
VO Support and directions in OMII-UK Steven Newhouse, Director.

Date post: 28-Mar-2015
Upload: abigail-boyle
Page 1

VO Support and directions in OMII-UK

Steven Newhouse, Director

Page 2

Our Mission…

OMII-UK aims to provide software and support to enable a sustained future for the UK e-Science community and its international collaborators

• Promote the use of good-quality open-source software
• Reduce the risk of moving to new e-infrastructure world
• Recognise distinct user communities: by domain and function

Page 3

Primary Concerns

• Standards driven
• Need to interoperate
• Recognise distinct requirements
  • End-user
  • Developer
  • Service Provider
• Need to federate across multiple containers
• Provide infrastructures that are usable

Page 4

OMII-UK Job Authorisation

OMII 1.x: Application execution from GRIA

• Defined model enforced by PBAC
• PBAC: Process Based Application Control
• User registration & account (quota) creation
• Resource allocation for compute and data
• Data in
• Application execution
• Data out
• Application needs to be installed on the machine

Page 5

OMII-UK Job Authorisation

OMII 2.x: GridSAM

• GridSAM: Job Submission and Job Monitoring
• Uses JSDL to define the ‘job’
• Various back end environments: ‘DRMConnector’
• Service specific Authorisation
  • gridmap like
• Connector specific Authorisation

Page 6

Within OMII 3.x

• Within a web service hosting environment
  • Tomcat, Axis, WSS4J (WS-Security)
• Primarily Authentication through WS-Security
  • Digital Signature on a signed message
  • Signature MUST be signed by a certificate from a known CA
  • Authentication data available to the service
  • Outgoing message signed

Page 7

Need to do better…

• An Authorisation policy that can be applied consistently across all services
  • Within a hosting environment
  • A network of hosting environments (e.g. VO)
• A solution that can be reused:
  • Apply policy for portlet access
  • Service specific policies:
    • Data tables within a database
    • Queues or processor/memory limits within a job
• Standards driven

Page 8

Current Prototype

• PERMIS: Generate Attribute Certs & Policy
• Authz Service: SAML 1.1 Assertion port type

[Diagram labels: WS Request/Response, WS Container, AXIS Handlers, TestService, OMIIAuthz, OpenSAML, LDAP, PERMIS, Management GUIs, PEP]

• PEP = Policy Enforcement Point
• Due April 07 - OMII 3.4.0

Page 9

But what is a VO?

• About roles, responsibilities and relationships
  • Binding: Contractual
  • Non-Binding: Best-effort
• End-users: Dynamic & flexible policy around their needs
• Resource Providers: Focus on users or VOs or real organisations?
• Usability: Critical need for tooling and integration into software

Page 10

OMII-UK Users

[Diagram: three groups of users]

• Applied e-Researchers (Applied Research Domain)
  • Casual User (Novice or Infrequent)
  • Intensive User (Expert or Focused)
• Technology Specialists, domain & generic (Technologists)
  • Assemblers of domain Components/Services/Tools
  • Builders of domain Components/Services/Tools
  • Assemblers of generic Components/Services/Tools
  • Builders of generic Components/Services/Tools
• e-Infrastructure Providers (Providers)
  • VO Managers
  • Resource Owners
  • Helpdesk & Training
  • System Administrators

Page 11

Emerging Need: Dynamic Service Authorisation

• On job creation create a job specific policy
  • Steven’s job – he can manipulate & delete it
  • But, the administrator can also delete it.
• But Steven may also want to allow June to be able to manipulate the job
• Provide an interface to manipulate policies
• Fine grained dynamic delegation
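
The job-specific policy this slide describes, as an added Python example (not OMII-UK code and not from the presentation): a policy is created with the job, the owner can manipulate and delete it, the administrator can only delete it, and the owner can delegate "manipulate" to June. The class, method and action names are assumptions made for illustration.

```python
# Added example: per-job policy created at job creation, with owner delegation.
# All class, method and action names here are hypothetical, not OMII-UK APIs.
OWNER_ACTIONS = {"manipulate", "delete", "delegate"}

class JobPolicyStore:
    def __init__(self, administrators):
        self.administrators = set(administrators)
        self.policies = {}  # job_id -> {subject: set of granted actions}

    def create_job(self, job_id, owner):
        # The policy is created together with the job: the owner gets full rights.
        self.policies[job_id] = {owner: set(OWNER_ACTIONS)}

    def is_permitted(self, subject, action, job_id):
        policy = self.policies.get(job_id)
        if policy is None:
            return False  # unknown or deleted job: default deny
        if subject in self.administrators and action == "delete":
            return True  # administrators may delete any job, nothing more
        return action in policy.get(subject, set())

    def delegate(self, grantor, grantee, action, job_id):
        # A grantor can pass on only an action it holds itself, and the right
        # to delegate is never passed on, so grants cannot chain.
        if action == "delegate" or not (
            self.is_permitted(grantor, "delegate", job_id)
            and self.is_permitted(grantor, action, job_id)
        ):
            raise PermissionError(f"{grantor} may not delegate {action} on {job_id}")
        self.policies[job_id].setdefault(grantee, set()).add(action)

    def revoke(self, grantor, grantee, action, job_id):
        if not self.is_permitted(grantor, "delegate", job_id):
            raise PermissionError(f"{grantor} may not revoke on {job_id}")
        self.policies[job_id].get(grantee, set()).discard(action)

    def delete_job(self, subject, job_id):
        if not self.is_permitted(subject, "delete", job_id):
            raise PermissionError(f"{subject} may not delete {job_id}")
        del self.policies[job_id]  # the job-specific policy dies with the job

if __name__ == "__main__":
    store = JobPolicyStore(administrators={"administrator"})
    store.create_job("job-1", owner="steven")
    store.delegate("steven", "june", "manipulate", "job-1")
    for who in ("steven", "june", "administrator"):
        print(who, {a: store.is_permitted(who, a, "job-1") for a in sorted(OWNER_ACTIONS)})
```

The delegation check is the part that matters for "fine grained dynamic delegation": June receives exactly one action and cannot pass it on, and every decision for a deleted job falls back to deny.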

Page 12

Other gaps in AAA…

• The third ‘A’ – Accounting
  • Looking at RUS & UR options
  • Account (quota) solution from GRIA
  • Applying for an account (e.g. GAMA, PURSe)
• The silent ‘A’ – Audit
• Attribute Management
  • VOMS
  • Standards?

Page 13

Summary

• Manage authorisation policies across services
• Accounting (use against quota) is important
• Pick up on existing standards & tools
  • Authorisation infrastructure
  • User registration & account generation
• Think about the stakeholders in the system
• OMII-UK currently a non-GSI world
  • But out-of bound use through MyProxy
• Emerging need for dynamic policies & VOs

Page 14

Where next…

• For further information, project lists, etc:
  • Web: www.omii.ac.uk
  • Downloads: OMII 3.2.0 released last week.
  • Calls: Portlets & GridAPIs
• For further questions, support issues, etc:
  • Mail: [email protected]
• For me:
  • Mail: [email protected]

