Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 Open Grid Forum Production Grid Infrastructure WG PGI Reference Model Towards an infrastructure interoperability reference model Morris Riedel (FZJ.

Similar presentations


Presentation on theme: "© 2008 Open Grid Forum Production Grid Infrastructure WG PGI Reference Model Towards an infrastructure interoperability reference model Morris Riedel (FZJ."— Presentation transcript:

1 © 2008 Open Grid Forum Production Grid Infrastructure WG PGI Reference Model Towards an infrastructure interoperability reference model Morris Riedel (FZJ – Jülich Supercomputing Centre & DEISA) PGI Co-Chair …and many others…

2 © 2008 Open Grid Forum 2 OGF IPR Policies Apply “ I acknowledge that participation in this meeting is subject to the OGF Intellectual Property Policy. ” Intellectual Property Notices Note Well: All statements related to the activities of the OGF and addressed to the OGF are subject to all provisions of Appendix B of GFD-C.1, which grants to the OGF and its participants certain licenses and rights in such statements. Such statements include verbal statements in OGF meetings, as well as written and electronic communications made at any time or place, which are addressed to: the OGF plenary session, any OGF working group or portion thereof, the OGF Board of Directors, the GFSG, or any member thereof on behalf of the OGF, the ADCOM, or any member thereof on behalf of the ADCOM, any OGF mailing list, including any group list, or any other list functioning under OGF auspices, the OGF Editor or the document authoring and review process Statements made outside of a OGF meeting, mailing list or other function, that are clearly not intended to be input to an OGF activity, group or function, are not subject to these provisions. Excerpt from Appendix B of GFD-C.1: ” Where the OGF knows of rights, or claimed rights, the OGF secretariat shall attempt to obtain from the claimant of such rights, a written assurance that upon approval by the GFSG of the relevant OGF document(s), any party will be able to obtain the right to implement, use and distribute the technology or works when implementing, using or distributing technology based upon the specific specification(s) under openly specified, reasonable, non- discriminatory terms. The working group or research group proposing the use of the technology with respect to which the proprietary rights are claimed may assist the OGF secretariat in this effort. The results of this procedure shall not affect advancement of document, except that the GFSG may defer approval where a delay may facilitate the obtaining of such assurances. The results will, however, be recorded by the OGF Secretariat, and made available. The GFSG may also direct that a summary of the results be included in any GFD published containing the specification. ” OGF Intellectual Property Policies are adapted from the IETF Intellectual Property Policies that support the Internet Standards Process.

3 © 2008 Open Grid Forum 3 Outline

4 © 2008 Open Grid Forum 4 Outline Scope Interoperability Reference Model Overview Missing Links & Refinements PGI Security Considerations PGI Information Considerations PGI Job Considerations PGI Data Considerations Summary References Acknowledgements

5 © 2008 Open Grid Forum 5 Scope

6 © 2008 Open Grid Forum Indianapolis, Indiana, 11th Dec. 2008 – Morris Riedel et al. OGSA Standards [7] Foster et al., ‘The Open Grid Services Architecture‘ Job description language standards Self-management standards Co-allocation standards Job submission interface & protocol standards Service level agreements standard Storage access & data transfer standards Information semantics standards Security setup standards Standard N+1 Standard N+2Standard N+3 Standard N+4Standard N+5Standard N+6Standard N+7

7 © 2008 Open Grid Forum Indianapolis, Indiana, 11th Dec. 2008 – Morris Riedel et al. GIN Production Experience Job description language standards Self-management standards Co-allocation standards Job submission interface & protocol standards Service level agreements standard Storage access & data transfer standards Information semantics standards Security setup standards Standard N+1 Standard N+2Standard N+3 Standard N+4Standard N+5Standard N+6Standard N+7 [8] Riedel et al., ‘Interoperation of World-Wide Production e-Science Infrastructures ‘

8 © 2008 Open Grid Forum Indianapolis, Indiana, 11th Dec. 2008 – Morris Riedel et al. PGI Approach (1) [5] Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures‘ Job description language standards Job submission interface & protocol standards Storage access & data transfer standards Information semantics standards Security setup standards Work on the missing links between currently deployed and matured open standards Different job description languages Different job submission interfaces & protocols Different security setups Different information semantics Different Data Transfer Techniques Different Storage Access Techniques Challenges

9 © 2008 Open Grid Forum Indianapolis, Indiana, 11th Dec. 2008 – Morris Riedel et al. PGI Approach (2) Job description language standards Job submission interface & protocol standards Storage access & data transfer standards Information semantics standards Security setup standards Work on the missing links between currently deployed and matured open standards Different job description languages Different job submission interfaces & protocols Different security setups Different information semantics Different Data Transfer Techniques Different Storage Access Techniques Challenges Solved [5] Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures‘

