grid computing globus toolkit: securityfarrell/grid06/lectures/grid14.pdf · 2006-09-28 ·...

9/28/20069/28/2006

Dept of Computer ScienceDept of Computer ScienceKent State UniversityKent State University 11

Grid Computing Fall 2006Paul A. Farrell

Grid Computing 1Paul A. Farrell 2006

Globus Toolkit 4.0 - Part 2

Paul A. FarrellFall 2006

Grid Computing

Based on

Ian Foster, Globus Toolkit version 4Tutorial, 1st Intl. Conf. on e-Science and Grid Computing, Melbourne, Australia, December 12, 2005


Data Mgmt

Security CommonRuntime

Execution Mgmt

Info Services

GridFTPAuthenticationAuthorization

ReliableFile

Transfer

Data Access& Integration

Grid ResourceAllocation &Management

Index

CommunityAuthorization

DataReplication

CommunitySchedulingFramework

Delegation

ReplicaLocation

Trigger

Java Runtime

C Runtime

Python RuntimeWebMDS

WorkspaceManagement

Grid Telecontrol

Protocol

Globus Toolkit v4www.globus.org

CredentialMgmt

Globus Toolkit: Security


Globus Security

• Control access to shared services– Address autonomous management, e.g., different policy in

different work-groups

• Support multi-user collaborations– Federate through mutually trusted services– Local policy authorities rule

• Allow users and application communities to set up dynamic trust domains– Personal/VO collection of resources working together based

on trust of user/VO


Organization A Organization B

Compute Server C1Compute Server C2

Compute Server C3

File server F1 (disks A and B)

Person C(Student)

Person A(Faculty)

Person B(Staff) Person D

(Staff)Person F(Faculty)

Person E(Faculty)

Virtual Community C

Person A(Principal Investigator)

Compute Server C1'

Person B(Administrator)

File server F1 (disk A)

Person E(Researcher)

Person D(Researcher)

Virtual Organization (VO) Concept

• VO for each application or workload• Carve out and configure resources for a particular use

and set of users

9/28/20069/28/2006




GT4 Security

VO

RightsUsers

Rights’

ComputeCenter

Access

Services (runningon user’s behalf)

Rights

Local policyon VO identityor attributeauthority

CAS or VOMSissuing SAMLor X.509 ACs

SSL/WS-Securitywith ProxyCertificates

Authz Callout:SAML, XACML

KCA

MyProxy


GT4 Security• Public-key-based authentication • Extensible authorization framework based on Web

services standards– Security Assertion Markup Language (SAML)-based

authorization callout• As specified in GGF OGSA-Authz WG

– Integrated policy decision engine• eXtensible Access Control Markup Language (XACML)

policy language, per-operation policies, pluggable

• Credential management service– MyProxy (One time password support)

• Community Authorization Service (CAS)• Standalone delegation service


GT4’s Use of Security Standards

Supported, Supported, Fastest, but slow but insecure so default


GT-XACML Integration

• eXtensible Access Control Markup Language– OASIS standard, open source implementations

• XACML: sophisticated policy language• Globus Toolkit ships with XACML runtime

– Included in every client and server built on GT– Turned-on through configuration

• … that can be called transparently from runtime and/or explicitly from application …

• … and we use the XACML-”model” for our Authz Processing Framework

9/28/20069/28/2006




GT Authorization Framework


Other Security Services Include …

• MyProxy– Simplified credential management– Web portal integration– Single-sign-on support

• KCA & kx.509– Bridging into/out-of Kerberos domains

• SimpleCA– Online credential generation

• PERMIS– Authorization service callout


Data Mgmt


Execution Mgmt

Info Services


ReliableFile

Transfer



Index


DataReplication


Delegation

ReplicaLocation

Trigger

Java Runtime

C Runtime


WorkspaceManagement

Grid Telecontrol

Protocol


CredentialMgmt

Globus Toolkit: Data Management


GT4 Data Management

• Stage/move large data to/from nodes– GridFTP, Reliable File Transfer (RFT)– Alone, and integrated with GRAM

• Locate data of interest– Replica Location Service (RLS)

