svopme – a scalable virtual organization privileges management environment phase i project review...
TRANSCRIPT
SVOPME – A Scalable Virtual Organization Privileges Management Environment
Phase I Project Reviewand
Phase II Project Kickoff
Oct 28, 2008 @ FNAL, Batavia, IL
Funded by DOE OASCR SBIR Grant #DE-FG02-07ER84733
Nanbor Wang
Tech-X Corporation
Gabriele Garzoglio
Fermi National Accelerator Laboratory
SVOPME Phase II Kickoff
Outlines
• Project overview– What SVOPME tries to address
• Phase I results– Design and capability of the prototype tools
• Phase II outlook and planning– Our current plan– We need your feedback and wishes
• Verify our focus areas and prioritize tasks• Particular features that’s needed
Remember that we have tried one possible solution that works
We are ready to adopt a better approach or address other more pressing issues related to various VO policies
SVOPME Phase II Kickoff
What are VO Privileges?
• VOs use resources• VOs wish to define usage policies
for various resources for different users within the VOs– Production team members submit
jobs with higher priority– Software team members can
write to disk area for software installations
• VOs grant users privileges for using different resources to enforce the usage policies
• However, VOs do not manage/configure grid sites
• Grid sites provide resources• Grid sites may want to provide
different services to different VOs– As an example, some site might
decide to offer DOE-sponsored VOs higher priority to local resources
• Grid sites help VOs to enforce their useage policies by managing user privileges
• Grid sites don’t define VOs’ usage policies
Challenge: Enforcing VO privileges on multiple grid sites
(ah hoc solution: verbal communication)
SVOPME Phase II Kickoff
Motivations of SVOPME
• With the growth in Grid usage, both the numbers of VOs and grid-sites increase
• Serious scalability problems in propagating VO privilege policies
• SVOPME: – Provide the tools and
infrastructure to help automate enforcing VO privilege policies
– Reuse proven administrative solutions – we adopt common system configuration patterns currently in use in major grid sites
…CMSUSATLAS
CompBioGrid
STAR
LIGO
FermiGrid
SDSS iVDGL
FERMIGRID CMS-T2
LIGO-MIT
GPFARM
UCSDT2UC-ATLAS
ASGC
STAR-BNL
Address scalability
SVOPME Phase II Kickoff
Modern User Privilege Management
• Moving away from the use of gridmap files to VOMS/GUMS role-based privilege mangement– Eliminate the need
for multiple user certificates
• Similar trend in EGEE (LCAS & LCMAPS and VOMS)
• Job priority management for both SE and CE
SVOPME Phase II Kickoff
Phase I Objective and Tasks
• Objective: validate the approach
• Design suitable XML schemas for describing policies– We have adopted XACML– Allow aggregation of
policies– Also used by AuthZ
Interoperability project
• Determine the information needed in VOs and site policies– Come up with a list of
resources and policies
• Implement a prototype environment for synthesizing administrative directives and verifying VO policies
VO PrivilegePolicies
Site PrivilegePolicies
Site Configurations
ConfigurationRecommendations
Propagate
Verify
Synth
esize
SVOPMEConceptDiagram
SVOPME Phase II Kickoff
Task 2: Survey Resources and Policies Needed
• Resources– OS protection (account types:
group or pool)– Batch system– File system– External storage
(SRM/dCache)– Network access
(inbound/outbound)– Edge services
• Site policies– Timed availability (execution
time slots for certain VO users)
• VO policies– Relative priority in batch system– Directory access permissions– Consecutive execution period– Suspension/resumption of jobs– Repeat execution (More like
allowing restart or not in batch system)
– User file privacy– Two roles to share the same GID
• VO or site policies– Disk quota– File retention period– Account type– Network (inbound/outbound)
access control
We have implemented the highlighted policies in the Phase I prototype tools
SVOPME Phase II KickoffTech-X Corporation 8
Task 3: SVOPME Prototype Architecture
VO
Grid Site
XACML VO Policy Editor
Grid Probe
Policy Comparer
Storage Element
Actual Site Policies
Site Instructions
A report on which VO policies are implemented by Grid Site
Grid Admin uses these instructions and configures CE and SE accordingly
Tool 3 probes site resources
Outputs site policies
Forms test queries for every policy such that the response is always a permit.
Policy Advisor
ComparesProduces
If response is permit, this VO policy is honored. Otherwise not.
