A VO-Oriented AuthN/AuthZ Approach

Post on 21-Jan-2016


DESCRIPTION

A VO-Oriented AuthN/AuthZ Approach. Vincenzo Ciaschini, EGEE 2nd User Forum, Manchester, 9-11 May, 2007. Problem Statement: user AuthN/AuthZ management on the grid is rapidly changing and evolving; VOs define/use/modify groups and roles. (PowerPoint PPT presentation)

TRANSCRIPT

EGEE-II INFSO-RI-031688

Enabling Grids for E-sciencE

www.eu-egee.org

EGEE and gLite are registered trademarks

A VO-Oriented AuthN/AuthZ Approach

Vincenzo Ciaschini

EGEE 2nd User Forum

Manchester, 9-11 May, 2007

2nd EGEE User Forum (9-11/5/07) 2


Problem Statement

User AuthN/AuthZ management on the grid is rapidly changing and evolving:

– VOs define/use/modify groups and roles.
– VOs require different execution priorities for different users.
– VOs require dedicated resources for specific users in delicate periods (see Data Challenges, etc.).
– Funding agencies can force constraints affecting resource allocations.
– Sites may want to enforce site-specific policies.


An AuthN/AuthZ infrastructure

[Diagram: a resource service (WMS/CE/SE) consults an AA (attribute authority) for the user's groups/roles and a PDP (policy decision point) for the policies that apply to them.]

PDP policy table:

GROUP              WHERE              HOW            WHEN
/atlas/production  Tier1s             HIGH PRIORITY  May 2007
/atlas             Tier1s and Tier2s  MID PRIORITY   ANY
/atlas/students    Tier2s             LOW PRIORITY   ANY

AA membership table:

USER                  GROUP
O=INFN/CN=John Smith  /atlas/production
...                   ...

Exchange shown in the diagram:

WMS/CE/SE -> AA: "Hi AA! Can you give me all my groups/roles membership?"
AA -> WMS/CE/SE: groups/roles
WMS/CE/SE -> PDP: "Hi PDP! Can you give me all policies concerning group/roles of the user?"
PDP -> WMS/CE/SE: policies


VOMS (AA) / G-PBox (PDP)

[Diagram: at the VO level, VOMS (the AA) and a VO G-PBox serve the user; each site runs a Site G-PBox; the WMS talks to G-PBox through a G-PBox plugin; each CE talks to G-PBox through a G-PBox LCAS plugin.]


Policy classification

• Site policies (originated by sites)
  – Ban-list
  – …
• VO policies (originated by VOs)
  – Intra-VO priorities
  – …


Site policies: Ban lists

• Banning users:
  – The site admin writes a policy banning a user or a group.
  – The ban policy gets communicated back to the VO G-PBox.
  – Whenever a job is sent to the WMS, policy evaluation happens and resources where the user is banned do not receive the job.

[Diagram: a job is submitted to the WMS; the WMS evaluates against the VO G-PBox, which holds the ban policy received from the Site G-PBox.]


VO policies: Intra-VO priorities (1/2)

• Step 1:
  – Define a set of shares on CEs which implement the required priorities.
  – Publish into the IS the shares that are supported (without publishing details, i.e. policies, about how they are used).
  – This has already been solved and implemented!
• Step 2:
  – Send a job to a CE which implements the correct share.
  – Let the CE map the job on the correct share.


VO policies: Intra-VO priorities (2/2)

• Mapping jobs to shares: a G-PBox solution.
  – The VO writes policies mapping VO groups into share names.
  – The sites write policies mapping share names into actual batch system shares.
  – The VO sends their mapping policies to the site. The two get combined.
  – Whenever a job is sent to a CE, evaluation happens and the job is mapped to the right account.

[Diagram: a job arrives at the CE; the Site G-PBox evaluates the combined policies of the VO G-PBox and the site.]


G-PBox and CE

[Diagram: a job for group /atlas/analysis arrives at the CE and asks which LSF queue it belongs in; combining the two policy tables below, the CE maps it to the atlas_mid account.]

Atlas Policies (dynamic):

Atlas group        ACBR
/atlas/production  production
/atlas/analysis    analysis
/atlas/students    students

Site Policies (almost static):

ACBR        Unix ID
production  atlas_high
analysis    atlas_mid
students    atlas_low


G-PBox and WMS

[Diagram: the ATLAS WMS layer, through its G-PBox plugin, asks the VO G-PBox which ACBR a job for group /atlas/analysis maps to; the answer is ACBR: analysis, and the job is matched to the ATLAS CEs publishing ACBR: analysis rather than those publishing ACBR: students.]

Atlas Policies (dynamic):

Atlas group        ACBR
/atlas/production  production
/atlas/analysis    analysis
/atlas/students    students

ATLAS CEs shown in the diagram: two publishing ACBR: analysis and two publishing ACBR: students.
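As an added example (not code from the presentation or from G-PBox itself), the following Python sketch models the evaluation described on the ban-list, intra-VO priority, G-PBox/CE and G-PBox/WMS slides: a VO policy maps VOMS groups to ACBR share names, a site policy maps share names to local accounts and carries a ban list, the WMS keeps only CEs that publish the user's share and do not ban the user, and the CE picks the local account. The ACBR names, account names and the John Smith DN come from the slides; the CE host names, the Jane Doe DN and the longest-group-wins rule are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class VOPolicy:
    """VO policy (dynamic): VOMS group -> ACBR share name."""
    group_to_share: dict

@dataclass
class SitePolicy:
    """Site policy (almost static): share name -> local account, plus a ban list."""
    share_to_account: dict
    banned: set = field(default_factory=set)  # banned user DNs or VOMS groups

def acbr_for(groups, vo_policy):
    """VOMS returns every group the user belongs to; assumed rule: the most
    specific (longest) group the VO policy maps wins, so /atlas/production beats /atlas."""
    for g in sorted(groups, key=len, reverse=True):
        if g in vo_policy.group_to_share:
            return vo_policy.group_to_share[g]
    return None

def is_banned(user_dn, groups, site_policy):
    return user_dn in site_policy.banned or bool(site_policy.banned & set(groups))

def wms_select(user_dn, groups, vo_policy, ces):
    """WMS stage: keep CEs that publish the user's share in the IS and whose
    site policy (communicated back to the VO G-PBox) does not ban the user."""
    share = acbr_for(groups, vo_policy)
    return [ce for ce, (published, site) in ces.items()
            if share in published and not is_banned(user_dn, groups, site)]

def ce_map(user_dn, groups, vo_policy, site_policy):
    """CE stage: combine VO and site policies to pick the batch-system account."""
    if is_banned(user_dn, groups, site_policy):
        return None
    return site_policy.share_to_account.get(acbr_for(groups, vo_policy))

# Constructed sample data mirroring the slides' ATLAS example.
ATLAS_VO = VOPolicy({"/atlas/production": "production",
                     "/atlas/analysis": "analysis",
                     "/atlas/students": "students"})
SITE_A = SitePolicy({"production": "atlas_high", "analysis": "atlas_mid",
                     "students": "atlas_low"})
SITE_B = SitePolicy({"analysis": "atlas_mid", "students": "atlas_low"},
                    banned={"O=INFN/CN=Jane Doe"})  # constructed DN
# CE -> (shares published in the IS, that site's policy); host names are made up.
CES = {"ce-a.example": ({"production", "analysis", "students"}, SITE_A),
       "ce-b.example": ({"analysis", "students"}, SITE_B)}
```

Note that ce-b.example never publishes a production share, so a /atlas/production job is routed only to ce-a.example without the site ever revealing how its shares are configured.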


Advantages

• VO policies management
  – If VO admins want to change relative priorities of different groups, all they need to do is change their policy in their VO; everything else is done by the system.
• Site independence and privacy
  – Sites do not need to publish (e.g. in the BDII) the details of their internal setup.
  – Sites are free to change their site-specific policies according to local constraints and rules.


Screenshots

[Three slides of screenshots; the images are not included in the transcript.]

The Team

• Vincenzo Ciaschini
• Andrea Ferraro
• Alberto Forti
• Antonia Ghiselli
• Alessandro Italiano
• Davide Salomoni
