TRANSCRIPT
© 2008 Open Grid Forum
Production Grid Infrastructure WG
PGI Reference Model
Towards an infrastructure interoperability reference model
Morris Riedel (FZJ – Jülich Supercomputing Centre & DEISA)
PGI Co-Chair …and many others…
OGF IPR Policies Apply
• “I acknowledge that participation in this meeting is subject to the OGF Intellectual Property Policy.”
• Intellectual Property Notices Note Well: All statements related to the activities of the OGF and addressed to the OGF are subject to all provisions of Appendix B of GFD-C.1, which grants to the OGF and its participants certain licenses and rights in such statements. Such statements include verbal statements in OGF meetings, as well as written and electronic communications made at any time or place, which are addressed to:
  • the OGF plenary session,
  • any OGF working group or portion thereof,
  • the OGF Board of Directors, the GFSG, or any member thereof on behalf of the OGF,
  • the ADCOM, or any member thereof on behalf of the ADCOM,
  • any OGF mailing list, including any group list, or any other list functioning under OGF auspices,
  • the OGF Editor or the document authoring and review process
• Statements made outside of a OGF meeting, mailing list or other function, that are clearly not intended to be input to an OGF activity, group or function, are not subject to these provisions.
• Excerpt from Appendix B of GFD-C.1: ”Where the OGF knows of rights, or claimed rights, the OGF secretariat shall attempt to obtain from the claimant of such rights, a written assurance that upon approval by the GFSG of the relevant OGF document(s), any party will be able to obtain the right to implement, use and distribute the technology or works when implementing, using or distributing technology based upon the specific specification(s) under openly specified, reasonable, non-discriminatory terms. The working group or research group proposing the use of the technology with respect to which the proprietary rights are claimed may assist the OGF secretariat in this effort. The results of this procedure shall not affect advancement of document, except that the GFSG may defer approval where a delay may facilitate the obtaining of such assurances. The results will, however, be recorded by the OGF Secretariat, and made available. The GFSG may also direct that a summary of the results be included in any GFD published containing the specification.”
• OGF Intellectual Property Policies are adapted from the IETF Intellectual Property Policies that support the Internet Standards Process.
Outline
• Scope
• Interoperability Reference Model Overview
• Missing Links & Refinements
• PGI Security Considerations
• PGI Information Considerations
• PGI Job Considerations
• PGI Data Considerations
• Summary
• References
• Acknowledgements
Scope
© 2008 Open Grid Forum Indianapolis, Indiana, 11th Dec. 2008 – Morris Riedel et al.
OGSA Standards
[7] Foster et al., ‘The Open Grid Services Architecture’
Diagram: the OGSA standards landscape drawn as a stack of boxes (Standard N+1 … Standard N+7): job description language standards; self-management standards; co-allocation standards; job submission interface & protocol standards; service level agreements standard; storage access & data transfer standards; information semantics standards; security setup standards.
GIN Production Experience
Diagram: the same OGSA standards stack (job description language; self-management; co-allocation; job submission interface & protocol; service level agreements; storage access & data transfer; information semantics; security setup standards; Standard N+1 … N+7), seen through GIN production experience.
[8] Riedel et al., ‘Interoperation of World-Wide Production e-Science Infrastructures’
PGI Approach (1)
[5] Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures’
Diagram: the standards in scope (job description language; job submission interface & protocol; storage access & data transfer; information semantics; security setup standards). Work on the missing links between currently deployed and matured open standards.
Challenges:
• Different job description languages
• Different job submission interfaces & protocols
• Different security setups
• Different information semantics
• Different data transfer techniques
• Different storage access techniques
PGI Approach (2)
Diagram: the same standards in scope (job description language; job submission interface & protocol; storage access & data transfer; information semantics; security setup standards), with the missing links between currently deployed and matured open standards worked on.
Challenges solved:
• Different job description languages
• Different job submission interfaces & protocols
• Different security setups
• Different information semantics
• Different data transfer techniques
• Different storage access techniques
[5] Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures’
Scope
• Identified basic use case
• Only matured specifications
• Specification adoption exists in production middleware systems
• Experience exists in production infrastructures
• Interoperability tests have been performed
• Real scientific use cases require these standards
• Refinements are necessary, not complete re-definitions of the specifications
‘Low hanging fruits’
Compare History of Computer Science
  de-facto used, trimmed-down version        full architecture it is derived from
  Production Grid Infrastructure Standard    Open Grid Services Architecture (OGSA)
  Extensible Markup Language (XML)           Standardized Generalized Markup Language (SGML)
  Internet 4 Layer Model                     ISO / OSI 7 Layer Model
aka OGSA – Economy, OGSA – light, or O[GS]A → O[X]A (like [SG]ML → [X]ML)
Reference Model Overview
Plumbings Idea
• Plumbings can be used to put different ‘elements’ through
  • E.g. warm water (full X.509 certificates) vs. cold water (X.509 proxies)
• Many plumbings can be installed in parallel, without crossing the other plumbings
  • E.g. modern container concepts allow easy addition of n handlers that take care of the elements carried by n plumbings
• Different plumbings can use the same source and can sink into the same achievement/functionality
  • E.g. attribute-based VOMS system vs. SAML-based VOMS system
  • Both based on the same VO DBs but convey attributes differently
  • However, the authZ decision based on these attributes can again be usable for both approaches (e.g. one XACML policy file)
• Plumbings may be removed over time while new plumbings are already deployed in infrastructures
Missing Links & Refinements
PGI Security Considerations
Security is orthogonal to layers
[4] Morris Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures’, Proceedings of Korea e-Science AH Meeting 2008, 2009
Orthogonal Security: Plumbings
Plumbing II - Authentication
Plumbing III - Authorization
Still work to do…
• Big picture in (many) GIN production Grids & efforts
Diagram: a SOAP message (SOAP header + SOAP body) carried over IETF TLS. The OASIS WS-Security header holds either an X.509 proxy (extension for attributes and restrictions) or a SAML assertion (constraints element, AttributeStatement element); both convey VO support attributes and delegation of rights with restrictions/constraints. The body carries the OGF BES request with OGF JSDL + extensions.
Missing Links & Tunings
SAML Assertion Example
• Using SAML Assertions to convey attributes of users
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" … >
  <saml:Issuer> … </saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">
      CN=Morris Riedel,OU=ZAM,OU=Forschungszentrum Juelich GmbH,O=GridGermany,C=DE
    </saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="..." NotOnOrAfter="..." />
  <saml:AttributeStatement>
    <saml:Attribute Name="group-membership-id" NameFormat="urn...">
      <saml:AttributeValue xsi:type="xs:string">
        /deisa/group-interop
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  …
</saml:Assertion>
Missing Links & Refinement
• n SAML Assertions in SOAP Messages (WS-Security)
<soap:Envelope xmlns:soap="...">
  <soap:Header>
    <wsse:Security xmlns:wsse="...">
      <saml:Assertion xmlns:saml="..."> … </saml:Assertion>   <!-- n times -->
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    ...
  </soap:Body>
</soap:Envelope>
• Define structure and common semantics of attributes
  • Attributes state the position of a user in a VO (e.g. role, group, …)
  • E.g. approach /VONAME/GROUPNAME
  • E.g. approach /VONAME=XYZ/GENERALCAPABILITY=XYZ…
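The slides show a SAML assertion carrying a group-membership attribute, a WS-Security header holding n such assertions, and two candidate attribute layouts. The following Python is an added example, not code from the slides or from any PGI middleware: it reads the assertions out of a constructed SOAP message, accepts only those whose Conditions window covers the evaluation time and whose X.509 subject agrees with the others, parses both attribute styles, and feeds the result into one policy table, i.e. one decision point whether the attributes arrived via SAML or via a proxy extension. The namespaces are the standard SOAP 1.1, WSS and SAML 2.0 ones; the policy contents, the function names and the sample message are assumptions.

```python
"""Attribute-based authorization from SAML assertions in a WS-Security header.

Added example, not code from the slides or from any PGI middleware. The SOAP
message, the policy table and the function names are constructed here; the
attribute name "group-membership-id" and the two value styles follow the
slides. Assertion signatures are assumed to be verified before this runs.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"
DN = "CN=Morris Riedel,OU=ZAM,OU=Forschungszentrum Juelich GmbH,O=GridGermany,C=DE"

# Constructed message: two assertions (VOMS group, capability) for one subject.
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
 <soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:saml="{NS['saml']}">
   <saml:Assertion ID="a1" Version="2.0" IssueInstant="2008-12-11T10:00:00Z">
    <saml:Issuer>CN=VOMS,O=DEISA</saml:Issuer>
    <saml:Subject><saml:NameID Format="{X509_FORMAT}">{DN}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2008-12-11T09:00:00Z" NotOnOrAfter="2008-12-11T21:00:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="group-membership-id">
     <saml:AttributeValue>/deisa/group-interop</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
   </saml:Assertion>
   <saml:Assertion ID="a2" Version="2.0" IssueInstant="2008-12-11T10:00:00Z">
    <saml:Issuer>CN=Capability AA,O=GridGermany</saml:Issuer>
    <saml:Subject><saml:NameID Format="{X509_FORMAT}">{DN}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2008-12-11T09:00:00Z" NotOnOrAfter="2008-12-11T21:00:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="group-membership-id">
     <saml:AttributeValue>/VONAME=deisa/GENERALCAPABILITY=submit-job</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""


def _utc(stamp):
    """SAML timestamps as UTC ISO 8601 with a trailing Z (the only form handled here)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_fqan(value):
    """Parse one attribute value in either style named on the slides:
    /VONAME/GROUPNAME  or  /VONAME=XYZ/GENERALCAPABILITY=XYZ."""
    parts = [p for p in value.strip().split("/") if p]
    if any("=" in p for p in parts):
        keymap = {"VONAME": "vo", "GROUPNAME": "group", "GENERALCAPABILITY": "capability"}
        return {keymap.get(k, k.lower()): v for k, _, v in (p.partition("=") for p in parts)}
    if len(parts) < 2:
        raise ValueError("expected /VONAME/GROUPNAME, got %r" % value)
    return {"vo": parts[0], "group": "/".join(parts[1:])}


def extract_attributes(soap_xml, now):
    """Return (subject DN, parsed attribute dicts) from the assertions in the
    WS-Security header that are valid at `now`. Every accepted assertion must
    name the same X.509 subject; a mismatch is an error, not a merge."""
    root = ET.fromstring(soap_xml)
    subject, attrs = None, []
    for a in root.findall("soap:Header/wsse:Security/saml:Assertion", NS):
        cond = a.find("saml:Conditions", NS)
        name_id = a.find("saml:Subject/saml:NameID", NS)
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            continue                      # no validity window: not accepted
        if name_id is None or name_id.get("Format") != X509_FORMAT:
            continue                      # not an X.509 subject name: ignore
        if not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
            continue                      # outside the assertion's validity window
        dn = name_id.text.strip()
        if subject is None:
            subject = dn
        elif dn != subject:
            raise ValueError("assertions in one message name different subjects")
        for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == "group-membership-id":
                attrs.extend(parse_fqan(v.text) for v in attr.findall("saml:AttributeValue", NS))
    return subject, attrs


# One policy that both plumbings feed into (assumed mapping: VO position -> BES operations).
POLICY = {
    ("deisa", "group", "group-interop"): {"CreateActivity", "GetActivityStatuses"},
    ("deisa", "capability", "submit-job"): {"CreateActivity"},
}


def authorize(attrs, operation):
    """Permit iff some conveyed attribute maps to the requested operation."""
    return any(operation in POLICY.get((a["vo"], kind, a[kind]), ())
               for a in attrs for kind in ("group", "capability") if kind in a)


def decide(soap_xml, operation, now_stamp):
    """End-to-end: (subject, permitted?) for a message evaluated at now_stamp."""
    subject, attrs = extract_attributes(soap_xml, _utc(now_stamp))
    return subject, authorize(attrs, operation)
```

Signature verification is deliberately outside this block: each assertion's signature has to be checked against its issuer before any attribute in it is trusted. The same-subject rule is what keeps attributes issued for one user from being attached to another user's request when several assertions travel in one header.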
Restricted Delegation
• Proxies & SAML assertions are used in production Grids
• But most Grid and e-science infrastructures operate on a security paradigm of ‘full impersonation delegation of rights’
  • “If I delegate someone to buy me a toaster he is actually allowed to buy me a car – there are no restrictions on what exactly to do”
• ‘Proxies are not bad’ standard
  • But the way proxies are used on the infrastructures is “bad”
  • Restrictions within proxies can be added into proxy extensions
• ‘SAML assertions are not bad’ standard
  • SAML assertions have the same drawback when no constraints are provided
  • Restrictions within SAML assertions can be coded in the SAML assertion constraints parts
Diagram: proxy (extension with restrictions) and SAML assertion (constraints element)
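The toaster-versus-car point above, as an added example (not code from the slides or from any proxy or SAML library): a delegation token either carries constraints or it does not; the delegate's effective rights are the intersection of the delegator's own rights with the constraints, so constraints can only narrow; and the hardened policy refuses a delegation that carries no constraints at all instead of treating it as full impersonation. The token layout, the rights table and the names are assumptions standing in for a proxy extension or a SAML constraints element.

```python
"""Restricted versus unrestricted delegation of rights.

Added example, not from the slides or any Grid middleware. The Delegation
layout (delegator, delegate, optional constraints listing operations and
resources) is an assumption standing in for a proxy extension or a SAML
constraints element; the rights table and the subject names are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Rights the delegating user holds directly (constructed resource/operation pairs).
USER_RIGHTS = {
    ("bes.example.org", "CreateActivity"),
    ("bes.example.org", "TerminateActivities"),
    ("srm.example.org", "copyto"),
}


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    # None means full impersonation: the "toaster" buyer may also buy the "car".
    constraints: Optional[dict] = None


def effective_rights(delegation, delegator_rights):
    """Rights the delegate may exercise on the delegator's behalf.

    Constraints can only narrow: the result is the intersection of what the
    delegator holds with what the constraints list, never a superset."""
    if delegation.constraints is None:
        return set(delegator_rights)
    ops = set(delegation.constraints.get("operations", ()))
    res = set(delegation.constraints.get("resources", ()))
    return {(r, o) for r, o in delegator_rights if r in res and o in ops}


def authorize_delegated(delegation, caller, resource, operation,
                        delegator_rights=USER_RIGHTS, require_constraints=True):
    """Decision for a request made by `caller` under a delegation.

    With require_constraints=True (the hardened policy) an unrestricted
    delegation is refused outright; with False it behaves like today's
    full-impersonation infrastructures described on the slide."""
    if caller != delegation.delegate:
        return False
    if require_constraints and delegation.constraints is None:
        return False
    return (resource, operation) in effective_rights(delegation, delegator_rights)


# Constructed tokens: one unrestricted, one limited to job submission on the BES.
UNRESTRICTED = Delegation(delegator="CN=Morris Riedel,O=GridGermany,C=DE",
                          delegate="CN=ws-broker,O=DEISA")
RESTRICTED = Delegation(delegator="CN=Morris Riedel,O=GridGermany,C=DE",
                        delegate="CN=ws-broker,O=DEISA",
                        constraints={"operations": ["CreateActivity"],
                                     "resources": ["bes.example.org"]})
```

The interesting case is a constraint naming an operation the delegator never held: the intersection is empty, so a delegate cannot be handed more than the delegator has, whichever plumbing carried the constraints.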
PGI Information Considerations
• Plumbing using GLUE2
  • Largely using GLUE2 on multiple levels
  • Using GLUE2 in conjunction with OGSA-BES endpoints
• Another plumbing using OGF Secure Addressing
  • If and only if you are using Endpoint References (EPRs)
  • The way to tell how this endpoint is contacted using the right set of security plumbings
• Chicken-and-egg problem
  • Where do I get the initial information?
  • The EPR of the information system to query for information may already require a correct security setup
  • Approach: a website providing the EPR information
PGI Job Considerations
• Basic specifications
  • OGSA – Basic Execution Service (BES)
  • Implied: Job Submission Description Language (JSDL)
• Modified operations in BES
  • Some operations have to be added
  • State model refinements: ready vs. finished states?!
• JSDL refinements/additions
  • What is mandatory, what is optional?
  • Additions such as the network topology of large-scale systems
  • Re-specify which subset of JSDL elements makes sense for production use
  • Having one JSDL for production Grids instead of numerous extensions that lead to non-interoperable systems again
• What security plumbings? Plumbing II: X.509 (or proxies)
• Other plumbings? Yes: attribute-based AuthZ; TLS with username/password is not enough! More complicated!
Get Attributes for job submit
• To be defined using the two plumbings
• Virtual Organization Membership Service (VOMS)
  • Acts as an attribute authority releasing signed attributes
  • (Shibboleth is also an attribute authority that might be used)
  • Attributes state the position of a user in a VO (role, group, etc.)
Agree on attributes (& semantics)
• Big picture in (many) GIN production Grids & efforts
Diagram: the same SOAP message picture as on the ‘Still work to do…’ slide (SOAP header and body over IETF TLS; WS-Security header carrying a proxy with extensions for attributes and restrictions or a SAML assertion with constraints and AttributeStatement elements; VO support attributes; delegation of rights with restrictions/constraints; body with OGF BES / OGF JSDL + extensions).
Context Comp. Activities
• Base: computational activities using OGSA-BES & JSDL
• Secure cross-Grid job submission using open standards for authentication and attribute-based authorization
  • IETF X.509 Certificates
  • OGF Open Grid Services Architecture (OGSA) Basic Execution Services (BES) & Job Submission Description Language (JSDL)
  • OASIS Security Assertion Markup Language (SAML)
[3] Morris Riedel et al., ‘Interoperation of World-Wide Production e-Science Infrastructures’, Concurrency and Computation: Practice and Experience, OGF Special Issue, 2008
PGI Data Considerations
• WS-DAIS refinements
  • We learned a lot from OGSA-DAI, which was once a reference implementation of WS-DAI
  • Refinements necessary that are scalable for production use
  • How can WS-DAI requests be used in data staging via OGSA-BES?
• Storage Resource Manager (SRM)
  • Many SRM implementations already exist
  • They are basically interoperable
  • However, a subset of SRM is not interoperable
  • Nail down which operations work and which operations can be omitted
  • How can SRM requests (or movements like copyto) be used via OGSA-BES data stagings?
Summary
© 2008 Open Grid Forum, Year-End Colloquium (Jahresabschluss-Kolloquium), FZJ, 18th Dec. 2008 – Morris Riedel et al.
• More and more e-science projects require Grid interoperability
• Many approaches exist – only production-aware standards help
• Production Grid Infrastructure Standardization Process
• OGSA exists, but…
  • Hard to maintain, nearly half of all specs defined, missing links, …
• Comparison with the history of computer science
  • Cf. XML & SGML, Internet model vs. ISO / OSI model
  • Bottom-up (from production) instead of top-down architecture
• Reference model obtained from real scientific use cases
  • Interoperability reference models (aka profiles) make sense
• Scientific use cases prove the feasibility of the initial reference model
  • Can be a milestone towards full OGSA-conformance roadmaps
Mapping Notes
Additional Mapping Notes
• TBD
References
• Introduction to the reference model…
Acknowledgements
• Morris’ travel and participation in OGF is funded by…
  • Distributed European Infrastructure for Supercomputing Applications (DEISA)
  • DEISA2 is funded by the European Commission in FP7 under grant agreement RI-222919
  • Jülich Supercomputing Centre (JSC) of Forschungszentrum Jülich (FZJ) in the HELMHOLTZ association
Full Copyright Notice
Copyright (C) Open Grid Forum (2009). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
The limited permissions granted above are perpetual and will not be revoked by the OGF or its successors or assignees.