Grid Users and Virtual Organisations


WARNING! When working on the Grid, you must accept that some information on your jobs and on your Grid identity is made public. This includes your name, your affiliation, IP address of your client computer, job names and duration, used runtime environment names and other less sensitive information (see the Grid monitor for example).

Accessing the Grid resources

Grid authentication and authorisation

In a Grid environment, users usually do not have login accounts with passwords for the computing resources they want to use. Instead, they hold a certificate issued by a Certificate Authority, and this certificate authenticates them to the required resources. Authentication, however, does not mean automatic access to the resource. Access control for the computing resources, called authorization, is a matter of local policy, and in the Grid environment it is done by mapping the accepted set of user certificates to local user accounts.

During the authentication process the validity of your certificate is checked, and the Issuer Certificate Authority of your credential is checked against the group of trusted Certificate Authorities recognized by the Grid resource. Being authenticated by a site basically means that the Issuer CA of your credential is trusted by the Grid resource. Technically, sites implement their authentication policy by installing trusted CA packages. You are not authenticated on a site unless the CA package of your Issuer CA is installed.

For the authorization you have to be a member of a recognized and supported User Group (or VO). In most cases sites implement authorization policies by selecting User Groups (VOs). If you are a member of a User Group (VO) which is authorized on a specific site then you can access the site resources (e.g. CPU cycles, storage space) provided your credentials are authenticated too.

Authentication and authorization are decoupled processes. Even if you are a member of an authorized User Group (VO), you may still have problems accessing the site's resources because your certificate is not trusted (in this case you may contact the site administrator and find out why your Issuer CA is not trusted). Similarly, you will not have access to the site in the opposite case, when your certificate is authenticated but you are not a member of any authorized User Group. In order to access a resource you must be both authenticated and authorized. The former is achieved by possessing a site-recognized certificate (your credential was issued by a trusted CA), while the latter requires membership of an authorized User Group (you are a member of a User Group which was granted resource allocation on the site).

Grid resources

Computing and storage resources of the Grid connected by the ARC middleware belong to different administrative domains, organizational units and computing centers. Allocation of the resources is granted by their respective owners.

In order to start using Grid, you need:

  1. an installed ARC client
  2. a valid and recognized Grid identity: a certificate issued by one of the internationally recognized authorities. See client installation instructions or the User Guide for details.
  3. permission to use at least some of the Grid resources: resource owners often allocate resources for user groups, so it is a good practice to become a member of such a user group (also known as a Virtual Organisation).

Possession of the certificate issued by the NorduGrid CA does NOT entitle you to resource usage or membership of any VO. You must apply for such membership by contacting VO managers, or negotiate access with resource owners.

Notes on Virtual Organisations

A Virtual Organization (VO) is basically a group of people who are authorized to run Grid jobs on a set of Grid resources. For example, the members of a research project can join together in a VO, so that they can negotiate access to Grid resources, policies etc. Typically, a VO has a manager who maintains the list of members and contacts resource owners whenever a negotiation is needed, for example, if a new user has a certificate issued by a new Certificate Authority (CA), or if CA public keys have changed. VO managers are normally in charge of negotiating resources available for the VO members. Each site on the Grid can choose to authorize any set of VOs, allowing all their members to run Grid jobs or to store data on the corresponding facility.

You can always create your own VO and negotiate access to Grid resources with resource owners personally. NorduGrid Collaboration does not normally assist in such negotiations.

Implementation

The lists of users of different VOs are maintained in different ways. VOMS technology has recently become increasingly popular, see VOMS notes for more details. VOMS is one of the most convenient ways of requesting and maintaining VO membership.

Still, some VOs keep their user list in a GSI-enabled LDAP database, while others make use of a text file served from an HTTP(S) server.

In any case, ARC middleware provides a utility, the nordugridmap script (packaged in the nordugrid-arc-gridmap-utils package), which is capable of synchronizing the local gridmap file on the site with the user lists of the requested VOs. Technically, authorizing a user group is nothing more than adding the specific VO database contact URL (VO URLs are available via links in the table below) to the corresponding [vo] block of the configuration file (arc.conf).
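The decoupled authentication and authorization checks, and the gridmap file that ties VO member lists to local accounts, can be modelled as follows. This is an added Python example, not ARC or nordugridmap code. It assumes gridmap lines of the form "<subject DN>" <local account>, reduces certificate validation to a boolean, and uses only constructed DNs, VO names and account names.

```python
# Added illustration (not ARC code). Every DN, CA, VO and account name is a constructed sample.

TRUSTED_CAS = {"/O=Grid/O=ExampleCA/CN=Example Certification Authority"}

# Member lists as a site would fetch them from each VO's database or text file.
VO_MEMBERS = {
    "vo.example.org": ["/O=Grid/O=ExampleCA/OU=uni.example/CN=Alice Example"],
    "other.example.org": ["/O=Grid/O=ExampleCA/OU=lab.example/CN=Bob Example"],
}

# Local policy: only these VOs are authorized, each mapped to a local account.
AUTHORIZED_VOS = {"vo.example.org": "gridvo1"}


def build_gridmap(vo_members, authorized_vos):
    """Return gridmap text: one '"<subject DN>" <local account>' line per member."""
    mapping = {}
    for vo, account in authorized_vos.items():
        for dn in vo_members.get(vo, []):
            mapping.setdefault(dn, account)  # first authorized VO wins
    return "".join(f'"{dn}" {acct}\n' for dn, acct in sorted(mapping.items()))


def parse_gridmap(text):
    """Parse gridmap text back into {subject DN: local account}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('"'):
            continue  # skip blanks, comments and malformed lines
        dn, sep, account = line[1:].rpartition('" ')
        if sep and account.strip():
            mapping[dn] = account.strip()
    return mapping


def access_decision(subject_dn, issuer_dn, cert_valid, trusted_cas, gridmap):
    """Apply both checks independently; access needs both to pass."""
    if not cert_valid or issuer_dn not in trusted_cas:
        return (False, "not authenticated", None)
    account = gridmap.get(subject_dn)
    if account is None:
        return (False, "not authorized", None)
    return (True, "access granted", account)


GRIDMAP = parse_gridmap(build_gridmap(VO_MEMBERS, AUTHORIZED_VOS))
```

A member of a VO the site has not authorized is rejected even with a trusted certificate, and a member of an authorized VO is rejected when the Issuer CA is not in the trusted set.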

Major maintained user groups

Below are pointers to some of the existing user groups. To obtain membership, you should either use the VOMS Web interface when available, or personally contact the relevant user group administrators. Also, it is always a good idea to first contact your national resource allocation agency, if any, and inquire about Grid-enabled resources.

If you are not associated with any of the groups listed below and you are not entitled to a membership, you might try to contact Grid resource owners one by one and negotiate access rights and allocations. You may also consider establishing your own user group for yourself and your colleagues, and negotiating access for the group with the resource owners.

ARC Community | Users affiliated with institutes committing to share their resources with each other | Details
ARC developers | Members of the nordugrid.org VO with developer role | Details
ARC demo | Group of anonymous users for demonstration and tutorial purposes | Details
nordugrid.org | Members of Nordic academic organisations agreeing to the User Policy document and the AUC | Details
knowarc.eu | VO for the Pilot Grid System of KnowARC | Details
ATLAS | Official ATLAS Virtual Organisation, maintained by ATLAS and LCG | Details
gin.ggf.org | GIN group participants | Details
swegrid.se | Swedish researchers granted resources by SNAC | Details
dcsc.dk | Danish researchers | Details
Estonian Grid VO | Estonian researchers possessing Estonian certificates | Details
norgrid.no | Norwegian users granted resources by NOTUR | Details
materialscience.ndgf.org | Finnish researchers | Details
bio.ndgf.org | Nordic bioinformatics community | Details
co2-cg.ndgf.org | CO2 sequestration project | Details
cc.ndgf.org | Nordic computational chemistry community | Details