Introduction to Grid Computing and the Globus Toolkit

About This Presentation

Title:

Introduction to Grid Computing and the Globus Toolkit

Description:

Condor-G delivered 3.46E8 CPU seconds in 7 days (peak 1009 processors) in U.S. ... XML, Condor ClassAds, Globus RSL. X.509 certificate format (RFC 2459) ... – PowerPoint PPT presentation

Number of Views:157

Avg rating:3.0/5.0

Slides: 220

Provided by: leel166

Category:

more less

Transcript and Presenter's Notes

Title: Introduction to Grid Computing and the Globus Toolkit

1
Introduction toGrid Computingand the Globus
Toolkit

The Globus ProjectArgonne National
LaboratoryUSC Information Sciences Institute
http//www.globus.org

2
Outline

Introduction to Grid Computing
Some Definitions
Grid Architecture
The Programming Problem
The Globus Toolkit
Introduction, Security, Resource Management,
Information Services, Data Management
Related work
Futures and Conclusions

3
The Grid Problem

Flexible, secure, coordinated resource sharing
among dynamic collections of individuals,
institutions, and resource
From The Anatomy of the Grid Enabling Scalable
Virtual Organizations
Enable communities (virtual organizations) to
share geographically distributed resources as
they pursue common goals -- assuming the absence
of
central location,
central control,
omniscience,
existing trust relationships.

4
Elements of the Problem

Resource sharing
Computers, storage, sensors, networks,
Sharing always conditional issues of trust,
policy, negotiation, payment,
Coordinated problem solving
Beyond client-server distributed data analysis,
computation, collaboration,
Dynamic, multi-institutional virtual orgs
Community overlays on classic org structures
Large or small, static or dynamic

5
Why Grids?

A biochemist exploits 10,000 computers to screen
100,000 compounds in an hour
1,000 physicists worldwide pool resources for
petaop analyses of petabytes of data
Civil engineers collaborate to design, execute,
analyze shake table experiments
Climate scientists visualize, annotate, analyze
terabyte simulation datasets
An emergency response team couples real time
data, weather model, population data

6
Why Grids? (contd)

A multidisciplinary analysis in aerospace couples
code and data in four companies
A home user invokes architectural design
functions at an application service provider
An application service provider purchases cycles
from compute cycle providers
Scientists working for a multinational soap
company design a new product
A community group pools members PCs to analyze
alternative designs for a local road

7
Online Access to Scientific Instruments
Advanced Photon Source
wide-area dissemination
desktop VR clients with shared controls
real-time collection
archival storage
tomographic reconstruction
DOE X-ray grand challenge ANL, USC/ISI, NIST,
U.Chicago
8
Data Grids forHigh Energy Physics
Image courtesy Harvey Newman, Caltech
9
Mathematicians Solve NUG30

Looking for the solution to the NUG30 quadratic
assignment problem
An informal collaboration of mathematicians and
computer scientists
Condor-G delivered 3.46E8 CPU seconds in 7 days
(peak 1009 processors) in U.S. and Italy (8 sites)

14,5,28,24,1,3,16,15, 10,9,21,2,4,29,25,22, 13,26,
17,30,6,20,19, 8,18,7,27,12,11,23
MetaNEOS Argonne, Iowa, Northwestern, Wisconsin
10
Network for EarthquakeEngineering Simulation

NEESgrid national infrastructure to couple
earthquake engineers with experimental
facilities, databases, computers, each other
On-demand access to experiments, data streams,
computing, archives, collaboration

NEESgrid Argonne, Michigan, NCSA, UIUC, USC
11
Home ComputersEvaluate AIDS Drugs

Community
1000s of home computer users
Philanthropic computing vendor (Entropia)
Research group (Scripps)
Common goal advance AIDS research

12
Broader Context

Grid Computing has much in common with major
industrial thrusts
Business-to-business, Peer-to-peer, Application
Service Providers, Storage Service Providers,
Distributed Computing, Internet Computing
Sharing issues not adequately addressed by
existing technologies
Complicated requirements run program X at site
Y subject to community policy P, providing access
to data at Z according to policy Q
High performance unique demands of advanced
high-performance systems

13
Why Now?

Moores law improvements in computing produce
highly functional endsystems
The Internet and burgeoning wired and wireless
provide universal connectivity
Changing modes of working and problem solving
emphasize teamwork, computation
Network exponentials produce dramatic changes in
geometry and geography

14
Network Exponentials

Network vs. computer performance
Computer speed doubles every 18 months
Network speed doubles every 9 months
Difference order of magnitude per 5 years
1986 to 2000
Computers x 500
Networks x 340,000
2001 to 2010
Computers x 60
Networks x 4000

Moores Law vs. storage improvements vs. optical
improvements. Graph from Scientific American
(Jan-2001) by Cleo Vilett, source Vined Khoslan,
Kleiner, Caufield and Perkins.
15
The Globus ProjectMaking Grid computing a
reality

Close collaboration with real Grid projects in
science and industry
Development and promotion of standard Grid
protocols to enable interoperability and shared
infrastructure
Development and promotion of standard Grid
software APIs and SDKs to enable portability and
code sharing
The Globus Toolkit Open source, reference
software base for building grid infrastructure
and applications
Global Grid Forum Development of standard
protocols and APIs for Grid computing

16
Selected Major Grid Projects
New
New
17
Selected Major Grid Projects
New
New
New
New
New
18
Selected Major Grid Projects
New
New
19
Selected Major Grid Projects
New
New
Also many technology RD projects e.g., Condor,
NetSolve, Ninf, NWS See also www.gridforum.org
20
The 13.6 TF TeraGridComputing at 40 Gb/s
Site Resources
Site Resources
26
HPSS
HPSS
4
24
External Networks
External Networks
8
5
Caltech
Argonne
External Networks
External Networks
NCSA/PACI 8 TF 240 TB
SDSC 4.1 TF 225 TB
Site Resources
Site Resources
HPSS
UniTree
TeraGrid/DTF NCSA, SDSC, Caltech, Argonne
www.teragrid.org
21
iVDGLInternational Virtual Data Grid Laboratory
U.S. PIs Avery, Foster, Gardner, Newman, Szalay
www.ivdgl.org
22
For More Information

Globus Project
www.globus.org
Grid Forum
www.gridforum.org
Book (Morgan Kaufman)
www.mkp.com/grids

23
Some Definitions

The Globus Project
Argonne National LaboratoryUSC Information
Sciences Institute
http//www.globus.org

24
Some Important Definitions

Resource
Network protocol
Network enabled service
Application Programmer Interface (API)
Software Development Kit (SDK)
Syntax
Not discussed, but important policies

25
Resource

An entity that is to be shared
E.g., computers, storage, data, software
Does not have to be a physical entity
E.g., Condor pool, distributed file system,
Defined in terms of interfaces, not devices
E.g. scheduler such as LSF and PBS define a
compute resource
Open/close/read/write define access to a
distributed file system, e.g. NFS, AFS, DFS

26
Network Protocol

A formal description of message formats and a set
of rules for message exchange
Rules may define sequence of message exchanges
Protocol may define state-change in endpoint,
e.g., file system state change
Good protocols designed to do one thing
Protocols can be layered
Examples of protocols
IP, TCP, TLS (was SSL), HTTP, Kerberos

27
Network Enabled Services

Implementation of a protocol that defines a set
of capabilities
Protocol defines interaction with service
All services require protocols
Not all protocols are used to provide services
(e.g. IP, TLS)
Examples FTP and Web servers

28
Application Programming Interface

A specification for a set of routines to
facilitate application development
Refers to definition, not implementation
E.g., there are many implementations of MPI
Spec often language-specific (or IDL)
Routine name, number, order and type of
arguments mapping to language constructs
Behavior or function of routine
Examples
GSS API (security), MPI (message passing)

29
Software Development Kit

A particular instantiation of an API
SDK consists of libraries and tools
Provides implementation of API specification
Can have multiple SDKs for an API
Examples of SDKs
MPICH, Motif Widgets

30
Syntax

Rules for encoding information, e.g.
XML, Condor ClassAds, Globus RSL
X.509 certificate format (RFC 2459)
Cryptographic Message Syntax (RFC 2630)
Distinct from protocols
One syntax may be used by many protocols (e.g.,
XML) useful for other purposes
Syntaxes may be layered
E.g., Condor ClassAds -gt XML -gt ASCII
Important to understand layerings when comparing
or evaluating syntaxes

31
A Protocol can have Multiple APIs

TCP/IP APIs include BSD sockets, Winsock, System
V streams,
The protocol provides interoperability programs
using different APIs can exchange information
I dont need to know remote users API

Application
Application
WinSock API
Berkeley Sockets API
TCP/IP Protocol Reliable byte streams
32
An API can have Multiple Protocols

MPI provides portability any correct program
compiles runs on a platform
Does not provide interoperability all processes
must link against same SDK
E.g., MPICH and LAM versions of MPI

33
APIs and Protocols are Both Important

Standard APIs/SDKs are important
They enable application portability
But w/o standard protocols, interoperability is
hard (every SDK speaks every protocol?)
Standard protocols are important
Enable cross-site interoperability
Enable shared infrastructure
But w/o standard APIs/SDKs, application
portability is hard (different platforms access
protocols in different ways)

34
Grid Architecture

The Globus Project
Argonne National LaboratoryUSC Information
Sciences Institute
http//www.globus.org

35
Why Discuss Architecture?

Descriptive
Provide a common vocabulary for use when
describing Grid systems
Guidance
Identify key areas in which services are required
Prescriptive
Define standard Intergrid protocols and APIs to
facilitate creation of interoperable Grid systems
and portable applications

36
One View of Requirements

Identity authentication
Authorization policy
Resource discovery
Resource characterization
Resource allocation
(Co-)reservation, workflow
Distributed algorithms
Remote data access
High-speed data transfer
Performance guarantees
Monitoring

Adaptation
Intrusion detection
Resource management
Accounting payment
Fault management
System evolution
Etc.
Etc.

