Scaling Account Creation and Management through the TeraGrid User Portal

Contact: Eric Roberts (ericrobe@tacc.utexas.edu)

Motivation

A* workshop August 30-31, 2006
– Clear that the process of acquiring and managing a TeraGrid account needs to be restructured
– Time and resources it takes to get a new user many different resource accounts has exceeded scalability limits.

It has become clear that extending the User Portal to provide account management functionality is of paramount importance in order to effectively scale access to TeraGrid resources.

Policy document being written by User Portal group that describes the plan for
– reducing the number of accounts per user
– eliminating paper snail-mail
– utilizing the TeraGrid User Portal as a centralized tool for performing TeraGrid-wide account management.

Current Account Creation and Management

For a PI to request a new TeraGrid project and get access to TeraGrid resources they must do the following:

1. PI requests allocation through POPS
2. Allocation gets approved, user(s) vetted
3. New project and accounts are created
   1. AMIE packets are sent to the TGCDB and RP sites
   2. NCSA creates a portal account for the user immediately
   3. An NCSA DN is automatically generated for the user and put into mapfile of TeraGrid MyProxy service as well as propagated to all RP resources for entry in those grid mapfiles.
   4. RPs create local accounts asynchronously (~5 days)
4. Once all accounts are created, the PI is mailed all the user logins
   1. The mail packet lists the default usernames and passwords for password enabled systems
   2. The PI is responsible for distributing paperwork to co-PIs
   3. For systems that require public SSH keys users are instructed to send their public SSH keys to [email protected]

Proposal

The proposed changes are a significant shift from the current account management model, so we have documented a 3-phase work plan to ensure a smooth, gradual transition.

Document and timeline are available on wiki: http://www.teragridforum.org/mediawiki/index.php?title=Scaling_TeraGrid_Access_Through_the_User_Portal

Phase 1 - single signon access using myproxy and gsissh
Phase 2 - Migrate all account management to TeraGrid User Portal
Phase 3 - Introduce finer grained access through User Portal and eliminate snail mail

Phase 1: Single Sign-on Access to TG Resources

Goal
– Introduce Single Sign-on Method for accessing TG resources

Description
– This phase primarily involves writing/updating the documentation on the website/User Portal to provide instructions for users to use myproxy and gsissh for single sign-on ssh access across TG resources

User is able to login to any TG resource but only provides username/password once:
– User logs into TG system
– Execute myproxy-logon to retrieve short lived credential from MyProxy Credential Service
  • This is where the user provides their user portal username and password
– Execute gsissh to authenticate to any TG resource where user has an account and an NCSA DN** mapped to that account

**NCSA is not a requirement but will be provided to all users by default

This process is completely independent from the User Portal!!!
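The gsissh step only succeeds on resources whose grid mapfile maps the user's DN to a local account, and the account creation process relies on that DN being propagated to every RP. The following added example (not part of the original slides or of any TeraGrid tooling) audits that propagation; it assumes the usual grid-mapfile line format of a quoted DN followed by comma-separated local accounts, and the site names, DN and account names are constructed for illustration.

```python
import shlex

# Constructed sample grid-mapfiles for three hypothetical RP sites.
# The DN and the account names are invented for this example.
DN = "/C=US/O=Example Grid CA/CN=Jane Doe"
SITE_MAPFILES = {
    "site-a": '# site-a grid-mapfile\n"/C=US/O=Example Grid CA/CN=Jane Doe" jdoe\n',
    "site-b": '"/C=US/O=Example Grid CA/CN=Jane Doe" jdoe,tg-jdoe\n'
              '"/C=US/O=Example Grid CA/CN=John Roe" jroe\n',
    "site-c": '"/C=US/O=Example Grid CA/CN=John Roe" jroe\n',
}


def parse_gridmap(text):
    """Parse grid-mapfile text into {DN: [local accounts]}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted DN, which contains spaces
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping.setdefault(dn, []).extend(a for a in accounts.split(",") if a)
    return mapping


def audit_dn(dn, site_mapfiles):
    """Per site: local accounts the DN maps to, or [] if the DN was never propagated."""
    return {site: parse_gridmap(text).get(dn, [])
            for site, text in site_mapfiles.items()}


def missing_sites(dn, site_mapfiles):
    """Sites where this DN has no account mapping, so single sign-on cannot work."""
    return sorted(s for s, accts in audit_dn(dn, site_mapfiles).items() if not accts)


if __name__ == "__main__":
    for site, accts in audit_dn(DN, SITE_MAPFILES).items():
        print(site, "->", ", ".join(accts) or "DN NOT MAPPED")
    print("missing:", missing_sites(DN, SITE_MAPFILES))
```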

Phase 2: All Account Management Through User Portal

Goals
– Migrate All Account Management to TeraGrid User Portal
– Make portal password resetting easier (more automated)

Description
– This phase pertains mostly to adding account management capability to the TeraGrid User Portal such that users can handle any and all RP resource account management tasks through a single web interface.
  • changing RP system password
  • propagate an SSH public key
  • propagate a DN to all resources

Changes in new account creation process
– User receives packet through snail mail immediately (2-3 days after approval) containing only user portal username/password
– User receives and manages RP system accounts through User Portal

Phase 3: Eliminate “Snail-Mailing” of Account Information

Goal
– Introduce trusted and un-trusted User Portal accounts and eliminate snail mail

Description
– Potential users create untrusted portal account, which has limited access to requesting allocations through POPS
– Once allocations approved/user vetted, system account creation process begins and portal account is now trusted
– User has full access to User Portal including the account management features introduced in Phase 2
– Add user process modifications
  • Potential user creates untrusted portal account
  • User logs into portal and requests their account be added to a particular project
  • PI/co-PI/allocation manager approves/denies request
  • If approved, portal account becomes trusted and RP account creations begin
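The add-user process above amounts to two authorization gates: who may approve a join request, and what an untrusted account may do. The following is an added sketch of those gates, not code from the original slides or the User Portal; the class and method names, the "member" role and the queue of pending RP account creations are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Roles named on the slide as able to approve or deny a join request.
APPROVER_ROLES = {"PI", "co-PI", "allocation manager"}


@dataclass
class Account:
    username: str
    trusted: bool = False          # every new portal account starts untrusted


@dataclass
class Project:
    name: str
    roles: dict                    # username -> role on this project
    pending: set = field(default_factory=set)


class Portal:
    def __init__(self):
        self.rp_queue = []         # (username, project) awaiting RP account creation

    def request_join(self, account, project):
        """Allowed for untrusted accounts: ask to be added to a project."""
        project.pending.add(account.username)

    def decide(self, approver, account, project, approve):
        """Only a trusted PI/co-PI/allocation manager of this project may decide."""
        role = project.roles.get(approver.username)
        if not approver.trusted or role not in APPROVER_ROLES:
            raise PermissionError(f"{approver.username} may not approve for {project.name}")
        if account.username not in project.pending:
            raise LookupError("no pending request from this account")
        project.pending.discard(account.username)
        if approve:
            account.trusted = True
            project.roles[account.username] = "member"   # assumed non-approver role
            self.rp_queue.append((account.username, project.name))
        return account.trusted

    def manage_rp_account(self, account, action):
        """Phase 2 features (password, SSH key, DN) require a trusted account."""
        if not account.trusted:
            raise PermissionError("untrusted accounts cannot manage RP accounts")
        return f"{action} accepted for {account.username}"
```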

Timeline

For More Details…

Please send questions and comments to [email protected]

Policy document still in draft form available on wiki: http://www.teragridforum.org/mediawiki/index.php?title=Scaling_TeraGrid_Access_Through_the_User_Portal