EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks
A VO-Oriented AuthN/AuthZ Approach
Vincenzo Ciaschini
EGEE 2nd User Forum
Manchester, 9-11 May, 2007
2nd EGEE User Forum (9-11/5/07) 2
Problem Statement
User AuthN/AuthZ management on the grid is rapidly changing and evolving:
– VOs define/use/modify groups and roles.
– VOs require different execution priorities for different users.
– VOs require dedicated resources for specific users in delicate periods (see Data Challenges, etc.).
– Funding agencies can force constraints affecting resource allocations.
– Sites may want to enforce site-specific policies.
An AuthN/AuthZ infrastructure
[Diagram: the WMS, CE and SE ask the AA (attribute authority) "Hi AA! Can you give me all my groups/roles membership?" and the PDP (policy decision point) "Hi PDP! Can you give me all policies concerning group/roles of the user?"; the AA answers with groups/roles, the PDP with policies.]

Policies held by the PDP:
GROUP              WHERE              HOW            WHEN
/atlas/production  Tier1s             HIGH PRIORITY  May 2007
/atlas             Tier1s and Tier2s  MID PRIORITY   ANY
/atlas/students    Tier2s             LOW PRIORITY   ANY

Memberships held by the AA:
USER                  GROUP
O=INFN/CN=John Smith  /atlas/production
...                   ...
VOMS (AA) / G-PBox (PDP)
[Diagram: on the VO side, the user deals with VOMS and a VO G-PBox; on the site side, a site G-PBox serves the CEs. The WMS carries a G-PBox plugin and each CE a G-PBox LCAS plugin.]
Policy classification
• Site policies (originated by sites)
  – Ban-list
  – …
• VO policies (originated by VOs)
  – Intra-VO priorities
  – …
Site policies: Ban lists
• Banning users:
  – The site admin writes a policy banning a user or a group.
  – The ban policy gets communicated back to the VO G-PBox.
  – Whenever a job is sent to WMS, policy evaluation happens and resources where the user is banned do not receive the job.
[Diagram: Site G-PBox → VO G-PBox → WMS, which routes the job.]
VO policies: Intra-VO priorities (1/2)
• Step 1:
  – Define a set of shares on CEs which implement the required priorities.
  – Publish into the IS the shares that are supported (without publishing details, i.e. policies, about how they are used).
  – This has already been solved and implemented!
• Step 2:
  – Send a Job to a CE which implements the correct share.
  – Let the CE map the job on the correct share.
VO policies: Intra-VO priorities (2/2)
• Mapping jobs to shares: a G-PBox solution.
  – The VO writes policies mapping VO groups into share names.
  – The sites write policies mapping share names into actual batch system shares.
  – The VO sends their mapping policies to the site. The two get combined.
  – Whenever a job is sent to a CE, evaluation happens and the job is mapped to the right account.
[Diagram: VO G-PBox → Site G-PBox → CE, which receives the job.]
G-PBox and CE
[Diagram: a job from /atlas/analysis arrives at the CE; the Atlas policies map the group to the ACBR "analysis", the site policies map that ACBR to the Unix ID atlas_mid, and the job lands in the matching LSF queue.]

Atlas Policies (dynamic)
Atlas group        ACBR
/atlas/production  production
/atlas/analysis    analysis
/atlas/students    students

Site Policies (almost static)
ACBR        Unix ID
production  atlas_high
analysis    atlas_mid
students    atlas_low
G-PBox and WMS
[Diagram: the ATLAS WMS layer, through its G-PBox plugin, asks the VO G-PBox which ACBR a job from /atlas/analysis requires (answer: "analysis") and then matches the job only against ATLAS CEs that advertise that ACBR, skipping CEs that advertise only "students".]

Atlas Policies (dynamic)
Atlas group        ACBR
/atlas/production  production
/atlas/analysis    analysis
/atlas/students    students
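The two-level evaluation described on the "Intra-VO priorities" and "G-PBox and CE/WMS" slides, as an added example that is not part of the original presentation or of the G-PBox code: VO policies map VOMS groups to an ACBR (share name), site policies map the ACBR to a local Unix ID, and a site ban list is honoured both at the WMS (CE selection) and at the CE (final mapping). CE names and the ban entries are constructed; the policy tables follow the slides.

```python
# VO policies (dynamic): VOMS group -> ACBR (share name), as in the slides' Atlas tables.
VO_POLICIES = {
    "/atlas/production": "production",
    "/atlas/analysis": "analysis",
    "/atlas/students": "students",
}

# Site policies (almost static): per CE, ACBR -> local Unix ID. CE names are constructed.
SITE_POLICIES = {
    "ce1.site-a.example": {"production": "atlas_high",
                           "analysis": "atlas_mid", "students": "atlas_low"},
    "ce2.site-b.example": {"analysis": "atlas_mid", "students": "atlas_low"},
}

# Site ban lists (constructed): entries are user DNs or VOMS groups.
SITE_BANS = {
    "ce1.site-a.example": set(),
    "ce2.site-b.example": {"/atlas/students"},
}


def select_acbr(user_groups, vo_policies=VO_POLICIES):
    """VO-side evaluation: the user's most specific group with a policy picks the share."""
    matches = [g for g in user_groups if g in vo_policies]
    return vo_policies[max(matches, key=len)] if matches else None


def is_banned(dn, user_groups, bans):
    """A ban matches the user's DN or any group the user belongs to."""
    return dn in bans or any(g in bans for g in user_groups)


def wms_candidate_ces(dn, user_groups):
    """WMS-side evaluation: drop CEs that ban the user or lack the share they need."""
    acbr = select_acbr(user_groups)
    return sorted(ce for ce, shares in SITE_POLICIES.items()
                  if acbr in shares and not is_banned(dn, user_groups, SITE_BANS[ce]))


def ce_map_job(ce, dn, user_groups):
    """CE-side evaluation: combine VO and site policies into the local account."""
    if is_banned(dn, user_groups, SITE_BANS[ce]):
        raise PermissionError(f"{dn} is banned at {ce}")
    acbr = select_acbr(user_groups)
    if acbr is None or acbr not in SITE_POLICIES[ce]:
        raise LookupError(f"no share for {user_groups} at {ce}")
    return SITE_POLICIES[ce][acbr]
```

A user whose only group is /atlas gets no share here; the slides' PDP table gives /atlas a MID PRIORITY policy, so a real VO would add such a fallback entry.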
Advantages
• VO policies management
  – If VO admins want to change the relative priorities of different groups, all they need to do is change their policy in their VO; everything else is done by the system.
• Site independence and privacy
  – Sites do not need to publish (e.g. in the BDII) the details of their internal setup.
  – Sites are free to change their site-specific policies according to local constraints and rules.
Screenshots
The Team
• Vincenzo Ciaschini
• Andrea Ferraro
• Alberto Forti
• Antonia Ghiselli
• Alessandro Italiano
• Davide Salomoni