37
Another View Three Obstaclesto Making Grid
Computing Routine

New approaches to problem solving
Data Grids, distributed computing, peer-to-peer,
collaboration grids,
Structuring and writing programs
Abstractions, tools
Enabling resource sharing across distinct
institutions
Resource discovery, access, reservation,
allocation authentication, authorization,
policy communication fault detection and
notification

38
Programming Systems Problems

The programming problem
Facilitate development of sophisticated apps
Facilitate code sharing
Requires prog. envs APIs, SDKs, tools
The systems problem
Facilitate coordinated use of diverse resources
Facilitate infrastructure sharing e.g.,
certificate authorities, info services
Requires systems protocols, services
E.g., port/service/protocol for accessing
information, allocating resources

39
The Systems ProblemResource Sharing Mechanisms
That

Address security and policy concerns of resource
owners and users
Are flexible enough to deal with many resource
types and sharing modalities
Scale to large number of resources, many
participants, many program components
Operate efficiently when dealing with large
amounts of data computation

40
Aspects of the Systems Problem

Need for interoperability when different groups
want to share resources
Diverse components, policies, mechanisms
E.g., standard notions of identity, means of
communication, resource descriptions
Need for shared infrastructure services to avoid
repeated development, installation
E.g., one port/service/protocol for remote access
to computing, not one per tool/appln
E.g., Certificate Authorities expensive to run
A common need for protocols services

41
Hence, a Protocol-Oriented View of Grid
Architecture, that Emphasises

Development of Grid protocols services
Protocol-mediated access to remote resources
New services e.g., resource brokering
On the Grid speak Intergrid protocols
Mostly (extensions to) existing protocols
Development of Grid APIs SDKs
Interfaces to Grid protocols services
Facilitate application development by supplying
higher-level abstractions
The (hugely successful) model is the Internet

42
Layered Grid Architecture(By Analogy to Internet
Architecture)
43
Protocols, Services,and APIs Occur at Each Level
Applications
Languages/Frameworks
Collective Service APIs and SDKs
Collective Service Protocols
Collective Services
Resource APIs and SDKs
Resource Service Protocols
Resource Services
Connectivity APIs
Connectivity Protocols
Local Access APIs and Protocols
Fabric Layer
44
Important Points

Built on Internet protocols services
Communication, routing, name resolution, etc.
Layering here is conceptual, does not imply
constraints on who can call what
Protocols/services/APIs/SDKs will, ideally, be
largely self-contained
Some things are fundamental e.g., communication
and security
But, advantageous for higher-level functions to
use common lower-level functions

45
The Hourglass Model

Focus on architecture issues
Propose set of core services as basic
infrastructure
Use to construct high-level, domain-specific
solutions
Design principles
Keep participation cost low
Enable local control
Support for adaptation
IP hourglass model

A p p l i c a t i o n s
Diverse global services
Core services
Local OS
46
Where Are We With Architecture?

No official standards exist
But
Globus Toolkit has emerged as the de facto
standard for several important Connectivity,
Resource, and Collective protocols
GGF has an architecture working group
Technical specifications are being developed for
architecture elements e.g., security, data,
resource management, information
Internet drafts submitted in security area

47
Fabric LayerProtocols Services

Just what you would expect the diverse mix of
resources that may be shared
Individual computers, Condor pools, file systems,
archives, metadata catalogs, networks, sensors,
etc., etc.
Few constraints on low-level technology
connectivity and resource level protocols form
the neck in the hourglass
Defined by interfaces not physical characteristics

48
Connectivity LayerProtocols Services

Communication
Internet protocols IP, DNS, routing, etc.
Security Grid Security Infrastructure (GSI)
Uniform authentication, authorization, and
message protection mechanisms in
multi-institutional setting
Single sign-on, delegation, identity mapping
Public key technology, SSL, X.509, GSS-API
Supporting infrastructure Certificate
Authorities, certificate key management,

GSI www.gridforum.org/security
49
Resource LayerProtocols Services

Grid Resource Allocation Mgmt (GRAM)
Remote allocation, reservation, monitoring,
control of compute resources
GridFTP protocol (FTP extensions)
High-performance data access transport
Grid Resource Information Service (GRIS)
Access to structure state information
Network reservation, monitoring, control
All built on connectivity layer GSI IP

GridFTP www.gridforum.org GRAM, GRIS
www.globus.org
50
Collective LayerProtocols Services

Index servers aka metadirectory services
Custom views on dynamic resource collections
assembled by a community
Resource brokers (e.g., Condor Matchmaker)
Resource discovery and allocation
Replica catalogs
Replication services
Co-reservation and co-allocation services
Workflow management services
Etc.

Condor www.cs.wisc.edu/condor
51
ExampleHigh-ThroughputComputing System
App
High Throughput Computing System
Collective (App)
Dynamic checkpoint, job management, failover,
staging
Collective (Generic)
Brokering, certificate authorities
Access to data, access to computers, access to
network performance data
Resource
Communication, service discovery (DNS),
authentication, authorization, delegation
Connect
Storage systems, schedulers
Fabric
52
ExampleData Grid Architecture
App
Discipline-Specific Data Grid Application
Coherency control, replica selection, task
management, virtual data catalog, virtual data
code catalog,
Collective (App)
Replica catalog, replica management,
co-allocation, certificate authorities, metadata
catalogs,
Collective (Generic)
Access to data, access to computers, access to
network performance data,
Resource
Communication, service discovery (DNS),
authentication, authorization, delegation
Connect
Storage systems, clusters, networks, network
caches,
Fabric
53
The Programming Problem

The Globus Project
Argonne National LaboratoryUSC Information
Sciences Institute
http//www.globus.org

54
The Programming Problem

But how do I develop robust, secure, long-lived,
well-performing applications for dynamic,
heterogeneous Grids?
I need, presumably
Abstractions and models to add to
speed/robustness/etc. of development
Tools to ease application development and
diagnose common problems
Code/tool sharing to allow reuse of code
components developed by others

