Difference between revisions of "Virtual Organisation Management"

Line 1: Line 1:
 
== Virtual Organisation Management ==
 
== Virtual Organisation Management ==
The Virtual Organisation Management (VO-Management) services are in charge to supply other gCube services with a robust and flexible security framework and to manage the VO. The Delegation and CredentialsRenewal services provide authentication support for gCube users and services.  
+
The Virtual Organisation Management (VO-Management) subsystem provides security-related components to implement the [[gCube Security Model]]. The VO-Management subsystem is part of the [[GCube Infrastructure Enabling Services]], and its main aim is to enable the controlled sharing of gCube resources within a gCube infrastructure.
The Authorization service is in charge to manage permissions to perform action within the infrastructure.
+
Two main functionalities are provided by the VO-Management to a gCube infrastructure to control resource sharing: Authentication of interacting entities, and Authorisation of required actions. Components related to these two functionalities are briefly introduced below.
  
=== Authentication model ===
+
=== Authentication components ===
The gCube Security model is based on PKI paradigm to authenticate entities identities acting in the infrastructure. This implies that each action must be performed using valid credentials issued by a trusted Certification Authority (CA). The GSI-Secure Conversation standard built-in in the java-WS-Core container is used in gCube to authenticate RI invocations. In fact, there is the need to address every interaction with the system to a particular entity (user or service). For this reason all entities should have its own identity. In certain cases, services could act on behalf of a human user: GSI-SecureConversation can support credentials delegation. This choice is driven, above all, by the need to delegate caller credentials to the invoked RI.
+
As introduced in the [[gCube Security Model]], authentication-related components provides gCube users and Running Instances with credentials to operate in the infrastructure. The following picture shows main relations among authentication components.
 +
 
 +
--include image
 +
 
 +
In the diagram above, following authentication components have been created as part of the gCube VO-Management services:
 +
 
 +
* [[VOMS-API]] - this library enable interaction with the MyProxy [[[LINKHERE]]] credentials repository, to retrieve user's credentials. This component is typically used by the portal to load user credentials when the user logs in a VRE.
 +
* [https://technical.wiki.d4science.research-infrastructures.eu/documentation/index.php/VO-Management_Delegation Delegation] - this service provides credentials for gCube Running Instances. Credentials are needed by RIs to be authenticated to other gCube RIs. The set of credentials provided to RI depends on the security configuration of the Service the RI is instance of.
 +
*[https://technical.wiki.d4science.research-infrastructures.eu/documentation/index.php/VO-Management_CredentialsRenewal Credentials Renewal] - this service interacts with the Delegation service to delegate user's credentials to RI on a given node, when these credentials are needed to perform background operations.
  
 
=== Authorization model ===
 
=== Authorization model ===
The Authorization rights in gCube are based on the RBAC model. This means that each user needs to hold a valid role to operate in a gCube-based infrastructure. The following diagram shows how the gCube VO model is implemented.
+
The authorisation model described in the gCube Security Model is implemented by the following set of components, as shown in the diagram below.
  
[[Image:Vo.jpg]]
+
----insert image authZ
  
== Reference Architecture ==
+
In the diagram above, following authorisation components have been created as part of the gCube VO-Management services:
VO management is the responsibility of a set of services: the Delegation, the CredentialsRenewal and the Authorization service. Precisely, the VO-management services manage the security aspects in terms of authentication and authorization mechanisms between of a gCube-based infrastructure’s actors.
+
The VO-Management is composed of:
+
**VO-Management Authorization: (Stub library, WSRF service and API library) A service allowing VO management (VO, VOs hierarchies and gCube system VO Model);
+
** [https://technical.wiki.d4science.research-infrastructures.eu/documentation/index.php/VO-Management_Delegation VO-Management_Delegation]: (Stub library and WSRF service) A service allowing clients to delegate proxy credentials to gCube services running on a GHN;
+
** [https://technical.wiki.d4science.research-infrastructures.eu/documentation/index.php/VO-Management_CredentialsRenewal VO-Management Credential Renewal]: (Stub library, WSRF service and [https://technical.wiki.d4science.research-infrastructures.eu/documentation/index.php/VO-Management_CredentialsRenewal-api API library]) A service allowing users to periodically delegate their credentials to GHN.
+
  
From a system wide perspective, the VO-Management services are placed in the gCube Infrastructure Enabling Services. Their main role is to support the entire infrastructure in managing authentication and authorization aspects. Referring to VO model, VOs, Users membership, and users to roles associations are maintained by a VOMS service. In the current implementation VOs are modeled as VOMS groups, while gCube Users and Roles fits with corresponding VOMS Users and Roles.Beyond VOMS functionalities, VO Management services offer a way to manage identities
+
* [[VOMS-API]] - beside provisioning of user's credentials, the VOMS-API library also allows for the management of user membership and roles in Virtual Organisations. The VOMS-API relies on VOMS as the backend service to store VO-related information.
of users and services interacting with the infrastructure, through Delegation and Credential Renewal services, and a way to manage authorization rights associated to each role, through the Authorization service.
+
* Authorisation Service - this service is in charge to store authorisation policies and provide services with authorisation decisions. The authorisation service is still under development, and it will be integrated in future gCube releases.
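Review bot: the new revision still carries editing placeholders that will render as-is: "[[[LINKHERE]]]" in the VOMS-API bullet, "--include image" under "Authentication components" and "----insert image authZ" under "Authorization model"; fill in the MyProxy link and upload the two diagrams (the hunk also drops the only concrete image reference, [[Image:Vo.jpg]]) or remove those lines before publishing. The same hunk removes the old "Reference Architecture" statements that VOs are modelled as VOMS groups with gCube Users and Roles mapped to VOMS Users and Roles, and that RI invocations are authenticated with GSI-Secure Conversation with credential delegation; if these are still accurate, carry them into the new authentication and authorisation component descriptions rather than losing them.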

Revision as of 16:43, 9 July 2009

Virtual Organisation Management

The Virtual Organisation Management (VO-Management) subsystem provides the security-related components that implement the gCube Security Model. The VO-Management subsystem is part of the GCube Infrastructure Enabling Services, and its main aim is to enable the controlled sharing of gCube resources within a gCube infrastructure. VO-Management provides two main functions to a gCube infrastructure for controlling resource sharing: authentication of the interacting entities, and authorisation of the actions they request. The components related to these two functions are briefly introduced below.

Authentication components

As introduced in the gCube Security Model, the authentication-related components provide gCube users and Running Instances (RIs) with the credentials they need to operate in the infrastructure. The following picture shows the main relations among the authentication components.

--include image

In the diagram above, the following authentication components have been created as part of the gCube VO-Management services:

  • VOMS-API - this library enables interaction with the MyProxy [[[LINKHERE]]] credentials repository, to retrieve a user's credentials. This component is typically used by the portal to load the user's credentials when the user logs in to a VRE.
  • Delegation - this service provides credentials to gCube Running Instances. An RI needs credentials to authenticate itself to other gCube RIs. The set of credentials provided to an RI depends on the security configuration of the Service that the RI is an instance of.
  • Credentials Renewal - this service interacts with the Delegation service to delegate a user's credentials to the RIs on a given node, when those credentials are needed to perform background operations on the user's behalf.

Authorization model

The authorisation model described in the gCube Security Model is implemented by the following set of components, shown in the diagram below.


insert image authZ

In the diagram above, the following authorisation components have been created as part of the gCube VO-Management services:

  • VOMS-API - besides provisioning a user's credentials, the VOMS-API library also allows the management of user membership and roles in Virtual Organisations. VOMS-API relies on VOMS as the backend service that stores VO-related information.
  • Authorisation Service - this service is in charge of storing authorisation policies and providing services with authorisation decisions. The Authorisation Service is still under development and will be integrated in future gCube releases.
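The decision flow described by the two bullets above, as an added illustration that is not gCube code: VO membership and roles live in a VOMS-like store (the data VOMS-API manages), and an Authorisation Service answers "may this user perform this action in this VO?" against stored policies. The VO paths, user names, role names and action names are constructed sample values; the key behaviours shown are that roles are scoped to the VO they were granted in and that anything not covered by a policy is denied.

```python
# Added example (not gCube's own code): VO-scoped RBAC decisions on top of a
# VOMS-like membership store. All VO, user, role and action names are constructed.
from dataclasses import dataclass, field


@dataclass
class VomsStore:
    """VOMS-like backend: VO (group path) -> user -> set of roles held in that VO."""
    members: dict = field(default_factory=dict)

    def add_member(self, vo, user, *roles):
        self.members.setdefault(vo, {}).setdefault(user, set()).update(roles)

    def roles_of(self, vo, user):
        # Roles are scoped to one VO: the same user may hold other roles elsewhere.
        return frozenset(self.members.get(vo, {}).get(user, ()))


@dataclass
class AuthorisationService:
    """Stores policies (VO, role) -> allowed actions and answers decision requests."""
    store: VomsStore
    policies: dict = field(default_factory=dict)

    def add_policy(self, vo, role, *actions):
        self.policies.setdefault((vo, role), set()).update(actions)

    def decide(self, vo, user, action):
        """Permit only if the user holds, in *this* VO, a role whose policy allows the action."""
        for role in self.store.roles_of(vo, user):
            if action in self.policies.get((vo, role), ()):
                return True
        return False  # default deny: unknown VO, no membership, or no matching policy


def build_sample():
    """Constructed sample infrastructure: two VOs, two users, role-based policies."""
    store = VomsStore()
    store.add_member("/sample-vo/vre-a", "alice", "Manager")
    store.add_member("/sample-vo/vre-a", "bob", "Member")
    store.add_member("/sample-vo/vre-b", "bob", "Manager")
    authz = AuthorisationService(store)
    authz.add_policy("/sample-vo/vre-a", "Manager", "deploy", "search")
    authz.add_policy("/sample-vo/vre-a", "Member", "search")
    authz.add_policy("/sample-vo/vre-b", "Manager", "deploy", "search")
    return authz
```

Bob is a Manager in vre-b but only a Member in vre-a, so the same user gets "deploy" permitted in one VO and denied in the other; a user or VO absent from the store is denied without any special case.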