Conceptual scheme and definition of terms

Perun is a broad system that provides user management and user-related services to various types of facilities (single machines, clusters, storage elements or even software licenses) in infrastructures of various sizes (from managing a single access to a software license to creating accounts in a cloud-like environment with thousands of CPUs).

Perun as a whole is built on virtual organizations (VOs), groups and facilities. Managers of these basic entities cooperate in Perun to achieve the desired results. Each of them uses a comprehensive GUI (or CLI) to manage their part of the duties.

In short, the facility manager provides resources to VOs and configures settings of these resources or the facility itself.

Key feature: As already mentioned, the facility manager only provides the resource to the VO and does not manage the users who use his facility. Since the facility manager is familiar with the VO's user policy and every VO member must agree with the policies, the facility manager has assurance that all users of his facility fulfill his requirements.

The VO manager manages the members of his VO and decides which groups under the VO can use the resources provided to the VO by the facility manager. Moreover, groups within the VO can be self-managed by having their own group manager, who can add and remove members in the group and edit an application form.

The application form is a highly customizable tool for managing users coming to the VO (or the group). Its content and required information are fully in the hands of the particular manager. How submitted forms are accepted is also up to the managers; it can be done manually or automatically.

Key feature: The application form is a great way to make user management easier. In the application form the user fills in all the data the manager needs, and by submitting the form the user agrees with terms of use and (defined by VO manager).

Groups often correspond to work roles. It is recommended to create groups that match roles (for example the groups managers, user support, maintenance); it is then easy to list, add or remove a resource accessible to the whole group.

When a new member is added to the group covering his work role, all the resources and access he needs to do his job become available to him. Another use case: when the VO manager adds a new member to a group, the member gains all the access available to the group's members.

To sum up, all users' settings are in one place and easy to manage via GUI or CLI. There is a high level of customization in nearly every aspect of user management. Moreover, the system is prepared to fit nearly any customer requirement (for example, a new service, a new attribute, etc.). Many processes in the system can also be done automatically, or not (depending on the managers' wishes). Together this creates a flexible and scalable role-based system for sharing resources.

Concept scheme definition

Virtual organization (VO) management

A VO has members and managers. The VO is the basic unit to which resources are assigned.

Resources management within VO

Resources are provided to a VO based on an agreement. There is no formal form for this agreement; the whole process depends on the mutual agreement of the VO manager and the facility manager.

Service management defines which types of resources are provided and assigns these resources to the VO that consequently uses them.

  • Management of configuration for services

Services in resources must be configured before the user can access any of them. Perun pushes configuration data to resources according to their configuration.

Basic terms description

An account shared among users - Service member

The service member is an account that is not based on a physical person's identity but is created in the system, and one or more users can be assigned to operate it. Apart from this, it works as a normal user with all of a user's rights.

Every service member account has a record stating:

  • that it is for service purposes
  • who is allowed to manipulate it (change the password, change the email)

For example: Regular backups of the system must be made, but it is unsafe to store backups in personal accounts. Moreover, several people are responsible for the backups, so the backups would be spread across several personal accounts. A service member solves this because all backups are stored in its storage space and all responsible people have access to it.

For example: If an application (Hudson in our case) needs access to the system via a username and password, it is unsafe to give it somebody's personal account, so providing a service member account is advisable.

Tutorial to create a service member.

Application form

The application form serves as a gate to a particular VO or group. It is a form created for users by the administrator of the VO or group. After the application form is filled in and approved, the user becomes a member of the particular VO. The approval process can be automatic or manual (approved by the VO manager). The new user must be verified by the IdP or information system of the organization.

Attributes - Attributes

Entities in Perun (e.g. facility, resource, service) and relations (member-resource, user-facility) can carry more information in the form of attributes. Attributes serve as supporting information for the services.

Example: The facility manager defines the list of shells available in the cluster as an attribute. The VO manager can select a shell from this list for his members. This list is saved as an attribute at a resource. Every single member can have a preferred shell that is saved as an attribute in the relation user-facility.

Attributes can store anything that needs to be propagated to the device. They can also be set by the user. Attributes have the type string, int or array of strings.

Evidence of facility - Hosts

Hosts serve as a record of where the facility is located. They are only a record; the destinations of services are taken from Destinations.

External identity resources - Ext_sources

An external identity resource is assigned to each user. This resource can be an identity provider, an LDAP, an organization's SQL database, the output of an information system, etc., and the primary user identity is taken from it.

External identity resources serve as proof that the user is a part of the real organization and therefore can access the resources and services.

External resources can serve as a condition for becoming a member of a Virtual Organization or of a group in the VO. Information from the external resource can be used for the automatic export of the user into the VO.

LoA (level of assurance) is a term connected with external resources, especially those of federations. LoA should be the same for all external identity providers; see Level of Assurance.

Facility owners - Owners

The contact for the facility manager. The VO manager uses it to contact him and make an agreement on gaining access to resources.

Groups - Groups

Groups can be created within the VO automatically based on some user property or manually based on the VO manager's decision. Groups serve to refine the internal structure of access to resources. They are groups and subgroups of members who are part of the VO. Every VO member is part of the group "Members" by default.

Perun services - Services

Perun services propagate data from the Perun database to the facility (clusters, data storage, etc.). Services create configuration files on clusters (e.g. /etc/passwd), populate Kerberos, update the list of accepted certificates, etc.

Services run automatically based on predefined events in the Perun system (e.g. a change of membership in a group, a new member in a VO, ...). Propagation can also be run manually.

Resources - Resources

The resource is a "bundle of services" provided by the owner of a physical device or software, e.g. one storage volume with its size and access protocols, the ability to submit jobs to specific queues (or use specific clusters), or the ability to use specific software.

The resource is one basic unit provided to VO on the basis of an oral or written agreement.

Resources are used by members. The VO manager sets access rights for members of the VO through the group system. The agreement between the VO manager and the facility manager sets the "maximal scope of use or limiting conditions" that cannot be exceeded by members of the VO.

Purpose of resource - Resource tags

Tags that mark special properties can be assigned to resources. (For example, the tag computational node means that the resource is used by users to compute their tasks, the tag service machine marks the resource as a machine for internal operations of the VO, etc.)

Service goals - Destinations

Many services create configuration files and propagate them to some goal. This goal can be a device, some special device, an email address or a URL to which the output of the service is delivered.

Types of resources - Facilities

The facility is an entity (PC, software, storage) existing in the real world, access to which needs to be managed by Perun. To provide access to a facility, a Resource must be created that provides the facility to a Virtual Organization.

A facility meets the following conditions:

  • its parts use the same technology and share configuration (e.g. they are NFSv4 volumes, they need an account on the local machines, etc.; Perun pushes its data coherently)
  • it has a single management (one manager responsible for all pieces that can be identified, e.g. data storage elements owned by CESNET).

On the other hand, a "service provided to the user", e.g. NFSv4 volumes exported from one physical storage to another, should be considered one facility, not several. Attributes are connected with facilities.

Users - Users

The user is an account in the Perun system that corresponds to a physical person (a physical person may have more than one account, but this is not recommended). At least one external identity is connected with the user.

Users in VO - Members

A member is a user in a particular VO. The relation between the user and the VO can contain attributes.

Virtual organization - VOs

A VO has members and managers. The VO is the basic unit to which resources are assigned. A VO is an organization of users who share specific goals and want to be managed by the VO manager. A VO can have specific requirements for access to resources, for user verification, etc. These requirements are specified in the VO policy.

User account states

Invalid
The user is a VO member, but some important information needed to propagate the services is missing. When all attributes are complete, the user can be switched to the state valid.

Valid
The user is a VO member and all necessary attributes are filled in.

Expired
Membership in the VO has expired; to return to the state valid, the user must apply for an extension.

Disabled
Access to all resources has been blocked by the member.
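
The entity model above, put together as an added example (not Perun's own code or API; all class and function names are hypothetical): it derives the accounts for one facility from the groups assigned to a resource, the shell attributes from the Attributes section, and the account states. Assumed here: only members in state Valid are propagated, and a member's preferred shell applies only if the VO manager selected it for the resource.

```python
from dataclasses import dataclass, field

@dataclass
class Member:                       # a user inside one VO
    login: str
    vo: str
    status: str = "VALID"           # VALID, INVALID, EXPIRED or DISABLED
    preferred_shell: str = ""       # user-facility attribute, set by the user

@dataclass
class Group:
    name: str
    vo: str
    members: list = field(default_factory=list)

@dataclass
class Resource:
    name: str
    vo: str                         # VO the resource was provided to
    shells: list                    # resource attribute, chosen by the VO manager
    groups: list = field(default_factory=list)

    def assign(self, group):
        if group.vo != self.vo:     # a VO manager can only assign the VO's own groups
            raise ValueError(f"group {group.name} is not part of VO {self.vo}")
        self.groups.append(group)

def accounts_for_facility(facility_shells, resources):
    """Return {login: shell} for the accounts to create on one facility."""
    accounts = {}
    for res in resources:
        if not res.shells or set(res.shells) - set(facility_shells):
            raise ValueError(f"{res.name}: shells must come from the facility list")
        for group in res.groups:
            for m in group.members:
                if m.status != "VALID":   # assumption: only Valid members are propagated
                    continue
                allowed = m.preferred_shell in res.shells  # assumed precedence rule
                accounts[m.login] = m.preferred_shell if allowed else res.shells[0]
    return accounts

def demo():
    # Constructed sample data, not taken from a real Perun instance.
    alice = Member("alice", "vo-a", preferred_shell="/bin/zsh")
    bob = Member("bob", "vo-a", preferred_shell="/bin/tcsh")  # not selected by the VO
    carol = Member("carol", "vo-a", status="EXPIRED")
    res = Resource("login-nodes", "vo-a", ["/bin/bash", "/bin/zsh"])
    res.assign(Group("support", "vo-a", [alice, bob, carol]))
    return accounts_for_facility(["/bin/bash", "/bin/tcsh", "/bin/zsh"], [res])
```

In the sample, bob falls back to the first shell the VO manager selected because his preference is offered by the facility but was not chosen for the resource, and carol gets no account because her membership has expired.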

Level of assurance

Level 1
E-mail address is verified.

Level 2
Identity and institution are verified.

Level 3
Level 1+ strict requirements to password quality and its use.