FP6−2004−Infrastructures−6-SSA-026634 CNGrid Middleware GOSv2 Yongjian Wang BUAA – Beijing, China Interoperability workshop of euchinagrid Beijing, 12-14

FP6−2004−Infrastructures−6-SSA-026634

CNGrid Middleware GOSv2

Yongjian WangBUAA – Beijing, China

Interoperability workshop of euchinagridBeijing, 12-14 June 2006

Yongjian Wang BUAA Bejiing, 12-16 June 2006

Outline

Brief introduction to GOSv2 Overall architecture of GOSv2 Core Level Services System/Application Level Services


Brief introduction to GOSv2


Outline

Brief introduction of GOSv2 Background Goals Research


Backgrounds of GOSv2

Grid related research begins since 1999 in China Part of the Grid Software program supported by the

China Ministry of Science and Technology 863 program between 2002 and 2005


Goals of GOSv2

Support multiple geographical distributed grid nodes such as super computing centers across China

Sharing mechanism and framework on computing, data, software and combined resources

Provide secured, uniformed and friendly interfaces accessing the scientific computing and information services


Research

Focus on 4 key issues to satisfy common requirements: Naming mechanism Process or states maintain Virtual organization Programming model

Focus on implementing architecture, not protocols or services Use Computer System Approach, not middleware or

network Use Service Oriented Architecture concept


Overall Architecture of GOSv2


Outline

Overall architecture of GOSv2 GOSv2 architecture

GOSv2 architecture

EVP address spacesEffective address spacePhysical address spaceVirtual address space

Security mechanism


GOSv2 Overall Architecture


Agora Service

GOS Hosting

Env.

CoreLevel

Services

Authorization Engine

Grip Service

Servlet Based Scalable Grid Portal Engine

User CustomizedApplications

Grid Apps

Core APIs Core Libraries(Grip, Agora, Router, AC Handling, Core Exception Handling)

AgoraAA

Grip Container

Multi-GrainedResource AC Policy Mgmt.

User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile

Role Based Acct. Mgmt.

Resource Mgmt. Engine

Service Addr. and PortType

Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.

Grip Ctrl. Structure

User Interaction

Result Caching

Grip State Mgmt.

Service Locating(Global)Service Info. Mgmt. (Local)

Java J2SE, J2EE/Microsoft Windows

Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions

System and Application Libraries(Core Based Functional APIs and Exception Handling)

ExtendedSystem

Services

Information(MetaX) Services

MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.

MetaFile ServiceMeta Info

Mgmt. Quota Mgmt.

etc.

Batch Service Workflow Service etc.

User APIs

SystemLevel

Services

App Level Services

Proxy Cert.

Build-in Utility Collection Extended UtilitiesGrid Portal

Application Logic by Web Pages

CA&Certificates

Mgmt. Service

Base Services

Dymaic Deploy Service

SystemMonitoring

Service

Logging& Auditing Service

File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture


EVP address space


EVP address spaces EVP provides three separate naming spaces

effective address space Effective address space is used to logically categorized services Examples of effective address: eres://agora1:metaservice All addresses in this space with a prefix eres which is short for effective address

physical address space Physical address space used to actually identify physical services Format of physical address is normal URL just as follows:

http://159.226.49.53:8080/axis/services/MonitorService virtual address space

Virtual address space used to map effective address to physical address Virtual address used inside GOSv2 environment and starts with prefix vres://

Physical resource can enter or exit dynamically because effective and virtual address can hides the differences.


EVP address spaces


Security Mechanism in GOSv2


Terms in use

User certificate X.509 certificate signed by CNGrid CA

User proxy certificate User proxy certificate is usually a session certificate with short

live time. X.509 proxy certificate signed by user, delegate all or part of its

owner’s authority Motivation of user proxy certificate is single login

SAML authorization token SAML Token contains attribute entries as description of

authorization GOSContext

Java Object contains user proxy certificate and assert token


Features of security mechanism

Transport layer SSL/TLS specification

Message layer WS-Security specification


Axis handler chains mechanism

Axis handler chains adopt the chains of responsibility design pattern. Divide whole function such as security into a chain of small

portions Every portion implements different sub-function Portions have no relationships among one another

Based on axis handler chains mechanism Add new function or remove old function are very easy Security mechanism doesn’t invade into concrete application Grip application can use or don’t use security mechanism just by

modifying the configuration file.