• Replicate data for performance/reliability– Distributed Replication Service (DRS)

• Provide access to diverse data sources– File systems, parallel file systems, hierarchical storage:

GridFTP– Databases: OGSA DAI

9/28/20069/28/2006




GridFTP in GT4

• 100% Globus code– No licensing issues– Stable, extensible

• IPv6 Support• XIO for different transports• Striping multi-Gb/sec wide area transport

– 27 Gbit/s on 30 Gbit/s link

• Pluggable– Front-end: e.g., future WS control channel– Back-end: e.g., HPSS, cluster file systems– Transfer: e.g., UDP, NetBLT transport

p g

02000400060008000

100001200014000160001800020000

0 10 20 30 40 50 60 70

Degree of Striping

Ban

dwid

th (M

bps)

# Stream = 1 # Stream = 2 # Stream = 4# Stream = 8 # Stream = 16 # Stream = 32

Disk-to-disk onTeraGrid


Reliable File Transfer: Third Party Transfer

RFT Service

RFT Client

SOAP Messages

Notifications(Optional)

DataChannel

Protocol Interpreter

MasterDSI

DataChannel

SlaveDSI

IPCReceiver

IPC Link

MasterDSI

Protocol Interpreter

Data Channel

IPCReceiver

SlaveDSI

Data Channel

IPC Link

GridFTP Server GridFTP Server

• Fire-and-forget transfer• Web services interface• Many files & directories• Integrated failure recovery• Has transferred 900K files


Replica Location Service

• Identify location of files via logical to physical name map

• Distributed indexing of names, fault tolerant update protocols

• GT4 version scalable & stable• Managing ~40 million files

across ~10 sites

IndexIndex

50 M17575 M

10 M2421 M

1 M2<110K

Bloom filter (bits)

Bloom filter

(secs)

Update send

(secs)

Local DB


Cardiff

AEI/Golm

Birmingham•

Reliable Wide Area Data Replication

Replicating >1 Terabyte/day to 8 sites>30 million replicas so farMTBF = 1 month

LIGO Gravitational Wave Observatory

9/28/20069/28/2006




OGSA-DAI

• Provide service-based access to structured data resources as part of Globus

• Specify a selection of interfaces tailored to various styles of data access—starting with relational and XML


The OGSA-DAI Framework

MySQL

OGSA-DAI service

Engine

SQLQuery

JDBC Data Resources

Activities

DB2

GZip GridFTPXPath

XMLDB

XIndice

readFile

File

SWISSPROT

XSLT

SQLServer

Data-bases

ApplicationClient Toolkit


MySQL

OGSA-DAI service

Engine

SQLQuery

JDBC

SQL

JDBC

SQL

JDBC

SQL

JDBC

SQL

JDBC

MultipleSQL GDS

SQLQuery

Extensibility Example


OGSA-DAI: A Framework for Building Applications

• Supports data access, insert and update– Relational: MySQL, Oracle, DB2, SQL Server, Postgres– XML: Xindice, eXist– Files – CSV, BinX, EMBL, OMIM, SWISSPROT,…

• Supports data delivery– SOAP over HTTP– FTP; GridFTP– E-mail– Inter-service

• Supports data transformation– XSLT– ZIP; GZIP

• Supports security– X.509 certificate based security

9/28/20069/28/2006




OGSA-DAI: Other Features

• A framework for building data clients– Client toolkit library for application developers

• A framework for developing functionality– Extend existing activities, or implement your own– Mix and match activities to provide functionality you need

• Highly extensible– Customise our out-of-the-box product– Provide your own services, client-side support, and data-

related functionality


Data Mgmt


Execution Mgmt

Info Services


ReliableFile

Transfer



Index


DataReplication


Delegation

ReplicaLocation

Trigger

Java Runtime

C Runtime


WorkspaceManagement

Grid Telecontrol

Protocol


CredentialMgmt

Globus Toolkit: Execution Management


Execution Management (GRAM)

• Globus Resource Allocation Manager (GRAM) – lowest level of Globus resource management architecture– For stateful job control

