On a shared computing system, the system must be able to decide whether a particular user is allowed to run a particular job and, if so, what other resources that job may use. On a simple system, like a Linux workstation, file permissions may be adequate to perform both tasks. The privilege system in grid computing is much more complex – there are more computing resources at stake, they are spread across geographic and administrative boundaries, and chains of trust are longer and more complicated. The VDT's privilege components work together to ensure that jobs access only those computing resources for which they are authorized. The goal is to make the privilege system nearly transparent to end users and easy to maintain for administrators.
The VDT 2.0.0 includes the following privilege components:
The privilege components are described below and are shown in the following diagram:
VOMS. The Virtual Organization Membership Service organizes grid users into Virtual Organizations (VOs), so that users working together on a common project across multiple real organizations can be grouped together in the privilege system. Each VOMS server instance lists the X.509 certificate of each user belonging to its VO and may include other information about users, including the subgroups and roles in which they participate. VOMS is used to find out whether a user is a member of the VO or one of its subgroups, and whether the user may assume a given role or capability. The VOMS Admin web application and service (not shown in the diagram) is used to manage the VO, and voms-proxy-init is the client-side tool that an end user uses to obtain a proxy certificate.
GUMS. The Grid User Management System maps an end user's credentials (proxy certificates) to a local user account under which the user's job can be run. While a GUMS service can be configured to perform all mappings based on a static configuration, typically it is configured to look up users in one or more VOMS servers and to map them based on VO membership and role(s).
PRIMA. The PRIvilege Management and Authorization component is the interface between a Globus Toolkit gatekeeper (or other GSI service) and a mapping service like GUMS. It implements a Globus authorization callout by packaging requests in the SOAP web service format required by GUMS and handling responses.
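To make the chain of the three components concrete, the following is an added Python sketch of the authorization flow described above; it is not code from the VDT, VOMS, GUMS or PRIMA, and the VO names, subject DNs, role names and mapping rules in it are constructed. It models a VOMS membership/role check, an ordered GUMS mapping configuration (static DN mapping ahead of VO/role mapping), and the PRIMA-style callout that runs the check before the mapping.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed VOMS server contents: VO -> {member DN -> roles that member may assume}.
VOMS_SERVERS: Dict[str, Dict[str, Set[str]]] = {
    "cms":   {"/DC=org/DC=example/CN=Alice": {"production"},
              "/DC=org/DC=example/CN=Bob": set()},
    "atlas": {"/DC=org/DC=example/CN=Carol": {"lcgadmin"}},
}

# Constructed GUMS-style configuration, evaluated in order; the first match wins.
# ("dn", <subject DN>, <account>) is a static mapping;
# ("vo", <vo>, <role or None>, <account>) maps by VO membership and role (None = any role).
GUMS_RULES: List[Tuple] = [
    ("dn", "/DC=org/DC=example/CN=Carol", "carol"),
    ("vo", "cms", "production", "cmsprod"),
    ("vo", "cms", None, "cmsuser"),
    ("vo", "atlas", None, "atlasuser"),
]

def parse_fqan(fqan: str) -> Tuple[str, str, Optional[str]]:
    """Split a VOMS FQAN such as '/cms/higgs/Role=production' into (vo, group, role)."""
    parts = [p for p in fqan.split("/") if p]
    if not parts:
        raise ValueError("empty FQAN")
    group_parts = [p for p in parts if "=" not in p]          # VO plus subgroup path
    role = next((p.split("=", 1)[1] for p in parts if p.startswith("Role=")), None)
    if role == "NULL":                                         # VOMS writes "no role" as Role=NULL
        role = None
    return group_parts[0], "/" + "/".join(group_parts), role

def voms_authorize(dn: str, fqan: str) -> bool:
    """VOMS check: is the DN a member of the VO, and may it assume the requested role?"""
    vo, _group, role = parse_fqan(fqan)
    members = VOMS_SERVERS.get(vo, {})
    if dn not in members:
        return False
    return role is None or role in members[dn]

def gums_map(dn: str, fqan: str) -> Optional[str]:
    """GUMS mapping: the first matching rule names the local account; None means unmapped."""
    vo, _group, role = parse_fqan(fqan)
    for rule in GUMS_RULES:
        if rule[0] == "dn" and rule[1] == dn:
            return rule[2]
        if rule[0] == "vo" and rule[1] == vo and rule[2] in (None, role):
            return rule[3]
    return None

def prima_callout(dn: str, fqan: str) -> Optional[str]:
    """PRIMA-style callout: the VOMS attributes must check out before GUMS maps the user."""
    return gums_map(dn, fqan) if voms_authorize(dn, fqan) else None
```

A proxy carrying a role the VOMS server has not granted to that member is refused before any mapping is attempted, which is the property the real gatekeeper callout relies on.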
For more information about the privilege components in the VDT: