EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks R-GMA Now With Added Authorization Steve.

Slides:

Advertisements

Similar presentations

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.

Advertisements

INFSO-RI Enabling Grids for E-sciencE Information and Monitoring Status and Plans GridPP18, Glasgow, Mar 2007.

INFSO-RI Enabling Grids for E-sciencE Building a robust distributed system: some lessons from R-GMA CHEP-07, Victoria,

INFSO-RI Enabling Grids for E-sciencE Information and Monitoring Status and Plans GridPP16, QMUL, 29 Jun 2006 Steve.

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification.

ISOM Distributed Databases Arijit Sengupta. ISOM Learning Objectives Understand the concept and necessity of distributed databases Understand the types.

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification.

Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.

Database Systems More SQL Database Design -- More SQL1.

Distributed Databases

Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Introduction to R-GMA: Relational Grid Monitoring Architecture.

CSE314 Database Systems More SQL: Complex Queries, Triggers, Views, and Schema Modification Doç. Dr. Mehmet Göktürk src: Elmasri & Navanthe 6E Pearson.

Introduction on R-GMA Shi Jingyan Computing Center IHEP.

DBSQL 14-1 Copyright © Genetic Computer School 2009 Chapter 14 Microsoft SQL Server.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Information System (IS) Valeria Ardizzone.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Information System on gLite middleware Vincent.

Application code Registry 1 Alignment of R-GMA with developments in the Open Grid Services Architecture (OGSA) is advancing. The existing Servlets and.

EGEE is a project funded by the European Union under contract IST Outstanding design issues Stephen Hicks 23/06/04

Registry Replication Registry calls are forwarded by a registry Service to a single registry instance (i.e. replica) per VDB. If a replica cannot be contacted.

WP3 Information and Monitoring Steve Fisher / RAL 23/9/2003.

An information and monitoring system for static and dynamic information about grid resources, applications, networks … RDBMS Servlet aware of API during.

WP3 Authorization and R-GMA Linda Cornwall WP3 workshop 2-4 April 2003.

EGEE is a project funded by the European Union under contract IST R-GMA: Production Services for Information and Monitoring in the Grid John.

EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.

INFSO-RI Enabling Grids for E-sciencE Information and Monitoring Status and Plans Plzeň, 10 July 2006 Steve Fisher/RAL.

WP3 RGMA Deployment Laurence Field / RAL Steve Fisher / RAL.

INFSO-RI Enabling Grids for E-sciencE

E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA gLite Information System Pedro Rausch IF.

Website: Answering Continuous Queries Using Views Over Data Streams Alasdair J G Gray Werner.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Implementation and performance analysis of.

A Data Stream Publish/Subscribe Architecture with Self-adapting Queries Alasdair J G Gray and Werner Nutt School of Mathematical and Computer Sciences,

INFSO-RI Enabling Grids for E-sciencE Building a robust distributed system: some lessons from R-GMA WLCG Service Reliability.

Constraints Lesson 8. Skills Matrix Constraints Domain Integrity: A domain refers to a column in a table. Domain integrity includes data types, rules,

INFSO-RI Enabling Grids for E-sciencE ARDA Experiment Dashboard Ricardo Rocha (ARDA – CERN) on behalf of the Dashboard Team.

Chapter 5 : Integrity And Security  Domain Constraints  Referential Integrity  Security  Triggers  Authorization  Authorization in SQL  Views 

Enabling Grids for E-sciencE EGEE-II INFSO-RI Medical Data Manager 1 Dicom retrieval : overview of the DPM One command line to retrieve a file:

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks APEL CPU Accounting in the EGEE/WLCG infrastructure.

INFSO-RI Enabling Grids for E-sciencE Information System Valeria Ardizzone INFN EGEE NA4 Generic Applications Meeting Catania,

EGEE is a project funded by the European Union under contract IST Information and Monitoring Services within a Grid R-GMA (Relational Grid.

FESR Trinacria Grid Virtual Laboratory Relational Grid Monitoring Architecture (R-GMA) Valeria Ardizzone INFN Catania Tutorial per Insegnanti.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks InGRID: A Generic Autonomous Expert System.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite configuration (plans) Robert Harakaly.

