toward svopme a scalable virtual organization
play

Toward SVOPME: A Scalable Virtual Organization Privileges Management - PowerPoint PPT Presentation

Jul 05, 2023 •630 likes •861 views

Toward SVOPME: A Scalable Virtual Organization Privileges Management Environment Nanbor Wang <nanbor@txcorp.com> Gabriele Garzoglio <garzoglio@fnal.gov> Balamurali Ananthan <bala@txcorp.com> Steven Timm <timm@fnal.gov> Tanya

  1. Toward SVOPME: A Scalable Virtual Organization Privileges Management Environment Nanbor Wang <nanbor@txcorp.com> Gabriele Garzoglio <garzoglio@fnal.gov> Balamurali Ananthan <bala@txcorp.com> Steven Timm <timm@fnal.gov> Tanya Levshina <levshin@fnal.gov> Tech-X Corporation Fermi National Accelerator Laboratory ISGC 2010, Taipei, Taiwan March 11, 2010 Funded by US DOE OASCR Grant #DE-FG02-07ER84733

  2. Outlines • Project overview – What SVOPME tries to address • Architecture and implementations • Outlook and planning ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 2/23

  3. What are VO Privileges? Grid Sites: Virtual Organizations: VOs use resources • Grid sites provide resources • • VOs wish to define usage policies Grid sites may want to provide • for various resources for different different services to different VOs users within the VOs – Example 3: site X has a special – Example 1: Production team agreement with VO Y; therefore, members submit jobs with higher jobs from VO Y might have priority higher priority than others – Example 2: Software team • Grid sites help VOs to enforce members can write to disk area for software installations their usage policies by managing VOs define user privileges at • user privileges different resources to comply with • Grid sites don’t define VOs’ the expressed usage policies usage policies However, VOs do not manage/ • configure all Grid sites Site and VO Challenge: Enforcing heterogeneous VO privileges on multiple Grid sites to provide uniform VO Policies across the Grid (ad hoc solution: verbal communication) ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 3/23

  4. Motivations of SVOPME Address scalability • With the growth in Grid usage, both the numbers of VOs and USATLAS CMS STAR … Grid-sites increase • Serious scalability problems in propagating VO privilege CompBioGrid Fermilab policies • SVOPME: LIGO SDSS iVDGL – Provide the tools and infrastructure to help • VOs express their policies • Sites support a VO – Reuse proven administrative solutions – we adopt FERMIGRID CMS-T2 ASGC common system configuration patterns GPFARM STAR-BNL currently in use in major grid sites UC-ATLAS LIGO-MIT UCSDT2 ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 4/23

  5. Modern User Privilege Management • Moving away from the use of gridmap files to VOMS/GUMS role-based privilege management – Eliminate the need for multiple user certificates – Similar trend can be observed in EGEE (LCAS/LCMAPS + SCAS and VOMS) • Managing requests priority for both SE The OSG Authorization Infrastructure and CE ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 5/23

  6. SVOPME Helps VO’s Propagate Privilege Policies to Grid Sites • SVOPME aims to replace Site Privilege the verbal interaction Policies Propagate VO Privilege between VO and site Policies Verify Site admin’s with automated Configurations workflows • VO’s intended privilege SVOPME policies are clearly defined Concept – Using eXtensible Access Diagram Configuration Control Markup Language Recommendations (XACML) • Site’s actual policies can be – No ambiguity verified – Allow programmatic • SVOPME provides verification of policies – XACML is also used by recommendations to site AuthZ Interoperability configurations for better VO project supports ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 6/23

  7. Survey of Resources and Policies Managed on the Grid • Resources • Policies expressed by the VO – OS protection (account types: – Account type group or pool) – Intra-VO relative priority in batch – Batch system system – File system – Job pre-emption (Consecutive – External storage (SRM/dCache) execution period) – Network access (inbound/ – Directory access (group privacy) outbound) permissions – Edge services • Policies expressed by the Site – Two roles to share the same GID – Timed availability (execution – Suspension/resumption of jobs time slots for certain VO users) – User file privacy – Repeat execution (Allowing restart • Policies expressed by both or not in batch system) ? – Disk quota – File retention period – Network (inbound/outbound) Highlighted policies are supported access control ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 7/23

  8. SVOPME Architecture SVOPME VO Privilege Creates/Edits Application Policy Editor XACML XACML VO XACML VO Document Privilege Policies Requests Uses VO Text VO Administrator Document Grid Site Uses Policy XACML Effective Uses Synthesizes Grid Probe Comparer Site Access Policies Policy Crawls Advisor Generates Computing Compliance Suggested Storage Elements Report Site Administrator Changes Elements Applies ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 8/23