55
Grid Programming Technologies

Grid applications are incredibly diverse (data,
collaboration, computing, sensors, )
Seems unlikely there is one solution
Most applications have been written from
scratch, with or without Grid services
Application-specific libraries have been shown to
provide significant benefits
No new language, programming model, etc., has yet
emerged that transforms things
But certainly still quite possible

56
Examples of GridProgramming Technologies

MPICH-G2 Grid-enabled message passing
CoG Kits, GridPort Portal construction, based on
N-tier architectures
GDMP, Data Grid Tools, SRB replica management,
collection management
Condor-G workflow management
Legion object models for Grid computing
Cactus Grid-aware numerical solver framework
Note tremendous variety, application focus

57
MPICH-G2 A Grid-Enabled MPI

A complete implementation of the Message Passing
Interface (MPI) for heterogeneous, wide area
environments
Based on the Argonne MPICH implementation of MPI
(Gropp and Lusk)
Requires services for authentication, resource
allocation, executable staging, output, etc.
Programs run in wide area without change
See also MetaMPI, PACX, STAMPI, MAGPIE

www.globus.org/mpi
58
Cactus(Allen, Dramlitsch, Seidel, Shalf, Radke)

Modular, portable framework for parallel,
multidimensional simulations
Construct codes by linking
Small core (flesh) mgmt services
Selected modules (thorns) Numerical methods,
grids domain decomps, visualization and
steering, etc.
Custom linking/configuration tools
Developed for astrophysics, but not
astrophysics-specific

Thorns
Cactus flesh
www.cactuscode.org
59
High-Throughput Computingand Condor

High-throughput computing
CPU cycles/day (week, month, year?) under
non-ideal circumstances
How many times can I run simulation X in a month
using all available machines?
Condor converts collections of distributively
owned workstations and dedicated clusters into a
distributed high-throughput computing facility
Emphasis on policy management and reliability

www.cs.wisc.org/condor
60
Object-Based Approaches

Grid-enabled CORBA
NASA Lewis, Rutgers, ANL, others
CORBA wrappers for Grid protocols
Some initial successes
Legion
U.Virginia
Object models for Grid components (e.g.,
vaultstorage, hostcomputer)

61
Portals

N-tier architectures enabling thin clients, with
middle tiers using Grid functions
Thin clients web browsers
Middle tier e.g. Java Server Pages, with Java
CoG Kit, GPDK, GridPort utilities
Bottom tier various Grid resources
Numerous applications and projects, e.g.
Unicore, Gateway, Discover, Mississippi
Computational Web Portal, NPACI Grid Port,
Lattice Portal, Nimrod-G, Cactus, NASA IPG
Launchpad, Grid Resource Broker,

62
Common Toolkit Underneath

Each of these programming environments should not
have to implement the protocols and services from
scratch!
Rather, want to share common code that
Implements core functionality
SDKs that can be used to construct a large
variety of services and clients
Standard services that can be easily deployed
Is robust, well-architected, self-consistent
Is open source, with broad input
Which leads us to the Globus Toolkit

63
The Globus ToolkitIntroduction

The Globus Project
Argonne National LaboratoryUSC Information
Sciences Institute
http//www.globus.org

64
Globus Toolkit

A software toolkit addressing key technical
problems in the development of Grid enabled
tools, services, and applications
Offer a modular bag of technologies
Enable incremental development of grid-enabled
tools and applications
Implement standard Grid protocols and APIs
Make available under liberal open source license

65
General Approach

Define Grid protocols APIs
Protocol-mediated access to remote resources
Integrate and extend existing standards
On the Grid speak Intergrid protocols
Develop a reference implementation
Open source Globus Toolkit
Client and server SDKs, services, tools, etc.
Grid-enable wide variety of tools
Globus Toolkit, FTP, SSH, Condor, SRB, MPI,
Learn through deployment and applications

66
Four Key Protocols

The Globus Toolkit centers around four key
protocols
Connectivity layer
Security Grid Security Infrastructure (GSI)
Resource layer
Resource Management Grid Resource Allocation
Management (GRAM)
Information Services Grid Resource Information
Protocol (GRIP)
Data Transfer Grid File Transfer Protocol
(GridFTP)

67
Three Types of API/SDK

Portability and convenience API/SDKs
API/SDKs implementing the four key Connectivity
and Resource layer protocols
Collective layer API/SDKs
This tutorial focuses primarily on the
functionality available in 2 and 3
Developer tutorial included in depth API
discussions of all three

68
Portability and Convenience API

globus_common
Module activation/deactivation
Threads, mutual exclusion, conditions
Callback/event driver
Libc wrappers
Convenience modules (list, hash, etc).

