EGEE-III INFSO-RI-222667
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks
Authorization in L&B
Daniel Kouřil, CESNET
MWSG meeting, Zurich, 31/3/2009
Logging and Bookkeeping
• Monitoring system to track jobs
  – in production for many years
  – designed to be able to process 1M jobs per day
    hundreds of LB events per second
• Currently for jobs passing via WMS
  – ongoing discussions with CREAM
  – recently adapted to monitor PBS and Condor jobs, too
• Two basic L&B components
  – LB messaging infrastructure
  – LB server storing and processing job related data
• Query interface
  – complex queries on jobs and their status
• Notifications
  – sent by LB server on changes
Gathering L&B data
• LB collects events from individual Grid components
  – information about an important point in the job's lifetime
    transfer between components, start running, done, ...
    instrumentation of components
  – events sent as messages to the LB server
  – own messaging infrastructure
    secure (protection, authN) and reliable (fault tolerance)
    notifications use this messaging infrastructure too
  – events are tied with a job (using the jobid)
    job registration
• Push model
  – events are sent by the components (mostly WMS) upon changes
  – instrumented components or reading log files
  – no useless polling
L&B Infrastructure
L&B Architecture
Authorizing consumers
• Users can only access their jobs by default
• ACL can be specified by users
  – specifying subject names or VOMS attributes
  – simple UI to manipulate the ACLs, output in GACL
• Super-users
  – specified by L&B server administrators
  – subject names or VOMS attributes (LB 2.0)
    simple policy language used
• Generalized "super-users"
  – work in progress
  – broader access to job information
    RTM monitoring
  – policy language not set yet
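The consumer rules above (owner always allowed, user-managed ACL entries naming certificate subjects or VOMS attributes, administrator-configured super-users identified the same way) as an added example; this is not L&B's own code, the class and function names are assumed, the DNs and VO name are constructed, and the GACL serialization the UI produces is not reproduced.

```python
# Added example, not L&B's own code: a read-access decision for job data that
# follows the rules on the slide.  Names of classes and functions are assumed.
from dataclasses import dataclass, field


@dataclass
class Principals:
    """A set of identities: certificate subject DNs and/or VOMS FQANs."""
    subjects: set = field(default_factory=set)
    fqans: set = field(default_factory=set)


@dataclass
class JobAcl:
    owner: str                                               # subject DN of the job owner
    entries: Principals = field(default_factory=Principals)  # ACL set by the owner


@dataclass
class Credential:
    subject: str        # subject DN from the client's certificate
    fqans: tuple = ()   # VOMS attributes; empty when no VOMS extension was presented


def normalize_fqan(fqan: str) -> str:
    """Drop the 'Role=NULL' / 'Capability=NULL' fields VOMS appends for plain
    group membership, so '/vo/grp' and '/vo/grp/Role=NULL/Capability=NULL'
    compare equal."""
    for suffix in ("/Capability=NULL", "/Role=NULL"):
        if fqan.endswith(suffix):
            fqan = fqan[: -len(suffix)]
    return fqan


def matches(cred: Credential, who: Principals) -> bool:
    """True if the credential's subject or any of its FQANs is listed in `who`."""
    if cred.subject in who.subjects:
        return True
    have = {normalize_fqan(f) for f in cred.fqans}
    want = {normalize_fqan(f) for f in who.fqans}
    return bool(have & want)


def may_read_job(cred: Credential, acl: JobAcl, super_users: Principals) -> bool:
    """Default deny: only the owner, ACL entries and super-users get through."""
    if cred.subject == acl.owner:
        return True
    return matches(cred, acl.entries) or matches(cred, super_users)


def demo() -> dict:
    """Decisions for a few constructed credentials (DNs and VO are made up)."""
    base = "/DC=cz/DC=cesnet-ca/O=Example/CN="
    super_users = Principals(subjects={base + "lb-admin"},
                             fqans={"/example-vo/Role=lbadmin"})
    acl = JobAcl(owner=base + "alice",
                 entries=Principals(subjects={base + "bob"},
                                    fqans={"/example-vo/analysis"}))
    clients = {
        "owner":       Credential(base + "alice"),
        "acl-subject": Credential(base + "bob"),
        "acl-group":   Credential(base + "carol",
                                  ("/example-vo/analysis/Role=NULL/Capability=NULL",)),
        "vo-only":     Credential(base + "dave",
                                  ("/example-vo/Role=NULL/Capability=NULL",)),
        "super-dn":    Credential(base + "lb-admin"),
        "super-role":  Credential(base + "eve",
                                  ("/example-vo/Role=lbadmin/Capability=NULL",)),
        "stranger":    Credential(base + "mallory"),
    }
    return {name: may_read_job(c, acl, super_users) for name, c in clients.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} {'allow' if allowed else 'deny'}")
```

Note that plain VO membership ("vo-only") is denied: an ACL entry for a group does not widen to the whole VO, and a super-user FQAN only matches when the role is actually present in the credential.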
Authorizing producers
• No explicit authZ in L&B v1.x
  – LCAS-based authZ introduced in L&B 2.0
  – custom L&B LCAS module specifying events and clients
  – enables to define trusted networks of loggers
• Simple policy language:
    RegJob = {
        *
    }
    * = {
        /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz
    }
    ...
  – language may change before release
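As an added example (not the L&B LCAS module itself), a parser and decision function for the producer policy shown above. The semantics are an assumed reading of the slide: each block names an event type, with "*" standing for any other event type, and lists the subject DNs of loggers allowed to send it; a "*" inside a block admits any authenticated client, and the most specific block wins. The DN in the embedded policy is the one quoted on the slide; the second DN used in the demo is constructed. Returning a reason alongside the decision is a design choice for the audit trail that the later "trusted loggers" points call for.

```python
# Added example, not the L&B LCAS module: parse the producer policy language
# from the slide and decide whether a given logger may send a given event type.
# Semantics (assumed): event-specific block first, then the '*' block; '*' as a
# subject admits any authenticated client; no matching block means deny.
import re

# Policy text as shown on the slide (whitespace tidied); the DN is the one quoted there.
SLIDE_POLICY = """
RegJob = {
    *
}
* = {
    /DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz
}
"""

_BLOCK_START = re.compile(r"^(\S+)\s*=\s*\{$")


def parse_policy(text: str) -> dict:
    """Map event type -> set of allowed subject DNs (or {'*'})."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":          # blank lines and the slide's ellipsis
            continue
        m = _BLOCK_START.match(line)
        if m:
            if current is not None:
                raise ValueError(f"nested block at {line!r}")
            current = m.group(1)
            policy.setdefault(current, set())
        elif line == "}":
            if current is None:
                raise ValueError("'}' without an open block")
            current = None
        elif current is None:
            raise ValueError(f"subject outside a block: {line!r}")
        else:
            policy[current].add(line)          # one subject DN (or '*') per line
    if current is not None:
        raise ValueError(f"block {current!r} not closed")
    return policy


def check_event(policy: dict, event_type: str, subject: str):
    """Return (allowed, reason).  The reason is intended for the server's audit
    log, since L&B data may later be used in incident resolution."""
    if event_type in policy:
        allowed, reason = policy[event_type], f"block {event_type!r}"
    elif "*" in policy:
        allowed, reason = policy["*"], "fallback block '*'"
    else:
        return False, f"no policy for event {event_type!r}"
    if "*" in allowed:
        return True, reason + " admits any client"
    if subject in allowed:
        return True, reason + " lists this subject"
    return False, reason + " does not list this subject"


if __name__ == "__main__":
    pol = parse_policy(SLIDE_POLICY)
    zcu = "/DC=cz/DC=cesnet-ca/O=University of West Bohemia/CN=scientific.civ.zcu.cz"
    other = "/DC=cz/DC=cesnet-ca/O=Example/CN=unknown-host"   # constructed DN
    for ev, dn in [("RegJob", other), ("Running", zcu), ("Running", other)]:
        print(ev, dn.rsplit("CN=", 1)[-1], check_event(pol, ev, dn))
```

With the slide's policy, any authenticated client may register a job, but every other event type is accepted only from the one listed host; a policy file with no "*" block rejects events of unlisted types outright.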
Trusted loggers
• Loggers specified using subject names
  – VOMS support would be more convenient
  – currently no support for VOMS attributes for services
    loggers always act as a client for the L&B server
• Especially important when L&B is used in incident resolution
  – L&B contains many interesting details about users' activities
  – work in OSCT to trace users based on L&B data
  – L&B information must be reliable enough
    originated from trusted components