June 24-25, 2008
Regional Grid Training, University of Belgrade, Serbia
Academic and Educational Grid Initiative of Serbia (AEGIS)

Introduction to gLite
gLite Basic Services

Antun Balaž
SCL, Institute of Physics Belgrade
Set of basic Grid services
- Job submission/management
- File transfer (individual, queued)
- Database access
- Data management (replication, metadata)
- Monitoring/Indexing system information
Multi-institution issues
[Diagram: two administrative domains, Domain A (Sub-Domain A1, Servers X and Y) and Domain B (Sub-Domain B1), each with its own Certification Authority and Policy Authority. A task that spans both domains faces a Trust Mismatch and a Mechanism Mismatch, because there is No Cross-Domain Trust.]
Why Grid security is hard
- Resources being used may be valuable & the problems being solved sensitive
  - Both users and resources need to be careful
- Dynamic formation and management of virtual organizations
  - Large, dynamic, unpredictable…
- VO resources and users are often located in distinct administrative domains
  - Can't assume cross-organizational trust agreements
  - Different mechanisms & credentials
Why Grid security is hard (2)
- Interactions are not just client/server, but service-to-service on behalf of the user
  - Requires delegation of rights by user to service
  - Services may be dynamically instantiated
- Standardization of interfaces to allow for discovery, negotiation and use
- Implementation must be broadly available & applicable
  - Standard, well-tested, well-understood protocols; integrated with a wide variety of tools
- Policies from sites, VOs and users need to be combined
  - Varying formats
- Want to hide as much as possible from applications!
Grid solution: use of VOs
[Diagram: the same two domains (Domain A with Sub-Domain A1 and Servers X, Y; Domain B with Sub-Domain B1), each still with its own Certification Authority and Policy Authority and No Cross-Domain Trust between them. A Virtual Organization Domain with a Federation Service is placed between them, and GSI is used so that a Task can span both domains.]
Effective policy governing access within a collaboration
Use delegation to establish dynamic distributed system
[Diagram: a VO, its Rights, a Service and two Computing Centers: the rights granted by the VO are delegated to a Service acting on the user's behalf across the Computing Centers.]
GSI implementation
[Diagram: the VO assigns Rights to its Users; Users delegate Rights' to Services (running on user's behalf), which may delegate Rights'' further, and the services Access a Compute Center. Authentication uses SSL/WS-Security with Proxy Certificates. Authorization is by Local Policy on VO identity or attribute authority (CAS or VOMS issuing SAML or X.509 ACs) through an Authz Callout. Credential sources shown: KCA and MyProxy.]
"Logging on" to the Grid
- To run programs, authenticate to the Grid:

    voms-proxy-init --voms VONAME
    Enter PEM pass phrase: ***************

- Creates a temporary, local, short-lived proxy credential for use by our computations
- Delegation = remote creation of a (second level) proxy credential, which allows a remote process to authenticate on behalf of the user
User view of the Grid
[Diagram: the user sees only the User Interface; the Grid services sit behind it.]
What really happens
[Diagram: the User interface performs Auth.&Auth. and submits the Job with its Input "sandbox" to the WMS. The WMS queries the File catalogue for DataSets info and the Information Service for SE & CE info, which the Storage Element and Computing Element Publish. The WMS passes the Job, the Input "sandbox" and Broker Info to the Computing Element. Job Submit Events and Job Status go to Logging & Book-keeping, which the user interface queries (Job Query / Job Status). The Output "sandbox" flows back from the Computing Element through the WMS to the User interface.]
Workload Management System (WMS)
- Distributed scheduling
  - multiple UIs where you can submit your job
  - multiple WMSs from where the job can be sent to a CE
  - multiple CEs where the job can be put in a queuing system
- Distributed resource management
  - multiple information systems that monitor the state of the grid
  - Information from SE, CE, sites
Authentication and Authorization
- Authentication
  - User obtains certificate from CA
  - Connects to UI by ssh
  - Downloads certificate
  - Invokes Proxy certificate
  - Single logon to UI, then Secure Socket Layer with proxy identifies user to other nodes
- Authorization (currently)
  - User joins Virtual Organisation
  - VO negotiates access to Grid nodes and resources (CE, SE)
  - Authorization tested by CE, SE: VOMS (or grid-mapfile) maps user to local accounts
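As an added example (not part of the original slides), a small Python model of the grid-mapfile step from the authorization slide, tied to the proxy credentials from the "Logging on" slide: the gatekeeper identifies the user from the proxy certificate, strips the extra CN components that voms-proxy-init and each delegation level append to the subject, and maps the resulting DN to a local account, failing closed for any DN not in the map. The sample map file, DNs and account names are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile (not taken from the slides). One entry per
# line: a quoted certificate subject DN, then one or more local account names
# separated by commas. A leading "." marks a pool-account group (".seegrid").
SAMPLE_GRIDMAP = '''# comments and blank lines are ignored
"/C=RS/O=AEGIS/OU=Institute of Physics/CN=Example User One" .seegrid
"/C=RS/O=AEGIS/OU=Example Site/CN=Example Admin" seegridsgm,.seegrid

this line is malformed and must be skipped
'''

# Trailing components that proxy certificates add to the end-entity subject:
# legacy Globus proxies append "/CN=proxy" or "/CN=limited proxy", RFC 3820
# proxies append "/CN=<serial digits>". Each delegation level adds one more.
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def end_entity_dn(subject: str) -> str:
    """Strip every proxy-level CN so the lookup uses the user's own identity."""
    while True:
        stripped = PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {DN: [accounts]}; malformed lines are skipped."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if m:
            entries[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return entries


def map_subject(gridmap: Dict[str, List[str]], subject: str) -> Optional[str]:
    """Return the first configured local account for a proxy subject, or None
    (fail closed) when the end-entity DN has no entry in the map."""
    accounts = gridmap.get(end_entity_dn(subject))
    return accounts[0] if accounts else None


def is_pool_account(account: str) -> bool:
    """Pool-account groups are written with a leading dot in the grid-mapfile."""
    return account.startswith(".")
```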
User Interface (UI)
- UI is the user's interface to the Grid: a command-line interface to
  - Proxy certificate
  - Job operations: submit a job, monitor its status, retrieve output
  - Data operations: upload file to SE, create replica, discover replicas
  - Other grid services
- To run a job, the user creates a JDL (Job Description Language) file
Computing Element (CE)
A CE is a grid batch queue with a "grid gate" front-end:
[Diagram: a Grid gate node running the Gatekeeper receives Job requests, performs A&A, reports to Logging (L&B) and to the Local Info system (Information system); behind it a Local resource management system (Condor / PBS / LSF master) feeds a homogeneous set of worker nodes.]
Storage Element (SE)
- Storage elements hold files: write once, read many
- Replica files can be held on different SEs: "close" to CE; share load on SE
- File Catalogue: what replicas exist for a file and where are they?
[Diagram: a Gatekeeper front-end with A&A, Event Logging (L&B) and Local Info System (Info system) reporting, receiving File transfer Requests over GridFTP to disk arrays or tapes.]
WMS (RB)
- Runs the Workload Management System
  - To accept job submissions
  - Dispatch jobs to the appropriate Compute Element (CE)
  - Allow users to get information about their status and to retrieve their output
- A configuration file on each UI node determines which WMS node(s) will be used
- When a user submits a job, JDL options are to:
  - Specify CE
  - Allow RB to choose CE (using optional tags to define requirements)
  - Specify SE (then RB finds "nearest" appropriate CE, after interrogating File catalogue service)
Logging and Bookkeeping
- Who did what and when? What's happening to my job?
- Usually runs on RB node

Information System
- Receives periodic (~5 min) updates from CE, SE
- Used by WMS (RB) node to determine resources to be used by a job
- Currently BDII is used
Lessons learned
- Grid structure is complicated but hidden from end-users, giving them all the comfort they need
- Users just need to join the VO and obtain certificates: we already have the SEE-GRID VO!
- Use of the Grid is then just as easy as the use of a computer cluster