RI-222919 User Management in DEISA The DEISA VO view Jules Wolfrat SARA, HPDC’08 workshop June 24, 2008.

Slides:



Advertisements
Similar presentations
March 6 th, 2009 OGF 25 Unicore 6 and IPv6 readiness and IPv6 readiness
Advertisements

GT 4 Security Goals & Plans Sam Meder
Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Ingrid Conferene, Ischia, April Stefan Heinzel, DEISA DEISA Towards a European HPC Infrastructure ( Topics Vision The DEISA/eDEISA.
Towards a European Training Network in Scientific Computing Pekka Manninen, PhD CSC – IT Center for Science Ltd.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The UNICORE GRID Project Karl Solchenbach Gesellschaft für Parallele Anwendungen und Systeme mbH Pallas GmbH Hermülheimer Straße 10 D Brühl, Germany.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Generic AAA model in Grids IRTF - AAAARCH meeting IETF 52 – Dec 14 th Salt Lake City Leon Gommans Advanced Internet Research Group.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
1 Ideas About the Future of HPC in Europe “The views expressed in this presentation are those of the author and do not necessarily reflect the views of.
Member of the ExperTeam Group Ralf Ratering Pallas GmbH Hermülheimer Straße Brühl, Germany
W w w. h p c - e u r o p a. o r g Single Point of Access to Resources of HPC-Europa Krzysztof Kurowski, Jarek Nabrzyski, Ariel Oleksiak, Dawid Szejnfeld.
Experiences with using UNICORE in Production Grid Infrastructures DEISA and D-Grid Michael Rambadt
EuroCAMP, Malaga, October 19, 2006 DEISA requirements for federations and AA Jules Wolfrat SARA
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.
Australian Access Federation and other Middleware Initiatives Presented at TF-EMC2, Prague 4 Sep 2007 Patty McMillan, The University of Queensland.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.
Results of the HPC in Europe Taskforce (HET) e-IRG Workshop Kimmo Koski CSC – The Finnish IT Center for Science April 19 th, 2007.
Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.
EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.
© 2006 Open Grid Forum Enabling Pervasive Grids The OGF GIN Effort Erwin Laure GIN-CG co-chair, EGEE Technical Director
RI User Support in DEISA/PRACE EEF meeting 2 November 2010, Geneva Jules Wolfrat/Axel Berg SARA.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Grid Middleware Tutorial / Grid Technologies IntroSlide 1 /14 Grid Technologies Intro Ivan Degtyarenko ivan.degtyarenko dog csc dot fi CSC – The Finnish.
Leibniz Supercomputing Centre Garching/Munich Matthias Brehm HPC Group June 16.
OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland
ESnet RAF and eduroam ™ Tony J. Genovese ATF Team ESnet/Lawrence Berkeley National Laboratory.
RI The DEISA Sustainability Model Wolfgang Gentzsch DEISA-2 and OGF rzg.mpg.de.
Research Infrastructures Information Day Brussels, March 25, 2003 Victor Alessandrini IDRIS - CNRS.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
Fourth EGEE Conference Pise, October 23-28, 2005 DEISA Perspectives Towards cooperative extreme computing in Europe Victor Alessandrini IDRIS - CNRS
INFSO-RI Enabling Grids for E-sciencE An overview of EGEE operations & support procedures Jules Wolfrat SARA.
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
DICE: Authorizing Dynamic Networks for VOs Jeff W. Boote Senior Network Software Engineer, Internet2 Cándido Rodríguez Montes RedIRIS TNC2009 Malaga, Spain.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
14, Chicago, IL, 2005 Science Gateways to DEISA Motivation, user requirements, and prototype example Thomas Soddemann, RZG, Germany.
Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,
Shibboleth Use at the National e-Science Centre Hub Glasgow at collaborating institutions in the Shibboleth federation depending.
Tutorial on Science Gateways, Roma, Riccardo Rotondo Introduction on Science Gateway Understanding access and functionalities.
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
EGEE Workshop on Management of Rights in Production Grids Paris, June 19th, 2006 Victor Alessandrini IDRIS - CNRS DEISA : status, strategies, perspectives.
Page : 1 SC2004 Pittsburgh, November 12, 2004 DEISA : integrating HPC infrastructures in Europe DEISA : integrating HPC infrastructures in Europe Victor.
Monterey HPDC Workshop Experiences with MC-GPFS in DEISA Andreas Schott
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.
1 MSWG, Amsterdam, December 15, 2005 DEISA security Jules Wolfrat SARA.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
Bob Jones EGEE Technical Director
AAI for a Collaborative Data Infrastructure
DEISA : integrating HPC infrastructures in Europe Prof
Presentation transcript:

RI User Management in DEISA The DEISA VO view Jules Wolfrat SARA, HPDC’08 workshop June 24, 2008

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 2

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 3

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 4

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 5 Outline Introduction to DEISA Management of users in DEISA Interoperability VO view DEISA

