1 / 43

Introduction to gLite Middleware and Security Architecture

Learn about gLite Middleware deployment considerations, components of Information Systems, Data Services, Security Concerns, and Public Key Infrastructure in this comprehensive presentation.

ceceliat
Download Presentation

Introduction to gLite Middleware and Security Architecture

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Overview of the gLite Middleware, Security and Site Architecture Presentation Title Muhammad Farhan Sjaugi, UPM farhansj@biruni.upm.my .KLACGRID 2009 November 2-14 2009, UM Malaysia Speaker Institution Event Name

  2. Introduction gLite Middleware gLite Security Site Architecture: Deployment Considerations BIRUNI Grid Center Outline

  3. Introduction gLite Middleware gLite Security Site Architecture: Deployment Considerations Outline 3

  4. Introduction • The Grid relies on advanced software, called middleware, which interfaces between resources and the applications • Stable version: gLite 3.1 • Scientific Linux 4 • gLite 3.2 based on SL5

  5. Introduction gLite Middleware gLite Security Site Architecture: Deployment Considerations Outline 5

  6. User Interface Resource Broker File and Replica Catalog Site X Computing Element Storage Element Basic Services of gLite Information System Submit job query Retrieve status & output create credential query publish state Submit job Retrieve output Job status Logging Job status process Authorization Service (VO Management Service)‏ Logging and bookkeeping

  7. Virtual Organisation (VO)‏ • gLite middleware runs on each shared resource to provide • Data services • Computation services • Security service • Resources and users form Virtual Organisations: basis for collaboration INTERNET

  8. How is Information Systems Used? Resource Discovery If you are a middleware developer Workload Management System: Matching job requirements and Grid resources Monitoring Services: Retrieving information about Grid Resources status and availability • What resources are available • to the Grid? • Computing resources • Storage resources • Site and Services • What is their current status? • If you are a user • Retrieve information about • resources • where you can run your job? • where you can copy your files? If you are site manager or service You “publish” the information about the services you provide.

  9. Components of Information System Top-level BDII: collects information from GIISs At each site: a site GIIS(site BDII): collects information from local GRISs On each resource a GRIS(resource-level BDII): Publishes dynamic and static information BDII: Berkeley DataBase Information Index GIIS: Grid Index Information Server GRIS: Grid Resource Information Server Information Flow

  10. GRISs, GIISs & BDII Relationship GOCDB User Application Resource Broker Monitoring Services BDII-B BDII-A CE Site GIIS Site A Site B Site C CE Site GIIS CE Site GIIS LFC Local GRIS CE Local GRIS SE Local GRIS SE Local GRIS RB Local GRIS CE Local GRIS CE Local GRIS SE Local GRIS MyProxy Local GRIS

  11. Workload Management System • The purpose of the Workload Management System (WMS): • - To accept user jobs - To assign them to the most appropriate Computing Element - To record their status - To retrieve their output .

  12. UI JDL Workload Management System File catalog UI WMS IS CE & WN SE

  13. Scope of Data Services • Simply, DMS provides all operation that all of us are used to performing • Uploading /downloading files • Creating file /directories • Renaming file /directories • Deleting file /directories • Moving file /directories • Listing directories • Creating symbolic links

  14. Data Services in gLite • 3 types of services for DM: • Storage (SE's): where files are “physically” located • Storage URL or SURL: • srm://castorsc.grid.sinica.edu.tw/data/dteam/mytest.dat • Catalogs: High level hierarchical namespace, maps the “physical” files to a virtual “logical” filename • Logical File Name or LFN: • lfn:/grid/dteam/mytest.dat • Movement: put/get files into grid SE's, move/replicate files between SE's. • File Transfer Service or FTS (Not covered in this tutorial)‏ • Transport URL or TURL: • gsiftp://sc003.grid.sinica.edu.tw:2811/data/dteam/mytest.dat

  15. File_on_se1 Myfile.dat GUID File_on_se2 Storage Element1 Storage Element 2 Data Management Example “User interface” “Myfile.dat” LCG File Catalogue (LFC)‏ Computing Element • File replicated onto 2 SEs

  16. Client User/Application Grid Middleware SRM SRM SRM Castor DPM dCache Storage Resource Manager • SRM (Storage Resource Manager) • Provides standardized Uniform Access to Storage and protocol negotiation.