Compute Element
VOMS Client
VO Policies with supporting attributes/Verification Queries
Provides info from VOMS server
Compares
Edits VO Policies
Same query sent to the Grid Policy
SVOPME Phase II KickoffTech-X Corporation 9
VO Tools – Used by VO-Admin
• Comprises of 2 Tools– VOMS Client– VO Policy Editor
• VOMS Client– Obtains info about all the Group/Role and the no of users from
VOMS server– This information is passed to VO Policy Editor (next slide) to
avoid operator’s errors
SVOPME Phase II Kickoff
Domain-Specific VO Policy Editor
• XACML is a generic XML-based language for specifying access control policies– Not very human readable
– Suitable for machine processing
• The VO Policy Editor therefore allows VO administrators to edit a pre-defined set of VO policies in simple readable forms– For example: Account Mapping Policy
• Group _____ should run with pool/group account
• The Editor, however, stores the policies in XACML format to enable automation– Privilege policies
– Test queries for verifying correct implementation and enforcement of policies on Grid sites
• Support for new policy types can be added as “Policy Templates” plug-in’s
• We also plan to develop a command-line policy editing tools to convert between a text based policy specification and XACML documents
SVOPME Phase II Kickoff
Phase I VO Policy Editor Screen Shot 1
Select Policy Type to Add
Select Policy
VO Policy Description
SVOPME Phase II Kickoff
Phase I VO Policy Editor Screen Shot 2
Edit Policy Attributes
VOMS Client assists in setting attributes
SVOPME Phase II Kickoff
Phase I VO Policy Editor Screen Shot 3
Allow XACML view
SVOPME Phase II KickoffTech-X Corporation 14
Grid Tools
• Comprises of 3 Tools– Grid Probe– VO/Grid Policies Advisor– VO/Grid Policies Comparer
• Grid Probe– Probe the grid site local configurations– For Phase-I we probe the settings of GUMS and
Condor system– GUMS provides info on account mapping from VO
user/role to local UID– Condor provides priorities of accounts
– Generates the equivalent Grid side policies (in XACML) from the probe results
SVOPME Phase II KickoffTech-X Corporation 15
VO/Grid Policies Advisor
Verify that the Grid site configurations support the VO policies by running the verification queries generated by VO Policy Editor for each VO policy
Provide advises for the Grid site administrator on what amendments needs to be done on the Grid; such that the Grid site complies with the VO policies
Example output: VO requested 3 accounts for VISITORS role via VO policies Site-policies derived from GUMS do not match
[java] VO/Grid Grid Accounts Policy Advices [java] ------------------------------------ [java] No matching Grid Accounts Policy was found for /TECHX/VISITORS
on the Grid site. Create a mapping in GUMS config such that /TECHX/VISITORS be mapped to at least 3 account(s)
[java] TECHX/Role=VO-Admin mapped to 1 account(s) (techxVOadmin) on the Grid site, is not suffient enough. Needs to be mapped to atleast 3 accounts.
SVOPME Phase II KickoffTech-X Corporation 16
VO/Grid Policies Comparer
Verify that the Grid site configurations support the VO policies by running the verification queries generated by VO Policy Editor for each VO policy
Produces a report on which VO policies are honored by the Grid site and which are not
Example output:[java] VO/Grid Grid Accounts Policy Comparison [java] --------------------------------------- [java] /TECHX/Role=User is mapped to 1 account(s) on the Grid site. Passed! [java] No Account Mapping Policies for /TECHX/VISITORS were found on the
Grid site. [java] /TECHX/Role=Software-Admin is mapped to 1 account(s) on the Grid
site. Passed! [java] /TECHX/Role=VO-Admin does not have suffient accounts on Grid Site.
Failed! (Needs to be mapped to atleast 3 accounts.) [java] /TECHX is mapped to 1 account(s) on the Grid site. Passed!
SVOPME Phase II Kickoff
Phase II Workplan
• Objective 1: Usability
– Support a more comprehensive set of VO policies• Add support for remaining policies collected in Phase I
– Not sure if we want to incorporate site-specified policies or not
• Collaborate with VOs and key OSG grid sites to gather VO policies needed and how site could support these policies
– Comman-line scripting tools
• Derive a set of policies sentences
• Embed policy sentence in generated XACML
SVOPME Phase II Kickoff
Phase II Tasks (cont)
• Completing Features and Hardening of prototype tools– Overall Feature enhancements
• Change to use PolicySets for VOs and grid sites– Allows us to aggregate policies– Supports the semantics of a whole VO or site
• Modularize components– Support new policies– Support new grid environments and configurations
– VO Policy Editor• Merge VOMS Client with the Editor• Allow opening/editing/saving of existing PolicySet• Support browsing of PolicySet• Support consistency check of overall VO PolicySet• What to do when there’s a mismatch between VO and PolicySet
– Grid Probe• Support probing of more resources configurations
– VO/Grid Policy Comparer/Advisor• Currently, we only check for supported policies but not redundant site
policies• Address security concerns (of site configurations and policy inconsistency,
etc.)
SVOPME Phase II Kickoff
Phase II Workplan (Cont.)
• Objective 2: Flexibility and Robustness
– Modularization of Aspects such as Grid configurations and tool stacks
– Migration toward a common Grid XACML profile (Authorization Interoperability Profile)
– Identify and implement more privilege policies
• Site-specific policies
• Service contracts between sites and VOs?
SVOPME Phase II Kickoff
Phase II Workplan (cont.)
• Objective 3: Demo the Effectiveness
– Integrate with OSG distribution
– Develop recommendation for running/using SVOPME tools
– Deployment, documentation and customer service
SVOPME Phase II Kickoff
We Need Your Opinions• Immediate features we should support• General approach
– Particular policies we are not covering?– Different strategies to verify support of VO privileges?
• VO tools– Features in GUI editor?– Scripting capability?
• Grid site tools– New configurations to probe?– How can we incorporate new configuration patterns
that site administrators often use?