GEON meeting - May 22, 2006 GAMA 2.0 Features and Status Kurt Mueller SDSC

GEON meeting - May 22, 2006 GAMA 1 in a nutshell A system for creating and managing Grid accounts for portal and application users Provides dedicated server installation consisting of Grid software (CACL, MyProxy, CAS) wrapped in web services Provides management portlets for easy integration into GridSphere portal framework –User account request form –Administrative account management console –User login through GAMA - retrieves GSI credential

GEON meeting - May 22, 2006 GAMA 1 architecture Portal server 2 Portal server 1 GAMA server CACL MyProxyCAS AXIS Web Services wrapper … Servlet container import user retrieve credential Stand-alone applications retrieve credential DB gridportlets Java keystore gama GridSphere Servlet container create user

GEON meeting - May 22, 2006 GAMA 1 ideal environment New portal/Grid project No existing users/credentials Single administrator Globus Grid GridSphere portal Authorization through grid-mapfile

GEON meeting - May 22, 2006 GAMA 1 weaknesses Hard to incorporate existing user accounts and Grid credentials Hard to use existing infrastructure –MyProxy server –Other CA packages Hard to expand core GAMA functions –SRB account creation –Authorization - CAS not so useful? –Unix accounts –grid-mapfile updates

GEON meeting - May 22, 2006 Back to the drawing board…

GEON meeting - May 22, 2006 GAMA 2 features Implementation agnostic Extensible through a plug-in architecture Workflow system for multi-step operations Supports VOs with many sites and independent site administrators Provides cluster account management

GEON meeting - May 22, 2006 Implementation agnostic No explicit reliance on MyProxy, CACL, CAS. Accomplished through a plug-in architecture on GAMA server: use whatever CA you want, whatever credential storage, whatever authorization service, etc. GAMA 2 includes CACL, Naregi and MyProxy plugins out of the box May also include SRB account management, and other plugins

GEON meeting - May 22, 2006 Extensible GAMA admin can write task plugins to accomplish novel tasks: –Interface with existing infrastructure (authentication/authorization mechanisms, databases, CA packages, etc.) – Manage Unix / Windows / physical accounts –etc.

GEON meeting - May 22, 2006 Extensible All GAMA tasks extend GAMATask class: abstract public class GAMATask { … abstract public void doTask() throws GAMATaskException; abstract public void rollbackTask() throws GAMATaskRollbackException {}; … }

GEON meeting - May 22, 2006 username java.lang.String true password java.lang.String true … credentialobject org.globus.gsi.GlobusCredential credentialstring java.lang.String Extensible - MyProxyAuthNTask.xml

GEON meeting - May 22, 2006 Extensible - MyProxyAuthNTask.java public class MyProxyAuthNTask extends GAMATask { public void doTask() throws GAMATaskException { String username = (String) getParamObjectByName("username"); String passwd = (String) getParamObjectByName("password"); … cred = (GSSCredential) myproxy.get(username, passwd, myProxyLifetime.intValue()); … getOutputByName("credentialobject").setOutputObject(cred); getOutputByName("credentialstring"). setOutputObject(cred.toString()); }

GEON meeting - May 22, 2006 Workflow system Server operations are customizable and expandable. Uses a workflow system that can execute arbitrary sequences of tasks for any operation, such as “login.” –GAMA 1 login does one thing: tries to retrieve a credential from MyProxy. –GAMA 2 login could do a sequence of things: retrieve credential from MyProxy, open an SRB socket connection, write a message to a logfile, etc.

GEON meeting - May 22, 2006 Workflow system - MyProxyAuthNSequence.xml GAMA's default MyProxy authentication sequence authenticate true false edu.sdsc.gama.server.services.task.auth. authn.MyProxyAuthNTask 0 simple MyProxy authentication with username and password false true

GEON meeting - May 22, 2006 Workflow system - NewUserSetupSequence.xml GAMA's default CACL and MyProxy new user sequence … edu.sdsc.gama.server.services.task.ca.newuser. CACLNewUserTask Create a new user in CACL true false true edu.sdsc.gama.server.services.task.myproxy.newuser. MyProxyLoadCredentialsFromCATask Load a user's credentials from CA into MyProxy true false true

GEON meeting - May 22, 2006 GridSphere PortalGAMA 1 Server Naregi MyProxy CAS Account request portlet (GridSphere) Account admin portlet (GridSphere) Create user Task engine SRB … NewUserSequence Account admin GUI (GridSphere portal) AuthNSequence Login portlet (GridSphere) Login user GEMSTONEKepler Login web service client GAMA 2 Server

GEON meeting - May 22, 2006 Multi-site support GAMA 2 server supports multiple sites, each with its own local site administrator Site admin logs in to GAMA server and manages accounts for just their site; other sites’ users are not visible. Primary GAMA admin can manage all users. GAMA can be configured to perform different sequences of actions for different sites: –Site A -> login sequence A –Site B -> login sequence B

GEON meeting - May 22, 2006 Cluster account management GAMA knows about resources such as clusters –A resource belongs to a site Site admin can specify access permissions for each user on each resource in their site Resources can poll GAMA server for list of valid users, and manage individual user accounts and/or grid-mapfile entries accordingly. Provides a critical step in cluster management: Rocks for OS/software install, GAMA for users

GEON meeting - May 22, 2006 GAMA 2 web services Provide a simple API that duplicates GAMA 1 API: authenticateUser() authorizeUser() requestNewUser() … Plus new methods for site/resource management: createSite() addNewResource() getResourceUsers() addUserToResource() …

GEON meeting - May 22, 2006 GAMA 2 web services All web services take as inputs a set of key-value pairs, and produce as outputs another set of key- value pairs Allows flexibility for task/sequence writers, at the expense of explicitness: String authenticateUser(String username, String password, String lifetime) {…} vs. HashMap authenticateUser(HashMap inputs) {…}

GEON meeting - May 22, 2006 GAMA server admin GUI demo

GEON meeting - May 22, 2006 GAMA 2.0: Steps to completion Finish tying in web service interface to task engine Complete the administrative GUI –Group management –Task and sequence management Refactor account request and login portlets Provide client tools for cluster user management Construct server Rocks roll with Naregi, MyProxy and GAMA

GEON meeting - May 22, 2006 GAMA: the future Explore authentication technologies –CAS still useful? –Shibboleth / GridShib –etc. More complete end-to-end user management: –grid-mapfile updates on end resources, for instance Synchronization / cooperation between multiple GAMA servers across VOs

GEON meeting - May 22, 2006 References GAMA: GridSphere: CACL: Naregi CA: MyProxy: CAS: GEON project: Telescience project: NBCR:

GEON meeting - May 22, 2006 Credits SDSC/GEON: Kurt Mueller, Sandeep Chandra, Karan Bhatia UCSD/NCMIR: Abel Lin, Khim Ung, Lu Dai UCSD/BIRN: Jason Novotny, Ramil Manansala, Jana Nguyen