives (Torre, Maxim, Jose). Done
• Hold future update meeting on vomrs/voms-admin convergence. See status below
• Discuss AuthZ Interop architecture w.r.t. LIGO and WS-GK v4.2 with Mine. Considered Done ?
Deliverables of Phase III
• OSG / EGEE Authorization Interoperability (*)
• Support Storage Groups in Defining Next Generation Storage Authorization Models
• Convergence of VOMS-admin with VOMRS (*)
• Investigate Mechanisms to Define and Enforce VO and Site AuthZ Policies (SVOPME w/ TechX)
• Provide a validation tool for AuthZ config. in OSG
• Enable VOMS-signed Attribute Certificate Validation at OSG Resource gateways
Legend: DONE, IN-PROGRESS, NOT-DONE. (*) see discussion later
Authorization Interoperability Status
• Software stack certified in EGEE and OSG. Currently being deployed.
• Middleware Integrated:
  – Pre-WS Globus GK & GridFTP (PRIMA)
  – WS-GK v4.2 for “simple” jobs (Native interface)
  – gLExec (L&L / PRIMA)
  – SRM/dCache (gPlazma/privilege.jar) & BeStMan (privilege.jar)
  – PDP: GUMS (privilege.jar) / SCAS
• Still missing:
  – WS-GT4.2 for Delegation and RFT (waiting on OSG)
  – GridFTP / Native interface
  – WS-GT4.0 : AuthZ Interop integration NOT PLANNED
  – PDP: SAZ
  – VOMS PIP incubator project: collab FNAL / ANL / INFN
• Closing after successfully proven production deployment (Est. 06/09)
Future of Authorization ?
• Using AuthZ Interop:
  – Software developed in the US/EU can seamlessly be deployed in the EU/US
  – Software groups in EGEE/OSG and Globus can share and reuse common code
• OSG can use EGEE call-out (L&L/SCAS) directly (requires some development, including for gLExec monitoring)
• Interaction with new EGEE AuthZ Service?
  – Steven Newhouse wants v1 to be compatible with AuthZ Interop.
[Diagram: Module Dependencies (OSG case). Row labels: Gateway (on WN, CE, SE); Call-out; XACML lib; PDP. Gateways shown: Pre-WS GK, GridFTP, gLExec, WS GK v4.0, SRM/dCache. Call-outs shown: PRIMA, PRIMA WS, L&L, gPlazma, SAZ Clnt. Libraries shown: SAML1 lib, XACML2 gLite lib, SAML1 priv. lib, XACML2 priv. lib. PDPs shown: GUMS (SAML1, XACML2), SCAS (XACML2), SAZ (Internal, XACML2; "To SAZ clnts"). Legend: EGEE component used in OSG.]
[Diagram: Module Dependencies (OSG case in 2010). Row labels: Gateway (on WN, CE, SE); Call-out; XACML lib; PDP. Gateways shown: Pre-WS GK, GridFTP, gLExec, WS GK v4.2, SRM/dCache. Call-outs shown: L&L, GT4.2 Security, gPlazma. Libraries shown: XACML2 gLite lib, XACML2 priv. lib, XACML2 GT4.2 PEP. PDPs shown: GUMS (SAML1, XACML2), SCAS (XACML2), SAZ (Internal, XACML2). Legend: component or dependency foreseen by 01/2010; EGEE component used in OSG.]
[Diagram: Module Dependencies (EGEE case). Row labels: Gateway (on WN, CE, SE); Call-out; XACML lib; PDP. Gateways shown: Pre-WS GK, GridFTP, gLExec, SRM/dCache. Call-outs shown: L&L, GT4.2 Security, gPlazma. Libraries shown: XACML2 gLite lib, XACML2 priv. lib, XACML2 GT4.2 PEP. PDPs shown: GUMS (SAML1, XACML2), SCAS (XACML2), SAZ (Internal, XACML2). Legend: component or dependency available by 01/2010.]
VOMRS / VOMS-admin convergence
• The convergence is organized in 5 phases:
  http://indico.cern.ch/getFile.py/access?resId=0&materialId=minutes&confId=42799
  – Phase I: Implement JSPG requirements (Mar 2009)
  – Phase II: Migrate essential VOMRS features to VOMS Admin (Jan 2010)
  – Phase III: Interface with third party directory services (CERN HR db) (Spring 2010)
  – Phase IV: Validation and certification tests (N/A)
  – Phase V: Data migration from VOMRS to VOMS Admin (N/A)
• The VOMS-Admin developer has coded the features required for JSPG. No certification yet.
Component Maintenance
• GUMS: BNL (John H. / Jay P.)
  – AuthZ RSV Validation Probes (STG / BNL)
• Prima (Dave D.)
  – Collab w/ EGEE-Nikhef / Globus for AuthZ Interop libs
• gPlazma: dCache (Ted H.)
  – Includes privilege.jar (Collab w/ Jay P.)
  – Collab w/ EGEE-SWITCH for AuthZ Interop libs
• gLExec: GlideIn WMS (Burt H. / Dave D.)
  – Includes Gratia probe
• VO Policy / SVOPME (Gabriele G.)
• VOM(R)S convergence (Tanya L.)
Risks
• Oversubscription of the STG in managing the end-to-end delivery of authorization-related features. Mitigation ?
• Missed convergence of VOMRS / VOMS-admin. Mitigation: managed as an independent project w/ EGEE
• Deviation from agreed interoperability standards as the structure of the forum becomes more relaxed. Mitigation ?
Conclusions
• VO Service umbrella project is closing down (est. Jun 09)
• Major deliverables are mostly either complete or within a project structure to follow up with them (with different degrees of risk)
  – Exceptions: AC gateway validation
• Passing the baton for AuthZ in OSG to Mine. Gabriele will act as point of contact for triaging authorization questions. Future work on AuthZ will be handled as independent projects.
[Diagram: Authorization Infrastructure (the OSG case). Components: VO Services (VOMRS, VOMS); Site Services (GUMS, SAZ, GridSite); CE (Gatekeeper, Prima); SE (SRM, gPlazma); WN (gLExec, Prima); Storage; Batch System; VO. Labelled interactions, numbered 1 to 10 in the original: register; synch; get voms-proxy; Submit request with voms-proxy; Is Auth? Yes / No; ID Mapping? Yes / No + UserName; Submit Pilot OR Job (UID/GID); Access Data (UID/GID); Schedule Pilot OR Job; Pilot SU Job (UID/GID). Other labels: PDP; PEPs; "A Common Protocol for OSG and EGEE integrated with the GT"; Dave Dykstra. Legend: VO Management Services; AuthZ Components; Not Officially In OSG.]