INFSO-RI Enabling Grids for E-sciencE R-GMA Gergely Sipos and Péter Kacsuk MTA SZTAKI Credit to Valeria Ardizzone.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Practical using R-GMA.

INFSO-RI Enabling Grids for E-sciencE gLite Information System: R-GMA Tony Calanducci INFN Catania gLite tutorial at the EGEE User.

CERN 21 January 2005Piotr Nyczyk, CERN1 R-GMA Basics and key concepts Monitoring framework for computing Grids – developed by EGEE-JRA1-UK, currently used.

EGEE is a project funded by the European Union under contract IST R-GMA Security Stephen Hicks UK Cluster Security Middleware Security Group.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Introduction to R-GMA: Relational Grid Monitoring Architecture.

INFSO-RI Enabling Grids for E-sciencE Information and Monitoring Status and Plans GridPP-DB, IC London, 12 July, 2007.

The Mediator: What Next? Talk by: Andy Cooke Collaborators: Alasdair Gray, Lisha Ma, and Werner Nutt Heriot-Watt University.

Relational Grid Monitoring Architecture (R-GMA)

More SQL: Complex Queries, Triggers, Views, and Schema Modification

Practical Database Design and Tuning

More SQL: Complex Queries,

Grid Event Management Using R-GMA Monitoring Framework

Information System Valeria Ardizzone INFN

Hands-on on R-GMA Tony Calanducci INFN Catania

Prepared by : Moshira M. Ali CS490 Coordinator Arab Open University

gLite Information System(s)

R-GMA as an example of a generic framework for information exchange

Practicals on R-GMA Valeria Ardizzone INFN

gLite Information System(s)

More SQL: Complex Queries, Triggers, Views, and Schema Modification

R-GMA (Relational Grid Monitoring Architecture) for monitoring applications “s” gLite and LCG.

Information and Monitoring System

RELATIONAL GRID MONITORING ARCHITECHTURE

Canonical Producer CP API CP Servlet User Code Files

Presentation transcript:

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks R-GMA Now With Added Authorization Steve Fisher on behalf of the R-GMA team 3 rd EGEE Users Forum Le Polydôme, Clermont-Ferrand, France

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 2 What it is New Design –Engineered for robustness and scalability New Features –Orthogonality of producer type and of storage mechanism –Fine grained authorization –Multiple virtual databases Status Summary Overview

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 3 R-GMA – what it is R-GMA is a distributed system for information and monitoring (following OGF’s GMA) Users define their own data structures along with the fine grained authorization rules specifying who can write and read the data Users publish data via a producer API without knowledge of potential consumers A consumer API is used to retrieve the permitted view of information published by the producers Producer Registry & Schema Consumer Register/ Locate Register/ Locate Query Data

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 4 New Design New design was motivated by: –Problems seen in production –Need to add new features

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 5 New Design: Real SPs Primary – source of data Secondary – republish data –Co-locate information to speed up queries –Reduce network traffic SP is no longer constructed from a PP and multiple consumers but is a self-contained service – so now much more efficient Local calls on a MON box do not go through https returning XML then parsing it PP SP PP – Primary Producer SP – Secondary Producer

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 6 New Design: Managing Memory Usage May share servlet container (Tomcat) with other servlets JVM may be badly configured Use JDK 5’s MXBeans to detect the low memory condition –Solution should be portable across JVMs When memory is low an RGMABusyException is returned for user calls that may take extra memory –Inserting data into the system –Creating new producer or consumer resources

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 7 New Design: Control Messages For a producer a register message returns the consumers of interest and vice versa. Registration messages are re- sent periodically Reliance on the delivery of individual control messages has been removed Messages to other servers are wrapped in a task handled by our new Task Manager New messages supersede old ones –No build-up of queues Autonomy of services

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 8 New Design: Schema and Registry Replication Schema –Each server has full schema information –There is a master schema and all updates are first done on the master –Failure of the master would prevent schema updates but would have no impact upon producers or consumers Registry –We anticipate 2 or 3 registry instances –Server chooses registry instance to use based on response time –Server makes a new choice if existing instance does not respond

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 9 New Features Orthogonality of producer type and of storage mechanism Fine grained authorization Multiple virtual databases

