GEON meeting - May 22, 2006 GAMA 2.0 Features and Status Kurt Mueller SDSC



Page 1:

GEON meeting - May 22, 2006

GAMA 2.0 Features and Status

Kurt Mueller, SDSC

Page 2:

GAMA 1 in a nutshell

• A system for creating and managing Grid accounts for portal and application users

• Provides dedicated server installation consisting of Grid software (CACL, MyProxy, CAS) wrapped in web services

• Provides management portlets for easy integration into GridSphere portal framework
– User account request form
– Administrative account management console
– User login through GAMA - retrieves GSI credential

Page 3:

GAMA 1 architecture

[Architecture diagram: Portal server 1 and Portal server 2 (each a servlet container with a Java keystore) and stand-alone applications (each with its own Java keystore) call the GAMA server through its web services. The portal servers invoke create user, import user and retrieve credential; the stand-alone applications invoke retrieve credential.]

Page 4:

GAMA 1 ideal environment

• New portal/Grid project
• No existing users/credentials
• Single administrator
• Globus Grid
• GridSphere portal
• Authorization through grid-mapfile

Page 5:

GAMA 1 weaknesses

• Hard to incorporate existing user accounts and Grid credentials

• Hard to use existing infrastructure
– MyProxy server
– Other CA packages

• Hard to expand core GAMA functions
– SRB account creation
– Authorization - CAS not so useful?
– Unix accounts
– grid-mapfile updates

Page 6:

Back to the drawing board…

Page 7:

GAMA 2 features

• Implementation agnostic
• Extensible through a plug-in architecture
• Workflow system for multi-step operations
• Supports VOs with many sites and independent site administrators
• Provides cluster account management

Page 8:

Implementation agnostic

• No explicit reliance on MyProxy, CACL, CAS. Accomplished through a plug-in architecture on GAMA server: use whatever CA you want, whatever credential storage, whatever authorization service, etc.

• GAMA 2 includes CACL, Naregi and MyProxy plugins out of the box

• May also include SRB account management, and other plugins

Page 9:


• GAMA admin can write task plugins to accomplish novel tasks:
– Interface with existing infrastructure (authentication/authorization mechanisms, databases, CA packages, etc.)
– Manage Unix / Windows / physical accounts
– etc.

Page 10:


All GAMA tasks extend GAMATask class:

abstract public class GAMATask {
    // Do the task's work; throw GAMATaskException so the sequence engine can stop or roll back.
    abstract public void doTask() throws GAMATaskException;
    // Undo the task's effects. The default is a no-op (an abstract method cannot carry a body),
    // so only tasks with side effects need to override it.
    public void rollbackTask() throws GAMATaskRollbackException {}
}


Page 11:

Extensible - MyProxyAuthNTask.xml

<task-def>
  <task-param>
    <param-name>username</param-name>
    <param-class>java.lang.String</param-class>
    <param-required>true</param-required>
  </task-param>
  <task-param>
    <param-name>password</param-name>
    <param-class>java.lang.String</param-class>
    <param-required>true</param-required>
    <param-nopersist>true</param-nopersist>
  </task-param>
  …
  <task-output>
    <output-name>credentialobject</output-name>
    <output-class>org.globus.gsi.GlobusCredential</output-class>
  </task-output>
  <task-output>
    <output-name>credentialstring</output-name>
    <output-class>java.lang.String</output-class>
  </task-output>
</task-def>

Page 12:

Extensible -

import java.util.Map;
import org.globus.myproxy.MyProxy;
import org.globus.myproxy.MyProxyException;
import org.ietf.jgss.GSSCredential;

public class MyProxyAuthNTask extends GAMATask {
    // Assumed, not on the slide (the right-hand sides were lost in extraction): the task
    // engine supplies the <task-param> values in a map keyed by param-name, as in
    // MyProxyAuthNTask.xml, plus a configured MyProxy client and the lifetime in seconds.
    private Map<String, Object> inputs;
    private MyProxy myproxy;
    private Integer myProxyLifetime;
    private GSSCredential cred;   // handed back to the engine as the "credentialobject" output

    public void doTask() throws GAMATaskException {
        String username = (String) inputs.get("username");
        String passwd = (String) inputs.get("password");   // param-nopersist: must never be stored
        try {
            cred = (GSSCredential) myproxy.get(username, passwd, myProxyLifetime.intValue());
        } catch (MyProxyException e) {
            // GAMATaskException(String, Throwable) is assumed here.
            throw new GAMATaskException("MyProxy retrieval failed for " + username, e);
        }
    }
}

Page 13:

Workflow system

• Server operations are customizable and expandable. Uses a workflow system that can execute arbitrary sequences of tasks for any operation, such as “login.”

– GAMA 1 login does one thing: tries to retrieve a credential from MyProxy.

– GAMA 2 login could do a sequence of things: retrieve credential from MyProxy, open an SRB socket connection, write a message to a logfile, etc.

Page 14:

Workflow system - MyProxyAuthNSequence.xml

<sequence-def>
  <sequence-description>GAMA's default MyProxy authentication sequence</sequence-description>
  <sequence-type>authenticate</sequence-type>
  <sequence-type-default>true</sequence-type-default>
  <sequence-rollbackallonfailure>false</sequence-rollbackallonfailure>
  <sequence-item>
    <item-class>authn.MyProxyAuthNTask</item-class>
    <item-class-config-id>0</item-class-config-id>
    <item-description>simple MyProxy authentication with username and password</item-description>
    <item-rollbackonfailure>false</item-rollbackonfailure>
    <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
    <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
  </sequence-item>
</sequence-def>

Page 15:

Workflow system - NewUserSetupSequence.xml

<sequence-def>
  <sequence-description>GAMA's default CACL and MyProxy new user sequence</sequence-description>
  …
  <sequence-item>
    <item-class>CACLNewUserTask</item-class>
    <item-description>Create a new user in CACL</item-description>
    <item-rollbackonfailure>true</item-rollbackonfailure>
    <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
    <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
  </sequence-item>
  <sequence-item>
    <item-class>MyProxyLoadCredentialsFromCATask</item-class>
    <item-description>Load a user's credentials from CA into MyProxy</item-description>
    <item-rollbackonfailure>true</item-rollbackonfailure>
    <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
    <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
  </sequence-item>
</sequence-def>
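The rollback behaviour these sequence files describe, as an added example that is not GAMA's code: a small Python task engine in the style of the GAMATask class (page 10) that executes a constructed copy of NewUserSetupSequence.xml. The slides do not define the item flags precisely, so the example assumes that item-rollbackonfailure marks an item whose rollbackTask() runs when the sequence fails at or after it, that sequence-rollbackallonfailure rolls back every completed item regardless of that flag, and that item-stopsequenceonfailure and item-stopsequenceonsuccess end the run early. CACL and MyProxy are simulated with an in-memory state dict; run_sequence(), new_user() and the state keys are this example's own names.

```python
# Added example, not GAMA's own code (see the lead-in above for what is assumed).
import xml.etree.ElementTree as ET


class GAMATaskException(Exception):
    pass


class GAMATaskRollbackException(Exception):
    pass


class GAMATask:
    """Python rendering of the abstract GAMATask class on page 10."""

    def __init__(self, state, inputs):
        self.state, self.inputs = state, inputs   # simulated backends; key-value inputs

    def do_task(self):
        raise NotImplementedError

    def rollback_task(self):
        pass   # default no-op, as on the slide


class CACLNewUserTask(GAMATask):
    def do_task(self):
        user = self.inputs["username"]
        if user in self.state["ca_users"]:
            raise GAMATaskException("CA already has a certificate for %s" % user)
        self.state["ca_users"].add(user)

    def rollback_task(self):
        # Drop the CA registration so no half-provisioned identity survives a failed run.
        self.state["ca_users"].discard(self.inputs["username"])


class MyProxyLoadCredentialsFromCATask(GAMATask):
    def do_task(self):
        if not self.state["myproxy_up"]:
            raise GAMATaskException("MyProxy server unreachable")
        self.state["myproxy_users"].add(self.inputs["username"])

    def rollback_task(self):
        self.state["myproxy_users"].discard(self.inputs["username"])


# item-class is package-qualified on the slide; the engine looks up the simple name.
TASK_CLASSES = {c.__name__: c for c in (CACLNewUserTask, MyProxyLoadCredentialsFromCATask)}

# Constructed from the NewUserSetupSequence.xml slide; the elements behind its "..."
# are not reproduced, and sequence-rollbackallonfailure is set so per-item flags decide.
NEW_USER_SEQUENCE_XML = """<sequence-def>
  <sequence-rollbackallonfailure>false</sequence-rollbackallonfailure>
  <sequence-item>
    <item-class>CACLNewUserTask</item-class>
    <item-rollbackonfailure>true</item-rollbackonfailure>
    <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
    <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
  </sequence-item>
  <sequence-item>
    <item-class>MyProxyLoadCredentialsFromCATask</item-class>
    <item-rollbackonfailure>true</item-rollbackonfailure>
    <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
    <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
  </sequence-item>
</sequence-def>"""


def _flag(elem, tag):
    return (elem.findtext(tag) or "false").strip().lower() == "true"


def run_sequence(sequence_xml, state, inputs):
    """Execute each <sequence-item> in order; return (succeeded, log)."""
    root = ET.fromstring(sequence_xml)
    rollback_all = _flag(root, "sequence-rollbackallonfailure")
    completed, log = [], []   # completed: (task, item-rollbackonfailure)
    for item in root.findall("sequence-item"):
        name = item.findtext("item-class").strip().rsplit(".", 1)[-1]
        own_rollback = _flag(item, "item-rollbackonfailure")
        task = TASK_CLASSES[name](state, inputs)
        try:
            task.do_task()
        except GAMATaskException as exc:
            log.append("fail %s: %s" % (name, exc))
            # Undo the failed item if flagged, then the completed ones newest-first.
            for t, flagged in ([(task, True)] if own_rollback else []) + completed[::-1]:
                if not (rollback_all or flagged):
                    continue
                try:
                    t.rollback_task()
                    log.append("rollback %s" % type(t).__name__)
                except GAMATaskRollbackException as rexc:
                    log.append("rollback %s failed: %s" % (type(t).__name__, rexc))
            if _flag(item, "item-stopsequenceonfailure"):
                return False, log
            continue
        log.append("ok %s" % name)
        completed.append((task, own_rollback))
        if _flag(item, "item-stopsequenceonsuccess"):
            break
    return True, log


def new_user(username, myproxy_up=True):
    """Provision `username`; return (ok, state, log) so both backends can be inspected."""
    state = {"ca_users": set(), "myproxy_users": set(), "myproxy_up": myproxy_up}
    ok, log = run_sequence(NEW_USER_SEQUENCE_XML, state, {"username": username})
    return ok, state, log


if __name__ == "__main__":
    print(new_user("kmueller", myproxy_up=False))
```

With MyProxy unreachable, the CA registration made by CACLNewUserTask is rolled back, so a failed provisioning run does not leave a CA-issued identity with no proxy behind it; with both services up, both backends end holding the user. The case worth checking in any real engine is a rollbackTask() that itself fails: here it is logged and the engine carries on undoing the remaining items rather than abandoning the cleanup half-way.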

Page 16:

GAMA 1 server vs. GAMA 2 server

[Deployment diagram. GAMA 1: the account request portlet and account admin portlet in the GridSphere portal call create user on the GAMA 1 server, and the login portlet calls login user through a login web service client. GAMA 2: the account admin GUI (a GridSphere portal) and the login web service clients talk to the task engine on the GAMA 2 server.]

Page 17:

Multi-site support

• GAMA 2 server supports multiple sites, each with its own local site administrator

• Site admin logs in to GAMA server and manages accounts for just their site; other sites’ users are not visible. Primary GAMA admin can manage all users.

• GAMA can be configured to perform different sequences of actions for different sites:
– Site A -> login sequence A
– Site B -> login sequence B

Page 18:

Cluster account management

• GAMA knows about resources such as clusters
– A resource belongs to a site

• Site admin can specify access permissions for each user on each resource in their site

• Resources can poll GAMA server for list of valid users, and manage individual user accounts and/or grid-mapfile entries accordingly.

• Provides a critical step in cluster management: Rocks for OS/software install, GAMA for users
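An added example (not GAMA's or Rocks' code) of the reconciliation a cluster would run after polling the GAMA server for its valid users: the reply is modelled as a list of (certificate subject, local account) pairs, the existing grid-mapfile is a constructed sample, and reconcile_gridmap() returns the new file text plus what it added, removed and changed. All names and sample data are this example's own.

```python
# Added example, not GAMA's own code (see the lead-in above for what is assumed).
import re

# One grid-mapfile entry: a double-quoted X.509 subject, then one or more
# comma-separated local account names.
_ENTRY = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')
_ACCOUNT = re.compile(r"[a-z_][a-z0-9_-]*")

SAMPLE_GRIDMAP = '''# constructed sample: the grid-mapfile currently on a cluster head node
"/C=US/O=NPACI/OU=SDSC/CN=Kurt Mueller" kmueller
"/C=US/O=NPACI/OU=SDSC/CN=Former Student" fstudent
"/C=US/O=NPACI/OU=SDSC/CN=Shared Account" proj1,proj2
'''

# Constructed stand-in for what a resource gets back when it polls the GAMA
# server for its valid users: (certificate subject, local account) pairs.
SAMPLE_SERVER_USERS = [
    ("/C=US/O=NPACI/OU=SDSC/CN=Kurt Mueller", "kmueller"),
    ("/C=US/O=NPACI/OU=SDSC/CN=New Postdoc", "npostdoc"),
    ("/C=US/O=NPACI/OU=SDSC/CN=Shared Account", "proj1"),
]


def parse_gridmap(text):
    """Return {subject: [local accounts]}; blank and comment lines are skipped,
    anything else that does not parse is an error rather than silently dropped."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("grid-mapfile line %d is malformed: %r" % (lineno, line))
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping


def format_gridmap(mapping):
    return "".join('"%s" %s\n' % (dn, ",".join(accts)) for dn, accts in sorted(mapping.items()))


def reconcile_gridmap(current_text, server_users):
    """Rewrite the grid-mapfile so it matches the server's list exactly.
    Returns (new_text, added, removed, changed): sorted subject lists for new
    entries, entries dropped because the server no longer lists them, and
    entries whose local accounts changed."""
    current = parse_gridmap(current_text)
    desired = {}
    for dn, acct in server_users:
        # The reply drives an access-control file: refuse anything that is not a
        # plain subject and an ordinary account name (no root, no quoting tricks).
        if not dn.startswith("/") or '"' in dn or "\n" in dn:
            raise ValueError("refusing suspicious subject %r" % dn)
        if acct == "root" or not _ACCOUNT.fullmatch(acct):
            raise ValueError("refusing account %r for %r" % (acct, dn))
        desired.setdefault(dn, []).append(acct)
    added = sorted(dn for dn in desired if dn not in current)
    removed = sorted(dn for dn in current if dn not in desired)
    changed = sorted(dn for dn in desired if dn in current and desired[dn] != current[dn])
    return format_gridmap(desired), added, removed, changed


if __name__ == "__main__":
    text, added, removed, changed = reconcile_gridmap(SAMPLE_GRIDMAP, SAMPLE_SERVER_USERS)
    print(text)
    print("added", added, "removed", removed, "changed", changed)
```

Two things a practitioner wants from this step: entries the server no longer lists are removed, not merely new ones added, so a user the site admin has de-authorised loses access on the next poll; and the server's reply is treated as untrusted input before it is written into an access-control file. The poll itself has to go over a channel that authenticates the GAMA server, since a spoofed reply would rewrite the cluster's access list.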

Page 19:

GAMA 2 web services

• Provide a simple API that duplicates GAMA 1 API:
authenticateUser()
authorizeUser()
requestNewUser()
…

• Plus new methods for site/resource management:
createSite()
addNewResource()
getResourceUsers()
addUserToResource()
…

Page 20:

GAMA 2 web services

• All web services take as inputs a set of key-value pairs, and produce as outputs another set of key-value pairs

• Allows flexibility for task/sequence writers, at the expense of explicitness:

String authenticateUser(String username, String password, String lifetime) {…}

vs.

HashMap authenticateUser(HashMap inputs) {…}
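An added example, not GAMA's code, covering both the task-def on page 11 and the key-value web-service inputs discussed here: with a HashMap signature nothing in the type system says which keys are required or what type they hold, so the task-def is used to validate the inputs before the task runs and to decide what may be persisted. The task-def is constructed from the MyProxyAuthNTask.xml slide; the lifetime parameter, parse_task_def(), input_errors() and persistable() are this example's own.

```python
# Added example, not GAMA's own code (see the lead-in above for what is assumed).
import xml.etree.ElementTree as ET

# Constructed from the MyProxyAuthNTask.xml slide; "lifetime" is this example's own
# stand-in for the parameters the slide elides with "...".
TASK_DEF_XML = """<task-def>
  <task-param>
    <param-name>username</param-name>
    <param-class>java.lang.String</param-class>
    <param-required>true</param-required>
  </task-param>
  <task-param>
    <param-name>password</param-name>
    <param-class>java.lang.String</param-class>
    <param-required>true</param-required>
    <param-nopersist>true</param-nopersist>
  </task-param>
  <task-param>
    <param-name>lifetime</param-name>
    <param-class>java.lang.Integer</param-class>
    <param-required>false</param-required>
  </task-param>
  <task-output>
    <output-name>credentialobject</output-name>
    <output-class>org.globus.gsi.GlobusCredential</output-class>
  </task-output>
  <task-output>
    <output-name>credentialstring</output-name>
    <output-class>java.lang.String</output-class>
  </task-output>
</task-def>"""

# Java parameter classes that appear in task-defs, and the Python types accepted for them.
PARAM_TYPES = {"java.lang.String": str, "java.lang.Integer": int}


def parse_task_def(xml_text):
    """Return {param-name: {"cls": java class, "required": bool, "nopersist": bool}}."""
    params = {}
    for p in ET.fromstring(xml_text).findall("task-param"):
        name = p.findtext("param-name").strip()
        params[name] = {
            "cls": p.findtext("param-class").strip(),
            "required": (p.findtext("param-required") or "false").strip() == "true",
            "nopersist": (p.findtext("param-nopersist") or "false").strip() == "true",
        }
    return params


def input_errors(params, inputs):
    """Check a key-value input set against the task-def.  Returns a list of
    problems (empty when the call may proceed): unknown keys, which a HashMap
    API would silently ignore, missing required params, and wrong types."""
    errors = ["unknown parameter: %s" % k for k in sorted(set(inputs) - set(params))]
    for name, spec in params.items():
        if name not in inputs:
            if spec["required"]:
                errors.append("missing required parameter: %s" % name)
            continue
        expected = PARAM_TYPES.get(spec["cls"])
        value = inputs[name]
        if expected is None:
            errors.append("unsupported param-class %s for %s" % (spec["cls"], name))
        elif not isinstance(value, expected) or isinstance(value, bool):
            errors.append("parameter %s must be a %s" % (name, spec["cls"]))
    return errors


def persistable(params, inputs):
    """Copy of the inputs that may go into the engine's persistent store: every
    param-nopersist value (the MyProxy password here) and any unknown key is left out."""
    return {k: v for k, v in inputs.items() if k in params and not params[k]["nopersist"]}


if __name__ == "__main__":
    p = parse_task_def(TASK_DEF_XML)
    call = {"username": "kmueller", "password": "s3cret", "lifetme": 43200}
    print(input_errors(p, call))
    print(persistable(p, {"username": "kmueller", "password": "s3cret"}))
```

Unknown keys are rejected rather than ignored, because a HashMap API silently drops a misspelled key and the caller never learns that, say, its requested lifetime was never applied. The param-nopersist flag is honoured by persistable(): the MyProxy password exists only for the duration of the call and never reaches the engine's stored state.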

Page 21:

GAMA server admin GUI demo

Page 22:

GAMA 2.0: Steps to completion

• Finish tying in web service interface to task engine

• Complete the administrative GUI
– Group management
– Task and sequence management

• Refactor account request and login portlets
• Provide client tools for cluster user management
• Construct server Rocks roll with Naregi, MyProxy and GAMA

Page 23:

GAMA: the future

• Explore authentication technologies
– CAS still useful?
– Shibboleth / GridShib
– etc.

• More complete end-to-end user management:
– grid-mapfile updates on end resources, for instance

• Synchronization / cooperation between multiple GAMA servers across VOs

Page 24:


• GAMA:
• GridSphere:
• CACL:
• Naregi CA:
• MyProxy:
• CAS:
• GEON project:
• Telescience project:
• NBCR:

Page 25:


SDSC/GEON: Kurt Mueller, Sandeep Chandra, Karan Bhatia

UCSD/NCMIR: Abel Lin, Khim Ung, Lu Dai

UCSD/BIRN: Jason Novotny, Ramil Manansala, Jana Nguyen