Leveraging Campus Authentication to Access the TeraGrid - OR - Partnering with Campuses to Broaden Participation in TeraGrid. Scott Lathrop TeraGrid Director Education, Outreach and Training lathrop@mcs.anl.gov Tom Barton University of Chicago tbarton@uchicago.edu www.teragrid.org.
TeraGrid Vision
TeraGrid will create integrated, persistent, and pioneering computational resources that will significantly improve our nation’s ability and capacity to gain new insights into our most challenging research questions and societal problems. This vision requires an integrated approach to the scientific workflow including obtaining access, application development and execution, data analysis, collaboration and data management.
TeraGrid Architectural Model
[Diagram labels: POPS; TeraGrid Infrastructure (Network, Accounting, …); Help; Compute Service; Viz Service; Data Service]
TeraGrid Resources
• Computing - over 250 Tflops today and growing
  • 500 Tflop system comes on-line in January at TACC
  • U Tennessee system to come on-line in 2008
• Visualization - Remote visualization servers and software
• Data
  • Allocation of data storage facilities
  • Over 100 Scientific Data Collections
• Access
  • Over 20 Science Gateways
  • Shibboleth testbed to facilitate access
  • Central allocations mechanism
• Support and Services
  • Centralized help desk for all resource providers
  • Advanced Support for TeraGrid Applications (ASTA)
  • Education and training events and resources
Requesting Allocations of Time
• TeraGrid resources are provided for free to academic researchers and educators
• Development Allocations Committee (DAC): requests for start-up accounts of up to 30,000 hours of time (start-up and courses) are processed in two weeks
• Medium Resource Allocations Committee (MRAC): requests of up to 500,000 hours of time are reviewed four times a year
• Large Resource Allocations Committee (LRAC): requests of over 500,000 hours of time are reviewed twice a year
TeraGrid Usage
[Chart: Specific Allocations and Roaming Allocations, in Normalized Units (millions); 33% Annual Growth]
TeraGrid currently delivers an average of 420,000 cpu-hours per day -> ~21,000 CPUs DC
Dave Hart (dhart@sdsc.edu)
Science Gateways: Broadening Participation in TeraGrid
[Image: Workflow Composer]
• Increasing investment by communities in their own cyberinfrastructure, but heterogeneous:
  • Resources
  • Users – from expert to K-12
  • Software stacks, policies
• Science Gateways
  • Provide “TeraGrid Inside” capabilities
  • Leverage community investment
• Three common forms:
  • Web-based Portals
  • Application programs running on users' machines but accessing services in TeraGrid
  • Coordinated access points enabling users to move seamlessly between TeraGrid and other grids.
Source: Dennis Gannon (gannon@cs.indiana.edu)
“HPC University”
• Advance researchers’ HPC skills
  • Catalog of live and self-paced training
  • Schedule series of training courses
  • Gap analysis of materials to drive development
• Work with educators to enhance the curriculum
  • Search catalog of HPC resources
  • Schedule workshops for curricular development
  • Leverage good work of others
• Offer Student Research Experiences
  • Enroll in HPC internship opportunities
• Offer Student Competitions
• Publish Science and Education Impact
  • Publish transformative Science Highlights
  • Publish education resources to NSDL-CSERD
CI Days
• Working with campuses to take a leadership role applying CI to accelerate scientific discovery
• Assist in catalyzing campus-wide discussions and planning
• Collaboration of Open Science Grid, Internet2, National LambdaRail, EDUCAUSE, Minority Serving Institution Cyberinfrastructure Empowerment Coalition, TeraGrid, and local and regional organizations
http://cidays.org
Campus Champions Program
• Training program for campus representatives
• Campus advocate for TeraGrid and CI resources
• TeraGrid ombudsman for local users
• Quick start-up accounts managed by campus representative
• Direct contact with TeraGrid staff for quick problem resolution
We’re looking for campuses interested in joining!
Scaling the TeraGrid Community
[Diagram labels: project, Science Gateway, Resource Provider, TGCDB, uid, Grant Programs. Scale: O(10000) Users, O(1000) PIs, O(10) Resource Providers, O(10) Gateways, O(10) Programs]
Q&A
• What are campuses doing to provide Shibboleth access to the desktops of the users?
• What are the needs of the user community?
• How is the community benefiting from single sign-on capabilities today?
• Anticipating TG putting the TGUP and POPS online as a Shibboleth SP, would campuses consider that a carrot that would help convince them to become IdPs?
• Are campuses in a position to provide persistent identifiers and contact information about their faculty and grad students via Shibboleth?
For More Information
www.teragrid.org
www.computationalscience.org
www.s-education.org
www.nsdl.org
cserd.nsdl.org
www.nsf.gov/oci/
http://cidays.org
lathrop@mcs.anl.gov
Account management
• Central process for getting/managing allocation
  • NSF Allocations process
• Central database keeps track of TeraGrid user accounts at all sites
  • no uid or username alignment across sites
• Also keeps track of User’s Grid Identities
  • X.509 DNs
  • Both TG-issued and from external CAs
  • Pushes out to all sites
• All users have a TG username and password
  • Exposed via Kerberos 5 domain and MyProxy online-CA
  • TeraGrid User Portal
TeraGrid Access
• Traditional interactive SSH login via Site authn
• Grid (PKI) SSO SSH interactive login
  • Short-lived PKI credentials issued via MyProxy and User’s TG username & password
  • Hides site-specific identity details from user
• Grid Services
  • Globus job submission, GridFTP, etc.
• Science Gateways/Web Portals
  • Have own user databases
  • Tied to community accounts and allocations on TG sites
  • Give constrained, domain-specific interface
Ultimate Id Federation Goals and Testbed
• Allow scaling of TeraGrid to O(10k)+ users
  • Get TeraGrid out of identity management game to allow this
  • Leverage existing campus identity management
• Allowing servicing of existing VO’s
  • Attribute-based authorization
• Allow for incident response
  • Blocking and/or contacting problematic users
• Testbed to evaluate how Shibboleth, GridShib and other tools can achieve this
  • NCSA, Purdue
Testbed Thrusts
• Three thrusts…
• One: Java-based Grid-enabled SSH and MyProxy client
  • Build on work from UK NGS
    • http://www.grid-support.ac.uk/files/gsissh/
  • Allow user to do Grid-based SSH SSO with no Grid client installation
    • Just vanilla Java
  • Using TeraGrid username and password
  • This is working:
    • http://grid.ncsa.uiuc.edu/gsi-sshterm/
Testbed Thrusts
• Two: Shibboleth-based TeraGrid Access
  • Using GridShib-CA to access existing TeraGrid account
    • In Shibboleth terms, a Shibboleth SP that issues short-lived Grid credentials
  • Allows user to connect to TeraGrid using their local campus authentication
  • Integrated with Java GSI-SSH client to allow for zero-client install SSH access
  • Currently doing bi-lateral Shibboleth peering
    • eventually InCommon
  • Requires ePPN from IdP
  • Friendly user mode
  • One time registration of Shibboleth-based X.509 DN
  • http://gridshib-ca.ncsa.uiuc.edu/
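Added example (not from the slides and not GridShib-CA's own code): a sketch of the checks a Shibboleth SP that issues short-lived Grid credentials would make before signing, combining the ePPN requirement and one-time DN registration above with the incident-response blocking goal. The DN layout, the 12-hour lifetime cap, the IdP entityID and all function names are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data: IdP entityID -> scopes it is authoritative for.
IDP_SCOPES = {"https://idp.example.edu/shibboleth": {"example.edu"}}
MAX_LIFETIME = timedelta(hours=12)  # assumed cap for a short-lived credential
registrations = {}                  # subject DN -> TeraGrid username
blocked_dns = set()                 # incident-response block list

EPPN_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+")


def subject_dn(idp, attrs):
    """Derive the credential subject from the IdP-asserted ePPN."""
    eppn = attrs.get("eduPersonPrincipalName", "")
    if not EPPN_RE.fullmatch(eppn):
        raise PermissionError("missing or malformed ePPN")
    user, scope = eppn.split("@")
    if scope.lower() not in IDP_SCOPES.get(idp, set()):
        raise PermissionError("IdP is not authoritative for this scope")
    # Hypothetical DN layout; a real CA defines its own namespace.
    return f"/DC=org/DC=example/O={scope.lower()}/CN={user}"


def register(idp, attrs, tg_username):
    """One-time link of the Shibboleth-based DN to a TeraGrid account."""
    dn = subject_dn(idp, attrs)
    if registrations.setdefault(dn, tg_username) != tg_username:
        raise PermissionError("DN already registered to another account")
    return dn


def authorize_issuance(idp, attrs, requested, now=None):
    """Return (dn, tg_username, not_after) or raise PermissionError."""
    now = now or datetime.now(timezone.utc)
    dn = subject_dn(idp, attrs)
    if dn in blocked_dns:
        raise PermissionError("subject blocked pending incident response")
    if dn not in registrations:
        raise PermissionError("DN not registered to a TeraGrid account")
    if requested <= timedelta(0):
        raise PermissionError("non-positive lifetime requested")
    return dn, registrations[dn], now + min(requested, MAX_LIFETIME)
```

The scope check matters because the DN is built from the ePPN: without it, any peered IdP could assert another campus's scope and obtain a credential for that campus's user.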
Testbed Thrusts
• Three: Attribute-based authorization from Science Gateways
  • Allow Science Gateways to push VO attributes to TeraGrid sites
  • Could be passed from user’s IdP or generated locally
  • In development.
Overview of TG Allocations Process
• Potential PI makes a proposal
  • Via Partnership Online Proposal System (POPS)
  • Can be for combination of compute, storage, and advanced consulting (ASTA)
• Proposal is reviewed
  • Startup proposals (DACS) in real-time
  • Medium and Large by committees (MRAC, LRAC)
• Successful PI gets login on one or more resource provider sites
• TeraGrid User Portal provides means of administering allocation
  • http://portal.teragrid.org
• Details: http://www.ci-partnership.org/Allocations/
PI Requirements
• PI must be a researcher or educator at a U.S. academic or non-profit research institution
• Students may not be PIs but can be added to PI’s allocation
TeraGrid User Portal SSO
• TG User Portal is being integrated with back-end resources to provide single interface to resources
What Does the Community Need?
• Do you have users currently using Shibboleth?
• What are they using it for and what has been their experience?
• How can Shibboleth access to TeraGrid resources best enhance their research and education efforts?
Next Steps and Issues
• TeraGrid is applying for InCommon membership as a service provider
  • TeraGrid User Portal as Shibboleth SP
• Open issues:
  • Level of Assurance for PIs/users
  • Incident Response: responsibilities of campuses when something goes wrong
TeraGrid User Community Gateways Growth Target Dave Hart (dhart@sdsc.edu)
TeraGrid Usage Modes in CY2006 500 Grid-y Users
Advanced Support for TeraGrid Applications
• Virtualized Resources, Ensembles: FOAM Climate Model, Liu (UWisc)
• Coupled Simulation: Full Body Arterial Tree Simulation, Karniadakis (Brown)
Sources: Ian Foster (UC/ANL), Mike Papka (UC/ANL), George Karniadakis (Brown). Images by UC/ANL.
TeraGrid Wide Initiatives (2007-9)
• Science Gateways
  • Completing first generation integrations
  • Tutorials, Documentation, Services
  • Develop “consulting” approach
• Software as Service/Service Oriented Architecture
  • Capability Kits and Service Directory
  • Investigate Service Hosting Capabilities/Need
• Operations
  • Improved Instrumentation, monitoring, testing
TeraGrid Open Initiatives (2007-9)
• Campus Infrastructure Engagement
  • HPC University & Institutional Ambassadors
  • Client Software Kit/distribution
  • Followup on Shibboleth/inCommon testbed
• Open Science Grid Partnership (& EGEE)
  • Software stack alignment on Condor + Globus
  • Training/Education/Outreach
• Grid Interoperation Now (GIN)
  • Focus next on Information Services and joint use cases
  • Demand growing, but still tentative
• Commercial Service Provision
  • TG buys some internal project services now (e.g. Wiki, surveymonkey)
  • Looking at Web, Mail, …
TeraGrid Identity Federation Testbed Update
I2MM, April 25, 2007
Von Welch, NCSA/U. of Illinois
TeraGrid Objectives
• DEEP Science: Enabling Petascale Science
  • Make Science More Productive through an integrated set of very-high capability resources
  • Address key challenges prioritized by users
• WIDE Impact: Empowering Communities
  • Bring TeraGrid capabilities to the broad science community
  • Partner with science community leaders - “Science Gateways”
• OPEN Infrastructure, OPEN Partnership
  • Provide a coordinated, general purpose, reliable set of services and resources
  • Partner with campuses and facilities
Gateways are Expanding
• 10 initial projects as part of TG proposal
• >20 Gateway projects today
• No limit on how many gateways can use TG resources
• Prepare services and documentation so developers can work independently

Gateway projects:
• Open Science Grid (OSG)
• Special PRiority and Urgent Computing Environment (SPRUCE)
• National Virtual Observatory (NVO)
• Linked Environments for Atmospheric Discovery (LEAD)
• Computational Chemistry Grid (GridChem)
• Computational Science and Engineering Online (CSE-Online)
• GEON (GEOsciences Network)
• Network for Earthquake Engineering Simulation (NEES)
• SCEC Earthworks Project
• Network for Computational Nanotechnology and nanoHUB
• GIScience Gateway (GISolve)
• Biology and Biomedicine Science Gateway
• Open Life Sciences Gateway
• The Telescience Project
• Grid Analysis Environment (GAE)
• Neutron Science Instrument Gateway
• TeraGrid Visualization Gateway, ANL
• BIRN
• Gridblast Bioinformatics Gateway
• Earth Systems Grid
• Astrophysical Data Repository (Cornell)
Questions? • vwelch@ncsa.uiuc.edu
A Simple Use Case: TeraGrid Allocations Process Von Welch NCSA
TeraGrid Overview
• Eleven site federation of Resource Providers
  • http://www.teragrid.org/
  • Each with own accounts, processes, policies, etc.
  • There exist both TeraGrid users and local, site-specific users
• O(4K) TeraGrid users from wide variety of different sites
  • Most users not from TeraGrid sites
  • Almost all from U.S. campuses
• TeraGrid users have accounts on some/all sites
• Each site has own local users as well
• These are centrally managed