310 likes | 437 Views
Research and NeSC Applications Prof Richard Sinnott Technical Director National e-Science Centre r.sinnott@nesc.gla.ac.uk 26 th October 2006. The Context. There are many Grids There are many ways to build Grids There are many different middleware competing in this space
E N D
Research and NeSC Applications Prof Richard Sinnott Technical Director National e-Science Centre r.sinnott@nesc.gla.ac.uk 26th October 2006
The Context • There are many Grids • There are many ways to build Grids • There are many different middleware competing in this space • People say Grid in grants and then build web services because Grid middleware is too hard • There are many agendas • big business, academic, … • There are many moving targets • changing middleware, changing standards, changing sciences resources/questions/funding streams… • There is a lot of hype • There is a lot of money available • There are lots of projects and big scientific challenges • There is an urgent need to build user communities • There needs to have much more research pull than middleware push • … there are many more things that could go here!
Online System Tier2 Centre ~1 TIPS Caltech ~1 TIPS Tier2 Centre ~1 TIPS Tier2 Centre ~1 TIPS Tier2 Centre ~1 TIPS HPSS HPSS HPSS HPSS HPSS 1 TIPS is approximately 25,000 SpecInt95 equivalents Physicists work on analysis “channels”. Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server Pentium II 300 MHz Pentium II 300 MHz Pentium II 300 MHz Pentium II 300 MHz Data Grids for High Energy Physics ~PBytes/sec ~100 MBytes/sec Offline Processor Farm ~20 TIPS There is a “bunch crossing” every 25 nsecs. There are 100 “triggers” per second Each triggered event is ~1 MByte in size LCG/gLite middleware (Large scale data management, large scale compute resource management, resource broking…!!!) ~100 MBytes/sec Tier 0 CERN Computer Centre ~622 Mbits/sec Tier 1 France Regional Centre Germany Regional Centre Italy Regional Centre FermiLab ~4 TIPS ~622 Mbits/sec Tier 2 ~622 Mbits/sec Institute ~0.25TIPS Institute Institute Institute Physics data cache ~1 MBytes/sec Tier 4 Physicist workstations
Challenges of NanoCMOS Design OMII-UK middleware (workflows, security, data management, resource management, …) 3D + Statistical
The e-Health Future… Globus/WS- middleware (fine grained security, data access/integration, exponential data growth, keep it simple!) Tissues Cell Organs Protein functions Protein Structures Organisms Physiology Gene expressions Populations Nucleotide structures Cell signalling Nucleotide sequences Protein-protein interaction (pathways)
NeSC Research… • Most NeSC Glasgow research is on security and ease of use across various application domains • NeSC Edinburgh focus is on middleware development especially Grid data access/integration (OGSA-DAI, DAIT, OMII-UK, eDIKT), high performance networking, data curation ….
Ease of Use • (…and setting the scene for some of the later demonstrations) • For Grids/e-Research to be truly successful • have to be made as seamless to access and use as the internet • Forget training, education for some (most?) users! • have to be based on research pull and not middleware push • experiences in various projects have shown that users don’t like digital certificates • The majority most certainly won’t jump through hoops to get on the Grid
Single Sign-On • X.509 certificate based PKI common to many Grid efforts (including UK) • Step 1. • Get a certificate • Step 2. • Get your DN registered at places you expect to use • Step 3. • Read the manuals (Globus, gLite, …) for how to submit/run a job
Step 1 • In UK e-Science community X.509 PKI based on centralised CA with direct single hierarchy to users • Typical scenario for getting Grid certificate CA 2. Check detailsof request • Request certificate • (www.grid-support.ac.uk/ca) 4. Download and install certificate in browser 5. Download and install CRL RA 3. Ok? User ? 6. Export certificate to various formats e.g. as Grid certificate $> openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem!!!! This is off-putting for end users!!! Typically not available on Windows!!! Root access? Local sys-admin?