Security handlers in GOSv2 SignHandler

Sign body of soap message and add ws-security soap header AddHandler

Add GOSContext Object as soap attachment WSSecurityHandler

Verify ws-security soap header GetAttachmentsHandler

Get GOSContext Object from attachment of soap message VerifyCertsHandler

Verify user certificate contained in GOSContext VerifyTokenHandler

Verify token contained in GOSContext ACHandler

Access control operation based on different policies


WebService

WSClient

· SignHandler(with proxy or user cert)

· AddHandler

· WSSecurityHandler· GetAttachmentsHandler· VerifyCertsHandler· VerifyTokenHandler

· WSSecurityHandler· GetAttachmentsHandler· VerifyCertsHandler· VerifyTokenHandler· ACHandler

· SignHandler (with service cert)

· AddHandler

SOAP MSG overSSL/TSL(HTTPS)

Client Side Server Siderequest flow

response flow

Security Handler Chain


Authentication & Authorization

Authentication Agora service

– Provide resource management, user management and so on– Convert username and password to corresponding proxy and

token Authorization

SAML Authorization Token– Subject

Requester Agora Information Requester Role Information on Agora Server DN of requester

– Action Operations of Requested Service


Security mechanism


Core Level Services of GOSv2


Outline

Core Level Services Agora Service

User Management Service Resource Management Service Security authentication and authorization

Grip Service Grip Container Grip Struct

Router Service Overlay network approach for resource management and

locating Resource discovery in GOSv2


Agora Service


Agora Service

GOS Hosting

Env.

CoreLevel

Services


Grip Service



Grid Apps


AgoraAA

Grip Container


User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile




Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.


User Interaction

Result Caching

Grip State Mgmt.



Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions


ExtendedSystem

Services


MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.


Mgmt. Quota Mgmt.

etc.


User APIs

SystemLevel

Services

App Level Services

Proxy Cert.



CA&Certificates

Mgmt. Service

Base Services


SystemMonitoring

Service


File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture


Functions of Agora Service

Role based grid user management Both external and internal user name Proxy certificates management

Service oriented resource management Mapping effective resource to virtual resource Currently using random resource selection algorithm

Token based authorization and access control management Multi-granularity SAML based and decoupled


Architecture of Agora Service


Grip Service


Agora Service

GOS Hosting

Env.

CoreLevel

Services


Grip Service



Grid Apps


AgoraAA

Grip Container


User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile




Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.


User Interaction

Result Caching

Grip State Mgmt.



Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions


ExtendedSystem

Services


MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.


Mgmt. Quota Mgmt.

etc.


User APIs

SystemLevel

Services

App Level Services

Proxy Cert.



CA&Certificates

Mgmt. Service

Base Services


SystemMonitoring

Service


File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture


Grip Service

Grip Service maintains state information for end user. Grip Container

Exposed as Web Service

Grip Struct is used to invoke different physical services on behalf of end user

Used to access underlying physical service


Grip Service


Router Service


Agora Service

GOS Hosting

Env.

CoreLevel

Services


Grip Service



Grid Apps


AgoraAA

Grip Container


User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile




Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.


User Interaction

Result Caching

Grip State Mgmt.



Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions


ExtendedSystem

Services


MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.


Mgmt. Quota Mgmt.

etc.


User APIs

SystemLevel

Services

App Level Services

Proxy Cert.



CA&Certificates

Mgmt. Service

Base Services


SystemMonitoring

Service


File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture


Router Service

Router Service is used to convert virtual address to physical address. Maintain local virtual resource to physical resource

mapping relationships Communicate with neighbor router to form global view of

all the deployed router services and service locating can achieved in this way.


Router Service

Different routers form an application-level virtual network to exchange V-P mapping information


Router Scenario- LinkGOS APIS(Client Side) source router neighbor router

link

link

ping

link response

link

result

link response link source

link neighbor


Router Scenario- Neighbor Update

NbUpdater Thread(rtA) RouterUpdator Thread(rtA)neighbor router B local router A

ping

sleep nbinterval

sleep interval

ping response

ping

ping response

ping

ping response

getalivenb

alive nb

refreshrouter

updated global router info

sleep intervalgetalivenb

alive nb

refreshrouter

updated global router info

update router table

update router table


Router Scenario- search

GOS APIS(Client Side)

search

default router remote router

responseresponse

link router

search

response

searchsearch


How to discovery resource in GOSv2

Resource discovery in GOSv2 consist of the following steps: Find effective address of resource Convert effective address into virtual address Convert virtual address into physical address


System/Application Level Services


Outline

GFI (Grid File Infrastructure) Meta service

Provide logically global user file space

Data Service Distributed file storage

File transferred using soap message

Grid Batch System Using Grip and GFI to support global file stagein/out

Using simple batch driver to connect to local batch systems, such as

OpenPBS, LSF etc.