• Common WS interface to schedulers– Unix, Condor, LSF, PBS, SGE, …

• More generally: interface for process execution management– Lay down execution environment – Stage data to/from environment– Monitor & manage lifecycle– Signal important state changes to client– Kill it, clean up


GT4 WS GRAM

• 2nd-generation WS implementation optimized for performance, flexibility, stability, scalability

• Changed to be WSRF compliant– There is no backward compatibility between 4.0 and 3.2

• Streamlined critical path– Use only what you need

• Flexible credential management– Credential cache & delegation service

• GridFTP & RFT used for data operations– Data staging & streaming output– Eliminates redundant GASS code

9/28/20069/28/2006




GT WS GRAM

• Submit Job securely - PKI authorization• Execute job securely

– User account sandboxing– Initialization of credentials– Multiple levels of audit (container/ sudo/ local scheduler)

• Sudo/ auth_and_exec– Limit damage due to software failures– Improve audit capabilities


GRAMservices

GT4 Java Container

GRAMservices

Delegation

RFT FileTransfer

Transferrequest

GridFTPRemote storage element(s)

Localscheduler

Userjob

Compute element

GridFTPsudo

GRAMadapter

FTPcontrol

Local job control

Delegate

FTP data

Clie

nt

Job

functions

Delegate

Service host(s) and compute element(s)

GT4 WS GRAM Architecture

SEGJob events


GRAMservices

GT4 Java Container

GRAMservices

Delegation

RFT FileTransfer

Transferrequest


Localscheduler

Userjob

Compute element

GridFTP

sudo

GRAMadapter

FTPcontrol

Local job control

Delegate

FTP data

Clie

nt

Job

functions

Delegate



SEGJob events

Delegated credential can be:Made available to the application


GRAMservices

GT4 Java Container

GRAMservices

Delegation

RFT FileTransfer

Transferrequest


Localscheduler

Userjob

Compute element

GridFTP

sudo

GRAMadapter

FTPcontrol

Local job control

Delegate

FTP data

Clie

nt

Job

functions

Delegate



SEGJob events

Delegated credential can be:Used to authenticate with RFT

9/28/20069/28/2006




GRAMservices

GT4 Java Container

GRAMservices

Delegation

RFT FileTransfer

Transferrequest


Localscheduler

Userjob

Compute element

GridFTP

sudo

GRAMadapter

FTPcontrol

Local job control

Delegate

FTP data

Clie

nt

Job

functions

Delegate



SEGJob events

Delegated credential can be:Used to authenticate with GridFTP


GRAM

• Client job invocation using GRAM– Uses set of WSDL documents and client interfaces for

submitting, monitoring, and terminating a job– Can use Resource Specification Language (RSL), marked

up in XML, to describe the job to be run e.g.• name of the executable,• the working directory, • input and output storage• queue to run in

• Can submit using command line or WDSL interface


GRAM (ctd.)• WSDL Interface

– Uses ManagedJobFactory portType– Creates

• Managed Executable Job Resource (MEJR) to execute single process specified in RSL

• Managed Multi Job Resource (MMJR) to execute multi-jobs specified in RSL

– variants of the Managed Job service (MJS)• Input is initial termination time, Job ID, possible

subscription to notifications, specification of single or multiple jobs

• output is managed job EPR, and notification EPR• MJS will handle notifications and cleanup on

termination/destroy


WS GRAM Performance

• Time to submit a basic GRAM job– Pre-WS GRAM: < 1 second– WS GRAM: 2 seconds

• Concurrent jobs– Pre-WS GRAM: 300 jobs– WS GRAM: 32,000 jobs

• Various studies are underway to test latest software

9/28/20069/28/2006




GT4 WS GRAM Performance

128

64

32

16

8

4

2

1

7163647280

6566707375

6764687576

502764757777

69276572777759

6952696877785829

6470707479582915

706969805729157

1286432168421

Number of Client Threads (M)

All numbers are simple jobs/minute, no delegation or staging

Su

stain

ed

Jo

b L

oad

P

er

Cli

en

t Th

read

(N

)


