Grid Dynamics

1
Grid Dynamics
Ian Foster Argonne National Laboratory University
of Chicago Univa Corporation
2
Acknowledgements

• Carl Kesselman, with whom I developed many ideas
  ( slides)
• Bill Allcock, Charlie Catlett, Kate Keahey,
  Jennifer Schopf, Frank Siebenlist, Mike Wilde _at_
  ANL/UC
• Ann Chervenak, Ewa Deelman, Laura Pearlman _at_
  USC/ISI
• Karl Czajkowski, Steve Tuecke _at_ Univa
• Numerous other fine colleagues in NESC, EGEE,
  OSG, TeraGrid, etc.
• NSF DOE for research support

3
What is the Grid?

• Resource sharing coordinated problem solving
  in dynamic, multi-institutional virtual
  organizations

When the network is as fast as the computer's
internal links, the machine disintegrates across
the net into a set of special purpose appliances
(George Gilder)
The Anatomy of the Grid, Foster, Kesselman,
Tuecke, 2001
4
System-Level Problem
Grid technology
5
Grid-enabled Business Intelligence Application
Provision New Worker Process
ManagedPool of Shared Resources
BI server applications started and
decommissioned by a Grid-enabled dispatcher
6
Grid DynamicsVision vs. Reality

• Vision On-demand access to computing
• New communities form easily
• On-demand resources from providers
• Adapt easily to new missions, requirements
• Reality Much manual configuration, e.g.
• Manually deployed services on dedicated hardware
• Manually maintained access control lists
• Sysadmin-maintained allocation policies
• Human-mediated resource reservation

7
Grid DynamicsA Two-Dimensional Problem
Function
Resource

• Decompose across network
• Clients integrate dynamically
• Select compose services
• Select best of breed providers
• Publish result as new services
• Decouple resource service providers

8
Service-Oriented SystemsThe Role of Grid
Infrastructure
Users

• Service-oriented applications
• Wrap applications as services
• Compose applicationsinto workflows

Composition
Workflows
Invocation
ApplnService
ApplnService

• Service-oriented Gridinfrastructure
• Provision physicalresources to support
  application workloads

The Many Faces of IT as Service, ACM Queue,
Foster, Tuecke, 2005
9
Grid DynamicsForming Operating Communities

• Define membership roles enforce laws
  community standards
• I.e., policy for service-oriented architecture
• Addressing dynamic membership policy
• Build, buy, operate, share infrastructure
• Decouple consumer provider
• For data, programs, services, computing, storage,
  instruments
• Address dynamics of community demand

10
Grid DynamicsForming Operating Communities

• Define membership roles enforce laws
  community standards
• I.e., policy for service-oriented architecture
• Addressing dynamic membership policy
• Build, buy, operate, share infrastructure
• Decouple consumer provider
• For data, programs, services, computing, storage,
  instruments
• Address dynamics of community demand

11
Defining Community Membership and Laws

• Identify VO participants and roles
• For people and services
• Specify and control actions of members
• Empower members ? delegation
• Enforce restrictions ? federate policy

Effective Access
Access granted by community to user
Policy of site to community
Site admission-control policies
12
Policy Challenges in VOs

• Restrict VO operations based on requestor
  characteristics
• VO dynamics create challenges
• Intra-VO
• VO-specific roles
• Mechanisms to specify/enforce VO-level policy
• Inter-VO
• Different VOs define different entities/roles
• Different sorts of policy need to be enforced
• Access, usage, accounting, audit,

13
Evolution of Grid Security Policy

• 1) Grid security infrastructure
• Public key authentication delegation
• Access control lists (gridmap files)
• ? Limited set of policies can be expressed
• 2) Utilities to simplify operational use, e.g.
• MyProxy online credential repository
• VOMS, ACL/gridmap management
• ? Broader set of policies, but still ad-hoc
• 3) General, standards-based framework for
  authorization attribute management

