Argonne National Laboratory Grid Dynamics Ian Foster Argonne National Laboratory University of Chicago Univa Corporation
Acknowledgements Carl Kesselman, with whom I developed many ideas (& slides) Bill Allcock, Charlie Catlett, Kate Keahey, Jennifer Schopf, Frank Siebenlist, Mike Wilde @ ANL/UC Ann Chervenak, Ewa Deelman, Laura Pearlman @ USC/ISI Karl Czajkowski, Steve Tuecke @ Univa Numerous other fine colleagues in NESC, EGEE, OSG, TeraGrid, etc. NSF & DOE for research support
“The Anatomy of the Grid”, Foster, Kesselman, Tuecke, 2001 What is the Grid? ? “Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations” “When the network is as fast as the computer's internal links, the machine disintegrates across the net into a set of special purpose appliances” (George Gilder) “The Anatomy of the Grid”, Foster, Kesselman, Tuecke, 2001
System-Level Decomposition Problem Implementation Grid technology Facilities Computers Storage Networks Services Software People Implementation U. Colorado Experimental Model NCSA Computational Model COORD. UIUC The ramp structure is quite large, about 400 ft in length, far longer than any laboratory testing bay, and far longer than the distance between any shaking tables even within the NEES sites. Add: “but” … Grid technology
Grid-enabled Business Intelligence Application Provision New Worker Process BI Server 2 Dispatcher Grid backend Managed Pool of Shared Resources BI server applications started and decommissioned by a Grid-enabled dispatcher
Grid Dynamics: Vision vs. Reality Vision: On-demand access to computing New communities form easily On-demand resources from providers Adapt easily to new missions, requirements Reality: Much manual configuration, e.g.: Manually deployed services on dedicated hardware Manually maintained access control lists Sysadmin-maintained allocation policies Human-mediated resource reservation
Grid Dynamics: A Two-Dimensional Problem Function Resource Decompose across network Clients integrate dynamically Select & compose services Select “best of breed” providers Publish result as new services Decouple resource & service providers Data Archives Analysis tools Discovery tools Users Fig: S. G. Djorgovski
Service-Oriented Systems: The Role of Grid Infrastructure Users Service-oriented applications Wrap applications as services Compose applications into workflows Composition Workflows Invocation Appln Service Appln Service Provisioning Service-oriented Grid infrastructure Provision physical resources to support application workloads “Provisioning” – reservation to configuration to … … make sure resource will do what I want it to do, with the right qualities of service Virtualization = separation of concerns between provider & consumer of “content” Client and service Service provider and resource provider Provisioning = assemble & configure resources to meet user needs Management = sustain desired qualities of service despite dynamic environment “The Many Faces of IT as Service”, ACM Queue, Foster, Tuecke, 2005
Grid Dynamics: Forming & Operating Communities Define membership & roles; enforce laws & community standards I.e., policy for service-oriented architecture Addressing dynamic membership & policy Build, buy, operate, & share infrastructure Decouple consumer & provider For data, programs, services, computing, storage, instruments Address dynamics of community demand
Grid Dynamics: Forming & Operating Communities Define membership & roles; enforce laws & community standards I.e., policy for service-oriented architecture Addressing dynamic membership & policy Build, buy, operate, & share infrastructure Decouple consumer & provider For data, programs, services, computing, storage, instruments Address dynamics of community demand
Defining Community: Membership and Laws Identify VO participants and roles For people and services Specify and control actions of members Empower members delegation Enforce restrictions federate policy Effective Access A 1 2 B 10 16 Policy of site to community Access granted by community to user Site admission-control policies
Policy Challenges in VOs Restrict VO operations based on requestor characteristics VO dynamics create challenges Intra-VO VO-specific roles Mechanisms to specify/enforce VO-level policy Inter-VO Different VOs define different entities/roles Different sorts of policy need to be enforced Access, usage, accounting, audit, …