  17. Introduction gLite Middleware gLite Security Site Architecture: Deployment Considerations Outline 17

  18. Security Concerns Grid service User • Authentication • How can communication endpoints be identified? • Authorization • Who is allowed to access a Virtual Organisation's resources • What are VO members allowed to do? 18

  19. Public Key Infrastructure in action John Paul ciao 3$r 3$r ciao Paul’s keys public private • Encryption • Encryption with recipient’s public key • Only recipient can decrypt the message 19

  20. PKI in action – the big picture message Digital Signature message = ? Digital Signature Paul Paul’skeys message Hash A private public Digital Signature Mutual authentication and exchanging public keys: SSL protocol John message John’skeys Hash B 20 private public Hash A

  21. Entity Identity • Anyone can create a key pair. • How can I trust the public key is yours? ? 21

  22. Certificate Authority • Public key is wrapped into a “certificate file” • Certificate files are created by trusted third parties: Grid Certification Authorities (CA)‏ • Certificates recognized by Grids • www.gridpma.org • Private key is stored in encrypted file – protected by a passphrase Certificate Public key Subject:/C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/Email=sipos@sztaki.hu Issuer: C=CH, O=CERN, OU=GRID, CN=CERN CA Expiration date: Aug 26 08:08:14 2008 GMT Serial number: 625 (0x271)‏ Optional Extensions 1. Hash of Public key & metadata, 2. Encrypt hash with CA’s private key 22 CA Digital signature

  23. User’s private key and certificate • Private key and certificate can: • Stored in your browser • Stored in files using different file format (PEM, P12, …)‏ • Typical situation on Globus, gLite, ARC middleware based grids: [sipos@glite-tutor sipos]$ ls -l .globus/ total 8 -rw-r--r-- 1 sipos users 1761 Oct 25 2006 usercert.pem -r-------- 1 sipos users 951 Oct 24 2006 userkey.pem If your certificate is used by someone other than you, it cannot be proven that it was not you. 23

  24. Delegation of user identiesby limited proxies • Delegation - allows remote process and services to authenticate on behalf of the user • Achieved by creation of next-level private key–certificate pair from the user’s private key–certificate. • New key-pair is a single file: Proxy credential • Proxy private key is not protected by password • Proxy may be valid for limited operations • Proxy has limited lifetime • The client can delegate proxies to services, processes • Each service decides whether it accepts proxies for authentication 24

  25. Proxy in action Broker Proxy credential Remote process creation requests* Authorize Map to a local id Create process Generate credentials Ditto Remote process creation requests* Process Process Proxycredential Remote file access request* Proxycredential GSI-enabled Storage Element Authorize Map to local id Access file Single sign-on via “grid-id” & generation of proxy cred. User GSI-enabled server GSI-enabled server Site A Site B Computing Element Computing Element Site C * With mutual authentication Storage Element 25

  26. % voms-proxy-init  login to the Grid • Enter PEM pass phrase: ******  private key is protected by a password • Options for voms-proxy-init: • VO name • -hours <lifetime of new credential> • -bits <length of key> • -help • % voms-proxy-destroy  logout from the grid Logging into the Grid:Creating a proxy credential [sipos@glite-tutor sipos]$ voms-proxy-init --voms gilda Enter GRID pass phrase: *********** Your identity: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/Email=sipos@sztaki.hu Creating temporary proxy ............................................................ Done Contacting voms.ct.infn.it:15001 [/C=IT/O=INFN/OU=Host/L=Catania/CN=voms.ct.infn.it] "gilda" Done Creating proxy ................................ Done Your proxy is valid until Sat Jun 23 04:55:19 2007 26

  27. Joining a Virtual Organisation Obtaining certificate:Annually • Users (and machines) are identified by certificates. • Steps • User obtains certificate from Certification Authority • User registers at the VO • usually via a web form • VO manager authorizes the user • VO DB updated • User information is replicated onto VO resources within 24 hours CA List of EGEE VOs: On CIC Operations Portal Joining VO:Once VO manager VO Membership Service Replicating VOMS DBonce a day VOMS database Grid sites User’s identity in the Grid = Subject of certificate: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/Email=sipos@sztaki.hu 27