69
Connectivity APIs

globus_io
TCP, UDP, IP multicast, and file I/O
Integrates GSI security
Asynchronous and synchronous interfaces
Attribute based control of behavior
Nexus (Deprecated)
Higher level, active message style comms
Built on globus_io, but without security
MPICH-G2
High level, MPI (send/receive) interface
Built on globus_io and native MPI

70
The Globus ToolkitSecurity Services

The Globus Project
Argonne National LaboratoryUSC Information
Sciences Institute
http//www.globus.org

71
Security Terminology

Authentication Establishing identity
Authorization Establishing rights
Message protection
Message integrity
Message confidentiality
Non-repudiation
Digital signature
Accounting
Certificate Authority (CA)

72
Why Grid Security is Hard

Resources being used may be valuable the
problems being solved sensitive
Resources are often located in distinct
administrative domains
Each resource has own policies procedures
Set of resources used by a single computation may
be large, dynamic, and unpredictable
Not just client/server, requires delegation
It must be broadly available applicable
Standard, well-tested, well-understood protocols
integrated with wide variety of tools

73
GSI in ActionCreate Processes at A and B that
Communicate Access Files at C
User
Site A (Kerberos)
Site B (Unix)
Computer
Computer
Site C (Kerberos)
Storage system
74
Grid Security Requirements
75
Candidate Standards

Kerberos 5
Fails to meet requirements
Integration with various local security solutions
User based trust model
Transport Layer Security (TLS/SSL)
Fails to meet requirements
Single sign-on
Delegation

76
Grid Security Infrastructure (GSI)

Extensions to standard protocols APIs
Standards SSL/TLS, X.509 CA, GSS-API
Extensions for single sign-on and delegation
Globus Toolkit reference implementation of GSI
SSLeay/OpenSSL GSS-API SSO/delegation
Tools and services to interface to local security
Simple ACLs SSLK5/PKINIT for access to K5, AFS
Tools for credential management
Login, logout, etc.
Smartcards
MyProxy Web portal login and delegation
K5cert Automatic X.509 certificate creation

77
Review ofPublic Key Cryptography

Asymmetric keys
A private key is used to encrypt data.
A public key can decrypt data encrypted with the
private key.
An X.509 certificate includes
Someones subject name (user ID)
Their public key
A signature from a Certificate Authority (CA)
that
Proves that the certificate came from the CA.
Vouches for the subject name
Vouches for the binding of the public key to the
subject

78
Public Key Based Authentication

User sends certificate over the wire.
Other end sends user a challenge string.
User encodes the challenge string with private
key
Possession of private key means you can
authenticate as subject in certificate
Public key is used to decode the challenge.
If you can decode it, you know the subject
Treat your private key carefully!!
Private key is stored only in well-guarded
places, and only in encrypted form

79
X.509 Proxy Certificate

Defines how a short term, restricted credential
can be created from a normal, long-term X.509
credential
A proxy certificate is a special type of X.509
certificate that is signed by the normal end
entity cert, or by another proxy
Supports single sign-on delegation through
impersonation
Currently an IETF draft

80
User Proxies

Minimize exposure of users private key
A temporary, X.509 proxy credential for use by
our computations
We call this a user proxy certificate
Allows process to act on behalf of user
User-signed user proxy cert stored in local file
Created via grid-proxy-init command
Proxys private key is not encrypted
Rely on file system security, proxy certificate
file must be readable only by the owner

81
Delegation

Remote creation of a user proxy
Results in a new private key and X.509 proxy
certificate, signed by the original key
Allows remote process to act on behalf of the
user
Avoids sending passwords or private keys across
the network

82
Globus Security APIs

Generic Security Service (GSS) API
IETF standard
Provides functions for authentication,
delegation, message protection
Decoupled from any particular communication
method
But GSS-API is somewhat complicated, so we also
provide the easier-to-use globus_gss_assist API.
GSI-enabled SASL is also provided

83
Results

GSI adopted by 100s of sites, 1000s of users
Globus CA has issued gt3000 certs (user host),
gt1500 currently active other CAs active
Rollouts are currently underway all over
NSF Teragrid, NASA Information Power Grid, DOE
Science Grid, European Data Grid, etc.
Integrated in research commercial apps
GrADS testbed, Earth Systems Grid, European Data
Grid, GriPhyN, NEESgrid, etc.
Standardization begun in Global Grid Forum, IETF

84
GSI Applications

Globus Toolkit uses GSI for authentication
Many Grid tools, directly or indirectly, e.g.
Condor-G, SRB, MPICH-G2, Cactus, GDMP,
Commercial and open source tools, e.g.
ssh, ftp, cvs, OpenLDAP, OpenAFS
SecureCRT (Win32 ssh client)
And since we use standard X.509 certificates,
they can also be used for
Web access, LDAP server access, etc.

85
Ongoing and Future GSI Work

Protection against compromised resources
Restricted delegation, smartcards
Standardization
Scalability in numbers of users resources
Credential management
Online credential repositories (MyProxy)
Account management
Authorization
Policy languages
Community authorization

86
Restricted Proxies

Q How to restrict rights of delegated proxy to a
subset of those associated with the issuer?
A Embed restriction policy in proxy cert
Policy is evaluated by resource upon proxy use
Reduces rights available to the proxy to a subset
of those held by the user
But how to avoid policy language wars?
Proxy cert just contains a container for a policy
specification, without defining the language
Container OID blob
Can evolve policy languages over time

87
Delegation Tracing

Often want to know through what entities a proxy
certificate has been delegated
Audit (retrace footsteps)
Authorization (deny from bad entities)
Solved by adding information to the signed proxy
certificate about each entity to which a proxy is
delegated.
Does NOT guarantee proper use of proxy
Just tells you which entities were purposely
involved in a delegation