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 6 Vision of a European HPC Ecosystem in FP7 T-0: future shared European PetaFLOP systems T-1: leading national supercomputing systems PRACE Building a world-class pan-European High Performance HPC Ecosystem which is operated under the umbrella of an European Legal Entity adopting operational and technological concepts and services designed and approved by DEISA2. Enhancing the performance DEISA2 - The Infrastructure for the European HPC Ecosystem Deep operational and technological integration of European HPC (T-0 and T-1) centres and systems providing efficient seamless access to shared HPC resources and large data repositories designing and approving an operational model for a large European Virtual HPC Centre. Providing scientists access to a large distributed HPC environment via integrated services. … T-1 T-0 T-1 DEISA is paving the way to the efficient operation of the T-0 and T-1 ecosystem

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 7 Towards a European HPC Infrastructure – DEISA2 Objectives Enhancing the existing distributed European HPC environment (DEISA) to a turnkey operational infrastructure National HPC Center (T1) National HPC Center (T1) National HPC Center (T1) National Data Center (T1) National Data Center National HPC Center (T1) National HPC Center (T1) Advancing the computational sciences in Europe by supporting user communities and extreme computing projects Enhancing the service provision by offering a complete variety of options of interaction with computational resources Fusion Community Cosmology Community Climate Community Material Sciences Community Weather forecast Communities Industry Communities European Petascale Center (T0) European Petascale Center (T0) European Petascale Center (T0) Integration of T1 and T0 centres The Petascale Systems need a transparent access from and into the national data repositories DEISA2 – The Virtual European HPC Center Operation - Technology - Application USA TeraGrid,DoE Japan NAREGI Chinese Academy Russian Academy DEISA2 Bridging worldwide HPC projects

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 8 DEISA Partners DEISA2:May 1st, 2008 – April 30th, 2011 with additional associated partners Three new partners joined June 2005 (eDEISA) DEISA:May 1st, 2004 – April 30th, 2008

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 9 Partners/ Associate Partners BSCBarcelona Supercomputing Centre Spain CINECAConsortio Interuniversitario per il Calcolo Automatico Italy CSC Finnish Information Technology Centre for Science Finland EPCCUniversity of Edinburgh and CCLRC UK ECMWFEuropean Centre for Medium-Range Weather ForecastUK (int) FZJResearch Centre Juelich Germany HLRS High Performance Computing Centre Stuttgart Germany IDRIS Institut du Développement et des Ressources France en Informatique Scientifique - CNRS LRZ Leibniz Rechenzentrum Munich Germany RZG Rechenzentrum Garching of the Max Planck SocietyGermany SARA Dutch National High Performance Computing Netherlands KTH Kungliga Tekniska Högskolan Sweden CSCSSwiss National Supercomputing Centre Switzerland JSCCJoint Supercomputer Center of the Russian Russia Academy of Sciences

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 10 The basic DEISA infrastructures and services Dedicated high speed network infrastructure Common AAA infrastructure Global data management infrastructure –Integrating distributed data with distributed computing platforms, including hierarchical storage management and databases. Major highlights are: High performace remote I/O and data sharing with global file systems, using full network bandwidth High performance tranfers of large data sets, using full network bandwidth DCPE (DEISA Common Production Environment) –The job management service –The science gateways (portals) to supercomputing resources Common Operation Environment –Common monitoring and Information systems –Common system operation –Common help desk Global Application Support

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 11 DEISA network infrastructure RENATER FUNET SURFnet GÉANT DFN GARR UKERNA RedIris 1 Gb/s GRE tunnel 10 Gb/s wavelength 10 Gb/s routed 10 Gb/s switched

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 12 DEISA Extreme Computing Initiative DECI call proposals, 12 European countries involved 30 mio cpu-h requested 29 proposals accepted, 12 mio cpu-h (standardized to P4+ at FZJ) DECI call proposals, 12 European countries involved 28 mio cpu-h requested 23 proposals accepted, 12 mio cpu-h DECI call proposals, 14 European countries involved (US, Canada, Brazil, Israel) 70 mio cpu-h requested 45 proposals accepted, 30 mio cpu-h

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 13 Management of users in DEISA For the administration of DEISA users a dedicated distributed repository is built based on LDAP Only trusted servers are authorized to access each other (based on X.509 certs) and encrypted communication is used to maintain confidentiality (TLS based) BSCCINECACSCECMWFEPCCFZJ HLRSIDRISLRZRZG SARA

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 14 User Administration System (1) Each partner is responsible for the registration of users affiliated to the partner (home organization) Other partners update local user administration (LDAP, NIS, /etc/passwd) with data from other sites on a daily basis. Based on trust between partners! LDAP server Site A user added to LDAP server at site A Administrators at site B, C … create local accounts based on ldap query HPC system at Site B

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 15 User Administration System (2) Some 20 attributes used for the registration of users using existing object classes and a DEISA specific defined schema Information is used for – Providing authorization information (UNIX accounts, X.509 certs for UNICORE UUDB, grid-mapfile for GT4). –Additional information to comply with requirements of partners: –Phone number, address, Science field, Nationality, Status, Project –e.g. Nationality because of export regulations for some of the systems in use To avoid overlap between DEISA uid numbers and local numbers each site uses reserved ranges –GPFS authorization based on uids, so must be the same at each site Policies for administrators defined, e.g. what to do if user account has to be deactivated.

