Notes on VOMS

DRAFT!! Edited by Maria Dimou with input from Rich Baker, Vincenzo Ciaschini, Akos Frohner, Tanya Levshina and the IT-GD Group members.
Last Update: 2004-11-10 (Notes from the 2003-10-29 meeting)

The notes appended date from October 2003 but they are not obsolete. For those readers who want to deploy a service, here are some useful references to related documentation:

• VOMS and MyProxy interaction diagram by Ian Neilson
• VOMS and MyProxy integration by Markus Lorch
• VOMS Deployment instructions (installation, configuration, integration).
• GRID-IT, VOMS Integration Release by INFN
• EDG WP7 Security Coordination Group entry point for authentication and authorisation documents.
• EDG Security design paper.
• EDG document on VOMS.
• VOMS Installation Guide.
• EDG Security Installation Guide 1.5.6
• EDG-VOMS-Admin Installation Guide
• VOMS Administration Guide for developers.
• edg-voms-admin presentation .
• EDG LCAS Reference Manual.
• EDG LCMAPS Reference Manual.
• USCMS Virtual Organisation (VOX/VOMRS) design documents.
• List of USCMS presentations on VOMS and VOX/VOMRS experience.
• GUMS: Grid User Management System by BNL.

What is VOMS:

The Virtual Organisation Membership Service is a front-end to an RDBMS, where all the information about users is kept. It allows the administrator to register members within a VO (members should provide their DN, CA and Group affiliation). During the grid job submission a member issues voms-proxy-init (instead of grid-proxy-init) and gets extended proxy from the VOMS server. This proxy certificate includes the member's Groups and Roles as additional attributes.

Why should VOMS replace today's LDAP-based VO management:

Some issues that are not satisfactory in LDAP today are handled by VOMS as follows:

• Unfriendly mass-updates via the ldap[add|search|delete] commands or the LDAP browser:
  This is solved in VOMS via a user-friendly web interface. The database used in VOMS today is MySQL.
• CN name clashes within a given VO:
  This is solved in VOMS by using the entire DN coupled with the responsible CA name.
• Currently the LCG User Registration procedure allows a user to become a member of only one VO at a time:
  This is solved in VOMS by keeping a separate instance for every VO database.
• Even if user registration were allowing users to belong to multiple VOs, the gridmap file only considers one of the entries present for a given user:
  This is solved in VOMS by using LCAS/LCMAPS instead of gridmap. It is alreadly available today on the Computing Element (CE) of the LCG testbed. It is possible to use LCAS/LCMAPS without VOMS, with, obviously, reduced functionality.
• Added functionality in voms-proxy-init as opposed to grid-proxy-init. The VOMS registration and VO servers are contacted and all relevant credentials are matched to the user's request. This facilitates the update of the Information Service (no more copying of all the certificates will be needed to every node).
• Additional VOMS' attributes:
  • The user's working Group (e.g. registration, integration, testing)
  • The user's Roles (within a given "Group" i.e. inheriting the Group's privileges, e.g. production manager, user).

VOMS deployment in IT/GD:

Chih installed the VOMS server (process /opt/edg/sbin/edg-voms) from the EDG software depository on host tbed0152.cern.ch The machine is equiped with all prerequisite paraphernalia like TomCat, Globus GSI, PKI server and MySQL. All instances of the VOMS server(s) run on the same host.
The configuration for the VOMS daemon is in the directory /opt/edg/etc/voms .
The actual data are in /var/lib/mysql/voms_[VOname].
The configuration for the edg-voms-admin service is kept in the directory /opt/edg/var/etc/edg-voms-admin. We may agree, in the near future, to locate all these configurations in the same directory.
The "Trusted CA list" is picked up and regularly updated with a cron job from the /etc/grid-security/certficates directory of the VOMS server.
The web interface looks like: https://tbed0152.cern.ch:8443/edg-voms-admin/[VO-name]/index.html . It can only be opened by VO managers, whose certificates are included in the VOMS configuration by its administrator.
The configuration file of the VOMS web interface is in /opt/edg/etc/voms-httpd/httpd.conf .
The user interface is lxshare0276.cern.ch (the LCG-2 UI host). Users registered on that host can issue the edg-voms-proxy-init command. Example:

As more than one instances of VOMS are possible on the same server one instance with CMS VO data and another with dteam, trying the phase zero migration scenario, i.e. LDAP-to-voms synchronisation (still making gridmap-file out of LDAP).
Next step (when implemented) would be to change the "ldap://" entries in the gridmap config. file by "voms://" entries (phase 1 migration scenario).

Present migration issues:

1. All LDAP entries of the alice,cms,dteam,lhcb VOs introduced by the EDG scripts (cert2ldif,group.pl) appear encoded (e.g.
   member:: Y249TG91aXMgUG9uY2V0LG91PVBlb3BsZSxvPWR0ZWFtLGRjPWxjZyxkYz1vcmcg)
   as a result of ldapsearch and can't be imported in VOMS at this moment.
   Status: Fixed on 2003-10-27. Now under test.
2. VOMS' capability to contain the same person (same DN) in multiple VOs was successfully tested. However, as long as we use the gridmap file, this functionality is "wasted". We need to understand when all other dependencies will allow the usage of LCAS/LCMAPS instead. Besides, the command grid-proxy-info doesn't carry the VO name, so one can't see how the edg-voms-proxy-init -voms [VO name] option is used.
3. To be clarified and documented here:
• Integration issues with EDG WP1 (Workload Management Software) for the Resource Broker.
• Integration issues with EDG WP2 (Replica Manager Software).
• Filesystem integration (e.g. mapping of experiment-specific GID's on the Storage Element to VOMS credentials).
• The exact syntax of the voms:// lines for the gridmap file, how they are generated and fed.
• The Storage Element (SE) uses today gridftp, which requires the gridmap file. How can we decide to migrate given these dependencies?

