June 24-25, 2008

Regional Grid Training, University of Belgrade, Serbia

Acad

em

ic a

nd E

ducat ional Gr id Init iat ive o

f Serbia

A E G I S

Introduction to gLiteIntroduction to gLite

gLite Basic ServicesgLite Basic Services

Antun BalažSCL, Institute of Physics Belgrade

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Set of basic Grid Set of basic Grid servicesservices

Job submission/management File transfer (individual, queued) Database access Data management (replication,

metadata) Monitoring/Indexing system

information

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Multi-institution Multi-institution issuesissues

Trust Mismatch

Mechanism Mismatch

CertificationAuthority

CertificationAuthority

Domain A

Server X Server Y

PolicyAuthority

PolicyAuthority

Task

Domain B

Sub-Domain A1 Sub-Domain B1

No Cross-

Domain Trust

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Why Grid security is hardWhy Grid security is hard

Resources being used may be valuable & the problems being solved sensitive- Both users and resources need to be careful

Dynamic formation and management of virtual organizations- Large, dynamic, unpredictable…

VO Resources and users are often located in distinct administrative domains- Can’t assume cross-organizational trust agreements- Different mechanisms & credentials

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Why Grid security is hard Why Grid security is hard 22 Interactions are not just client/server,

but service-to-service on behalf of the user- Requires delegation of rights by user to service- Services may be dynamically instantiated

Standardization of interfaces to allow for discovery, negotiation and use

Implementation must be broadly available & applicable- Standard, well-tested, well-understood protocols; integrated with wide variety of tools

Policy from sites, VO, users need to be combined- Varying formats

Want to hide as much as possible from applications!

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Grid solution: use of VOsGrid solution: use of VOs

Certification

Domain A

Server X Server Y

PolicyAuthority

PolicyAuthority

TaskDomain B

Sub-Domain A1

GSI

CertificationAuthority

Sub-Domain B1

Authority

FederationService

VirtualOrganization

Domain

No Cross-

Domain Trust

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Effective policy governing Effective policy governing access within a access within a collaborationcollaboration

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Use delegation to establish Use delegation to establish dynamic distributed systemdynamic distributed system

ComputingCenter

VO

Rights

ComputingCenter

Service

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

GSI implementationGSI implementation

ComputeCenter

SSL/WS-Securitywith ProxyCertificates

VO

RightsVO

Users

Services (runningon user’s behalf)

Rights’’

Rights’

Access

Local Policyon VO identityor attributeauthority

CAS or VOMSissuing SAMLor X.509 ACs

Authz Callout

KCA

MyProxy

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

““Logging on” to the GridLogging on” to the Grid

To run programs, authenticate to Grid:voms-proxy-init –voms VONAMEEnter PEM pass phrase: ***************

Creates a temporary, local, short-lived proxy credential for use by our computations

Delegation = remote creation of a (second level) proxy credential, which allows remote process to authenticate on behalf of the user

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

User view of the GridUser view of the Grid

User Interface

Grid services

User Interface

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

What really happensWhat really happensFileFilecataloguecatalogue

Logging &Logging &Book-keepingBook-keeping

WMSWMS

StorageStorageElementElement

ComputingComputingElementElement

Information Information ServiceService

Job Status

DataSets info

Auth.&Auth.

Job

Su

bm

it Even

t

Job

Q

uery

Job S

tatu

s

Input“sandbox”

Input “sand

box”

+Broker Info

Outp

ut “san

dbox”

Output“sandbox”

Pu

blis

h

SE & CE info

User User interfaceinterface

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Workload Management Workload Management System (WMS)System (WMS)

Distributed scheduling multiple UIs where you can submit your job multiple WMSs from where the job can be

sent to a CE multiple CEs where the job can be put in a

queuing system

Distributed resource management multiple information systems that monitor the

state of the grid Information from SE, CE, sites

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Authentication and Authentication and AuthorizationAuthorization Authentication

User obtains certificate from CA Connects to UI by ssh Downloads certificate Invokes Proxy certificate Single logon – to UI - then Secure Socket

Layer with proxy identifies user to other nodes

Authorization - currently User joins Virtual Organisation VO negotiates access to Grid nodes and

resources (CE, SE) Authorization tested by CE, SE: VOMS (or

grid-mapfile) maps user to local accounts

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

User Interface (UI)User Interface (UI) UI is the user’s interface to the Grid -

Command-line interface to Proxy certificate Job operations

To submit a job Monitor its status Retrieve output

Data operations Upload file to SE Create replica Discover replicas

Other grid services To run a job user creates a JDL (Job

Description Language) file

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Computing Element Computing Element (CE)(CE)

Homogeneous set of worker nodes

Grid gate node

Local resource management system:Condor / PBS / LSF master

Gatekeeper

Job request

Loc. Info system

Logging

A&A

Information system

L&B

A CE is a grid batch queuewith a “grid gate” front-end:

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Storage Element (SE)Storage Element (SE) Storage elements hold files: write once, read many Replica files can be held on different SE:

“close” to CE; share load on SE File Catalogue - what replicas exist for a file and where

are they?

Loc. InfoSystem

EventLogging

A&A

GridFTP

Disk arrays or tapesDisk arrays or tapes

Info system

L&B

Gatekeeper

File transfer Requests

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

WMS (RB)WMS (RB) Run the Workload Management System

To accept job submissions Dispatch jobs to appropriate Compute Element (CE) Allow users

To get information about their status To retrieve their output

A configuration file on each UI node determines which WMS node(s) will be used

When a user submits a job, JDL options are to: Specify CE Allow RB to choose CE (using optional tags to define

requirements) Specify SE (then RB finds “nearest” appropriate CE,

after interrogating File catalogue service)

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Logging and Logging and BookkeepingBookkeeping

Who did what and when? What’s happening to my job? Usually runs on RB node

Information SystemInformation System Receives periodic (~5 min) updates from CE, SE Used by WMS (RB) node to determine resources

to be used by a job Currently BDII is used

Regional Grid Training, University of Belgrade, Serbia

A E G I S

June 24-25, 2008

Lessons learnedLessons learned

Grid structure is complicated but hidden from end-users, enabling all the comfort they need

Users just need to join the VO and obtain certificates: we already have the SEE-GRID VO!

Use of Grid is then just as easy as the use of a computer cluster