Fostering the use of the Mediterranean e-Infrastructure with Science Gateways and Identity Federations
Riccardo Bruno, INFN Catania & COMETA - Italy (riccardo.bruno@ct.infn.it)

Outline
1. The Mediterranean Grid Infrastructure
2. The Science Gateway
3. Identity Federations and Identity Providers
4. The Robot Certificates
5. The Grid Engine
6. A Mediterranean use case: MrBayes
7. The future

Mediterranean Grid
• Mediterranean Grid:
  • Computational & storage resources
  • Grid experts (Site Admin, SGMs)
  • Many CAs
  • Web space and Wiki
  • Many tools (GOCDB, Nagios, XGUS, etc.)
• The middleware:
  • gLite [1] provides middleware services to access distributed computing and storage resources
• The awareness:
  • Training and dissemination (EUMEDGRID-Support and EPIKH)
• The User Community:
  • Difficulties to create human networks (VRCs)

Mediterranean Grid Infrastructure
• 38 Sites (Europe, Mediterranean, North/South Africa, West Asia)
• ~4000 Cores
• ~600 TB of Storage

Mediterranean community
• 3 training events in collaboration with the EPIKH project [2]:
  • Algeria (June/July 2010)
  • Egypt (October/November 2010)
  • Tunisia (planned for Jan 2011 but postponed due to political instability)
  • Morocco (May/June 2011)
  • Jordan (planned for November/December 2011)
• 107 people trained (65 site admin, 42 application porting)
• Gender: F 22%, M 78%
• 20 applications registered [3]: applications.eumedgrid.eu/application-list

App and usage statistics
Statistics taken from the 1st of March 2011 for 2 months.

Overall:

| Num Jobs | CPUTime (s) | WCTIME (s) |
|---|---|---|
| 68,267 | 25,584,480 | 126,596,639 |

Applications stats:

| App. | Country | #Jobs | CPUTime (s) | WCTIME (s) |
|---|---|---|---|---|
| GWSO | DZ | 171 | 28,981 | 31,612 |
| TSDFEM | SY | 150 | 276,385 | 397,914 |
| GATE | DZ | 52 | 276,454 | 295,540 |
| SMOILP | DZ | 34 | 2,912 | 3,392 |
| GFDTD | EG | 22 | 4,236 | 4,932 |
| BPFS | DZ | 19 | 1,473 | 1,873 |
| SBS | DZ | 4 | 516 | 594 |

Science Gateway
Most common feedback from Grid users:
• Complex certificate handling and management
• Complex syntax in the CLI, bound to UIs
• Complex, non-reusable use of APIs

A Science Gateway is a community-developed set of tools, applications, and data that is integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community.

Advantages of Science Gateways:
• Immediately available for experiments
• No need for certificates (just belong to a trusted AAI)
• Easy to use (web front-end)
• Not bound to a single middleware technology

Reference model
[Diagram labels: Administrator, Power User, Basic User; Science Gateway with embedded applications (Appl 1, Appl 2, ... Appl N); Grid Services; Other Middleware. Caption: Users from different organisations having different roles and privileges]

Identified Components
• Application front end (Liferay)
  • Standard (JSR 168/286)
  • Simplicity (Java/JSP/HTML/…)
  • Ease of use (high-level GUIs and platform independent)
  • Re-usability (JSR portlets can be re-used even on other frameworks)
• User Management (Shibboleth)
  • Handle people from different organizations (Identity Federation based AuthN)
  • Users can run applications only if authorized (LDAP based AuthZ)
• Grid services
  • Certificate Management (Robot Certificates)
  • High-level tool for Grid service management (Grid Engine - JSAGA)

Shibboleth
• Many approaches are available to federate authentication among different entities (SSO);
• A standard provided by OASIS defines the Security Assertion Markup Language (SAML):
  • Assertions are described in XML;
• Shibboleth [4] is one of the most famous SAML-based tools:
  • Implements the SAML standard;
  • Allows different approaches to manage users:
    • LDAP, CAS, plain text, etc.;
  • Deployed in many universities and research institutes;
  • Free and Open Source;
  • Easy to integrate with Liferay;
• Shibboleth has been selected for the integration.
[Diagram labels: Sec Domain 1 (Identity Provider), Sec Domain 2, Sec Domain n; SAML AuthN/AuthZ; Service Provider]

Authentication and Authorization
[Diagram labels: Science Gateway; Authentication; Authorisation; 1. Access to a Service; GrIDP (WAYF); "Not a member?" (Y/N); Register to IDPCT by default ("catch-all" IDP); IDPCT ("catch-all"), IDP_x, IDP_y; LDAP, CAS, ...; Wait for registration]

Identity provider: GARR IDEM
• 30 Members (COMETA one of them);
• 54 IDentity Providers;
• 34 Service Providers (the EUMEDGRID-Support SG is one of them);
• >2,700,000 end users;
• ~50% of the Italian higher education & research community
[Figure: e-identified students in EU]

Registration process
[Diagram labels: User; Admin; 1. register; 2. has to be member?; 2.y account granted; 2.y store credentials; 2.n account denied; 4. sign in]

Sign-In process
[Diagram labels: GrIDP (catch-all Id. Fed.); IDPCT (INFN.CT and COMETA); INFN; maatG; GARR-IDEM; 38 Organizations; Identity Federations' discovery service]
• Authorization provided by Organizations
• Authentication managed by the portal querying a LDAP database
• User based Authorization
• Organization User <-> Liferay Group/Roles

Sign-In process «catch-all» Identity Provider IDPCT GrIDP
Sign-In process GARR GARRIdem
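
The components and sign-in slides above separate Identity Federation based authentication from the gateway's own LDAP based authorisation. As an added example (not code from the presentation or from the EUMEDGRID gateway), this Python block models the decision taken after the IdP has authenticated a user; the entity IDs, users, function names and the in-memory dict standing in for LDAP are assumptions.

```python
from enum import Enum

class Decision(Enum):
    UNTRUSTED_IDP = "identity provider not in a trusted federation"
    REGISTER = "not a member: register first"
    PENDING = "wait for registration approval"
    DENIED = "account denied"
    GRANTED = "signed in"

# Constructed sample data: entity IDs, users and the dict standing in for the
# gateway's LDAP directory are hypothetical, not taken from the slides.
GRIDP = "https://gridp.example.org/idp"   # stands in for the catch-all IdP
IDEM = "https://idp.example.edu/idem"     # stands in for a federation IdP
TRUSTED_IDPS = {GRIDP, IDEM}
LDAP = {
    (IDEM, "alice@example.edu"): ("granted", {"Basic User"}),
    (GRIDP, "bob@example.org"): ("pending", set()),
    (GRIDP, "carol@example.org"): ("denied", set()),
}
# Roles allowed to run each application (role names from the reference model).
APP_ROLES = {"MrBayes": {"Basic User", "Power User", "Administrator"}}

def sign_in(idp, principal):
    """Authorisation step, run only after the IdP has authenticated the user."""
    if idp not in TRUSTED_IDPS:
        return Decision.UNTRUSTED_IDP, set()
    # Key on (IdP, principal): the same name asserted by a different IdP is a
    # different identity and must not inherit this account's roles.
    entry = LDAP.get((idp, principal))
    if entry is None:
        return Decision.REGISTER, set()
    status, roles = entry
    if status == "granted":
        return Decision.GRANTED, set(roles)
    return (Decision.PENDING if status == "pending" else Decision.DENIED), set()

def can_run(idp, principal, app):
    """True only for a granted account holding a role the application accepts."""
    decision, roles = sign_in(idp, principal)
    return decision is Decision.GRANTED and bool(roles & APP_ROLES.get(app, set()))

if __name__ == "__main__":
    for idp, who in [(IDEM, "alice@example.edu"), (GRIDP, "alice@example.edu"),
                     (GRIDP, "bob@example.org"), ("https://rogue.example", "x")]:
        print(who, "->", sign_in(idp, who)[0].value, "| MrBayes:", can_run(idp, who, "MrBayes"))
```

Keying the directory on the pair (IdP, principal) means a name asserted by the catch-all IdP never inherits roles granted to the same name at a federation IdP.
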
Robot certificates
• Robot certificates [5] have been introduced to allow non-users to experience the Grid paradigm for research activity;
• They are extremely useful, for instance, to automate Grid service monitoring, data processing production, distributed data collection systems;
• Basically, these certificates can be used to identify a person responsible for an unattended service or process acting as client and/or server (Service Challenge [10]).

e-Token
• To strongly reduce the risk of the robot certificate being compromised, the INFN CA decided to store this new certificate on board SafeNet eToken smart cards [6];
• The eToken smart card can support many certificates;
• The user is prompted for the token PIN every time they need to interact with the smart card.

e-Token Server
[Diagram labels: e-Token Server; Grid Portals / Science Gateways; Client Applications; Users; Host based mutual authentication]
(See) User Support in IGI: Related Tools and Services in Italy; EGI Technical Forum 2011

SAGA
• SAGA [8] is an API that provides the basic functionality required to build distributed applications, tools and frameworks;
• It is independent of the details of the underlying infrastructure (e.g., the middleware);
• SAGA is an OGF specification: http://www.gridforum.org/documents/GFD.90.pdf
• Several implementations are available:
  • A C++ and a Java implementation developed at the Louisiana State University / CCT and Vrije Universiteit Amsterdam (http://saga.cct.lsu.edu);
  • A Java implementation developed at CCIN2P3 (http://grid.in2p3.fr/jsaga/);
  • A Python implementation based on those above.

JSAGA
• JSAGA is a Java implementation of SAGA developed at CCIN2P3;
• JSAGA:
  • Enables uniform data and job management across different grid infrastructures/middleware;
  • Makes extensions easy: adaptor interfaces are designed to minimize coding effort for integrating support of new technologies/middleware;
  • OS independent: most of the provided adaptors are written in pure Java and they are tested both on Windows and Linux.

JSAGA plugins
JSAGA supports gLite, Globus, ARC, UNICORE, etc.

Phylogenetics as pilot application
• Dedicated section in the Mediterranean Application support web space
• List of runnable applications goes here

Phylogenetics as pilot application
• You need to be registered or signed in before running

Sign in to run
• IDP login window
• Select your IDP
• Select your Federation

Running an application
You can now RUN the application
• User's Workspace
• Applications
• Executed Jobs
• User's Files

Application's job submission
• Fill Input Form
• Human-readable job identifier
• Submit Job

Job submitted!
• User's Jobs Area

Register/Sign In
• Check Status
• Get Output

The future
• MrBayes use case ready to be re-used for other applications
• Dramatic impact on e-Infrastructure awareness and usage through the involvement of Med users in GrIDP and/or other identity federations
• New EPIKH training events targeted to promote the Science Gateway (next in Jordan, Nov/Dec 2011)
• The Mediterranean Scientific Gateway is ready to be adopted; just register and sign in
• https://applications.eumedgrid.eu/science-gateway

References
[1] The gLite middleware: www.glite.org
[2] The EPIKH project: www.epikh.eu
[3] The Application Registry: http://applications.eumedgrid.eu/application-list
[4] Shibboleth: http://shibboleth.internet2.edu
[5] Robot certificates: https://security.fi.infn.it/CA/mgt/restricted/ucert_robot.php
[6] SafeNet eToken: http://www2.safenet-inc.com
[7] eToken Server: https://myproxy.ct.infn.it:8443/eTokenServer
[8] SAGA: http://saga.cct.lsu.edu
[9] JSAGA: http://grid.in2p3.fr/jsaga
[10] Service Challenge: http://jessica.trigrid.it/eumedgrid/service_challenge_history.php

Credits & Acknowledgments
• Valeria Ardizzone (COMETA);
• Roberto Barbera (UNICT & INFN);
• Antonio Calanducci (COMETA);
• Marco Fargetta (COMETA);
• Elisa Ingrà (GARR);
• Giuseppe La Rocca (INFN);
• Salvatore Monforte (INFN);
• Fabrizio Pistagna (INFN);
• Rita Ricceri (INFN);
• Riccardo Rotondo (INFN);
• Diego Scardaci (INFN);
• Enrico Fasanelli (INFN);
• Maria Laura Mantovani (GARR);
• Barbara Monticini (GARR);
• Simona Venuti (GARR)