VOM Registration Service User and Admin Guide


VOMRS Glossary

Alias

A secondary Distinguished Name (DN) is considered an "alias" for the primary DN of a VO member. See Distinguished Name.

Applicant

An applicant to a VO is a person who has submitted a request to join the VO, whose identity has been confirmed and has thus completed the "candidate" stage of application (see Candidate), but for whom the request has not yet been approved. The applicant must start as a visitor (see Visitor). Once approval is granted, the applicant becomes a member (see Member).

Application Form

(See Registration Form)

Approved (membership status)

This membership status is given to approved VO members in good standing; this status is required in order for a member to perform any operations in the VOMRS.

Approved (authorization status)

This authorization status is initially granted, by a representative, to a VO applicant who is approved for membership (it triggers the applicant's membership status to change to "approved"). See Approved (membership status). This authorization status is required for accessing grid resources, and may be set for three separate phases: global (Representative phase), site-specific (SiteAdmin phase), and resource-specific (LRP phase).

Authentication

Authentication is the process of identifying an individual, and ensuring that the individual is who he or she claims to be. Authentication says nothing about the access rights of the individual; see Authorization.

Authorization

Authorization, in contrast to authentication, is the process of giving individuals access to system objects and resources based on their identity.

Authorization Status

Authorization status, as contrasted with membership status, refers to a VO member's authorization to use particular grid resources. There may be up to three levels of authorization status implemented in VOMRS; these levels are called "phases": (1) A representative has the authority to grant or deny, on an individual basis, authorization to use any grid resources recognized by the VO. (2) Once phase 1 is granted, a site administrator may grant authorization to use any resources located at his or her site. (3) Once phase 2 is granted, each local resource provider (LRP) may grant authorization to use his or her resource. In VOMRS, only phase 1, the global authorization, is required by the software; the other two phases may be implemented via external procedures. The authorization statuses are New, Approved, and Denied. See Phase, Membership Status, Local Resource Provider, Site Administrator and Representative.

Candidate

A visitor (see Visitor) who has applied for membership to a VO, but whose identity has not yet been confirmed by the VO, is assigned the role of "candidate" with respect to the VO. After identity confirmation, the candidate is assigned the role of applicant (see Applicant).

CA (Certificate Authority)

See Certificate Authority.

Certificate Authority

A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.

Certificate Status

Each VO member's X.509 certificate is given a status which indicates its standing with respect to the VOMRS. A certificate in good standing is a prerequisite for its holder to access grid resources.

CRL

(Certificate Revocation List) A CRL is a list of no-longer-valid certificates maintained by a CA (see CA) for the certificates it has issued. This list is used to determine the validity of a certificate at the time of a transaction. Certificates issued by a CA are considered valid unless they appear on the certificate revocation list.

Denied (membership status)

This status is given to applicants who do not meet membership requirements for any reason. Members with this status cannot perform any operations in the VOMRS beyond those available for applicants.

Denied (authorization status)

This status is given to applicants or VO members who are not eligible to access grid resources, for any reason. This authorization status, in the representative phase, effectively cuts off the access because it triggers the removal of the member's record in VOMS.

Distinguished Name (DN)

In a certificate issued by a CA, the DN is the string that uniquely identifies the individual.

DN

See Distinguished Name.

Email Address

This field on the registration form is for the email address to which the applicant or member wants VOMRS correspondence sent. This includes both person-to-person messages and automatic notifications via the subscription service.

Event

An event in the VOMRS is a change to the database. Some events require actions to be taken by particular VO members. Based on role, members can request to be notified when certain events occur. See Notification and Subscription.

Expired (certificate status)

The status indicates that the CA who issued this certificate is no longer valid.

Expired (institutional affiliation status)

This status indicates that the member's institutional affiliation is no longer valid.

Expired (membership status)

The status indicates that the member's VO membership has expired.

Full Rights

Full rights refer to full membership rights (the alternative is "none"). See Membership Rights. A member who requests full rights at registration gets entered into the VOMS database upon membership approval; having a record in VOMS is a prerequisite to accessing grid resources.

Grid Admin roles

Grid Admin roles include LRP and Site Administrator. VO members with these roles control user access to grid computing resources at a site. See LRP and Site Administrator.

Grid Proxy

Globus.org defines grid proxies as certificates signed by the user, or by another proxy, that do not require a password to submit a job. They are intended for short-term use, when the user is submitting many jobs and cannot be troubled to repeat his password for every job. VOMS creates proxies automatically for VO members from their grid certificates on an as-needed basis. See VOMS.

Grid Resource

A computing or storage node at a grid site that accepts and runs jobs (or stores output) for authorized VO members.

Grid Site

(see Site)

Group

An organizational entity, defined by the VO, which refers to a subdivision of the VO's overall project, and to which some subset of the VO's members are assigned. Each group has one or more group managers, group administrators, and members, all of whom are registered VO members. Groups are organized hierarchically.

Group Admin role

Group Admin roles include Group Owner and Group Manager. See Group Owner and Group Manager. This is distinct from a Group Role.

Group Manager

A group manager may (a) access a group member's public personal information, (b) assign and remove members to/from the group, and (c) assign and remove members to/from a group role within the group. A group may have multiple group managers. A group manager of a parent group is automatically a group manager of all its child groups.

Group Member

A group member is a VO member who has been assigned to a group.

Group Owner

A group owner owns a group. A group owner is automatically a group manager of the group. (See Group Manager.) In addition to the group manager functions, a group owner may (a) add a new child group, (b) delete the group or any child group, (c) assign/deassign group owners to the group or any child group, and (d) assign/deassign group managers to the group or any child group. A group may have multiple group owners. A group owner of a parent group is automatically a group owner of all its child groups.

Group Role

A group role is an attribute of a group (and of the members of that group) that gets transmitted to VOMS; it has no meaning within the VO or VOMRS, per se. Group roles are attached to requests for extended proxies, which is one of the VOMS functions. Group roles may be used by LRPs to map users to local accounts. A Group Role is distinct from a Group Admin Role.

Institution

A university, laboratory or other body which participates in the VO's project and with which some of the VO's members are affiliated.

Institutional Expiration Date

The date on which a member's institutional affiliation expires.

KX.509

KX.509 is a client-side tool, developed at the University of Michigan, that extends the Kerberos authentication mechanism for use in Grids.

Local Resource Provider (LRP)

An LRP is a VO member associated with a particular grid site, who manages the authorization of VO members for a grid resource at the site. This authorization is one level finer than the site-level authorization managed by the site administrator.

LRP

See Local Resource Provider.

Member

Once an applicant's (see Applicant) request has been approved, the applicant becomes a VO member. At this point the member may be given additional roles in the VO and/or be assigned to groups. A member with full rights and appropriate authorization can use grid resources.

Member CA

The CA that issued a VO member's certificate (and DN).

Member DN

The DN of a VO member.

Membership Application

See Registration Form.

Membership Expiration Date

The date on which a member's VO membership expires.

Membership Rights

Membership rights represent the permissions granted to a VO member regarding use of grid resources. "Full" rights grant the member job processing rights (assuming authorization status permits) in addition to access to the VOMRS web UI; "limited" rights grant the user access to the VOMRS web UI only.

Membership Status

A field in the VOMRS indicating the standing a member has in the VO. (See New, Approved, Denied, Revoked, and Suspended.)

New (membership status and authorization status)

This status is given to applicants to the VO; it remains in effect until the applicant's request is processed and either approved or denied.

Notification

All VO members and applicants may elect to receive email notification automatically when particular fields change in the database. These changes are called "events"; the feature is called "subscribing to events"; and the emails sent are the "notification". The events to which you can subscribe depend upon your role and membership status. See Event and Subscription.

Phase

Authorization status has three "phases", meaning three levels of authorization for using grid resources. Each phase is tied to the role responsible for the corresponding level of authorization: (1) the representative grants a general, or global, authorization; (2) a site administrator grants authorization for a particular site; and (3) a local resource provider grants authorization for a given resource at a site. See Authorization Status, Local Resource Provider, Site Administrator and Representative.
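As an added illustration, not part of the VOMRS guide or its software, the following Python encodes the access conditions spelled out in the Authorization Status, Full Rights, Denied (authorization status) and Phase entries: an approved membership, a certificate in good standing, a VOMS record (full rights, not denied by the representative), and an Approved status in every authorization phase the deployment implements, checked in order. The class and function names and the sample DN are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Membership(Enum):
    NEW = "New"; APPROVED = "Approved"; DENIED = "Denied"
    REVOKED = "Revoked"; SUSPENDED = "Suspended"; EXPIRED = "Expired"


class Auth(Enum):
    NEW = "New"; APPROVED = "Approved"; DENIED = "Denied"


# Phase numbers as the glossary defines them.
REPRESENTATIVE, SITE_ADMIN, LRP = 1, 2, 3


@dataclass
class Member:                      # constructed model, not a VOMRS type
    dn: str
    membership: Membership
    full_rights: bool              # "full" rights vs. web-UI-only rights
    cert_in_good_standing: bool    # certificate status
    auth: dict = field(default_factory=dict)  # phase number -> Auth


def voms_record_present(m: Member) -> bool:
    """Full-rights members are entered into VOMS on membership approval;
    a Denied status in the representative phase removes the record."""
    return (m.membership is Membership.APPROVED and m.full_rights
            and m.auth.get(REPRESENTATIVE) is not Auth.DENIED)


def grid_access(m: Member, implemented_phases=(REPRESENTATIVE,)):
    """Return (allowed, reason) for a member's use of a grid resource.
    Only phase 1 is required by VOMRS itself; a deployment that also
    enforces phases 2 and/or 3 lists them in implemented_phases, and
    each listed phase must be Approved, lower phases first."""
    if m.membership is not Membership.APPROVED:
        return False, f"membership status is {m.membership.value}"
    if not m.cert_in_good_standing:
        return False, "certificate not in good standing"
    if not voms_record_present(m):
        return False, "no VOMS record (limited rights or phase 1 denied)"
    for phase in sorted(implemented_phases):
        status = m.auth.get(phase, Auth.NEW)
        if status is not Auth.APPROVED:
            return False, f"phase {phase} authorization is {status.value}"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed sample DN, not a real identity.
    m = Member("/DC=org/DC=example/CN=Constructed User", Membership.APPROVED,
               True, True, {REPRESENTATIVE: Auth.APPROVED, SITE_ADMIN: Auth.NEW})
    print(grid_access(m))                          # global phase only
    print(grid_access(m, (REPRESENTATIVE, SITE_ADMIN)))  # site phase pending
```

Adding SITE_ADMIN to implemented_phases turns the same member's "authorized" result into a refusal, which is the difference between a VO that relies on VOMRS alone and one that also enforces site-level approval.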

Phone

A phone number where a VO applicant or member can be reached, usually a work phone number.

Primary DN

The DN under which a member has registered with the VO.

Private Personal Information

Private personal information fields are not visible to other VO members and do not get transmitted out of the VOMRS system; only authorized VO Administrators and site administrators may access the information in these fields.

Proxy

See Grid Proxy.

Public Personal Information

Public personal information fields may get transmitted out of the VOMRS system; they may be viewed by VO members with appropriate roles, and may be sent out in notification email.

Registration

The process of requesting membership in the VO via the VOMRS system. This is done using the Registration form. (See Registration Form.)

Registration Form

The form used by VO applicants to register with the VO. VO administrators may use this form to register a third party.

Representative (role)

A representative is a VO member responsible for approving/denying applicants' requests for VO membership based on personal knowledge about each individual applicant's identity and institutional affiliation. In VOMRS a representative is not constrained to be affiliated with the same institution as the individual he or she represents.

Representative CA

The CA that issued the DN of a VO member's representative.

Representative DN

The DN of a VO member's representative.

Required Personal Information

Information that an applicant to the VO must provide in order to identify himself or herself to the VO. This information is stored for the duration of an individual's VO membership. Each individual information field is designated as public or private. (See Private Personal Information and Public Personal Information.)

Resource

See Grid Resource.

Revoked (membership status)

This status indicates that the VO member is in the CRL (certificate revocation list) of the CA that issued the member's certificate. Members with this status cannot perform any operations in the VOMRS and will be denied access to any grid resources.

Rights

See Membership Rights.

Role

A mapping of members to functions in which the permissions for performing particular functions in the VOMRS are grouped into a role. Each role gets assigned to designated VO members, thereby allowing them to perform the associated functions. In addition to the basic roles of Candidate, Applicant and Member, there are three categories of administrative roles: Group Admin, Grid Admin and VO Admin.

Role (pertaining to Group)

(See Group Role.)

Rules

(See Usage Rules.)

Secondary DN

A DN other than the DN you used to register with the VOMRS. (See Primary DN.) A secondary DN would be issued by a different CA than your primary, and to enter it into the VOMRS, the CA would need to be listed under Certificate Authorities. A secondary DN is also referred to as an alias.

Site (Grid Site)

Set of grid computing resources (compute and/or storage nodes) owned and managed by the same institution and by a single VO. There may be multiple computing resources within a site, and there may be multiple sites at a single institution.

Site Administrator

A site administrator, like an LRP, is associated with a particular grid site, and is responsible for granting VO members access to site resources (this authorization is one level higher than per-resource authorization, managed by the LRP). A site admin is responsible for maintaining the required site-specific personal information in VOMRS and may assign/deassign members as LRPs or as additional site administrators.

SN (certificate Serial Number)

The serial number associated with an X.509 certificate.

Status

See Membership Status and Authorization Status.

Subscription

"Subscription to events" is the mechanism VOMRS uses for notifying VO members of changes in the database. Members choose the events that they wish to monitor (they "subscribe" to these events), and then notification emails get sent to them as corresponding changes occur. Notifications go only to the notification email address. (See Event and Notification Email.)

Suspended (membership status)

This status indicates that the VO member is currently not in good standing in the VO. Members with this status cannot perform any operations in the VOMRS and are denied access to any grid resources.

Usage Rules

A set of grid usage rules that make up a computing resource's usage policy. VO members are required to agree to these rules.

Virtual Organization (VO)

A Virtual Organization consists of members that may come from many different home institutions, may have in common only a general interest or goal (e.g., CMS physics analysis), and may communicate and coordinate their work solely through information technology (hence the term virtual). In addition, individual members and/or institutions may join and leave the organization over time; sometimes VOs are called dynamic virtual organizations for this reason.

Virtual Organization Membership Service (VOMS)

The Virtual Organization Membership Service (VOMS) is a system that manages user authorization information for a VO. VOMS is designed to maintain only general information regarding the relationship of the user with his VO, e.g., groups he belongs to, roles he has been assigned, and certificate-related information. It maintains no personal identifying information. VOMS is part of VOX, but separate from the VOMRS.

Visitor

An individual who is not a member of a VO (nor candidate, nor applicant; see Candidate and Applicant), but who possesses a valid certificate from a CA trusted by the VO, automatically has the role of "visitor" with respect to the VO. A visitor may browse certain screens in VOMRS, and can access the application form.

VO

See Virtual Organization.

VO Administrator (role)

The VO administrator is responsible for maintaining the VOMRS, and as such may view and change all member-related information. This person can add and delete institutions, sites and CAs; can modify the personal information required by the VO for each member; and can assign/deassign roles to/from members (e.g., root group owner, site administrator). The VO administrator can assign/deassign this same role to/from other VO members.

VO Administrator Roles

VO Administrator roles include representative and VO administrator. People with these roles are responsible for the integrity of the VO, as maintained in the VOMRS. See Representative and VO Administrator.

VOM Registration Service (VOMRS)

The VOM Registration Service (VOMRS) is the major component of VOX. VOMRS is a server that provides the means for registering members of a VO, and coordination of this process among the various VO and grid resource administrators. It consists of a database to maintain user registration and institutional information, and a web UI for input of data into the database and manipulation of that data.

VOMRS

See VOM Registration Service.

VOMS

See Virtual Organization Membership Service.

VOMS eXtension (VOX)

The VOX project is an extension of the VOMS project. VOX maintains additional information (relative to VOMS) on each VO member as required by individual grid resource providers. VOX provides an interface for entering information, stores it in its database, and populates the VOMS database via the VOMS administration package.

VOX

See VOMS eXtension.

X.509

X.509 is a standard for public key certificates, the type of certificate generally used for authentication in the grid world. The X.509 standard defines what information can go into a certificate, and describes how to write it down (the data format).