Conceptual scheme and definition of terms
Perun is a wide system providing user management and user-connected services to the various types of facilities (single machines, clusters, storage, elements or even software licenses) in various infrastructure sizes (from managing single access to software license to creating accounts in cloud-like environment with thousands CPUs).
Whole Perun is based on Virtual organizations, groups and facilities. Managers of these basic entities cooperate in Perun to gain desired results. All of them use complex GUI (or CLI) to manage his part of duties.
In short, the facility manager provides resources to VOs and configures settings of these resources or the facility itself.
Key feature: As was already mentioned, facility manager just provides the resource to the VO but does not manage users who utilize his facility. Since facility manager is familiar with VO's user policy and every single VO member must agree with policies, facility manager has assurance that all users utilizing his facility fulfill his requirements.
The VO manager manages members of his VO and decides which groups under the VO can utilize resources provided to the VO by the facility manager. Moreover groups within the VO can obtain even a self-management by having their own group manager. He can add and remove members in group and edit an application form.
Application form is highly customizable tool to manage users coming to the VO (or the group). Content and required information is fully in the hands of particular manager. Also the way how to accept filled forms is up to managers, it could be done manually or automatically.
Groups often covers work-life roles. It is recommended to create groups matching with roles (for example groups managers, user support, maintenance) consequently is really easy to list, add or remove some resource accessible to the whole group.
By adding new member into group covering his work role, all resources and accesses he needs to have to do his job is available for him. Another use case is when VO manager adds a new member into group, the member gains all accesses available to group's members.
To sum up, all users' settings are in one place and easy to manage via GUI or CLI. There is a great level of customization in nearly every aspect of user management. Even more, system is prepared to fit to nearly any customer's requirement (for example, new service, new attribute etc.). Also many processes in system can be done automatically, or not (depending on managers' will). All together creates flexible and scalable role-based system of sharing resources.
- 1 Concept scheme definition
- 2 Basic terms description
- 2.1 An account shared among users -- Service member
- 2.2 Application form
- 2.3 Attributes - Attributes
- 2.4 Evidence of facility - Hosts
- 2.5 External identity resources - Ext_sources
- 2.6 Facility owners - Owners
- 2.7 Groups - Groups
- 2.8 Perun services - Services
- 2.9 Resources - Resources
- 2.10 Service goals - Destinations
- 2.11 Types of resources - Facilities
- 2.12 Users - Users
- 2.13 Users into VO - Members
- 2.14 Virtual organization - VOs
- 3 User account states
- 4 Level of assurance
Concept scheme definition
Virtual organization (VO) management
VO has members and managers. VO is very basic unit to assign resources.
Resources management within VO
Resources are provided to VO based on agreement. There is no formal form for this agreement, whole process depends on mutual agreement of VO manager and facility manager.
Service management defines which type of resources is provided and assign these resources to VO that consequently use them.
- Management of configuration for services
Services in resources must be configured before user can access any of them. Perun pushes configuration data to resources according to their configuration.
Basic terms description
Service member is an account that is not based on physical person's identity, but created in the system and one or more users can be assigned to operate with it. Except this functionality, it works as a normal user with all his rights.
Every service member account has an evidence:
- it is for service purposes
- who are allowed to manipulate with it (change password, change an email)
For example: Regular backuping of system must be done, but it is unsafe to store backups into personal accounts. Moreover, there are more people responsible for backuping and backups would be spread into several personal accounts. Service member solves this task because all backups are stored in his storage space and all responsible people have an access to it.
For example: If an application (Hudson in our case) needs an access to system via username and password, then is unsafe to provide somebody's personal account, so service member account is advisable to provide.
Tutorial to create service member.
Application form serves as a gate to the particular VO or group. It is form created by administrator of VO or group for users. After application form is filled and approved, user becomes a member of particular VO. Approval process can be automatic or manual (approved by VO manager). New user must be verified by IdP or information system of organization.
Attributes - Attributes
Entities in Perun (e.g. facility, resource, service) and relations (member-resource, user-facility) can contain more information in a form of attributes. Attributes serve as support information to the services.