10 © 2008 Open Grid Forum 10 Scope Identified Basic Use Case Only matured specifications Specification adoption exist in production middleware systems Experience exists in production infrastructures Interoperability tests have been performed Real scientific use cases require these standards Refinements necessary and not complete spec. re-definitions  ‘Low hanging fruits’

11 © 2008 Open Grid Forum Indianapolis, Indiana, 11th Dec. 2008 – Morris Riedel et al. Compare History of Computer Science Production Grid Infrastructure Standard Extensible Markup Language (XML) Internet 4 Layer Model Open Grid Services Architecture (OGSA) Standardized Generalized Markup Language (SGML) ISO / OSI 7 Layer Model de-facto used version trimmed-down version aka OGSA – Economy OGSA – light OGSA  OXA (like [SG]ML  [X]ML)

12 © 2008 Open Grid Forum 12 Reference Model Overview

13 © 2008 Open Grid Forum 13 Reference Model Overview

14 © 2008 Open Grid Forum 14 Plumbings Idea Plumbings can be used to put different ‚elements‘ through E.g. warm water (full X.509 certificates) vs. Cold water (X.509 proxies) Many plumbings can be installed in parallel – while not crossing the other plumbings E.g. modern container concepts allow easily addition of n handler that can take care of the elements by n plumbings Different plumbings can use the same source and can be sink into the same achievement/functionality E.g. Attribute-based VOMS system vs. SAML-based VOMS system Both based on same VO DBs but convey attributes differently However, authZ decision based on these attributes can be again usable for both approaches (e.g. one XACML policy file) Plumbings may be removed over time while new plumbings are already deployed in infrastructures

15 © 2008 Open Grid Forum 15 Missing Links & Refinements

16 © 2008 Open Grid Forum 16 Missing Links & Refinements

17 © 2008 Open Grid Forum 17 PGI Security Considerations

18 © 2008 Open Grid Forum 18 Security is orthogonal to layers [4] Morris Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures, Proceedings of Korea e-Science AH Meeting 2008, 2009

19 © 2008 Open Grid Forum 19 Orthogonal Security: Plumbings

20 © 2008 Open Grid Forum 20 Plumbing II - Authentication

21 © 2008 Open Grid Forum 21 Plumbing III - Authorization

22 © 2008 Open Grid Forum 22 Still work to do… Big picture in (many) GIN production Grids & efforts SOAP Message 22 SOAP Header SOAP Body IETF TLS Proxy Extensions for attributes and restrictions VO Support attributes SAML Assertion Contraints element Attribute Statement element OASIS WS-Security Extension Delegation of Rights restictions/constraints OGF BESOGF JSDL + Ext.

23 © 2008 Open Grid Forum 23 Missing Links & Tunings

24 © 2008 Open Grid Forum 24 SAML Assertion Example Using SAML Assertions to convey attributes of users … CN=Morris Riedel,OU=ZAM,OU=Forschungszentrum JuelichGmbH,O=GridGermany,C=DE /deisa/group-interop …

25 © 2008 Open Grid Forum 25 Missing Links & Refinement n SAML Assertions in SOAP Messages (WS-Security) … (n times)... Define structure and common semantics of attributes Attributes states the position of a user in a VO (e.g. role, group,…) E.g. Approach /VONAME/GROUPNAME E.g. Approach /VONAME=XYZ/GENERALCAPABILITY=XYZ…

26 © 2008 Open Grid Forum 26 Restricted Delegation Proxies & SAML Assertions are used in production Grids But most Grid and e-science infrastructures operate on a security paradigm of ‘full impersonification delegation of rights’ “If I delegate someone to buy me a toaster he is actually allowed to buy me a car – there are no restrictions what exactly to do” ‘Proxies are not bad’  standard But the way proxies are used on the infrastructures is “bad” Restrictions within proxies can be added into proxy extensions ‘SAML assertions are not bad’  standard SAML assertions have same drawback when no constraints are provided Restrictions within SAML assertions can be coded in SAML assertions contraints parts Proxy SAML Assertion extension with restrictions contraints element

27 © 2008 Open Grid Forum 27 PGI Information Considerations

28 © 2008 Open Grid Forum 28 PGI Information Considerations Plumbing using GLUE2 Largely using GLUE2 on multiple levels Using GLUE2 in conjunction with OGSA-BES endpoints Another plumbing using OGF Secure Addressing If and only if you are using Endpoint References (EPRs) The way to tell how this endpoint is contacted using the right set of security plumbings Henn and egg problem Where do I get the initial information? EPR of information system to query for information may already require a correct security setup Approach of Website providing the EPR information

