Grid Computing: Globus Toolkit Security (farrell/grid06/lectures/grid14.pdf, 2006-09-28)
9/28/2006
Dept of Computer Science, Kent State University
Grid Computing Fall 2006, Paul A. Farrell
Grid Computing 1, Paul A. Farrell 2006
Globus Toolkit 4.0 - Part 2
Paul A. Farrell, Fall 2006
Grid Computing
Based on: Ian Foster, Globus Toolkit version 4 Tutorial, 1st Intl. Conf. on e-Science and Grid Computing, Melbourne, Australia, December 12, 2005
[Figure: Globus Toolkit v4 component overview (www.globus.org). Security: Authentication/Authorization, Community Authorization, Delegation, Credential Mgmt. Data Mgmt: GridFTP, Reliable File Transfer, Data Access & Integration, Data Replication, Replica Location. Execution Mgmt: Grid Resource Allocation & Management, Community Scheduling Framework, Workspace Management, Grid Telecontrol Protocol. Info Services: Index, Trigger, WebMDS. Common Runtime: Java Runtime, C Runtime, Python Runtime.]
Globus Toolkit: Security
Globus Security
• Control access to shared services
  – Address autonomous management, e.g., different policy in different work-groups
• Support multi-user collaborations
  – Federate through mutually trusted services
  – Local policy authorities rule
• Allow users and application communities to set up dynamic trust domains
  – Personal/VO collection of resources working together based on trust of user/VO
Virtual Organization (VO) Concept
[Figure: Organization A and Organization B, with Compute Servers C1, C2 and C3, File server F1 (disks A and B), and Persons A (Faculty), B (Staff), C (Student), D (Staff), E (Faculty) and F (Faculty). Virtual Community C draws Compute Server C1', File server F1 (disk A), Person A (Principal Investigator), Person B (Administrator), Person D (Researcher) and Person E (Researcher) from them.]
• VO for each application or workload
• Carve out and configure resources for a particular use and set of users
GT4 Security
[Figure: GT4 security overview. Users hold rights in a VO; local policy is applied on VO identity or attribute authority; CAS or VOMS issue SAML or X.509 attribute certificates; SSL/WS-Security with proxy certificates protects the connection; authorization callout via SAML or XACML; services running on the user's behalf access the compute center; KCA and MyProxy act as credential sources.]
GT4 Security
• Public-key-based authentication
• Extensible authorization framework based on Web services standards
  – Security Assertion Markup Language (SAML)-based authorization callout
    • As specified in GGF OGSA-Authz WG
  – Integrated policy decision engine
    • eXtensible Access Control Markup Language (XACML) policy language, per-operation policies, pluggable
• Credential management service
  – MyProxy (one-time password support)
• Community Authorization Service (CAS)
• Standalone delegation service
GT4’s Use of Security Standards
[Table comparing GT4’s security mechanisms; only the annotations survived extraction: "Supported, but slow", "Supported, but insecure", "Fastest, so default".]
GT-XACML Integration
• eXtensible Access Control Markup Language
  – OASIS standard, open source implementations
• XACML: sophisticated policy language
• Globus Toolkit ships with XACML runtime
  – Included in every client and server built on GT
  – Turned on through configuration
• … that can be called transparently from runtime and/or explicitly from application …
• … and we use the XACML "model" for our Authz Processing Framework
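An added illustration of the XACML-model authorization processing described above (example code written for these notes, not Globus code): the service's enforcement point asks a chain of pluggable policy decision points and combines their answers with deny-overrides and default deny. The DNs, VO attribute names and operation names are constructed.

```python
"""Policy-decision chain in the XACML model that the GT4 authorization
framework follows: the service's enforcement point (PEP) asks a chain of
pluggable policy decision points (PDPs) about every request.  Example
code for these notes, not Globus code; DNs, attributes and operation
names are constructed."""
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"  # this PDP holds no policy for the request

@dataclass(frozen=True)
class Request:
    subject_dn: str      # DN taken from the caller's proxy certificate chain
    vo_attrs: frozenset  # attributes asserted by CAS/VOMS (SAML or X.509 AC)
    operation: str       # WS operation name, e.g. "createManagedJob"

def gridmap_pdp(known_dns):
    """Local identity policy: only DNs in the site's grid-mapfile may call."""
    known = frozenset(known_dns)
    return lambda r: Decision.PERMIT if r.subject_dn in known else Decision.DENY

def revocation_pdp(revoked_dns):
    """Local override: a revoked DN is denied whatever its VO rights say."""
    revoked = frozenset(revoked_dns)
    return lambda r: Decision.DENY if r.subject_dn in revoked else Decision.NOT_APPLICABLE

def per_operation_pdp(required_attr):
    """Per-operation policy: a listed operation needs one VO attribute;
    unlisted operations are NotApplicable and left to the other PDPs."""
    def pdp(r):
        attr = required_attr.get(r.operation)
        if attr is None:
            return Decision.NOT_APPLICABLE
        return Decision.PERMIT if attr in r.vo_attrs else Decision.DENY
    return pdp

def pep_decide(chain, request):
    """XACML deny-overrides combining: any Deny wins, otherwise one Permit
    is needed; a request no PDP applies to is denied (default deny)."""
    decisions = [pdp(request) for pdp in chain]
    if Decision.DENY in decisions:
        return Decision.DENY
    return Decision.PERMIT if Decision.PERMIT in decisions else Decision.DENY

# Constructed site configuration for the demonstration.
CHAIN = [
    revocation_pdp(["/O=Grid/OU=ExampleVO/CN=mallory"]),
    gridmap_pdp(["/O=Grid/OU=ExampleVO/CN=alice", "/O=Grid/OU=ExampleVO/CN=mallory"]),
    per_operation_pdp({"createManagedJob": "vo:submit", "destroy": "vo:admin"}),
]
```

Operations that no per-operation policy lists fall through to the grid-mapfile decision alone, so a deployment that wants every operation gated by a VO attribute must list it.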
GT Authorization Framework
Other Security Services Include …
• MyProxy
  – Simplified credential management
  – Web portal integration
  – Single-sign-on support
• KCA & kx.509
  – Bridging into/out of Kerberos domains
• SimpleCA
  – Online credential generation
• PERMIS
  – Authorization service callout
[Figure: Globus Toolkit v4 component overview, repeated from above.]
Globus Toolkit: Data Management
GT4 Data Management
• Stage/move large data to/from nodes
  – GridFTP, Reliable File Transfer (RFT)
  – Alone, and integrated with GRAM
• Locate data of interest
  – Replica Location Service (RLS)
• Replicate data for performance/reliability
  – Distributed Replication Service (DRS)
• Provide access to diverse data sources
  – File systems, parallel file systems, hierarchical storage: GridFTP
  – Databases: OGSA-DAI
GridFTP in GT4
• 100% Globus code
  – No licensing issues
  – Stable, extensible
• IPv6 support
• XIO for different transports
• Striping multi-Gb/sec wide area transport
  – 27 Gbit/s on 30 Gbit/s link
• Pluggable
  – Front-end: e.g., future WS control channel
  – Back-end: e.g., HPSS, cluster file systems
  – Transfer: e.g., UDP, NetBLT transport
[Figure: Bandwidth (Mbps, 0 to 20000) against degree of striping (0 to 70) for 1, 2, 4, 8, 16 and 32 streams; disk-to-disk on TeraGrid.]
Reliable File Transfer: Third Party Transfer
[Figure: an RFT client sends SOAP messages to the RFT service (optional notifications flow back); the RFT service drives two GridFTP servers over their control channels (protocol interpreter, master DSI), each of which hands work over an IPC link to a slave DSI, and the data moves directly between the two servers over the data channel.]
• Fire-and-forget transfer
• Web services interface
• Many files & directories
• Integrated failure recovery
• Has transferred 900K files
Replica Location Service
• Identify location of files via logical to physical name map
• Distributed indexing of names, fault tolerant update protocols
• GT4 version scalable & stable
  – Managing ~40 million files across ~10 sites
[Figure: local databases sending Bloom-filter updates to two index servers. The accompanying table (columns Local DB, Bloom filter (bits), Bloom filter (secs), Update send (secs)) lost its cell alignment in extraction; the raw rows read "50 M 175 75 M", "10 M 24 21 M" and "1 M 2 <1 10K".]
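The Bloom-filter summaries that local catalogs send to the index, as an added example (written for these notes, not Globus code): a site compresses its logical file names into a bit array, the index answers "which sites may hold this name?" with possible false positives but no false negatives. The filter sizing formulas, site names and file names are constructed.

```python
"""Bloom-filter index in the style RLS uses: each local replica catalog
(LRC) summarises the logical file names (LFNs) it holds as a bit array
and sends that to the index, which answers "which sites may hold this
LFN?" with possible false positives but never false negatives.  Example
code for these notes, not Globus code; sizes and names are constructed."""
import hashlib
import math

class BloomFilter:
    def __init__(self, n_expected, fp_rate=0.01):
        # Standard sizing: m bits and k hash functions for a target false-positive rate.
        self.m = max(8, math.ceil(-n_expected * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_expected * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key):
        # Double hashing: two halves of one SHA-256 digest drive the k positions.
        d = hashlib.sha256(key.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, key):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(key))

class ReplicaIndex:
    """RLI-style index: one Bloom filter per site, replaced on each site update."""
    def __init__(self):
        self.filters = {}

    def update_from_site(self, site, lfns, fp_rate=0.01):
        bf = BloomFilter(max(1, len(lfns)), fp_rate)
        for lfn in lfns:
            bf.add(lfn)
        self.filters[site] = bf

    def candidate_sites(self, lfn):
        """Sites that may hold lfn; a client still confirms with each site's LRC."""
        return sorted(s for s, bf in self.filters.items() if bf.might_contain(lfn))

def demo():
    """Two constructed sites with overlapping 1,000-name catalogs."""
    index = ReplicaIndex()
    index.update_from_site("siteA", [f"lfn://ligo/frame-{i}.gwf" for i in range(1000)])
    index.update_from_site("siteB", [f"lfn://ligo/frame-{i}.gwf" for i in range(500, 1500)])
    # Probe 10,000 names no site holds: every hit is a false positive.
    false_pos = sum(bool(index.candidate_sites(f"lfn://ligo/frame-{i}.gwf"))
                    for i in range(2000, 12000))
    return index.candidate_sites("lfn://ligo/frame-750.gwf"), false_pos
```

At the 1% target rate about 1 in 100 probes per site is a false hit, which is why a client must confirm against the site's local catalog before trusting the index.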
Reliable Wide Area Data Replication
[Figure: LIGO Gravitational Wave Observatory replication sites, among them Cardiff, AEI/Golm and Birmingham.]
• Replicating >1 Terabyte/day to 8 sites
• >30 million replicas so far
• MTBF = 1 month
OGSA-DAI
• Provide service-based access to structured data resources as part of Globus
• Specify a selection of interfaces tailored to various styles of data access—starting with relational and XML
The OGSA-DAI Framework
[Figure: an application uses the client toolkit to call the OGSA-DAI service; its engine runs activities (SQLQuery, XPath, readFile, XSLT, GZip, GridFTP) over data resources reached through JDBC (MySQL, DB2, SQL Server databases), XMLDB (Xindice) and files (SWISSPROT).]
Extensibility Example
[Figure: a MultipleSQL GDS activity inside the OGSA-DAI engine fans one SQLQuery out over several JDBC/SQL data resources (MySQL among them).]
OGSA-DAI: A Framework for Building Applications
• Supports data access, insert and update
  – Relational: MySQL, Oracle, DB2, SQL Server, Postgres
  – XML: Xindice, eXist
  – Files: CSV, BinX, EMBL, OMIM, SWISSPROT, …
• Supports data delivery
  – SOAP over HTTP
  – FTP; GridFTP
  – E-mail
  – Inter-service
• Supports data transformation
  – XSLT
  – ZIP; GZIP
• Supports security
  – X.509 certificate based security
OGSA-DAI: Other Features
• A framework for building data clients
  – Client toolkit library for application developers
• A framework for developing functionality
  – Extend existing activities, or implement your own
  – Mix and match activities to provide functionality you need
• Highly extensible
  – Customise our out-of-the-box product
  – Provide your own services, client-side support, and data-related functionality
[Figure: Globus Toolkit v4 component overview, repeated from above.]
Globus Toolkit: Execution Management
Execution Management (GRAM)
• Globus Resource Allocation Manager (GRAM)
  – Lowest level of Globus resource management architecture
  – For stateful job control
• Common WS interface to schedulers
  – Unix, Condor, LSF, PBS, SGE, …
• More generally: interface for process execution management
  – Lay down execution environment
  – Stage data to/from environment
  – Monitor & manage lifecycle
  – Signal important state changes to client
  – Kill it, clean up
GT4 WS GRAM
• 2nd-generation WS implementation optimized for performance, flexibility, stability, scalability
• Changed to be WSRF compliant
  – There is no backward compatibility between 4.0 and 3.2
• Streamlined critical path
  – Use only what you need
• Flexible credential management
  – Credential cache & delegation service
• GridFTP & RFT used for data operations
  – Data staging & streaming output
  – Eliminates redundant GASS code
GT WS GRAM
• Submit job securely - PKI authorization
• Execute job securely
  – User account sandboxing
  – Initialization of credentials
  – Multiple levels of audit (container / sudo / local scheduler)
• Sudo / auth_and_exec
  – Limit damage due to software failures
  – Improve audit capabilities
GT4 WS GRAM Architecture
[Figure: a client delegates credentials to the Delegation service in the GT4 Java container and calls the GRAM services' job functions; GRAM sends transfer requests to the RFT file transfer service, which drives GridFTP (FTP control, FTP data) against remote storage elements and the compute element; GRAM performs local job control through sudo and a GRAM adapter to the local scheduler, which runs the user job; the SEG reports job events. Service host(s) and compute element(s) may be separate machines.]
GT4 WS GRAM Architecture (same figure, annotated)
• Delegated credential can be: made available to the application
GT4 WS GRAM Architecture (same figure, annotated)
• Delegated credential can be: used to authenticate with RFT
GT4 WS GRAM Architecture (same figure, annotated)
• Delegated credential can be: used to authenticate with GridFTP
GRAM
• Client job invocation using GRAM
  – Uses set of WSDL documents and client interfaces for submitting, monitoring, and terminating a job
  – Can use Resource Specification Language (RSL), marked up in XML, to describe the job to be run, e.g.
    • name of the executable
    • the working directory
    • input and output storage
    • queue to run in
• Can submit using command line or WSDL interface
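The "execute job securely / user account sandboxing" point from the GT WS GRAM slide above and the RSL job description on this slide, served by one added example (written for these notes, not Globus code): a server-side check that the paths named in a submitted RSL document stay inside the sandboxed account before the job reaches the local scheduler. The <job> child element names, the sandbox root and the sample job are assumptions constructed for the demonstration.

```python
"""Server-side sanity check on a WS GRAM job description (RSL in XML)
before it is handed to the local scheduler: the working directory and
the stdin/stdout/stderr files must stay inside the sandboxed user's
area.  Example code for these notes, not Globus code; the RSL element
names and the sandbox root are assumptions for the demonstration."""
import posixpath
import xml.etree.ElementTree as ET

# Constructed RSL: a single-process job as a client might submit it.
SAMPLE_RSL = """<job>
  <executable>/bin/echo</executable>
  <directory>/home/alice/run1</directory>
  <argument>hello</argument>
  <stdout>/home/alice/run1/out.txt</stdout>
  <stderr>../../bob/out.txt</stderr>
  <queue>batch</queue>
</job>"""

PATH_ELEMENTS = ("directory", "stdin", "stdout", "stderr")

def parse_rsl(text):
    """Return {element: text} for the single-valued elements of an RSL <job>."""
    root = ET.fromstring(text)
    if root.tag != "job":
        raise ValueError("expected a <job> document, got <%s>" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}

def resolve(path, base):
    """Relative paths resolve against base; '..' segments are normalised away."""
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(base, path))

def check_sandbox(job, sandbox_root):
    """Return a list of violations; empty means every path stays in the sandbox."""
    root = posixpath.normpath(sandbox_root)
    workdir = resolve(job.get("directory", root), root)
    problems = []
    for name in PATH_ELEMENTS:
        if name not in job:
            continue
        # The job directory resolves against the sandbox; I/O files against the job directory.
        full = resolve(job[name], root if name == "directory" else workdir)
        if full != root and not full.startswith(root + "/"):
            problems.append("%s escapes sandbox: %s -> %s" % (name, job[name], full))
    return problems
```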
GRAM (ctd.)
• WSDL Interface
  – Uses ManagedJobFactory portType
  – Creates
    • Managed Executable Job Resource (MEJR) to execute single process specified in RSL
    • Managed Multi Job Resource (MMJR) to execute multi-jobs specified in RSL
  – Variants of the Managed Job Service (MJS)
    • Input is initial termination time, Job ID, possible subscription to notifications, specification of single or multiple jobs
    • Output is managed job EPR, and notification EPR
    • MJS will handle notifications and cleanup on termination/destroy
WS GRAM Performance
• Time to submit a basic GRAM job
  – Pre-WS GRAM: < 1 second
  – WS GRAM: 2 seconds
• Concurrent jobs
  – Pre-WS GRAM: 300 jobs
  – WS GRAM: 32,000 jobs
• Various studies are underway to test latest software
GT4 WS GRAM Performance
[Figure: sustained job load per client thread (N = 1, 2, 4, … 128) against number of client threads (M = 1, 2, 4, … 128); all numbers are simple jobs/minute, no delegation or staging. The per-cell values did not survive extraction.]
Workspace Service: The Hosted Activity
[Figure: a client, through an interface and subject to policy, asks a resource provider to allocate/provision and configure an environment, then initiates, monitors and controls an activity hosted in it.]
For Example …
[Figure: layered provisioning: procure hardware (physical machine), deploy hypervisor/OS, deploy virtual machines, deploy container (JVM), deploy service; provisioning, management, and monitoring at all levels.]
Virtual Machine Costs
[Figure: time in seconds (0 to 12) for a GRAM job, a GRAM job in a paused VM, and a job in a booted VM, broken into VM setup, VM boot, job setup and GRAM job phases; bar values as extracted: 8, 8, 8, 0.7, 0.7, 1.7, 0.8, 0.8.]
Dynamic Service Deployment
[Figure: Community A … Community Z, each deploying its own services: community scheduling logic, data distribution, community management, science services, …]
• Requirements:
  – Community control
  – Persistence
  – Resource guarantees
  – Non-interference
Activities Can Be Nested
[Figure: the hosted-activity pattern (client, interface, policy, environment, resource provider) with further clients nested inside the environment.]
Virtual Machine Costs
[Figure repeated from above: GRAM job, GRAM job in paused VM, job in booted VM; time in seconds.]
Virtual OSG Clusters
[Figure: an OSG cluster hosted on Xen hypervisors running on a TeraGrid cluster.]
Globus Toolkit: Info Services
[Figure: Globus Toolkit v4 component overview, repeated from above.]
Monitoring and Discovery
• "Every service should be monitorable and discoverable using common mechanisms"
  – WSRF/WSN provides those mechanisms
• A common aggregator framework for collecting information from services, thus:
  – MDS-Index: XPath queries, with caching
  – MDS-Trigger: perform action on condition
  – (MDS-Archiver: XPath on historical data)
• Deep integration with Globus containers & services: every GT4 service is discoverable
  – GRAM, RFT, GridFTP, CAS, …
GT4 Monitoring & Discovery
[Figure: GT4 containers hosting GRAM, RFT and MDS-Index register automatically in the container (WS-ServiceGroup) and are reached through WSRF/WSN registration and access; non-WSRF entities such as GridFTP are reached through an adapter using custom protocols; clients (e.g., WebMDS) and users query the MDS-Index.]
Index Server Performance
• As the MDS4 Index grows, query rate and response time both slow, although sublinearly
• Response time slows due to increasing data transfer size
  – Full Index is being returned
  – Response is re-built for every query
• Real question: how much over simple WS-N performance?
Information Providers
• GT4 information providers collect information from some system and make it accessible as WSRF resource properties
• Growing number of information providers
  – Ganglia, CluMon, Nagios
  – SGE, LSF, OpenPBS, PBSPro, Torque
• Many opportunities to build additional ones
  – E.g., network monitoring, storage systems, various sensors
GT4 Summary
[Figure: on the server side, Java services in Apache Axis plus GT libraries and handlers (RFT, GRAM, Delegation, Index, Trigger, Archiver, your Java service), Python hosting with GT libraries (pyGlobus WS Core, your Python service), and C services using GT libraries and handlers (C WS Core, RLS, Pre-WS MDS, CAS, Pre-WS GRAM, SimpleCA, MyProxy, OGSA-DAI, GTCP, GridFTP, your C service); clients written in Java, C or Python talk to them over interoperable WS-I-compliant SOAP messaging; X.509 credentials = common authentication.]
GT4 Documentation is Much Improved: http://www.globus.org/toolkit/docs/4.0/