SVOPME: A Scalable Virtual Organization Privileges Management Environment
Grids enable uniform access to resources by implementing standard interfaces to resource gateways. In the Open Science Grid (OSG), privileges are granted on the basis of the user’s membership to a Virtual Organization (VO). However, Grid sites are solely responsible to determine and control access privileges to resources using users’ identity and personal attributes, which are available through Grid credentials. While this guarantees full control on access rights to the sites, it makes VO privileges heterogeneous throughout the Grid and hardly fits with the Grid paradigm of uniform access to resources. To address these challenges, we are developing the Scalable Virtual Organization Privileges Management Environment (SVOPME), which provides tools for VOs to define, publish, and verify desired privileges and assists sites to provide the appropriate access policies. Moreover, SVOPME provides tools for grid site to analyze site access policies for various resources, verify compliance with preferred VO policies, and generate directives for site administrators on how the local access policies can be amended to achieve such compliance without taking control of local configurations away from site administrators. This paper discusses what access policies are of interest to the OSG community and how SVOPME implements privilege management tools for the OSG.
KeywordsPolicy Advisor Virtual Organiza Test Query Grid Site Security Assertion Markup Language
Unable to display preview. Download preview PDF.
- 1.Pordes R et al. 2007 The Open Science Grid Journal of Physics: Conference Series 7815Google Scholar
- 2.Laure E et al. 2004 Middleware for the next generation Grid infrastructure Proceedings of Computing in High Energy Physics and Nuclear Physics 2004, Interlaken, Switzerland 826Google Scholar
- 3.Garzoglio G et al. 2009 Definition and Implementation of a SAML-XACML Profile for Authorization Interoperability across Grid Middleware in OSG and EGEE Journal of Grid Computing DOI: 10.1007/s10723-009-9117-4Google Scholar
- 4.Garzoglio G et al. 2009 An XACML profile and implementation for Authorization Interoperability between OSG and EGEE Proceedings of Computing in High Energy Physics and Nuclear Physics 2009, Prague, Czech RepublicGoogle Scholar
- 6.Alfieri R et al. 2004 VOMS, an authorization system for virtual organizations Proceedings of European across Grids conference No1, Santiago De Compostela, Spain 2970 33–40Google Scholar
- 7.Ceccanti A, Ciaschini V, Dimou M, Garzoglio G, Levshina T, Traylen S, Venturi V 2009 VOMS/VOMRS Utilization patterns and convergence plan Proceedings of Computing in High Energy Physics and Nuclear Physics 2009, Prague, Czech RepublicGoogle Scholar
- 8.Moses T et al. 2005 Extensible access control markup language (xacml) version 2.0 Oasis StandardGoogle Scholar
- 9.Cantor S, Kemp J, Philpott R, Maler R 2005 Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2. 0 OASIS SSTCGoogle Scholar
- 10.Garzoglio G et al. 2008 An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids Fremilab White Paper CD-doc-2952-v2Google Scholar
- 11.Lorch M, Kafura D, Fisk I, Keahey K, Carcassi G, Freeman T, Peremutov T, Rana A S 2005 Authorization and account management in the Open Science Grid The 6th IEEE/ACM International Workshop on Grid Computing, 2005Google Scholar
- 12.The EGEE Authorization Service: http://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFrameworkAccessed on May 13, 2009
- 13.Cesini D, Ciaschini V, Dongiovanni D, Ferraro A, Forti A, Ghiselli A, Italiano A, Salomoni D 2008 Enabling a priority-based fair share in the EGEE infrastructure Journal of Physics: Conference Series 119 062023 DOI:10.1088/1742-6596/119/6/062023Google Scholar