Virtual User System for Globus based grids Norbert Meyer, Paweł Wolniewicz, Michał Jankowski - Poznan Supercomputing and Networking Center
Motivation
• Ease management of user accounts in Globus-based grids
  • We expect many virtual organizations (VOs) with hundreds or even thousands of users
  • Maintaining personal user accounts on dozens of nodes becomes impossible
  • The grid-mapfile requires too much administration time
  • Static accounts are not appropriate for dynamic VOs
• Enable fine-grained and flexible authorization
  • Need to combine the security policies of the VO and of the resource owners
  • Reuse already implemented authorization services and mechanisms
• Enable accounting and tracking of user activities
  • This is crucial for production grids shared between many institutions
  • Guest or anonymous accounts are insufficient
  • There is no mechanism for gathering accounting data from multiple nodes
Virtual User System
• VUS is an extension of the system that runs users' jobs which allows a job to run without the user having a personal account on the node. The user is authenticated and authorized, and is then logged on to a 'virtual' account (one user per account at a time). The history of user-to-account mappings is stored, so that accounting and tracking of user activities remain possible.
• The first implementation was an extension to queuing systems; it was deployed successfully three years ago in the Polish national cluster.
• The current VUS adapts the above idea to a grid environment and allows VO-based authorization. Technically it is a Globus 'gridmap callout', implemented from scratch.
Authorization plugins
• gridmap file
• banned file
• vo-prefix-map file
• Virtual Organization Information System (VOIS)
• Resource Access Decision (RAD)
• Grid Authorization Service (GAS)
VOIS Authorization - Example
[Diagram: VO hierarchy under the VO admins' security policy: the Clusterix VO with sub-VOs TUC, Cyfronet and PSNC, each subdivided into scientists, operators, programmers, staff and Lab_users. Under the node admin's security policy the Grid Node defines the account groups guests, common and power, each with its own pool of logins, and maps sub-VOs onto them.]
VOIS Authorization - Advantages
• Fine-grained:
  • combines the security policies of the VO and of the resource owner (grid node administrator)
  • a VO may express differences between groups of its users by defining a hierarchy of sub-VOs
  • the resource owner may reflect this differentiation by mapping sub-VOs to different account groups with different rights
  • additional, resource-specific policies may be implemented as a Globus GRAM callout that uses the VUS database and mechanisms
• Effective:
  • distributed, hence scalable
  • caching mechanisms implemented
• Little administrative effort:
  • the grid node administrator configures access at VO level rather than per user
  • the VO administrator manages his own users
  • in large VOs, user management may be delegated down the hierarchy
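The mechanism described on the Virtual User System slide and the VOIS authorization slides above, as an added example; this is not PSNC's VUS code, only a simulation of the callout's decision sequence: banned file first, then the static grid-mapfile, then sub-VO membership resolved through the node admin's vo-prefix-map to an account group, then a lease of one free account from that group's pool (one user per account at a time) with the mapping history recorded for later tracking. All DNs, VO names, policy entries and account pools are constructed for the example.

```python
"""VUS-style gridmap callout, simulated (added example, not PSNC's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DN_ALICE = "/C=PL/O=PSNC/CN=Alice"   # hypothetical DNs
DN_BOB = "/C=PL/O=PSNC/CN=Bob"
DN_CAROL = "/C=PL/O=TUC/CN=Carol"

# Constructed VO membership, as VOIS would answer it.
VO_MEMBERS: Dict[str, set] = {
    "/clusterix/psnc/scientists": {DN_ALICE},
    "/clusterix/psnc/staff": {DN_BOB},
    "/clusterix/tuc/lab_users": {DN_CAROL},
}
# Hypothetical node-admin vo-prefix-map: the longest matching sub-VO prefix
# wins, so the resource owner can single out one sub-VO or treat a whole VO
# alike. Groups are ranked so a member of several sub-VOs gets the most
# privileged group the node grants.
VO_PREFIX_MAP = {"/clusterix/psnc/scientists": "power",
                 "/clusterix/psnc": "common",
                 "/clusterix": "guests"}
GROUP_RANK = ["guests", "common", "power"]
BANNED = {DN_BOB}                                  # banned file
GRIDMAP = {"/C=PL/O=PSNC/CN=Admin": "admin"}       # static grid-mapfile


@dataclass
class MappingRecord:
    dn: str
    account: str
    start: datetime
    end: Optional[datetime] = None


class VirtualUserSystem:
    def __init__(self, pools: Dict[str, List[str]]):
        self.pools = {g: list(a) for g, a in pools.items()}
        self.active: Dict[str, str] = {}          # account -> DN
        self.history: List[MappingRecord] = []

    def account_group(self, dn: str) -> Optional[str]:
        """DN -> sub-VOs -> node account group, by longest prefix match."""
        groups = []
        for vo, members in VO_MEMBERS.items():
            if dn not in members:
                continue
            matches = [p for p in VO_PREFIX_MAP if vo == p or vo.startswith(p + "/")]
            if matches:
                groups.append(VO_PREFIX_MAP[max(matches, key=len)])
        return max(groups, key=GROUP_RANK.index) if groups else None

    def map_user(self, dn: str, now: datetime) -> str:
        """The callout proper: local account for an already authenticated DN."""
        if dn in BANNED:
            raise PermissionError(f"{dn} is banned on this node")
        if dn in GRIDMAP:                          # personal account still wins
            return GRIDMAP[dn]
        for acct, holder in self.active.items():
            if holder == dn:                       # already leased: reuse it
                return acct
        group = self.account_group(dn)
        if group is None:
            raise PermissionError(f"{dn}: no VO grants access to this node")
        free = [a for a in self.pools[group] if a not in self.active]
        if not free:
            raise RuntimeError(f"account pool '{group}' exhausted")
        acct = free[0]
        self.active[acct] = dn
        self.history.append(MappingRecord(dn, acct, now))
        return acct

    def release(self, account: str, now: datetime) -> None:
        """Job finished: free the account and close its history record."""
        dn = self.active.pop(account)
        for rec in reversed(self.history):
            if rec.account == account and rec.dn == dn and rec.end is None:
                rec.end = now
                break

    def who_used(self, account: str, at: datetime) -> Optional[str]:
        """Tracking: which person held this account at time `at`?"""
        for rec in self.history:
            if rec.account == account and rec.start <= at and (rec.end is None or at < rec.end):
                return rec.dn
        return None


def run_scenario() -> dict:
    """Walk three hypothetical users through the callout and return the outcomes."""
    vus = VirtualUserSystem({"power": ["power01", "power02"],
                             "common": ["common01"], "guests": ["guest01"]})
    t0 = datetime(2005, 1, 1, 12, 0)
    out = {"alice": vus.map_user(DN_ALICE, t0),                        # power01
           "carol": vus.map_user(DN_CAROL, t0),                        # guest01
           "alice_again": vus.map_user(DN_ALICE, t0 + timedelta(minutes=5))}
    for name, dn in (("bob", DN_BOB), ("nobody", "/C=PL/O=X/CN=Nobody")):
        try:
            vus.map_user(dn, t0)
            out[name] = "mapped"
        except PermissionError:
            out[name] = "denied"
    vus.release("power01", t0 + timedelta(hours=1))
    out["mid"] = vus.who_used("power01", t0 + timedelta(minutes=30))    # Alice
    out["after"] = vus.who_used("power01", t0 + timedelta(minutes=90))  # None
    out["records"] = len(vus.history)                                   # 2
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Note the order of checks: the banned file is consulted before anything else, so a banned DN is refused even if it still has a grid-mapfile entry or a valid VO membership, and the static grid-mapfile is consulted before the pool so personal accounts keep working alongside virtual ones.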
Accounting - Functionality
• Storing standard and non-standard resource usage information (resource types are user-defined)
• Standard resource usage is stored automatically
• Cost computation based on a price list
• Access to the accounting data in different roles: user, resource owner, organization manager
• Information on a single user is available despite the lack of personal user accounts on grid nodes
• Cyclic summarizing of atomic accounting data on the grid node
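How the accounting functions listed above fit together, as an added example that is not PSNC's accounting code: atomic usage records a node writes per local account are joined with the account-mapping history to attribute them to a person, priced from a price list whose resource types are free-form, summarized per user and period, and finally filtered by role. The mapping history, usage records, DNs, prices and role names are all constructed for the example; the org-manager view keys on the `/O=` component of the DN, which is an assumption of this example, not something the slides specify.

```python
"""Accounting over VUS mapping history, simulated (added example, not PSNC's code)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

DN_ALICE = "/C=PL/O=PSNC/CN=Alice"   # hypothetical DNs
DN_CAROL = "/C=PL/O=TUC/CN=Carol"

# Constructed mapping history for one virtual account: who held it and when.
MAPPING_HISTORY = [
    ("power01", DN_ALICE, datetime(2005, 1, 1, 12, 0), datetime(2005, 1, 1, 13, 0)),
    ("power01", DN_CAROL, datetime(2005, 1, 1, 13, 30), None),   # still active
]
# Constructed atomic usage records as the node would write them, keyed by
# account. Resource types are free-form; "gpu_hours" stands for a
# non-standard one the site defined itself.
USAGE = [
    ("power01", datetime(2005, 1, 1, 12, 15), "cpu_hours", 2.0),
    ("power01", datetime(2005, 1, 1, 12, 40), "gpu_hours", 0.5),
    ("power01", datetime(2005, 1, 1, 13, 10), "cpu_hours", 4.0),   # nobody mapped then
    ("power01", datetime(2005, 1, 1, 13, 45), "cpu_hours", 1.0),
]
PRICE_LIST = {"cpu_hours": 1.5, "gpu_hours": 10.0}   # hypothetical cost per unit

Record = Tuple[str, datetime, str, float]


def holder_at(account: str, at: datetime, history=MAPPING_HISTORY) -> Optional[str]:
    """Which DN held `account` at time `at`, per the mapping history."""
    for acct, dn, start, end in history:
        if acct == account and start <= at and (end is None or at < end):
            return dn
    return None


def attribute(usage=USAGE, history=MAPPING_HISTORY) -> Tuple[List[Record], List[Record]]:
    """Join usage with history; records nobody held are returned as orphans
    rather than silently charged to the next or previous user."""
    attributed, orphans = [], []
    for acct, at, rtype, amount in usage:
        dn = holder_at(acct, at, history)
        (orphans if dn is None else attributed).append(
            (acct if dn is None else dn, at, rtype, amount))
    return attributed, orphans


def summarize(attributed: List[Record], period: str = "day") -> Dict[tuple, float]:
    """Cyclic summarizing: collapse atomic records to (dn, period, type) totals."""
    fmt = "%Y-%m-%d" if period == "day" else "%Y-%m"
    totals: Dict[tuple, float] = defaultdict(float)
    for dn, at, rtype, amount in attributed:
        totals[(dn, at.strftime(fmt), rtype)] += amount
    return dict(totals)


def cost(summary: Dict[tuple, float], price_list=PRICE_LIST) -> Tuple[Dict[str, float], Set[str]]:
    """Per-user cost from the price list; unpriced types are reported, not dropped."""
    per_user: Dict[str, float] = defaultdict(float)
    unpriced: Set[str] = set()
    for (dn, _period, rtype), amount in summary.items():
        if rtype in price_list:
            per_user[dn] += amount * price_list[rtype]
        else:
            unpriced.add(rtype)
    return dict(per_user), unpriced


def view(summary: Dict[tuple, float], role: str, principal: str) -> Dict[tuple, float]:
    """Role-based access: a user sees own rows, an organization manager the
    rows of DNs in their /O= (assumed convention), the resource owner all rows."""
    if role == "resource_owner":
        return dict(summary)
    if role == "user":
        return {k: v for k, v in summary.items() if k[0] == principal}
    if role == "org_manager":
        return {k: v for k, v in summary.items() if f"/O={principal}/" in k[0]}
    raise ValueError(f"unknown role {role!r}")


def node_report() -> dict:
    """One summarizing cycle on the node over the constructed data."""
    attributed, orphans = attribute()
    summary = summarize(attributed)
    per_user, unpriced = cost(summary)
    return {"summary": summary, "cost": per_user,
            "unpriced": unpriced, "orphans": len(orphans)}


if __name__ == "__main__":
    print(node_report())
```

The orphan path is the one worth keeping in a real deployment: a record that falls into a gap in the mapping history (here, between Alice's release and Carol's lease) means either clock skew or a job that outlived its lease, and it should be surfaced to the resource owner instead of being attributed by guesswork.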
Thank you!
http://vus.psnc.pl
jankowsk@man.poznan.pl, pawelw@man.poznan.pl, meyer@man.poznan.pl