But… • Identity management issues • Certificate Revocation Lists • When revoked? By whom? How timely? • Strong passwords for private keys • Users write them down, share them, forget them • Privilege Management • Numerous domains where never get access to local account to “do stuff” • User classification • Tinkerers vs much larger e-Research Community • they want services to point their browser at and point click to run things on the Grid • I don’t want an account on a cluster to compile/run code, I’m a biologist who wants to run BLAST on a free National Grid resource
As a result… • ~3500 UK e-Science certs • 1000 for Manchester cluster • But over 3 Million Athens accounts in UK HE/FE • Iceberg is not to scale!!!!
How Can we Improve Things? • We don’t want each domain reinventing their own security solutions • Best to exploit local authentication • Sites know best if users still at institution and are best placed to state what their privileges are/should be
Introducing Shibboleth • Shibboleth (http://shibboleth.internet2.edu) Definition Shibboleth [Hebrew for an ear of corn, or a stream or flood] 1. A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. 2. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. ] • Shibboleth will replace Athens as access mgt system across UK academia • Federations based on trust • or more accurately trust but verify • numerous international federations exist MAMS, SWITCH, HAKA, SDSS…
4. Home site authenticates user 3.User selects their home institution 2. Shibboleth redirects userto W.A.Y.F. service LDAP • User points browser at Grid resource/portal (or non-Grid resource) Typical Shibboleth Scenario Identity Provider AuthN Home Institution Federation Service provider 5. User accesses resource W.A.Y.F. User Grid resource / portal
It’s a start, but… • Benefit from local authentication but really want finer grained control… • I know you have authenticated, but I need to know that you have sufficient/correct privileges to access my VO resources • can also return various other information needed to support authorisation decisions
Authorization Technologies • Various technologies for authorization including • PERMIS • PrivilEge and Role Management Infrastructure Standards Validation • http://www.permis.org • Community Authorisation Service • http://www.globus.org/security/CAS/ • AKENTI • http://www-itg.lbl.giv/security/akenti • CARDEA • http://www.nas.nasa.gov/Research/Reports/Techreports/2003/nas-03-020-abstract.html • VOMS • http://hep-project-grid-scg.web.cern.ch/hep-project-grid-scg/voms.html • At NeSC we have been working extensively with PERMIS
Role Based Access Controls • Basic idea is to define: • roles applicable to specific VO • roles often hierarchical • Role X ≥ Role Y ≥ Role Z • Manager can do everything (and more) than an employee can do who can do everything (and more) than a trainee can do • actions allowed/not allowed for VO members • resources comprising VO infrastructure (computers, data resources etc) • A policy then consists of sets of these rules • { Role x Action x Target } • Can user with VO role X invoke service Y on resource Z? • Policy itself can be represented in many ways, e.g. XML, XACML, … • Tools available for policy editing, associating users with roles, signing policies etc • Policies stored as attribute certificates in LDAP server • (New tools/wizards presented at OGF18 Washington)
4. Home site authenticates user and pushes attributes totheservice provider 3.User selects their home institution 2. Shibboleth redirects userto W.A.Y.F. service LDAP 1. User points browser at Grid resource/portal Finer Grained Shibboleth Scenario Identity Provider Service provider Shib Frontend AuthN Home Institution 6. Make final AuthZ decision Federation Grid Application 5. Pass authentication info and attributestoauthZ function W.A.Y.F. User Grid Portal
Ok, but… • I can do authorisation but I want single-sign on to lots of distributed resources across different organisations (aka Virtual Organisations in Grid speak) • Browser allows to keep session information so can access other resources without signing in again • Provided authorisation information valid for different service providers • Each service provider completely autonomous • Can configure attribute release/attribute acceptance policies per identity provider/service provider
BRIDGES Project • More later GEMEPS Project • More later VOTES Project • More later
DyVOSE Project • Dynamic Virtual Organisations for e-Science Education (DyVOSE) project • Two year project (£289k) started 1st May 2004 funded by JISC • Exploring advanced authorisation infrastructures for security • … in Grid Computing Module as part of advanced MSc at Glasgow • providing insight into rolling Grid out to the masses!