Present administration issues:

Items 1 and 2 below are submitted with Bugzilla on 2003-10-28 (http://marianne.in2p3.fr/datagrid/bugzilla/show_bug.cgi?id=2178)

1. VOMS web interface doesn't show a counter with the total number of members in a Group.
2. VOMS users in a Group (web interface) are not sorted alphabetically.
3. VOMS will be issueing notification messages to the user (and to other relevant recipients) in case of successful registration completion but this is not yet implemented. See 2nd page of presentation http://edg-wp2.web.cern.ch/edg-wp2/security/voms/edg-scg-2003-09.pdf

Remarks related to accounting:

The purpose of accounting is to show how many computing resources have been used by a given user. Automatic VOMS updates by a resource are not allowed for security reasons (in case the resource is compromised). Only VO administrators and their delegates can do VOMS updates. Therefore, VOMS can't provide information about a resource usage but a given Group and Roles can be associated with a specific resource and accounting policies.
The remaining problem is how to manage grid users (who may belong to many VOMS Groups) and files on the computing resources (which can only belong to one Unix group). Either the file creator has to change appropriately his/her Group before writing the file, or all files should be world-readable, which is not acceptable by most experiments.

Relevant activities in other labs:

FNAL (input from T.Levshina):
VOMS is installed and tested in Fermilab. There will be further tests during the GRID3 run. The VOX (Virtual Organisation eXtensions) project was launched last February. It consists of a Member Registration and Notification Service providing:

• Secure storage of personal data , that are a superset of data required by the various VO sites (e.g. Fermilab requires a birth date, wherelse CERN doesn't).
• Automated notification and registration flow, e.g. when a member is registered email is sent to his institutional representatives for approval, then to the site administrator etc.
• Possibility to query/manage member's information. The amount of information you are able to get about the member depends on your Role in the VO, e.g the Group Manager is able to change a member's association with his/her group, a site administrator can get a member's personal information and allow/denied access to the site.

Related applications:
SAZ (Site Authorisation Service) : FNAL site access control commissioned by the Security Team in order to quickly respond to any security incident and block user access to the site regardless of user's standing in the VO. So, any job submitted from outside (e.g. via gatekeeper) will first access the SAZ database to check the user status at the site. This is done by using gatekeeper's callouts. This is a mechanism that allows to access extensions of authorisation (not covered in the limited set of Globus) offered by other applications.
LRAS (Local Resource Authorisation Service) : fine grain control to local resource and mapping to user account. This is done by using gatekeeper callout to access a local database where a VO member is mapped to a Unix account, and the local administrator can ban / allow member's access to the local resource.

The FNAL team plans to use the VOMS core server to generate extended proxy, and probably the VOMS admin package to populate the VOMS database. So they will probably keep two separate databases: one with members dn,ca and groups and another with all the registration information.

BNL (input from R.Baker):

GUMS is a tool, developed in the US, that automatically maintains a static one-to-one mapping between Distinguished Name (DN) and local account name.

The static one-to-one account mapping has several advantages. One major consideration is that many
sites (both in the US and Europe) have serious reservations about allowing group or pool account
mapping. The static mapping simplifies site audit procedures. It also solves the file protection issues.

GUMS and VOMS are very complimentary. The current deployments of GUMS are using VOMS servers
to obtain the list of users. GUMS produces a different grid-mapfile and logs account mapping information
locally. GUMS can use VOMS group membership info to maintain a local user account's membership in
local Unix groups.

GUMS could also allow account recycling, so the problem of total number of available UIDs (limited to 64K on some systems today) can be handled if it does become a limit for the Grid. Alternatively, operating
systems should increase the length of the UID from 16 to 32 bits.

Differences/similarities in these approaches:

SAZ and LRAS contain overlapping functionality with each other and with LCAS/LCMAPS to the extent that they can be considered similar but one can't make a one-to-one mapping between these products. As they all followed completely different implementation paths SAZ and LRAS use RDBMS to store user and group information, wherelse LCAS/LCMAPS use flat files (that may contain regular expressions to ease mass-updating).

Upcoming events:

VOMS workshop in the IT Auditorium on December 15th (14hrs) to 17th (12hrs). FNAL and BNL contacts will be present. Meeting chairman David Kelsey.

People:

Vincenzo.Ciaschini@cnaf.infn.it, Akos.Frohner@cern.ch (core service development),
chih-chiang.chang@cern.ch, maria.dimou@cern.ch (installation, evaluation)
Tanya Levshina <tlevshin@hppc.fnal.gov> (VOX project Leader)
Rich Baker <rbaker@BNL.GOV> (GUMS contact)
project-lcg-deployment-staff@cern.ch (advice and use)
project-lcg-security-group@cern.ch (advice)