Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

VO Support and directions in OMII-UK Steven Newhouse, Director

advertisement 
VO Support and
directions in OMII-UK
Steven Newhouse, Director
Our Mission…
OMII-UK aims to provide software and
support to enable a sustained future for
the UK e-Science community and its
international collaborators
•Promote the use of good-quality open-source software
•Reduce the risk of moving to new e-infrastructure world
•Recognise distinct user communities: by domain and function
©
2
Primary Concerns



Standards driven
Need to interoperate
Recognise distinct requirements





End-user
Developer
Service Provider
Need to federate across multiple containers
Provide infrastructures that are usable
©
3
OMII-UK Job Authorisation

OMII 1.x: Application execution from GRIA






Defined model enforced by PBAC
PBAC: Process Based Application Control
User registration & account (quota) creation
Resource allocation for compute and data
Data in  Application execution  Data out.
Application needs to be installed on the machine
©
4
OMII-UK Job Authorisation

OMII 2.x: GridSAM




GridSAM: Job Submission and Job Monitoring
Uses JSDL to define the ‘job’
Various back end environments ‘DRMConnector’
Service specific Authorisation


gridmap like
Connector specific Authorisation
©
6
Within OMII 3.x

Within a web service hosting environment


Primarily Authentication through WS-Security




Tomcat, Axis, WSS4J (WS-Security)
Digital Signature on a signed message
Signature MUST be signed by a certificate
from a known CA
Authentication data available to the service
Outgoing message signed
©
7
Need to do better…

An Authorisation policy that can be applied across
consistently across all services



A solution that can be reused:



Within a hosting environment
A network of hosting environments (e.g. VO)
Apply policy for portlet access
Service specific policies:
 Data tables within a database
 Queues or processor/memory limits within a job
Standards driven
©
8
Current Prototype
PEP
PEP = Policy Enforcement Point
TestService
PEP
OpenSAML
AXIS Handlers
WS
Request/
Response
Due April 07 - OMII 3.4.0
OMIIAuthz
PERMIS
LDAP
PERMIS
Management
GUIs
WS Container


PERMIS: Generate Attribute Certs & Policy
Authz Service: SAML 1.1 Assertion port type
©
9
But what is a VO?

About roles, responsibilities and relationships



End-users:


Dynamic & flexible policy around their needs
Resource Providers:


Binding: Contractual
Non-Binding: Best-effort
Focus on users or VOs or real organisations?
Usability:

Critical need for tooling and integration into software
©
10
OMII-UK Users
Users
Applied
Research
Domain
Casual User
(Novice
or
Infrequent)
Intensive User
(Expert
or
Focused)
Applied e-Researchers
Applied
e-Researchers
Technologists
Assemblers
Builders
of domain
of domain
Components/ Components/
Services/Tools Services/Tools
Assemblers
of generic
Components/
Services/Tools
Providers
Builders
of generic
Components/
Services/Tools
Technology Specialists
Technology Specialists
(domain & generic)
©
VO
Managers
Resource
Owners
Helpdesk &
Training
System
Administrators
e-Infrastructure Providers
e-Infrastructure
Providers
11
Emerging Need:
Dynamic Service Authorisation

On job creation create a job specific policy



Steven’s job – he can manipulate & delete it
But, the administrator can also delete it.
But Steven may also want to allow June to be
able to manipulate the job


Provide an interface to manipulate policies
Fine grained dynamic delegation
©
12
Other gaps in AAA…

The third ‘A’ – Accounting





Looking at RUS & UR options
Account (quota) solution from GRIA
Applying for an account (e.g. GAMA, PURSe)
The silent ‘A’ – Audit
Attribute Management


VOMS
Standards?
©
13
Summary



Mange authorisation policies across services
Accounting (use against quota) is important
Pick up on existing standards & tools




OMII-UK currently a non-GSI world


Authorisation infrastructure
User registration & account generation
Think about the stakeholders in the system
But out-of bound use through MyProxy
Emerging need for dynamic policies & VOs
©
14
Where next…

For further information, project lists, etc:




For further questions, support issues, etc:


Web: www.omii.ac.uk
Downloads: OMII 3.2.0 released last week.
Calls: Portlets & GridAPIs
Mail: support@omii.ac.uk
For me:

Mail: director@omii.ac.uk
©
15
Related documents
Accelerating the deployment and Research community: what are the
Accelerating the deployment and Research community: what are the
Open Source/Open development Present: Steve Brewer (scribe), Steve Lee
Open Source/Open development Present: Steve Brewer (scribe), Steve Lee
Providing Security in e-Infrastructure to Meet the Needs of e-Research
Providing Security in e-Infrastructure to Meet the Needs of e-Research
Externally Funded Research Post Authorisation
Externally Funded Research Post Authorisation
Sunset clause: request for public health exemption from
Sunset clause: request for public health exemption from
Best practices for software development in research community
Best practices for software development in research community
OGSA-DAI Platform Dependencies Malcolm Atkinson
OGSA-DAI Platform Dependencies Malcolm Atkinson
Overview
Overview
GGF 16, February 2006, Athens Grid Forum Steering Group Meeting
GGF 16, February 2006, Athens Grid Forum Steering Group Meeting
OMII-UK collaborations workshop Exploiting and sustaining research code 30/04/2009
OMII-UK collaborations workshop Exploiting and sustaining research code 30/04/2009
Timesheet - Julia Wade Ltd
Timesheet - Julia Wade Ltd
Project Proposal Safety Authorisation form
Project Proposal Safety Authorisation form
Download
advertisement