© 2008 open grid forum production grid infrastructure wg pgi reference model towards an...

© 2008 Open Grid Forum

Production Grid Infrastructure WGPGI Reference ModelTowards an infrastructure interoperability reference modelMorris Riedel (FZJ – Jülich Supercomputing Centre & DEISA)

PGI Co-Chair …and many others…

© 2008 Open Grid Forum 2

OGF IPR Policies Apply

• “I acknowledge that participation in this meeting is subject to the OGF Intellectual Property Policy.”• Intellectual Property Notices Note Well: All statements related to the activities of the OGF and addressed to

the OGF are subject to all provisions of Appendix B of GFD-C.1, which grants to the OGF and its participants certain licenses and rights in such statements. Such statements include verbal statements in OGF meetings, as well as written and electronic communications made at any time or place, which are addressed to:

• the OGF plenary session, • any OGF working group or portion thereof, • the OGF Board of Directors, the GFSG, or any member thereof on behalf of the OGF, • the ADCOM, or any member thereof on behalf of the ADCOM, • any OGF mailing list, including any group list, or any other list functioning under OGF auspices, • the OGF Editor or the document authoring and review process

• Statements made outside of a OGF meeting, mailing list or other function, that are clearly not intended to be input to an OGF activity, group or function, are not subject to these provisions.

• Excerpt from Appendix B of GFD-C.1: ”Where the OGF knows of rights, or claimed rights, the OGF secretariat shall attempt to obtain from the claimant of such rights, a written assurance that upon approval by the GFSG of the relevant OGF document(s), any party will be able to obtain the right to implement, use and distribute the technology or works when implementing, using or distributing technology based upon the specific specification(s) under openly specified, reasonable, non-discriminatory terms. The working group or research group proposing the use of the technology with respect to which the proprietary rights are claimed may assist the OGF secretariat in this effort. The results of this procedure shall not affect advancement of document, except that the GFSG may defer approval where a delay may facilitate the obtaining of such assurances. The results will, however, be recorded by the OGF Secretariat, and made available. The GFSG may also direct that a summary of the results be included in any GFD published containing the specification.”

• OGF Intellectual Property Policies are adapted from the IETF Intellectual Property Policies that support the Internet Standards Process.


Outline


Outline

• Scope• Interoperability Reference Model Overview• Missing Links & Refinements• PGI Security Considerations• PGI Information Considerations• PGI Job Considerations• PGI Data Considerations• Summary• References• Acknowledgements


Scope

© 2008 Open Grid Forum Indianapolis, Indiana, 11th Dec. 2008 – Morris Riedel et al.

OGSA Standards

[7] Foster et al., ‘The Open Grid Services Architecture‘

Job description language standards

Self-management standards

Co-allocationstandards

Job submission interface

& protocol standards

Service level agreements standard

Storage access & data transfer standards

Information semanticsstandards

Security setup standards

Standard N+1 Standard N+2 Standard N+3 Standard N+3 Standard N+4 Standard N+5 Standard N+6 Standard N+7


GIN Production Experience


Self-management standards

Co-allocationstandards



Service level agreements standard




Standard N+1 Standard N+2 Standard N+3 Standard N+3 Standard N+4 Standard N+5 Standard N+6 Standard N+7

[8] Riedel et al., ‘Interoperation of World-Wide Production e-Science Infrastructures ‘


PGI Approach (1)

[5] Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures‘







Work on the missing links between currently deployed and matured

open standards

Different job description languages

Different job submission interfaces & protocols

Different security setups

Different information semantics

Different DataTransfer Techniques

Different StorageAccess Techniques

Challenges


PGI Approach (2)







Work on the missing links between currently deployed and matured

open standards

Different job description languages

Different job submission interfaces & protocols

Different security setups

Different information semantics

Different DataTransfer Techniques

Different StorageAccess Techniques

Challenges Solved

[5] Riedel et al., ‘Experiences and Requirements for Interoperability between HTC- and HPC-driven e-Science Infrastructures‘


Scope• Identified Basic Use Case• Only matured specifications• Specification adoption exist in

production middleware systems

• Experience exists in production infrastructures

• Interoperability tests have been performed

• Real scientific use cases require these standards

• Refinements necessary and not complete spec. re-definitions

‘Low hanging fruits’


Compare History of Computer Science

Production GridInfrastructure Standard

Extensible Markup Language (XML)

Internet 4 Layer Model

Open Grid Services Architecture(OGSA)

Standardized Generalized Markup Language (SGML)

ISO / OSI 7 Layer Model

de-facto usedversion

trimmed-downversion

akaOGSA – Economy

OGSA – light OGSA OXA

(like [SG]ML [X]ML)


Reference Model Overview


Plumbings Idea

• Plumbings can be used to put different ‚elements‘ through• E.g. warm water (full X.509 certificates) vs.