29 © 2008 Open Grid Forum 29 PGI Job Considerations

30 © 2008 Open Grid Forum 30 PGI Job Considerations Basic specifications OGSA – Basic Execution Service (BES) Implied Job Submission Description Language (JSDL) Modified operations in BES Some operation have to be added Statemodel refinements  ready vs. finished states?! JSDL refinements/additions What is mandatory – what is optional? Additions such as network topology of large-scale systems Re-specify which subset of JSDL elements make sense for production use Having one JSDL for production Grids instead of numerous extensions that lead to non-interoperable systems again What security plumbings? Plumbing II X.509 (or proxies) Other plumbings? Yes  Attribute-based AuthZ, TLS with username/passwd is not enough! More complicated!

31 © 2008 Open Grid Forum 31 Get Attributes for job submit To be defined using the two plumbings Virtual Organization Membership Service (VOMS) Acts as an attribute authority releasing signed attributes (Shibboleth is also an attribute authority that might be used) Attributes state the position of a user in a VO (role, group, etc.)

32 © 2008 Open Grid Forum 32 Agree on attributes (&semantics) Big picture in (many) GIN production Grids & efforts SOAP Message 32 SOAP Header SOAP Body IETF TLS Proxy Extensions for attributes and restrictions VO Support attributes SAML Assertion Contraints element Attribute Statement element OASIS WS-Security Extension Delegation of Rights restictions/constraints OGF BESOGF JSDL + Ext.

33 © 2008 Open Grid Forum 33 Context Comp. Activities Base: Computational activities using OGSA-BES & JSDL Secure cross-Grid job submission using open standards for authentication and attribute-based authorization IETF X.509 Certificates OGF Open Grid Services Architecture (OGSA) Basic Execution Services (BES) & Job Submission Description Language (JSDL) OASIS Security Assertion Markup Language (SAML) [3] Morris Riedel et al., ‘Interoperation of World-Wide Production e-Science Infrastructures, Concurrency and Computation: Practice and Experience, OGF Special Issue, 2008

34 © 2008 Open Grid Forum 34 PGI Data Considerations

35 © 2008 Open Grid Forum 35 PGI Data Considerations WS-DAIS Refinements We learned a lot of OGSA-DAI that was once a reference implementation of WS-DAI Refinements necessary that are scalable for production use How can be WS-DAI requests used in data staging via OGSA- BES? Storage Resource Manager (SRM) Many SRM implementations already exist They are basically interoperable However, a subset of SRM is not interoperable Nail down which operations work and which operations can be omitted How can be SRM requests (or movements like copyto) used via OGSA-BES data stagings?

36 © 2008 Open Grid Forum 36 Summary

37 © 2008 Open Grid Forum Jahresabschluss-Kolloquium, FZJ, 18th Dec. 2008 – Morris Riedel et al. Summary More and more e-science projects require Grid interoperability Many approaches exist – only production-aware standards help Production Grid Infrastructure Standardization Process OGSA exists, but… Hard to maintain, nearly half of all specs defined, missing links,… Comparison with history of computer science Cp. XML & SGML, Internet model vs. ISO / OSI model Bottom-up (from production) instead of top-down architecture Reference model obtained from real scientific use cases Interoperability reference model (or aka profiles) make sense Scientific use cases proof feasibility of initial reference model Can be a milestone towards full OGSA-conformance roadmaps

38 © 2008 Open Grid Forum 38 Mapping Notes

39 © 2008 Open Grid Forum 39 Mapping Notes

40 © 2008 Open Grid Forum 40 Additional Mapping Notes TBD

41 © 2008 Open Grid Forum 41 References

42 © 2008 Open Grid Forum 42 References Hinleitung zum reference model…

43 © 2008 Open Grid Forum 43 Acknowledgements

44 © 2008 Open Grid Forum Morris: Acknowledgements Morris Travel and Participation in OGF is funded by… Distributed European Infrastructure for Supercomputing Applications (DEISA) DEISA2 is funded by the European Commission in FP7 under grant agreement RI-222919 Jülich Supercomputing Centre (JSC) of Forschungszentrum Jülich (FZJ) in the HELMHOLTZ association

45 © 2008 Open Grid Forum 45 Full Copyright Notice Copyright (C) Open Grid Forum (2009). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. The limited permissions granted above are perpetual and will not be revoked by the OGF or its successors or assignees.


Download ppt "© 2008 Open Grid Forum Production Grid Infrastructure WG PGI Reference Model Towards an infrastructure interoperability reference model Morris Riedel (FZJ."

Similar presentations


Ads by Google