VO Support and directions in OMII-UK
Steven Newhouse, Director
Our Mission…
OMII-UK aims to provide software and support to enable a sustained future for
the UK e-Science community and its international collaborators
• Promote the use of good-quality open-source software
• Reduce the risk of moving to the new e-infrastructure world
• Recognise distinct user communities: by domain and by function
Primary Concerns
• Standards driven
• Need to interoperate
• Recognise distinct requirements: end-user, developer, service provider
• Need to federate across multiple containers
• Provide infrastructures that are usable
OMII-UK Job Authorisation, OMII 1.x: Application execution from GRIA
• Defined model enforced by PBAC (Process Based Application Control)
• User registration & account (quota) creation
• Resource allocation for compute and data
• Data in
• Application execution
• Data out
• The application needs to be installed on the machine
OMII-UK Job Authorisation, OMII 2.x: GridSAM
• GridSAM: job submission and job monitoring
• Uses JSDL to define the ‘job’
• Various back-end environments via a ‘DRMConnector’
• Service-specific authorisation: gridmap-like
• Connector-specific authorisation
Within OMII 3.x: within a web service hosting environment
• Tomcat, Axis, WSS4J (WS-Security)
• Authentication is primarily through WS-Security: a digital signature on the incoming message
• The signature MUST be made with a certificate issued by a known CA (the signing certificate must chain to a trusted CA, otherwise the message is rejected)
• Authentication data is made available to the service
• The outgoing message is signed
Need to do better…
• An authorisation policy that can be applied consistently across all services: within a hosting environment, and across a network of hosting environments (e.g. a VO)
• A solution that can be reused: apply policy for portlet access; service-specific policies such as data tables within a database, or queues and processor/memory limits within a job
• Standards driven
Current Prototype
[Architecture diagram; components shown:]
• PERMIS: generates attribute certificates & policy, with PERMIS management GUIs
• Authz Service: SAML 1.1 assertion port type, shown alongside OpenSAML, LDAP and PERMIS
• WS container (Axis) with a handler chain, including the OMIIAuthz handler, in front of a TestService; WS request/response passes through the handlers
• PEP = Policy Enforcement Point (PEPs sit in the handler chain)
Due April 07 - OMII 3.4.0
But what is a VO? About roles, responsibilities and relationships
• Binding: contractual. Non-binding: best-effort
• End-users: dynamic & flexible policy around their needs
• Resource providers: focus on users, on VOs, or on real organisations?
• Usability: critical need for tooling and integration into software
OMII-UK Users
[Diagram of user groups:]
• Applied e-Researchers (applied research domain): casual user (novice or infrequent); intensive user (expert or focused)
• Technology specialists (domain & generic): assemblers of domain components/services/tools; builders of domain components/services/tools; assemblers of generic components/services/tools; builders of generic components/services/tools
• e-Infrastructure providers: VO managers; resource owners; helpdesk & training; system administrators
Emerging Need: Dynamic Service Authorisation
• On job creation, create a job-specific policy
• Steven’s job: he can manipulate & delete it; but the administrator can also delete it
• Steven may also want to allow June to manipulate the job
• Provide an interface to manipulate policies: fine-grained dynamic delegation
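The scenario on this slide as an added worked example (illustrative code written for this page, not OMII-UK, GridSAM or PERMIS code): a policy is minted when the job is created, the submitter gets full control, the administrator role may only delete, and the owner delegates a subset of rights to June through the PEP. The class names, the subject names ('steven', 'june', 'alice', role 'administrator') and the single-hop delegation rule are assumptions made for the demo.

```python
"""Added example (not OMII-UK, GridSAM or PERMIS code): a per-job
authorisation policy created at job submission, with dynamic delegation.
Class and subject names ('steven', 'june', role 'administrator') are
assumptions made for the demo."""
from dataclasses import dataclass, field

MANIPULATE, DELETE, DELEGATE = "manipulate", "delete", "delegate"
ALL_RIGHTS = frozenset({MANIPULATE, DELETE, DELEGATE})


class AuthzError(PermissionError):
    pass


@dataclass
class JobPolicy:
    job_id: str
    owner: str
    grants: dict = field(default_factory=dict)        # subject -> set of rights
    delegated_by: dict = field(default_factory=dict)  # delegatee -> delegator

    @classmethod
    def on_job_create(cls, job_id, owner, admin_role="administrator"):
        """Job-specific policy: the submitter gets full control, the
        administrator role may delete the job but not manipulate it."""
        pol = cls(job_id=job_id, owner=owner)
        pol.grants[owner] = set(ALL_RIGHTS)
        pol.grants[f"role:{admin_role}"] = {DELETE}
        return pol

    def rights_of(self, subject, roles=()):
        rights = set(self.grants.get(subject, set()))
        for role in roles:
            rights |= self.grants.get(f"role:{role}", set())
        return rights

    def delegate(self, delegator, delegatee, rights):
        """Fine-grained delegation: a subset of the delegator's own rights goes
        to delegatee. Rights never grow along the chain; DELEGATE is not passed on."""
        rights = set(rights)
        have = self.rights_of(delegator)
        if DELEGATE not in have:
            raise AuthzError(f"{delegator} may not delegate on {self.job_id}")
        if DELEGATE in rights or not rights <= have:
            raise AuthzError("delegated rights exceed the delegator's rights")
        self.grants.setdefault(delegatee, set()).update(rights)
        self.delegated_by[delegatee] = delegator

    def revoke(self, revoker, subject):
        """Only the job owner or the original delegator may revoke a delegation."""
        if revoker != self.owner and self.delegated_by.get(subject) != revoker:
            raise AuthzError(f"{revoker} may not revoke {subject}")
        self.grants.pop(subject, None)
        self.delegated_by.pop(subject, None)


class PolicyEnforcementPoint:
    """PEP in front of the job service: looks up the job's policy and decides
    each operation; unknown jobs are denied by default."""

    def __init__(self):
        self.policies = {}

    def create_job(self, job_id, owner):
        self.policies[job_id] = JobPolicy.on_job_create(job_id, owner)
        return self.policies[job_id]

    def decide(self, subject, action, job_id, roles=()):
        pol = self.policies.get(job_id)
        return pol is not None and action in pol.rights_of(subject, roles)

    def delete_job(self, subject, job_id, roles=()):
        if not self.decide(subject, DELETE, job_id, roles):
            raise AuthzError(f"{subject} may not delete {job_id}")
        del self.policies[job_id]   # the policy dies with the job: no orphaned grants


def demo():
    """Walks through the scenario on the slide; returns the decisions made."""
    pep = PolicyEnforcementPoint()
    pol = pep.create_job("job-42", "steven")
    admin = {"roles": ["administrator"]}
    r = {}
    r["steven_manipulate"] = pep.decide("steven", MANIPULATE, "job-42")
    r["admin_delete"] = pep.decide("alice", DELETE, "job-42", **admin)
    r["admin_manipulate"] = pep.decide("alice", MANIPULATE, "job-42", **admin)
    r["june_before"] = pep.decide("june", MANIPULATE, "job-42")
    pol.delegate("steven", "june", {MANIPULATE})          # Steven lets June manipulate
    r["june_after"] = pep.decide("june", MANIPULATE, "job-42")
    r["june_delete"] = pep.decide("june", DELETE, "job-42")
    try:
        pol.delegate("june", "bob", {MANIPULATE})         # June cannot re-delegate
        r["june_redelegate"] = True
    except AuthzError:
        r["june_redelegate"] = False
    pol.revoke("steven", "june")
    r["june_revoked"] = pep.decide("june", MANIPULATE, "job-42")
    pep.delete_job("alice", "job-42", **admin)            # administrator deletes the job
    r["after_delete"] = pep.decide("steven", MANIPULATE, "job-42")
    return r
```

Two design points matter for the "fine grained dynamic delegation" on the slide: the delegator can only hand out rights it holds itself (so a delegation interface cannot be used for privilege escalation), and the policy is destroyed together with the job, so an administrator's delete leaves no grants behind that a later job with the same identifier could inherit.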
Other gaps in AAA…
• The third ‘A’ – Accounting: looking at RUS & UR options; account (quota) solution from GRIA; applying for an account (e.g. GAMA, PURSe)
• The silent ‘A’ – Audit
• Attribute management: VOMS; standards?
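An added worked example for the accounting gap on this slide and for the account (quota) creation and resource allocation steps of the OMII 1.x flow earlier in the deck (illustrative code written for this page; it is not GRIA's account/quota implementation and not an OGF UR/RUS client): an account carries a quota per resource, a job reserves its request at submission so concurrent jobs cannot jointly overrun the quota, and completion charges actual consumption, emits a usage record and leaves an audit trail. The resource names, record layout and event names are assumptions.

```python
"""Added example (not GRIA, RUS or UR code): an account with a quota,
reservation of resources at job submission, and a usage record with an
audit trail at completion. Field names and record layout are assumptions."""
from dataclasses import dataclass, field


class QuotaExceeded(Exception):
    pass


@dataclass
class Account:
    owner: str
    quota: dict                                       # resource -> allowed total
    used: dict = field(default_factory=dict)          # resource -> charged so far
    reservations: dict = field(default_factory=dict)  # job_id -> requested

    def available(self):
        """Quota minus what is already charged and what is still reserved
        by running jobs, per resource."""
        avail = {}
        for res, limit in self.quota.items():
            reserved = sum(r.get(res, 0.0) for r in self.reservations.values())
            avail[res] = limit - self.used.get(res, 0.0) - reserved
        return avail


class Accounting:
    """Accounts, reservations and usage records; every decision is audited."""

    def __init__(self):
        self.accounts = {}
        self.usage_records = []   # one record per completed job
        self.audit = []           # append-only audit log

    def _log(self, event, **details):
        self.audit.append({"event": event, **details})

    def open_account(self, owner, **quota):
        self.accounts[owner] = Account(owner, dict(quota))
        self._log("account.created", owner=owner, quota=dict(quota))
        return self.accounts[owner]

    def reserve(self, owner, job_id, **requested):
        """Resource allocation at submission: reserve the request so that
        several concurrent jobs cannot jointly overrun the quota."""
        acct = self.accounts[owner]
        avail = acct.available()
        short = {r: v for r, v in requested.items() if v > avail.get(r, 0.0)}
        if short:
            self._log("allocation.denied", owner=owner, job_id=job_id, short=short)
            raise QuotaExceeded(f"{owner}: {job_id} exceeds remaining quota on {sorted(short)}")
        acct.reservations[job_id] = dict(requested)
        self._log("allocation.granted", owner=owner, job_id=job_id, requested=dict(requested))

    def settle(self, owner, job_id, **actual):
        """Job completion: release the reservation, charge what was actually
        consumed and emit a usage record. Consumption beyond the reservation
        is charged too, and flagged: it means the job-level limits that
        should have enforced the allocation did not hold."""
        acct = self.accounts[owner]
        reserved = acct.reservations.pop(job_id)
        for res, amount in actual.items():
            acct.used[res] = acct.used.get(res, 0.0) + amount
        overrun = {r: actual[r] - reserved.get(r, 0.0)
                   for r in actual if actual[r] > reserved.get(r, 0.0)}
        rec = {"job_id": job_id, "owner": owner, "charged": dict(actual), "overrun": overrun}
        self.usage_records.append(rec)
        self._log("usage.recorded", **rec)
        return rec


def demo():
    """Constructed scenario: a 100 CPU-hour / 50 GB account, one job that
    overruns its storage reservation, and a second job denied on CPU."""
    acc = Accounting()
    acc.open_account("steven", cpu_hours=100.0, storage_gb=50.0)
    out = {}
    acc.reserve("steven", "job-1", cpu_hours=60.0, storage_gb=10.0)
    out["avail_after_reserve"] = acc.accounts["steven"].available()
    try:
        acc.reserve("steven", "job-2", cpu_hours=50.0, storage_gb=5.0)  # 50 > 40 left
        out["job2_granted"] = True
    except QuotaExceeded:
        out["job2_granted"] = False
    rec = acc.settle("steven", "job-1", cpu_hours=45.5, storage_gb=12.0)
    out["overrun"] = rec["overrun"]
    out["avail_after_settle"] = acc.accounts["steven"].available()
    out["audit_events"] = [e["event"] for e in acc.audit]
    return out
```

The audit log is what makes the silent ‘A’ visible: a denied allocation and a flagged overrun are both recorded as events, so a provider can later answer who consumed what against which quota, and spot jobs whose enforcement at the resource did not match the allocation that was granted.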
Summary
• Manage authorisation policies across services; pick up on existing standards & tools
• Accounting (use against quota) is important
• Authorisation infrastructure: user registration & account generation
• Think about the stakeholders in the system
• OMII-UK is currently a non-GSI world, but out-of-band use is possible through MyProxy
• Emerging need for dynamic policies & VOs
Where next… For further information, project lists, etc:
• Web: www.omii.ac.uk
• Downloads: OMII 3.2.0 released last week
• Calls: Portlets & GridAPIs
For further questions, support issues, etc: Mail: [email protected]
For me: Mail: [email protected]