  9. SVOPME VO Tools VOMS Server VOMS Uses Retrieves VO Groups/Roles Client VO Privilege Creates/Edits Policy Editor XACML VO XACML VO Privilege Policies Requests Uses VO Administrator Reads Comparer Request Creates Uses Time-stamped Client Archiver Latest Zip Archieves VO Published via Invokes VO HTTP Grid site comparer service Server ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 9/23

  10. XACML VO Policy Editor (Domain Specific) • XACML is – An XML-based language for specifying access control policies – Suitable for machine processing (deciding permissions on actions) – Way too generic to reason an arbitrary policy • SVOPME – Takes a domain specific approach – Defines a set of “profiles” of meta-policies – Each meta-policy defines a type of policy VO can define – For example: Account Mapping Policy - Group X should run with pool account • The VOMS client obtains information about all the Group/Role and the number of users from the VOMS server on VO editor’s behave. • Support for new policy types can be added as “Policy Template” plug-in’s • VO Administrator can create and edit a set of policies • Reject redundant and contradicting policies – (will leverage Model checking Grid Policies by Mine and JeeHyun) ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 10/23

  11. VO Policy Editor Screenshot ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 11/23

  12. VO Policy Data Management • The Editor stores the policies and verification requests under predefined directories • Request Archiver collects and zips up verification requests into time-stamped zip files – Can be used by sites to examine their compliance – Time-stamped request zip archives are made available to site via a simple web page – Sites can scan the page and determine the latest version • VO admins and users can use Comparer Client to contact and check a site’s support to VO policies ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 12/23

  13. Mechanism for Synthesizing Grid Site Privilege Policies Grid Probe Intermediate XACML Effective Synthesizes Policy Builder Config Info Site Access Policies Disk Quota Probe • “Grid Probe” in a nutshell • Configuration checked – Policy building and configuration – Condor/GUMS config crawling functions are separated – Disk quota/directory permissions – Depending on the target privilege, different info is necessary: there • Policy Builder are multiple crawling executables – Parses the intermediate – Invoked by different cron tasks configuration info with diff privileges – Synthesizes the effective – Dump the info as simple text files privilege policies of a site at a specific directory into XACML policies – Allow site-specific probes ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 13/23

  14. Analyzing Site Configurations • VO Request Retriever VO – Checks if the local VO HTTP verification requests is up-to- Server date Checks – Cache the new verification timestamp requests if needed XACML VO VO Request • Policy Comparer and Verification Requests Retriever Advisor Uses Policy XACML Effective – Test compliance by testing Uses Comparer Site Access Policies the verification requests one- Web Service Policy by-one Advisor – Since all requests and Generates policies are based on our Compliance Suggested XACML profiles, reports and Report Changes advises can be derived ISGC10– SVOPME: A Scalable Virtual Organization Privileges Management Environment 14/23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Design and Application of a Scalable Virtual Organization Privileges Management Environment Nanbor

Design and Application of a Scalable Virtual Organization Privileges Management Environment Nanbor

Design and Application of a Scalable Virtual Organization Privileges Management Environment Nanbor Wang &lt;nanbor@txcorp.com&gt; Gabriele Garzoglio &lt;garzoglio@fnal.gov&gt; Balamurali Ananthan &lt;bala@txcorp.com&gt; Steven Timm

460 views • 23 slides
1 Everyone Has a Why The Rise of a Virtual Workplace Going Virtual About 30 million

1 Everyone Has a Why The Rise of a Virtual Workplace Going Virtual About 30 million

1 Everyone Has a Why The Rise of a Virtual Workplace Going Virtual About 30 million Americans work from home. Virtual. Remote. Distributed. This style of organization is becoming more common among many industries including web shops

926 views • 49 slides
ECE232: Hardware Organization and Design Lecture 28: More Virtual Memory Adapted from Computer

ECE232: Hardware Organization and Design Lecture 28: More Virtual Memory Adapted from Computer

ECE232: Hardware Organization and Design Lecture 28: More Virtual Memory Adapted from Computer Organization and Design , Patterson &amp; Hennessy, UCB Overview Virtual memory used to protect applications from each other Portions of

273 views • 13 slides
An Adaptive Technique to Model Virtual Machine Behavior for Scalable Cloud Monitoring C. Canali

