Workplan for the first year
Different authorization mechanisms, providing the same or similar functionality, are now used in the EMI job management services. This is clearly a complication from a deployment and maintenance point of view.
Moreover, in some cases multiple authorization systems are used within the same job management service, which can lead to inconsistent authorization decisions: because of bugs or misconfigurations, a given Grid user could be authorized by one authorization service while being denied by another authorization component.
As already identified in the DoW document, these issues will be addressed by moving to a single EMI authorization service, for which the gLite Argus service is supposed to be the reference implementation.
The existing EMI job management services will therefore have to be properly integrated with this authorization framework.
Since all security in ARC is handled by HED, and since HED will be integrated with ARGUS, all services hosted by HED (A-REX included) will automatically be integrated with it. This is planned to be finalized by the first project year. If needed, some other components of the ARC-CE will be modified to be Argus-aware.
The integration between the CREAM CE and the Argus authorization service will be finalized for the first EMI major release. In this way ARGUS will be the only system used within the CREAM CE for authorization and user mapping. During the first year of the project, the integration between Argus and the gLite WMS will also start.
As for UNICORE, it already has a clean, single XACML callout for making authorization decisions for each incoming web service call. Additional support for Argus will be added. However, an evaluation of Argus will be performed during the first project year, in order to check whether Argus serves the same purpose and has the same scope as the current XACML policy check.
Implementation
Argus - ARC CE integration
Related information is collected and being updated at
http://wiki.nordugrid.org/index.php/Argus_integration
Argus - CREAM CE integration
A profile for the CREAM CE has been defined and it is available here
The implementation in Argus is available with Argus version >= 1.2.
The implementation in the CREAM CE has been done and will be released in CREAM 1.13 (CREAM CE version 1.7).
The integration between gridftpd and ARGUS (needed because gridftp is part of the CREAM CE node) has been implemented.
More details:
Argus - WMS integration
The integration between gridftpd and ARGUS (needed because gridftp is part of the WMS node) has been implemented.
More details:
Argus - UNICORE integration
--
MassimoSgaravatto - 06-Sep-2010