
Global Grid Forum GridWorld GGF15 Boston USA October 03 2005

Abhishek Singh Rana and Frank Wuerthwein UC San Diego www.opensciencegrid.org

The Open Science Grid Consortium

Multi-Site VOs and Multi-VO Sites in Open Science Grid

Abhishek Singh Rana, UC San Diego, rana@fnal.gov

Frank Wuerthwein, UC San Diego, fkw@fnal.gov

GridWorld/GGF15, October 3-6, 2005, Boston, MA, USA

Community Activity: Leveraging Site Infrastructure for Multi-Site Grids


Collaborative Effort

Open Science Grid

RBAC, Security and Policy Frameworks

Privilege Project

PPDG Common

USATLAS

USCMS

Fermi National Lab

Brookhaven National Lab

U California San Diego

Virginia Tech

Technical Lead: Ian Fisk, FNAL

Technical Coordinator: Dane Skow, FNAL


Outline

• Concepts & Goals.

• Examples
– Compute Element.
– Storage Element.

• Possible future examples
– Dynamically provisioned environments/Workspaces.

• VO Workspace on Site boundary.
– Edge Services Framework (ES Wafers).

• User Workspace on WNs
– Resource Slices.


OSG Approach: Concepts

• VO-Global specification of privilege requirements per Role.

• Site central mapping of Role to site’s implementation of privilege requirements.

• Local enforcement of privilege requirements.


Multi-Site VO

[Diagram: five Sites, each containing a CE and an SE.]

Multi-VO Site

[Diagram: a single Site containing a CE and an SE.]

A Multi-VO Multi-Site Grid

[Diagram: eight Sites, each containing a CE and an SE.]


OSG Approach

• VO defines Roles and associated privileges by specifying expected functionality.
– E.g. cmssoft may install software in area that is read-only by all cmsgrid user jobs running on site/campus.
– E.g. cmssvc may deploy DB cache available to all cmsgrid user jobs running on site/campus.

• Site maps VO scope identities to local scope identities.
– Site wide management of mapping.
– Service level granularity of mapping.

• Site enforces VO privilege policies within local scope identities.

• Authorization = !(Site-vetoed) && (VO-allowed)


[Diagram, shown in two builds. Labels: Local or Remote Client; Proxy with VO Membership | Role Attributes; VO Attribute Repository; Site; Host 1 and Host 2 running Service X, Service Y and Service Z; Callout Module for X, Y; Callout Module for Z; Authorization Service for Service X, Y, Z; Auxiliary Authorization Service for Service Z; Site-wide Assertion Service (Service X Veto, Service Y Veto, Service Z Veto); Site-wide Mapping Service; Auxiliary Mapping Service. The second build marks components as PDP or PEP.]


Example: Compute Element


CE: Globus and Condor

• PRIMA and GUMS provide CE authz in OSG approach.

– PRIMA authenticates.
– GUMS translates {DN, Membership, Role} to Username.
– System translates Username to site-wide {UID}.


[Diagram, built up over four slides. Labels: Local or Remote Client; Proxy with VO Membership | Role Attributes; VOMS; Site; GUMS; SAZ; Site-wide Assertion Service; Site-wide Mapping Service; CE; Globus Gatekeeper PRIMA callout; PRIMA C SAML libraries; PEP.]

Deployed at many sites/campuses with static UIDs as well as UID pools.


Example: Storage Element


SE: SRM-dCache

• Different doors for different authz methods.

• Same underlying local authz mechanism.

• Can be mapped to site’s UID/GID domain.

• Or be restricted to SRM-dCache only.

• Examples:
– USCMS-VO at FNAL: Site UID domain.
– CDF-VO at FNAL: Site Kerberos domain.


SE: SRM-dCache

• gPLAZMA extends SRM-dCache separation of SE authz and CE authz to OSG approach.

– gPLAZMA authenticates.
– Storage Authz Service contacts GUMS and gPLAZMA Storage Metadata Service.
– GUMS translates {DN, Membership, Role} to Username.
– System optionally translates Username to site-wide {UID, GID}.
– gPLAZMA Storage Metadata Service translates Username to Storage-privilege Set.
– Storage-privilege Set is {UID, GID, permitted storage area, R/W permissions}.
– Storage-privilege Set is User-level ACL governed by {DN, Membership, Role}.
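
The storage flow above, combined with the earlier rule Authorization = !(Site-vetoed) && (VO-allowed), can be expressed as one deny-by-default decision function plus a local enforcement check. This is an added example, not code from PRIMA, GUMS, SAZ or gPLAZMA; every table, DN, username, UID, GID and path is constructed, and the path-containment test in the enforcement step is an assumption about how a permitted storage area would be checked.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    dn: str    # certificate subject DN
    vo: str    # VO membership attribute
    role: str  # VO role attribute


@dataclass(frozen=True)
class StoragePrivilegeSet:
    uid: int
    gid: int
    area: str  # permitted storage area (path prefix)
    mode: str  # "r" or "rw"


# All tables below are constructed sample data, not real site configuration.
VO_ROLES = {("cms", "cmssoft"), ("cms", "cmsgrid")}          # VO-defined roles
SITE_VETO = {"/DC=org/DC=example/CN=Revoked User"}           # site-vetoed DNs
USERNAME_MAP = {("cms", "cmssoft"): "cmssoft",               # mapping service
                ("cms", "cmsgrid"): "cmsgrid"}
STORAGE_METADATA = {                                         # storage metadata
    "cmssoft": StoragePrivilegeSet(5001, 500, "/pnfs/example/cms/sw", "rw"),
    "cmsgrid": StoragePrivilegeSet(5002, 500, "/pnfs/example/cms/sw", "r"),
}


def authorize(cred: Credential) -> Optional[StoragePrivilegeSet]:
    """Decision point: !(Site-vetoed) && (VO-allowed), then map; else deny."""
    site_vetoed = cred.dn in SITE_VETO
    vo_allowed = (cred.vo, cred.role) in VO_ROLES
    if site_vetoed or not vo_allowed:
        return None
    # {DN, Membership, Role} -> Username (keyed on VO and role here).
    username = USERNAME_MAP.get((cred.vo, cred.role))
    if username is None:  # role known to the VO but unmapped at this site
        return None
    # Username -> {UID, GID, permitted storage area, R/W permissions}.
    return STORAGE_METADATA.get(username)


def check_access(cred: Credential, path: str, write: bool) -> bool:
    """Enforcement point: the request must fall inside the permitted area."""
    priv = authorize(cred)
    if priv is None:
        return False
    # Normalise first so ".." segments cannot step outside the area, and
    # compare on a path boundary so "/sw-other" does not match "/sw".
    norm = posixpath.normpath(path)
    if norm != priv.area and not norm.startswith(priv.area + "/"):
        return False
    return "w" in priv.mode if write else "r" in priv.mode


if __name__ == "__main__":
    soft = Credential("/DC=org/DC=example/CN=Alice", "cms", "cmssoft")
    grid = Credential("/DC=org/DC=example/CN=Bob", "cms", "cmsgrid")
    target = "/pnfs/example/cms/sw/release1/lib.so"
    print(check_access(soft, target, write=True))   # installer may write
    print(check_access(grid, target, write=True))   # user jobs are read-only
```

The sample roles mirror the cmssoft/cmsgrid case from the "OSG Approach" slide: one role may write to the software area, the other may only read it, and a site veto overrides both.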


[Diagram, built up over ten slides. Labels: Local or Remote Client; Proxy with VO Membership | Role Attributes; VOMS; Site; GUMS; SAZ; Site-wide Assertion Service; Site-wide Mapping Service; Auxiliary Mapping Service; CE; SE; gPLAZMA Storage metadata; PRIMA Authorization Service; PRIMA C SAML libraries; PRIMA Java SAML; gPLAZMA; Globus Gatekeeper PRIMA callout; SRM-GridFTP gPLAZMA callout; gPLAZMALite Authorization Services suite; OGSA AuthZ interface; PEP.]

[One build annotates the components with their full names:]

PRIMA: A System for Privilege Management and Authorization in Grids

gPLAZMA: grid-aware Pluggable Authorization Management System

GUMS: Grid User Management System

SAZ: Site Authorization Service

VOMS: Virtual Organization Membership Service

[The last build annotates the components with names and institutions:]

PRIMA: Markus Lorch, VT

gPLAZMA: Abhishek Singh Rana, UCSD; Timur Perelmutov, FNAL

GUMS: Gabriele Carcassi, BNL

SAZ: Vijay Sekhri, FNAL; John Weigand, FNAL

SRM-dCache: DESY/FNAL teams

VOMS: INFN teams, Italy


SE ACLs: VO versus Site Control

• VO control of ACLs.
– All files are owned by VO.
– Simple solutions.
– VO PDP, separated from Resource.

• Site control of ACLs.
– All files are owned by {DN, Membership, Role} of a User.
– Site SE enforces global (VO) and local (site) policies.
– Global & local policies are used together to aid in isolation of privileges, grant privacy to user, and perform fine-grained security.
– Demands sophisticated solutions.
– Site PDP, closer to Resource.


Possible Future Examples: Dynamic Virtual Environments/Workspaces

1. VO Workspace on Site boundary - Edge Services Framework (ES Wafers).

2. User Workspace on WNs (Resource Slices).


No ESF - Phase 0

[Diagram, shown in two builds: Site with SE and CE. Static deployment for CMS, ATLAS, CDF.]

ESF?

[Diagram: Site with SE and CE.]

ESF - Phase 1

[Diagram: Site with ESF, SE and CE. Snapshot of ES Wafers implemented as Virtual Workspaces for CDF, CMS, ATLAS and Guest VO.]


An attempt at ESF Terminology

• Edge Services Wafer (ES Wafer)
– A specific instance of a dynamically-created VM (workspace) is called an Edge Services Wafer.
– An ES Wafer can have several Edge Services running.
– A VO can have multiple ES Wafers up at a Site.

• Edge Services Slot (ES Slot)
– An ES Slot has hardware characteristics specified by the Site Admin.
– An ES Slot can be leased by a VO to host an ES Wafer.

• Edge Service (ES)
– A VO-specific service instantiated by a VO in a Wafer.

• Workspace Service (WS)
– Service at a Site that allows VOs to instantiate ES Wafers in ES Slots.


ESF - Phase 1

[Diagram, shown in two builds: Site with ESF, SE and CE. Labels: GT4 Workspace Service & VMM; Dynamically deployed ES Wafers for each VO (CDF, CMS, ATLAS, Guest VO); Wafer images stored in SE; Compute nodes and Storage nodes.]

[The second build annotates the components with names and institutions:]

Globus Workspace Service: Kate Keahey, ANL/Globus; Timothy Freeman, ANL/Globus

Edge Services Suite: CMS and ATLAS Collaborations

Xen VMM: Cambridge University, UK; XenSource Inc.


User jobs at Compute nodes using ES Wafers for VO Edge Services

[Diagram: Site with ESF, SE and CE; ES Wafers for CDF, CMS, ATLAS and Guest VO.]


VO Admin transporting/storing ES image to a remote Site..

..Deploying ES using image stored in Site’s local repository


VO Workspaces (Edge Services)

• Concepts
– TID (Transactional Identity) = {DN, Membership Profile, Set of Roles}
– Thus, TID is VO & “VO-Site agreement” specific.
– TID functions as a tag for VO Workspace characteristics.
– Site central mapping service translates TID into VO Workspace characteristics.
– ESF provisions VO Workspace according to characteristics.


ESF - Phase 1

[Diagram, built up over eleven slides: Site with ESF, SE and CE; CMS, Role=VO Admin; PEP marked on some builds. Label on the final build: ES Wafer (Multiple VO Services at a Site’s Edge).]


A VO User using ESF....Executing at a User Workspace


User Workspace

• User Workspace
– Slicing of a Resource, on demand.
– PEP closer to such finer slices of a Resource.
– Customized (possibly transient) slices.
– Isolation of environment of such a slice.

• A resource slice and VO/User environment make a User Workspace.


User Workspace

• Concepts
– TID (Transactional Identity) = {DN, Membership Profile, Set of Roles}
– Thus, TID is VO & “application type” specific.
– TID functions as a tag for Workspace characteristics.
– Site central mapping service translates TID into User Workspace characteristics.
– Compute node local service provisions User Workspace according to characteristics.


User Workspace

[Diagram, built up over eight slides: Site with ESF, SE and CE; CMS, Role=VO User; PEP marked on some builds. Label on one build: Resource Slice (User execution environment at a WN).]


Summary of OSG Approach

• VO-Global specification of privilege requirements per role.
– Means to do so are lacking today!
– Making progress.

• Site central mapping of role to implementation of privilege requirements.
– Simple solutions in production usage.

• Local enforcement of privilege requirements.
– Simple solutions in production usage.
– Moving forward to designing more advanced solutions.


Thank You.
