Virtual Organisation Management
The Virtual Organisation Management (VO-Management) subsystem provides security-related components to implement the gCube Security Model. The VO-Management subsystem is part of the GCube Infrastructure Enabling Services, and its main aim is to enable the controlled sharing of gCube resources within a gCube infrastructure. Two main functionalities are provided by the VO-Management to a gCube infrastructure to control resource sharing: Authentication of interacting entities, and Authorisation of required actions. Components related to these two functionalities are briefly introduced below.
Authentication components
As introduced in the gCube Security Model, authentication-related components provides gCube users and Running Instances with credentials to operate in the infrastructure. The following picture shows main relations among authentication components.
In the diagram above, following authentication components have been created as part of the gCube VO-Management services:
- VOMS-API_v3 - this library enable interaction with the MyProxy[1] credentials repository, to retrieve user's credentials. This component is typically used by the portal to load user credentials when the user logs in a VRE.
- Delegation - this service provides credentials for gCube Running Instances. Credentials are needed by RIs to be authenticated to other gCube RIs. The set of credentials provided to RI depends on the security configuration of the Service the RI is instance of.
- Credentials Renewal - this service interacts with the Delegation service to delegate user's credentials to RI on a given node, when these credentials are needed to perform background operations.
Authorization model
The authorisation model described in the gCube Security Model is implemented by the following set of components, as shown in the diagram below.
In the diagram above, following authorisation components have been created as part of the gCube VO-Management services:
- VOMS-API - beside provisioning of user's credentials, the VOMS-API library also allows for the management of user membership and roles in Virtual Organisations. The VOMS-API relies on VOMS as the backend service to store VO-related information.
- Authorisation Service - this service is in charge to store authorisation policies and provide services with authorisation decisions. The authorisation service is still under development, and it will be integrated in future gCube releases.