Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diego The Open Science

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005

Abhishek Singh Rana and Frank Wuerthwein UC San Diego www.opensciencegrid.org

The Open Science Grid Consortium

Multi-Site VOs and Multi-VO Sites in Open Science Grid

Abhishek Singh RanaUC San Diego

[email protected]

Frank WuerthweinUC San [email protected]

GridWorld/GGF15October 3-6, 2005Boston, MA, USA

Community Activity: Leveraging Site Infrastructute for Multi-Site Grids

2




Collaborative Effort

Open Science GridRBAC, Security and Policy Frameworks

Privilege Project

PPDG Common

USATLAS

USCMSFermi National Lab

Brookhaven National Lab

U California San Diego

Virginia Tech

Technical Lead:Ian Fisk, FNAL

Technical Coordinator:Dane Skow, FNAL

3




Outline

• Concepts & Goals.• Examples

– Compute Element.– Storage Element.

• Possible future examples– Dynamically provisioned environments/Workspaces.

• VO Workspace on Site boundary.– Edge Services Framework (ES Wafers).

• User Workspace on WNs – Resource Slices.

4




OSG Approach: Concepts

• VO-Global specification of privilege requirements per Role.

• Site central mapping of Role to site’s implementation of privilege requirements.

• Local enforcement of privilege requirements.

5




Multi-Site VO

CESE

Site

CE

SE

Site CESE

Site

CESE

Site

CESE

Site

6




Multi-VO Site

CE

SE

Site

7




A Multi-VO Multi-Site Grid

CESE

Site

CE

SE

SiteCE

SE

Site

CESE

Site

CESE

Site

CE

SE

Site

CESE

Site

CESE

Site

8




OSG Approach

• VO defines Roles and associated privileges by specifying expected functionality.– E.g. cmssoft may install software in area that is read-only by all cmsgrid user jobs running on site/campus.

– E.g. cmssvc may deploy DB cache available to all cmsgrid user jobs running on site/campus.

• Site maps VO scope identities to local scope identities.– Site wide management of mapping.– Service level granularity of mapping.

• Site enforces VO privilege policies within local scope identities.

• Authorization = !(Site-vetoed) && (VO-allowed)

9




VO Attribute Repository

Service X

Service Y

Service X

Service Z

Service X VetoService Y VetoService Z Veto

Site-wide Assertion Service

Host 1

Host 2

Site

Authorization Service for

Service X, Y, Z

Site-wide Mapping Service

Auxiliary Authorization

Service for Service Z

Auxiliary Mapping Service

Callout Module for X, Y

Callout Module

for Z

Local or Remote ClientProxy with VO Membership | Role Attributes

10




VO Attribute Repository

Service X

Service Y

Service X

Service Z

Service X VetoService Y VetoService Z Veto


Host 1

Host 2

Site

Authorization Service for

Service X, Y, Z


Auxiliary Authorization

Service for Service Z


Callout Module for X, Y

Callout Module

for Z


PDPPEP

PEP

PDP

11




Example: Compute Element

12




CE: Globus and Condor

• PRIMA and GUMS provide CE authz in OSG approach.

PRIMA authenticates.GUMS translates {DN, Membership, Role} to Username.System translates Username to site-wide {UID}.

13




GUMS



Site

SAZ

VOMS


Deployed at many sites/campuses with static UIDs as well as UID pools.

14




GUMS



Site

SAZ

VOMS


CE


15




GUMS



Site

SAZ

VOMS


PRIMAC SAMLlibraries

CE

Globus Gatekeeper PRIMAcallout


16




GUMS



Site

SAZ

VOMS



CE



PEP

17




Example: Storage Element

18




SE: SRM-dCache

• Different doors for different authz methods.

• Same underlying local authz mechanism.

• Can be mapped to site’s UID/GID domain.

• Or be restricted to SRM-dCache only.

• Examples:– USCMS-VO at FNAL: Site UID domain.– CDF-VO at FNAL: Site Kerberos domain.