88
Proxy Certificate Standards Work

Internet Public Key Infrastructure X.509 Proxy
Certificate Profile
draft-ietf-pkix-proxy-01.txt
Draft being considered by IETF PKIX working
group, and by GGF GSI working group
Defines proxy certificate format, including
restricted rights and delegation tracing
Demonstrated a prototype of restricted proxies at
HPDC (August 2001) as part of CAS demo

89
Delegation Protocol Work

TLS Delegation Protocol
draft-ietf-tls-delegation-01.txt
Draft being considered by IETF TLS working group,
and by GGF GSI working group
Defines how to remotely delegate an X.509 Proxy
Certificate using extensions to the TLS (SSL)
protocol
But, may change approach here
Instead of embedding into TLS, carry on top of
TLS
This is the current approach in Globus Toolkit

90
GSS-API Extensions Work

4 years of GSS-API experience, while on the whole
quite positive, has shed light on various
deficiencies of GSS-API
GSS-API Extensions
draft-ggf-gss-extensions-04.txt
Draft being considered by GGF GSI working group.
Not yet submitted to IETF.
Defines extensions to the GSS-API to better
support Grid security

91
GSS-API Extensions

Credential export/import
Allows delegated credentials to be externalized
Used for checkpointing a service
Delegation at any time, in either direction
More rich options on use of delegation
Restricted delegation handling
Add proxy restrictions to delegated cred
Inspect auth cert for restrictions
Allow better mapping of GSS to TLS
Support TLS framing of messages

92
Community Authorization Service

Question How does a large community grant its
users access to a large set of resources?
Should minimize burden on both the users and
resource providers
Community Authorization Service (CAS)
Community negotiates access to resources
Resource outsources fine-grain authorization to
CAS
Resource only knows about CAS user credential
CAS handles user registration, group membership
User who wants access to resource asks CAS for a
capability credential
Restricted proxy of the CAS user cred., checked
by resource

93
Community Authorization(Prototype shown August
2001)
User

94
Community Authorization Service

CAS provides user community with information
needed to authenticate resources
Sent with capability credential, used on
connection with resource
Resource identity (DN), CA
This allows new resources/users (and their CAs)
to be made available to a community through the
CAS without action on the other users/resources
part

95
Authorization API

Service providers need to perform authorization
policy evaluation on
Local policies
Policies contained in restricted proxies
We are working on 2 API layers
Low level GAA-API implementation for evaluation
of policies
High level, very simple authorization API that
can easily be embedded into services
Still in early prototyping stage

96
Passport Online CA MyProxy

Requiring users to manage their own certs and
keys is annoying and error prone
A solution Leverage Passport global
authentication to obtain a proxy credential
Passport provides
Globally unique user name (email address)
Method of verifying ownership of the name
(authentication)
Re-issuance (e.g. forgotten password)
Passport credentials can be presented to an
online CA or credential repository
Creates and issues new (restricted) proxy
certificate to the user on demand

97
Other Future Security Work

Ease-of-use
Improved error message, online CA, etc.
Improved online credential repositories
See MyProxy paper at HPDC
Support for multiple user credentials
Multi-factor authentication
Subordinate certificate authorities for domains
Ease issuance of host certs for domains
Independent Data Unit Support

98
Security Summary

GSI successfully addresses wide variety of Grid
security issues
Broad acceptance, deployment, integration with
tools
Standardization on-going in IETF GGF
Ongoing RD to address next set of issues
For more information
www.globus.org/research/papers.html
A Security Architecture for Computational Grids
Design and Deployment of a National-Scale
Authentication Infrastructure
www.gridforum.org/security

99
The Globus ToolkitResource Management Services

The Globus Project
Argonne National LaboratoryUSC Information
Sciences Institute
http//www.globus.org

100
The Challenge

Enabling secure, controlled remote access to
heterogeneous computational resources and
management of remote computation
Authentication and authorization
Resource discovery characterization
Reservation and allocation
Computation monitoring and control
Addressed by new protocols services
GRAM protocol as a basic building block
Resource brokering co-allocation services
GSI for security, MDS for discovery

101
Resource Management

The Grid Resource Allocation Management (GRAM)
protocol and client API allows programs to be
started on remote resources, despite local
heterogeneity
Resource Specification Language (RSL) is used to
communicate requirements
A layered architecture allows application-specific
resource brokers and co-allocators to be defined
in terms of GRAM services
Integrated with Condor, PBS, MPICH-G2,

102
Resource Management Architecture
RSL specialization
RSL
Application
Information Service
Queries
Info
Ground RSL
Simple ground RSL
Local resource managers
GRAM
GRAM
GRAM
LSF
Condor
NQE
103
Resource Specification Language

Common notation for exchange of information
between components
Syntax similar to MDS/LDAP filters
RSL provides two types of information
Resource requirements Machine type, number of
nodes, memory, etc.
Job configuration Directory, executable, args,
environment
Globus Toolkit provides an API/SDK for
manipulating RSL

104
RSL Syntax

Elementary form parenthesis clauses
(attribute op value value )
Operators Supported
lt, lt, , gt, gt , !
Some supported attributes
executable, arguments, environment, stdin,
stdout, stderr, resourceManagerContact,resourceMa
nagerName
Unknown attributes are passed through
May be handled by subsequent tools