Glasgow SoA using Glasgow DIS to issue Edin. roles Edinburgh SoA using Glasgow DIS to issue Edin. roles ACs created for Edin. roles Putting the “Dy” in DyVOSE • Dynamic PMI Case Study Glasgow Edinburgh LDAP LDAP Glasgow Education VO policies Edinburgh Education VO policies PERMIS based Authorisation checks/decisions Nucleotide + Protein Sequence DB Grid BLAST Service Grid BLAST Data Service data input Implemented by Students Protein/nucleotide data returned based on student team role Grid-data Client
Security Related Projects • GLASS • JISC funded started March 2006 • Exploring early adoption of Shibboleth • Working with Computer Services directly • Scenarios based upon teaching and access to NHS resources/data • Includes brain trauma (interest to neuro-folk/CARMEN?) • Builds upon university wide unified account management system being rolled out (based on Novell nSure technology) • ESP-Grid • JISC/Oxford University funded • Developed demonstrator to show how Grid resources can be accessed and used via Shibboleth technology • Grid Security Report • JISC/JCSR funded • Focus on Grid security practices, middleware and outlook • Grid meets Geographical Information Systems • JISC funded with focus on Shibboleth access to GIS data resources
Grid Enabled Occupational Data Environment (GEODE) • GEODE • Funded by ESRC lead by University of Stirling • Two year project aiming to develop Grid enabled portal for occupational data • includes integration of various existing classification schemes • More later!
Grid Enabling Biomedical Pathway Simulator • To extend software from DTI funding BPS project to benefit from the Grid • Biochemical differential equation solver • Parameter searches • Security aspects important
Scottish Bioinformatics Research Network • Four year proposal (£2.4M) started February 2006 • Funded by Scottish Enterprise, Scottish Higher Education Funding Council, Scottish Executive Environment and Rural Affairs Department • Involves Glasgow, Dundee, Edinburgh, Scottish Bioinformatics Forum • Aim to provide bioinformatics infrastructure for Scottish health, agriculture and industry • Infrastructure support at Dundee, Edinburgh and Glasgow to support first-rate research in bioinformatics at each academic institute • Infrastructure support at three institutes, to support inter-institutional sharing of compute and data resources through application of Grid computing • Outreach and training activities mediated by the Scottish Bioinformatics Forum
Scottish Family Health Study • Five (2+3) year proposal (£4.6M) started January 2006 • Funded by Health Department and Department for Enterprise and Lifelong Learning • Involves Glasgow, Dundee, Edinburgh, Aberdeen • focus of genetics as applied to healthcare • first two years emphasis on providing a platform for research into the genetic basis of common complex diseases in Scotland • Mental health, cardiovascular, … • Plan to establish 15,000 family-based intensively-phenotyped cohort recruited from the East and West of Scotland • basis for neutralising heritable (genetic) risk factors in disease surveillance, treatment optimisation, avoidance of adverse drug events and prediction of response to therapy, health care planning and drug discovery, …
Meeting the Design Challenge of nanoCMOS Electronics £5.3M EPSRC Pilot – kicks off next week Toshiba 04 Device diversification 90nm: HP, LOP, LSTP 45nm: UTB SOI 32nm: Double gate 4-year project with lots of international visibility
Current Efforts • AHRC Grant proposals • Performance Arts • Scottish Language and Literature • OMII proposals • Visualisation service • Scottish Enterprise • Production level clinical e-Infrastructure for Scotland • Wellcome Trust • Grid based biomedical visualisation infrastructure • EPSRC • Grid based brain trauma co-ordination with China • Links to CARMEN • Construction Industry and Grids • JISC • MANY bids on-going in e-Infrastructure, e-Repositories, … areas • And of course the Scottish Grid Service…
Opportunities • There are more opportunities than can be followed up • All funding councils, DTI, JISC, Europe FW7, international calls • How long for…? • Often difficult to get the first grant…? • More than happy to work with folk…?