1. EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Overview of gLite grid middleware Gergely Sipos MTA SZTAKI sipos@sztaki.hu

2. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 2 Outline Basic features of gLite middleware gLite services Security in gLite External services

3. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 3 Grid vision GRIDMIDDLEWAREGRIDMIDDLEWARE Visualising Workstation Mobile Access Supercomputer, PC-Cluster Data-storage, Sensors, Experiments Internet, networks

4. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 4 Problems to solve Standardised access to resources –Computers –Storages –Special equipments –Software services Access policy Load balancing Monitoring resources and services Monitoring applications Fault management Programming contepts, level of abstraction User interfaces...

5. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 5 EGEE grid, gLite middleware gLite middleware services EGEE is establishing a production grid infrastructure with gLite middleware Application specific grid services

6. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 6 INTERNET gLite middleware runs on each shared resource to provide –Data services –Computation services –Security service Resources and users form Virtual organisations: basis for collaboration Distributed services (both people and middleware) enable the grid VO concept

7. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 7 Grid Middleware When using a PC or workstation you –Login with a username and password (“Authentication”) –Use rights given to you (“Authorisation”) –Run jobs –Manage files: create them, read/write, list directories Components are linked by a bus Operating system One admin. domain When using a Grid you –Login with digital credentials – single sign- on (“Authentication”) –Use rights given you (“Authorisation”) –Run jobs –Manage files: create them, read/write, list directories Services are linked by the Internet Middleware Many admin. domains

8. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 8 EGEE Middleware: gLite gLite 3.0, gLite 3.1 ⇨ M erger of LCG 2.7 and gLite 1.5  Scientific Linux v3 and v4  Ongoing efforts to port to other OS –Exploit experience and existing components from VDT (Condor, Globus), EDG/LCG, and others –Develop a lightweight stack of generic middleware useful to EGEE applications (HEP and Biomedics are pilot applications). –Focus is on providing a stable and basic infrastructure LCG-2 prototyping product 2004 2005 product gLite 2006 gLite 3.0

9. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 9 Basic services of gLite Computing Element Storage Element Site X Information System Submit job query Retrieve output Resource Broker User Interface publish state File and Replica Catalog Authorization Service (VO Management Service) query create proxy process Retrieve status & output Logging and bookkeeping Job status Logging

10. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 10 What is happening now? Real Time Monitor –Java tool –Displays jobs running (submitted through RBs) –Shows jobs moving around world map in real time, along with changes in status http://gridportal.hep.ph.ic.ac.uk/rtm/ (snapshot 16 January 2007)

11. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 11 User Interface (UI) User Interface (UI): The place where users logon to the Grid Computing Element (CE) Computing Element (CE): A batch queue on a site’s computers where the user’s job is executed Storage Element (SE) Storage Element (SE): provides (large-scale) storage for files Resource Broker (RB) (Workload Management System (WMS) Resource Broker (RB) (Workload Management System (WMS): Matches the user requirements with the available resources on the Grid Main components Information System Information System: Characteristics and status of CE and SE File and replica catalog File and replica catalog: Location of grid files and grid file replicas Logging and Bookkeeping (LB) Logging and Bookkeeping (LB): Log information of jobs

12. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 12 User Interface (UI) User Interface (UI): The place where users logon to the Grid Computing Element (CE) Computing Element (CE): A batch queue on a site’s computers where the user’s job is executed Storage Element (SE) Storage Element (SE): provides (large-scale) storage for files Resource Broker (RB) (Workload Management System (WMS) Resource Broker (RB) (Workload Management System (WMS): Matches the user requirements with the available resources on the Grid Main components Information System Information System: Characteristics and status of CE and SE File and replica catalog File and replica catalog: Location of grid files and grid file replicas Logging and Bookkeeping (LB) Logging and Bookkeeping (LB): Log information of jobs All built upon authorisation, authentication, security

13. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 13 gLite User Interface (UI) Server where the user has a login gLite client programs are installed –Command line clients –Programming APIs Typical UI scenario (UI is central for the VO) –Upload program to UI with SCP –Login to UI with SSH –Compile code –Write job description (JDL file) –Create proxy certificate –Submit job –Check job status, download result from grid to UI when DONE –Download result from UI with SCP Typically high level environments hide gLite UI. –P-GRADE Portal –GANGA –GridWay –…

14. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 14 Resource Broker Official name: Workload Management System Key service in gLite Accepts Job Description Language files from User Interface, execute jobs on Computing Resources Detailed lecture later…

15. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 15 the user or a service (e.g. broker) can query – the top level BDII (usual mode) – BDII servers on each site Information system (IS) Site BDII Top BDII Information Provider

16. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 16 Information system (IS) BDII server –LDAP server – Structures data as a tree – Tree model is defined by GLUE schema – Optimized for frequent queries Interacting with information system – Programming API – Command line tools (on UI)  lcg-infosites: simple, meets most needs  lcg-info: supports more complex queries – Portals (e.g. P-GRADE Portal)

17. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 17 Example – CE query $ lcg-infosites --vo alice ce #CPU | Free | Total Jobs | Running | Waiting | ComputingElement --------------------------------------------------------------------------------------- 14 0 0 0 0 ce002.ipp.acad.bg:2119/jobmanager-lcgpbs-alice 15 4 0 0 0 ce001.ipp.acad.bg:2119/blah-pbs-alice 80 8 0 0 0 ce02.grid.acad.bg:2119/jobmanager-pbs-alice 10 10 0 0 0 ce.hpc.iit.bme.hu:2119/blah-pbs-alice 96 94 0 0 0 grid109.kfki.hu:2119/jobmanager-lcgpbs-alice 3409 6 493 493 0 ce101.cern.ch:2119/jobmanager-lcglsf-grid_alice 3409 6 493 493 0 ce102.cern.ch:2119/jobmanager-lcglsf-grid_alice 3409 6 493 493 0 ce105.cern.ch:2119/jobmanager-lcglsf-grid_alice [...]

18. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 18 Example – SE query $ lcg-infosites --vo atlas se Avail Space(Kb) Used Type SEs Space(Kb) ------------------------------------------------------------------------------------------------ 39657488106362948n.a se.phy.bg.ac.yu 31400000 18580000 n.a se1.egee.man.poznan.pl 569586792 47148288 n.a clrauvergridse01.in2p3.fr 1200000000 410000000 n.a koala.unimelb.edu.au 22903032 42994124 n.a se-lcg.sdg.ac.cn 457865076 663121389 n.a atlasse01.ihep.ac.cn 29593756 80561288 n.a se001.grid.bas.bg 931135488 41943040 n.a se001.ipp.acad.bg [...]

19. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 19 File and replica catalog (LFC) Users and their jobs refer to files by logical file name –lfn:/grid/gilda/sipos/matrix_computation/input1 File catalog is used to map logical file name to physical file name(s) –sfn://grid005.iucc.ac.il/storage/gilda/generated/2007-06- 23/fileb233d43f-5bc6-4ede-a5fe-611d48be2ba5 LFC is a central database in the VO

20. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 20 Logging and bookkeeping (LB) Job history stored here –When, what, where Detailed information, not only a job status value LB is a central database in the VO Will not be used during the course –Command line tools to query LB

21. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 21 Computing Element (CE) A “core” grid services –One installation at every grid site Expose computational facility - CPU Typically installed on a cluster Worker nodes Local Resource Management System: Condor / PBS / LSF master Computing element server Job request Info system Logging Information system Logging and Bookkeeping Proxy

22. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 22 Storage Element (SE) A “core” grid services –One installation at every grid site Expose storage facility – Hard disk / tape Storage Element File request Disk Authentication, authorization Tape protocol protocols server resources Proxy

23. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 23 Who provides the resources?! ServiceProviderNote User interface User / institute / VOComputer with client SW Resource Broker (WMS) VOs - EGEE does not fund RBs Information System Grid operations - EGEE funded effort File and replica catalog VOs - EGEE does not fund catalogs Logging and Bookkeeping VOs - EGEE does not fund LB servers Computing Element (CE) VOs - EGEE does not fund CEs VOs provide resources to match average need Storage Element (SE) VOs - EGEE does not fund SEs VOs provide resources to match average need External servicesUser / institute / VOTo extend the capabilities of the core infrastructure

24. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 24 Security Grid Security Infrastructure (GSI) enables VOs gLite security extended GSI Two levels of grid security problems –Network level:  Mutual authentication of endpoints  Encrypted messages  Non repudiation  Integrity (protection against 3 rd party changes) –VO level:  Who can be the member of a VO, who cannot?  What a VO member is allowed to do?  How can a SW (e.g broker) act on your behalf?

25. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 25 Basic concept of GSI Asymmetric encryption… Every networked entity (user/machine/software) is assigned with two keys: one private key and one public key –Private: only owner knows –Public: everybody else knows Communication concept (simplified version): 1.Public keys are exchanged 2.The sender encrypts message using  receiver’s public key and  Sender’s own private key 3.The reciever decrypts using  Receiver’s own private key  Sender’s public key Encrypted text Private Key Public Key Clear text message

26. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 26 PKI in action Encription –Encription with recipient’s public key –Only recipient can decript the message Non-repudiation –Naiv approach: encript message with sender’s private key  Too costly for long messages –Solution:  generate hash of the message  Encript hash with sender’s private key  Attach encripted hash to message  Digital signature –Additional benefit: Integrity (hash is constant) Paul’s keys public private JohnPaul ciao3$rciao3$r message Digital Signature Hash A Digital Signature

27. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 PKI in action – the big picture John message Digital Signature Paul message Digital Signature message Digital Signature Hash A Paul’s keys privatepublic Hash B Hash A = ? John’s keys privatepublic message Mutual authentication and exchanging public keys: SSL protocol

28. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 28 Entity identity Since I’m the only one with access to my private key, you know I signed the data associated with it But, how do you know that you have my correct public key? ?

29. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 29 Your public and private keys Private Key encrypted on local disk: passphrase Cert Request Public Key ID Cert User generates public/private key pair in browser or in files. User sends public key to CA and shows RA proof of identity. CA signature links identity and public key in certificate. CA informs user. CA root certificate Instructions, tutorials (should be) on CA homepages

30. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 30 Your certificate and private key Do not loan your certificate and private key to anyone! –Report to CA if your files were compromised  Certificate revocation list Where to store them? –Store them in your browser –Store them in a file sysytem you trust  Different file formats (PEM, P12, …) –Store them on a USB key –Store them in MyProxy server  Obtain short term certificate just before grid interaction Every Grid which recognizes your CA will trust your certificate CAs recognized by EGEE: http://www.gridpma.orghttp://www.gridpma.org

31. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 31 Grid security at VO level Users (and machines) are identified by certificates. VO Management Service: tool for VO level security Steps –User obtains certificate from Certification Authority –User registers at the VO  usually via a web form –VO manager authorizes the user  VO DB updated –User information is replicated onto VO resources typically within 24 hours CA VO manager Obtaining certificate: Annually VOMS database Grid sites VO Membership Service Joining VO: Once Replicating VOMS DB once a day User’s identity in the Grid = Subject of grid certificate: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/Email=sipos@sztaki.hu List of EGEE VOs: On CIC Operations Portal

32. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 Proxy certificates Delegation - allows remote process and services to authenticate on behalf of the user –Remote process/service “impersonates” the user Achieved by creation of next-level private key–certificate pair from the user’s private key–certificate. –New key-pair is a single file: Proxy credential –Proxy private key is not protected by password –Proxy may be valid for limited operations –Proxy has limited lifetime The client can delegate proxies to services, processes –Each service decides whether it accepts proxies for authentication

33. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 33 Proxy in action Login to the grid: Generate a proxy certificate Command line tools on a User Interface: voms-proxy-init –voms gilda From a portal: See P-GRADE Portal tomorrow Proxy Proxy + VO roles

34. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 34 External services to gLite Where computer science meets the application communities! The tools, services used by the VO’s applications NA4 Recommended External Software Packages for Egee CommuniTies –Current RESPECT tools:  GridWay  P-GRADE Portal –http://egeena4.lal.in2p3.fr/  “Grid software” menu Basic gLite services: CE, SE, info, security Higher-level gLite services (WMS,…) Application toolkits Application Production infrastructure contains these services –Basic services: Must be complete and robust; Should not assume the use of Higher-Level Grid Services –High level services: help the users building their computing infrastructure but should not be mandatory Command line & APIs

35. Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 35 Further information, references EGEE –http://www.eu-egee.org/http://www.eu-egee.org/ gLite middleware –http://www.glite.orghttp://www.glite.org gLite manuals, documentation –http://glite.web.cern.ch/glite/documentation/ (gLite user guide)http://glite.web.cern.ch/glite/documentation/ Recommended External Software Packages for Egee CommuniTies (RESPECT) –http://egeena4.lal.in2p3.fr/http://egeena4.lal.in2p3.fr/