MultiSite VOs - PowerPoint PPT Presentation

1 / 65
About This Presentation
Title:

MultiSite VOs

Description:

... on Site boundary. Edge Services Framework (ES Wafers). User Workspace on WNs ... software in area that is read-only by all cmsgrid user jobs running on site/campus. ... – PowerPoint PPT presentation

Number of Views:70
Avg rating:3.0/5.0
Slides: 66
Provided by: abhis2
Category:
Tags: multisite | on | site | vos

less

Transcript and Presenter's Notes

Title: MultiSite VOs


1
Multi-Site VOs and Multi-VO Sites in Open
Science Grid
GridWorld/GGF15 October 3-6, 2005 Boston, MA,
USA Community Activity Leveraging Site
Infrastructute for Multi-Site Grids
Abhishek Singh Rana UC San Diego rana_at_fnal.gov
Frank Wuerthwein UC San Diego fkw_at_fnal.gov
2
Collaborative Effort
Technical Lead Ian Fisk, FNAL
Privilege Project
Brookhaven National Lab
USATLAS
Open Science Grid RBAC, Security and Policy
Frameworks
Fermi National Lab
USCMS
U California San Diego
PPDG Common
Virginia Tech
Technical Coordinator Dane Skow, FNAL
3
Outline
  • Concepts Goals.
  • Examples
  • Compute Element.
  • Storage Element.
  • Possible future examples
  • Dynamically provisioned environments/Workspaces.
  • VO Workspace on Site boundary.
  • Edge Services Framework (ES Wafers).
  • User Workspace on WNs
  • Resource Slices.

4
OSG Approach Concepts
  • VO-Global specification of privilege requirements
    per Role.
  • Site central mapping of Role to sites
    implementation of privilege requirements.
  • Local enforcement of privilege requirements.

5
Multi-Site VO
6
Multi-VO Site
7
A Multi-VO Multi-Site Grid
8
OSG Approach
  • VO defines Roles and associated privileges by
    specifying expected functionality.
  • E.g. cmssoft may install software in area that is
    read-only by all cmsgrid user jobs running on
    site/campus.
  • E.g. cmssvc may deploy DB cache available to all
    cmsgrid user jobs running on site/campus.
  • Site maps VO scope identities to local scope
    identities.
  • Site wide management of mapping.
  • Service level granularity of mapping.
  • Site enforces VO privilege policies within local
    scope identities.
  • Authorization !(Site-vetoed) (VO-allowed)

9
Local or Remote Client Proxy with VO Membership
Role Attributes
VO Attribute Repository
Site

Host 1
Site-wide Mapping Service
Service X
Authorization Service for Service X, Y, Z
Callout Module for X, Y
Service Y
Auxiliary Mapping Service
Auxiliary Authorization Service for Service Z
Service X
Service Z
Site-wide Assertion Service
Callout Module for Z
Service X Veto Service Y Veto Service Z Veto
Host 2
10
Local or Remote Client Proxy with VO Membership
Role Attributes
VO Attribute Repository
Site

Host 1
Site-wide Mapping Service
PEP
PDP
Service X
Authorization Service for Service X, Y, Z
Callout Module for X, Y
PDP
Service Y
Auxiliary Mapping Service
Auxiliary Authorization Service for Service Z
Service X
Service Z
Site-wide Assertion Service
Callout Module for Z
Service X Veto Service Y Veto Service Z Veto
PEP
Host 2
11
Example Compute Element
12
CE Globus and Condor
  • PRIMA and GUMS provide CE authz in OSG approach.

PRIMA authenticates. GUMS translates DN,
Membership, Role to Username. System translates
Username to site-wide UID.
13
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Site-wide Mapping Service
GUMS
Site-wide Assertion Service
SAZ
Deployed at many sites/campuses with static UIDs
as well as UID pools.
14
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Site-wide Mapping Service
CE
GUMS
Site-wide Assertion Service
SAZ
Deployed at many sites/campuses with static UIDs
as well as UID pools.
15
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
PRIMA C SAML libraries
CE
GUMS
Site-wide Assertion Service
SAZ
Deployed at many sites/campuses with static UIDs
as well as UID pools.
16
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
PRIMA C SAML libraries
CE
GUMS
PEP
Site-wide Assertion Service
SAZ
Deployed at many sites/campuses with static UIDs
as well as UID pools.
17
Example Storage Element
18
SE SRM-dCache
  • Different doors for different authz methods.
  • Same underlying local authz mechanism.
  • Can be mapped to sites UID/GID domain.
  • Or be restricted to SRM-dCache only.
  • Examples
  • USCMS-VO at FNAL Site UID domain.
  • CDF-VO at FNAL Site Kerberos domain.

