Speaker
Abhishek Singh Rana
(UCSD)
Description
Securely authorizing incoming users with appropriate privileges on distributed grid
computing resources is a difficult problem. In this paper we present the work of the
Open Science Grid Privilege Project which is a collaboration of developers from
universities and national labs to develop an authorization infrastructure to provide
finer-grained authorization consistently to all grid services on a site or domain.
The project supports the utilization of extended proxy certificates generated with
identity, group and role information from the European Data Grid (EDG) Virtual
Organization Management System (VOMS). These proxies are parsed at the grid interface
and an authorization request is sent to a central Grid User Mapping Service (GUMS). The
GUMS service will return the appropriate mapping based on the identity, role or
group. This allows the user to propagate information about affiliation and activity
in the credentials and allows the site to make decisions on authorization, privilege,
and priority based on this information. The Privilege components have been packaged
and deployed on OSG sites. The infrastructure has been used to support sites with
multiple computing elements and storage elements. We will present the motivation and
architecture for finer-grained authorization as well as the deployment and operations
experience.
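The mapping step described above, sketched as an added example (not code from the Privilege Project or GUMS): a VOMS attribute string (FQAN) is parsed into group path and role, then matched against an ordered site policy that denies by default. The policy table, account names, DNs and the function names `parse_fqan` and `map_account` are assumptions made for illustration, as is the choice to decide on the primary FQAN only.

```python
import re
from typing import Optional

# VOMS FQAN syntax: /vo[/subgroup...][/Role=r][/Capability=c]
_FQAN = re.compile(
    r"((?:/[\w.-]+)+?)(?:/Role=([\w.-]+))?(?:/Capability=([\w.-]+))?",
    re.ASCII,
)

def parse_fqan(text: str):
    """Return (group_path_tuple, role_or_None); raise ValueError if malformed."""
    m = _FQAN.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed FQAN: {text!r}")
    # VOMS writes an absent role as the literal string NULL.
    role = None if m.group(2) in (None, "NULL") else m.group(2)
    return tuple(m.group(1).strip("/").split("/")), role

# Constructed site policy, first match wins: (group prefix, role, local account).
# A rule role of None means "no role asserted"; it does not mean "any role",
# so an unrecognized role never falls through to a default account.
POLICY = [
    (("cms",), "production", "cmsprod"),
    (("cms", "uscms"), None, "uscms"),
    (("cms",), None, "cmsuser"),
]
BANNED_DNS = {"/DC=org/DC=example/OU=People/CN=Revoked User"}  # constructed

def map_account(dn: str, primary_fqan: str) -> Optional[str]:
    """Map an identity plus primary FQAN to a local account, or None to deny."""
    if dn in BANNED_DNS:
        return None
    try:
        groups, role = parse_fqan(primary_fqan)
    except ValueError:
        return None  # fail closed on anything that does not parse
    for prefix, rule_role, account in POLICY:
        # Compare whole path components, so /cmsx never matches a /cms rule.
        if groups[:len(prefix)] == prefix and role == rule_role:
            return account
    return None
```

Matching on parsed path components rather than on a string prefix is what keeps a group such as `/cmsx` from inheriting the `/cms` mapping.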
Primary authors
Abhishek Singh Rana
(UCSD)
Alan Sill
(Texas Tech University)
Frank Wuerthwein
(UCSD)
Gabriele Carcassi
(Brookhaven National Laboratory)
Gabriele Garzoglio
(FERMILAB)
John Weigand
(ProApps)
Markus Lorch
(IBM)
Timur Perelmutov
(FERMILAB)