Multi-Site VOs and Multi-VO Sites in Open Science Grid
Global Grid Forum GridWorld GGF15 Boston USA October 03 2005
Abhishek Singh Rana and Frank Wuerthwein UC San Diego www.opensciencegrid.org
The Open Science Grid Consortium
Slide 1: Multi-Site VOs and Multi-VO Sites in Open Science Grid
Abhishek Singh Rana, UC San Diego
Frank Wuerthwein, UC San Diego ([email protected])
GridWorld/GGF15, October 3-6, 2005, Boston, MA, USA
Community Activity: Leveraging Site Infrastructure for Multi-Site Grids
Slide 2: Collaborative Effort
Open Science Grid RBAC, Security and Policy Frameworks
Privilege Project participants: PPDG Common, USATLAS, USCMS, Fermi National Lab, Brookhaven National Lab, U California San Diego, Virginia Tech
Technical Lead: Ian Fisk, FNAL
Technical Coordinator: Dane Skow, FNAL
Slide 3: Outline
• Concepts & Goals.
• Examples
– Compute Element.
– Storage Element.
– User work space at a compute node.
Slide 4: OSG Approach: Concepts
• Global specification of privilege requirements per Role.
• Site central mapping of Role to implementation of privilege requirements.
• Local enforcement of privilege requirements.
Slide 5: Multi-Site VO
[Diagram: one VO spanning several sites, each site with a Compute Element (CE) and a Storage Element (SE).]
Slide 6: Multi-VO Site
[Diagram: one site, with its CE and SE, serving several VOs.]
Slide 7: A Multi-VO Multi-Site Grid
[Diagram: many sites, each with a CE and an SE, shared by many VOs.]
Slide 8: OSG Approach
• VO defines Roles and associated privileges by specifying expected functionality.
– E.g. cmssoft may install software in an area that is read-only by all cmsgrid user jobs running on the site/campus.
– E.g. cmssvc may deploy a DB cache available to all cmsgrid user jobs running on the site/campus.
• Site maps VO-scope identities to local-scope identities.
– Site-wide management of the mapping.
– Service-level granularity of the mapping.
• Site enforces VO privilege policies within local-scope identities.
• Authorization = !(Site-vetoed) && (VO-allowed)
Slide 9: Site authorization architecture
[Diagram of the site authorization architecture. Components: VO Attribute Repository; Local or Remote Client with a proxy carrying VO Membership | Role Attributes; Site-wide Assertion Service holding Service X Veto, Service Y Veto and Service Z Veto; Site-wide Mapping Service; Auxiliary Mapping Service; Authorization Service for Services X, Y, Z; Auxiliary Authorization Service for Service Z; Callout Module for X, Y and Callout Module for Z; Services X, Y and Z running on Host 1 and Host 2 within the Site.]
Slide 10
[Same diagram as slide 9, annotated with PDP (Policy Decision Point) and PEP (Policy Enforcement Point) labels on the components.]
Slide 11: Example: Compute Element
Slide 12: CE: Globus and Condor
• PRIMA and GUMS provide CE authz in the OSG approach.
– PRIMA authenticates.
– GUMS translates {DN, Membership, Role} to Username.
– System translates Username to site-wide {UID}.
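The chain on slides 8 and 12, as an added worked model (not code from the OSG Privilege Project or from GUMS, PRIMA or SAZ): the site veto is checked first, then the VO's allowed roles, then a GUMS-style map of {DN, Membership, Role} to a username (static accounts for privileged roles, a per-DN leased pool for plain users, as slide 13 mentions), then the username to a site-wide UID. All DNs, role names, account names and UIDs are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyAttrs:
    """Attributes carried by a VOMS proxy (constructed model)."""
    dn: str
    vo: str      # VO membership
    role: str    # VO role, e.g. "cmssoft"

# VO-scope policy: (VO, role) pairs the VO allows on a CE (hypothetical data)
VO_ALLOWED = {("cms", "cmssoft"), ("cms", "cmssvc"), ("cms", "cmsuser")}

# Site-wide veto (SAZ-style): DNs the site refuses regardless of VO policy
SITE_VETO = {"/DC=org/DC=example/CN=revoked user"}

# GUMS-style mapping: static account per privileged role, pool accounts for users
STATIC_MAP = {("cms", "cmssoft"): "cmssoft", ("cms", "cmssvc"): "cmssvc"}
POOL_PREFIX = {("cms", "cmsuser"): "cms"}
POOL_SIZE = 3

# Site account database (stand-in for /etc/passwd): username -> UID
PASSWD = {"cmssoft": 5001, "cmssvc": 5002,
          "cms001": 6001, "cms002": 6002, "cms003": 6003}

def gums_map(attrs, pool_state):
    """Translate {DN, Membership, Role} to a username.

    Pool accounts are leased per DN so two DNs never share a UID; an
    exhausted pool yields None (deny) rather than reusing an account.
    """
    key = (attrs.vo, attrs.role)
    if key in STATIC_MAP:
        return STATIC_MAP[key]
    if key in POOL_PREFIX:
        leased = pool_state.setdefault(key, {})
        if attrs.dn not in leased:
            if len(leased) >= POOL_SIZE:
                return None
            leased[attrs.dn] = f"{POOL_PREFIX[key]}{len(leased) + 1:03d}"
        return leased[attrs.dn]
    return None

def authorize(attrs, pool_state):
    """Authorization = !(Site-vetoed) && (VO-allowed); returns (username, uid) or None."""
    if attrs.dn in SITE_VETO:                  # local veto wins over any VO grant
        return None
    if (attrs.vo, attrs.role) not in VO_ALLOWED:
        return None
    username = gums_map(attrs, pool_state)
    if username is None or username not in PASSWD:
        return None
    return username, PASSWD[username]          # system translates username -> UID
```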
Slide 13: CE authorization deployment
[Diagram: a local or remote client presents a proxy with VO Membership | Role Attributes obtained from VOMS; at the site, SAZ is the Site-wide Assertion Service and GUMS is the Site-wide Mapping Service; on the CE, the Globus Gatekeeper PRIMA callout uses the PRIMA C SAML libraries.]
Deployed at many sites/campuses with static UIDs as well as UID pools.
Slide 14: Example: Storage Element
Slide 15: SE: SRM-dCache
• Different doors for different authz methods.
• Same underlying local authz mechanism.
• Can be mapped to the site's UID/GID domain.
• Or be restricted to SRM-dCache only.
• Examples:
– USCMS-VO at FNAL: Site UID domain.
– CDF-VO at FNAL: Site Kerberos domain.
Slide 16: SE: SRM-dCache
• gPLAZMA extends the SRM-dCache separation of SE authz and CE authz to the OSG approach.
– gPLAZMA authenticates.
– Storage Authz Service contacts GUMS and the gPLAZMA Storage Metadata Service.
– GUMS translates {DN, Membership, Role} to Username.
– System optionally translates Username to site-wide {UID, GID}.
– gPLAZMA Storage Metadata Service translates Username to Storage-privilege Set.
– Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}.
– Storage-privilege Set is a User-level ACL governed by {DN, Membership, Role}.
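The storage step on slide 16, as an added worked model (not gPLAZMA's own code): a username is looked up in a stand-in for the Storage Metadata Service to obtain its Storage-privilege Set {UID, GID, permitted storage area, R/W permissions}, and a door-side check applies that set to one request. Usernames, paths and IDs are constructed; the check normalizes the path so a request cannot leave the permitted area through ".." segments.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class StoragePrivilegeSet:
    """{UID, GID, permitted storage area, R/W permissions} for one username."""
    uid: int
    gid: int
    area: str      # permitted storage area, an absolute path prefix
    read: bool
    write: bool

# Stand-in for the gPLAZMA Storage Metadata Service: username -> privilege set
# (constructed sample data; a real site chooses its own UIDs, GIDs and areas)
STORAGE_METADATA = {
    "cmssoft": StoragePrivilegeSet(5001, 5000, "/pnfs/site/cms/sw", True, True),
    "cms001":  StoragePrivilegeSet(6001, 5000, "/pnfs/site/cms/user/cms001", True, True),
    "cms002":  StoragePrivilegeSet(6002, 5000, "/pnfs/site/cms/sw", True, False),
}

def inside_area(area, path):
    """True only if the normalized path is the area itself or lies beneath it."""
    p = posixpath.normpath(path)
    a = posixpath.normpath(area)
    return p == a or p.startswith(a.rstrip("/") + "/")

def storage_authorize(username, op, path):
    """Door-side enforcement of the Storage-privilege Set for one request.

    op is "read" or "write"; returns the (uid, gid) the transfer should run
    under when the request is permitted, None otherwise.
    """
    privs = STORAGE_METADATA.get(username)
    if privs is None:                        # unknown to the metadata service
        return None
    if not posixpath.isabs(path) or not inside_area(privs.area, path):
        return None                          # outside the permitted area
    if (op == "read" and privs.read) or (op == "write" and privs.write):
        return privs.uid, privs.gid
    return None                              # permission not granted for op
```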
Slide 17: CE and SE authorization deployment
[Diagram: as on slide 13 (VOMS-issued proxy, SAZ as Site-wide Assertion Service, GUMS as Site-wide Mapping Service, Globus Gatekeeper PRIMA callout with the PRIMA C SAML libraries on the CE), extended with the SE: the SRM-GridFTP gPLAZMA callout, the PRIMA Authorization Service, PRIMA Java SAML gPLAZMA, the gPLAZMA Storage metadata service as Auxiliary Mapping Service, and the gPLAZMALite Authorization Services suite.]
Slide 18
[Same diagram as slide 17, with the OGSA AuthZ interface label added.]
Slide 19
[Same diagram as slide 17, with the component names expanded:]
• PRIMA: A System for Privilege Management and Authorization in Grids
• gPLAZMA: grid-aware Pluggable Authorization Management System
• GUMS: Grid User Management System
• SAZ: Site Authorization Service
• VOMS: Virtual Organization Membership Service
Slide 20
[Same diagram as slide 17, with the contributors credited:]
• PRIMA: Markus Lorch, VT
• gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL
• GUMS: Gabriele Carcassi, BNL
• SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL
• SRM-dCache: DESY/FNAL teams
• VOMS: INFN teams, Italy
Slide 21: SE ACLs: VO versus Site Control
• VO control of ACLs.
– All files are owned by the VO.
– Simple solutions.
– VO PDP, separated from the Resource.
• Site control of ACLs.
– All files are owned by the {DN, Membership, Role} of a User.
– Site SE enforces global (VO) and local (site) policies.
– Global & local policies are used together to aid in isolation of privileges, grant privacy to the user, and perform fine-grained security.
– Demands sophisticated solutions.
– Site PDP, closer to the Resource.
Slide 22: Example: User work space
Slide 23: Consider a simple goal…
If a user credential gets compromised, the miscreant must be restricted to exploiting the stolen credentials to only run the user's application.
• What would this require?
– Slicing of a Resource, on demand.
– PEP closer to such finer slices of a Resource.
– Customized (possibly transient) slices.
– Isolation of the environment of such a slice.
• A resource slice and applications make a work space.
Slide 24: User work space
• Concepts
– TID (Transactional Identity) = {DN, Membership Profile, Set of Roles}
– Thus, TID is VO & "application type" specific.
– TID functions as a tag for work space characteristics.
– Site central mapping service translates TID into work space characteristics.
– Compute node local service provisions work space according to characteristics.
Slide 25: Summary of OSG Approach
• Global specification of privilege requirements per role.
– Means to do so are lacking today!
• Site central mapping of role to implementation of privilege requirements.
– Simple solutions in production usage.
• Local enforcement of privilege requirements.
– Simple solutions in production usage.
– Moving forward to designing more advanced solutions.