Virtual Organization Management Registration Service (VOMRS) - PowerPoint PPT Presentation

Transcript and Presenter's Notes (presentation dated 2/17/2006)

1
Virtual Organization Management Registration
Service (VOMRS)
  • T. Levshina, J. Weigand, S. White
  • Co-Authors: L. Bauerdick, G. Carcassi, I. Fisk, A. Heavey,
    P. Mhashilkar, R. Pordes, A. Sill, D. Yocum

2
Talk Outline
  • VOMRS Scope
  • Place in the GRID World
  • Architecture
  • Main Features Overview
  • Since Last CHEP
  • Implementation and Distribution
  • Deployment
  • Dependencies and Issues
  • Summary

3
VOMRS Scope
  • VOMRS offers a comprehensive set of services that
    facilitates secure and authenticated management of
    VO membership, grid resource authorization and
    privileges. VOMRS
    • implements a registration workflow providing
      means for collaborators to register with a
      Virtual Organization (VO)
    • supports management of multiple grid certificates
      per member
    • permits VO-level control of a member's privileges
    • provides email notifications of selected events
    • supports VO-level control over its trusted set of
      Certificate Authorities (CAs)
    • permits delegation of responsibilities among the
      various VO administrators
    • manages groups and group roles
    • is capable of interfacing to third-party systems
      and pulling or pushing relevant member
      information from/to them

4
VOMRS Place in the GRID World
  [Diagram, recovered labels] A user registers with VOMRS,
  which passes membership/privileges to VOMS. The user gets a
  proxy from VOMS and submits a job to the Grid Cluster inside
  the Grid Facility; the Globus Gatekeeper and Job Manager make
  authorization callouts ("Is authorized?") to the Facility
  Authorization Management service (GUMS), which holds the
  membership/privileges it obtains from VOMS.
5
VOMRS Architecture
  [Diagram, recovered labels]
  • VOMRS Host: VOMRS Admin Service, Service Broker, VOMRS DB,
    gLite Trust Manager
  • Client Host: WEB CLIENT (HTTP/SSL authentication) and CLI
    (SOAP/SSL authentication)
  • gLite VOMS DB: accessed through the VOMS Admin API with GSI
    authentication
  • SAM DB Host: accessed through the SAM ADMIN API / CLI
  • ORGDB Host: accessed through the LCG ORGDB API
6
VOMRS Entities
  • Certificate Authorities
    • Allows management of the list of CAs accepted by
      the VO
    • Offers a consistent way of managing membership
      status for members whose certificates' CAs become
      obsolete or invalid
  • Groups and Group Roles
    • Supports a hierarchy of groups
    • Allows creation/deletion of group roles
    • Provides an interface to manage groups and group
      roles
  • Institutions and Sites
    • Provides an interface to manage Institutions and
      Sites
    • Requires member affiliation with an Institution,
      with an expiration date imposed on the affiliation
  • Personal Data Set
    • Supports real-time editing of the data set
      collected during registration
    • Distinguishes between private and public data,
      persistent and non-persistent data, etc.

7
VOMRS Administrators
  • Allows for delegation of responsibilities within
    the VO
  • VO Admin
    • responsible for maintaining the VOMRS. A VO Admin
      manages data pertaining to institutions, sites,
      CAs, members and privileges, and can modify the
      set of personal information required by the VO
  • Representative
    • responsible for approving/denying applicants'
      requests for VO membership based on personal
      knowledge of each individual applicant's identity
      and institutional affiliation
  • Group Owner and Group Manager
    • responsible for managing the group's membership.
      A Group Manager can create new subgroups and/or
      group roles
  • Site Admin and Local Resource Provider
    • able to access members' information

8
Membership Registration
  • In order to access VOMRS a user is required to
    have a valid certificate whose CA is recognized by
    the VO
  • Registration consists of two steps
    • During Phase I a new user
      • fills out personal information
      • selects a Representative
      • provides an email address
    • After receiving an email notification, the user
      proceeds to Phase II, and
      • signs the Usage Rules for the VO
      • selects group(s) and group role(s)
  • In order to become a VO member with grid resource
    privileges, the user's registration must be
    approved by the user's Representative or by a VO
    Admin.

9
WEB UI Example (Registration)
  [Screenshots of the Phase I and Phase II registration pages]
10
Notification Events
  • An event in VOMRS is any change to
    • a member's status/privileges, e.g.
      • a new administrative role is assigned
      • a certificate is suspended
      • a member is assigned to a group
    • the structure of the VO, e.g.
      • creation of a new group
      • expiration of a CA
      • addition of an institution
  • Events can trigger a call to an external system via
    a registered interface.
  • Some events require action to be taken by a VO
    member
    • a Representative is asked to approve/deny a
      registration
    • a member is asked to sign a new Usage Rules
      document
  • The events to which a member can subscribe depend
    upon the member's roles and membership status.

11
Membership and Certificate Statuses
  • Membership status
    • New
    • Approved
    • Denied
    • Suspended: the member is currently not in good
      standing in the VO
    • Expired: occurs when a new Usage Rules document
      must be signed, the member's validity period has
      expired, or the member's institutional
      affiliation has expired
  • Certificate status
    • New
    • Approved
    • Denied
    • Suspended: the certificate has somehow been
      compromised
    • Expired: indicates that the certificate's issuer
      (CA) does not currently have a valid certificate
  • These statuses are VOMRS bookkeeping, independent
    of the X.509 validity of the certificate itself;
    they affect grid resources only once propagated to
    VOMS (see Interfacing Third Party Software).
  • Multiple certificates per member
    • Each VO member has at least one registered
      certificate
    • A valid member can request additional
      certificates
    • Each such request must be approved by a VO Admin
    • A member can access VOMRS by using any one of the
      approved certificates

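The registration workflow (Membership Registration) and the status rules on the two slides above are easiest to check as a small state machine. The block below is an added example written for this transcript, not VOMRS code: the class and method names are invented, the CAs, DNs and dates are constructed test data (dates are ISO strings so they compare as text), and the event log stands in for the notification/interface mechanism of the Notification Events slide.

```python
"""Toy model of VOMRS registration and membership/certificate statuses.
Added example, not VOMRS code; all names and data below are constructed."""
from dataclasses import dataclass, field

APPROVERS = ("Representative", "VO Admin")   # may approve membership (slide 8)


@dataclass
class Certificate:
    dn: str
    ca: str
    status: str = "New"        # New / Approved / Denied / Suspended / Expired


@dataclass
class Member:
    representative: str
    email: str
    affiliation_expires: str   # institutional affiliation end date (slide 6)
    certs: list = field(default_factory=list)
    status: str = "New"        # New / Approved / Denied / Suspended / Expired
    phase2_done: bool = False
    rules_signed: int = 0      # Usage Rules version signed in Phase II


class VOMRS:
    def __init__(self, trusted_cas, rules_version=1):
        self.trusted_cas = set(trusted_cas)   # VO-level set of accepted CAs
        self.rules_version = rules_version
        self.members = {}                     # member id -> Member
        self.by_dn = {}                       # certificate DN -> member id
        self.events = []                      # what subscribers/interfaces see

    def _event(self, kind, **info):
        self.events.append((kind, info))

    def _require_trusted(self, ca):
        if ca not in self.trusted_cas:
            raise PermissionError("CA %r is not accepted by this VO" % ca)

    # Phase I: only a certificate from a VO-trusted CA gets in the door.
    def register(self, mid, dn, ca, representative, email, affiliation_expires):
        self._require_trusted(ca)
        self.members[mid] = Member(representative, email, affiliation_expires,
                                   [Certificate(dn, ca)])
        self.by_dn[dn] = mid
        self._event("approval_requested", member=mid, representative=representative)

    # Phase II: reached through the e-mailed link; Usage Rules are signed here.
    def complete_phase2(self, mid):
        m = self.members[mid]
        m.phase2_done, m.rules_signed = True, self.rules_version

    def decide_membership(self, mid, approver, approve):
        if approver not in APPROVERS:
            raise PermissionError("only a Representative or VO Admin may decide")
        m = self.members[mid]
        if not m.phase2_done:
            raise ValueError("Phase II not completed")
        m.status = "Approved" if approve else "Denied"
        m.certs[0].status = m.status
        self._event("membership_status", member=mid, status=m.status)

    # Additional certificates are approved by the VO Admin (slide 11).
    def add_certificate(self, mid, dn, ca, approver):
        self._require_trusted(ca)
        if approver != "VO Admin":
            raise PermissionError("additional certificates need VO Admin approval")
        self.members[mid].certs.append(Certificate(dn, ca, "Approved"))
        self.by_dn[dn] = mid
        self._event("certificate_status", dn=dn, status="Approved")

    def retire_ca(self, ca):
        """The VO drops a CA: its certificates become Expired, members stay."""
        self.trusted_cas.discard(ca)
        for m in self.members.values():
            for c in m.certs:
                if c.ca == ca and c.status == "Approved":
                    c.status = "Expired"
        self._event("ca_expired", ca=ca)

    def publish_usage_rules(self, version):
        """New Usage Rules: approved members fall to Expired until they re-sign."""
        self.rules_version = version
        for mid, m in self.members.items():
            if m.status == "Approved":
                m.status = "Expired"
                self._event("sign_usage_rules", member=mid)

    def sign_usage_rules(self, mid, today):
        m = self.members[mid]
        m.rules_signed = self.rules_version
        if m.status == "Expired" and today <= m.affiliation_expires:
            m.status = "Approved"

    def refresh(self, today):
        """Time-based expiration: lapsed institutional affiliation."""
        for mid, m in self.members.items():
            if m.status == "Approved" and today > m.affiliation_expires:
                m.status = "Expired"
                self._event("membership_status", member=mid, status="Expired")

    # The question VOMS/GUMS ultimately ask: does this member get privileges?
    def has_grid_privileges(self, mid):
        m = self.members[mid]
        return m.status == "Approved" and any(c.status == "Approved" for c in m.certs)

    def can_login(self, dn):
        """Any one approved certificate of the member opens VOMRS itself."""
        mid = self.by_dn.get(dn)
        return mid is not None and any(
            c.dn == dn and c.status == "Approved" for c in self.members[mid].certs)


def demo():
    vo = VOMRS(trusted_cas=["Example DOE CA", "Example CERN CA"])   # constructed
    vo.register("alice", "/DC=org/DC=example/CN=Alice", "Example DOE CA",
                "bob", "alice@example.org", "2006-12-31")
    vo.complete_phase2("alice")
    vo.decide_membership("alice", "Representative", approve=True)
    vo.add_certificate("alice", "/DC=ch/DC=example/CN=Alice", "Example CERN CA", "VO Admin")
    vo.retire_ca("Example DOE CA")   # first certificate Expired, second still Approved
    return vo
```

Two points the slides make are visible in the model: retiring a CA expires certificates without touching membership, so a member with a second approved certificate keeps privileges; and a new Usage Rules document or a lapsed affiliation moves the member, not the certificate, to Expired, which removes grid privileges until the member re-signs or the affiliation is renewed.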
12
Groups and Group Roles
  • A VO member can select group and group role
    associations
  • A Group Owner, Group Manager or VO Admin can assign
    a group and group role to any member
  • A Group Owner, Group Manager or VO Admin can block
    a member's association with any group or group role

13
Interfacing Third Party Software
  • Interfaces can be registered with VOMRS and can be
    subscribed to receive event notifications.
    Currently there are three known interfaces
  • LCG Registration Type
    • The user's registration in the CERN HR DB is
      verified via a query during Phase I of VOMRS
      registration. No data is downloaded from the CERN
      DB to VOMRS.
    • VOMRS can be configured such that whenever an
      administrator queries a member's personal data,
      the CERN HR DB is queried and both the VOMRS and
      CERN DB data are displayed together.
  • SAM Registration Type
    • The SAM DB is queried to obtain the list of SAM
      groups
    • The SAM DB is updated using sam-admin commands
      when a member's status/privileges are changed
  • EGEE VOMS
    • VOMS is updated using the VOMS API when
      • a member's status/privileges are changed
      • a group is added/removed
      • a group role is added/removed

14
WEB Services Example
  • Access to VOMRS is also available via web
    services.
  • A certificate (or proxy) signed by a recognized
    CA is needed.
  • The list of services available to a particular
    user is defined by the user's role and status
    within VOMRS.
  • Web Service example (the values of the two -D
    system properties, which select the SSL socket
    factory and its configuration file, were lost in
    transcription):
    java -Daxis.socketSecureFactory=... -DsslConfigFile=...
      fnal.vox.vomrs.client.SoapClient
      https://fermigrid4.fnal.gov:8443/vo/Test/services/VOMRS getGroups
    /test
    /test/development
    /test/production
    /test/production/stream1
    /test/production/stream2

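The getGroups listing above is the flat form of the group hierarchy that the Groups and Group Roles slides describe, and the rules on who may create subgroups or block an association (VOMRS Administrators, Groups and Group Roles) are simple to enforce over it. The block below is an added example for this transcript, not VOMRS code: the class, the actor names used for permission checks, and the reuse of the listing above as constructed sample input are assumptions of the example.

```python
"""Group hierarchy and group/group-role associations (slides 7, 12 and 14).
Added example, not VOMRS code; the class and checks below are constructed."""

GROUP_MANAGERS = ("Group Owner", "Group Manager", "VO Admin")   # slide 12
SUBGROUP_CREATORS = ("Group Manager", "VO Admin")                # slide 7

# Constructed copy of the getGroups output shown on slide 14.
SAMPLE_GETGROUPS = """\
/test
/test/development
/test/production
/test/production/stream1
/test/production/stream2
"""


def parent_of(path):
    """'/test/production/stream1' -> '/test/production'; top-level -> None."""
    head, _, _ = path.rpartition("/")
    return head or None


class GroupHierarchy:
    def __init__(self, listing):
        self.groups = {}        # group path -> set of role names defined in it
        self.assoc = {}         # member -> set of (group, role or None)
        self.blocked = set()    # (member, group, role) an administrator blocked
        for line in listing.splitlines():
            if line.strip():
                self.create_group(line.strip(), "VO Admin")

    @staticmethod
    def _check_path(path):
        if path == "/" or not path.startswith("/") or path.endswith("/") or "//" in path:
            raise ValueError("bad group path %r" % path)

    def create_group(self, path, actor):
        """Subgroups hang off an existing parent; only managers may add them."""
        if actor not in SUBGROUP_CREATORS:
            raise PermissionError("%s cannot create groups" % actor)
        self._check_path(path)
        parent = parent_of(path)
        if parent is not None and parent not in self.groups:
            raise ValueError("parent group %s does not exist" % parent)
        self.groups.setdefault(path, set())

    def create_role(self, path, role, actor):
        if actor not in SUBGROUP_CREATORS:
            raise PermissionError("%s cannot create group roles" % actor)
        self.groups[path].add(role)            # KeyError for an unknown group

    def _validate(self, group, role):
        if group not in self.groups:
            raise ValueError("unknown group %s" % group)
        if role is not None and role not in self.groups[group]:
            raise ValueError("role %s not defined in %s" % (role, group))

    def select(self, member, group, role=None):
        """A member picks an association for themselves (slide 12) unless an
        administrator has blocked exactly that group/role for them."""
        self._validate(group, role)
        if (member, group, role) in self.blocked:
            return False
        self.assoc.setdefault(member, set()).add((group, role))
        return True

    def assign(self, member, group, role, actor):
        if actor not in GROUP_MANAGERS:
            raise PermissionError("%s cannot assign group membership" % actor)
        self._validate(group, role)
        self.blocked.discard((member, group, role))   # an explicit assignment lifts a block
        self.assoc.setdefault(member, set()).add((group, role))

    def block(self, member, group, role, actor):
        """Blocking is stronger than removal: the member cannot re-select it."""
        if actor not in GROUP_MANAGERS:
            raise PermissionError("%s cannot block associations" % actor)
        self._validate(group, role)
        self.blocked.add((member, group, role))
        self.assoc.get(member, set()).discard((group, role))

    def memberships(self, member):
        return sorted(self.assoc.get(member, ()), key=lambda gr: (gr[0], gr[1] or ""))

    def subtree(self, path):
        """All groups at or below path, as the getGroups listing orders them."""
        return sorted(g for g in self.groups if g == path or g.startswith(path + "/"))
```

The block/assign asymmetry is the point worth noticing: a member's own selection is refused while a block stands, but an explicit assignment by a Group Owner, Group Manager or VO Admin clears the block, which matches the slide's division between what members choose and what administrators impose.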
15
Since last CHEP
  • Implemented LCG Registration type using LCG
    Registration API (developed by K.Lorentey) to
    verify member standing with CERN HR DB
  • Integrated with SAM by using VOMRS-SAM API
  • Implemented Oracle support
  • Implemented two phases of registration that
    include email verification
  • Introduced VO and institutional membership
    expiration 
  • Introduced VO-level management of CAs
  • Implemented selection of groups and group roles
    by member
  • Added multipart messaging, improved message
    format
  • Implemented customizable on-line help

16
Implementation and Distribution
  • Implementation details
    • Java based (1.4.1 and higher)
    • WEB UI uses JavaScript
    • Configuration scripts are written in Python (1.5
      and higher)
    • Configuration files are in XML format
    • DBMS: Oracle or MySQL
  • Product distribution
    • The current distribution of VOMRS software is
      built with the gLite 1.4 trustmanager package and
      can be synchronized with gLite VOMS.
    • VOMRS components are distributed using the Pacman
      package manager and are available from the cache
      http://www.uscms.org/SoftwareComputing/Grid/VO/VOMRS
    • RPMs are available from
      http://www.uscms.org/SoftwareComputing/Grid/VO/downloads.html

17
Current Deployment
  • Fermilab
    • 14 instances that are synchronized with the
      corresponding installation of VOMS (VDT 1.3.9).
      VOMRS and VOMS are running on the same node
    • Total number of registered users > 5,000
  • CERN
    • 4 instances are using the LCG Registration Type
      and connect to the CERN HR DB
    • 5 instances are using the General Registration
      Type
    • All instances are synchronized with the
      corresponding installation of VOMS (gLite 1.4).
      VOMRS and VOMS are running on the same node.
    • Total number of registered users > 190
  • BNL
    • 2 instances (all are synchronized with the
      corresponding installation of VOMS).
  • Test installations
    • 2 instances at Texas Tech University are
      synchronized with the corresponding installation
      of VOMS (VDT 1.3.7)
    • 1 instance at the University of Melbourne
      (Physics Department)

18
Dependencies and Issues
  • EGEE trustmanager and VOMS admin package support
    is crucial for VOMRS
    • Bug fixing is slow (depends on gLite releases and
      integration into VDT)
    • Patches should be available much sooner
    • Good news: we have access to the LCG Savannah
      portal, which allows us to submit bugs as soon as
      we find them and monitor the bug-fixing progress
  • We are working very closely with the LCG VO
    Management Registration Task Force
    • LCG VO Managers submitted many constructive
      requests for improvements and new features. Most
      have been implemented in previous releases. New
      requests include
      • implement a hierarchy of representatives
        associated with country, region and institution
      • improve VOMRS performance
      • add a configurable subject in notification
        emails
  • We are planning to transfer some of the
    responsibilities for VOMRS support to a yet to be
    chosen person at CERN
  • A VOMRS/VOMS workshop is planned for March

19
Summary
  • VOMRS is a successfully implemented VO
    registration service providing the means to
    better identify and communicate with VO members,
    and to assign grid privileges to them.
  • Through the use of its multiple administrative
    roles, VOMRS allows for delegation of
    responsibilities within the VO while still
    providing a high level of control over privileges
    granted.
  • As a highly configurable service, it can meet the
    needs of a wide variety of VOs, both in terms of
    membership size and complexity of privileges
    required.
  • Its installation at numerous sites has resulted
    in increased requests for additional features to
    improve management and control of VO membership.
  • Fermilab is committed to future support of this
    product for the LCG and OSG.
  • A lot of people took part in gathering and
    understanding requirements, and providing us with
    valuable feedback. Thanks a lot to all of them!
  • More information can be found at
    http://www.uscms.org/SoftwareComputing/Grid/VO
  • E-mail: vo-project@fnal.gov