03 Overview of gLite - Indico · 2018. 11. 15. · Enabling Grids for E-sciencE EGEE Middleware: gLite • gLite 3.0, gLite 3.1 ⇨ Merger of LCG 2.7 and gLite 1.5 LCG-2 prototyping

Jan 27, 2021

  • Enabling Grids for E-sciencE

    Overview of gLite grid middleware

    Gergely Sipos, MTA SZTAKI
    sipos@sztaki.hu

    www.eu-egee.org

    EGEE-II INFSO-RI-031688

  • Outline

    • Basic features of gLite middleware
    • gLite services
    • Security in gLite
    • External services

  • Grid vision

    (Figure: mobile access, workstations, supercomputers and PC clusters, data storage, sensors, experiments and visualisation, all connected through grid middleware over the Internet and networks)

  • Problems to solve

    • Standardised access to resources
      – Computers
      – Storages
      – Special equipments
      – Software services
    • Access policy
    • Load balancing
    • Monitoring resources and services
    • Monitoring applications
    • Fault management
    • Programming concepts, level of abstraction
    • User interfaces
    • ...

  • EGEE grid, gLite middleware

    • EGEE is establishing a production grid infrastructure with gLite middleware

    (Figure: application-specific grid services layered on top of the gLite middleware services)

  • VO concept

    • gLite middleware runs on each shared resource to provide
      – Data services
      – Computation services
      – Security services
    • Resources and users form Virtual Organisations: basis for collaboration
    • Distributed services (both people and middleware) enable the grid

    (Figure: resources and users connected over the INTERNET)

  • Grid Middleware

    • When using a PC or workstation you
      – Login with a username and password (“Authentication”)
      – Use rights given to you (“Authorisation”)
      – Run jobs
      – Manage files: create them, read/write, list directories
    • Components are linked by a bus
    • Operating system
    • One admin. domain

    • When using a Grid you
      – Login with digital credentials – single sign-on (“Authentication”)
      – Use rights given to you (“Authorisation”)
      – Run jobs
      – Manage files: create them, read/write, list directories
    • Services are linked by the Internet
    • Middleware
    • Many admin. domains

  • EGEE Middleware: gLite

    • gLite 3.0, gLite 3.1 ⇨ Merger of LCG 2.7 and gLite 1.5
      – Scientific Linux v3 and v4; ongoing efforts to port to other OS
      – Exploit experience and existing components from VDT (Condor, Globus), EDG/LCG, and others
      – Develop a lightweight stack of generic middleware useful to EGEE applications (HEP and Biomedics are pilot applications)
      – Focus is on providing a stable and basic infrastructure

    (Timeline figure: 2004 – LCG-2 product, gLite prototyping; 2005 – gLite product; 2006 – gLite 3.0)

  • Basic services of gLite

    (Figure: the user creates a proxy on the User Interface and submits the job to the Resource Broker; the broker queries the Information System and the File and Replica Catalog and submits the job to the Computing Element at site X, which processes it and uses the Storage Element; job status is published to Logging and Bookkeeping, from which the user retrieves status and output; an Authorization Service (VO Management Service) is part of the picture)

  • What is happening now?

    • Real Time Monitor
      – Java tool
      – Displays jobs running (submitted through RBs)
      – Shows jobs moving around on a world map in real time, along with changes in status

    http://gridportal.hep.ph.ic.ac.uk/rtm/ (snapshot 16 January 2007)

  • Main components

    • User Interface (UI): The place where users log on to the Grid
    • Resource Broker (RB) (Workload Management System (WMS)): Matches the user requirements with the available resources on the Grid
    • Information System: Characteristics and status of CE and SE
    • File and replica catalog: Location of grid files and grid file replicas
    • Logging and Bookkeeping (LB): Log information of jobs
    • Computing Element (CE): A batch queue on a site’s computers where the user’s job is executed
    • Storage Element (SE): provides (large-scale) storage for files

  • Main components (continued)

    (Same list as the previous slide, with the overlay:) All built upon authorisation, authentication, security

  • gLite User Interface (UI)

    • Server where the user has a login
    • gLite client programs are installed
      – Command line clients
      – Programming APIs
    • Typical UI scenario (UI is central for the VO)
      – Upload program to UI with SCP
      – Login to UI with SSH
      – Compile code
      – Write job description (JDL file)
      – Create proxy certificate
      – Submit job
      – Check job status, download result from grid to UI when DONE
      – Download result from UI with SCP
    • Typically high level environments hide gLite UI.
      – P-GRADE Portal
      – GANGA
      – GridWay
      – …

  • Resource Broker

    • Official name: Workload Management System
    • Key service in gLite
    • Accepts Job Description Language files from User Interface, executes jobs on Computing Resources
    • Detailed lecture later…

  • Information system (IS)

    • The user or a service (e.g. broker) can query
      – the top level BDII (usual mode)
      – BDII servers on each site

    (Figure: Top BDII aggregates the Site BDIIs, each fed by Information Providers)

  • Information system (IS)

    • BDII server
      – LDAP server
      – Structures data as a tree
      – Tree model is defined by GLUE schema
      – Optimized for frequent queries
    • Interacting with information system
      – Programming API
      – Command line tools (on UI)
        lcg-infosites: simple, meets most needs
        lcg-info: supports more complex queries
      – Portals (e.g. P-GRADE Portal)

  • Example – CE query

    $ lcg-infosites --vo alice ce
    #CPU | Free | Total Jobs | Running | Waiting | ComputingElement
    ----------------------------------------------------------------
      14       0          0       0       0 ce002.ipp.acad.bg:2119/jobmanager-lcgpbs-alice
      15       4          0       0       0 ce001.ipp.acad.bg:2119/blah-pbs-alice
      80       8          0       0       0 ce02.grid.acad.bg:2119/jobmanager-pbs-alice
      10      10          0       0       0 ce.hpc.iit.bme.hu:2119/blah-pbs-alice
      96      94          0       0       0 grid109.kfki.hu:2119/jobmanager-lcgpbs-alice
    3409       6        493     493       0 ce101.cern.ch:2119/jobmanager-lcglsf-grid_alice
    3409       6        493     493       0 ce102.cern.ch:2119/jobmanager-lcglsf-grid_alice
    3409       6        493     493       0 ce105.cern.ch:2119/jobmanager-lcglsf-grid_alice
    [...]
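    The listing above is what a broker (or a script on the UI) consumes when choosing where to send a job. The Go program below is an added illustration, not code from gLite or from the slides: it parses the slide's sample `lcg-infosites` output (embedded as a constant so it runs offline), rejects malformed rows, and ranks Computing Elements by free CPUs, a deliberately simplified stand-in for the matchmaking the Resource Broker performs from Information System data. The function names and the "most free CPUs first" rule are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// SampleCEOutput is the slide's `lcg-infosites --vo alice ce` listing, embedded
// here so the example runs offline.
const SampleCEOutput = `#CPU | Free | Total Jobs | Running | Waiting | ComputingElement
----------------------------------------------------------------
  14       0          0       0       0 ce002.ipp.acad.bg:2119/jobmanager-lcgpbs-alice
  15       4          0       0       0 ce001.ipp.acad.bg:2119/blah-pbs-alice
  80       8          0       0       0 ce02.grid.acad.bg:2119/jobmanager-pbs-alice
  10      10          0       0       0 ce.hpc.iit.bme.hu:2119/blah-pbs-alice
  96      94          0       0       0 grid109.kfki.hu:2119/jobmanager-lcgpbs-alice
3409       6        493     493       0 ce101.cern.ch:2119/jobmanager-lcglsf-grid_alice
3409       6        493     493       0 ce102.cern.ch:2119/jobmanager-lcglsf-grid_alice
3409       6        493     493       0 ce105.cern.ch:2119/jobmanager-lcglsf-grid_alice
[...]`

// CE is one row of the listing: the five counters and the CE endpoint
// (host:port/jobmanager-queue).
type CE struct {
	CPU, Free, TotalJobs, Running, Waiting int
	Name                                   string
}

// ParseCEs turns the tabular output into structs, skipping the header, the
// dashed separator and the "[...]" continuation marker, and rejecting
// malformed rows instead of silently dropping them.
func ParseCEs(out string) ([]CE, error) {
	var ces []CE
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") || strings.HasPrefix(line, "[") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("expected 6 columns, got %d in %q", len(f), line)
		}
		var n [5]int
		for i := range n {
			v, err := strconv.Atoi(f[i])
			if err != nil {
				return nil, fmt.Errorf("bad number in %q: %w", line, err)
			}
			n[i] = v
		}
		ces = append(ces, CE{n[0], n[1], n[2], n[3], n[4], f[5]})
	}
	return ces, sc.Err()
}

// RankByFreeCPU keeps the CEs with at least minFree free CPUs, most free first:
// a simplified version of the matchmaking a broker does from IS data.
func RankByFreeCPU(ces []CE, minFree int) []CE {
	var out []CE
	for _, ce := range ces {
		if ce.Free >= minFree {
			out = append(out, ce)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Free > out[j].Free })
	return out
}

func main() {
	ces, err := ParseCEs(SampleCEOutput)
	if err != nil {
		panic(err)
	}
	for _, ce := range RankByFreeCPU(ces, 1) {
		fmt.Printf("%4d free of %4d  %s\n", ce.Free, ce.CPU, ce.Name)
	}
}
```

    On the sample data the top candidate is grid109.kfki.hu with 94 free CPUs, while the CERN queues, despite 3409 CPUs each, have only 6 free; a real broker would also apply the job's Requirements expression and the user's VO membership before choosing.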

  • Example – SE query

    $ lcg-infosites --vo atlas se
    Avail Space(Kb)   Used Space(Kb)   Type   SEs
    ------------------------------------------------------------
    39657488          106362948        n.a    se.phy.bg.ac.yu
    31400000          18580000         n.a    se1.egee.man.poznan.pl
    569586792         47148288         n.a    clrauvergridse01.in2p3.fr
    1200000000        410000000        n.a    koala.unimelb.edu.au
    22903032          42994124         n.a    se-lcg.sdg.ac.cn
    457865076         663121389        n.a    atlasse01.ihep.ac.cn
    29593756          80561288         n.a    se001.grid.bas.bg
    931135488         41943040         n.a    se001.ipp.acad.bg
    [...]

  • File and replica catalog (LFC)

    • Users and their jobs refer to files by logical file name
      – lfn:/grid/gilda/sipos/matrix_computation/input1
    • File catalog is used to map logical file name to physical file name(s)
      – sfn://grid005.iucc.ac.il/storage/gilda/generated/2007-06-23/fileb233d43f-5bc6-4ede-a5fe-611d48be2ba5
    • LFC is a central database in the VO

  • Logging and bookkeeping (LB)

    • Job history stored here
      – When, what, where, …
    • Detailed information, not only a job status value
    • LB is a central database in the VO
    • Will not be used during the course
      – Command line tools to query LB

  • Computing Element (CE)

    • A “core” grid service
      – One installation at every grid site
    • Exposes computational facility - CPU
    • Typically installed on a cluster

    (Figure: a job request with the user’s proxy arrives at the Computing Element server, which reports to the Information System and to Logging and Bookkeeping and hands the job to the Local Resource Management System (Condor / PBS / LSF master), which schedules it on the worker nodes)

  • Storage Element (SE)

    • A “core” grid service
      – One installation at every grid site
    • Exposes storage facility – Hard disk / tape

    (Figure: a file request with the user’s proxy arrives over a storage protocol at the Storage Element server, which performs authentication and authorization and serves the file from disk or tape resources)

  • Who provides the resources?!

    Service                  | Provider              | Note
    -------------------------|-----------------------|------------------------------------------------------------------
    User interface           | User / institute / VO | Computer with client SW
    Resource Broker (WMS)    | VOs                   | EGEE does not fund RBs
    Information System       | Grid operations       | EGEE funded effort
    File and replica catalog | VOs                   | EGEE does not fund catalogs
    Logging and Bookkeeping  | VOs                   | EGEE does not fund LB servers
    Computing Element (CE)   | VOs                   | EGEE does not fund CEs; VOs provide resources to match average need
    Storage Element (SE)     | VOs                   | EGEE does not fund SEs; VOs provide resources to match average need
    External services        | User / institute / VO | To extend the capabilities of the core infrastructure

  • Security

    • Grid Security Infrastructure (GSI) enables VOs
    • gLite security extended GSI
    • Two levels of grid security problems
      – Network level:
        Mutual authentication of endpoints
        Encrypted messages
        Non-repudiation
        Integrity (protection against 3rd party changes)
      – VO level:
        Who can be the member of a VO, who cannot?
        What is a VO member allowed to do?
        How can a SW (e.g. broker) act on your behalf?

  • Basic concept of GSI

    • Asymmetric encryption…

    (Figure: a clear text message is encrypted into encrypted text with one key of the pair and decrypted back to the clear text message with the other key)

    • Every networked entity (user/machine/software) is assigned two keys: one private key and one public key
      – Private: only owner knows
      – Public: everybody else knows
    • Communication concept (simplified version):
      1. Public keys are exchanged
      2. The sender encrypts the message using the receiver’s public key and the sender’s own private key
      3. The receiver decrypts using the receiver’s own private key and the sender’s public key

  • PKI in action

    • Encryption
      – Encryption with recipient’s public key
      – Only recipient can decrypt the message

    (Figure: John encrypts “ciao” with Paul’s public key into “3$r”; Paul decrypts it with his private key)

    • Non-repudiation
      – Naive approach: encrypt message with sender’s private key. Too costly for long messages
      – Solution:
        generate hash of the message (Hash A)
        Encrypt hash with sender’s private key
        Attach encrypted hash to message: Digital signature
      – Additional benefit: Integrity (hash is constant)

  • PKI in action – the big picture

    (Figure: Paul hashes the message to Hash A, encrypts the hash with his private key and attaches it to the message as the Digital Signature; John decrypts the signature with Paul’s public key to recover Hash A, hashes the received message himself to obtain Hash B, and checks whether Hash A = Hash B)

    • Mutual authentication and exchanging public keys: SSL protocol
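    The three-step communication concept and the hash-then-sign “solution” of the PKI slides, as an added Go example (not code from the slides, from GSI or from gLite): RSA key pairs are generated in-process for the slides’ John and Paul; Seal signs the message with the sender’s private key and encrypts it with the receiver’s public key, Open decrypts with the receiver’s private key and checks the signature with the sender’s public key, and any change to the ciphertext or message is detected. The choice of RSA-OAEP for encryption and PKCS#1 v1.5 signatures over SHA-256 is this example’s; GSI itself obtains these properties from the SSL protocol named on the slide.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Keys is one entity's key pair: the private half stays with the owner,
// the public half is what everybody else gets after the key exchange.
type Keys struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeys generates a fresh 2048-bit RSA pair (constructed for the example).
func NewKeys() (*Keys, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keys{Private: k, Public: &k.PublicKey}, nil
}

// Sign is the slide's "solution": hash the message, then apply the sender's
// private key to the hash (a PKCS#1 v1.5 signature) and attach the result.
func Sign(sender *Keys, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg) // Hash A
	return rsa.SignPKCS1v15(rand.Reader, sender.Private, crypto.SHA256, digest[:])
}

// Verify is the receiver's side: recover the hash with the sender's public key
// and compare it with the hash of the received message (Hash B).
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

// Seal is step 2 of the simplified communication concept: sign with the sender's
// own private key, encrypt with the receiver's public key (RSA-OAEP).
func Seal(sender *Keys, receiverPub *rsa.PublicKey, msg []byte) (ciphertext, sig []byte, err error) {
	sig, err = Sign(sender, msg)
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	return ciphertext, sig, err
}

// Open is step 3: decrypt with the receiver's own private key, then check the
// signature with the sender's public key. A wrong key or a changed message fails.
func Open(receiver *Keys, senderPub *rsa.PublicKey, ciphertext, sig []byte) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver.Private, ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if !Verify(senderPub, msg, sig) {
		return nil, fmt.Errorf("signature does not match message: integrity or origin check failed")
	}
	return msg, nil
}

func main() {
	john, _ := NewKeys()
	paul, _ := NewKeys()
	ct, sig, _ := Seal(john, paul.Public, []byte("ciao")) // John -> Paul
	msg, err := Open(paul, john.Public, ct, sig)
	fmt.Printf("Paul reads %q (err=%v)\n", msg, err)
	ct[0] ^= 1 // a third party changes the ciphertext in transit
	_, err = Open(paul, john.Public, ct, sig)
	fmt.Println("after tampering:", err)
}
```

    RSA-OAEP only fits short messages; in practice the asymmetric operation protects a session key and the bulk data is encrypted symmetrically, which is exactly the division of labour SSL/TLS makes.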

  • Entity identity

    • Since I’m the only one with access to my private key, you know I signed the data associated with it
    • But, how do you know that you have my correct public key?

  • Your public and private keys

    • Instructions, tutorials (should be) on CA homepages
    • User generates public/private key pair in browser or in files.
    • User sends public key to CA and shows RA proof of identity.
    • CA signature links identity and public key in certificate. CA informs user.
    • Private Key encrypted on local disk: passphrase

    (Figure: the request carrying the Public Key goes to the CA; the CA root signs the Cert, which binds the ID to the Public Key; the Private Key stays encrypted on the local disk)

  • Your certificate and private key

    • Do not loan your certificate and private key to anyone!
      – Report to CA if your files were compromised: Certificate revocation list
    • Where to store them?
      – Store them in your browser
      – Store them in a file system you trust
        Different file formats (PEM, P12, …)
      – Store them on a USB key
      – Store them in MyProxy server
        Obtain short term certificate just before grid interaction
    • Every Grid which recognizes your CA will trust your certificate
    • CAs recognized by EGEE: http://www.gridpma.org

  • Grid security at VO level

    • Users (and machines) are identified by certificates.
    • VO Management Service: tool for VO level security
    • Steps
      – User obtains certificate from Certification Authority (obtaining certificate: annually)
      – User registers at the VO, usually via a web form (joining VO: once)
      – VO manager authorizes the user: VO DB updated
      – User information is replicated onto VO resources, typically within 24 hours (VOMS DB replicated once a day)
    • List of EGEE VOs: on CIC Operations Portal

    (Figure: CA → user → VO Membership Service, whose VOMS database the VO manager updates; the database is replicated to the grid sites)

    User’s identity in the Grid = Subject of grid certificate:
    /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/[email protected]

  • Proxy certificates

    • Delegation - allows remote process and services to authenticate on behalf of the user
      – Remote process/service “impersonates” the user
    • Achieved by creation of next-level private key–certificate pair from the user’s private key–certificate.
      – New key-pair is a single file: Proxy credential
      – Proxy private key is not protected by password
      – Proxy may be valid for limited operations
      – Proxy has limited lifetime
    • The client can delegate proxies to services, processes
      – Each service decides whether it accepts proxies for authentication
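    The certificate issuance of the “Your public and private keys” and “Your certificate and private key” slides and the proxy delegation described on this slide, as an added Go example (not GSI or gLite code): a self-signed CA root issues a one-year user certificate, the user’s own key issues a short-lived proxy, VerifyUser answers the “do I have your correct public key?” question by chaining to the trusted root, and VerifyProxy is the acceptance decision a service makes. The CA name, the DN fields, the 12-hour lifetime used in the usage test and the CN=proxy naming are assumptions of the example; the proxy check is modelled on RFC 3820 and simplified (no proxy policy or path-length handling).

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Credential is a certificate together with the private key that matches it.
type Credential struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// issue generates a fresh key pair and lets signer (or, for a self-signed root, the new key itself) sign tmpl.
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*Credential, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // toy serial; a real CA keeps unique, persistent serials
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Credential{Cert: cert, Key: key}, err
}

// NewCA creates the self-signed root that a grid "which recognizes your CA" installs as trust anchor.
func NewCA(name string) (*Credential, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		Subject:   pkix.Name{Organization: []string{name}, CommonName: name + " Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(20, 0, 0),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true,
	}, nil, nil)
}

// IssueUserCert is the CA step: once the RA has seen proof of identity, the CA
// signature binds the subject DN to the user's public key for one year.
func IssueUserCert(ca *Credential, cn string) (*Credential, error) {
	now := time.Now()
	return issue(&x509.Certificate{
		Subject: pkix.Name{Country: []string{"HU"}, Organization: ca.Cert.Subject.Organization,
			OrganizationalUnit: []string{"GRID"}, CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}, ca.Cert, ca.Key)
}

// IssueProxy is the delegation step: the user's own private key signs a new key pair
// with a short lifetime, named user DN + CN=proxy (legacy GSI naming, assumed here).
func IssueProxy(user *Credential, lifetime time.Duration) (*Credential, error) {
	subj := user.Cert.Subject
	subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "proxy"}}
	now := time.Now()
	return issue(&x509.Certificate{
		Subject:   subj,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}, user.Cert, user.Key)
}

// VerifyUser answers "do I have your correct public key?": the certificate must
// chain to the trusted CA root and be inside its validity period at time at.
func VerifyUser(cert, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// VerifyProxy is a simplified acceptance check a service could run (modelled on RFC 3820, not
// GSI's code): trusted user cert, proxy issued and signed by that user, proxy inside its lifetime.
func VerifyProxy(proxy, user, root *x509.Certificate, at time.Time) error {
	if err := VerifyUser(user, root, at); err != nil {
		return err
	}
	if !bytes.Equal(proxy.RawIssuer, user.RawSubject) {
		return errors.New("proxy issuer is not the user certificate subject")
	}
	if at.Before(proxy.NotBefore) || at.After(proxy.NotAfter) {
		return errors.New("proxy certificate is outside its lifetime")
	}
	// The user certificate is not a CA, so x509 chain building would reject it; check the signature directly.
	return user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature)
}
```

    The two failure modes worth noticing are the ones the slide lists as design properties: a proxy presented after its lifetime is refused even though the user certificate behind it is still valid for months, and a proxy signed by a key other than the one in the trusted user certificate is refused regardless of what its subject claims.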

  • Proxy in action

    • Login to the grid: Generate a proxy certificate
      – Command line tools on a User Interface:
        voms-proxy-init --voms gilda
      – From a portal: See P-GRADE Portal tomorrow

    (Figure: the proxy is extended with the user’s VO roles: Proxy + VO roles)

  • External services to gLite

    • Where computer science meets the application communities!
    • The tools, services used by the VO’s applications
    • NA4 Recommended External Software Packages for Egee CommuniTies (RESPECT)
      – Current RESPECT tools: GridWay, P-GRADE Portal
      – http://egeena4.lal.in2p3.fr/ “Grid software” menu

    (Layer figure: Application toolkits; Higher-level gLite services (WMS, …); Basic gLite services: CE, SE, info, security; Command line & APIs. The production infrastructure contains these services.)

      – Basic services: Must be complete and robust; Should not assume the use of Higher-Level Grid Services
      – High level services: help the users building their computing infrastructure but should not be mandatory

  • Further information, references

    • EGEE
      – http://www.eu-egee.org/
    • gLite middleware
      – http://www.glite.org
    • gLite manuals, documentation
      – http://glite.web.cern.ch/glite/documentation/ (gLite user guide)
    • Recommended External Software Packages for Egee CommuniTies (RESPECT)
      – http://egeena4.lal.in2p3.fr/