Coregrid Workpackage 5 Virtual Institute on Grid Information and Monitoring Services
Jiři Denemark, Michał Jankowski, Aleš Křenek, Ludek Matyska, Norbert Meyer, Miroslav Ruda, Paweł Wolniewicz
Best Practices for User Account Management with Virtual Organization Based Access to Grid
PPAM 2005, Poznan, September 11-14 2005
Outline
• Introduction
• Goals
• Example Approaches
  • Perun
  • VUS
• Conclusions
European Research Network on Foundations, Software Infrastructures and Applications for large scale distributed, GRID and Peer-to-Peer Technologies
Introduction
• Aims of User Management
  • Provide controlled and secure access to Grid resources
  • Accounting
  • Provide an effective way of introducing/removing users and granting/revoking privileges
Security
• Authentication
  • single sign-on
  • credential delegation
  • integration with local security solutions
• Fine-grained authorization (maximum security for resources with minimum limitations to the users)
  • Membership in a Virtual Organization
  • User role in the VO
  • Capabilities
• Combined security policies of the VO and the resource owner (delegation of some administrative privileges and work from the node administrator to the VO)
• Possibility of logging user activities for audit
Isolation of user work
• Two different jobs should not interact in an unwanted and unpredictable way, e.g. by overwriting each other's results.
• It must be possible to identify WHO, WHEN and on WHOSE BEHALF (which VO) used specific resources, or performed or attempted some action.
• Isolation also means limiting the environment in which the job is run.
• In some cases (e.g. collaboration) the isolation rules could be weakened.
• By a virtual environment we understand an encapsulation of user jobs that both guarantees a limited set of privileges and supports identification of the user and of the organization on whose behalf he/she acts. Virtual accounts, sandboxes, and virtual machines are examples of different approaches to creating virtual environments.
Accounting
• Essential for a production grid, especially a commercial one.
• Needs collecting data from many locations and mapping the data to Grid users and VOs (instead of local identities).
• Jobs must be isolated, and the history of user to virtual environment mappings must be stored.
Effective and scalable Management
• The administrative burden must be divided between VO managers and resource managers.
• Avoid duplication of administrative work (e.g. creating user accounts on each node).
• Take into account the very dynamic structure of the Grid: many administrative domains, heterogeneity, different local policies.
Virtual User System - Motivation
• Ease management of user accounts in Globus-based grids
  • We expect many virtual organizations with hundreds or even thousands of users
  • Maintaining personal user accounts on dozens of nodes becomes impossible
  • The grid-mapfile requires too much administration time
  • Static accounts are not appropriate for dynamic VOs
• Enable fine-grained and flexible authorization
  • Need for combining security policies of the VO and resource owners
  • Reusing already implemented authorization services and mechanisms
• Enable accounting and tracking of user activities
  • This is crucial for production grids shared between many institutions
  • Guest or anonymous accounts are insufficient
  • No mechanism for gathering accounting data from multiple nodes
Virtual User System - Architecture
[Architecture diagram: a Grid Node running GAM (Globus Authorisation Module) with a plug-in, together with VOIS (Virtual Organization Information System), SAIS (Site Accounting Information System) and Grid Accounting; each component exposes a web service interface over its own storage subsystem]
• VUS is an extension of the system that runs users' jobs which allows running jobs without having a user account on the node. The user is authenticated, authorized and then logged on to a 'virtual' account (one user per account at a time). The history of user-account mappings is stored, so that accounting and tracking of user activities is possible.
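An added example (not the authors' VUS code) of the mapping logic the slide describes: a pool of pre-created local accounts, a lease of one account per authenticated user at a time, and a retained mapping history that answers the accounting question "who, on behalf of which VO, held this account at that moment". The `vo_policy` table standing in for the VO/resource-owner policy combination is a hypothetical simplification.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Mapping:
    """One lease of a local virtual account to a Grid identity (the audit record)."""
    account: str
    user_dn: str                    # certificate subject of the authenticated user
    vo: str                         # VO on whose behalf the user acts
    start: datetime
    end: Optional[datetime] = None  # None while the lease is still active


class VirtualUserPool:
    """Pool of pre-created local accounts leased to authorized Grid users."""

    def __init__(self, accounts: List[str], vo_policy: Dict[str, Set[str]]):
        self.free = list(accounts)              # accounts with no current lease
        self.active: Dict[str, Mapping] = {}    # user_dn -> current lease
        self.history: List[Mapping] = []        # every lease ever granted, never pruned
        self.vo_policy = vo_policy              # vo -> roles this node admits (hypothetical)

    def authorize(self, vo: str, role: str) -> bool:
        # The VO asserts membership and role; the resource owner decides which
        # VO/role pairs are admitted on this node (combined policy).
        return role in self.vo_policy.get(vo, set())

    def map_user(self, user_dn: str, vo: str, role: str, now: datetime) -> str:
        if not self.authorize(vo, role):
            raise PermissionError(f"{vo}/{role} not admitted on this node")
        if user_dn in self.active:                  # user already holds an account
            return self.active[user_dn].account
        if not self.free:
            raise RuntimeError("no free virtual account")
        lease = Mapping(self.free.pop(0), user_dn, vo, now)
        self.active[user_dn] = lease
        self.history.append(lease)
        return lease.account

    def release(self, user_dn: str, now: datetime) -> None:
        lease = self.active.pop(user_dn)
        lease.end = now
        self.free.append(lease.account)  # account is reusable; the old lease stays in history

    def who_used(self, account: str, when: datetime) -> Optional[Tuple[str, str]]:
        """Accounting query: which Grid user and VO held `account` at time `when`?"""
        for lease in self.history:
            if lease.account == account and lease.start <= when and (lease.end is None or when < lease.end):
                return (lease.user_dn, lease.vo)
        return None
```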
Virtual User System – Implementation and Deployment
• The first implementation was an extension to queuing systems and was successfully exploited 3 years ago in the Polish national cluster
• The current VUS adopts the above idea for the grid environment and allows VO-based authorization. Technically it is a Globus 'gridmap callout' and has been implemented from scratch.
• VUS has been used or will be used in a number of national and international projects:
Perun - Motivation
• Manage user accounts on heterogeneous computing resources in the MetaCentre project.
  • Distinct administrative domains.
  • Configure related services (Kerberos, AFS, LDAP, batch systems, ...)
• Be resistant to resource failures.
• Do not introduce a single point of failure.
• Be scalable, extensible, secure.
• Many complicated constraints spanning multiple resources, frequent changes.
• Administrators' autonomy.
Perun - Architecture
• Central Configuration Database (relational database).
  • Primary repository of resource configuration information.
  • Application-specific data model, no structure enforced.
  • Normalized data, integrity constraints enforced.
• Changes in the database are watched by database triggers; a data change starts a service update.
• A service is a configuration unit, always changed atomically (service PASSWD = changes in /etc/passwd, /etc/shadow, /etc/group, /etc/aliases).
• The "configuration files/database" of the managed services are changed; there is no run-time dependency on Perun.
• Support for service dependencies, application-specific plugins.
• Failures are detected, services are re-planned eventually.
• Human actions: notification via email, changes via UI (web, command line).
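An added example (not Perun's own code) of what "service = configuration unit, changed atomically, no run-time dependency" means for the PASSWD service: rows from the configuration database are validated against integrity constraints, rendered into passwd/shadow/group content, and only then installed by staging every file and renaming into place, so the node keeps working from plain files afterwards. The row layout is a constructed stand-in for Perun's data model, and /etc/aliases is left out.

```python
import os
import tempfile
from typing import Dict, List


def render_passwd_service(users: List[dict], groups: List[dict]) -> Dict[str, str]:
    """Render the files of the PASSWD service from (constructed) database rows.
    Constraints are checked first, so one bad row rejects the whole service
    update rather than leaving the node half-configured."""
    logins = [u["login"] for u in users]
    uids = [u["uid"] for u in users]
    gids = {g["gid"] for g in groups}
    if len(set(logins)) != len(logins) or len(set(uids)) != len(uids):
        raise ValueError("duplicate login or uid in PASSWD service data")
    for u in users:
        if u["gid"] not in gids:
            raise ValueError(f"user {u['login']} references unknown gid {u['gid']}")
    passwd = "".join(f"{u['login']}:x:{u['uid']}:{u['gid']}:{u['name']}:{u['home']}:{u['shell']}\n"
                     for u in users)
    shadow = "".join(f"{u['login']}:!:::::::\n" for u in users)   # locked: Kerberos authenticates
    group = "".join(f"{g['name']}:x:{g['gid']}:"
                    + ",".join(u["login"] for u in users if u["gid"] == g["gid"]) + "\n"
                    for g in groups)
    return {"passwd": passwd, "shadow": shadow, "group": group}


def apply_service(files: Dict[str, str], etc_dir: str) -> List[str]:
    """Install every file of one service. All content is staged into temp files
    in the target directory before the first rename, so a failure while staging
    leaves the live files untouched; each rename itself is atomic. Once renamed,
    the files are ordinary NSS files with no dependency on the management system."""
    staged = []
    try:
        for name, content in files.items():
            fd, tmp = tempfile.mkstemp(dir=etc_dir, prefix=f".{name}.")
            with os.fdopen(fd, "w") as f:
                f.write(content)
            os.chmod(tmp, 0o600 if name == "shadow" else 0o644)
            staged.append((tmp, os.path.join(etc_dir, name)))
    except Exception:
        for tmp, _ in staged:           # roll back: remove staged files, keep live ones
            os.unlink(tmp)
        raise
    for tmp, dest in staged:
        os.replace(tmp, dest)
    return [dest for _, dest in staged]
```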
Perun - Deployment
• MetaCentre project (since 1998)
  • 4 administratively independent institutes
  • Managing 4 SGI supercomputers, almost 200 PC cluster nodes, approx. 20 heterogeneous auxiliary machines
  • Higher-level WWW interface integrated with the project portal
  • 300 active users today
• SITOLA (networking technologies laboratory)
  • Completely independent administration
  • Approx. 20 machines and 40 users
• Gridlab
  • EU project, 20 sites across Europe + US, 80 users
Conclusions
• A user management system must deal with a large, dynamic set of users belonging to different administrative domains and closely related to VOs, so the problem is not trivial.
• There are a number of tools addressing the problem, but probably none of them solves it in a comprehensive and satisfactory way.
• Possible approaches to the problem may be very different (by motivation, requirements, understanding of concepts, implementation, Grid environment), whether they cover similar or complementary issues, so there is no easy way to combine the solutions.
• Common basis: precise definitions, common concepts and use cases may lead to designing a new, more general architecture of a user account management system. We would like to deal with this within the Coregrid project.