
- Number of slides: 26
The VOMS and the SE in Tier 2
Presenter: Sergey Dolgobrodov
HEP Meeting, Manchester, January 2009
What is VOMS
• VOMS is…
  – An Attribute Authority.
  – A VO Management System.
  – A source of trust for authorization.
• VOMS is not…
  – A policy system.
  – An AuthN/AuthZ framework.
VOMS: The problem
• In a grid environment, VOs tend to be extremely large and to change frequently.
  – Hundreds or even thousands of users.
• Sites need to know the users, because they must prepare local accounts and eventually apply authorization policies.
• Managing them by hand does not scale.
VOMS: The solution
• Organize users into groups and grant them roles.
  – Allows for full Role Based Access Control authorization.
• Also adds other general-purpose attributes.
VOMS Architecture (diagram; labels: Secure, VOMS-ADMIN, DB)
Who uses VOMS?
• voms.gridpp.ac.uk
  – 19 VOs
  – 301 users
  – 2 servers
DPM, dCache, SRM: what are they
• Storage Element: DPM and dCache
  – Disk caching front end
  – End-user interface to write and read cached files
• Storage Resource Manager (SRM)
  – Provides a consistent interface to the underlying storage systems.
Tier 2 SE
• Combine hundreds of commodity disk servers to get a huge, terabyte-scale data store
• The storage site gains increased fault tolerance
• Allows several copies of a single file for distributed data access
• Internal load balancing using cost metrics and transfers between the site's pools
• Automatic file replication under high load (dCache)
Manchester Tier 2 SE
• Combines about 160 TB of disk space on 900 nodes
• Maintained and monitored around the clock
• Upgraded and tuned annually
This year's plans
• New storage hardware installation
• Migration from dCache to DPM
• Improving and tuning DPM/dCache performance via configuration
• Monitoring and automation of cluster maintenance, including SEs, Computing Elements, VOMS etc.
Thank you
VOMS data format
• Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC 3281 compliant Attribute Certificate (AC).
  – The exact profile is described here: https://forge.gridforum.org/sf/go/doc13797?nav=1
  – ACs are the natural choice in an X.509 world.
    • The grid is an X.509 world.
• The provided clients insert the AC in a non-critical extension of the user proxy.
  – Immediate compatibility with non-VOMS-aware software: such software still accepts the proxy for authentication but ignores the extension, so it sees only the user's identity DN and none of the VO attributes.
What is a proxy?
• A proxy is a short-lived certificate whose issuer is a user certificate (or another proxy).
  – Standardized in RFC 3820.
  – Commonly used throughout the grid for authentication and authorization purposes.
Example of data: voms-proxy-info --all (one output, with the slide's callouts marked "<-")

[marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy   <- Proxy's subject
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini            <- Proxy's issuer
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini            <- Certificate's subject
type      : proxy                                                                         <- Type of proxy
strength  : 512 bits                                                                      <- Proxy's key strength
path      : /tmp/x509up_u502                                                              <- Proxy's location
timeleft  : 11:59:58                                                                      <- Proxy's validity
=== VO valerio extension information ===
VO        : valerio                                                                       <- VO name
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini            <- Owner's data (AC holder)
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it                          <- Owner's data (AC issuer: the VOMS server)
attribute : /valerio/Role=NULL/Capability=NULL                                            <- Owner's group membership (FQANs)
attribute : /valerio/asdasd/Role=NULL/Capability=NULL
attribute : /valerio/qwerty/Role=NULL/Capability=NULL
attribute : attributeOne = 111 (valerio)                                                  <- General-purpose attributes
attribute : attributeTwo = 222 (valerio)
timeleft  : 11:59:58                                                                      <- AC validity
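The following is an added example, not code from the slides or from the VOMS project. It parses the text that voms-proxy-info --all prints (the output above, reproduced as a constructed string), splits each FQAN into group, role and capability, and applies the checks a site has to make before it honours the attributes described on the "VOMS data format" and "What is a proxy?" slides: the AC holder must be the proxy's end-entity identity, the AC must come from a VOMS server the site trusts, both the proxy and the AC must be unexpired, and only then are the FQANs mapped to local permissions. The trusted-issuer list, the FQAN-to-permission map and the 1024-bit minimum key size are assumptions standing in for site policy; the slides specify none of them.

```python
import re

# Constructed sample: the slide's `voms-proxy-info --all` output.
SAMPLE_OUTPUT = """\
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO valerio extension information ===
VO        : valerio
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it
attribute : /valerio/Role=NULL/Capability=NULL
attribute : /valerio/asdasd/Role=NULL/Capability=NULL
attribute : /valerio/qwerty/Role=NULL/Capability=NULL
attribute : attributeOne = 111 (valerio)
attribute : attributeTwo = 222 (valerio)
timeleft  : 11:59:58
"""

AC_HEADER_RE = re.compile(r"^=== VO (\S+) extension information ===$")
GENERIC_ATTR_RE = re.compile(r"^(\S+)\s*=\s*(.*?)\s*\((\S+)\)$")  # name = value (vo)


def parse_timeleft(text: str) -> int:
    """'11:59:58' -> seconds."""
    h, m, s = (int(x) for x in text.strip().split(":"))
    return h * 3600 + m * 60 + s


def parse_voms_proxy_info(text: str) -> dict:
    """Return {'proxy': {...}, 'acs': [{...}]} from `voms-proxy-info --all` text.
    In an AC dict, 'subject' is the AC holder and 'issuer' the VOMS server DN."""
    proxy, acs = {}, []
    cur = proxy                                   # section currently being filled
    for line in filter(None, (l.strip() for l in text.splitlines())):
        hdr = AC_HEADER_RE.match(line)
        if hdr:                                   # start of one VO's AC section
            cur = {"vo": hdr.group(1), "fqans": [], "generic": {}}
            acs.append(cur)
            continue
        key, _, value = line.partition(":")       # DNs carry no ':'; timeleft keeps its own
        key, value = key.strip(), value.strip()
        if key == "timeleft":
            cur["timeleft_s"] = parse_timeleft(value)
        elif key == "strength":
            cur["strength_bits"] = int(value.split()[0])
        elif key == "attribute" and value.startswith("/"):
            cur["fqans"].append(value)            # an FQAN; order matters (first = primary)
        elif key == "attribute" and GENERIC_ATTR_RE.match(value):
            m = GENERIC_ATTR_RE.match(value)
            cur["generic"][m.group(1)] = m.group(2)
        else:
            cur[key] = value                      # subject, issuer, identity, type, path, VO
    return {"proxy": proxy, "acs": acs}


def parse_fqan(fqan: str):
    """'/vo/group/Role=r/Capability=c' -> (group, role, capability).
    Role=NULL / Capability=NULL mean 'not set' and come back as None."""
    group, attrs = [], {"Role": None, "Capability": None}
    for part in fqan.split("/")[1:]:
        name, eq, val = part.partition("=")
        if eq and name in attrs:
            attrs[name] = None if val == "NULL" else val
        else:
            group.append(part)
    return "/" + "/".join(group), attrs["Role"], attrs["Capability"]


# ASSUMPTION: site trust anchors for VOMS servers (in production, the .lsc files).
TRUSTED_VOMS_ISSUERS = {"valerio": {"/C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it"}}
# ASSUMPTION: site policy, (group, role) -> local permissions; exact match, no inheritance.
ROLE_MAP = {
    ("/valerio", None): {"read"},
    ("/valerio/qwerty", None): {"read", "write"},
    ("/valerio", "production"): {"read", "write", "delete"},
}


def authorize(info: dict, vo: str, min_key_bits: int = 1024):
    """Return (granted permissions, denial reasons); empty permissions means denied.
    min_key_bits is an ASSUMED site policy: the slide's 512-bit proxy fails it."""
    p, reasons = info["proxy"], []
    if p.get("type") != "proxy" or p.get("timeleft_s", 0) <= 0:
        reasons.append("not a valid, unexpired proxy")
    if p.get("strength_bits", 0) < min_key_bits:
        reasons.append("proxy key too short: %s bits" % p.get("strength_bits"))
    ac = next((a for a in info["acs"] if a["vo"] == vo), None)
    if ac is None:
        reasons.append("no AC for VO %s" % vo)
    else:
        if ac.get("subject") != p.get("identity"):    # AC must be bound to this end entity
            reasons.append("AC holder does not match proxy identity")
        if ac.get("issuer") not in TRUSTED_VOMS_ISSUERS.get(vo, set()):
            reasons.append("AC not issued by a trusted VOMS server for %s" % vo)
        if ac.get("timeleft_s", 0) <= 0:
            reasons.append("AC expired")
    if reasons:
        return set(), reasons
    perms = set()
    for fqan in ac["fqans"]:                          # RBAC: union of what each FQAN grants
        group, role, _cap = parse_fqan(fqan)
        perms |= ROLE_MAP.get((group, role), set())
    return perms, reasons
```

The DN comparison against TRUSTED_VOMS_ISSUERS stands in for the cryptographic step a real site performs: verifying the AC's signature against the VOMS server certificate named in the VO's .lsc file. With the assumed 1024-bit minimum, the 512-bit proxy on the slide is denied before any attribute is looked at; calling authorize(info, "valerio", min_key_bits=512) lets the three FQANs through and yields {"read", "write"} under the assumed ROLE_MAP, with Role=NULL treated as "no role selected".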