DRAFT for comments!! Edited
by Maria
Dimou with input from Akos Frohner, clarifications from Ian Neilson
and comments from the participants.
The LDAP-based registration of users who adhere to the LCG usage rules (Guidelines) and their admission in a Virtual Organisation (VO) cannot be replaced today with a VOMS-only procedure because:
2003-11-07 meeting with the VO managers
Chih-Chiang Chang (VOMS installation), Joel Closier (LHCb VO), Maria Dimou
(DTEAM VO), Akos Frohner (VOMS developer), Ian Neilson (DTEAM VO) and Andrea
Sciaba (CMS VO) discussed first impressions from the test installation and
management interface.
Concerning the issue of populating VOMS Groups, it was
decided that the VO manager decides on the Group names but each Group may be
administered by different people.
By default only the VO manager can create
a Group or sub-Group but (s)he can set ACLs appropriately to change permissions.
The meeting decided that there should be a default user expiration date.(Akos'
notes).
Chih-Chiang Chang, Maria Dimou, Akos Frohner and Ian Neilson
were invited to a VOX demo by Greg Graham (FNAL).
Overall, one may say that VOX is a pre-VOMS interface for registration only.
It is richer than VOMS in terms of amount of information one can enter
about the user. Several VOX fields, e.g. citizenship, will never be
part of VOMS. Others, e.g. Rights, Status donot exist today
and, probably, won't, in the future, either. The function of a user's Supervisor is called in VOX Representative.
It is noticeable that the VO manager can easily add/remove fields from the
user interface and the database schema and can even decide which ones to classify
as mandatory.
VOX contains the notion of "Role" which is different to the
one
of VOMS, as
it relates to the process of registration (e.g. "applicant" when asking to
register or "LRP", (Local Resource Provider) when approving a user's acceptance
to the VO).
VOX contains the list of sites supporting a given VO. Every site publishes
in VOMS the list of fields they consider mandatory in order to accept a user
registration. It is supposed that a successful registration can occur when
the union of all required information is provided. It is not known whether
this assumption is actually correct and, actually, implemented.
| What to do | What happened | What next |
| Try immediately to continue sending the gridmap file to all sites but stop including all user subjects with their certificates in all Information Services (IS). | Marco did it and found that it works with a potential security problem,
i.e. an unauthorised user can submit a job and the system will accept
him/her hoping (s)he belongs to another VO. This should not be a problem
because either gridmap or LCAS will prevent unauthorised usage at the
CE level. |
As of Nov.4 publishing of certificates to the IS is stopped. Planned operation in LCG-2. |
| Requirement | Action | People |
| Confirm decision to use VOMS as the LCG VO management software. The date can only be defined after LCG-2 (20,Nov.2003) | usage on the C&T testbed AND... | C&T managers with imported data from LDAP into VOMS on tbed0152.cern.ch (done) AND... |
| ...brainstorming meeting with all VO managers. | ...Akos discussed with the CMS,LHCb &Dteam VO managers. | |
| Clarify user registration flow, i.e. how to ensure user's compliance to the Guidelines before acceptance in the VO. Impact in VOMS design and implementation. (More on guidelines) | Decision to be made by the LCG security group | Ian N. & Akos introduced it on 2003-11-03 but decision was left for the VOMS Workshop on 2003-12-15. |
| Evaluate the functionality of VOMS user interface and update procedure. | submit with Bugzilla. Example | project-lcg-vo-[VOname]-admin@cern.ch |
| Decide on a limit to the amount of VOMS Roles a person can have. | Limit to 2 or 3 to keep Unix groups' administration manageable. Reason | VO managers give the Group and Role names they prefer. |
| The open question is: how can the job figure out the site specific group name from the VO group/role name? |
EDG/WP4 shall provide a small utility for this, which might use the LCMAPS config file as a basis.(More on VOMS-Group/Unix-groupMore on VOMS-Group/Unix-group) |
More on guidelines' acceptance by all VO members:
(1) If not everyone has signed acceptance to the guidelines, then one
VO
must be introduced for
the
guidelines
and
every
user
has to acquire two credentials with the command voms-proxy-init: One
from the guidelines and one from his/her real VO's VOMS server. The existence
of _both_ credentials would be checked at the resource (i.e. LCAS/LCMAPS, edg-java-security
etc.) (Ian Bird, Akos' preference, most probably the one we'll adopt. It matches
today's 'registrar' and [VOname] data in LDAP).