19
SE SRM-dCache
  • gPLAZMA extends SRM-dCache separation of SE authz
    and CE authz to OSG approach.

gPLAZMA authenticates. Storage Authz Service
contacts GUMS and gPLAZMA Storage Metadata
Service. GUMS translates DN, Membership, Role
to Username. System optionally translates
Username to site-wide UID, GID. gPLAZMA Storage
Metadata Service translates Username to
Storage-privilege Set. Storage-privilege Set is
UID, GID, permitted storage area, R/W
permissions. Storage-privilege Set is User-level
ACL governed by DN, Membership, Role .
20
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Site-wide Mapping Service
CE
GUMS
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
Site-wide Assertion Service
SE
SAZ
21
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Site-wide Mapping Service
CE
GUMS
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
Site-wide Assertion Service
SE
SAZ
22
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
CE
PRIMA C SAML libraries
GUMS
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
Site-wide Assertion Service
SE
SAZ
23
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
CE
PRIMA C SAML libraries
GUMS
PEP
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
Site-wide Assertion Service
SE
SAZ
24
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
CE
PRIMA C SAML libraries
GUMS
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
Site-wide Assertion Service
SE
SAZ
25
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
PRIMA C SAML libraries
CE
GUMS
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
SRM-GridFTP gPLAZMA callout
Site-wide Assertion Service
SE
PRIMA Java SAML
gPLAZMA
SAZ
gPLAZMALite Authorization Services suite
26
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
PRIMA C SAML libraries
CE
GUMS
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
SRM-GridFTP gPLAZMA callout
Site-wide Assertion Service
SE
PRIMA Java SAML
gPLAZMA
SAZ
PEP
gPLAZMALite Authorization Services suite
27
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
PRIMA C SAML libraries
CE
GUMS
OGSA AuthZ interface
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
SRM-GridFTP gPLAZMA callout
Site-wide Assertion Service
SE
PRIMA Java SAML
gPLAZMA
SAZ
gPLAZMALite Authorization Services suite
28
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
VOMS Virtual Organization Membership Service
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
GUMS Grid User Management System
PRIMA C SAML libraries
CE
GUMS
PRIMA A System for Privilege Management and
Authorization in Grids
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
gPLAZMA grid-aware Pluggable Authorization Managem
ent System
SRM-GridFTP gPLAZMA callout
SAZ Site Authorization Service
Site-wide Assertion Service
SE
PRIMA Java SAML
gPLAZMA
SAZ
gPLAZMALite Authorization Services suite
29
Local or Remote Client Proxy with VO Membership
Role Attributes
VOMS
VOMS INFN teams, Italy
Site

Globus Gatekeeper PRIMA callout
Site-wide Mapping Service
GUMS Gabriele Carcassi, BNL
PRIMA C SAML libraries
CE
GUMS
PRIMA Markus Lorch, VT
PRIMA Authorization Service
Auxiliary Mapping Service
gPLAZMA Storage metadata
gPLAZMA Abhishek Singh Rana, UCSD Timur
Perelmutov, FNAL
SRM-GridFTP gPLAZMA callout
SAZ Vijay Sekhri, FNAL John Weigand, FNAL
Site-wide Assertion Service
SE
PRIMA Java SAML
gPLAZMA
SAZ
SRM-dCache DESY/FNAL teams
gPLAZMALite Authorization Services suite
30
SE ACLs VO versus Site Control
  • VO control of ACLs.
  • All files are owned by VO.
  • Simple solutions.
  • VO PDP, separated from Resource.
  • Site control of ACLs.
  • All files are owned by DN, Membership, Role of
    a User.
  • Site SE enforces global (VO) and local (site)
    policies.
  • Global local policies are used together to aid
    in isolation of privileges, grant privacy to
    user, and perform fine-grained security.
  • Demands sophisticated solutions.
  • Site PDP, closer to Resource.

31
Possible Future ExamplesDynamic Virtual
Environments/Workspaces 1. VO Workspace on Site
boundary - Edge Services Framework (ES
Wafers).2. User Workspace on WNs (Resource
Slices).
32
No ESF - Phase 0
SE
CE
Site
33
No ESF - Phase 0
Static deployment
SE
CE
CMS
ATLAS
CDF
Site
34
ESF?
SE
CE
Site
35
ESF - Phase 1
Snapshot of ES Wafers implemented as Virtual
Workspaces
ESF
ATLAS
CMS
SE
CE
CDF
Guest VO
Site
36
An attempt at ESF Terminology
  • Edge Services Wafer (ES Wafer)
  • A specific instance of a dynamically-created VM
    (workspace) is called an Edge Services Wafer.
  • An ES Wafer can have several Edge Services
    running.
  • A VO can have multiple ES Wafers up at a Site.
  • Edge Services Slot (ES Slot)
  • An ES Slot has hardware characteristics specified
    by the Site Admin.
  • An ES Slot can be leased by a VO to host an ES
    Wafer.
  • Edge Service (ES)
  • A VO-specific service instantiated by a VO in a
    Wafer.
  • Workspace Service (WS)
  • Service at a Site that allows VOs to instantiate
    ES Wafers in ES Slots.

