A VOMS overview (PowerPoint presentation), Andrea Ceccanti (on behalf of the VOMS team)


  1. A VOMS overview
     Andrea Ceccanti (on behalf of the VOMS team)
     NRENS and Grids Workshop, Malaga, 29-30/11/07
     www.eu-egee.org
     Enabling Grids for E-sciencE. EGEE-II INFSO-RI-031688. EGEE and gLite are registered trademarks.

  2. Outline
     • AAI in Grids
     • What’s VOMS?
     • What’s VOMS-Admin?

  3. AAI in Grids
     Security infrastructure based on X.509 certificates (PKI)
     Authentication
     – Needs “trusted third parties”, i.e. Certificate Authorities (CAs)
     – Users identified with “identity” certificates signed by CAs
     – Delegation & single sign-on via proxy certificates
     Authorization
     – Several entities involved
       ◦ resource providers (e.g., computer centers, storage providers, ...)
       ◦ Virtual Organizations (e.g., LHC experiment collaborations)
     – Authorization cannot be decided on a local site basis only
       ◦ it must reflect the service level agreements settled between VOs and resource providers
     – VOs administer user membership (groups, roles, ...)
     – RPs evaluate the attributes granted by VOs to their users and map them to the local credentials used to access resources

  4. VO Membership Service
     • Virtual Organization Membership Service
       – an Attribute Authority (AA) that issues attributes (in the form of signed assertions) expressing membership information of a subject in the context of a Virtual Organization (VO)
       – a VO management service
       – a VO registration service
       – a source of trust for authorization
     • Extends the X.509 AAI with attributes related to the VO structure
       – so that access to resources can be authorized accordingly!

  5. VOMS Attributes
     • Reflect the structure of a VO
       – Group membership
         ◦ A VO member may be part of several VO groups
         ◦ Example: /atlas/production, /atlas/analysis
       – Role assignment
         ◦ A VO member may be assigned roles
         ◦ Example: /atlas/production/Role=SoftwareManager
       – Generic attributes
         ◦ (Name, Value) pairs that can be associated with a VO membership
         ◦ Example: cern_afs_account = ceccanti

  6. Obtaining VOMS attributes
     How does a user get his VOMS attributes?
     • Preconditions:
       – The user must have an X.509 certificate signed by a trusted CA
       – The user must be registered in a VOMS server as a member of a VO
     • The user contacts the VOMS server for his VO using a command line client (voms-proxy-init) or the VOMS APIs
     • A proxy certificate is created containing the user’s VO membership information
       – In particular, VOMS creates a signed Attribute Certificate (AC) containing this information, which is then packed into the proxy certificate
     • The proxy certificate is used to authenticate and authorize the user at remote services

  7. VOMS Interaction (figure only)

  8. VOMS ACs
     • AC as defined by RFC 3281
       – VOMS OID: 1.3.6.1.4.1.8005.100.100
       – To prevent the stealing of VOMS ACs, and as further security measures:
         ◦ the DN of the Attribute Holder is linked into the AC
         ◦ the Serial Number of the User Certificate is linked into the AC
         ◦ ACs have their own validity period
       – ACs are signed by the private key of the VOMS server host certificate
     • VOMS attributes are listed as FQANs in the AC
       – FQAN: Fully Qualified Attribute Name
       – Example: /cms/Higgs/Role=cmsprod

  9. FQAN: Group membership
     • Group structuring is expressed using this syntax
       – /<root group>/<subgroup>/…/<subgroup>
     • <root group> MUST be the name of the Virtual Organization
     • Group membership is compulsory and cannot be denied
     • A member of a subgroup MUST be a member of the parent (sub)group
       /example_vo/group
       /example_vo/group/subgroup
       /example_vo/group/subgroup/subsubgroup

  10. FQAN: Role assignment
     • Roles are optional
       – a user requests which roles he wants in his AC at voms-proxy-init time
     • Ownership of a role is always associated with membership in a group
       – i.e., the user that gets the Role MUST also be a member of the group in which the Role is assigned
     • FQAN syntax:
       – <group name>/Role=<role name>
       /infngrid/Role=VO-Admin
       /infngrid/TEST/Role=SoftwareManager
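The FQAN rules of slides 9 and 10 (root group is the VO, subgroup membership implies the parent groups, a Role only inside a group the user belongs to) as an added Python illustration; this is not VOMS code, and `may_include`, its argument names and the sample FQANs in the comments are assumptions made here:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example, not VOMS code: parse FQANs of the forms shown on the slides
# (/vo/group/subgroup and <group>/Role=<role>) and apply the stated rules.
_FQAN = re.compile(r"^(/[\w.-]+(?:/[\w.-]+)*)(?:/Role=([\w.-]+))?$")

@dataclass(frozen=True)
class Fqan:
    group: str             # e.g. "/atlas/production"
    role: Optional[str]    # e.g. "SoftwareManager"; None for a plain group FQAN

    @property
    def vo(self) -> str:
        return self.group.split("/")[1]

    def groups_held(self) -> List[str]:
        """All groups implied by this membership, from the VO root down to the group itself."""
        parts = self.group.split("/")[1:]
        return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def parse_fqan(text: str, vo: str) -> Fqan:
    m = _FQAN.match(text)
    if not m:
        raise ValueError(f"malformed FQAN: {text!r}")
    fqan = Fqan(group=m.group(1), role=m.group(2))
    if fqan.vo != vo:   # the root group MUST be the VO name
        raise ValueError(f"root group {fqan.vo!r} is not the VO {vo!r}")
    return fqan

def effective_groups(vo: str, memberships: Set[str]) -> Set[str]:
    """Expand direct group memberships with the parent groups they imply."""
    held: Set[str] = set()
    for g in memberships:
        held.update(parse_fqan(g, vo).groups_held())
    return held

def may_include(requested: str, vo: str, memberships: Set[str],
                roles: Set[Tuple[str, str]]) -> bool:
    """Whether a FQAN requested at voms-proxy-init time may be placed in the user's AC.
    `roles` holds the (group, role) pairs the VO administrators assigned to the user."""
    fqan = parse_fqan(requested, vo)
    if fqan.group not in effective_groups(vo, memberships):
        return False          # group membership is the precondition for everything
    return fqan.role is None or (fqan.group, fqan.role) in roles
```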

  11. Generic attributes
     • These are (Name, Value) pairs that can be embedded into the AC
     • Useful to attach other kinds of trusted information to a VO membership
       – e.g., embed Shibboleth attributes inside VOMS ACs

  12. Verifying VOMS ACs
     • In order to verify ACs, the certificate that was used to sign them (usually the VOMS server host certificate) must be available where verification takes place
     • VOMS currently implements a transparent certificate distribution mechanism
       – the AA certificate is embedded in the AC, so that clients can use it to verify the AC itself
     • Historically (i.e., in the current production grid :)) VOMS server certificates were distributed as RPMs (like CA RPMs)
       – Difficulties in the management of timely renewal/redistribution of new server certificates
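The checks a resource provider applies to an AC before acting on its FQANs, covering the holder/serial/validity bindings of slide 8 and the trusted-issuer point of slide 12, as an added Python illustration (not VOMS code). The signature verification with the AA certificate, and the check that an embedded AA certificate chains to a trusted CA, are assumed to be done by the X.509 layer and enter only as `signature_valid`; all DNs, serials and dates are constructed samples:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Tuple

# Added illustration, not VOMS code: the binding checks a resource provider runs
# on an AC (slide 8). The cryptographic signature check over the AC, and the
# validation of an embedded AA certificate (slide 12), are assumed to happen in
# the X.509 layer and are passed in as `signature_valid`.

@dataclass(frozen=True)
class AttributeCertificate:
    holder_dn: str           # DN of the attribute holder, linked into the AC
    holder_serial: int       # serial number of the holder's identity certificate
    issuer_dn: str           # DN of the VOMS server host certificate that signed the AC
    not_before: datetime     # the AC's own validity period, independent of the proxy's
    not_after: datetime
    fqans: Tuple[str, ...]

def check_ac_binding(ac: AttributeCertificate, presented_dn: str, presented_serial: int,
                     trusted_aa_dns: FrozenSet[str], signature_valid: bool,
                     now: datetime) -> List[str]:
    """Return the reasons to reject the AC; an empty list means its FQANs may be used."""
    problems: List[str] = []
    if not signature_valid:
        problems.append("signature does not verify with the AA certificate")
    if ac.issuer_dn not in trusted_aa_dns:
        # an embedded AA certificate is not trusted just because it is embedded
        problems.append(f"issuer {ac.issuer_dn!r} is not a known VOMS server")
    if ac.holder_dn != presented_dn:
        # an AC lifted from someone else's proxy fails here
        problems.append("holder DN differs from the authenticated identity")
    if ac.holder_serial != presented_serial:
        # an AC issued against an earlier (e.g. renewed) identity certificate fails here
        problems.append("holder serial differs from the presented identity certificate")
    if not (ac.not_before <= now <= ac.not_after):
        problems.append("outside the AC's validity period")
    return problems

# Constructed sample data (not real identities or servers).
NOW = datetime(2007, 11, 29, 12, 0, tzinfo=timezone.utc)
TRUSTED_AA = frozenset({"/C=XX/O=Example/CN=voms.example.org"})
SAMPLE_AC = AttributeCertificate(
    holder_dn="/C=XX/O=Example/CN=Sample User", holder_serial=4711,
    issuer_dn="/C=XX/O=Example/CN=voms.example.org",
    not_before=datetime(2007, 11, 29, 0, 0, tzinfo=timezone.utc),
    not_after=datetime(2007, 11, 30, 0, 0, tzinfo=timezone.utc),
    fqans=("/cms", "/cms/Higgs/Role=cmsprod"))
```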

  13. VOMS SAML interface
     • VOMS is currently being extended to encode VOMS attributes as SAML Attribute Assertions
       – Better interoperability with the Web Services world
     • This is complementary to the “traditional” VOMS service
       – i.e., the same VOMS server will be able to issue X.509 ACs AND SAML assertions describing the same VO membership

  14. VOMS Architecture (figure only)

  15. VOMS Management and Registration services (VOMS-Admin)

  16. What’s VOMS-Admin
     • A J2EE web application that
       – manages the contents of the VOMS database
       – provides registration services
     • Used by VO Administrators mainly to
       – add/remove users to/from the VO
       – put them in VOMS groups
       – assign VOMS roles to them
       – manage generic attributes
     • Provides a WSDL interface to its functions
     • Implements a flexible AuthZ framework
       – on top of HTTPS

  17. VO Registration service (figure only)

  18. Manage subscriptions
     • VO-Admins are notified by mail of users’ registration requests and can then approve (or reject) them

  19. VOMS-Admin web UI (figure only)

  20. Manage user membership (figure only)

  21. VOMS-Admin AuthZ framework
     • All operations on VOMS-Admin are authorized via ACLs
     • ACLs are (Context, Principal, Permission) triples
       – The Context is a FQAN
       – The Principal is either
         ◦ a (DN, CA) couple (i.e., an X.509 certificate)
         ◦ a FQAN
         ◦ ANY_AUTHENTICATED_USER
       – The Permission states what the principal can do in the Context
         ◦ List/Add members to a Group/Role
         ◦ Create subgroups
         ◦ Manage attributes
         ◦ Manage requests/subscriptions pertaining to groups/roles
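An added Python model of the (Context, Principal, Permission) triples above and of the lookup that decides whether an operation is allowed; this is not VOMS-Admin's own code. The permission names, the sample DNs and the rule that an entry applies only to exactly its context FQAN are assumptions made here:

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple, Union

# Added example, not VOMS-Admin code: ACL entries as (Context, Principal, Permission)
# triples and the check that authorizes one operation. Assumption: an entry applies
# only to exactly its context FQAN (no inheritance to subgroups is modelled).
ANY_AUTHENTICATED_USER = "ANY_AUTHENTICATED_USER"
Principal = Union[Tuple[str, str], str]   # (DN, CA) couple, a FQAN, or ANY_AUTHENTICATED_USER

@dataclass(frozen=True)
class AclEntry:
    context: str                 # a FQAN, e.g. "/infngrid/TEST"
    principal: Principal
    permissions: FrozenSet[str]  # permission names are constructed for this example

@dataclass(frozen=True)
class Requester:
    dn: str
    ca: str
    fqans: FrozenSet[str]        # FQANs carried in the requester's VOMS AC

def principal_matches(principal: Principal, who: Requester) -> bool:
    if principal == ANY_AUTHENTICATED_USER:
        return True                              # any client with a valid certificate
    if isinstance(principal, tuple):
        return principal == (who.dn, who.ca)     # exact (DN, CA) couple
    return principal in who.fqans                # group or role FQAN held by the requester

def permissions_in(acl: Iterable[AclEntry], who: Requester, context: str) -> Set[str]:
    """Union of the permissions every matching entry grants `who` in `context`."""
    return {p for e in acl if e.context == context and principal_matches(e.principal, who)
            for p in e.permissions}

def authorized(acl: Iterable[AclEntry], who: Requester, context: str, permission: str) -> bool:
    return permission in permissions_in(acl, who, context)

# Constructed sample ACL: VO-Admins manage everything in /infngrid/TEST, one named
# certificate may list and add members, anybody authenticated may only list them.
SAMPLE_ACL = (
    AclEntry("/infngrid/TEST", "/infngrid/Role=VO-Admin",
             frozenset({"LIST_MEMBERS", "ADD_MEMBER", "CREATE_SUBGROUP", "MANAGE_ATTRIBUTES"})),
    AclEntry("/infngrid/TEST", ("/C=XX/O=Example/CN=Test Manager", "/C=XX/O=Example/CN=Example CA"),
             frozenset({"LIST_MEMBERS", "ADD_MEMBER"})),
    AclEntry("/infngrid/TEST", ANY_AUTHENTICATED_USER, frozenset({"LIST_MEMBERS"})),
)
```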

  22. VOMS-Admin ACLs (figure only)

  23. Web UI and ACLs
     • The web interface is ACL aware
       – only authorized actions are shown and can be executed

  24. Conclusions
     • The Virtual Organization Membership Service is
       – an Attribute Authority (AA) that issues attributes (in the form of signed assertions) expressing membership information of a subject in the context of a Virtual Organization (VO)
       – a VO management service
       – a VO registration service
       – a source of trust for authorization
       – a robust and widely deployed solution for attribute-based authorization in Grid middlewares

  25. Questions?
