GAMA: Grid Account Management Architecture - PowerPoint PPT Presentation

Slides: 26
Provided by: kur148

1
GAMA Grid Account Management Architecture
  • Kurt Mueller
  • Grid Middleware Development Group
  • San Diego Supercomputer Center
  • University of California, San Diego

2
GAMA 1 in a nutshell
  • A system for creating and managing Grid accounts
    for portal and application users
  • Provides dedicated server installation consisting
    of Grid software (CACL, MyProxy, CAS) wrapped in
    web services
  • Provides management portlets for easy integration
    into GridSphere portal framework
      • User account request form
      • Administrative account management console
      • User login through GAMA - retrieves GSI credential

3
GAMA 1 architecture
  [architecture diagram] Components and operations shown: GAMA server (gama DB, AXIS Web Services wrapper; operations create user, import user, retrieve credential); Portal server 1 and Portal server 2 (GridSphere with gridportlets, servlet container, Java keystore), each retrieving credentials; stand-alone applications.
4
GAMA 1 ideal environment
  • New portal/Grid project
  • No existing users/credentials
  • Single administrator
  • Globus Grid
  • GridSphere portal
  • Authorization through grid-mapfile

5
GAMA 1 weaknesses
  • Hard to incorporate existing user accounts and
    Grid credentials
  • Hard to use existing infrastructure
      • MyProxy server
      • Other CA packages
  • Hard to expand core GAMA functions
      • SRB account creation
      • Authorization - CAS not so useful?
      • Unix accounts
      • grid-mapfile updates

6
Back to the drawing board
7
GAMA 2 features
  • Implementation agnostic
  • Extensible through a plug-in architecture
  • Workflow system for multi-step operations
  • Supports VOs with many sites and independent site
    administrators
  • Provides cluster account management

8
Implementation agnostic
  • No explicit reliance on MyProxy, CACL or CAS.
    Accomplished through a plug-in architecture on
    the GAMA server: use whatever CA, credential
    storage, authorization service, etc. you want.
  • GAMA 2 includes CACL, Naregi and MyProxy plugins
    out of the box
  • May also include SRB account management and
    other plugins

9
Extensible
  • GAMA admin can write task plugins to accomplish
    novel tasks
      • Interface with existing infrastructure
        (authentication/authorization mechanisms,
        databases, CA packages, etc.)
      • Manage Unix / Windows / physical accounts
      • etc.

10
Extensible
  • All GAMA tasks extend the GAMATask class:

    abstract public class GAMATask {
        abstract public void doTask() throws GAMATaskException;
        abstract public void rollbackTask() throws GAMATaskRollbackException;
    }

11
Extensible - MyProxyAuthNTask.xml
    <task-def>
      <task-param>
        <param-name>username</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
      </task-param>
      <task-param>
        <param-name>password</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
        <param-nopersist>true</param-nopersist>
      </task-param>
      <task-output>
        <output-name>credentialobject</output-name>
        <output-class>org.globus.gsi.GlobusCredential</output-class>
      </task-output>
      <task-output>
        <output-name>credentialstring</output-name>
        <!-- remaining elements are cut off in the slide transcript -->
      </task-output>
    </task-def>

12
Extensible - MyProxyAuthNTask.java
    import org.globus.myproxy.MyProxy;
    import org.globus.myproxy.MyProxyException;
    import org.ietf.jgss.GSSCredential;

    public class MyProxyAuthNTask extends GAMATask {

        // MyProxy client and credential lifetime are configured
        // elsewhere (their setup is not shown on the slide)
        private MyProxy myproxy;
        private Integer myProxyLifetime;

        public void doTask() throws GAMATaskException {
            // Task parameters declared in MyProxyAuthNTask.xml
            String username = (String) getParamObjectByName("username");
            String passwd = (String) getParamObjectByName("password");
            try {
                GSSCredential cred = myproxy.get(username, passwd, myProxyLifetime.intValue());
                // Task outputs declared in MyProxyAuthNTask.xml
                getOutputByName("credentialobject").setOutputObject(cred);
                getOutputByName("credentialstring").setOutputObject(cred.toString());
            } catch (MyProxyException e) {
                // MyProxy.get() declares a checked exception; wrapping it is not on the
                // slide and the String constructor of GAMATaskException is assumed here
                throw new GAMATaskException(e.getMessage());
            }
        }
    }

13
Workflow system
  • Server operations are customizable and
    expandable. Uses a workflow system that can
    execute arbitrary sequences of tasks for any
    operation, such as login.
  • GAMA 1 login does one thing: tries to retrieve a
    credential from MyProxy.
  • GAMA 2 login could do a sequence of things:
    retrieve credential from MyProxy, open an SRB
    socket connection, write a message to a logfile,
    etc.

14
Workflow system - MyProxyAuthNSequence.xml
    <sequence-def>
      <sequence-description>GAMA's default MyProxy authentication sequence</sequence-description>
      <sequence-type>authenticate</sequence-type>
      <sequence-type-default>true</sequence-type-default>
      <sequence-rollbackallonfailure>false</sequence-rollbackallonfailure>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.auth.authn.MyProxyAuthNTask</item-class>
        <item-class-config-id>0</item-class-config-id>
        <item-description>simple MyProxy authentication with username and password</item-description>
        <item-rollbackonfailure>false</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>

15
Workflow system - NewUserSetupSequence.xml
    <sequence-def>
      <sequence-description>GAMA's default CACL and MyProxy new user sequence</sequence-description>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.ca.newuser.CACLNewUserTask</item-class>
        <item-description>Create a new user in CACL</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.myproxy.newuser.MyProxyLoadCredentialsFromCATask</item-class>
        <item-description>Load a user's credentials from CA into MyProxy</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>
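To show how the per-item flags in the two sequence definitions above play out at run time, here is an added example; it is not GAMA's code, and since the task engine's real behaviour is not on the slides, the reading of the flags (rollbackonfailure marks a completed item to be undone, newest first, when a later item fails; rollbackallonfailure undoes every completed item; the stop flags end the sequence early) and the simulated CACL and MyProxy tasks are assumptions. It runs the NewUserSetupSequence with the MyProxy step failing, so the CACL user created in step 1 is removed again rather than left half-provisioned.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example (not GAMA's own code): a minimal stand-in for the GAMA 2 task
// engine that interprets the sequence-item flags from the sequence XMLs.
// The real engine's semantics are not on the slides; the reading here is an
// assumption (see the lead-in paragraph).
public class SequenceEngineDemo {

    /** Same contract as the abstract GAMATask class on the slides. */
    public interface Task {
        String name();
        void doTask() throws Exception;
        void rollbackTask() throws Exception;
    }

    /** One sequence-item: a task plus its three per-item flags. */
    public static final class Item {
        final Task task;
        final boolean rollbackOnFailure, stopOnSuccess, stopOnFailure;

        Item(Task task, boolean rollbackOnFailure, boolean stopOnSuccess, boolean stopOnFailure) {
            this.task = task;
            this.rollbackOnFailure = rollbackOnFailure;
            this.stopOnSuccess = stopOnSuccess;
            this.stopOnFailure = stopOnFailure;
        }
    }

    /** Runs the items in order; returns an audit trail of what happened. */
    public static List<String> run(List<Item> items, boolean rollbackAllOnFailure) {
        List<String> log = new ArrayList<>();
        Deque<Item> completed = new ArrayDeque<>(); // push() keeps the newest item first
        for (Item item : items) {
            try {
                item.task.doTask();
                completed.push(item);
                log.add("ok " + item.task.name());
                if (item.stopOnSuccess) {
                    log.add("stop: sequence succeeded early");
                    break;
                }
            } catch (Exception e) {
                log.add("fail " + item.task.name() + ": " + e.getMessage());
                // Undo earlier steps so a half-provisioned account is not left behind.
                for (Item done : completed) {
                    if (!(rollbackAllOnFailure || done.rollbackOnFailure)) continue;
                    try {
                        done.task.rollbackTask();
                        log.add("rolled back " + done.task.name());
                    } catch (Exception re) {
                        // A failed rollback is the case an admin must see and clean up by hand.
                        log.add("ROLLBACK FAILED " + done.task.name() + ": " + re.getMessage());
                    }
                }
                if (item.stopOnFailure) {
                    log.add("stop: sequence failed");
                    break;
                }
            }
        }
        return log;
    }

    /** Constructed stand-in for the CA: the user names it has issued certificates for. */
    static final Set<String> CA_USERS = new HashSet<>();

    /** Simulates CACLNewUserTask: creates the user in the CA; rollback deletes it again. */
    static Task caclNewUser(String user) {
        return new Task() {
            public String name() { return "CACLNewUserTask(" + user + ")"; }
            public void doTask() { CA_USERS.add(user); }
            public void rollbackTask() { CA_USERS.remove(user); }
        };
    }

    /** Simulates MyProxyLoadCredentialsFromCATask with the MyProxy server unreachable. */
    static Task myProxyLoadFails() {
        return new Task() {
            public String name() { return "MyProxyLoadCredentialsFromCATask"; }
            public void doTask() throws Exception { throw new Exception("MyProxy server unreachable"); }
            public void rollbackTask() { }
        };
    }

    public static void main(String[] args) {
        // NewUserSetupSequence.xml: both items have rollbackonfailure=true and stopsequenceonfailure=true.
        List<Item> newUserSequence = List.of(
            new Item(caclNewUser("alice"), true, false, true),
            new Item(myProxyLoadFails(), true, false, true));
        for (String line : run(newUserSequence, false)) System.out.println(line);
        // Shows whether the rollback removed the CACL user created in step 1.
        System.out.println("CA still has alice? " + CA_USERS.contains("alice"));
    }
}
```

The audit trail is the part worth keeping in a real engine: a rollback that itself fails (a CA that issued a certificate but will not revoke it) is exactly the state an administrator must be told about, since a user would otherwise hold a certificate the rest of the system does not know exists.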

16
  [architecture diagram] GridSphere portal: login portlet, account request portlet, account admin portlet, login web service client, account admin GUI. GAMA 1 server: CACL, MyProxy, CAS. GAMA 2 server: task engine, NewUserSequence, AuthNSequence, CACL, MyProxy, SRB. Operations shown: login user, create user.
17
Multi-site support
  • GAMA 2 server supports multiple sites, each with
    its own local site administrator
  • Site admin logs in to the GAMA server and manages
    accounts for just their site; other sites' users
    are not visible. The primary GAMA admin can manage
    all users.
  • GAMA can be configured to perform different
    sequences of actions for different sites
      • Site A -> login sequence A
      • Site B -> login sequence B

18
Cluster account management
  • GAMA knows about resources such as clusters
  • A resource belongs to a site
  • Site admin can specify access permissions for
    each user on each resource in their site
  • Resources can poll GAMA server for list of valid
    users, and manage individual user accounts and/or
    grid-mapfile entries accordingly.
  • Provides a critical step in cluster management
      • Rocks for OS/software install, GAMA for users

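As an added example of the resource-side step just described, not GAMA's own client tooling: a cluster that has polled GAMA for its list of valid users brings the local grid-mapfile in line with it. The shape of GAMA's reply is not on the slides, so this assumes it has already been turned into a map from certificate DN to local account name (one account per DN); the sample mapfile and user list are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example (not GAMA's own code): reconcile a cluster's grid-mapfile with
// the valid-user list GAMA returned for that resource. Assumes the reply has
// been converted to Map<DN, localAccount> with one local account per DN.
public class GridMapfileSync {

    /** Parses one grid-mapfile line of the form "<DN>" <local account>; null for blank or comment. */
    public static String[] parseLine(String line) {
        String s = line.trim();
        if (s.isEmpty() || s.startsWith("#")) return null;
        if (!s.startsWith("\"")) throw new IllegalArgumentException("DN must be quoted: " + line);
        int close = s.indexOf('"', 1);
        if (close < 0) throw new IllegalArgumentException("unterminated DN: " + line);
        String dn = s.substring(1, close);
        String account = s.substring(close + 1).trim();
        if (account.isEmpty()) throw new IllegalArgumentException("missing local account: " + line);
        return new String[] { dn, account };
    }

    /** Reads the current mapfile into DN -> account, preserving order. */
    public static Map<String, String> parse(List<String> lines) {
        Map<String, String> map = new LinkedHashMap<>();
        for (String line : lines) {
            String[] entry = parseLine(line);
            if (entry != null) map.put(entry[0], entry[1]);
        }
        return map;
    }

    /** Entries that must change for the mapfile to match GAMA's valid-user list. */
    public static final class Diff {
        public final Map<String, String> add = new LinkedHashMap<>();
        public final Map<String, String> remove = new LinkedHashMap<>();
        public final Map<String, String> remap = new LinkedHashMap<>(); // DN kept, account changed
    }

    public static Diff diff(Map<String, String> current, Map<String, String> valid) {
        Diff d = new Diff();
        for (Map.Entry<String, String> e : valid.entrySet()) {
            String have = current.get(e.getKey());
            if (have == null) d.add.put(e.getKey(), e.getValue());
            else if (!have.equals(e.getValue())) d.remap.put(e.getKey(), e.getValue());
        }
        // Entries GAMA no longer vouches for are the ones whose removal actually revokes access.
        for (Map.Entry<String, String> e : current.entrySet()) {
            if (!valid.containsKey(e.getKey())) d.remove.put(e.getKey(), e.getValue());
        }
        return d;
    }

    /** Renders the authoritative list as grid-mapfile lines. */
    public static List<String> render(Map<String, String> valid) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, String> e : valid.entrySet()) {
            out.add("\"" + e.getKey() + "\" " + e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the mapfile currently on the cluster.
        List<String> currentFile = List.of(
            "# managed by GAMA",
            "\"/C=US/O=Example Grid/OU=Site A/CN=Alice Example\" alice",
            "\"/C=US/O=Example Grid/OU=Site A/CN=Bob Example\" bob",
            "\"/C=US/O=Example Grid/OU=Site A/CN=Carol Example\" carol");
        // Constructed sample: what GAMA says is valid for this resource today.
        Map<String, String> valid = new LinkedHashMap<>();
        valid.put("/C=US/O=Example Grid/OU=Site A/CN=Alice Example", "alice");
        valid.put("/C=US/O=Example Grid/OU=Site A/CN=Bob Example", "bob2");   // local account renamed
        valid.put("/C=US/O=Example Grid/OU=Site A/CN=Dave Example", "dave");  // new user
        // Carol is absent from the list: her access ends when her entry is dropped.

        Diff d = diff(parse(currentFile), valid);
        System.out.println("add=" + d.add.keySet() + " remove=" + d.remove.keySet()
            + " remap=" + d.remap.keySet());
        for (String line : render(valid)) System.out.println(line);
    }
}
```

In practice the rendered lines should be written to a temporary file and renamed over the grid-mapfile in one step, and the `remove` and `remap` sets logged, since those are the changes that take access away or move it to a different local account.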
19
GAMA 2 web services
  • Provide a simple API that duplicates the GAMA 1 API
      • authenticateUser()
      • authorizeUser()
      • requestNewUser()
  • Plus new methods for site/resource management
      • createSite()
      • addNewResource()
      • getResourceUsers()
      • addUserToResource()

20
GAMA 2 web services
  • All web services take as inputs a set of
    key-value pairs, and produce as outputs another
    set of key-value pairs
  • Allows flexibility for task/sequence writers, at
    the expense of explicitness:

    String authenticateUser(String username, String password, String lifetime)
    vs.
    HashMap authenticateUser(HashMap inputs)
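One way to get the lost explicitness back is to check the key-value inputs against the task-param declarations of the task the service will run. The example below is added here and is not GAMA's code: the ParamDef class and the checks are assumptions about how a server could use a task-def, while the two declarations (username required; password required and nopersist) are the ones in MyProxyAuthNTask.xml above. It rejects missing, mistyped and undeclared parameters, and produces a copy of the inputs with nopersist values masked before anything is logged.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example (not GAMA's own code): validate HashMap-style web service
// inputs against task-param declarations and redact nopersist values for
// logging. ParamDef and the checks are assumptions; the declarations come
// from MyProxyAuthNTask.xml on the slides.
public class KeyValueServiceDemo {

    /** One task-param declaration: name, class, required, nopersist. */
    public static final class ParamDef {
        final String name;
        final Class<?> type;
        final boolean required;
        final boolean noPersist;

        ParamDef(String name, Class<?> type, boolean required, boolean noPersist) {
            this.name = name;
            this.type = type;
            this.required = required;
            this.noPersist = noPersist;
        }
    }

    /** Declarations from MyProxyAuthNTask.xml: username required; password required and nopersist. */
    public static final List<ParamDef> AUTHN_PARAMS = List.of(
        new ParamDef("username", String.class, true, false),
        new ParamDef("password", String.class, true, true));

    /** Rejects the call unless every input is declared and correctly typed and every required one is present. */
    public static Map<String, Object> validate(Map<String, Object> inputs, List<ParamDef> defs) {
        List<String> problems = new ArrayList<>();
        Map<String, ParamDef> byName = new LinkedHashMap<>();
        for (ParamDef d : defs) byName.put(d.name, d);
        for (ParamDef d : defs) {
            Object value = inputs.get(d.name);
            if (value == null) {
                if (d.required) problems.add("missing required param '" + d.name + "'");
            } else if (!d.type.isInstance(value)) {
                problems.add("param '" + d.name + "' must be " + d.type.getName());
            }
        }
        // Undeclared keys are rejected rather than silently passed through to the task.
        for (String key : inputs.keySet()) {
            if (!byName.containsKey(key)) problems.add("unexpected param '" + key + "'");
        }
        if (!problems.isEmpty()) throw new IllegalArgumentException(String.join("; ", problems));
        return inputs;
    }

    /** Copy of the inputs that is safe to log or persist: nopersist values are masked. */
    public static Map<String, Object> redact(Map<String, Object> inputs, List<ParamDef> defs) {
        Map<String, Object> safe = new LinkedHashMap<>(inputs);
        for (ParamDef d : defs) {
            if (d.noPersist && safe.containsKey(d.name)) safe.put(d.name, "<redacted>");
        }
        return safe;
    }

    /** Stand-in for HashMap authenticateUser(HashMap inputs); the real service would run the AuthN sequence. */
    public static Map<String, Object> authenticateUser(Map<String, Object> inputs) {
        validate(inputs, AUTHN_PARAMS);
        System.out.println("authenticateUser called with " + redact(inputs, AUTHN_PARAMS));
        Map<String, Object> outputs = new LinkedHashMap<>();
        outputs.put("credentialstring", "<credential for " + inputs.get("username") + ">");
        return outputs;
    }

    public static void main(String[] args) {
        Map<String, Object> good = new LinkedHashMap<>();
        good.put("username", "alice");
        good.put("password", "constructed-sample-passphrase");
        System.out.println(authenticateUser(good));

        Map<String, Object> bad = new LinkedHashMap<>();
        bad.put("username", "alice");
        bad.put("lifetime", 3600);   // not declared for this task, and password is missing
        try {
            authenticateUser(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same redacted map is what should reach any persisted record of the request, which is the point of the nopersist flag: a typed signature would never have put the password in a generic map in the first place, so the generic API has to enforce that property itself.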

21
GAMA server admin GUI demo
22
GAMA 2.0 Steps to completion
  • Finish tying in web service interface to task
    engine
  • Complete the administrative GUI
      • Group management
      • Task and sequence management
  • Refactor account request and login portlets
  • Provide client tools for cluster user management
  • Construct server Rocks roll with Naregi, MyProxy
    and GAMA

23
GAMA the future
  • Explore authentication technologies
      • CAS still useful?
      • Shibboleth / GridShib
      • etc.
  • More complete end-to-end user management
      • grid-mapfile updates on end resources, for
        instance
  • Synchronization / cooperation between multiple
    GAMA servers across VOs

24
References
  • GAMA http://grid-devel.sdsc.edu/gama
  • GridSphere http://www.gridsphere.org
  • CACL http://www.sdsc.edu/CA
  • Naregi CA https://www.naregi.org/ca
  • MyProxy http://grid.ncsa.uiuc.edu/myproxy
  • CAS http://www.globus.org/security/CAS
  • GEON project http://www.geongrid.org
  • Telescience project http://telescience.ucsd.edu
  • NBCR http://nbcr.sdsc.edu

25
Credits
  • SDSC/GEON
      • Kurt Mueller, Sandeep Chandra, Karan Bhatia
  • UCSD/NCMIR
      • Abel Lin, Khim Ung, Lu Dai
  • UCSD/BIRN
      • Jason Novotny, Ramil Manansala, Jana Nguyen