37
ESF - Phase 1
GT4 Workspace Service VMM
Dynamically deployed ES Wafers for each VO
ESF
Wafer images stored in SE
ATLAS
CMS
SE
CE
CDF
Guest VO
Site
Compute nodes and Storage nodes
38
ESF - Phase 1
Globus Workspace Service Kate Keahey,
ANL/Globus Timothy Freeman, ANL/Globus
GT4 Workspace Service VMM
Dynamically deployed ES Wafers for each VO
ESF
Xen VMM Cambridge University, UK XenSource Inc.
Edge Services Suite CMS and ATLAS Collaborations
Wafer images stored in SE
ATLAS
CMS
SE
CE
CDF
Guest VO
Site
Compute nodes and Storage nodes
39
User jobs at Compute nodes using ES Wafers for
VO Edge Services
ESF
ATLAS
CMS
SE
CE
CDF
Guest VO
Site
40
VO Admin transporting/storing ES image to a
remote Site....Deploying ES using image stored
in Sites local repository
41
VO Workspaces (Edge Services)
  • Concepts
  • TID (Transactional Identity) DN, Membership
    Profile, Set of Roles
  • Thus, TID is VO VO-Site agreement specific.
  • TID functions as a tag for VO Workspace
    characteristics.
  • Site central mapping service translates TID into
    VO Workspace characteristics.
  • ESF provisions VO Workspace according to
    characteristics.

42
ESF - Phase 1
RoleVO Admin
CMS
ESF
SE
CE
Site
43
ESF - Phase 1
RoleVO Admin
CMS
ESF
PEP
SE
CE
Site
44
ESF - Phase 1
RoleVO Admin
CMS
ESF
SE
CE
Site
45
ESF - Phase 1
RoleVO Admin
ESF
SE
CE
Site
46
ESF - Phase 1
RoleVO Admin
PEP
ESF
SE
CE
Site
47
ESF - Phase 1
RoleVO Admin
ESF
SE
CE
Site
48
ESF - Phase 1
RoleVO Admin
ESF
PEP
SE
CE
Site
49
ESF - Phase 1
RoleVO Admin
ESF
CMS
SE
CE
Site
50
ESF - Phase 1
RoleVO Admin
ESF
CMS
SE
CE
Site
51
ESF - Phase 1
RoleVO Admin
ESF
CMS
SE
CE
Site
52
ESF - Phase 1
RoleVO Admin
ESF
CMS
SE
CE
ES Wafer (Multiple VO Services at a Sites Edge)
Site
53
A VO User using ESF....Executing at a User
Workspace
54
User Workspace
  • User Workspace
  • Slicing of a Resource, on demand.
  • PEP closer to such finer slices of a Resource.
  • Customized (possibly transient) slices.
  • Isolation of environment of such a slice.
  • A resource slice and VO/User environment make a
    User Workspace.

55
User Workspace
  • Concepts
  • TID (Transactional Identity) DN, Membership
    Profile, Set of Roles
  • Thus, TID is VO application type specific.
  • TID functions as a tag for Workspace
    characteristics.
  • Site central mapping service translates TID into
    User Workspace characteristics.
  • Compute node local service provisions User
    Workspace according to characteristics.

56
User Workspace
RoleVO User
ESF
CMS
SE
CE
Site
57
User Workspace
RoleVO User
ESF
CMS
PEP
SE
CE
Site
58
User Workspace
RoleVO User
ESF
CMS
SE
CE
Site
59
User Workspace
RoleVO User
ESF
CMS
SE
CE
PEP
Site
60
User Workspace
RoleVO User
ESF
CMS
SE
CE
Resource Slice (User execution environment at a
WN)
Site
61
User Workspace
RoleVO User
ESF
CMS
SE
CE
Site
62
User Workspace
RoleVO User
ESF
CMS
SE
CE
PEP
Site
63
User Workspace
RoleVO User
ESF
CMS
SE
CE
Site
64
Summary of OSG Approach
  • VO-Global specification of privilege requirements
    per role.
  • Means to do so are lacking today!
  • Making progress.
  • Site central mapping of role to implementation of
    privilege requirements.
  • Simple solutions in production usage.
  • Local enforcement of privilege requirements.
  • Simple solutions in production usage.
  • Moving forward to designing more advanced
    solutions.

65
Thank You.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "MultiSite VOs" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!