Just a quick note to thank the prompt action of the VOMS team in this issue. Considering the many emails users were getting (and we were getting from them), they took care of re-enabling all our suspended users!

Hopefully next time users will get notified on time that they have to renew their membership and this problem will not happen anymore.

Cheers

Alexandre

It's through feedback like this that we can enhance the existing tools and services, so first thanks for raising the problem and letting us know of the issues for your users.
We are now following up the issue in detail through the GGUS user support tool (the helpdesk is the tool to be used to get specialized support from the operators and the software providers) , but I would like to touch upon a broader topic that is relevant to the incident you reported, which is the current membership renewal policy and its support in VOMS.

Membership renewal and reaffirmed approval of the AUP are two distinct aspects. I'll just focus on the first, which is where the incident started.

VO membership is one of the main pillars on which secure access to resources rests.

Secure access to resources is very important to both our users who need access to resources, and to the managers of those resources who are responsible for resource access authorization, and for providing a secure environment to resource users. We also need to support VO managers, who need policies, procedures and tools that can support VOs regardless of their scale.

The policy for membership renewal is defined in the VO membership management policy. Having been in place for several years, it  takes on board the interests of both consumers and providers of resources, so that access is provided to users who are truly authorized by their research community. You are right in saying that while providing a secure environment, VO management procedures should give access to authorised users as simply as possible.

The current VO membership renewal policy currently says that the renewal process must include:
1- "Confirmation, by the VO Manager, that continued membership of VO is still allowed".
2. "Confirmation or update of all data provided during registration and all special authorisations"
3. "Reaffirmed acceptance by the user of the Grid Acceptable Use Policy and the VO Acceptable Use Policy."
4. "Membership of the VO must be renewed at least every 12 months. Additionally all members of the VO should renew following a major change to the Grid Acceptable Use Policy".

Point (1) implies that a user does not decide by themselves to extend membership: the responsibility for deciding if membership can be extended is owned by the VO manager. For, example users of an expired project/collaboration may no longer be authorized to access resources, and the VO manager needs to confirm which users are still authorised members. How to improve this?

Both the policy and the tools implementing it may be revised.
- The policy could be changed so that duration of membership is no longer mandatory (point 4), but is configurable by the VO manager (the default could still be 12 months). Discussion of a such a change would need to involve resource providers, users and security experts.
- Even with the existing policy, the mechanism for membership renewal could be improved. Renewal of membership could be triggered by the user instead of the VO manager. By notifying the user about the expiring membership (for example 2 weeks before the deadline), users interested in extending the membership could notify the VO manager by  re-signing the AUP. Then, the VO manager could be notified about users willing to extend the membership, and could accept/reject requests.
- The default time to accept a new AUP in the tool could be extended from 24 hours to something like 2 weeks (but the time is already configurable in VOMS admin system and the VO managers may already extend this time if they wish to give users more time to respond).
- Search of suspended users for revocation of suspension should be supported by the tool.

These are some ideas on how to improve membership renewal. I'm sure other approaches/solutions are also possible. I suggest we discuss this with other Virtual Research Communities, the security policy group and the developers, so that we can reach community consensus on how to improve the user experience while maintaining secure access to the resources.

Tiziana

If EGI is making true its goal to serve a much larger user community in the future, increasing its user base from the current ~18'000 to 180'000 or even more (wouldn't that be nice!), changes in policy and tools is a must and Tiziana has been suggesting a few based on the feedback we provided on this particular problem:

- The policy could be changed so that duration of membership is no longer mandatory (point 4), but is configurable by the VO manager (the default could still be 12 months). Discussion of a such a change would need to involve resource providers, users and security experts.

Why not by default trust our users? Now the current policies seem to make everyone a suspect. Extending or relaxing the duration would be a good move.

- Even with the existing policy, the mechanism for membership renewal could be improved. Renewal of membership could be triggered by the user instead of the VO manager.

It seems to me this should really be the default. Has any physics VO with a few thousands users encountered the same problem? I can't see how VO manager could monitor the memberships of so many users...

By notifying the user about the expiring membership (for example 2 weeks before the deadline), users interested in extending the membership could notify the VO manager by  re-signing the AUP. Then, the VO manager could be notified about users willing to extend the membership, and could accept/reject requests.

Please implement this as soon as possible.

- The default time to accept a new AUP in the tool could be extended from 24 hours to something like 2 weeks (but the time is already configurable in VOMS admin system and the VO managers may already extend this time if they wish to give users more time to respond).

If it is that simple, then please change the default to two weeks in the next distribution. 24 hours is clearly not reasonable. Most user complains we received were not about having to renew their membership, but rather about the ridiculously short deadline for this. Remember you need to access the VOMS server from a browser containing your certificate, which you might not always have at hand. And of course, access should be smooth from all devices, including mobile devices these days.

- Search of suspended users for revocation of suspension should be supported by the tool.

Add to that sorting users based on their expiration date to facilitate life of VO managers.

I would say, let's start this policy and tools discussion in a broader context!

Alexandre

Just a note - if, per chance, you decide to change the AUP to another version and you increment the version number, you should disable the ability for users to register with the VOMS BEFORE incrementing the value, thus preventing members from having to sign the AUP.  

This can be done by setting 'voms.request.webui.enabled = false'  in the voms.service.properties file, and re-deploy the voms-admin instance for that VO.  

Then, go through and re-sign the AUP for everyone before setting  'voms.request.webui.enabled = true' and again re-deply the instance.

Cheers!

Dan

yocum@fnal.gov

 Yes, VOMRS is nice for sending notifications that members need to re-sign the AUP.  Tanya does good work.  And she brings us chocolate (bonus!).  

You mentioned there are 2 other products that fulfill the VOMS-Admin role - what are they?

Thanks,

Dan

yocum@fnal.gov