14
Core Security Mechanisms

• Attribute Assertions
• C asserts that S has attribute A with value V
• Authentication and digital signature
• Allows signer to assert attributes
• Delegation
• C asserts that S can perform O on behalf of C
• Attribute mapping
• A1, A2 Anvo1 ? A1, A2 Amvo2
• Policy
• Entity with attributes A asserted by C may
  perform operation O on resource R

15
Security Services for VO Policy

• Attribute Authority (ATA)
• Issue signed attribute assertions (incl.
  identity, delegation mapping)
• Authorization Authority (AZA)
• Decisions based on assertions policy

VOUser A
Delegation Assertion User B can use Service A
Resource Admin Attribute
VO AZA
VO ATA
VO-A Attr ? VO-B Attr
Mapping ATA
VO Member Attribute
VOUser B
VO Member Attribute
VO A Service
VO B Service
16
Trust in VOs

• Do I believe an attribute assertion?
• Used to evaluate cost vs. benefit of performing
  an operation
• E.g., perform untrusted operation with extra
  auditing
• Look at attributes of assertion signer
• Rooting trust
• Externally recognized source, e.g., CA
• Dynamically via VO structure ? delegation
• Dynamically via alternative sources, e.g.,
  reputation

17
Closing the LoopGT4 Security Toolkit
Users
MyProxy
KCA
Shib
18
Grid DynamicsForming Operating Communities

• Define membership roles enforce laws
  community standards
• I.e., policy for service-oriented architecture
• Addressing dynamics of membership policy
• Build, buy, operate, share infrastructure
• Decouple consumer provider
• For data, programs, services, computing, storage,
  instruments
• Address dynamics of community demand

19
Bootstrapping a VOby Assembling Services

• 1) Integrate services from other sources
• Virtualize external services as VO services
• 2) Coordinate compose
• Create new services from existing ones

Community
Content
Services Provider
Services
Capacity Provider
Capacity
Service-Oriented Science, Science, Foster, 2005
20
Providing VO Services(1) Integration from Other
Sources

• Negotiate servicelevel agreements
• Delegate and deploy capabilities/services
• Provision to deliver defined capability
• Configure environment
• Host layered functions

21
Virtualizing Existing Services into a VO

• Establish service agreement with service
• E.g., WS-Agreement
• Delegate use to VO user

User B
User A
VO User
VO Admin
Existing Services
22
Deploying New Services
Policy
Allocate/provision Configure Initiate
activity Monitor activity Control activity
Activity
Client
Environment
Resource provider
Interface
WSRF (or WS-Transfer/WS-Man, etc.), Globus GRAM,
Virtual Workspaces
23
Activities Can Be Nested
Client
Policy
Client

Client


Environment

Resource provider
Interface
24
Embedded Resource ManagementE.g., EGEE OSG
Client-side
VO Admin
Deleg
Deleg
GRAM
GRAM
Cluster Resource Manager
Headnode Resource Manager
VOUser
VOUser
Monitoring and control
VO Job
Deleg
GRAM
Cluster Resource Manager
Other Services
VO Scheduler
. . .

• VO admin delegates credentials to be used by
  downstream VO services.
• VO admin starts the required services.
• VO jobs comes in directly from the upstream VO
  Users
• VO job gets forwarded to the appropriate resource
  using the VO credentials
• Computational job started for VO

VO Job
25
Virtual Workspaces(Kate Keahey et al.)

• GT4 service for the creation, monitoring,
  management of virtual workspaces
• High-level workspace description
• WSRF mechanisms to monitor manage
• Multiple implementations
• Dynamic accounts
• Xen virtual machines
• (VMware virtual machines)
• Virtual clusters as a higher-level construct

26
How do Grids and VMs Play Together?
VM Factory
create new VM image
VM EPR
Create VM image
VM Repository
inspect manage
Client

Resource
VM Manager
VM
start program
27
Virtual OSG Clusters
OSG
Virtual Clusters for Grid Communities, Zhang
et al., CCGrid 2006
28
Providing VO Services(2) Coordination
Composition

• Take a set of provisioned services
• compose to synthesize new behaviors
• This is traditional service composition
• But must also be concerned with emergent
  behaviors, autonomous interactions
• See the work of the agent PlanetLab communities