An Adaptive Technique to Model Virtual Machine Behavior for Scalable Cloud Monitoring C. Canali

An Adaptive Technique to Model Virtual Machine Behavior for Scalable Cloud Monitoring C. Canali R. Lancellotti University of Modena and Reggio Emilia Department of Engineering Enzo Ferrari ISCC'14, 24-26 Jun. 2014, Madeira 1

714 views • 17 slides
Scalable Virtual Ray Lights Rendering for Participating Media Nicolas Vibert Adrien Gruson

Scalable Virtual Ray Lights Rendering for Participating Media Nicolas Vibert Adrien Gruson

Scalable Virtual Ray Lights Rendering for Participating Media Nicolas Vibert Adrien Gruson Heine Stokholm Troels Mortensen Wojciech Jarosz Toshiya Hachisuka Derek Nowrouzezahrai McGill University Luxion VIA University College

767 views • 48 slides
Virtual Embodiment: A Scalable Long-Term Strategy for Artificial Intelligence Research Douwe Kiela

Virtual Embodiment: A Scalable Long-Term Strategy for Artificial Intelligence Research Douwe Kiela

Virtual Embodiment: A Scalable Long-Term Strategy for Artificial Intelligence Research Douwe Kiela 1 , Luana Bulat 2 , Anita L. Vero 2 , Stephen Clark 2 , 3 1 Facebook AI Research 2 University of Cambridge 3 Google DeepMind dkiela@fb.com

425 views • 13 slides
The Threat Of Our Virtual Reality: October 7, 2020 Protecting your organization against the wave

The Threat Of Our Virtual Reality: October 7, 2020 Protecting your organization against the wave

Blake, Cassels &amp; Graydon LLP | blakes.com The Threat Of Our Virtual Reality: October 7, 2020 Protecting your organization against the wave of cyber attacks ACC Ontario Chapter www.acc.com ROBERT TREMBLAY Presenters Legal Counsel,

574 views • 30 slides
DSC 102 Systems for Scalable Analytics Arun Kumar Topic 1: Computer Organization; Operating

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 1: Computer Organization; Operating

DSC 102 Systems for Scalable Analytics Arun Kumar Topic 1: Computer Organization; Operating Systems Ch. 1, 2.1-2.3, 2.12, 4.1, and 5.1-5.5 of CompOrg Book Ch. 2, 4.1-4.2, 6, 7, 13, 14.1, 18.1, 21, 22, 26, 36, 37, 39, and 40.1-40.2 of Comet

1.56k views • 100 slides
France-Asia France-Asia Virtual Organization Virtual Organization Current status Current status

France-Asia France-Asia Virtual Organization Virtual Organization Current status Current status

France-Asia France-Asia Virtual Organization Virtual Organization Current status Current status Yonny CARDENAS Yonny CARDENAS VO-Manager VO-Manager FJPPL Workshop FJPPL Workshop CC-IN2P3, Lyon, March 13, 2012 CC-IN2P3, Lyon, March 13,

407 views • 15 slides
International Virtual Observatory Alliance The Standards Organization for Data Interoperability

International Virtual Observatory Alliance The Standards Organization for Data Interoperability

International Virtual Observatory Alliance The Standards Organization for Data Interoperability in Astronomy G. Fabbiano Senior Astrophysicist, Smithsonian Astrophysical Observatory Head, Data Systems Division, Chandra X-ray Center Chair of

394 views • 25 slides
SCALABLE EARTH OBSERVATION ANALYTICS WITH SCIDB Marius Appel marius.appel@uni-muenster.de EO

SCALABLE EARTH OBSERVATION ANALYTICS WITH SCIDB Marius Appel marius.appel@uni-muenster.de EO

SCALABLE EARTH OBSERVATION ANALYTICS WITH SCIDB Marius Appel marius.appel@uni-muenster.de EO DATA ORGANIZATION LANDSAT 8 2 2 EO DATA ORGANIZATION SENTINEL 2 3 3 EO DATA ORGANIZATION SENTINEL 2 4 4 EO DATA ORGANIZATION SENTINEL 2 5

247 views • 23 slides
Computer Organization &amp; Assembly Language Programming (CSE 2312) Lecture 24: Virtual Memory

Computer Organization &amp; Assembly Language Programming (CSE 2312) Lecture 24: Virtual Memory

Computer Organization &amp; Assembly Language Programming (CSE 2312) Lecture 24: Virtual Memory and Dependable Memory Taylor Johnson Announcements and Outline Programming assignment 2 assigned, due 11/13 (tonight) by midnight Finish

2.43k views • 164 slides
Virtual Memory CS 3410 Computer System Organization &amp; Programming [K. Bala, A. Bracy, E.