Workspace Service: The Hosted Activity

Policy

Client

Environment

Activity

Allocate/provisionConfigure

Initiate activityMonitor activityControl activity

Interface Resource provider


For Example …

Physical machineProcure hardware

Hypervisor/OS Deploy hypervisor/OS

VM VMDeploy virtual machine

Provisioning, management, and monitoring at all levels

JVMDeploy container

JVMDeploy service


Virtual Machine Costs

8

8

8

0.7

0.7 1.7

0.8

0.8

0 2 4 6 8 10 12

time (in seconds)

VM setupVM bootjob setupGRAM job

GRAM job

GRAM job in paused VM

Job in booted VM

9/28/20069/28/2006




Requirements:• Community

control• Persistence• Resource

guarantees• Non-

interference

Dynamic Service Deployment

CommunityA

CommunityZ

…

• Communityscheduling logic

• Data distribution• Community

management• Science services• ...


Activities Can Be Nested

Policy

Client

Environment

Interface Resource provider

ClientClient


Job in booted VM

GRAM job in paused VM

8

8

8

0.7

0.7 1.7

0.8

0.8

0 2 4 6 8 10 12

time (in seconds)

VM setupVM bootjob setupGRAM job

Virtual Machine Costs

GRAM job


Virtual OSG Clusters

OSG cluster

Xen hypervisors

TeraGrid cluster

OSG

9/28/20069/28/2006




Globus Toolkit: Info Services

Data Mgmt


Execution Mgmt

Info Services


ReliableFile

Transfer



Index


DataReplication


Delegation

ReplicaLocation

Trigger

Java Runtime

C Runtime

Python Runtime

WebMDS

WorkspaceManagement

Grid Telecontrol

Protocol


CredentialMgmt


Monitoring and Discovery

• “Every service should be monitorable and discoverable using common mechanisms”– WSRF/WSN provides those mechanisms

• A common aggregator framework for collecting information from services, thus:– MDS-Index: Xpath queries, with caching– MDS-Trigger: perform action on condition– (MDS-Archiver: Xpath on historical data)

• Deep integration with Globus containers & services: every GT4 service is discoverable– GRAM, RFT, GridFTP, CAS, …


GT4 Container

GT4 Monitoring & Discovery

GRAM User

MDS-Index

GT4 Cont.

RFT

MDS-Index

GT4 Container

MDS-Index

GridFTP

adapter

Registration &WSRF/WSN Access

Custom protocolsfor non-WSRF entities

Clients(e.g., WebMDS)

Automatedregistrationin container

WS-ServiceGroup


Index Server Performance

• As the MDS4 Index grows, query rate and response time both slow, although sublinearly

• Response time slows due to increasing data transfer size– Full Index is being returned– Response is re-built for every query

• Real question – how much over simple WS-N performance?

9/28/20069/28/2006




Information Providers

• GT4 information providers collect information from some system and make it accessible as WSRF resource properties

• Growing number of information providers– Ganglia, CluMon, Nagios– SGE, LSF, OpenPBS, PBSPro, Torque

• Many opportunities to build additional ones– E.g., network monitoring, storage systems, various sensors

Grid Computing 46Paul A. Farrell 2006Java Services in Apache Axis

Plus GT Libraries and Handlers

YourJava

Service

YourPythonService

YourJava

Service RFT

GR

AM

Del

egat

ion

Inde

xTr

igge

rA

rchi

ver

pyGlobusWS Core

YourC

Service

C WS Core

RLS

Pre

-WS

MD

S

CAS

Pre

-WS

GR

AM

Sim

pleC

A

MyP

roxy

OG

SA-D

AIG

TCP

Grid

FTP

C Services using GT Libraries and HandlersSERVER

CLIENT

InteroperableWS-I-compliant

SOAP messaging

YourJavaClient

YourC

Client

YourPythonClient

YourJavaClient

YourC

Client

YourPythonClient

YourJavaClient

YourC

Client

YourPythonClient

YourJavaClient

YourC

Client

YourPythonClient

X.509 credentials =common authentication

Python hosting, GT Libraries

GT4 Summary


GT4 Documentationis

Much Improvedhttp://www.globus.org/toolkit/docs/4.0/

grid computing globus toolkit: securityfarrell/grid06/lectures/grid14.pdf · 2006-09-28 ·...

Documents