19




SE: SRM-dCache

• gPLAZMA extends SRM-dCache separation of SE authz and CE authz to OSG approach.

gPLAZMA authenticates.Storage Authz Service contacts GUMS and gPLAZMA Storage Metadata Service.GUMS translates {DN, Membership, Role} to Username.System optionally translates Username to site-wide {UID, GID}.gPLAZMA Storage Metadata Service translates Username to Storage-privilege Set.Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}.Storage-privilege Set is User-level ACL governed by {DN, Membership, Role} .

20




GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata

PRIMAAuthorization

Service

21




GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata

PRIMAAuthorization

Service

22




GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata

PRIMAAuthorization

Service



23




GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata

PRIMAAuthorization

Service



PEP

24




GUMS



Site

SAZ

VOMS



CE

SE

gPLAZMAStorage

metadata

PRIMAAuthorization

Service



25




GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata

PRIMAJava SAMLgPLAZMA

PRIMAAuthorization

Service


SRM-GridFTP gPLAZMA callout

gPLAZMALiteAuthorizationServices suite

26




GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata


PRIMAAuthorization

Service




PEP

27




GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata


PRIMAAuthorization

Service



OGSAAuthZ

interface


28




GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata


PRIMAAuthorization

Service



PRIMAA System for

Privilege Management and Authorization in Grids

gPLAZMAgrid-aware Pluggable

AuthorizationManagement System

GUMSGrid User Management

System

SAZSite Authorization Service

VOMSVirtual Organization Membership Service


29




GUMS



Site

SAZ

VOMS




CE

SE

gPLAZMAStorage

metadata


PRIMAAuthorization

Service



PRIMAMarkus Lorch, VT

gPLAZMAAbhishek Singh Rana, UCSD

Timur Perelmutov, FNAL

GUMSGabriele Carcassi, BNL

SAZVijay Sekhri, FNAL

John Weigand, FNAL

SRM-dCacheDESY/FNAL teams

VOMSINFN teams, Italy


30




• VO control of ACLs.– All files are owned by VO.– Simple solutions.– VO PDP, separated from Resource.

• Site control of ACLs.– All files are owned by {DN, Membership, Role} of a User.– Site SE enforces global (VO) and local (site) policies.– Global & local policies are used together to aid in isolation of

privileges, grant privacy to user, and perform fine-grained security.

– Demands sophisticated solutions.– Site PDP, closer to Resource.

SE ACLs: VO versus Site Control

31




Possible Future Examples:Dynamic Virtual Environments/Workspaces 1. VO Workspace on Site boundary - Edge Services Framework (ES Wafers).2. User Workspace on WNs (Resource Slices).

32




No ESF - Phase 0

SECE

Site

33




No ESF - Phase 0

Site

SECE

Static deployment

CMS ATLAS CDF

34




ESF?

SECE

Site

35




ESF - Phase 1

ESF

SE

Site

Snapshot ofES Wafers

implemented asVirtual Workspaces

CE CDFCMS ATLAS

GuestVO

36




An attempt at ESF Terminology

• Edge Services Wafer (ES Wafer)– A specific instance of a dynamically-created VM (workspace) is called

an Edge Services Wafer. – An ES Wafer can have several Edge Services running. – A VO can have multiple ES Wafers up at a Site.

• Edge Services Slot (ES Slot) – An ES Slot has hardware characteristics specified by the Site Admin.– An ES Slot can be leased by a VO to host an ES Wafer.

• Edge Service (ES) – A VO-specific service instantiated by a VO in a Wafer.

• Workspace Service (WS)– Service at a Site that allows VOs to instantiate ES Wafers in ES Slots.

