Resource Access System in High-performance Computing Environment on Third-party Application Platform; Rong HE, Computer Network Information Center, Chinese Academy of Sciences
Outline: Introduction; Resource Access System; Implementation; Conclusion & Future Work
China National High Performance Computing Environment: 2 Operating Centers (Beijing / Hefei); 19 Sites (200PF + 200PB); Portal; SCEAPI-REST
SCE - Middleware for Science Cloud: Scientific computing; Lightweight; Stable; Diversity; CLI; Portal; GUI; API; International Patent (PCT/CN2911/071640)
SCEAPI-REST: Cross Platforms and Languages (Windows, Linux, Android, iOS, ...; Java, C/C++, PHP, ...); Functions (Computing Resources, Job, File, Account, Statistics). Diagram labels: Client, Web Application - HTML/AJAX; SCEAPI-REST; Authentication; LDAP: User Info; Persistent data: Application ID, session; HTTP Request; JSON Response; SCEAPI Library (multi-thread, automatic); SCE Software
Portal
Third-party Application Platform-CSTCloud: China's Science and Technology Cloud; CSTPassport to log in to the platform; A lot of resources: Advanced Network, Science Data, Software, Community
Third-party Application Platform-EasyHPC: Online Educational Practice Platform for High Performance Computing; Users can take HPC-related courses from the online platform, submit course assignments, exchange discussions, and complete HPC programming exercises
Question (diagram labels): CSTCloud; EasyHPC; Access System (Account, Resource); High Performance Computing Environment
Access System-Account: Account; Grid Account; Verify login message; Get login message; Create Grid account; Implement account binding; Record to the database
Access System-Resource: Identify the Application; Authorization Management; API Gateway
Resource Access System (diagram labels): Principal; User; Role; Federated; Application; Authentication; Request; Actions/Operations; Resources; Request Information; Authorization; API; JSON (Effect, Action, Resource); Account; Identity-based policies; Resource-based policies; Create Account; Get Account; Account Mapping; Create service; Get Information; Account Service; Resource Service; Software; Job
OpenID Connect: New federation protocol that builds on OAuth 2; Adds identity inputs/outputs to OAuth messages; Related to prior OpenID versions in name only; Compact messages for mobile scenarios; RP/client can determine info about end user; Tokens are JWTs; UserInfo endpoint to get user data
JWT: Lightweight tokens passed in HTTP headers & query strings; Akin to SAML tokens; Less expressive; Fewer security options; More compact; Encoded with JSON not XML
Authorization Code Mode Flow
UserInfo Endpoint: Get Information of User
Third-party Application Platform: Apply for APPID and APPKey; Get Authorization; Access Resources by API
Implementation-Workflow
Implementation-Verify login message. CSTCloud: Simple JavaScript to judge the login message; Callback to CSTCloud to get the login user message. EasyHPC: Encode user data in the format of JWT; Put user data in HTTP headers & query strings when getting resources by API; Access system decodes the JWT and gets the user message
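The EasyHPC path above (platform encodes user data as a JWT, access system decodes it) only gives a trustworthy identity if the decode step verifies the token. The sketch below is an added example, not code from the slides or from the SCE project; it assumes the token is HS256-signed with the application's APPKey as a shared secret and uses the claim names `iss` (APPID), `sub` (user) and `exp`, and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed sample registry: APPID -> APPKey (placeholder values, an assumption).
APP_KEYS = {"easyhpc-demo": b"constructed-demo-appkey"}

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(app_id: str, user: str, ttl: int = 300, now=None) -> str:
    """Platform side: encode user data as an HS256 JWT signed with the APPKey."""
    now = int(time.time() if now is None else now)
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"iss": app_id, "sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(APP_KEYS[app_id], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Access-system side: return the claims only if every check passes."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        claims = json.loads(b64d(body_b64))
        sig = b64d(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must not choose it (rejects "alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    iss = claims.get("iss") if isinstance(claims, dict) else None
    key = APP_KEYS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("unknown application")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired token")
    return claims
```

Only the `sub` value returned by `verify_token` should be used for the Grid account mapping. When the token travels in a query string it is commonly recorded in access logs, so a short `exp` limits how long a logged token can be replayed.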
CSTCloud Access
Conclusion & Future Work: Third-party Application Platform can access resources conveniently by Resource Access System; Federated Account can log in to the environmental platform and use it. Future work: API Gateway; Access Management; Supply personalized API according to application
Thank you~