Using the Virtual Organisation Management portal to manage policy within Globus Toolkit, Community Authorisation Service and ICENI resources Asif Saleem, Marko Krznaric, Jeremy Cohen, Steven Newhouse, John Darlington



Overview

• Using Virtual Organisation Management (VOM) portal

• How VOM portal can be utilised for

– Managing Globus Toolkit enabled resources

– Configuring Community Authorisation Service

– Administering ICENI

• Related Work

• Conclusions


Why do we need VO Management?

• VOs consist of

– a dynamic set of distributed resources

– a distributed user base

– a distributed management infrastructure


Contd…

• VOs need to provide services for

– user authentication and authorisation

– defining and enforcing access control and usage policies

• Every project is having to develop its own customised VO management setup

• Need to replace current manual processes, which do not scale well

» policy-based automated systems


Virtual Organisation Management (VOM) portal

• Portal for remote VO management.

• Grid service to download and upload information into the VOM database.

• Client tools to interact with the service through Grid Security Infrastructure (GSI) authenticated network connections.

• VOM Portal facilitates

– User registration into VO using grid certificates.

– Resource Access Control

– Resource Usage Accounting and Reporting.


VOM Roles

• Ordinary users belonging to a VO/community & wanting to use grid resources.

• Resource managers wanting to make their grid enabled machines accessible to a VO/community.

• Administrators of a VO managing access control & monitoring usage of constituent users & resources.


VOM Usage: User

• Precondition: should have a certificate issued by a CA accepted by the VO.

• Registers with VO

– Request propagated to VO Admin and, on approval, to respective resource managers for account creation.

• Views his usage log on the web.

• Does not need to chase each site/resource in the VO and sign separate usage policy forms.


VOM Usage: Resource Manager

• Precondition:

– Should have a certificate issued by a CA accepted by the VO.

– Manages/owns a grid-enabled resource

• Set up access control and logging capability by deploying the client on his grid-enabled resource.

• Approve/Reject/Disable user access.

• Can view own usage stats/graphs.


VOM Usage: VO Administrator

• Precondition:

– should have a certificate issued by a CA accepted by the VO.

• Approve user enrolment requests through web page.

• Manage constituent resources.

• Monitor usage of various users/resources or the whole VO.

• View stats/graphs of historical VO usage.


User Interface Workflow


VOM Implementation

• Server

– Java servlets hosted in Tomcat container

– GT3 based web service

– Apache with mod_jk Tomcat support

• Client

– Java based

– Connects to web service using secure (GSI) connection


Managing Globus Toolkit enabled resources

• Resource access control – through automated grid-map file management

• Resource Usage Logging and Reporting – through the instrumented job-managers provided

• Resource owner needs to set up the respective clients, which connect to the VOM server over a secure connection
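Automated grid-map file management is the point where VO policy becomes local authorisation on the resource, so the client that rewrites the file is security-critical. The following Python sketch is an added illustration, not VOM's own client code: it assumes the VOM server returns a dictionary of approved DN to local account over the GSI connection, keeps the resource owner's own entries untouched by confining VOM's entries to a BEGIN/END comment block (a convention invented here), refuses DNs and account names that could not be safely written, and uses constructed sample data.

```python
import re

# Globus grid-mapfile line: quoted certificate DN, whitespace, local account(s).
LINE_RE = re.compile(r'^\s*"(?P<dn>/[^"]+)"\s+(?P<users>\S+)\s*$')
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
BEGIN, END = "# BEGIN VOM-managed entries", "# END VOM-managed entries"
NEVER_MAP_TO = {"root"}  # assumption: VO enrolments never map to privileged accounts

def split_gridmap(text):
    """Split into (owner_lines, managed_entries) around the BEGIN/END markers."""
    owner, managed, inside = [], [], False
    for line in text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif inside:
            m = LINE_RE.match(line)
            if not m:
                raise ValueError(f"malformed managed entry: {line!r}")
            managed.append((m["dn"], m["users"]))
        else:
            owner.append(line)  # resource owner's own lines pass through unchanged
    if inside:
        raise ValueError("unterminated VOM-managed block")
    return owner, managed

def reconcile(current_text, approved):
    """Rebuild the managed block from approved {dn: local_user}; a disabled DN drops out."""
    owner, _ = split_gridmap(current_text)
    owner_dns = {m["dn"] for m in map(LINE_RE.match, owner) if m}
    block = [BEGIN]
    for dn in sorted(approved):
        user = approved[dn]
        if not dn.startswith("/") or '"' in dn or "\n" in dn:
            raise ValueError(f"unsafe DN from VOM server: {dn!r}")
        if not USER_RE.fullmatch(user) or user in NEVER_MAP_TO:
            raise ValueError(f"refusing mapping {dn!r} -> {user!r}")
        if dn not in owner_dns:  # an owner-maintained mapping takes precedence
            block.append(f'"{dn}" {user}')
    block.append(END)
    return "\n".join(owner + block) + "\n"

# Constructed sample: bob's enrolment has been disabled, carol's approved.
CURRENT = '''# maintained by the resource owner
"/C=UK/O=eScience/OU=Imperial/CN=local admin" admin
# BEGIN VOM-managed entries
"/C=UK/O=eScience/OU=Imperial/CN=alice" vo01
"/C=UK/O=eScience/OU=Imperial/CN=bob" vo02
# END VOM-managed entries
'''
APPROVED = {"/C=UK/O=eScience/OU=Imperial/CN=alice": "vo01",
            "/C=UK/O=eScience/OU=Imperial/CN=carol": "vo03"}
```

Write the returned text to a temporary file in the same directory and rename it over the live grid-mapfile, so the gatekeeper never reads a half-written mapping.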


Resource Access Control



Resource Usage Service



Configuring Community Authorisation Service

• Allows resource providers to specify fine-grained access control for the community rather than individual users

– Community manages itself

• grid-proxy-init => cas-proxy-init


Configuring CAS

• CAS lacks a web interface for configuring a VO's trust relationships

• VOM provides a source of authenticated & authorised users

• The VO admin uses CAS to setup the VO's trust relationships (e.g. adding new users and objects) and to grant them fine-grained access control to the VO's resources.


Administering ICENI

• Each resource running ICENI has a

– Domain Manager: implements fine-grained access control policies relating to the resources in the private administrative domain

– Policy Manager: used to define access control policy at role, group, organisation or individual user level

– Identity Manager: used to authenticate users accessing resources, and authorise them against the access policy defined by the resource


ICENI Architecture

(Architecture diagram. Labelled components: Resource Manager, Policy Manager, Identity Manager, Domain Manager, Resource Broker, Resource Browser, Application Design Tools, Component Design Tools, Application Mapper, Web Services Gateway, Application Portal, each carrying CR/SR markers. Regions: a Private Administrative Domain containing a Private Computational Resource (Software Resources, Network Resources, Storage Resources, backed by JavaCoG and Globus), two Public Computational Communities, and a gateway between the private and public regions.)


Contd…

• ICENI Role Management GUI

• VOM Admin can also switch roles/groups a user belongs to within ICENI.

– Needs an ICENI plugin installed on the VOM server.


Related Work

• VOMS

• CAS

• GUMS

• PERMIS

• Akenti


Virtual Organisation Membership Service (VOMS)

• Developed for DataTAG by INFN and for DataGrid by CERN

• Database of user roles and capabilities

– Administrative tools

– Client interface

• voms-proxy-init

– Uses client interface to produce an attribute certificate (instead of proxy) that includes roles & capabilities signed by VOMS server

– Works with non-VOMS services, but gives more info to VOMS-aware services

• Allows VOs to centrally manage user roles and capabilities


VOMS Shortcomings

– Lacks web interface for user/resource registration

– Only maintains certificate DNs & their associated group info

• Lacks any other info, e.g. personal info, usage logs

• Does not collect any resource-specific, site-specific data

– Additional attributes in certificates do not conform to any standard => only VOMS-enabled software can use them.

– Extensions planned @

• EU Data Grid / LCG

– Local Centre Authorisation Service (LCAS)

– Local Credential MAPping Service (LCMAPS)

– Java based Trust Manager

• FermiLab as part of US CMS, SDSS, and iVDGL projects

– VOM Registration Server (VOM RS)

– VOMS eXtension (VOX) e.g. Site AuthoriZation (SAZ) and Local Resource Authorization Service (LRAS)


VOM comparison with VOMS

• VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc.

• Both provide grid-map file management capability through slightly different ways

• VOM does not provide attribute certificate generation capability


Community Authorisation Service (CAS)

• v1.0 released with Globus Toolkit version 3.2

• Allows resource providers to specify fine-grained access control for the community rather than individual users

– Community manages itself

• grid-proxy-init => cas-proxy-init


CAS Shortcomings

• Functional

– Lacks web front-end for user registration

– Does not contain any info apart from DN, access rights

– Resource logging & account mapping gets complicated due to the use of a totally new DN by CAS

• Non-Functional

– Takes ultimate control away from site/resource owners, which is not practical in real world scenarios

– Built on top of Grid Security Infrastructure (GSI), hence dependency on Globus.

– Royalty-free license from RSA needed to use it in other projects

– Currently only a customised version of grid-ftp (supplied with CAS distribution) supports CAS credentials

– Hard to install & configure, and more a prototype than a production-ready system as claimed


VOM comparison with CAS

• VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc.

• Both provide resource access control management mechanisms

– VOM through grid-map file management

– CAS by abstracting the grid identities (i.e. user certificates) and using the community identities at resources as access control mechanisms

• VOM does not provide new proxy certificate generation capability like CAS.


Grid User Management System (GUMS)

• US Atlas Grid

• Provides user registration facility.

• Shortcomings

– Lacks a web interface for user/resource registration, currently through email.

(Diagram labels: VO User Registry Database (VO #2, VO #3 …), Site User Info Database, Site, grid-mapfile, Pull, cron job.)


PrivilEge and Role Management Infrastructure Standards Validation (PERMIS)

• Privilege Management Infrastructure (PMI) which uses attribute certificates conforming to the X.509 standard

• Policy driven engine accessible through a Java API; uses LDAP to store policies and attribute certificates

• Policies are written in XML

PERMIS API Implementation (diagram)

– AEF = (application dependent) Access control Enforcement Function

– ADF = (application independent) Access control Decision Function

– Labels: Target; Present Access Request; Access Request; Decision Request (e.g. DN + Access Request); Decision (e.g. Grant/Deny); LDAP Directories; Retrieve Policy and Role ACs; Role, Action, Target; Admin approve User rights page.
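As an added illustration of the AEF/ADF split in the diagram above (not PERMIS's API, policy schema or code), the following Python sketch uses an invented XML policy layout, a constructed dictionary standing in for the role attribute certificates an ADF would retrieve from LDAP, and a role hierarchy so that the decision function stays application independent and deny-by-default.

```python
import xml.etree.ElementTree as ET

# Constructed policy in an invented schema (NOT PERMIS's real policy XML):
# a role hierarchy plus Role/Action/Target permissions, deny by default.
POLICY_XML = """
<policy>
  <roles>
    <role name="vo-member"/>
    <role name="vo-manager" inherits="vo-member"/>
    <role name="vo-admin" inherits="vo-manager"/>
  </roles>
  <permissions>
    <permit role="vo-member" action="submit-job" target="/resources/cluster1"/>
    <permit role="vo-manager" action="view-usage" target="/resources/*"/>
    <permit role="vo-admin" action="approve-user" target="/vo/enrolments"/>
  </permissions>
</policy>
"""

# Constructed stand-in for role ACs fetched from LDAP: subject DN -> asserted roles.
ROLE_ACS = {
    "/C=UK/O=eScience/OU=Imperial/CN=alice": {"vo-member"},
    "/C=UK/O=eScience/OU=Imperial/CN=bob": {"vo-manager"},
}

class Policy:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.parents = {r.get("name"): r.get("inherits") for r in root.iter("role")}
        self.permits = [(p.get("role"), p.get("action"), p.get("target"))
                        for p in root.iter("permit")]

    def effective_roles(self, roles):
        """Hierarchical RBAC: a role grants every role it inherits; undefined roles are ignored."""
        out, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r in self.parents and r not in out:
                out.add(r)
                if self.parents[r]:
                    stack.append(self.parents[r])
        return out

def target_matches(pattern, target):
    # Exact match, or prefix match for patterns ending in '/*'.
    return pattern == target or (pattern.endswith("/*") and target.startswith(pattern[:-1]))

def decide(policy, role_acs, dn, action, target):
    """ADF: Decision Request (DN + access request) -> 'Grant' or 'Deny'.
    The AEF on the application side calls this and enforces the answer."""
    roles = policy.effective_roles(role_acs.get(dn, set()))
    for role, act, tgt in policy.permits:
        if role in roles and act == action and target_matches(tgt, target):
            return "Grant"
    return "Deny"
```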


PERMIS Shortcomings

• It just provides an authorisation framework using attribute certificates => policy driven authorisation

– Does not store any other data about users, e.g. personal, usage etc.

– Does not store any data about resources, sites etc.

– Not intended to provide overall VO management capability, e.g. authentication of users or accounting of user/resource usages


Akenti Policy Language

• Provides a policy language based on XML

• Can be used for certificate based authorisation

• Shortcomings

– Needs customised front end

– No notion of VO

• Conceptually similar to PERMIS


VOM comparison with PERMIS & Akenti

• VOM provides additional capability of secure web based user registration, resource usage logging and holds detailed info about users, resources etc.

• Both PERMIS & Akenti provide a rich policy authorisation engine. VOM does not provide a policy authorisation language, API or engine => complementary


Open Issues - VO Deployment issues

(Deployment diagram labels: Manchester, Oxford, Edinburgh, NGS, London 1, Cambridge 1; Horizontal (National Grid Service); VERTICAL (twice); London 2, Cambridge 2.)


Future Work

• Explicit RBAC using proposed NIST standard

• Explicit policy management

– Separate Contract/SLA for VO, Resource, User joining VO

• Resource specifies minimum/average/maximum service offered

• Users specify average & maximum service expectation

• Explore use of GLUE information Schema for import/export of user/resource info

• Explore pure web services implementation


Conclusions

• VOM provides a centralised management interface for managing a VO

• Can be used for resource access control and usage accounting for the Globus Toolkit

• Can be used as a secure web interface for configuring CAS

• Can also be used for role-based identity management in ICENI


Acknowledgments

• Testing and evaluation of software done with the help from members of the UK Grid Engineering Task Force.

• Deployed across the Level 2 UK e-Science Grid to provide user management and accounting capability (http://www.grid-support.ac.uk/l2g/).

• Work done as part of the OSCAR-G project, funded by DTI, Compusys & Intel (THBB/C/008/00028)

• CAS evaluation funded by JISC AAA programme


Acknowledgements

• Director: Professor John Darlington

• Research Staff:

– Nathalie Furmento, Stephen McGough, William Lee

– Jeremy Cohen, Marko Krznaric, Murtaza Gulamali

– Laurie Young, Jeffrey Hau

– David McBride, Ali Afzal

• Support Staff:

– Oliver Jevons, Sue Brookes, Glynn Cunin, Keith Sephton

• Alumni:

– Steven Newhouse, Yong Xie, Gary Kong

– James Stanton, Anthony Mayer, Angela O’Brien

• Contact:

– http://www.lesc.ic.ac.uk/ e-mail: [email protected]