Evolution of Grid Security & Policy 1) Grid security infrastructure Public key authentication & delegation Access control lists (“gridmap” files) Limited set of policies can be expressed 2) Utilities to simplify operational use, e.g. MyProxy: online credential repository VOMS, ACL/gridmap management Broader set of policies, but still ad-hoc 3) General, standards-based framework for authorization & attribute management
Core Security Mechanisms Attribute Assertions C asserts that S has attribute A with value V Authentication and digital signature Allows signer to assert attributes Delegation C asserts that S can perform O on behalf of C Attribute mapping {A1, A2… An}vo1 {A’1, A’2… A’m}vo2 Policy Entity with attributes A asserted by C may perform operation O on resource R
Security Services for VO Policy Attribute Authority (ATA) Issue signed attribute assertions (incl. identity, delegation & mapping) Authorization Authority (AZA) Decisions based on assertions & policy VO User A Resource Admin Attribute Delegation Assertion User B can use Service A VO AZA Can use with message-level or transport-level security. VO ATA Mapping ATA VO-A Attr VO-B Attr VO Member Attribute VO User B VO Member Attribute VO A Service VO B Service
Closing the Loop: GT4 Security Toolkit Authz Callout: SAML, XACML SSL/WS-Security with Proxy Certificates Services (running on user’s behalf) Rights Compute Center Access CAS or VOMS issuing SAML or X.509 ACs Local policy on VO identity or attribute authority VO Rights Users Rights’ MyProxy KCA Shib
Grid Dynamics: Forming & Operating Communities Define membership & roles; enforce laws & community standards I.e., policy for service-oriented architecture Addressing dynamics of membership & policy Build, buy, operate, & share infrastructure Decouple consumer & provider For data, programs, services, computing, storage, instruments Address dynamics of community demand
Bootstrapping a VO by Assembling Services 1) Integrate services from other sources Virtualize external services as VO services 2) Coordinate & compose Create new services from existing ones Community Content Services Provider Services Capacity Provider Capacity “Service-Oriented Science”, Science, Foster, 2005
Providing VO Services: (1) Integration from Other Sources Negotiate service level agreements Delegate and deploy capabilities/services Provision to deliver defined capability Configure environment Host layered functions Community A Z …
Virtualizing Existing Services into a VO Establish service agreement with service E.g., WS-Agreement Delegate use to VO user User B User A VO User Virtual Clusters for Grid Communities VO Admin Existing Services
Deploying New Services Policy Allocate/provision Configure Initiate activity Monitor activity Control activity Activity Client Environment Resource provider Interface WSRF (or WS-Transfer/WS-Man, etc.), Globus GRAM, Virtual Workspaces
Activities Can Be Nested Client Policy Client Client Environment Resource provider Interface
Embedded Resource Management: E.g., EGEE & OSG Client-side VO Admin Deleg Deleg GRAM GRAM Cluster Resource Manager Headnode Resource Manager VO User VO User Monitoring and control VO Job Deleg GRAM Cluster Resource Manager VO Scheduler . . . Other Services VO admin delegates credentials to be used by downstream VO services. VO admin starts the required services. VO jobs comes in directly from the upstream VO Users VO job gets forwarded to the appropriate resource using the VO credentials Computational job started for VO VO Job
Virtual Workspaces (Kate Keahey et al.) GT4 service for the creation, monitoring, & management of virtual workspaces High-level workspace description WSRF mechanisms to monitor & manage Multiple implementations Dynamic accounts Xen virtual machines (VMware virtual machines) … Virtual clusters as a higher-level construct
How do Grids and VMs Play Together? request VM Factory create new VM image VM EPR use existing VM image Create VM image VM Repository inspect & manage Client Resource deploy, suspend VM Manager VM start program
“Virtual Clusters for Grid Communities,” Zhang et al., CCGrid 2006 Virtual OSG Clusters OSG OSG cluster Xen hypervisors TeraGrid cluster “Virtual Clusters for Grid Communities,” Zhang et al., CCGrid 2006
Providing VO Services: (2) Coordination & Composition Take a set of provisioned services … … & compose to synthesize new behaviors This is traditional service composition But must also be concerned with emergent behaviors, autonomous interactions See the work of the agent & PlanetLab communities “Brain vs. Brawn: Why Grids and Agents Need Each Other," Foster, Kesselman, Jennings, 2004.
