– n° 1 Review resources access policy, procedures, rules and challenges: The Italian experience and future challenges Antonia Ghiselli INFN-CNAF Workshop.

Presentation transcript:

– n° 1 Review resources access policy, procedures, rules and challenges: The Italian experience and future challenges
Antonia Ghiselli, INFN-CNAF
Workshop on eInfrastructures (Internet and Grids): The new foundation for knowledge-base Societies
Roma, Accademia Nazionale dei Lincei, 9 December 2003

– n° 2 Outline
- Introduction:
  - INFN resource sharing experience in the past
- INFN-Grid and the national research grid
  - Goals and Results
- Italian-Grid present status
  - Resource access mechanism and management tools
  - Production service: management, operations and support organization
- International Grid scenario: LCG and EGEE
  - Challenges: Multi-grids for multi-VOs
  - Multi-grids: definitions and issues
- Conclusions

– n° 3 INFN Computing Resource sharing in the past
- 1980s
- RJE to INFN resources by INFN users
- Resource sharing within a single distributed community (agreement between sites based on common convenience)
- Access policy agreement:
  - low priority queues during the night
  - proxy login mechanism
[Figure: map of INFN sites (TORINO, PADOVA, BARI, PALERMO, FIRENZE, PAVIA, GENOVA, NAPOLI, CAGLIARI, TRIESTE, ROMA, PISA, LAQUILA, CATANIA, BOLOGNA, UDINE, TRENTO, PERUGIA, LNF, LNGS, SASSARI, LECCE, LNS, LNL, SALERNO, COSENZA, S.Piero, FERRARA, PARMA, CNAF, ROMA2, MILANO); labels: Network user, VAX/VMS cluster]

– n° 4 INFN Computing Resource sharing in the past
- 1990s: Condor – INFN collaboration
- Condor submit to INFN desktops and workstations
- User resource sharing by INFN users
- Access policy agreement: transparent access through CPU cycle stealing
- ~300 machines, still up.
[Figure: map of INFN sites; labels: Condor on WAN, user]

– n° 5 INFN Computing Resource sharing in the past
- 1999
- Globus evaluation on WAN
- Preliminary grid tests to the INFN-Grid project.
[Figure: map of INFN sites; labels: Globus test, user]

– n° 6 INFN-Grid – goals (started in 2000)
1. To promote computational grid technologies research & development: Middleware
   - Through European and international projects
     - DataGrid, DataTAG, GLUE
   - Internal R&D activities
2. To implement the INFN grid infrastructure
   - National layout: 20 sites
3. To set up the national Grid infrastructure for the national research community
   - FIRB: Grid.it
4. To participate in the implementation of the global Grid infrastructure for the LHC community
   - LCG: Tier1 and n*Tier2
5. To set up the eInfrastructure for the European Research Area
   - EU FP6: EGEE, IG-BIGEST

– n° 7 INFN-Grid – collaborations and results
- EU DataGrid: middleware development
  - WMS = job submission to the Grid
    - CE and SE selection on the basis of job requirements specification, CPU load, CE-SE network conditions, ...
    - Support for interactive jobs
    - Job checkpointing
    - Support for parallel jobs
  - Virtual Organization authentication and authorization service: VOMS (VO Membership Service, EDG/EDT)
- EU DataTAG: inter-grid interoperability; EU-US collaboration within the GLUE framework
  - Grid resources information modeling: GLUE schema for Computing and Storage Element
  - Authorization/authentication service: VOMS-VOX integration (EDT-Fnal/CMS coll.)
  - First WorldGrid demo by Nov. 2002 within IST2002 and SC2002 events
  - Grid monitoring system based on GLUE schemas extension
- Italian Grid.it: Grid management and support infrastructure
  - First tools in production
  - R&D on Resource Utilization Policies

– n° 8 Italian Grid now (site/resource map)
[Figure: map of sites (TORINO, PADOVA, BARI, PALERMO, FIRENZE, PAVIA, GENOVA, NAPOLI, CAGLIARI, TRIESTE, ROMA, PISA, LAQUILA, CATANIA, BOLOGNA, UDINE, TRENTO, PERUGIA, LNF, LNGS, SASSARI, LECCE, LNS, LNL, SALERNO, COSENZA, S.Piero, FERRARA, PARMA, CNAF, ROMA2, MILANO) connected by the National Grid (Internet)]
Map legend:
- INFN: CMS T2, T2/3; Atlas T2, T2/3; Alice T2, T2/3; LHCb T2, T2/3; Babar; VIRGO
- T2 (50-80 nodes), T3 (10-15 nodes), T1 Cnaf (~200)
- grid.it resources: INFN (15-25 nodes), INAF (5-10 nodes), INGV (NEC computers), BIO (tbd)
- general purpose resources (8-15 nodes)
Tot. ~600 nodes, next year ~1000

– n° 9 Resource access policies: Basic grid authorization, authentication mechanisms
Security characteristics:
- Login via X.509 certificates from PKI/Certificate Authorities (CA)
- Single sign-on.
  - The user is not required to repeat login procedures on the grid more than once.
- Delegation.
  - Once a user has successfully identified himself with the Grid, it is possible for grid services to act on behalf of the user as if they were the user himself.
- User-based trust relationship.
  - All trust mechanisms have the user's credential at their core.
    - If a user wants to access farms A and B, there should be no need for farms A and B to trust each other.
- Integrated with local systems.
  - The grid security mechanism does not supplant the local authorization mechanism, but instead works on top of it.
- New membership concept: user belongs to a Virtual Organization

– n° 10 User: CA, VO and Resource Providers
- Certificates are issued by a set of well-defined Certification Authorities (CAs).
- Grant authorization at the VO level.
  - Each VO has its own VOMS server.
  - Contains (group / role / capabilities) triples for each member of the VO.
- RPs evaluate authorization granted by VO to a user and map into local credentials to access resources
[Diagram labels: Authentication Request; C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy; VOMS pseudo-cert; cert-request; cert signing; cert/crl update; Service; VO-Manager (administer user membership, roles and capabilities); Resource provider (map into local credential); CAs: policies and procedures, mutual trust agreement]
CAs: CERN, CESNET, CNRS, GermanGrid, Grid-Ireland, INFN, NIKHEF, NorduGrid, LIP, Russian DataGrid, DATAGRID-ES, GridPP, US-DOE Root CA, US-DOE Sub CA, CrossGrid
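
The resource-provider step from slides 9 and 10, as an added illustration that is not part of the original slides: recover the user's identity from a delegated proxy subject, check the issuing CA, then map the VO-granted (group / role) attributes to a local account while local policy still applies on top. The policy table, account names, ban list and `VomsAttr` type are hypothetical, and certificate-chain and VOMS signature verification are assumed to have happened already.

```python
from dataclasses import dataclass
from typing import Optional

# All values below are constructed for illustration.
TRUSTED_CAS = {"INFN", "CERN", "GridPP"}               # subset of the CAs on slide 10
LOCAL_BANNED = {"/C=IT/O=INFN/L=CNAF/CN=Banned User"}  # local site decision
# Hypothetical site policy, first match wins:
# (vo, group, role or None for any role, local account)
SITE_POLICY = [
    ("atlas", "/atlas/production", "manager", "atlasprd"),
    ("atlas", "/atlas", None, "atlas001"),
    ("ingv", "/ingv", None, "ingv001"),
]

@dataclass(frozen=True)
class VomsAttr:
    vo: str
    group: str
    role: Optional[str] = None
    capability: Optional[str] = None

def end_entity_dn(subject: str) -> str:
    """Strip the trailing CN=proxy components added by each delegation step."""
    rdns = [r.strip() for r in subject.split("/") if r.strip()]
    while rdns and rdns[-1] == "CN=proxy":
        rdns.pop()
    if not rdns:
        raise ValueError("subject contains no end-entity identity")
    return "/" + "/".join(rdns)

def map_to_local_account(subject, issuer_ca, attrs):
    """Return the local account for this request, or None if access is denied."""
    if issuer_ca not in TRUSTED_CAS:              # authentication: CA must be trusted
        return None
    if end_entity_dn(subject) in LOCAL_BANNED:    # local authorization stays in force
        return None
    for a in attrs:                               # authorization granted by the VO
        for vo, group, role, account in SITE_POLICY:
            # Membership of a subgroup counts as membership of its parent group.
            in_group = a.group == group or a.group.startswith(group + "/")
            if a.vo == vo and in_group and role in (None, a.role):
                return account
    return None                                   # no VO attribute matched: deny
```

A request with a valid certificate but no VOMS attributes is denied here, which reflects the slide's point that authorization is granted at the VO level rather than per user at each site.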

– n° 11 Resource access policies
- Authentication/authorization: coded and tested procedures and tools
- New issue: resource sharing according to Service Level Agreement
  - first trials based on grid level priority queues
  - ongoing research on more sophisticated mechanisms based on accounting + resource utilization
[Diagram labels: Policies management; Grid management organization; VO-users (Requirements, Support); Resource providers / AA/SLA; VO-managers (VOMS and SLA Control); Certificate Authorities; Grid deployment planning; Grid operations / support; Grid release]

– n° 12 Italian Grid organization: integrates all the actors to provide flexible and efficient grid computing service
[Organization chart labels: Experiments (VOs); GRID resources; Projects/owners; Coordination Committee; Management coordination; Operations coordination; VO representatives, Grid technical coord., Operations resp., grid experts; Deployment planning; resource policy application; ...; Central management team; Site-man; Resource admin; Grid service support; VO admin; New VO admin & support; VO user support; User application; Grid resource coordination; Experiment or research org.; support; release; Configuration management; Release distribution, documentation and porting; Grid technical coordination; Service level agreement; Resource availability; Shared resources; VO admin; Support for new VO-users]

– n° 13 Tools for Operations
- Software repository: release maintenance and distribution
- Installation and configuration:
  - Configuration and automatic installation tools for the production infrastructure sites
- Release validation:
  - Integration/customization of middleware release with application specific software
- GRID site and GRID service validation
  - Testing programs to verify and validate site and services installation
- Site manager support
- Grid services, VO services support and user support
- Monitoring: GridICE
  - Based on automatic resource discovery from Grid Information System
  - Dynamic monitoring of Grid services, Grid resources and jobs
  - Customized view for
    - Grid Operation Center operators, and site managers
    - VO-managers and Grid users

– n° 14 Operations Portal
- User documentation
- Site managers documentation
- Software repository
- Monitoring
- Trouble tickets system
- Knowledge base

– n° 15 Get your personal certificate

– n° 16 How to register to a VO

– n° 17 Monitoring tool

– n° 18 Grid services
[Diagram labels: VO server atlas; VO server ingv; Information Index; Resource Broker; User Interface; BDII; RLS; Grid Monitoring (GridICE); site INGV-Bologna: Computing Element, Storage Element, GIIS, GRIS1, GRIS, GRAM, WorkerNode ... WorkerNode; site INFN-Padova: Computing Element, Storage Element, GIIS, GRIS1, GRIS, GRAM, WorkerNode ... WorkerNode]

– n° 19 Grid Service monitoring

– n° 20 Outline
- Introduction:
  - INFN resource sharing experience in the past
- INFN-Grid and the national research grid
  - Goals and Results
- Italian-Grid present status
  - Resource access mechanism and management tools
  - Production service: management, operations and support organization
- International Grid scenario: LCG and EGEE
  - Challenges: Multi-grids for multi-VOs
  - Multi-grids: definitions and issues
- Conclusions

– n° 21 International Grids scenario
- LCG: first international experience on sharing resources between national grids
  - Grid resource sharing issues:
    - how to guarantee the committed CPU power and satisfy local needs
    - how to guarantee priorities on VO-owned resources
  - Different needs for different VOs (HEP experiments plans)
  - Management coordination
  - Support coordination
- EGEE: project based on national grids interconnection for an increased number of VOs
  - Not only middleware but mainly policies, service level agreement and management coordination issues
  - Need to find a model ...

– n° 22 Grid access challenge: Grid and Virtual Organisations
- The real problem at the basis of the grid idea is how to implement coordinated resource sharing on a large scale for a multi-institutional and dynamic virtual organisation.
- From computer sharing to grid sharing
- From multiple users to multiple VOs (INFN experiments + other research organizations)

– n° 23 Challenges: Capability to provide multi-Grid computing service to Multi-VO
[Diagram "General scenario"; labels: Shared Resources and Services; VO services and private resources; VO services]

– n° 24
- International VO is a multi-institutional distributed user community
- Heterogeneous grid environment
  - Dedicated VO services
  - Dedicated resources
  - Shared resources with different policies
[Diagram labels: EGEE; Italian-Grid; US-Grid; same middleware; shared resources; VO-User; VO-Virtual Grid on top of Multi-Grids; same core services; RB; VOMS; VO-monitoring; VO-RLS; VO - Virtual Grid; RB; National and International Grids; Coordinated VO-support]

– n° 25 Multi-grids: definitions and issues
- National grid identity and authority boundaries
  - A coordinated set of shared resources and services providing defined SLAs.
  - A single management and operations organization
  - Specific authorization, accounting and monitoring tools
  - A collection of user communities (VOs)
- Federation of grids, what does it mean?
  - Cooperating grids to provide services to the common VOs?
    - Which level of transparency to VO-users?
  - Which interoperability requirements:
    - common core services?
    - common or interoperable collective services? (level of service interoperability)
    - common resource sharing policies?
  - What level of management/operations/support coordination?

– n° 26 Conclusions
- Production grid does not mean only efficient, stable services but also:
  - A topology/organizational model capable of providing the most flexible and efficient computing service to VO-users across multiple grids
  - Sufficient level of service quality (SLA)
  - Operations and support coordination
  - The minimum level of interoperability in order to allow VO virtual grid configuration across multiple grids