Enabling Grids for E-sciencE
Overview of gLite grid middleware
Gergely Sipos, MTA SZTAKI, [email protected]
www.eu-egee.org
EGEE-II INFSO-RI-031688
Outline
• Basic features of gLite middleware
• gLite services
• Security in gLite
• External services
Grid vision
[Figure: GRID MIDDLEWARE connecting mobile access, supercomputers, PC clusters, workstations, data storage, sensors, experiments, visualisation, the Internet and networks]
Problems to solve
• Standardised access to resources
– Computers
– Storages
– Special equipments
– Software services
• Access policy
• Load balancing
• Monitoring resources and services
• Monitoring applications
• Fault management
• Programming concepts, level of abstraction
• User interfaces
• ...
EGEE grid, gLite middleware
• EGEE is establishing a production grid infrastructure with gLite middleware
[Figure: application-specific grid services layered on top of gLite middleware services]
VO concept
• gLite middleware runs on each shared resource to provide
– Data services
– Computation services
– Security service
• Resources and users form Virtual organisations: basis for collaboration
• Distributed services (both people and middleware) enable the grid
[Figure: shared resources connected through the INTERNET]
Grid Middleware
• When using a PC or workstation you
– Login with a username and password (“Authentication”)
– Use rights given to you (“Authorisation”)
– Run jobs
– Manage files: create them, read/write, list directories
• Components are linked by a bus
• Operating system
• One admin. domain
• When using a Grid you
– Login with digital credentials – single sign-on (“Authentication”)
– Use rights given to you (“Authorisation”)
– Run jobs
– Manage files: create them, read/write, list directories
• Services are linked by the Internet
• Middleware
• Many admin. domains
EGEE Middleware: gLite
• gLite 3.0, gLite 3.1 ⇨ Merger of LCG 2.7 and gLite 1.5
– Exploit experience and existing components from VDT (Condor, Globus), EDG/LCG, and others
– Develop a lightweight stack of generic middleware useful to EGEE applications (HEP and Biomedics are pilot applications)
– Focus is on providing a stable and basic infrastructure
• Scientific Linux v3 and v4; ongoing efforts to port to other OS
[Figure: timeline 2004–2006 – LCG-2 (product) and gLite (prototyping in 2004, product in 2005) converging into gLite 3.0 in 2006]
Basic services of gLite
[Figure: the User Interface creates a proxy and submits the job to the Resource Broker; the broker queries the Information System and the File and Replica Catalog, submits the job to the Computing Element of Site X (which also hosts a Storage Element), and the job status is published to Logging and Bookkeeping; the user retrieves status and output; the Authorization Service (VO Management Service) underpins every step]
What is happening now?
• Real Time Monitor – Java tool
– Displays jobs running (submitted through RBs)
– Shows jobs moving around the world map in real time, along with changes in status
http://gridportal.hep.ph.ic.ac.uk/rtm/ (snapshot 16 January 2007)
Main components
• User Interface (UI): The place where users log on to the Grid
• Resource Broker (RB) / Workload Management System (WMS): Matches the user requirements with the available resources on the Grid
• Information System: Characteristics and status of CE and SE
• File and replica catalog: Location of grid files and grid file replicas
• Logging and Bookkeeping (LB): Log information of jobs
• Computing Element (CE): A batch queue on a site’s computers where the user’s job is executed
• Storage Element (SE): provides (large-scale) storage for files
• All of these components are built upon authorisation, authentication, security
gLite User Interface (UI)
• Server where the user has a login
• gLite client programs are installed
– Command line clients
– Programming APIs
• Typical UI scenario (UI is central for the VO)
– Upload program to UI with SCP
– Login to UI with SSH
– Compile code
– Write job description (JDL file)
– Create proxy certificate
– Submit job
– Check job status, download result from grid to UI when DONE
– Download result from UI with SCP
• Typically high level environments hide gLite UI
– P-GRADE Portal
– GANGA
– GridWay
– …
Resource Broker
• Official name: Workload Management System
• Key service in gLite
• Accepts Job Description Language files from the User Interface, executes jobs on Computing Resources
• Detailed lecture later…
Information system (IS)
• The user or a service (e.g. broker) can query
– the top level BDII (usual mode)
– BDII servers on each site
[Figure: hierarchy Top BDII → Site BDII → Information Provider]
Information system (IS)
• BDII server
– LDAP server
– Structures data as a tree
– Tree model is defined by GLUE schema
– Optimized for frequent queries
• Interacting with information system
– Programming API
– Command line tools (on UI)
  lcg-infosites: simple, meets most needs
  lcg-info: supports more complex queries
– Portals (e.g. P-GRADE Portal)
Example – CE query
$ lcg-infosites --vo alice ce
#CPU    Free    Total Jobs    Running    Waiting    ComputingElement
---------------------------------------------------------------------------------------
14      0       0             0          0          ce002.ipp.acad.bg:2119/jobmanager-lcgpbs-alice
15      4       0             0          0          ce001.ipp.acad.bg:2119/blah-pbs-alice
80      8       0             0          0          ce02.grid.acad.bg:2119/jobmanager-pbs-alice
10      10      0             0          0          ce.hpc.iit.bme.hu:2119/blah-pbs-alice
96      94      0             0          0          grid109.kfki.hu:2119/jobmanager-lcgpbs-alice
3409    6       493           493        0          ce101.cern.ch:2119/jobmanager-lcglsf-grid_alice
3409    6       493           493        0          ce102.cern.ch:2119/jobmanager-lcglsf-grid_alice
3409    6       493           493        0          ce105.cern.ch:2119/jobmanager-lcglsf-grid_alice
[...]
Example – SE query
$ lcg-infosites --vo atlas se
Avail Space(Kb)    Used Space(Kb)    Type    SEs
------------------------------------------------------------------------------------------------
39657488           106362948         n.a     se.phy.bg.ac.yu
31400000           18580000          n.a     se1.egee.man.poznan.pl
569586792          47148288          n.a     clrauvergridse01.in2p3.fr
1200000000         410000000         n.a     koala.unimelb.edu.au
22903032           42994124          n.a     se-lcg.sdg.ac.cn
457865076          663121389         n.a     atlasse01.ihep.ac.cn
29593756           80561288          n.a     se001.grid.bas.bg
931135488          41943040          n.a     se001.ipp.acad.bg
[...]
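The two lcg-infosites tables above are what a user, or a broker doing matchmaking, has to read. As an added example (not code from the slides or from the lcg-infosites tool), here is a small Python parser for both table formats; the sample rows embedded below are the ones shown on the slides, re-typed. The CE/SE row layouts, the field names and the selection functions are this example's own assumptions. Rows that do not have the expected number of fields raise an error instead of being silently dropped, because a broker that mis-reads site-published data will place jobs on the wrong resources.

```python
"""Parse the tabular output of `lcg-infosites --vo <vo> ce` and `... se`."""
from dataclasses import dataclass

# Constructed sample: the rows shown on the slides, re-typed.
CE_OUTPUT = """\
#CPU    Free    Total Jobs    Running    Waiting    ComputingElement
----------------------------------------------------------------------
14      0       0             0          0          ce002.ipp.acad.bg:2119/jobmanager-lcgpbs-alice
15      4       0             0          0          ce001.ipp.acad.bg:2119/blah-pbs-alice
80      8       0             0          0          ce02.grid.acad.bg:2119/jobmanager-pbs-alice
10      10      0             0          0          ce.hpc.iit.bme.hu:2119/blah-pbs-alice
96      94      0             0          0          grid109.kfki.hu:2119/jobmanager-lcgpbs-alice
3409    6       493           493        0          ce101.cern.ch:2119/jobmanager-lcglsf-grid_alice
3409    6       493           493        0          ce102.cern.ch:2119/jobmanager-lcglsf-grid_alice
3409    6       493           493        0          ce105.cern.ch:2119/jobmanager-lcglsf-grid_alice
[...]
"""

SE_OUTPUT = """\
Avail Space(Kb)    Used Space(Kb)    Type    SEs
------------------------------------------------------------------
39657488           106362948         n.a     se.phy.bg.ac.yu
31400000           18580000          n.a     se1.egee.man.poznan.pl
569586792          47148288          n.a     clrauvergridse01.in2p3.fr
1200000000         410000000         n.a     koala.unimelb.edu.au
22903032           42994124          n.a     se-lcg.sdg.ac.cn
457865076          663121389         n.a     atlasse01.ihep.ac.cn
29593756           80561288          n.a     se001.grid.bas.bg
931135488          41943040          n.a     se001.ipp.acad.bg
[...]
"""


@dataclass
class ComputingElement:
    cpus: int
    free: int
    total_jobs: int
    running: int
    waiting: int
    endpoint: str      # host:port/jobmanager-<batch system>-<queue>


@dataclass
class StorageElement:
    avail_kb: int
    used_kb: int
    se_type: str
    host: str


def _rows(text):
    """Yield (line, fields) for data rows only: header, dashed separator and the
    '[...]' truncation marker all start with a non-numeric token and are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            yield line, fields


def parse_ce_table(text):
    ces = []
    for line, f in _rows(text):
        if len(f) != 6:
            raise ValueError(f"unexpected CE row: {line!r}")
        ces.append(ComputingElement(*map(int, f[:5]), f[5]))
    return ces


def parse_se_table(text):
    ses = []
    for line, f in _rows(text):
        if len(f) != 4:
            raise ValueError(f"unexpected SE row: {line!r}")
        ses.append(StorageElement(int(f[0]), int(f[1]), f[2], f[3]))
    return ses


def ces_with_free_cpus(ces, minimum=1):
    """The candidates a broker would rank: at least `minimum` free CPUs, most free first."""
    return sorted((ce for ce in ces if ce.free >= minimum), key=lambda ce: ce.free, reverse=True)


def nearly_full_ses(ses):
    """SEs whose used space already exceeds the space still available."""
    return [se for se in ses if se.used_kb > se.avail_kb]


def ce_host(ce):
    """Host name part of the CE endpoint (everything before ':2119/...')."""
    return ce.endpoint.split(":", 1)[0]


if __name__ == "__main__":
    for ce in ces_with_free_cpus(parse_ce_table(CE_OUTPUT), 10):
        print(f"{ce_host(ce):25s} free CPUs: {ce.free}")
    for se in nearly_full_ses(parse_se_table(SE_OUTPUT)):
        print(f"{se.host:25s} used {se.used_kb} Kb > avail {se.avail_kb} Kb")
```

The numbers come from the site information providers via the BDII, so they are only as current and as honest as the publishing site; a broker should treat them as hints for matchmaking, not as guarantees.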
File and replica catalog (LFC)
• Users and their jobs refer to files by logical file name
– lfn:/grid/gilda/sipos/matrix_computation/input1
• File catalog is used to map logical file name to physical file name(s)
– sfn://grid005.iucc.ac.il/storage/gilda/generated/2007-06-23/fileb233d43f-5bc6-4ede-a5fe-611d48be2ba5
• LFC is a central database in the VO
Logging and bookkeeping (LB)
• Job history stored here
– When, what, where, …
• Detailed information, not only a job status value
• LB is a central database in the VO
• Will not be used during the course
– Command line tools to query LB
Computing Element (CE)
• A “core” grid service
– One installation at every grid site
• Exposes computational facility – CPU
• Typically installed on a cluster
[Figure: a job request with the user’s proxy arrives at the Computing element server, which reports to the Information system and to Logging and Bookkeeping and hands the job to the Local Resource Management System (Condor / PBS / LSF master) for execution on the Worker nodes]
Storage Element (SE)
• A “core” grid service
– One installation at every grid site
• Exposes storage facility – Hard disk / tape
[Figure: a file request with the user’s proxy arrives at the Storage Element server (authentication, authorization), which serves the file through storage protocols from Disk or Tape resources]
Who provides the resources?!
Service                   | Provider                              | Note
User interface            | User / institute / VO                 | Computer with client SW
Resource Broker (WMS)     | VOs - EGEE does not fund RBs          |
Information System        | Grid operations - EGEE funded effort  |
File and replica catalog  | VOs - EGEE does not fund catalogs     |
Logging and Bookkeeping   | VOs - EGEE does not fund LB servers   |
Computing Element (CE)    | VOs - EGEE does not fund CEs          | VOs provide resources to match average need
Storage Element (SE)      | VOs - EGEE does not fund SEs          | VOs provide resources to match average need
External services         | User / institute / VO                 | To extend the capabilities of the core infrastructure
Security
• Grid Security Infrastructure (GSI) enables VOs
• gLite security extended GSI
• Two levels of grid security problems
– Network level: Mutual authentication of endpoints; Encrypted messages; Non-repudiation; Integrity (protection against 3rd party changes)
– VO level: Who can be a member of a VO, who cannot? What is a VO member allowed to do? How can software (e.g. a broker) act on your behalf?
Basic concept of GSI
• Asymmetric encryption…
• Every networked entity (user/machine/software) is assigned two keys: one private key and one public key
– Private: only owner knows
– Public: everybody else knows
• Communication concept (simplified version):
1. Public keys are exchanged
2. The sender encrypts the message using the receiver’s public key and the sender’s own private key
3. The receiver decrypts using the receiver’s own private key and the sender’s public key
[Figure: clear text message → encrypted text (Private Key / Public Key) → clear text message]
PKI in action
• Encryption
– Encryption with recipient’s public key
– Only recipient can decrypt the message
[Figure: John encrypts “ciao” with Paul’s public key into “3$r”; Paul decrypts it with his private key back to “ciao”]
• Non-repudiation
– Naive approach: encrypt message with sender’s private key
  Too costly for long messages
– Solution: generate hash of the message (Hash A); encrypt hash with sender’s private key; attach encrypted hash to message (Digital Signature)
– Additional benefit: Integrity (hash is constant)
PKI in action – the big picture
[Figure: Paul hashes the message (Hash A), encrypts the hash with his private key to form the Digital Signature and sends message + signature; John hashes the received message (Hash B), decrypts the signature with Paul’s public key to recover Hash A, and checks Hash B = Hash A?]
• Mutual authentication and exchanging public keys: SSL protocol
Entity identity
• Since I’m the only one with access to my private key, you know I signed the data associated with it
• But, how do you know that you have my correct public key?
Your public and private keys
• User generates public/private key pair in browser or in files
• User sends public key to CA and shows RA proof of identity
• CA signature links identity and public key in certificate. CA informs user.
• Private Key encrypted on local disk: passphrase
• Instructions, tutorials (should be) on CA homepages
[Figure: CA root signs the certificate Request (Public Key) to produce the Cert (ID, Public Key, CA signature); the Private Key never leaves the local disk]
Your certificate and private key
• Do not loan your certificate and private key to anyone!
– Report to CA if your files were compromised (Certificate revocation list)
• Where to store them?
– Store them in your browser
– Store them in a file system you trust
  Different file formats (PEM, P12, …)
– Store them on a USB key
– Store them in MyProxy server
  Obtain short term certificate just before grid interaction
• Every Grid which recognizes your CA will trust your certificate
• CAs recognized by EGEE: http://www.gridpma.org
Grid security at VO level
• Users (and machines) are identified by certificates
• VO Management Service: tool for VO level security
• Steps
– User obtains certificate from Certification Authority (annually)
– User registers at the VO usually via a web form (once)
– VO manager authorizes the user; VO DB updated
– User information is replicated onto VO resources typically within 24 hours (VOMS DB replicated once a day)
• List of EGEE VOs: on CIC Operations Portal
• User’s identity in the Grid = Subject of grid certificate: /C=HU/O=NIIF CA/OU=GRID/OU=NIIF/CN=Gergely Sipos/[email protected]
[Figure: CA → user; user → VO Membership Service → VOMS database → replicated to Grid sites]
Proxy certificates
• Delegation - allows remote processes and services to authenticate on behalf of the user
– Remote process/service “impersonates” the user
• Achieved by creation of a next-level private key–certificate pair from the user’s private key–certificate
– New key-pair is a single file: Proxy credential
– Proxy private key is not protected by password
– Proxy may be valid for limited operations
– Proxy has limited lifetime
• The client can delegate proxies to services, processes
– Each service decides whether it accepts proxies for authentication
Proxy in action
• Login to the grid: Generate a proxy certificate
– Command line tools on a User Interface:
  voms-proxy-init --voms gilda
– From a portal: see P-GRADE Portal tomorrow
[Figure: user certificate + VO roles → Proxy]
External services to gLite
• Where computer science meets the application communities!
• The tools, services used by the VO’s applications
• NA4 Recommended External Software Packages for Egee CommuniTies
– Current RESPECT tools: GridWay, P-GRADE Portal
– http://egeena4.lal.in2p3.fr/ “Grid software” menu
• Production infrastructure contains these services
– Basic gLite services (CE, SE, info, security): Must be complete and robust; should not assume the use of Higher-Level Grid Services
– Higher-level gLite services (WMS, …): help the users building their computing infrastructure but should not be mandatory
[Figure: layered stack – Application toolkits / Higher level gLite services / Command line & APIs / Basic gLite services]
Further information, references
• EGEE – http://www.eu-egee.org/
• gLite middleware – http://www.glite.org
• gLite manuals, documentation – http://glite.web.cern.ch/glite/documentation/ (gLite user guide)
• Recommended External Software Packages for Egee CommuniTies (RESPECT) – http://egeena4.lal.in2p3.fr/