1 / 10

WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4

WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4. f or Gridification Task : David Groep hep-proj-grid-fabric -gridify @cern.ch. WP4 Gridification components. External (“Grid”) components issues relating to the three core Grid protocols (GRAM, GSIFTP,GRIP)

acreed
Download Presentation

WP4 Gridification Subsystem overlap Globus & existing systems LCAS and AAA in WP4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WP4 GridificationSubsystem overlapGlobus & existing systemsLCAS and AAA in WP4 for Gridification Task: David Groep hep-proj-grid-fabric-gridify@cern.ch

  2. WP4 Gridification components • External (“Grid”) components • issues relating to the three core Grid protocols (GRAM, GSIFTP,GRIP) • network issues (firewall admin, NAT) • fabric authorization interoperability (multi-domain, AAA, co-allocing) • Internal components • authenticated installation services • secure bootstrapping services

  3. WP4 Subsystems and relationships (D4.2)

  4. Job submission protocol & interface • Current Globus design • Client tools connect to gatekeeper • GRAM (attributes over HTTPS) • Gatekeeper does authentication, authorization and user mapping • RSL passed to JobManager • Identified design differences • authorization and user mapping done quite early in the process • Identical components • Protocol must stay the same (GRAM) • Separation of JobManager (closer to RMS) and GateKeeper will remain • Issues: scalability problems with many jobs within one centre (N jobmanagers) authorization cannot take into account RMS state (budget, etc.)

  5. Current Globus design: Authorization and user mapping are combined in one No dynamic per-site Authorization decisions Identified design points new design, taking concepts from generic AAA architectures coordinate with AuthZ group and GGF Identical components towards generic AAA architectures/servers distributed AAA decisions/brokering concepts from new SciDAC/SecureGRID/AAAARCH Authorization and AAA Accounting framework yet to be considered…

  6. Local Centre AuthZ Service (LCAS) future • Integrate in generic AAA ARCH • being developed in IRTF(experimental) • co-allocation of resources • incorporates site-local policies • use existing policy languages • Ponder, AAAARCH language, …? • complementary to CAS AAA AAA ASM

  7. Credential Mapping • Current Globus design: • Authorization and user mapping are combined • Currently by GateKeeper/GridMapDir (on connection establishment) • Kerberos by external service (sslk5) • Identified design points • Extend for multiple credential types • move to later in the process (after AAA decision) • Identical components • gridmapdir patch by Andrew McNab • sslk5/k5cert service • Issues in current design • mapping may be expensive (updating password files, NIS, LDAP, etc.)

  8. Information Services (GriFIS) • Current design: • MDS2.1(or compat):LDAP with back-ends • Modular information providers • Identified design points • NO fundamental changes • More information providers (CDB) • Correlators between RMS, Monitoring and CDB (internal WP4 components) • Identical components • MDS2.1, F-tree and/or GMA/R-GMA • Some of the information providers • Issues in current design • Evaluation of WP3 framework still in progress • Wide variety of frameworks in general, but all seem currently interchangeable

  9. Network access to large fabrics • Current Globus design • Is not in scope of Globus toolkit • Identified design differences • Needed component for large farms • Needed for bandwidth provisioning/brokerage • Farm nodes not visible from outside! • Identical components • 0st order: no functionality • 1st order: IP Masquerading routers • 2nd order: IP Masq & protocol translation (IPv6 → IPv4 and v.v.) • later: use of intelligent edge devices, managed bandwidth (and connections) per job, AAA interaction (with LCAS)

  10. Key overlaps & differences • Globus provides adequate components for much of the functionality • Lacking components • Generic and distributed AAA • too-early relinquishing of credential mapping capabilities in gatekeeper • does not address intra-fabric security concerns (FLIdS) • information providers for whatever the framework will be • managed network access • Key components to stay compatible • GRAM protocol & RSL forwarding [Globus,GGF] • Information framework (GIS, GMA, R-GMA, …) [Globus,GGF and EDG WP3] • Security methods and protocols (X.509, SSL, …)

More Related