Presentation is loading. Please wait.

Presentation is loading. Please wait.

MetaCentrum – the Czech computational grid Martin Kuba CESNET and Masaryk University Brno, Czech Republic.

Published byAlvin Bridges Modified over 9 years ago

Similar presentations

Presentation on theme: "MetaCentrum – the Czech computational grid Martin Kuba CESNET and Masaryk University Brno, Czech Republic."— Presentation transcript:

1 MetaCentrum – the Czech computational grid Martin Kuba CESNET and Masaryk University Brno, Czech Republic

2 13.9.2010MetaCentrum - the Czech computational grid2 Highlights MetaCentrum is a computing infrastructure pooling resources contributed by several universities, using AFS and Kerberos the mod_auth_kerb module for the Apache http server is maintained by Dan Kouřil of MetaCentrum Kerberos support for Firefox/Mozilla was developed in MetaCentrum

3 13.9.2010MetaCentrum - the Czech computational grid3 History of MetaCentrum MetaCentrum was established in 1996 as a supercomputing meta-center consisting of –Supercomputing Center at Masaryk University in Brno –Supercomputing Center at University of West Bohemia in Plzeň –Supercomputing Center at Charles University in Prague later included –CESNET – operator of the Czech NREN (academic network) –University of South Bohemia in České Budějovice (Budweis) –University of Technology in Brno now connects 15 computer clusters consisting of 290 machines with 1500 CPUs, located in six geographical locations

4 13.9.2010MetaCentrum - the Czech computational grid4 MetaCentrum map

5 13.9.2010MetaCentrum - the Czech computational grid5 MetaCentrum users MetaCentrum is open and free for the Czech academic community users can be scientists or students from –26 public universities –57 institutes of the Czech Academy of Sciences challenges in establishing user identity users run applications for –computational chemistry –structural biology, protein engineering –material and structural simulations –liquid and gas flow simulations –mathematics, number theory –speech recognition and generation

6 13.9.2010MetaCentrum - the Czech computational grid6 Future of MetaCentrum MetaCentrum was involved in the DataGrid, EGEE I,II,III and EGI Design Study projects the coming European Grid Infrastructure (EGI) is organized in National Grid Infrastructures (NGIs) MetaCentrum is now transforming into the Czech NGI, its free resources will be one of many VOs (Virtual Organizations)

7 13.9.2010MetaCentrum - the Czech computational grid7 Infrastructure clusters of linux x86-compatible machines –strongest machines have 8x quadcore Opteron (32 cores), 256GB user accounts are maintained by own system Perun –Oracle database holding users, machines, accounts, etc. –master-slave architecture, generating local config files on changes several file systems (local,NFSv3,NFSv4,AFS) single sign-on using Kerberos –first access using Kerberos PAM module –Kerberized ssh, telnet, ftp, rsh (MPI needs) workload management system PBSPro, moving to Torque –Kerberized, own ticket renewal system for long running jobs web portal, supports Kerberos, SSL certs, Shibboleth,...

8 13.9.2010MetaCentrum - the Czech computational grid8 File systems several file systems for various needs –fast, but small and not shared – local HDD or SSD –large and shared, but slower - NFSv4 on all machines (100TB) –home directories shared by NFSv3 on local clusters –software installed on AFS with multiple read-only copies –experiments with Lustre for shared network scratch for shared FS we need Kerberos authN (not trusting admins of clients), thus NFSv4 or AFS both can be installed on user workstations from standard SUSE/Debian/Ubuntu repositories AFS is slow compared to NFSv4 both support ACL, AFS only directories, NFSv4 also files AFS supports multiple read-only copies

9 13.9.2010MetaCentrum - the Czech computational grid9 User authentication users can come from many of institutions ways of establishing user identity on web portal –paper application with boss’ signature (slow and too much work) –SSL client certificates (complicated, needs visit to RA) –eduroam (Wi-Fi federation) –access to local ID system (WebAuth, LDAP, Kerberos) –SAML (Shibboleth) identity federation eduId.cz after establishing identity, MetaCentrum account is created, annual renewal in exchange for report of activities authN to MetaCentrum machines –Kerberos –username/password translated to Kerberos –One Time Passwords translated to Kerberos

10 13.9.2010MetaCentrum - the Czech computational grid10 User authentication to web portal users manage their account through web portal authentication in web browser –username/password (HTTP basic auth) to mod_auth_kerb creates Kerberos ticket on the web server mod_auth_kerb maintained by Daniel Kouřil of MetaCentrum used by majority of users –Negotiate – GSSAPI Kerberos needs negotiation support in browser (MSIE and Konqueror have) support for Firefox/Mozilla was created as bachelor thesis in MetaCentrum and later included into the Firefox sources used only by our security experts –SSL client X509 certificates from grid Certification Authorities grid certificates have unique Distinguished Names best method, no typing or clicking, but used by few created new mod_ssl_preauth to have SSL client certs and other auth modules on one URL

11 13.9.2010MetaCentrum - the Czech computational grid11 USB tokens we tried USB token (Rainbow iKey 3000) for storing private key and certificate PKCS11 device encrypts and signs internally, never gives out the private key unsuccessful experiment –connector damaged after weeks –many applications do not support –problems with drivers –uncomfortable, must be connected to computer during work

12 13.9.2010MetaCentrum - the Czech computational grid12 Real authentication in MetaCentrum typical user authentication: –account created after authentication using identity federation user selects username and password –first login using username/password to frontend machine kerberos ticket and AFS tokens on the frontend machine –jobs submitted using kerberized PBSPro delegates kerberos ticket and AFS tokens –login to computing machines using kerberized ssh delegates kerberos ticket and AFS tokens –long running jobs have Kerberos tickets renewed using krb525 MetaCentrum maintains its own accounts in Kerberos –Shibboleth identity federation so far works only on web –no dependence on external services

13 13.9.2010MetaCentrum - the Czech computational grid13 Thank you http://www.MetaCentrum.cz/ Thank you for your attention Questions ?

Download ppt "MetaCentrum – the Czech computational grid Martin Kuba CESNET and Masaryk University Brno, Czech Republic."

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
11 September 2007Milos Lokajicek Institute of Physics AS CR Prague Status of the GRID in the Czech Republic NEC’2007.

11 September 2007Milos Lokajicek Institute of Physics AS CR Prague Status of the GRID in the Czech Republic NEC’2007.
Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo

Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo

Similar presentations

Ads by Google