VOX Project

1
VOX Project

• Tanya Levshina

2
Presentation overview

• Introduction
• VOX Project
• VOMRS Concepts
• Roles
• Registration flow
• EDG VOMS
• Open Issues
• VOMRS Status
• Web Gui Examples

3
Introduction

• VOX Goals
• to understand and model the registration
  workflow
• to provide VO registration mechanism
• to negotiate and monitor member authorization to
  grid resources
• End Goal
• To facilitate the remote participation of
  physicists in effective and
• timely analysis of data from the LHC experiments
  during DC04.

4
VOX Project
VOMS EDG (ATLAS)
VOMRS (ATLAS)
BNL
VOMS EDG (SDSS)
VOMRS (SDSS)
Local Center Registration Service
Gatekeeper callouts
VOMS EDG (USCMS)
VOMRS (USCMS)
GUMS
Grid Cluster
Fermilab
LRAS
Gatekeeper callouts
Grid Cluster
SAZ
VO Members
5
VOMRS Identifying the workflow

• Understand that VO registration is a multi-level
  process (institution, grid site, country, VO).
• Identify necessary elements of the registration
  procedure and develop a model workflow.
• Identify administrative roles and
  responsibilities.
• Identify various implications of our model on
  sites and site policies.
• Realize that the implementing technology must be
  flexible to accommodate the different levels of
  policies and requirements and to anticipate
  ongoing changes.

6
VOMRS Concepts (I)

• Grid, VO, Certificate (DN,CA,..), Grid resource,
  Grid job
• Experiment
• represents research activities that are specific
  to a particular VO.
• Group
• an experiment contains groups. Group may have
  sub-groups.
• Institution
• is an organization whose members participate in
  experiments within a
• particular VO.
• Grid site
• is an institution that provides grid resources.
  Each site has policies
• that require specific personal information.
• Grid job submission rights
• distinguishes between members who can submit grid
  jobs and those
• who can only perform administrative tasks.

7
VOMRS Concepts (2)

• Personal information
• private and public data about an individual that
  is collected by
• the VO.
• Notification Event
• an action taken by the registration software that
  notifies
• interested members of a change within the VO and
  describes
• any required responses if any.
• Role
• defines actions that a VO Member can perform
  within the VO.A
• VO member can have one or more roles.

8
Roles (I)

• Visitor
• A person who posses a valid certificate from the
  Certificate Authority approved by VO.
• Applicant
• An experimenter who belongs to one of the VO
  institutions and possesses a certificate from one
  of the VO-approved Certificate Authorities. An
  applicant has submitted a VO registration form
  but has not yet been approved.
• Member
• An applicant who has been approved. A member can
  submit jobs to the Grid. By default a member is
  assigned to an experiment wide group.
• VO administrator
• A designated VO member who is in charge of
  registration and has access to all information
  collected by the VO. He is responsible for
  assigning administrative roles.

9
Roles (II)

• Institutional VO representative
• Vouches for the identity of an applicant.
• Upon registration a member can select a
  representative from the list of known
  representatives. The selected representative does
  not necessarily belong to the members
  institution.
• Grid site administrator
• Assigns/revokes the role of System Administrator
  or Local Resource Provider to/from the VO members
  affiliated with the site
• Administers authorization of VO member to the
  site. The details are site specific and depends
  on regulations and policies of each particular
  site.
• Local resource provider
• Administers authorization a member to use the
  grid resource (this could include addition of
  this member to the gridmapfile, mapping member to
  local account, etc)

10
Roles (III)

• Group owner
• Creates groups and subgroups within the
  experiment.
• Assigns/revokes group manager/owner role to a
  member of the VO.
• A Group owner is a Group manager as well.
• A Group owner owns the group if he owns any of
  ancestor group.
• Group managers
• Assigns/removes members to/from the group he
  manages

11
Registration Flow
12
Association with EDG VOMS

• EDG VOMS is used currently as a significant part
  of VOX project
• Extended Proxy generation
• Gridmapfile generation for local grid resource
• Query to get members, groups, roles by
  authorization services on local grid clusters
• VOMS VOMRS have some overlap in functionalities
  and stored data, but
• VOMRS is a registration service that is accessed
  infrequently by people (not hosts)
• VOMS is a service that provides member with 
  extended proxy and should sustain heavy load. It
  allows access by registered hosts.
• VOMRS keeps a lot of information about members
  and VO entities (institutions, sites, etc).
  Member information is persistent.
• VOMS keeps minimum information related to member
  (dn,ca, group, role). Member has to be deleted in
  order to deny him access to the Grid.
• VOMRS Synchronizer is responsible for updating
  VOMS database

13
Open Issues

• More complicated logic needs to be implemented to
  handle deletion of Institution, Certificate
  Authorities
• Membership suspension mechanism should be more
  sophisticated (reason for suspension should be
  provided and stored for auditing)
• Membership expiration mechanism should be defined
  and implemented
• Suspension of a specific DN CA that has been
  compromised
• Responsibilities of Sites are not really
  finalized
• Should VO have up to date list of banned users
  per each site
• Should it be mandatory to notify VO about
  approved/denied members authorization status
  during the registration process with a site
• Database issues
• Transition to ORACLE
• Replication
• Report Generation

14
VOMRS Status

• Version 1.0.3 has been released. It consists of
• Server that is handling event notifications and
  synchronization with VOMS
• WEB UI and Web Services that provide means for
  member registration, role and group assignments,
  and various administrative tasks
• VOMRS database, scripts to facilitate its initial
  creation and population
• Scripts to start/stop server and client
• Configuration files that control behavior of the
  server, WEB UI and database setting
• Documentation
• RPMs pacman cache (for server and client) are
  available on
• http//www.uscms.org/sc/VO/downloads.html
• User Documentation is available on
• http//computing.fnal.gov/docs/products/vomrs
• Test installation is running on (valid
  certificate is required to login)
• https//cmssrv08.fnal.gov8443/vo-TEST/vomrs
• Bugs report
• http//cmssrv08.fnal.gov3080/bugzilla
• More info
• http//www.uscms.org/sc/VO
• E-mail
• vo-project_at_fnal.gov

15
WEB UI(welcome page)

• The following VOMRS
• entities are controlled
• by configuration
• VO Name
• Usage Rules
• Database configuration
• Host location
• Location of VOMS service and synchronization
  level

Fill in and submit the Registration form to apply
for membership in the USCMS VO. You will need
to enter the Required Personal Info (see link
under menu).
Popup help
Displayed menu items depends on your role within
the VO
16
WEB UI(registration)
Required personal information is dynamically
configured by a VO Administrator and can be
specific to a particular VO.
17
WEB UI(administration)
18
WEB UI(notification subscription)
Member related events
VO Admministrator related events