Cold water (X.509 proxies)• Many plumbings can be installed in parallel – while not crossing the

other plumbings• E.g. modern container concepts allow easily addition of

n handler that can take care of the elements by n plumbings• Different plumbings can use the same source and can be

sink into the same achievement/functionality• E.g. Attribute-based VOMS system vs.

SAML-based VOMS system• Both based on same VO DBs but convey attributes differently• However, authZ decision based on these attributes can be again usable for

both approaches (e.g. one XACML policy file)• Plumbings may be removed over time while new plumbings are

already deployed in infrastructures


Missing Links & Refinements


PGI Security Considerations


Security is orthogonal to layers

[4] Morris Riedel et al., ‘Experiences and Requirements for Interoperabilitybetween HTC- and HPC-driven e-Science Infrastructures, Proceedings of Korea e-Science AH Meeting 2008, 2009


Orthogonal Security: Plumbings


Plumbing II - Authentication


Plumbing III - Authorization


Still work to do…

• Big picture in (many) GIN production Grids & efforts

SOAP Message

22

SOAP Header

SOAP Body

IETF TLS

Proxy

Extensionsfor attributes

and restrictions

VO Support

attributes

SAMLAssertion

Contraintselement

AttributeStatementelement

OASISWS-Security

Extension

Delegation of Rights

restictions/constraints

OGF BES OGF JSDL + Ext.


Missing Links & Tunings


SAML Assertion Example

• Using SAML Assertions to convey attributes of users

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion” … >

<saml:Issuer> … </saml:Issuer>

<saml:Subject>

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"> CN=Morris Riedel,OU=ZAM,OU=Forschungszentrum JuelichGmbH,O=GridGermany,C=DE

</saml:NameID>

</saml:Subject>

<saml:Conditions NotBefore="..." NotOnOrAfter="..." />

<saml:AttributeStatement>

<saml:Attribute Name="group-membership-id" NameFormat="urn...">

<saml:AttributeValue type="xs:string">

/deisa/group-interop

</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement>

…

</saml:Assertion>


Missing Links & Refinement

• n SAML Assertions in SOAP Messages (WS-Security)

<soap:Envelope xmlns:soap="...„>

<soap:Header>

<wsse:Security wsse="...„>

<saml:Assertion xmlns:saml="...">… </saml:Assertion xmlns:saml="..."> (n times)

</wsse:Security>

</soap:Header>

<soap:Body>

...

</soap:Body>

</soap:Envelope>

• Define structure and common semantics of attributes• Attributes states the position of a user in a VO (e.g. role, group,…)• E.g. Approach /VONAME/GROUPNAME• E.g. Approach /VONAME=XYZ/GENERALCAPABILITY=XYZ…


Restricted Delegation

• Proxies & SAML Assertions are used in production Grids• But most Grid and e-science infrastructures operate on a security paradigm of

‘full impersonification delegation of rights’• “If I delegate someone to buy me a toaster he is actually allowed to buy me a

car – there are no restrictions what exactly to do”

• ‘Proxies are not bad’ standard• But the way proxies are used on

the infrastructures is “bad”• Restrictions within proxies can

be added into proxy extensions• ‘SAML assertions are not bad’ standard• SAML assertions have same drawback

when no constraints are provided• Restrictions within SAML assertions

can be coded in SAML assertions contraints parts

Proxy

SAMLAssertion

extensionwith restrictions

contraintselement


PGI Information Considerations


PGI Information Considerations

• Plumbing using GLUE2• Largely using GLUE2 on multiple levels• Using GLUE2 in conjunction with OGSA-BES endpoints

• Another plumbing using OGF Secure Addressing• If and only if you are using Endpoint References (EPRs)• The way to tell how this endpoint is contacted using the right set of security

plumbings

• Henn and egg problem• Where do I get the initial information?• EPR of information system to query for information may already require a

correct security setup• Approach of Website providing the EPR information


PGI Job Considerations


PGI Job Considerations

• Basic specifications• OGSA – Basic Execution Service (BES)• Implied Job Submission Description Language (JSDL)

• Modified operations in BES• Some operation have to be added• Statemodel refinements ready vs. finished states?!