  28. voms-proxy-init: what really happens in the background • voms-proxy-init • Creates a proxy locally • Contacts the VOMS server and extends the proxy with a role • VOMS server signs the proxy voms-proxy-init –voms gilda • Allows VOs to centrally manage user roles Proxy + VOMSroles Proxy 28

  29. Summary of Authentication / Authorization 29

  30. Introduction gLite Middleware gLite Security Site Architecture: Deployment Considerations Outline 30

  31. Deployment Considerations • Basic Site Architecture • User Interface (UI): User login environment • MON: R-GMA Server for accounting • SE (Disk Pool Manager): Storage resource services • Computing Element (CE): Gateway to computing resources • Small sites will also install: • Site-BDII • Batch system manager • NFS file system for VO software • Worker Node (WN): Job execution machine 31

  32. Deployment Considerations • Central Services • BDII: Top level information system service • Available regionally • Resource Broker (RB): Job management • RB or WMS • VO Services • LCG File Catalogue • Maps VO’s logical file names to physical file names • VO Management Service • Manages list of VO members 32

  33. Network Considerations • Grid Services • Public IP Required by each Grid service • Forward and reverse DNS configuration • Worker Node • Public IP for parallel stream file transfer • Private IP is possible • Single stream transfer for WNs to SE • Storage Elements • Bandwidth to and from Worker Nodes • Bandwidth to WAN Network • Firewall requirements • https://twiki.cern.ch/twiki/bin/view/LCG/LCGPortTable 33

  34. Hardware Requirements • Minimum: only for very small sites • Worker Node • Depends on applications • X GB scratch space for each job • X MB Memory per job • Large sites: +100 WNs • SMP or multi-core servers for CE and BDII • Install Site-BDII, Batch server and NFS server on dedicated node 34

  35. OS and Middleware Installation • gLite is certified on Scientific Linux CERN • But should work on RHEL binary compatible distributions • Include SLC yum/apt repository • Mirror SLC and gLite repository for faster Installation • Current support for SLC4/i386 • SL4/gLite 3.1: BDII, lcgCE, WN, UI, MON, DPM, etc. • SL5/x86_64 gLite 3.2 35

  36. Additional Requirements • Installation of Java SDK • Installed separately due to licensing restrictions • RPMs packages required to resolve dependencies of Middleware • Java SDK 1.5 for glite 3.1 • Synchronize server time • Configure Network Time Protocol (NTP) for every server • Required by GSI security • Configure time zone and hardware clock to UTC • Troubleshooting and comparing log files across time zones • Host certificates are required on all services • Except for UI, WN and BDII 36

  37. BGC Infrastructure • BIRUNI GRID has: • 50 IBM Blade HS21 Servers (2x Intel Xeon Quad Core 2 Ghz, with 8 GB rams). • 3 IBM x3650 servers, one as Head Node and two as Storage Nodes. • 2 IBM DS3000 series SAN with 24 Terabytes of storage capacity. • BIRUNI GRID consists of three clusters: • Khaldun Sandbox Cluster (7 worker nodes) • Razi Cluster (28 worker nodes) • Haitham Cluster (10 worker nodes)

  38. Domestic Network Support

  39. International Network Support

  40. BGC Services • Genius Grid Portal • Registration Authority for Academia Sinica Grid Computing Certification Authority • High Perfomance Computing • Support for gLite Middleware • gLite Services (SE,WMS) • Mirror for Scientific Linux and gLite Middleware • Grid Application: • MrBayes • Autodock • Gromacs • NS2 • POVRAY • Etc…

  41. Summary • EGEE is running the largest multi-VO grid in the world! • For both industry and science • EGEE III – transition to long term sustainability • EGEE’s middleware consist of: • Information system • Workload management system • Data management system • gLite Security • Authentication depends on: • x509 certificates and Public Key Infrastructure • Authorization 42

  42. Questions ? 43

More Related