105
Constraints

For example
(countgt5) (countlt10)
(max_time240) (memorygt64)
(executablemyprog)
Create 5-10 instances of myprog, each on a
machine with at least 64 MB memory that is
available to me for 4 hours

106
Disjunction

For example
(executablemyprog)
( ((count5)(memorygt64))
((count10)(memorygt32)))
Create 5 instances of myprog on a machine that
has at least 64MB of memory, or 10 instances on a
machine with at least 32MB of memory

107
GRAM Protocol

GRAM-1 Simple HTTP-based RPC
Job request
Returns a job contact Opaque string that can
be passed between clients, for access to job
Job cancel, status, signal
Event notification (callbacks) for state changes
Pending, active, done, failed, suspended
GRAM-1.5 (U Wisconsin contribution)
Add reliability improvements
Once-and-only-once submission
Recoverable job manager service
Reliable termination detection
GRAM-2 Moving to Web Services (SOAP)

108
Globus Toolkit Implementation

Gatekeeper
Single point of entry
Authenticates user, maps to local security
environment, runs service
In essence, a secure inetd
Job manager
A gatekeeper service
Layers on top of local resource management system
(e.g., PBS, LSF, etc.)
Handles remote interaction with the job

109
GRAM Components
MDS client API calls to locate resources
Client
MDS Grid Index Info Server
Site boundary
MDS client API calls to get resource info
GRAM client API calls to request resource
allocation and process creation.
MDS Grid Resource Info Server
Query current status of resource
GRAM client API state change callbacks
Grid Security Infrastructure
Local Resource Manager
Allocate create processes
Request
Job Manager
Create
Gatekeeper
Process
Parse
Monitor control
Process
RSL Library
Process
110
Co-allocation

Simultaneous allocation of a resource set
Handled via optimistic co-allocation based on
free nodes or queue prediction
In the future, advance reservations will also be
supported (already in prototype)
Globus APIs/SDKs support the co-allocation of
specific multi-requests
Uses a Globus component called the Dynamically
Updated Request OnlineCo-allocator (DUROC)

111
Multirequest

A multirequest allows us to specify multiple
resource needs, for example
( (count5)(memorygt64)
(executablep1))
((networkatm) (executablep2))
Execute 5 instances of p1 on a machine with at
least 64M of memory
Execute p2 on a machine with an ATM connection
Multirequests are central to co-allocation

112
A Co-allocation Multirequest
( (resourceManagerContact
flash.isi.edu754/CUS//CNflash.isi.edu-fork)
(count1) (label"subjob A")
(executable my_app1) ) (
(resourceManagerContact
sp139.sdsc.edu8711/CUS//CNsp097.sdsc.edu-lsf
") (count2) (label"subjob B")
(executablemy_app2) )
113
Job Submission Interfaces

Globus Toolkit includes several command line
programs for job submission
globus-job-run Interactive jobs
globus-job-submit Batch/offline jobs
globusrun Flexible scripting infrastructure
Others are building better interfaces
General purpose
Condor-G, PBS, GRD, Hotpage, etc
Application specific
ECCE, Cactus, Web portals

114
globus-job-run

For running of interactive jobs
Additional functionality beyond rsh
Ex Run 2 process job w/ executable staging
globus-job-run - host np 2 s myprog arg1 arg2
Ex Run 5 processes across 2 hosts
globus-job-run \
- host1 np 2 s myprog.linux arg1 \
- host2 np 3 s myprog.aix arg2
For list of arguments run
globus-job-run -help

115
globus-job-submit

For running of batch/offline jobs
globus-job-submit Submit job
Same interface as globus-job-run
Returns immediately
globus-job-status Check job status
globus-job-cancel Cancel job
globus-job-get-output Get job stdout/err
globus-job-clean Cleanup after job

116
globusrun

Flexible job submission for scripting
Uses an RSL string to specify job request
Contains an embedded globus-gass-server
Defines GASS URL prefix in RSL substitution
variable
(stdout(GLOBUSRUN_GASS_URL)/stdout)
Supports both interactive and offline jobs
Complex to use
Must write RSL by hand
Must understand its esoteric features
Generally you should use globus-job- commands
instead

117
Resource Management APIs

The globus_gram_client API provides access to all
of the core job submission and management
capabilities, including callback capabilities for
monitoring job status.
The globus_rsl API provides convenience functions
for manipulating and constructing RSL strings.
The globus_gram_myjob allows multi-process jobs
to self-organize and to communicate with each
other.
The globus_duroc_control and globus_duroc_runtime
APIs provide access to multirequest
(co-allocation) capabilities.

118
Advance Reservationand Other Generalizations

General-purpose Architecture for Reservation and
Allocation (GARA)
2nd generation resource management services
Broadens GRAM on two axes
Generalize to support various resource types
CPU, storage, network, devices, etc.
Advance reservation of resources, in addition to
allocation
Currently a research prototype

119
GARA The Big Picture
120
Resource Management FuturesGRAM-2 (planned for
2002)

Advance reservations
As prototyped in GARA in previous 2 years
Multiple resource types
Manage anything storage, networks, etc., etc.
Recoverable requests, timeout, etc.
Better lifetime management
Policy evaluation points for restricted proxies
Use of Web Services (WSDL, SOAP)

Karl Czajkowski, Steve Tuecke, others
121
The Globus ToolkitInformation Services

The Globus Project
Argonne National LaboratoryUSC Information
Sciences Institute
http//www.globus.org