• JSDL refinements/additions• What is mandatory – what is optional?• Additions such as network topology of large-scale systems• Re-specify which subset of JSDL elements make sense

for production use• Having one JSDL for production Grids instead of numerous extensions that

lead to non-interoperable systems again• What security plumbings? Plumbing II X.509 (or proxies)

• Other plumbings? Yes Attribute-based AuthZ, TLS with username/passwd is not enough! More complicated!


Get Attributes for job submit

• To be defined using the two plumbings• Virtual Organization Membership Service (VOMS)

• Acts as an attribute authority releasing signed attributes• (Shibboleth is also an attribute authority that might be used)• Attributes state the position of a user in a VO (role, group, etc.)


Agree on attributes (&semantics)

• Big picture in (many) GIN production Grids & efforts

SOAP Message

32

SOAP Header

SOAP Body

IETF TLS

Proxy

Extensionsfor attributes

and restrictions

VO Support

attributes

SAMLAssertion

Contraintselement

AttributeStatementelement

OASISWS-Security

Extension

Delegation of Rights

restictions/constraints

OGF BES OGF JSDL + Ext.


Context Comp. Activities

• Base: Computational activities using OGSA-BES & JSDL• Secure cross-Grid job submission using open standards

for authentication and attribute-based authorization• IETF X.509 Certificates• OGF Open Grid Services Architecture (OGSA) Basic Execution

Services (BES) & Job Submission Description Language (JSDL)• OASIS Security Assertion Markup Language (SAML)

[3] Morris Riedel et al., ‘Interoperation of World-Wide Production e-Science Infrastructures, Concurrency and Computation: Practice and Experience, OGF Special Issue, 2008


PGI Data Considerations


PGI Data Considerations

• WS-DAIS Refinements• We learned a lot of OGSA-DAI that was once a reference

implementation of WS-DAI• Refinements necessary that are scalable for production use• How can be WS-DAI requests used in data staging via OGSA-BES?

• Storage Resource Manager (SRM)• Many SRM implementations already exist• They are basically interoperable• However, a subset of SRM is not interoperable• Nail down which operations work and which operations can be

omitted• How can be SRM requests (or movements like copyto) used via

OGSA-BES data stagings?


Summary

© 2008 Open Grid ForumJahresabschluss-Kolloquium, FZJ, 18th Dec. 2008 – Morris Riedel et al.

Summary

• More and more e-science projects require Grid interoperability• Many approaches exist – only production-aware standards help• Production Grid Infrastructure Standardization Process

• OGSA exists, but…• Hard to maintain, nearly half of all specs defined, missing links,…

• Comparison with history of computer science• Cp. XML & SGML, Internet model vs. ISO / OSI model• Bottom-up (from production) instead of top-down architecture

• Reference model obtained from real scientific use cases• Interoperability reference model (or aka profiles) make sense

• Scientific use cases proof feasibility of initial reference model• Can be a milestone towards full OGSA-conformance roadmaps


Mapping Notes


Additional Mapping Notes

• TBD


References


References

• Hinleitung zum reference model…


Acknowledgements

© 2008 Open Grid Forum

Morris: Acknowledgements

• Morris Travel and Participation in OGF is funded by…• Distributed European Infrastructure for Supercomputing

Applications (DEISA)

• DEISA2 is funded by the European Commission in FP7 under grant agreement RI-222919

• Jülich Supercomputing Centre (JSC)of Forschungszentrum Jülich (FZJ) in the HELMHOLTZ association


Full Copyright Notice

Copyright (C) Open Grid Forum (2009). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.

The limited permissions granted above are perpetual and will not be revoked by the OGF or its successors or assignees.

© 2008 open grid forum production grid infrastructure wg pgi reference model towards an...

Documents