(2) If everyone has signed acceptance to the guidelines, then the VOMS server
has to ensure this policy by checking the membership of every new user in the
guidelines' VOMS server and doing synchronization later every hour (David Groep's
preference).
Number of VOMS Roles limitation
Suppose a user was registered in VOMS with x valid Roles and he presents his/her credentials to the resource fulfilling y out of those x. The process has to run using a user account that must be present in /etc/group as a member of all the local Unix groups that correspond to his/her present y VOMS roles, and only those. This means that a user account under which a job runs may belong to any valid combination of groups in /etc/group, which makes their maintenance difficult to manage.
More on VOMS-Group/Unix-group:
UI |
RB |
Site |
Persons |
User is registered in VOMS with 2 Roles: |
Matches the user job request with the site's IS content (i.e.
checks if the site can accept jobs for [EXPERIMENT]-PRODUCTION_MGR
and [EXPERIMENT]-USER) and Submits to the site's CE. |
IS announces that it accepts jobs for EXPERIMENT]-PRODUCTION_MGR
and [EXPERIMENT]-USER |
We don't have a list of Roles per experiment and an idea how they want to reflect these in the terms of Groups in the Unix File system. Suggestion: ask the VO managers. |
| User obtains a proxy with voms-proxy-init where both his roles appear. |
CE contains the mapping in LCMAPS: [EXPERIMENT]-PRODUCTION_MGR<=> local_exp_prod_mgr
in /etc/group [EXPERIMENT]-USER<=> local_exp_user in /etc/group And sets, before submitting, the process environment such that generic name [EXPERIMENT]-USER becomes local real group name local_exp_user |
||
User does edg-job-submit with job.jdl containing: |
The batch system runs job.jdl as a local
user in a local group. |
| Today' facts | Ideally | Realistically | Persons |
| Files are created by users of the same VO with permissions
-rwxrwxr-x (775) but a given pool account can be re-assigned to other people,
who can change a
foreign file to -rwx------ (700), preventing (as a result) the original
file creator to acces his/her own data. Unix group names can be different across sites. |
certificate-driven ACLs for files and/or finer grained VOMS access control OR... | VO -> UNIX group mapping tool lcg-group-map-tool . A possibility to create an ENV variable with the user's Group/Role was discussed. |
Akos+David Groep. Proposal on Job Repository Deploy+test: 6 weeks |
| ...(solutions too intrusive for most sites): - CE: LCMAPS with pool of accounts and groups, supported by an LDAP-based site nameservice for passwd and group info (instead of /etc/passwd and /etc/group) - SE/disk: SlashGrid. |
static mapping to a limited number of pool accounts.VOMS should contain max. 3 roles or groups. |
LCMAPS deployers ?(Who?) | |
| gridftp doesn't know about VOMS | patch by EDG WP4 (deploy+test: 2 weeks) | David Groep | |
| Question | Action | People |
| Today voms-proxy-init -voms [VOname] doesn't show for which VO we obtained a proxy. | test the proxy renewal in case of long jobs. MySQL database & VOMS server replication will handle proxy renewal when the original server is down. | Akos for this and overall co-ordination with WP1/4/6 |
| develop the voms-proxy-info command, that will be used instead of the grid-proxy-info command. | ||
| Job matching of groups/roles? | introduce a common format for attibute names and make API calls, which return this for services. | V.Ciaschini |
| publish the CE information in this format into the Glue schema. |
EDG/WP4(D.Groep) | |
| acquire the VO/Group/Role information from the VOMS credentials (or from JDL) in this format and do the job matching as with the current VOMS-aware implementation (iterating through all attribute and CE combinations). | EDG/WP1 |