37




ESF - Phase 1

CDFCMS ATLAS

GuestVO

ESF

SECE

Site

GT4 Workspace Service & VMM

Dynamically deployed ES Wafers for each VO

Wafer imagesstored in SE

Compute nodes and Storage nodes

38




ESF - Phase 1

CDFCMS ATLAS

GuestVO

ESF

SECE

Site

GT4 Workspace Service & VMM

Dynamically deployed ES Wafers for each VO

Wafer imagesstored in SE

Compute nodes and Storage nodes

Globus Workspace ServiceKate Keahey, ANL/Globus

Timothy Freeman, ANL/Globus

Edge Services SuiteCMS and ATLAS Collaborations

Xen VMMCambridge University, UK

XenSource Inc.

39




User jobs at Compute nodes using ES Wafers for VO Edge Services

ESF

SECE

Site

CDFCMS ATLAS

GuestVO

40




VO Admin transporting/storing ES image to a remote Site..

..Deploying ES using image stored in Site’s local repository

41




VO Workspaces (Edge Services)

• Concepts– TID (Transactional Identity) = {DN, Membership

Profile, Set of Roles}– Thus, TID is VO & “VO-Site agreement” specific.– TID functions as a tag for VO Workspace

characteristics.– Site central mapping service translates TID into VO

Workspace characteristics.– ESF provisions VO Workspace according to

characteristics.

42




ESF - Phase 1

ESF

SECE

Site

CMS

Role=VO Admin

43




ESF - Phase 1

ESF

SECE

Site

CMS

Role=VO Admin

PEP

44




ESF - Phase 1

ESF

SECE

Site

CMS

Role=VO Admin

45




ESF - Phase 1

ESF

SECE

Site

Role=VO Admin

46




ESF - Phase 1

ESF

SECE

Site

Role=VO Admin

PEP

47




ESF - Phase 1

ESF

SECE

Site

Role=VO Admin

48




ESF - Phase 1

ESF

SECE

Site

Role=VO Admin

PEP

49




ESF - Phase 1

ESF

SECE

Site

CMS

Role=VO Admin

50




ESF - Phase 1

ESF

SECE

Site

CMS

Role=VO Admin

51




ESF - Phase 1

ESF

SECE

Site

CMS

Role=VO Admin

52




ESF - Phase 1

ESF

SECE

Site

CMS

Role=VO Admin

ES Wafer (Multiple VO Services at a Site’s Edge)

53




A VO User using ESF....Executing at a User Workspace

54




User Workspace

• User Workspace– Slicing of a Resource, on demand.– PEP closer to such finer slices of a Resource.– Customized (possibly transient) slices.– Isolation of environment of such a slice.

• A resource slice and VO/User environment make a User Workspace.

55




User Workspace

• Concepts– TID (Transactional Identity) = {DN, Membership

Profile, Set of Roles}– Thus, TID is VO & “application type” specific.– TID functions as a tag for Workspace characteristics.– Site central mapping service translates TID into User

Workspace characteristics.– Compute node local service provisions User

Workspace according to characteristics.

56




User Workspace

ESF

SECE

Site

CMS

Role=VO User

57




User Workspace

ESF

SECE

Site

CMS

Role=VO User

PEP

58




User Workspace

ESF

SE

Site

CMS

Role=VO User

CE

59




User Workspace

ESF

SE

Site

CMS

Role=VO User

CE

PEP

60




User Workspace

ESF

SE

Site

CMS

Role=VO User

CE

Resource Slice (User execution environment at a WN)

61




User Workspace

ESF

SECE

Site

CMS

Role=VO User

62




User Workspace

ESF

SECE

Site

CMS

Role=VO User

PEP

63




User Workspace

ESF

SECE

Site

CMS

Role=VO User

64




Summary of OSG Approach

• VO-Global specification of privilege requirements per role.– Means to do so are lacking today!– Making progress.

• Site central mapping of role to implementation of privilege requirements.– Simple solutions in production usage.

• Local enforcement of privilege requirements.– Simple solutions in production usage.– Moving forward to designing more advanced

solutions.

65




Thank You.

Documents

Global Grid Forum GridWorld GGF15 Boston USA October 03 2005 Abhishek Singh Rana and Frank Wuerthwein UC San Diego The Open Science