The Globus-Based LIGO Data Grid LIGO Gravitational Wave Observatory Cardiff AEI/Golm Birmingham• Replicating >1 Terabyte/day to 8 sites >40 million replicas so far MTBF = 1 month www.globus.org/solutions
Data Replication Service Pull “missing” files to a storage system Data Location Data Movement GridFTP Local Replica Catalog Replica Location Index Reliable File Transfer Service GridFTP Local Replica Catalog Replica Location Index Data Replication List of required Files Data Replication Service “Design and Implementation of a Data Replication Service Based on the Lightweight Data Replicator System,” Chervenak et al., 2005
Composing Resources … Composing Services Deploy service GridFTP LRC GridFTP DRS Deploy container VO Services JVM Deploy virtual machine VM VM Hypervisor/OS Deploy hypervisor/OS Procure hardware Physical machine State exposed & access uniformly at all levels Provisioning, management, and monitoring at all levels
Dynamic Service Deployment (Argonne + China Grid) Interface Upload-push Upload-pull Deploy Undeploy Reload “HAND: Highly Available Dynamic Deployment Infrastructure for GT4,” Li Qi et al., 2006
Decomposition Enables Separation of Concerns & Roles User S2 D S3 Service Provider “Provide access to data D at S1, S2, S3 with performance P” D S1 S2 S3 Replica catalog, User-level multicast, … Resource Provider “Provide storage with performance P1, network with P2, …” D S1 S2 S3
Community Commons What capabilities are available to VO? Membership changes, state changes Require mechanisms to aggregate and update VO information MORE The age of information A WebMDS: configurable via XSLT style sheets A A VO-specific indexes S Information S S S FRESH
GT4 Monitoring and Discovery Services (Uniform Treatment of State is Wonderful!) Clients (e.g., WebMDS) GT4 Container WS-ServiceGroup MDS- Index Registration & WSRF/WSN Access GridFTP adapter Custom protocols for non-WSRF entities GT4 Cont. GT4 Container WebMDS: configurable via XSLT style sheets MDS- Index MDS- Index GRAM User Automated registration in container RFT
System-Level Decomposition Problem Implementation Grid technology Facilities Computers Storage Networks Services Software People Implementation U. Colorado Experimental Model NCSA Computational Model COORD. UIUC The ramp structure is quite large, about 400 ft in length, far longer than any laboratory testing bay, and far longer than the distance between any shaking tables even within the NEES sites. Add: “but” … Grid technology
Grid-enabled Business Intelligence Application Provision New Worker Process BI Server 2 Dispatcher Grid backend Managed Pool of Shared Resources BI server applications started and decommissioned by a Grid-enabled dispatcher
The Integrating Role of Grid Infrastructure Coarse Grained Dev / Test Grid Infrastructure Multiple applications and workload types Multiple resource types and instances Consistent & open management interface Consistent & open enactment interface End-to-end Quality of Service Fine Data Driven Workflow
Summary: Grid Dynamics and You Grid = dynamic behaviors & environments Dynamic communities & activities Decoupling of service consumption from service production Dynamic provisioning of services We have tools to realize dynamic scenarios Uniform state representation & access Flexible security & policy framework Virtual machines, dynamic services, & other building blocks We now need much experimentation
For More Information Globus Alliance Background www.globus.org Background www.mcs.anl.gov/~foster Come to GT4 workshop, 8:30-12:00 Wednesday Overview of features User experiences Future directions 2nd Edition www.mkp.com/grid2
Available in High-Quality Open Source Software … Globus Toolkit v4 www.globus.org Data Replication Credential Mgmt Replica Location Grid Telecontrol Protocol Delegation Data Access & Integration Community Scheduling Framework WebMDS Java Runtime C Runtime Python Runtime Community Authorization Reliable File Transfer Workspace Management Trigger Authentication Authorization GridFTP Grid Resource Allocation & Management Index Security Data Mgmt Execution Mgmt Info Services Common Runtime I. Foster, Globus Toolkit Version 4: Software for Service-Oriented Systems, LNCS 3779, 2-13, 2005
GT4 & Web Services: Uniform State, Security, Mgmt User Applications Custom Services Custom WSRF Services GT4 WSRF Web Services Registry & Admin GT4 Container (e.g., Apache Axis) WS-A, WSRF, WS-Notification WSDL, SOAP, WS-Security
Infrastructure (CVS, email, bugzilla, Wiki) GlobDev http://dev.globus.org Guidelines (Apache) Infrastructure (CVS, email, bugzilla, Wiki) Projects Include …