Brain vs. Brawn Why Grids and Agents Need Each
Other," Foster, Kesselman, Jennings, 2004.
29
The Globus-BasedLIGO Data Grid
LIGO Gravitational Wave Observatory
Birmingham
Replicating gt1 Terabyte/day to 8 sites gt40
million replicas so far MTBF 1 month
www.globus.org/solutions
30
Data Replication Service

• Pull missing files to a storage system

Data Location
Data Movement
GridFTP
Local ReplicaCatalog
Replica LocationIndex
Reliable File Transfer Service
Local Replica Catalog
GridFTP
Replica LocationIndex
Data Replication
List of required Files
Data Replication Service
Design and Implementation of a Data Replication
Service Based on the Lightweight Data Replicator
System, Chervenak et al., 2005
31
Composing Resources Composing Services
GridFTP
LRC
GridFTP
Deploy service
DRS
Deploy container
VO Services
JVM
Deploy virtual machine
VM
VM
Procure hardware
Physical machine
State exposed access uniformly at all
levels Provisioning, management, and monitoring
at all levels
32
Dynamic Service Deployment(Argonne China Grid)

• Interface
• Upload-push
• Upload-pull
• Deploy
• Undeploy
• Reload

HAND Highly Available Dynamic Deployment
Infrastructure for GT4, Li Qi et al., 2006
33
Decomposition EnablesSeparation of Concerns
Roles
S1
User
S2
D
S3
34
Community Commons

• What capabilities are available to VO?
• Membership changes, state changes
• Require mechanisms to aggregate and update VO
  information

MORE
The age of information
A
A
A
VO-specific indexes
S
Information
FRESH
S
S
S
35
GT4 Monitoring and Discovery Services(Uniform
Treatment of State is Wonderful!)
Clients (e.g., WebMDS)
GT4 Container
WS-ServiceGroup
MDS-Index
Registration WSRF/WSN Access
GT4 Cont.
GT4 Container
MDS-Index
MDS-Index
RFT
36
System-Level Problem
Grid technology
37
Grid-enabled Business Intelligence Application
Provision New Worker Process
ManagedPool of Shared Resources
BI server applications started and
decommissioned by a Grid-enabled dispatcher
38
The Integrating Role of Grid Infrastructure
39
Summary Grid Dynamics and You

• Grid dynamic behaviors environments
• Dynamic communities activities
• Decoupling of service consumption from service
  production
• Dynamic provisioning of services
• We have tools to realize dynamic scenarios
• Uniform state representation access
• Flexible security policy framework
• Virtual machines, dynamic services, other
  building blocks
• We now need much experimentation

40
For More Information

• Globus Alliance
• www.globus.org
• Background
• www.mcs.anl.gov/foster
• Come to GT4 workshop,830-1200 Wednesday
• Overview of features
• User experiences
• Future directions

2nd Edition www.mkp.com/grid2
41
Available in High-Quality Open Source Software
Globus Toolkit v4 www.globus.org
Data Replication
Replica Location
Grid Telecontrol Protocol
CredentialMgmt
Data Access Integration
Community Scheduling Framework
Delegation
WebMDS
Reliable File Transfer
CommunityAuthorization
Trigger
Workspace Management
GridFTP
Authentication Authorization
Grid Resource Allocation Management
Index
Data Mgmt
Security
CommonRuntime
Execution Mgmt
Info Services
I. Foster, Globus Toolkit Version 4 Software
for Service-Oriented Systems, LNCS 3779, 2-13,
2005
42
GT4 Web ServicesUniform State, Security, Mgmt
Custom Services
Custom WSRF Services
GT4WSRF Web Services
Registry Admin
GT4 Container(e.g., Apache Axis)
WS-A, WSRF, WS-Notification
WSDL, SOAP, WS-Security
43
http//dev.globus.org
GlobDev
Guidelines(Apache) Infrastructure(CVS,
email,bugzilla, Wiki) Projects Include