The Virtual Organization Membership Service (VOMS) is an Attribute Authority that asserts attributes for users, both in the form of X.509 Attribute Certificates and SAML Attribute Assertions.

It is actively developed within the Italian Grid community and released under the Apache 2.0 license.

VOMS is used in the Grid environment for authorisation purposes, serving as a central repository for Virtual Organization user authorisation information and providing support for organising users into group hierarchies, keeping track of their roles and other attributes.

The service follows an established client-server architecture and consists of:

  • The VOMS core service (vomsd), which accesses a database (e.g. MySQL) shared with the administrative service (voms-admin);
  • The VOMS-Admin tool, a web application used to manage users and their privileges within a VO;
  • Client tools and utilities (voms-proxy-init, voms-proxy-info, voms-proxy-destroy etc.) used to request a signed token (an Attribute Certificate compliant with RFC 3281) from a VOMS server; the token carries the attributes that a person holds in a certain VO and is usually embedded inside an X.509 Proxy Certificate;
  • APIs for attribute-based authorisation, available as Java and C/C++ bindings, enabling easy integration of VOMS-based authorisation in existing services.


The following figure shows the architectural design with VOMS-Admin (figure not reproduced here):
Features

VOMS is a tool that allows communities to independently manage their structure and membership. As such, VOMS provides the administrators with the ability to organise users in groups, so called virtual organisations (VO) and designate specific roles and custom attributes to users. VOMS Admin provides a GUI for registration and VO management. Users can request membership via the same GUI. An API is also available, thus VOMS can be used both programmatically and interactively. VOMS outputs can be used in a delegation workflow. VOMS mainly speaks X.509, but the VO membership can be queried through a SAML attribute query as well, although this feature is not used in production.
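The attributes a VOMS server asserts for a member (VO, group hierarchy, role, capability) are carried as Fully Qualified Attribute Names (FQANs) of the form `/<vo>[/<group>...][/Role=<role>][/Capability=<cap>]`, with the first FQAN in the Attribute Certificate being the primary one. The block below is an added illustration of attribute-based authorisation over such attributes; it is not code from VOMS, VOMS-Admin or any of the VOMS API bindings. It assumes only the FQAN syntax above, and the policy model (a list of `(pattern, grant)` pairs, where a trailing `*` group component matches any subgroup and `Role=*` matches any role) is this example's own convention, not a VOMS feature.

```python
"""Attribute-based authorisation over VOMS-style FQANs (added example, not VOMS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fqan:
    """One parsed FQAN. role/capability are None when absent or given as NULL."""
    vo: str
    groups: Tuple[str, ...]        # group path below the VO, e.g. ("production",)
    role: Optional[str]
    capability: Optional[str]

    @property
    def group_path(self) -> str:
        return "/" + "/".join((self.vo,) + self.groups)

    def __str__(self) -> str:
        # Canonical long form, as VOMS clients print it.
        return "%s/Role=%s/Capability=%s" % (
            self.group_path, self.role or "NULL", self.capability or "NULL")


def parse_fqan(text: str) -> Fqan:
    """Parse '/vo/group/.../Role=r/Capability=c'; reject malformed input."""
    text = text.strip()
    if not text.startswith("/"):
        raise ValueError("FQAN must start with '/': %r" % text)
    components = text[1:].split("/")
    groups: List[str] = []
    attrs = {"Role": None, "Capability": None}
    seen = set()
    for comp in components:
        if not comp:
            raise ValueError("empty path component in %r" % text)
        if "=" in comp:
            key, _, value = comp.partition("=")
            if key not in attrs or key in seen:
                raise ValueError("unexpected or repeated attribute %r in %r" % (comp, text))
            seen.add(key)
            attrs[key] = None if value in ("", "NULL") else value
        elif seen:
            # Group components may not follow Role=/Capability=.
            raise ValueError("group component after attributes in %r" % text)
        else:
            groups.append(comp)
    if not groups:
        raise ValueError("FQAN has no VO name: %r" % text)
    return Fqan(groups[0], tuple(groups[1:]), attrs["Role"], attrs["Capability"])


def fqan_matches(fqan: Fqan, pattern: str) -> bool:
    """Policy pattern semantics (this example's convention):
    - a VO of '*' matches any VO;
    - a last group component of '*' matches that group and every subgroup;
    - 'Role=*' / 'Capability=*' match any value; an absent Role/Capability in
      the pattern matches only FQANs that also lack it."""
    p = parse_fqan(pattern)
    if p.vo not in ("*", fqan.vo):
        return False
    if p.groups and p.groups[-1] == "*":
        prefix = p.groups[:-1]
        if fqan.groups[:len(prefix)] != prefix:
            return False
    elif fqan.groups != p.groups:
        return False
    if p.role != "*" and p.role != fqan.role:
        return False
    if p.capability != "*" and p.capability != fqan.capability:
        return False
    return True


def authorize(user_fqans: List[str], policy: List[Tuple[str, str]]) -> Optional[str]:
    """Return the grant of the first policy entry matching the user's attributes.
    The user's FQANs are tried in order so the primary FQAN takes precedence."""
    for fqan in (parse_fqan(f) for f in user_fqans):
        for pattern, grant in policy:
            if fqan_matches(fqan, pattern):
                return grant
    return None


# Constructed sample data (not output of a real VOMS server): attributes as a
# client would list them for a proxy, primary FQAN first, and a local policy.
SAMPLE_FQANS = [
    "/atlas/production/Role=pilot/Capability=NULL",
    "/atlas/Role=NULL/Capability=NULL",
]
SAMPLE_POLICY = [
    ("/atlas/production/Role=pilot", "atlaspilot"),
    ("/atlas/*/Role=production", "atlasprd"),
    ("/atlas/*", "atlas"),
]

if __name__ == "__main__":
    print(authorize(SAMPLE_FQANS, SAMPLE_POLICY))   # atlaspilot
```

The parser is strict on purpose: a group component after `Role=` or a repeated attribute is rejected rather than silently ignored, since an authorisation decision should never be taken on an attribute string the service does not fully understand.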

Supported standards

  • X.509, proxies (RFC 3820)
  • VOMS Attribute Certificate (OGF/GFD.182)
  • SAML2 (OASIS)
  • SOAP 1.2 (W3C)

User Interfaces and APIs

The VOMS-Admin tool is a web application for managing users and their privileges in the VO. Easy-to-use C/C++ and Java libraries are available for interacting with VOMS from existing services.

Support for Virtual Organisations

VOMS is the Virtual Organisation standard in the grid community (e.g. WLCG and EGI-based grids, but it is also available in Unicore-based grids).

Dependencies on other technologies

VOMS depends on an SQL database (MySQL by default) and on the Java virtual machine. It also relies heavily on OpenSSL.

Operational overview

A single VOMS service can support many VOs. Depending on the number of users and the load on the service, a VO may prefer to deploy its own instance, but it is more common for a service provider closely connected with the community to operate one VOMS service for many VOs. e-Infrastructures may also run central catch-all instances to support communities without requiring the VO to deploy its own.

VOMS can be deployed in a high-availability configuration: two instances can be configured to host the same VOs and replicate users' data, and clients can use either one transparently as an alternative.

Expected level of support

Due to the adoption of VOMS by many existing Grid infrastructures, support will continue, in terms of bug fixing and security support. However, support for new features is uncertain.
