VOMS:Status & Plans

Vincenzo Ciaschini, Valerio Venturi

MWSG Meeting, CERN, Feb 23-24 2005

MWSG Meeting, CERN, Feb. 23-24 2005 - 2/21

Current status• Included in EGEE RC1 tag.

• Passed Stress test from JRA3.

• Included in LCG 2.4

• Included in VDT 1.3.1

• Used in INFN-Grid since July 2004 (release 2.1.0)

MWSG Meeting, CERN, Feb. 23-24 2005 - 3/21

INFN-Grid experience - Core

• Four VOs running: cdf, compchem, infngrid, planck.

• Less than 300 certificates/month generated.

• Problems: Error messages are unclear. In earlier days, sometimes the server hanged.

• Same problem found by EGEE. Fixed in newer releases, and the fix is committed on the EGEE CVS.

Voms-proxy-init by itself works, but creates standard, non voms-enabled proxies, leading to job failure for VOMS-only VOs.

• A warning message will be printed on screen warning the user of the fact.

MWSG Meeting, CERN, Feb. 23-24 2005 - 4/21

INFN-Grid experience - Admin

• Versions 0.7.1 and 0.7.5 used throughout the experience to administrate VOMS.

• Some problems have been found. The most notable: The user search feature still does not work correctly. The limit of 6 characters for a VO name. Here in INFN-Grid we

have longer names: infngrid and compchem. Removing a role from a user removed also the user himself.

• In 0.7.1, not verified for 0.7.5.

MWSG Meeting, CERN, Feb. 23-24 2005 - 5/21

Future Plans

From now to the end of the EGEE project

MWSG Meeting, CERN, Feb. 23-24 2005 - 6/21

Summary

• DB Replica.

• Oracle Support.

• Multiple DNs.

• APIs.

• Fake proxy creation tool.

• Certificate SN tracking.

• Miscellanea.

MWSG Meeting, CERN, Feb. 23-24 2005 - 7/21

DB Replica• A replica system has very recently been released.

Only one master, multiple slaves. Done using the DB replica mechanism. Clients can contact indifferently every server. Load balancing is done automatically by the client program.

• Just specify –voms <nick>, and the client will contact one server at random among those serving the vo <nick>

• In fact, it has already been committed, but the documentation is incomplete

MWSG Meeting, CERN, Feb. 23-24 2005 - 8/21

Oracle support• Requirement from LCG

• DB support for VOMS will be in the form of plugins. A plugin library will be available for each DB server type. Initial distribution will contain MySQL and Oracle. The plugin interface will be published.

• Interaction with replicas: First version: Only replicas between the same DB type. Following version: Will make use of a multi-DB replica system. One such system that will be investigated is Constanza.

MWSG Meeting, CERN, Feb. 23-24 2005 - 9/21

Multiple DNs (1/7)• Problem statement:

• Users may have more than one certificate. Current version of VOMS will consider them to belong to different

users -> But it is the same user!

• Or, a certificate may change over time. And so, an user may lose property of his resources or access to

them.

MWSG Meeting, CERN, Feb. 23-24 2005 - 10/21

Multiple DNs (2/7)• It will be possible to assign multiple certificates to the same

userID (uid). Will the admin interface work if the auto_increment is dropped from

the definition of the uid field in the usr table? Any certificate will work. The generated AC will have as holder the certificate used for

authentication with the server, but will include all known alternative names.

MWSG Meeting, CERN, Feb. 23-24 2005 - 11/21

Multiple DNs (3/7)• Also, a world-wide unique ID will be associated to every

user.• Based on the creation of a 20-byte secure random number associated

to each master VO server.• Combined with the user ID inside the VO.• Will be guaranteed to last as long as at least one alias of the user will

remain registered with the VO.• User IDs will never be reused (Karoly?)• This, too, will be published in the AC.

MWSG Meeting, CERN, Feb. 23-24 2005 - 12/21

Multiple DNs (4/7)• Alias registration: Prerequisites

The user already has at least an alias registered -> Must have been added by the admin.

The user hold the private key of the new credential.

MWSG Meeting, CERN, Feb. 23-24 2005 - 13/21

Multiple DNs (5/7)• Alias registration: specifics

Done through a command line utility. The user to the VOMS server. The user Authenticates via GSI with the old credentials. A challenge/response protocol is used to authenticate with the new

credentials, inside the already established connection. If all goes well, a row is added to the usr table, with the same user

ID.

MWSG Meeting, CERN, Feb. 23-24 2005 - 14/21

Multiple DNs (6/7)• Alias Cancellation: prerequisites

The user must still hold either the credential being deleted, or a credential aliased with the one to delete.

• Alias Cancellation: specifics The user authenticates via GSI to the VOMS server. The user sends the name of the alias to be removed, in the form of

an (invalid?) certificate. If the user holds the specified alias, then it is removed. WARNING: It is possible to remove all aliases! Maybe force at least

one to remain?

MWSG Meeting, CERN, Feb. 23-24 2005 - 15/21

Multiple DNs (7/7)• Command line implementation advantages:

Can be scripted. Does not require support of uncommon protocols like HTTPG Can be easily used in a web interface via CGI

• Disadvantages: Requires giving the server write access on the usr table

• Workaround: Create a new ‘alias’ table to only contain new alias, and work on it ONLY. Has the additional advantage of ensuring that the user cannot delete himself from the VO.

MWSG Meeting, CERN, Feb. 23-24 2005 - 16/21

APIs

• Unify the C and C++ APIs into the same library.

• Add function to create a proxy from the APIs. Right now, it can create ACs, but not include them into valid proxies.

• Add Java APIs Need to create ACs and proxies from Java.

• Drop support for pre-AC servers. N.B: After a year of ‘deprecated’ status, This will be removed in the

next version.

MWSG Meeting, CERN, Feb. 23-24 2005 - 17/21

Fake Proxy Creation Tool

• There is a need to create VOMS proxies without access to a server for TEST purposes. Will allow the creation of proxies, both valid and invalid (to verify

expected failure cases). Will allow to specify everything that the ‘normal’ voms-proxy-init

allows, plus:• The exact list of group/role/capabilities attributes.• The fake server certificate.• The fake server uri.

First version will permit to include only a single AC. Following versions will allow inclusions of more ACs in the same

proxy.

MWSG Meeting, CERN, Feb. 23-24 2005 - 18/21

Certificate SN tracking

• LCG requested to keep track of the User’s Certificate Serial Number. Simple solution: Add a field ‘sn’ to the usr table, and update it every

time the user connects to the server.• Requires update access to the usr table.

Alternatively, a new ‘(dn, ca, sn)’ type table may be created.

MWSG Meeting, CERN, Feb. 23-24 2005 - 19/21

Miscellanea

• Documentation improvements.

• Error messages improvements.

• Bug Fixes.

• Support and interaction with Policy management systems.

• Suggestions?

MWSG Meeting, CERN, Feb. 23-24 2005 - 20/21

Timescale

• Replica (Done)

• Voms-fake-init (real soon now)

• Oracle (April 2005)

• Multiple DNs (June-July)

• APIs (….)

• Bugfixes will be done throughout the whole time.

MWSG Meeting, CERN, Feb. 23-24 2005 - 21/21

Contacts

• Developers: vincenzo.ciaschini@cnaf.infn.it, valerio.venturi@cnaf.infn.it

• Mailing list: Voms-users@cnaf.infn.it

• Projects under investigation: Constanza: http://infnforge.cnaf.infn.it/projects/constanza/