GRID MIDDLEWARE AND SECURITY
Suchandra Thapa
Computation Institute
University of Chicago
NCGS 2009 Chapel Hill
THE OSG COMPUTE ELEMENT
• Introduction to OSG terms
• The OSG compute element
• Grid Middleware
• Web Resources
• Security
• Q&A time
April 22, 2009
BASIC TERMS
• CE – Compute Element
• SE – Storage Element
• VO – Virtual Organization
• WN – Worker Node
• VDT – Virtual Data Toolkit
• DN – Distinguished Name
• GUMS – Grid User Management Server
• CA – Certificate Authority
• CRL – Certificate Revocation List
OSG SOFTWARE STACK
• Consists of: VDT software PLUS additional OSG-specific bits
• E.g. CE VDT subset: Globus, RSV, PRIMA … and another dozen
• OSG bits: information about OSG VOs, OSG configuration script (configure_osg.py)
OVERVIEW OF OSG COMPONENTS
• CE – Compute Element: provides the point of interface for tools attempting to run jobs or work on a cluster. Users submit jobs to this system. OSG provides a package that installs all software needed for this component.
• SE – Storage Element: several implementations (dCache, Bestman). Manages data and storage services on the cluster.
• WN – Worker Node: software found on each compute node on the grid. Provides software that incoming jobs may depend on (e.g. curl, srmcp, gsiftp, etc.).
• Client – Client Software: provides software that users can use to submit and manage jobs and data on OSG. May be superseded by VO-specific software.
• Other tools (more specific and not necessarily used by many people)
OVERVIEW OF CE
• GRAM: allows job submissions and passes them on to the local batch manager
• GridFTP: provides data transfer services into and out of the cluster
• CEMon / GIP: provides information to central services
• