VO Management: Solution for DGI and AstroGrid



  1. VO Management: Solution for DGI and AGD
  2. Overview
       • Introduction and list of services used
       • Current VO management architecture
       • Implementation steps
       • Coordination with DGI
       • Problems & Future aspects
     Astrogrid-D Meeting 11.06.2007 / TU München Iliya Nickelt
  3. I: Introduction
       • VOrgs ("VO") are a method for collaborative sharing of resources in a Grid
       • An often discussed and demanded feature of Grids
       • Especially for astrophysics, where diverse collaborations are standard
       • But: essentially no procedure for VOrg management in GT4
     GT4 technical background
       • /etc/grid-security/grid-mapfile contains the list of locally accepted users and how they are mapped to unix users (by the globus task)
       • Any VOrg procedure must control this list
       • Details (access rights, quotas) must be implemented elsewhere
  4. VOrg Solutions
       • VOMS (EGEE)
           • Advantages: Works
           • Disadvantages: Needs gLite, no individual user mapping
       • GridShib
           • Advantages: No central user management necessary (any authorised entity can sign certificates)
           • Disadvantages: Not ready; "Light weight security"
       • VOMRS (Vox Project)
           • Advantages: Works, more detailed user management than VOMS
           • Disadvantages: Central user management necessary (single point of failure - update GridKA cert now!), standard procedure assumes gLite (GUMS)
  5. VOMRS
       • Result of the VOX project (Fermilab / CERN / INFN)
       • Central database to collect user certificates and additional data
       • Secure (signed certificate necessary)
       • Simple administration
       • Supports VOMS (gLite) authentication mechanism
  6. AGD's VOMRS extensions for GT4
       • (Authors: Harry Enke, Michael Braun, Iliya Nickelt)
       • "VOrg Member Number" mapping extension to the VOMRS database
       • VOlist
           • A simple Java applet that lists the database contents
           • Can create a grid-mapfile or supply more detailed data
       • ManageLocalGriduser.pl
           • Uses VOlist to retrieve the data of one VOMRS database
           • Maps member number to local user name (e.g. 22 → agd022)
           • Allows filtering and blacklists
           • Can manage several VOMRS databases and map different communities accordingly
  7. DGI solution
       • Result of the integration project "VO Management"
       • GridShib favorable, but VOMRS provided a stable solution faster
       • Thus we convinced them of the AGD-VOMRS solution and then they took it over.
       • FZ-Jülich offers VOMRS servers for all CGs and DGI resources
       • Astrogrid: Special agreement, DGI server will be a copy of the AstroGrid-D VOMRS (under construction)
       • https://dispatch.fz-juelich.de:8814/D-Grid-VO-Member (a little hard to find)
  8. Installation procedure
       • Copy program files into default /root/VOMRS/
       • Contains manage_local_griduser.pl, config and default .rc files (for new users)
       • Add VOlist address of the VOMRS server(s)
       • Run as cron job (e.g. 01 02 * * *)
       • All changes to gridmap files are logged (and recoverable…)
       • NFS for clusters supported
       • merge-gridmap still works
  9. AGD's Mapping feature
       • Each unique certificate is mapped to a VOrg member number.
       • VOrg member numbers are not certificate specific and can be re-assigned
       • The VOrg member number determines which unix user account the member is mapped to
       • Limits the number of accounts on the resources, avoids "zombie" accounts
       • Allows old accounts to be "taken over", e.g. in case of certificate change, etc.
       • Potential problem with "inheriting" old account data (cleanup procedure when leaving the grid?)
  10. Problems of the VOrg server concept
       • No UI solution (yet) for certain mapping demands (e.g. when a certificate is running out)
       • When the same identity (DN) is a member of several imported VOrgs, which VOrg shall be dominant? Two solutions for conflict resolution:
           1. Choose a different user name dependent only on the certificate
           2. Establish a root VOrg server to settle conflicts
       • Systematic registration procedures necessary (tree) or exchange concept (peer) between VOrg servers that mutually accept each other
  11. Coordination of VO servers
      [Diagram: VO Root-server; VOMRS AstroGrid-D (VOlist) and VOMRS DGI (DGItool); Resource 1, Resource 2, Resource 3…; Conflict]
  12. Future tasks
       • Collaboration/integration of the VOlist mechanism into VOMRS (VOX). Alternatively: research VOX solutions for user mapping etc.
       • Attempt to integrate the diverse number of international VOrgs in EGEE-III / via AGENA
       • Set up an astronomical Root-VO to coordinate grid projects in astrophysics? (Or even all grid projects?)
  13. More future tasks
       • How to handle quotas, data sharing, accounting and billing?
       • Ultimately: extension of the grid-mapfile (in GT5?) to allow more detailed user management: the grid-mapfile can become Globus' passwd (and more)
       • Automatic config file download, to import complete VOrgs and Sub-VOrgs from a root-server. Example:
             accept aip.astrogrid-d unlimited
             accept *.astrogrid-d account_astrogrid
             accept testers_dgi account_dgi
       • Define a default setting for certificate import that is valid for all resources of a VOrg and imported from the VOrg server as well (individual deviations are possible, of course)
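
The member-number mapping (slides 6 and 9) and the multi-VOrg conflict (slide 10), as an added Python example that is not part of the slides or of the AstroGrid-D tools. The member tuple layout, the "dgi" prefix, the DN allow-list and the local precedence order are assumptions; only the 22 → agd022 rule and the quoted-DN grid-mapfile line format are taken as given.

```python
import re

# Constructed sample input: (VOrg, member number, certificate DN).
# The real VOlist output format is not shown on the slides; this layout is assumed.
MEMBERS = [
    ("astrogrid-d", 22, "/C=DE/O=GermanGrid/OU=AIP/CN=Example User A"),
    ("astrogrid-d", 7,  "/C=DE/O=GermanGrid/OU=TUM/CN=Example User B"),
    ("dgi",         5,  "/C=DE/O=GermanGrid/OU=AIP/CN=Example User A"),  # same DN, second VOrg
    ("dgi",         9,  "/C=DE/O=GermanGrid/OU=FZJ/CN=Example User C"),
    ("astrogrid-d", 31, '/C=DE/O=GermanGrid/CN=bad" root'),              # malformed DN
]
PREFIX = {"astrogrid-d": "agd", "dgi": "dgi"}  # "agd" is from the slides; "dgi" is assumed
BLACKLIST = {"/C=DE/O=GermanGrid/OU=FZJ/CN=Example User C"}
# Allow-list for DNs (assumed): a quote or newline in a DN could otherwise
# inject an extra mapping line into the generated grid-mapfile.
SAFE_DN = re.compile(r"(/[A-Za-z0-9.]+=[A-Za-z0-9 .@_()-]+)+")


def local_account(vorg, number):
    """Member number -> unix account name, e.g. 22 -> agd022."""
    return f"{PREFIX[vorg]}{number:03d}"


def build_gridmap(members, blacklist, precedence):
    """Return (grid-mapfile lines, conflicts, rejected DNs).

    precedence lists VOrgs from most to least dominant; it stands in for the
    "which VOrg shall be dominant?" decision the slides leave open.
    """
    rank = {vorg: i for i, vorg in enumerate(precedence)}
    chosen, conflicts, rejected = {}, [], []
    for vorg, number, dn in sorted(members, key=lambda m: rank[m[0]]):
        if dn in blacklist or not SAFE_DN.fullmatch(dn):
            rejected.append(dn)
            continue
        account = local_account(vorg, number)
        if dn in chosen:
            # Same identity imported from a second VOrg: keep the dominant
            # mapping and record the clash for the administrator's log.
            conflicts.append((dn, chosen[dn], account))
            continue
        chosen[dn] = account
    lines = [f'"{dn}" {acct}' for dn, acct in sorted(chosen.items())]
    return lines, conflicts, rejected


if __name__ == "__main__":
    lines, conflicts, rejected = build_gridmap(MEMBERS, BLACKLIST, ["astrogrid-d", "dgi"])
    print("\n".join(lines))
    print("conflicts:", conflicts)
    print("rejected:", rejected)
```
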