GAMA: Grid Account Management Architecture
Kurt Mueller
Grid Middleware Development Group, San Diego Supercomputer Center, University of California, San Diego
Portals and Portlets 2006 - July 17, 2006

GAMA 1 in a nutshell
• A system for creating and managing Grid accounts for portal and application users
• Provides a dedicated server installation consisting of Grid software (CACL, MyProxy, CAS) wrapped in web services
• Provides management portlets for easy integration into the GridSphere portal framework
  – User account request form
  – Administrative account management console
  – User login through GAMA, which retrieves a GSI credential

GAMA 1 architecture
(Diagram.) Portal server 1 and portal server 2, each a servlet container running GridSphere with the gridportlets DB and a Java keystore, and stand-alone applications all call the GAMA server, where an AXIS web services wrapper fronts the gama package over CACL, MyProxy, CAS, … in its own servlet container with its own Java keystore. Operations shown: create user, import user, retrieve credential.

GAMA 1 ideal environment
• New portal/Grid project
• No existing users/credentials
• Single administrator
• Globus Grid
• GridSphere portal
• Authorization through grid-mapfile

GAMA 1 weaknesses
• Hard to incorporate existing user accounts and Grid credentials
• Hard to use existing infrastructure
  – MyProxy server
  – Other CA packages
• Hard to expand core GAMA functions
  – SRB account creation
  – Authorization (CAS not so useful?)
  – Unix accounts
  – grid-mapfile updates

Back to the drawing board…

GAMA 2 features
• Implementation agnostic
• Extensible through a plug-in architecture
• Workflow system for multi-step operations
• Supports VOs with many sites and independent site administrators
• Provides cluster account management

Implementation agnostic
• No explicit reliance on MyProxy, CACL, CAS.
  Accomplished through a plug-in architecture on the GAMA server: use whatever CA you want, whatever credential storage, whatever authorization service, etc.
• GAMA 2 includes CACL, Naregi and MyProxy plugins out of the box
• May also include SRB account management and other plugins

Extensible
• A GAMA admin can write task plugins to accomplish novel tasks:
  – Interface with existing infrastructure (authentication/authorization mechanisms, databases, CA packages, etc.)
  – Manage Unix / Windows / physical accounts
  – etc.

Extensible
All GAMA tasks extend the GAMATask class:

    abstract public class GAMATask {
        …
        abstract public void doTask() throws GAMATaskException;
        // Default no-op rollback: tasks with nothing to undo (e.g. an authentication)
        // keep it; tasks with side effects (account creation) override it.
        public void rollbackTask() throws GAMATaskRollbackException {}
        …
    }

Extensible - MyProxyAuthNTask.xml

    <task-def>
      <task-param>
        <param-name>username</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
      </task-param>
      <task-param>
        <param-name>password</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
        <!-- nopersist: the password is consumed by the task and never written to the persisted parameter record -->
        <param-nopersist>true</param-nopersist>
      </task-param>
      …
      <task-output>
        <output-name>credentialobject</output-name>
        <output-class>org.globus.gsi.GlobusCredential</output-class>
      </task-output>
      <task-output>
        <output-name>credentialstring</output-name>
        <output-class>java.lang.String</output-class>
      </task-output>
    </task-def>

Extensible - MyProxyAuthNTask.java

    public class MyProxyAuthNTask extends GAMATask {
        public void doTask() throws GAMATaskException {
            String username = (String) getParamObjectByName("username");
            String passwd = (String) getParamObjectByName("password");
            …
            cred = (GSSCredential) myproxy.get(username, passwd, myProxyLifetime.intValue());
            …
            // The object stored here must be of the output-class declared in the task-def
            // (org.globus.gsi.GlobusCredential above), so keep the two in agreement.
            getOutputByName("credentialobject").setOutputObject(cred);
            getOutputByName("credentialstring").setOutputObject(cred.toString());
        }
    }

Workflow system
• Server operations are customizable and expandable. A workflow system executes an arbitrary sequence of tasks for any operation, such as "login":
  – GAMA 1 login does one thing: it tries to retrieve a credential from MyProxy.
  – GAMA 2 login could do a sequence of things: retrieve a credential from MyProxy, open an SRB socket connection, write a message to a logfile, etc.

Workflow system - MyProxyAuthNSequence.xml

    <sequence-def>
      <sequence-description>GAMA's default MyProxy authentication sequence</sequence-description>
      <sequence-type>authenticate</sequence-type>
      <sequence-type-default>true</sequence-type-default>
      <sequence-rollbackallonfailure>false</sequence-rollbackallonfailure>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.auth.authn.MyProxyAuthNTask</item-class>
        <item-class-config-id>0</item-class-config-id>
        <item-description>simple MyProxy authentication with username and password</item-description>
        <item-rollbackonfailure>false</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>

Workflow system - NewUserSetupSequence.xml

    <sequence-def>
      <sequence-description>GAMA's default CACL and MyProxy new user sequence</sequence-description>
      …
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.ca.newuser.CACLNewUserTask</item-class>
        <item-description>Create a new user in CACL</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.myproxy.newuser.MyProxyLoadCredentialsFromCATask</item-class>
        <item-description>Load a user's credentials from CA into MyProxy</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>

GAMA 2 architecture
(Diagram.) The GridSphere portal (login portlet, account request portlet, account admin portlet), the GEMSTONE and Kepler login web service clients and the account admin GUI (GridSphere portal) all call the GAMA 2 server. Its task engine runs AuthNSequence for "login user" and NewUserSequence for "create user" against CACL, MyProxy, CAS, SRB, ….

Multi-site support
• The GAMA 2 server supports multiple sites, each with its own local site administrator
• A site admin logs in to the GAMA server and manages accounts for just their site; other sites' users are not visible. The primary GAMA admin can manage all users.
• GAMA can be configured to perform different sequences of actions for different sites:
  – Site A -> login sequence A
  – Site B -> login sequence B

Cluster account management
• GAMA knows about resources such as clusters
  – A resource belongs to a site
• A site admin can specify access permissions for each user on each resource in their site
• Resources can poll the GAMA server for the list of valid users, and manage individual user accounts and/or grid-mapfile entries accordingly.
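The task-def and sequence-def documents on the Extensible and Workflow system slides above, together with the key-value web service inputs described later in the deck, as an added example: this is illustrative Python written for this page, not GAMA's own Java. It validates a HashMap-style input map against a task-def (required and nopersist parameters), then runs a sequence honouring the item and sequence flags. The flag semantics are my reading of the XML, not something the slides spell out: item-rollbackonfailure undoes the item that threw, item-stopsequenceonsuccess and item-stopsequenceonfailure end the sequence after that item, and sequence-rollbackallonfailure unwinds every completed item, newest first, when the sequence ends in failure. The CA and MyProxy back ends, the shortened class names and the sample inputs are constructed stand-ins.

```python
# Added illustrative model (not GAMA's code): task-def validation of key-value
# inputs (required / nopersist) and a sequence engine with rollback flags.
import xml.etree.ElementTree as ET

class GAMATaskException(Exception):
    """Thrown by a task's do_task(), like GAMATaskException on the slides."""

# Constructed task-def after MyProxyAuthNTask.xml: password is nopersist.
NEW_USER_TASK_DEF = """<task-def>
  <task-param><param-name>username</param-name><param-required>true</param-required></task-param>
  <task-param><param-name>password</param-name><param-required>true</param-required>
    <param-nopersist>true</param-nopersist></task-param>
</task-def>"""

# Constructed sequence after NewUserSetupSequence.xml (class names shortened).
NEW_USER_SEQUENCE = """<sequence-def>
  <sequence-rollbackallonfailure>true</sequence-rollbackallonfailure>
  <sequence-item><item-class>CACLNewUserTask</item-class>
    <item-rollbackonfailure>true</item-rollbackonfailure>
    <item-stopsequenceonfailure>true</item-stopsequenceonfailure></sequence-item>
  <sequence-item><item-class>MyProxyLoadCredentialsFromCATask</item-class>
    <item-rollbackonfailure>true</item-rollbackonfailure>
    <item-stopsequenceonfailure>true</item-stopsequenceonfailure></sequence-item>
</sequence-def>"""

def _flag(elem, tag):
    """Boolean child element; an absent element counts as false."""
    node = elem.find(tag)
    return node is not None and (node.text or "").strip().lower() == "true"

def parse_task_def(xml_text):
    """Return {param-name: (required, nopersist)} from a task-def document."""
    return {p.findtext("param-name").strip(): (_flag(p, "param-required"), _flag(p, "param-nopersist"))
            for p in ET.fromstring(xml_text).findall("task-param")}

def check_inputs(task_def, inputs):
    """Validate a HashMap-style input map against the task-def; return
    (params, persistable) where persistable omits every nopersist value."""
    unknown = sorted(set(inputs) - set(task_def))
    if unknown:
        raise GAMATaskException("unexpected params: %s" % unknown)
    missing = [n for n, (req, _) in task_def.items() if req and n not in inputs]
    if missing:
        raise GAMATaskException("missing required params: %s" % missing)
    return dict(inputs), {n: v for n, v in inputs.items() if not task_def[n][1]}

def new_backend(myproxy_down=False):
    """Constructed stand-in for the CA and MyProxy stores behind the tasks."""
    return {"ca": {}, "myproxy": {}, "myproxy_down": myproxy_down}

def cacl_new_user(be, p):
    if p["username"] in be["ca"]:
        raise GAMATaskException("user already exists in CA")
    be["ca"][p["username"]] = "cert-for-" + p["username"]

def myproxy_load(be, p):
    if be["myproxy_down"]:
        raise GAMATaskException("MyProxy unreachable")
    be["myproxy"][p["username"]] = be["ca"][p["username"]]

# item-class -> (do_task, rollback_task); the rollbacks are idempotent.
TASKS = {
    "CACLNewUserTask": (cacl_new_user, lambda be, p: be["ca"].pop(p["username"], None)),
    "MyProxyLoadCredentialsFromCATask": (myproxy_load, lambda be, p: be["myproxy"].pop(p["username"], None)),
}

def run_sequence(seq_xml, backend, params, tasks=TASKS):
    """Run the items in order, honouring the item and sequence flags (my
    reading of the slides, see the lead-in).  Returns (ok, log)."""
    root = ET.fromstring(seq_xml)
    done, log, ok = [], [], True
    for item in root.findall("sequence-item"):
        cls = item.findtext("item-class").strip()
        do, undo = tasks[cls]
        try:
            do(backend, params)
            done.append((cls, undo))
            log.append((cls, "ok"))
            if _flag(item, "item-stopsequenceonsuccess"):
                break
        except GAMATaskException as e:
            log.append((cls, "failed: %s" % e))
            if _flag(item, "item-rollbackonfailure"):
                undo(backend, params)            # undo the item that threw
                log.append((cls, "rolled back"))
            if _flag(item, "item-stopsequenceonfailure"):
                ok = False
                break
    if not ok and _flag(root, "sequence-rollbackallonfailure"):
        for cls, undo in reversed(done):         # unwind completed items, newest first
            undo(backend, params)
            log.append((cls, "rolled back"))
    return ok, log

def request_new_user(backend, inputs):
    """Web-service style entry point: key-value map in, key-value map out;
    the returned record (what would be persisted) carries no nopersist value."""
    params, persistable = check_inputs(parse_task_def(NEW_USER_TASK_DEF), inputs)
    ok, log = run_sequence(NEW_USER_SEQUENCE, backend, params)
    return {"status": "ok" if ok else "failed", "log": log, "record": persistable}
```

Two things are worth checking against any real deployment of this design: the password never appears in the returned record, which is what param-nopersist exists for, and a MyProxy outage after CACLNewUserTask has succeeded leaves no orphaned CA user because rollback-all unwinds it. An authentication sequence such as MyProxyAuthNSequence sets both rollback flags to false because a credential retrieval has nothing to undo.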
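The rules on the Multi-site support and Cluster account management slides above, as an added example (illustrative Python written for this page, not GAMA code): a directory in which a site admin can act only within their own site while the primary admin sees everything, and a resource that polls for its valid users and rewrites its grid-mapfile from the answer. The names GamaDirectory, add_user_to_resource, get_resource_users and sync_gridmap, the site names and the DNs are assumptions made for the example; the grid-mapfile format is the usual Globus one, a double-quoted DN followed by the local account name.

```python
# Added illustrative model (not GAMA's code) of the multi-site authorization
# rules and the resource-side grid-mapfile sync described on the slides.
import re

class Forbidden(Exception):
    """An admin acted outside the site they are allowed to manage."""

ACCOUNT_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # conservative Unix account name

class GamaDirectory:
    """Sites own users, admins and resources; a site admin sees only their
    own site, the primary admin sees everything."""
    def __init__(self, primary_admins):
        self.primary = set(primary_admins)
        self.sites = {}       # site -> {"admins": set, "users": {name: dn}}
        self.resources = {}   # resource -> {"site": site, "users": {name: account}}

    def _require_site_admin(self, actor, site):
        if site not in self.sites:
            raise KeyError(site)
        if actor not in self.primary and actor not in self.sites[site]["admins"]:
            raise Forbidden("%s may not manage site %s" % (actor, site))

    def create_site(self, actor, site, admins=()):
        if actor not in self.primary:
            raise Forbidden("only the primary admin creates sites")
        self.sites[site] = {"admins": set(admins), "users": {}}

    def add_user(self, actor, site, username, dn):
        self._require_site_admin(actor, site)
        # A quote inside a DN would break the mapfile line into two entries.
        if not ACCOUNT_RE.match(username) or '"' in dn:
            raise ValueError("bad username or DN")
        self.sites[site]["users"][username] = dn

    def add_resource(self, actor, site, resource):
        self._require_site_admin(actor, site)
        self.resources[resource] = {"site": site, "users": {}}

    def add_user_to_resource(self, actor, resource, username, account=None):
        site = self.resources[resource]["site"]
        self._require_site_admin(actor, site)
        if username not in self.sites[site]["users"]:   # users of other sites are invisible here
            raise Forbidden("%s is not a user of site %s" % (username, site))
        account = account or username
        if not ACCOUNT_RE.match(account):
            raise ValueError("bad local account name")
        self.resources[resource]["users"][username] = account

    def remove_user_from_resource(self, actor, resource, username):
        self._require_site_admin(actor, self.resources[resource]["site"])
        self.resources[resource]["users"].pop(username, None)

    def list_users(self, actor, site):
        self._require_site_admin(actor, site)
        return sorted(self.sites[site]["users"])

    def get_resource_users(self, resource):
        """What a resource polls for: {DN: local account} for its valid users."""
        r = self.resources[resource]
        users = self.sites[r["site"]]["users"]
        return {users[name]: acct for name, acct in r["users"].items()}

def parse_gridmap(text):
    """Parse '"DN" account' lines; comment and blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError("malformed grid-mapfile line: %r" % line)
        dn, _, acct = line[1:].partition('"')
        entries[dn] = acct.split()[0]
    return entries

def sync_gridmap(current_text, desired):
    """Rewrite a grid-mapfile so it matches the polled user list, keeping the
    comment lines.  Returns (new_text, added_or_remapped_dns, removed_dns)."""
    current = parse_gridmap(current_text)
    added = sorted(dn for dn in desired if current.get(dn) != desired[dn])
    removed = sorted(dn for dn in current if dn not in desired)
    comments = [l for l in current_text.splitlines() if l.strip().startswith("#")]
    body = ['"%s" %s' % (dn, desired[dn]) for dn in sorted(desired)]
    return "\n".join(comments + body) + "\n", added, removed
```

The sync is idempotent and removes entries for users no longer on the polled list, since revocation is the half of account management that hand-edited mapfiles tend to miss. It also refuses DNs containing a double quote and account names outside a conservative character set, because both fields are parsed by position in the mapfile and a crafted value could otherwise smuggle in a second mapping.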
• Provides a critical step in cluster management: Rocks for OS/software install, GAMA for users

GAMA 2 web services
• Provide a simple API that duplicates the GAMA 1 API:
    authenticateUser()
    authorizeUser()
    requestNewUser()
    …
• Plus new methods for site/resource management:
    createSite()
    addNewResource()
    getResourceUsers()
    addUserToResource()
    …

GAMA 2 web services
• All web services take as input a set of key-value pairs and produce as output another set of key-value pairs
• Allows flexibility for task/sequence writers, at the expense of explicitness:
    String authenticateUser(String username, String password, String lifetime) {…}
  vs.
    HashMap authenticateUser(HashMap inputs) {…}
  – The trade-off: a HashMap signature cannot be checked by the compiler, so the server must validate the key set against the task-def (required parameters, parameter classes) before it hands the map to a sequence.

GAMA server admin GUI demo

GAMA 2.0: Steps to completion
• Finish tying the web service interface in to the task engine
• Complete the administrative GUI
  – Group management
  – Task and sequence management
• Refactor the account request and login portlets
• Provide client tools for cluster user management
• Construct a server Rocks roll with Naregi, MyProxy and GAMA

GAMA: the future
• Explore authentication technologies
  – CAS still useful?
  – Shibboleth / GridShib
  – etc.
• More complete end-to-end user management:
  – grid-mapfile updates on end resources, for instance
• Synchronization / cooperation between multiple GAMA servers across VOs

References
• GAMA: http://grid-devel.sdsc.edu/gama
• GridSphere: http://www.gridsphere.org
• CACL: http://www.sdsc.edu/CA
• Naregi CA: https://www.naregi.org/ca
• MyProxy: http://grid.ncsa.uiuc.edu/myproxy
• CAS: http://www.globus.org/security/CAS
• GEON project: http://www.geongrid.org
• Telescience project: http://telescience.ucsd.edu
• NBCR: http://nbcr.sdsc.edu

Credits
SDSC/GEON: Kurt Mueller, Sandeep Chandra, Karan Bhatia
UCSD/NCMIR: Abel Lin, Khim Ung, Lu Dai
UCSD/BIRN: Jason Novotny, Ramil Manansala, Jana Nguyen