Grid Batch Accounting System


Meta Service


Agora Service

GOS Hosting

Env.

CoreLevel

Services


Grip Service



Grid Apps


AgoraAA

Grip Container


User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile




Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.


User Interaction

Result Caching

Grip State Mgmt.



Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions


ExtendedSystem

Services


MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.


Mgmt. Quota Mgmt.

etc.


User APIs

SystemLevel

Services

App Level Services

Proxy Cert.



CA&Certificates

Mgmt. Service

Base Services


SystemMonitoring

Service


File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture


Functions of meta service

Name mapping on grid file• effective name virtual name physical name


Functions of Meta Service (cont.)

Maintain global file information Maintain file access permissions information Cooperate with Authorization Authority in agora

service for file access authorization User quota management


Meta Service - Operations

Category Service Operations

meta data query related

isFile 、 isDir 、 exist 、 info 、 getVirtualName 、 List 、 Search

file directory related createNewFile 、 delete 、 mkdir 、 rmdir 、 move 、 rename 、 upload

file access permissions related

getACLInfo 、 Auth 、 Revoke


Data Service


Agora Service

GOS Hosting

Env.

CoreLevel

Services


Grip Service



Grid Apps


AgoraAA

Grip Container


User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile




Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.


User Interaction

Result Caching

Grip State Mgmt.



Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions


ExtendedSystem

Services


MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.


Mgmt. Quota Mgmt.

etc.


User APIs

SystemLevel

Services

App Level Services

Proxy Cert.



CA&Certificates

Mgmt. Service

Base Services


SystemMonitoring

Service


File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture


Functions of Data Service

Map user identification to local file directory Different user correspond to different local file directory

Store user file in local file system Transfer file (download/upload) by servlet Form distributed, uniformed user file storage space


Data Service - Operations

Category Service Operations

file or directory operation related

mkdir 、 rmdir 、 creatNewFile 、 delete

file transfer related setUploadFileName 、 setDownloadFileName


Upload File Scenario


Grid Batch System


Agora Service

GOS Hosting

Env.

CoreLevel

Services


Grip Service



Grid Apps


AgoraAA

Grip Container


User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile




Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.


User Interaction

Result Caching

Grip State Mgmt.



Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions


ExtendedSystem

Services


MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.


Mgmt. Quota Mgmt.

etc.


User APIs

SystemLevel

Services

App Level Services

Proxy Cert.



CA&Certificates

Mgmt. Service

Base Services


SystemMonitoring

Service


File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture


Batch System in GOSv2

Local batch system driver Hiding different local batch systems such as

OpenPBS 、 LSF and so on

Grid batch service Local batch system service wrapper

Grid batch system client side APIs Interact with batch service by grip Hiding details such as service invocation, file stagein /

stageout


Architecture of Batch Service


Batch Job Descriptor


Batch Service Scenario


Batch service in the future

GridSAM will act as batch service for different grid node Support JSDL specification Support plain ftp and GridFTP based stagein/stageout Maintain job states Extend GridSAM to support OpenPBS and LSF batch

system Replace GridSAM security mechanism with CNGrid

security mechanism




Agora Service

GOS Hosting

Env.

CoreLevel

Services


Grip Service



Grid Apps


AgoraAA

Grip Container


User Mgmt. Engine

Acct.Authentication

Acct.Approve

Profile




Mapping

ServiceInfo

Mgmt.

Service Invocation

Addr. Trans.


User Interaction

Result Caching

Grip State Mgmt.



Tomcat(Apache)

WebSphere(IBM)

WebLogic(BEA)

.NET(Microsoft)

GT4(Globus)

Core Exceptions


ExtendedSystem

Services


MetaDBService

MetaSysService

Naming

File AC Mgmt.

Replica Mgmt.


Mgmt. Quota Mgmt.

etc.


User APIs

SystemLevel

Services

App Level Services

Proxy Cert.



CA&Certificates

Mgmt. Service

Base Services


SystemMonitoring

Service


File Service

Database Service

Messaging Service

GIS Service

Router Service

OMII

•G

OS

v2 Architecture




Q&A

Documents

FP6−2004−Infrastructures−6-SSA-026634 CNGrid Middleware GOSv2 Yongjian Wang BUAA – Beijing, China Interoperability workshop of euchinagrid Beijing, 12-14