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 10 New Features: Orthogonality of producer type and of storage mechanism Previously: –Memory  Continuous –Database  Latest or History Now: –Memory  Any combination of Continuous Latest and History –Database  Any combination of Continuous Latest and History

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 11 New Features: Fine Grained Authorization Users can define their own fine grained authorization rules specifying who can write and read the data in each table element Rules stored in the schema – and can only be modified by the person creating and therefore owning the table Authorization is done using SQL views of tables constructed dynamically from: –User defined rules –VOMS attributes

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 12 New Features: Fine Grained Authorization Rules are added to grant access only (not to deny it) and they are cumulative - default is no access Rules have the form “predicate : credentials : action” –The predicate defines the subset of rows of the table or view to which this rule grants access –The credentials define the set of credentials required for a user to be granted access to the subset of rows defined by this rule –The action defines what any matching user is allowed to do to the subset of rows defined by this rule (R, W or RW) –For example:  ::RW grants full access to any authenticated user, to all rows in the specified table

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 13 Authorization Rules - Predicate Predicate is an SQL WHERE clause comparing the values in specified columns with constants, other columns or credential parameters (credential name in square brackets, such as [DN]) that are replaced by the corresponding credentials from the user’s certificate This clause may be empty, in which case the rule applies to all rows in the table For example: –WHERE Owner = [DN] Selects rows where the “Owner” column matches the DN on the certificate

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 14 Authorization Rules - Credentials Credentials is a boolean combination of equality constraints of the form [credential] = constant May be empty, in which case the rule applies to all authenticated users For example: –[GROUP] = ’Marketing’ OR [GROUP] = ’Management’ states to which VOMS groups the rule applies

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 15 Authorization Examples WHERE Section = ’Marketing’:[GROUP] = ’Marketing’ OR [GROUP] = ’Management’:RW Grants read-write access to any authenticated user with a GROUP credential of ’Marketing’ or ’Management’, to those rows that contain the value ’Marketing’ in the ’Section’ column WHERE Owner = [DN]::R Grants read-only access to any authenticated user, to those rows that contain the value of their DN credential in the ’Owner’ column WHERE Group = [GROUP] OR Public = ’true’::R Grants read-only access to any authenticated user, to those rows that contains one of their GROUP credential values in the ’Group’ column, or have a value of ’true’ in the ’Public’ column ::R Grants read-only access to any authenticated user, to all rows in the table

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 16 New Features: Virtual Databases One R-GMA schema for the whole world is not scalable Introduce VDB as a namespace mechanism We expect that a VO will define one or more VDBs –Will phase out the “default” VDB Each VDB will have: –Several registry replicas –A schema replica at each site supporting that VDB –One schema defined as the master schema for each VDB

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 17 Publishing to Multiple VDBs When data are inserted into a producer, the data are published into a specific VDB It is possible for a producer service to publish to more than one VDB Virtual Database 1 declare VDB2.T1 Producer Registry Schema declare VDB1.T2 Producer declare VDB1.T1 declare VDB2.T1 declare VDB2.T3 Virtual Database 2 Registry Schema

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 18 Querying Multiple VDBs Queries may be evaluated over several VDBs Normal SQL syntax of a database prefix before the table name is used to specify the VDB SQL joins across tables in multiple VDBs are supported A special union syntax has been defined: "SELECT * FROM {VDB1,VDB2}.T" to indicate that the query should be evaluated over the union of the tuples from table T in VDB1 and VDB2 –It requires that the tables T from the two VDBs are identical from {VDB1,VDB2}.T1 Virtual Database 1 Registry Schema Virtual Database 2 Registry Schema find producers for T1 Consumer find producers for T1

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 19 Status All components written and a lot of testing has already been done More testing being done Expected to be offered to certification around end of the month This will give us a highly reliable, functional and scalable R-GMA

Enabling Grids for E-sciencE EGEE-II INFSO-RI R-GMA: Now with added authorization 20 Summary From the existing deployment we learned: –Firewalls do get reconfigured –Users do the most unexpected things New design: –We have tried to think of everything that can go wrong –Made the system self correcting and avoided critical messages –Have introduced the task manager –Have provided schema and registry replication New Features: –Multiple virtual databases (VDBs) to partition the data –Users can define their own fine grained authorization With thanks to: