VO Services Project – Status Report: Overview and Plans

Gabriele Garzoglio, Computing Division, Fermilab

May 8, 2007


Overview

• Status

• Effort

• Closing Phase II – Phase I closed as VO Privilege Project on transition from Ian Fisk a year ago

• Phase III?


Project Definition

From Project Database:

“The VO Services project provides user registration services and fine-grained access management to computing and storage resources on the Grid.”


VO Services Architecture

[Figure: VO Services architecture diagram; only the label "synchronizes" survives.]


WBS Update since last status Nov 2006

• Support ongoing for all of the above.

• Integration with ML not needed - ML deprecated on OSG

• GUMS monitor in place at GOC.

• Still want to improve validation framework

• Scalability measurements by end of Phase II


• Memory leak fix released to all of OSG.

• GUMS release V1.2 developed and in test; addresses many but not all requests

• gPlazma deployed.

• gLExec deployed (see Igor’s talk)


• VOMRS developments done (see slides from Tanya)

• Work on longer term roadmap proceeding and now defined as VO Services / Grid Security Services Phase III.


Deployment on OSG

• The authorization system GUMS has been deployed at O(10) sites
– US CMS T2 centers and T1 at FNAL
– US ATLAS T2 centers and T1 at BNL
– FermiGrid (includes SAZ) et al.

• US CMS, US ATLAS, DZero, et al. have defined roles that are implemented within VOMS.

• Sites configure GUMS (PDP) to implement local identity mapping


Effort

[Figure: "VO Services Effort" chart of FTEs (axis 0 to 2) by months since Jan 2006 (1 to 15), with series Management, Support, Devel./Int. (CMS) and Devel./Int., and annotations "Change of Project Leadership", "Start Phase II" and "New Reporting Activities".]

Disclaimer: effort from John Weigand NOT reported (~20%)


Closing Project Phase II

Deliverables of Phase II are due on the time scale of the OSG V0.8.0 release (Aug 07):

• GUMS v1.2 implementing most of WBS items above.

• LIGO Authentication Requirements (see Igor’s Talk)

• gLExec deployment for CDF/CMS (see Igor’s Talk).
– Will be in VDT.

• gPlazma
– Deployment underway. Further development and maintenance part of dCache.
– Storage role/access requirements part of Phase III

• VOMRS 1.3. Part of VDT release 1.6.1 in May 2006.
– CERN (01/07), Fermilab (04/07), APAC (11/06)


New Request from OSG

• Document current use of credential attributes precisely and completely.
– Document how attributes are used by VOs and Sites.
– Due for OSG Blueprint meeting Jun 7.
– Identify inconsistencies.
– Record typical site configurations.

• Use as a basis in OSG and at Fermilab to discuss future directions.


Options for Phase III?

• Phase II of the project is minimally operations and maintenance for the stakeholders. Will require ~0.5 FTE.
– May be new requirements to meet interoperability with EGEE once Job Prioritization really in use.
– May be new requirements to meet security requirements of Fermilab and other sites.

• Could include completing current requests for GUMS (V2.0) (~6 FTE months. Request for BNL to continue OSG support for GUMS development is under discussion). Improve:
– configuration management (hot swapping configs)
– usability (access historical mapping information, full role-mapping to pool accounts)
– debugging capabilities
– redundant service configurations (with FermiGrid)


Goals for Phase III?

• Interface/integrate/migrate OSG AuthZ components more into emerging standards.

• Set path for less effort in the future

• Prepare for use of new AuthN mechanisms (i.e. Shibboleth).

• VOMRS
– Interface to Shib; Use more standard workflow engine, persistency, UI technology

• Accounting integration: Interface roles GRAM-Auditing and Gratia

• Support finer-grain access to Storage
– SRM/dCache does not manage privileges directly via X509 credential attributes. UID, GID, Root Path, … mappings are required.
– Stakeholders are interested in supporting combinations of read / write accesses to files / directories by VO, VO groups, and group roles.

• Improve software stack validation and regression tests across releases.

• Ongoing OSG - EGEE AuthZ interoperability. Already started:
– Globus develops the common library (based on XACML2/SAML2): β-version released on schedule (Apr 07).
– Understanding and feeding back OSG and EGEE requirements: implementation of some key features estimated for June
– Holding regular meetings (Oct 06, Feb 07, Mar 07, Apr 07, planned Jun 07)


What about Policy?

• Currently no mechanism to define VO authorization policies and apply them consistently across sites.
– SBIR Phase I grant approved

• More maintainable authentication management by implementing a site-centralized certificate validation service.

• Integration with distributed Identity Management Services (Shibboleth)


How do we decide the roadmap?

• Complete Phase II in August.

• Review and respond to “Credential Attribute Usage Paper”.

• Establish commitment of EGEE to common protocols: Visit to EGEE in June.

• Establish commitment of Globus to collaboration: Deliverables in progress.

• Update the requirements of stakeholders for Policy definition and enforcement.

Briefing to CD in July as part of the activity based budget planning?