122
Grid Information Services

System information is critical to operation of
the grid and construction of applications
What resources are available?
Resource discovery
What is the state of the grid?
Resource selection
How to optimize resource use
Application configuration and adaptation?
We need a general information infrastructure to
answer these questions

123
Examples of Useful Information

Characteristics of a compute resource
IP address, software available, system
administrator, networks connected to, OS version,
load
Characteristics of a network
Bandwidth and latency, protocols, logical
topology
Characteristics of the Globus infrastructure
Hosts, resource managers

124
Grid Information Facts of Life

Information is always old
Time of flight, changing system state
Need to provide quality metrics
Distributed state hard to obtain
Complexity of global snapshot
Component will fail
Scalability and overhead
Many different usage scenarios
Heterogeneous policy, different information
organizations, etc.

125
Grid Information Service

Provide access to static and dynamic information
regarding system components
A basis for configuration and adaptation in
heterogeneous, dynamic environments
Requirements and characteristics
Uniform, flexible access to information
Scalable, efficient access to dynamic data
Access to multiple information sources
Decentralized maintenance

126
The GIS Problem Many Information Sources, Many
Views
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
R
127
What is a Virtual Organization?

Facilitates the workflow of a group of users
across multiple domains who share (some of) their
resources to solve particular classes of problems
Collates and presents information about these
resources in a uniform view

128
Two Classes Of Information Servers

Resource Description Services
Supplies information about a specific resource
(e.g. Globus 1.1.3 GRIS).
Aggregate Directory Services
Supplies collection of information which was
gathered from multiple GRIS servers (e.g. Globus
1.1.3 GIIS).
Customized naming and indexing

129
Information Protocols

Grid Resource Registration Protocol
Support information/resource discovery
Designed to support machine/network failure
Grid Resource Inquiry Protocol
Query resource description server for information
Query aggregate server for information
LDAP V3.0 in Globus 1.1.3

130
GIS Architecture
Customized Aggregate Directories
Users
A
A
Enquiry Protocol
Registration Protocol
R
R
R
R
Standard Resource Description Services
131
Metacomputing Directory Service

Use LDAP as Inquiry
Access information in a distributed directory
Directory represented by collection of LDAP
servers
Each server optimized for particular function
Directory can be updated by
Information providers and tools
Applications (i.e., users)
Backend tools which generate info on demand
Information dynamically available to tools and
applications

132
Two Classes Of MDS Servers

Grid Resource Information Service (GRIS)
Supplies information about a specific resource
Configurable to support multiple information
providers
LDAP as inquiry protocol
Grid Index Information Service (GIIS)
Supplies collection of information which was
gathered from multiple GRIS servers
Supports efficient queries against information
which is spread across multiple GRIS server
LDAP as inquiry protocol

133
LDAP Details

Lightweight Directory Access Protocol
IETF Standard
Stripped down version of X.500 DAP protocol
Supports distributed storage/access (referrals)
Supports authentication and access control
Defines
Network protocol for accessing directory contents
Information model defining form of information
Namespace defining how information is referenced
and organized

134
MDS Components

LDAP 3.0 Protocol Engine
Based on OpenLDAP with custom backend
Integrated caching
Information providers
Delivers resource information to backend
APIs for accessing updating MDS contents
C, Java, PERL (LDAP API, JNDI)
Various tools for manipulating MDS contents
Command line tools, Shell scripts GUIs

135
Grid Resource Information Service

Server which runs on each resource
Given the resource DNS name, you can find the
GRIS server (well known port 2135)
Provides resource specific information
Much of this information may be dynamic
Load, process information, storage information,
etc.
GRIS gathers this information on demand
White pages lookup of resource information
Ex How much memory does machine have?
Yellow pages lookup of resource options
Ex Which queues on machine allows large jobs?

136
Grid Index Information Service

GIIS describes a class of servers
Gathers information from multiple GRIS servers
Each GIIS is optimized for particular queries
Ex1 Which Alliance machines are gt16 process
SGIs?
Ex2 Which Alliance storage servers have gt100Mbps
bandwidth to host X?
Akin to web search engines
Organization GIIS
The Globus Toolkit ships with one GIIS
Caches GRIS info with long update frequency
Useful for queries across an organization that
rely on relatively static information (Ex1 above)
Can be merged into GRIS

137
Finding a GRIS and Server Registration

A GRIS or GIIS server can be configured to (de-)
register itself during startup/shutdown
Targets specified in configuration file
Softstate registration protocol
Good behavior in case of failure
Allows for federations of information servers
E.g. Argonne GRIS can register with both Alliance
and DOE GIIS servers

138
Logical MDS Deployment
Grads
Gusto
GIIS
ISI
GRISes
139
MDS Commands

LDAP defines a set of standard commands
ldapsearch, etc.
We also define MDS-specific commands
grid-info-search, grid-info-host-search
APIs are defined for C, Java, etc.
C OpenLDAP client API
ldap_search_s(),
Java JNDI

140
Information Services API

RFC 1823 defines an IETF draft standard client
API for accessing LDAP databases
Connect to server
Pose query which returns data structures contains
sets of object classes and attributes
Functions to walk these data structures
Globus does not provide an LDAP API. We
recommend the use of OpenLDAP, an open source
implementation of RFC 1823.

141
Searching an LDAP Directory