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 16 Monitoring the Administration service Service is not critical as n/a doesn’t impact production service directly But important that failing servers are detected in time (order of hours) and that registrations are conform to the policies defined Every two hours check of availability of LDAP servers implemented (just see if there is a response on a simple query) –Not responding site is notified through a message using the INCA framework Audit of all registrations is performed on a daily basis, also using the INCA framework –Not all partners ok, but no critical errors (e.g. errors in optional attributes)

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 17 UNICORE AuthN & AuthZ (1) IDB TSI UUDB Certificate 2 Certificate 3 Certificate 4 Certificate 5 Certificate 1 Login B Login C Login D Login E Login A Typical UNICORE User User Certificate User Login Client NJS Gateway User Certificate AJO

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 18 Config for DEISA FZJ users DEISA FZJ gateway DMZ FZJ NJS intranet CNE users DEISA CNE gateway DMZ CNE NJS intranet RZG users DEISA RZG gateway DMZ RZG NJS intranet IDR users DEISA IDR gateway DMZ IDR NJS intranet CSC users DEISA CSC gateway DMZ CSC NJS intranet SARA users DEISA SARA gateway DMZ SARA NJS intranet BSC users DEISA BSC gateway DMZ BSC NJS intranet LRZ users DEISA LRZ gateway DMZ LRZ NJS intranet RZG users

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 19 UNICORE AuthN & AuthZ (2) UNICORE AuthN and AuthZ is based on X.509 certificates –AuthZ based on Subject Name mapping to uids in UUDB (like the gridmapfile) –UUDB is maintained at each site. So sites can decide if user can get access through UNICORE, e.g. based on the project the user is working on. Subject names are distributed using the LDAP system. –Subject name can be mapped to more than one uid, the user can specify with UNICORE which uid to use

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 20 Portal : EnginFrame Architecture

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 21 Portal: Deployment on the DEISA grid Portal Applications –BLAST –NAMD –RAXML –PHYML –DOCK

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 22 Mgmt of Portal users Creation of Accounts –Each user must sign a form (that mentions the DEISA AUP) –The project manager sends to the site managing the portal server (e.g. IDRIS) the list of its client IPs –IDRIS checks that the nationality of the users are accepted by the site(s) that will host the project application. –IDRIS registers the project and users in LDAP –IDRIS registers the project and the users on the portal

RI Interoperability

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 24 Authentication DEISA vision is one global federated namespace, enabling Single Sign-on facilities. –Direct (interactive) access to systems required for Testing/debugging of code on specific architectures Submission and checking of production jobs DEISA AuthN is X.509 based PKI –DEISA trusts IGTF accredited CAs –Relying party of EUGridPMA –SSH functionality based on X.509 certificates required –Handling of X.509 certs cumbersome for users, should be hided, e.g. using Shibboleth technology No interoperability issues for AuthN

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 25 Authorization (1) Authorization information from LDAP service not directly usable by other projects because most use VOMS based information –But both systems give attribute information about users, used differently VOMS information used dynamically to add information to certificates LDAP information used to update authorization DBs (UNICORE UUDB and GT4 grid-mapfile) –DEISA can operate a VOMS server feeding the information from the LDAP system –DEISA can import VOMS information into LDAP system, but currently VOMS based system doesn’t supply all needed information

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 26 DEISA view on VOs Within HPC/DEISA accounts are managed by sites. LDAP repository managed by sites, not by VOs! –Partners/sites are the VOs. From the AUP (Acceptable Use Policy): “the Virtual Organization is defined as the DEISA partner that registers you as a DEISA user”. Users are associated through a partner (site). –But we also have application communities, where scientists from different regions collaborate and where the Principal Investigator authorizes the members of the project –Who to trust and how? Important to build a trust basis for authorization information providers, like for the CAs -Agreement on policies for management of AuthZ information providers (the LDAP and VOMS servers) needed – at least information on operational model must be available -Policies for DEISA are described in User Administration guide -Within the IGTF community an AuthZ WG has been formed to investigate this

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 27 Accounting Usage information published using OGF UR-WG format recommendation Developed our own system for publishing usage records –Each site publishes data locally in DB (eXist) –Access based on role – user, PI (principal investigator), site admin Based on X.509 SubjectName –GUI for producing reports (DART) –Conversion (comparison) between systems based on CPU performance

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 28 Conclusion For interoperability technical problems must be solved, but no fundamental barriers Middleware must be able to deal with information from Identity Providers (IdPs) –E.g. UNICORE 6 can use Shibboleth issued attribute assertions Trust building between IdPs important

RI Thank you!

RI June 24, 2008, HPDC'08 workshop Jules Wolfrat, DEISA 30