Example: Facility manager defines list of available shells in cluster as an attribute. VO manager can select a shell from this list for his members. This list is saved as an attribute at resource. Every single member can have preferred shell that is saved as an attribute in the relation user-facility.
Attributes can store anything that it is necessary to propagate to the device. Also it could be set by user. Attributes have type string, int, array of string.
Evidence of facility - Hosts
Hosts serve as an evidence where facility is placed. It is only an evidence, as a destination of services is taken information from Destinations.
External identity resources - Ext_sources
External identity resource is assigned to each user. This resource can be identity providers, some LDAPs, SQL database of organizations, outputs of information systems ... etc. and primary user identity is taken from it.
External identity resources serve as a proof that user is a part of the real organization and therefore can access to the resources and services.
External resources can serve as a condition to become a member of virtual organization or a group in the VO. Information from external resource can be used to automatic export of user into VO.
LoA (level of assurance) is a term connected with external resources, specially federations'. Loa should be same for all external identity providers, see Level of assurance
Facility owners - Owners
Contact to facility manager. It serves to VO manager to contact him to create an agreement to gain an access to resources.
Groups - Groups
Groups can be created within the VO automatically based on some user property or manually based on VO manager decision. Groups serves to refine internal structure to access to resources. Groups and subgroups of members who are part of the VO. Every VO member is part of group "Members" by default.
Perun services - Services
Perun services propagate data from Perun database to the facility (clusters, data storage.. etc.). Services create configuration files in clusters (e.g. /etc/passwd), fill Kerberos, actualize list of acceptable certificates etc.
Services run automatically based on predefined events in Perun system (e.g. change in membership in a group, new member in VO...). Propagation can be run also manually.
Resources - Resources
Resource is "bundle of services" provided by owner of physical device or software, e.g. one storage volume with its size and access protocols, possibility to submit jobs in specific queues (or utilize specific clusters), possibility to use specific software.
Resource is one basic unit provided to VO on the basis of oral or written agreement.
Resources are used by members. VO manager sets access rights for members in VO by utilization of group system. Agreement between VO manager and facility manager sets "maximal scope of use or limiting conditions" that can not be exceed by members in VO.
To resouces can be assigned tags which marked special properties of resources. (For example tag computational node means, this resource is used for users to compute their tasks, tag service machine marked resource as machine for internal operations at VO etc..)
Service goals - Destinations
Many services create configuration files and propagate them to some goal. This goal can be device, some special device, email address or URL where is output of service.
Types of resources - Facilities
Facility is an entity (pc, software, storage) existing in a real world, for which access needs to be managed by Perun. To provide access to a facility, resource must be created, that provide the facility to a Virtual Organization.
Following conditions facility meets:
- they are using same technology and share configuration (e.g. they are NFSv4 volumes, they need an account in the local machines.. etc., Perun pushes its data coherently)
- they have single management (one manager responsible for all pieces can be identified - e.g. data storage elements owned by CESNET).
On the other side, "service provided to user", e.g. NFSv4 volumes export from one physical storage to the other should be consider as one facility, not more. Attributes are connected with facilities.
Users - Users
User is an account in Perun system that matches with physical person (it could happen that physical person has more accounts but it is not recommended). At least one external identity is connected with user.
Users into VO - Members
Member is the user in the particular VO. Relation between user and VO can contain attributes.
Virtual organization - VOs
VO has members and managers. VO is very basic unit to assign resources. VO is organization of users who have common specific goals and want to be managed by VO manager. VO could have specific requirements to access to resources, to verify the user etc. Possible specification is defined in VO policy.
User account states
User is a VO member, but some important information to propagate the services is missing. When all attributes are complete, user can be switched to state valid.
User is VO member and all necessary attributes are filled.
User move to suspended state after security incident connected with his account
Membership in VO has expired, to move to state valid user must apply for an extension.
An access to all resources has been blocked to the member.
Level of assurance
- Level 1
email address is verified
- Level 2
identity and institution is verified
- Level 3
level 1+ strict requirements to password quality and its use