Virtual Memory CS 3410 Computer System Organization &amp; Programming [K. Bala, A. Bracy, E.

Virtual Memory CS 3410 Computer System Organization &amp; Programming [K. Bala, A. Bracy, E. Sirer, and H. Weatherspoon] Click any letter let me know youre here today. Instead of a DJ Clicker Question today, please take a minute to think

856 views • 37 slides
CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization and country in the chat Function: Example: Peter Pan, Office of the Auditor General, Never Never Land Please use the chat function to communicate

373 views • 34 slides
Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
Scalable String Matching on the Scalable String Matching on the Scalable String Matching on the

Scalable String Matching on the Scalable String Matching on the Scalable String Matching on the

Scalable String Matching on the Scalable String Matching on the Scalable String Matching on the Cell BE Processor BE Processor Cell Cell BE Processor Daniele Scarpazza, Oreste Villa, Fabrizio Petrini Applied Computer Science Group Pacific

408 views • 21 slides
CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 03: File System &amp; FUSE Rahmat M.

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 03: File System &amp; FUSE Rahmat M.

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 03: File System &amp; FUSE Rahmat M. Samik-Ibrahim (ed.) University of Indonesia https://os.vlsm.org/ Always check for the latest revision! REV254 27-Oct-2020 Rahmat M.

933 views • 27 slides
Semantic Matching of Interaction Rules (Semantischer Abgleich von Interaktionsregeln) Thesis of

Semantic Matching of Interaction Rules (Semantischer Abgleich von Interaktionsregeln) Thesis of

Semantic Matching of Interaction Rules (Semantischer Abgleich von Interaktionsregeln) Thesis of Matthias Ferdinand 08.07.2002 Structuring Problem Situation Goals and Proceeding B2B E-Commerce with RosettaNet Semantic Web

378 views • 16 slides
Chapter 1 Introduction to Multimedia 1.1 What is Multimedia? 1.2 Multimedia and Hypermedia 1.3

Chapter 1 Introduction to Multimedia 1.1 What is Multimedia? 1.2 Multimedia and Hypermedia 1.3

Fundamentals of Multimedia, Chapter 1 Chapter 1 Introduction to Multimedia 1.1 What is Multimedia? 1.2 Multimedia and Hypermedia 1.3 World Wide Web 1.4 Overview of Multimedia Software Tools 1.5 Further Exploration 1 Li &amp; Drew c

388 views • 18 slides
Mobile Web Services T-110.456 Next Generation Cellular Networks 13.04.2005 Yrj Raivio 28916V

Mobile Web Services T-110.456 Next Generation Cellular Networks 13.04.2005 Yrj Raivio 28916V

Mobile Web Services T-110.456 Next Generation Cellular Networks 13.04.2005 Yrj Raivio 28916V T-110.456 Next Generation Cellular Networks/13.04.2005/YR Contents Motivation Standardization bodies Web Services Interoperability

537 views • 20 slides
Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics WWW HTTP: Hyper Text Transfer Protocol HTTP Security HTML Protocol HTML Security

1.09k views • 74 slides
XML and Databases Chapter 1: XML Syntax Prof. Dr. Stefan Brass Martin-Luther-Universit at

XML and Databases Chapter 1: XML Syntax Prof. Dr. Stefan Brass Martin-Luther-Universit at

Introduction XML Documents DTDs DOCTYPE Decl. XML and Databases Chapter 1: XML Syntax Prof. Dr. Stefan Brass Martin-Luther-Universit at Halle-Wittenberg Winter 2019/20 http://www.informatik.uni-halle.de/brass/xml19/ Stefan Brass: XML

1.16k views • 87 slides
L11 June 30, 2017 1 Lecture 11: Interacting with the filesystem CSCI 1360E: Foundations for

L11 June 30, 2017 1 Lecture 11: Interacting with the filesystem CSCI 1360E: Foundations for

L11 June 30, 2017 1 Lecture 11: Interacting with the filesystem CSCI 1360E: Foundations for Informatics and Analytics 1.1 Overview and Objectives So far, all the data weve worked with have either been manually instantiated as NumPy arrays

308 views • 9 slides
Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a free and open-source content management system based on PHP and MySQL. It uses a plugin architecture and a template system. It is most

367 views • 17 slides

More recommend