A VOMS overview


  1. Enabling Grids for E-sciencE
     A VOMS overview
     Andrea Ceccanti (on behalf of the VOMS team)
     NRENS and Grids Workshop, Malaga, 29-30/11/07
     www.eu-egee.org
     EGEE-II INFSO-RI-031688. EGEE and gLite are registered trademarks.

  2. Outline
     • AAI in Grids
     • What’s VOMS?
     • What’s VOMS-Admin?

  3. AAI in Grids
     Security infrastructure based on X.509 certificates (PKI)
     Authentication
       – Needs “trusted third parties”, i.e. Certificate Authorities (CAs)
       – Users are identified by “identity” certificates signed by CAs
       – Delegation and single sign-on via proxy certificates
     Authorization
       – Several entities are involved:
         - resource providers (e.g., computer centres, storage providers, ...)
         - Virtual Organizations (e.g., the LHC experiment collaborations)
       – Authorization cannot be decided on a local-site basis alone:
         - it must reflect the service level agreements settled between VOs and resource providers
       – VOs administer user membership (groups, roles, ...)
       – RPs evaluate the attributes granted by VOs to their users and map them to the local credentials used to access resources

  4. VO Membership Service
     • Virtual Organization Membership Service
       – an Attribute Authority (AA) that issues attributes (in the form of signed assertions) expressing membership information of a subject in the context of a Virtual Organization (VO)
       – a VO management service
       – a VO registration service
       – a source of trust for authorization
     • Extends the X.509 AAI with attributes related to VO structure
       – so that access to resources can be authorized accordingly!

  5. VOMS Attributes
     • Reflect the structure of a VO
       – Group membership
         - A VO member may be part of several VO groups
         - Example: /atlas/production, /atlas/analysis
       – Role assignment
         - A VO member may be assigned roles
         - Example: /atlas/production/Role=SoftwareManager
       – Generic attributes
         - (Name, Value) pairs that can be associated with a VO membership
         - Example: cern_afs_account = ceccanti

  6. Obtaining VOMS attributes
     How does a user get his VOMS attributes?
     • Preconditions:
       – The user must have an X.509 certificate signed by a trusted CA
       – The user must be registered in a VOMS server as a member of a VO
     • The user contacts the VOMS server for his VO using a command line client (voms-proxy-init) or the VOMS APIs
     • A proxy certificate is created containing the user's VO membership information
       – In particular, VOMS creates a signed Attribute Certificate (AC) containing this information, which is then packed into a proxy certificate
     • The proxy certificate is used to authenticate and authorize the user at remote services

  7. VOMS Interaction (diagram slide)

  8. VOMS ACs
     • AC as defined by RFC 3281
       – VOMS OID: 1.3.6.1.4.1.8005.100.100
       – Measures against theft and reuse of VOMS ACs:
         - the DN of the attribute holder is linked into the AC
         - the serial number of the user certificate is linked into the AC
         - ACs have their own validity period
       – ACs are signed with the private key of the VOMS server host certificate
     • VOMS attributes are listed as FQANs in the AC
       – FQAN: Fully Qualified Attribute Name
       – Example: /cms/Higgs/Role=cmsprod

  9. FQAN: Group membership
     • Group structure is expressed using this syntax:
       – /<root group>/<subgroup>/…/<subgroup>
     • <root group> MUST be the name of the Virtual Organization
     • Group membership is compulsory and cannot be denied (unlike roles, which are only included on request)
     • A member of a subgroup MUST be a member of the parent (sub)group
       /example_vo/group
       /example_vo/group/subgroup
       /example_vo/group/subgroup/subsubgroup

  10. FQAN: Role assignment
     • Roles are optional
       – a user requests which roles he wants in his AC at voms-proxy-init time
     • Ownership of a role is always tied to membership in a group
       – i.e., the user that gets the Role MUST also be a member of the group in which the Role is assigned
     • FQAN syntax:
       – <group name>/Role=<role name>
       /infngrid/Role=VO-Admin
       /infngrid/TEST/Role=SoftwareManager
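The group and role rules on the two FQAN slides above, worked as code. This is an added illustration in plain Python and not VOMS code; the VO names, groups and roles used as sample data are constructed, and the checks are written for group trees of any depth rather than only the three-level example on the slide.

```python
"""FQAN handling as described on the "FQAN: Group membership" and "FQAN: Role
assignment" slides. Added illustration in plain Python, not VOMS code: the VO
names, groups and roles below are constructed sample data, and the rules are
applied for group trees of any depth."""
import re

# One path component of a group or role name: letters, digits, '_', '-', '.'
_COMPONENT = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_fqan(fqan):
    """Split an FQAN into (group, role); role is None for a plain group FQAN.

    Accepted forms are the ones shown on the slides:
        /<vo>/<subgroup>/.../<subgroup>
        /<vo>/<subgroup>/.../Role=<role name>
    """
    group, sep, role = fqan.partition("/Role=")
    if not group.startswith("/"):
        raise ValueError(f"{fqan!r}: an FQAN must start with '/'")
    components = group.split("/")[1:]
    if not all(_COMPONENT.match(c) for c in components):
        raise ValueError(f"{fqan!r}: malformed group name")
    if sep and not _COMPONENT.match(role):
        raise ValueError(f"{fqan!r}: malformed role name")
    return group, (role if sep else None)


def ancestors(group):
    """Every group implied by membership in `group`, from the VO root down to
    the group itself, e.g. /a/b/c -> [/a, /a/b, /a/b/c]."""
    parts = group.split("/")[1:]
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def vo_of(group):
    """The root group of a FQAN is the VO name."""
    return group.split("/")[1]


def check_vo_invariants(vo, memberships, role_assignments):
    """Return the violations of the slides' rules for one user's entries.

    memberships: the group FQANs the user belongs to.
    role_assignments: the role FQANs the user holds.
    An empty list means the entries are consistent.
    """
    errors = []
    groups = set()
    for fqan in memberships:
        group, role = parse_fqan(fqan)
        if role is not None:
            errors.append(f"{fqan}: a membership entry cannot carry a role")
        elif vo_of(group) != vo:
            errors.append(f"{fqan}: root group is not the VO name {vo!r}")
        else:
            groups.add(group)
    # A member of a subgroup must also be a member of each parent group.
    for group in sorted(groups):
        for parent in ancestors(group)[:-1]:
            if parent not in groups:
                errors.append(f"{group}: member is not in parent group {parent}")
    # A role is always held in a group, and the holder must be in that group.
    for fqan in role_assignments:
        group, role = parse_fqan(fqan)
        if role is None:
            errors.append(f"{fqan}: not a role FQAN")
        elif group not in groups:
            errors.append(f"{fqan}: role held in a group the user is not a member of")
    return errors


def fqans_for_proxy(memberships, role_assignments, requested_roles=()):
    """Model of what the server puts in the AC at voms-proxy-init time: every
    group the user belongs to (membership is compulsory), plus only the roles
    the user asked for, each of which must actually be assigned to the user."""
    held = set(role_assignments)
    for role_fqan in requested_roles:
        if role_fqan not in held:
            raise PermissionError(f"{role_fqan}: role not assigned to this user")
    return list(memberships) + list(requested_roles)


if __name__ == "__main__":
    # Constructed sample user in the atlas VO.
    groups = ["/atlas", "/atlas/production", "/atlas/analysis"]
    roles = ["/atlas/production/Role=SoftwareManager"]
    print(check_vo_invariants("atlas", groups, roles))   # []
    print(fqans_for_proxy(groups, roles, roles))
    print(check_vo_invariants("atlas", ["/atlas/production"],
                              ["/atlas/analysis/Role=SoftwareManager"]))
```

The parser deliberately rejects empty path components, a missing leading slash and a role name containing a further slash, so a malformed FQAN fails early instead of being silently mapped to some local credential by a resource provider.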

  11. Generic attributes
     • These are (Name, Value) pairs that can be embedded into the AC
     • Useful to attach other kinds of trusted information to a VO membership
       – e.g., embed Shibboleth attributes inside VOMS ACs

  12. Verifying VOMS ACs
     • In order to verify ACs, the certificate that was used to sign them (usually the VOMS server host certificate) must be available where verification takes place
     • VOMS currently implements a transparent certificate distribution mechanism
       – the AA certificate is embedded in the AC, so that clients can use it to verify the AC itself
     • Historically (i.e., in the current production grid :)) VOMS server certificates were distributed as RPMs (like CA RPMs)
       – difficulties in managing the timely renewal and redistribution of new server certificates
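The checks from the "Obtaining VOMS attributes", "VOMS ACs" and "Verifying VOMS ACs" slides, run over constructed data. This is an added illustration, not VOMS code: the AC is a Python dataclass instead of the RFC 3281 DER structure, an HMAC with a per-server secret stands in for the RSA signature made with the VOMS host private key, and the DNs, serial numbers and keys are made up. The `trusted_aa_keys` table plays the part of the relying party's configured list of trusted VOMS servers: an AA certificate carried inside the AC only helps once it has been matched against such a list, otherwise anyone could mint an AC and embed their own certificate.

```python
"""Model of the binding checks on a VOMS Attribute Certificate (AC), after the
"VOMS ACs" and "Verifying VOMS ACs" slides. Added illustration, not VOMS code:
the AC is a dataclass instead of the RFC 3281 DER structure, and an HMAC with a
per-server secret stands in for the RSA signature made with the VOMS host key.
DNs, serials and keys below are constructed sample data."""
import dataclasses
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

VOMS_AC_OID = "1.3.6.1.4.1.8005.100.100"   # extension under which the AC travels


@dataclass(frozen=True)
class EndEntityCert:
    """Fields of the user's identity certificate that an AC is bound to."""
    subject_dn: str
    serial: int


@dataclass(frozen=True)
class AttributeCert:
    holder_dn: str         # DN of the attribute holder (copied from the user cert)
    holder_serial: int     # serial number of the user cert
    issuer_dn: str         # DN of the VOMS server host certificate
    not_before: datetime   # the AC has its own validity period ...
    not_after: datetime    # ... independent of the user and proxy certificates
    fqans: tuple
    signature: bytes = b""

    def to_be_signed(self):
        fields = (self.holder_dn, str(self.holder_serial), self.issuer_dn,
                  self.not_before.isoformat(), self.not_after.isoformat(),
                  ",".join(self.fqans))
        return "\n".join(fields).encode()


def issue_ac(user, issuer_dn, issuer_key, fqans, now, lifetime=timedelta(hours=12)):
    """What the VOMS server does for voms-proxy-init: bind the granted FQANs
    to the requesting certificate (DN and serial) and sign the result."""
    ac = AttributeCert(user.subject_dn, user.serial, issuer_dn,
                       now, now + lifetime, tuple(fqans))
    sig = hmac.new(issuer_key, ac.to_be_signed(), hashlib.sha256).digest()
    return dataclasses.replace(ac, signature=sig)


def verify_ac(ac, presented, trusted_aa_keys, now):
    """Checks a relying party runs before using the FQANs in an AC.

    Returns the list of reasons to reject; an empty list means accept.
    `presented` is the end-entity certificate of the proxy chain that carried
    the AC; `trusted_aa_keys` maps trusted VOMS server DNs to their keys.
    """
    problems = []
    key = trusted_aa_keys.get(ac.issuer_dn)
    if key is None:
        problems.append("issuer is not a trusted VOMS server")
    else:
        expected = hmac.new(key, ac.to_be_signed(), hashlib.sha256).digest()
        if not hmac.compare_digest(ac.signature, expected):
            problems.append("signature does not verify")
    if ac.holder_dn != presented.subject_dn:
        problems.append("holder DN differs from the presented certificate")
    if ac.holder_serial != presented.serial:
        problems.append("holder serial differs from the presented certificate")
    if not ac.not_before <= now <= ac.not_after:
        problems.append("AC is outside its validity period")
    return problems


# Constructed sample data.
VOMS_HOST_DN = "/C=IT/O=INFN/OU=Host/CN=voms.example.org"
TRUSTED_AA = {VOMS_HOST_DN: b"sample-voms-host-key"}
ALICE = EndEntityCert("/C=IT/O=INFN/CN=Alice Example", serial=4711)
BOB = EndEntityCert("/C=IT/O=INFN/CN=Bob Example", serial=4712)
ALICE_RENEWED = EndEntityCert(ALICE.subject_dn, serial=5000)   # same DN, new cert
T0 = datetime(2007, 11, 29, 9, 0, tzinfo=timezone.utc)


def scenarios():
    """Run the checks over a legitimate use and the misuse cases the slide lists."""
    one_hour = T0 + timedelta(hours=1)
    ac = issue_ac(ALICE, VOMS_HOST_DN, TRUSTED_AA[VOMS_HOST_DN],
                  ["/atlas", "/atlas/production/Role=SoftwareManager"], T0)
    tampered = dataclasses.replace(ac, fqans=ac.fqans + ("/atlas/Role=VO-Admin",))
    rogue = issue_ac(ALICE, "/C=XX/CN=rogue-voms", b"attacker-key",
                     ["/atlas/Role=VO-Admin"], T0)
    return {
        "alice, within validity": verify_ac(ac, ALICE, TRUSTED_AA, one_hour),
        "bob presents alice's AC": verify_ac(ac, BOB, TRUSTED_AA, one_hour),
        "alice's renewed cert": verify_ac(ac, ALICE_RENEWED, TRUSTED_AA, one_hour),
        "expired AC": verify_ac(ac, ALICE, TRUSTED_AA, T0 + timedelta(hours=13)),
        "tampered FQAN list": verify_ac(tampered, ALICE, TRUSTED_AA, one_hour),
        "rogue issuer": verify_ac(rogue, ALICE, TRUSTED_AA, one_hour),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name:26s} -> {'OK' if not problems else '; '.join(problems)}")
```

The "renewed cert" case is the one that catches people: an AC cut for a user's old certificate stops verifying as soon as the CA reissues that certificate with a new serial, even though the DN is unchanged, which is exactly the binding the slide describes.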

  13. VOMS SAML interface
     • VOMS is currently being extended to encode VOMS attributes as SAML Attribute Assertions
       – better interoperability with the Web Services world
     • This is complementary to the “traditional” VOMS service
       – i.e., the same VOMS server will be able to issue X.509 ACs AND SAML assertions describing the same VO membership

  14. VOMS Architecture (diagram slide)

  15. VOMS Management and Registration services (VOMS-Admin)

  16. What’s VOMS-Admin
     • A J2EE web application that
       – manages the contents of the VOMS database
       – provides registration services
     • Used by VO administrators mainly to
       – add/remove users to/from the VO
       – put them in VOMS groups
       – assign VOMS roles to them
       – manage generic attributes
     • Provides a WSDL interface to its functions
     • Implements a flexible AuthZ framework
       – on top of HTTPS

  17. VO Registration service (screenshot slide)

  18. Manage subscriptions
     • VO admins are notified by mail of users' registration requests and can then approve (or reject) them

  19. VOMS-Admin web UI (screenshot slide)

  20. Manage user membership (screenshot slide)

  21. VOMS-Admin AuthZ framework
     • All operations on VOMS-Admin are authorized via ACLs
     • ACLs are (Context, Principal, Permission) triples
       – The Context is a FQAN
       – The Principal is either
         - a (DN, CA) couple (i.e., an X.509 certificate)
         - a FQAN
         - ANY_AUTHENTICATED_USER
       – The Permission states what the principal can do in the Context
         - list/add members of a group/role
         - create subgroups
         - manage attributes
         - manage requests/subscriptions pertaining to groups/roles

  22. VOMS-Admin ACLs (screenshot slide)

  23. Web UI and ACLs
     • The web interface is ACL aware
       – only authorized actions are shown and can be executed
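The (Context, Principal, Permission) model of the "VOMS-Admin AuthZ framework" slide and the ACL-aware menu of the "Web UI and ACLs" slide, as an added example. This is illustrative Python, not VOMS-Admin code: the permission names, the sample ACL and the principals are constructed, and the model evaluates each context on its own (whether VOMS-Admin propagates ACL entries from a group to its subgroups is not covered by the slides and is not assumed here).

```python
"""Model of the ACL evaluation described on the "VOMS-Admin AuthZ framework"
and "Web UI and ACLs" slides. Added illustration, not VOMS-Admin code: the
permission names, the ACL entries and the principals are constructed samples,
and each context is evaluated on its own (no inheritance to subgroups)."""
from dataclasses import dataclass
from typing import FrozenSet

ANY_AUTHENTICATED_USER = "ANY_AUTHENTICATED_USER"

# Constructed permission names standing in for the operations on the slide.
PERMISSIONS = ("list_members", "add_member", "create_subgroup",
               "manage_attributes", "manage_requests")


@dataclass(frozen=True)
class Requester:
    """The caller: the (DN, CA) of its certificate and the FQANs it holds."""
    dn: str
    ca: str
    fqans: FrozenSet[str]


@dataclass(frozen=True)
class AclEntry:
    """A (Context, Principal, Permission) triple. The context is a FQAN; the
    principal is a (DN, CA) tuple, a FQAN string, or ANY_AUTHENTICATED_USER."""
    context: str
    principal: object
    permission: str


def principal_matches(principal, requester):
    if principal == ANY_AUTHENTICATED_USER:
        return True                           # anyone with a valid certificate
    if isinstance(principal, tuple):
        return principal == (requester.dn, requester.ca)   # both must match
    return principal in requester.fqans       # FQAN principal: caller holds it


def is_authorized(acl, requester, context, permission):
    """True if an entry for exactly this context grants the permission to a
    principal the requester satisfies. No matching entry means deny."""
    return any(entry.context == context
               and entry.permission == permission
               and principal_matches(entry.principal, requester)
               for entry in acl)


def visible_actions(acl, requester, context):
    """What an ACL-aware UI shows for a context: only the actions the caller
    is allowed to execute there."""
    return [p for p in PERMISSIONS if is_authorized(acl, requester, context, p)]


# Constructed sample ACL for the infngrid VO.
INFN_CA = "/C=IT/O=INFN/CN=INFN CA"
VO_ADMIN = "/infngrid/Role=VO-Admin"
SAMPLE_ACL = [
    AclEntry("/infngrid", VO_ADMIN, "add_member"),
    AclEntry("/infngrid", VO_ADMIN, "create_subgroup"),
    AclEntry("/infngrid", VO_ADMIN, "manage_requests"),
    AclEntry("/infngrid", ANY_AUTHENTICATED_USER, "list_members"),
    AclEntry("/infngrid/TEST", "/infngrid/TEST/Role=SoftwareManager", "manage_attributes"),
    AclEntry("/infngrid/TEST", ("/C=IT/O=INFN/CN=Service Operator", INFN_CA), "add_member"),
]

ADMIN = Requester("/C=IT/O=INFN/CN=Alice Admin", INFN_CA,
                  frozenset({"/infngrid", VO_ADMIN}))
SW_MANAGER = Requester("/C=IT/O=INFN/CN=Bob Builder", INFN_CA,
                       frozenset({"/infngrid", "/infngrid/TEST",
                                  "/infngrid/TEST/Role=SoftwareManager"}))
OPERATOR = Requester("/C=IT/O=INFN/CN=Service Operator", INFN_CA, frozenset({"/infngrid"}))
# Same DN as the operator but issued by a different CA: the (DN, CA) couple does not match.
IMPOSTOR = Requester("/C=IT/O=INFN/CN=Service Operator", "/C=XX/CN=Other CA", frozenset())
VISITOR = Requester("/C=IT/O=INFN/CN=Carol Visitor", INFN_CA, frozenset())


if __name__ == "__main__":
    for who, r in [("admin", ADMIN), ("sw manager", SW_MANAGER), ("operator", OPERATOR),
                   ("impostor", IMPOSTOR), ("visitor", VISITOR)]:
        print(f"{who:11s} /infngrid: {visible_actions(SAMPLE_ACL, r, '/infngrid')}"
              f"  /infngrid/TEST: {visible_actions(SAMPLE_ACL, r, '/infngrid/TEST')}")
```

Two points worth noticing: a (DN, CA) principal is matched as a pair, so a certificate with the same subject from a different CA is not the same principal; and the UI's menu is derived from the same `is_authorized` decision that guards execution, so hiding a button never substitutes for the check.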

  24. Conclusions
     • The Virtual Organization Membership Service is
       – an Attribute Authority (AA) that issues attributes (in the form of signed assertions) expressing membership information of a subject in the context of a Virtual Organization (VO)
       – a VO management service
       – a VO registration service
       – a source of trust for authorization
       – a robust and widely deployed solution for attribute-based authorization in Grid middleware

  25. Questions?
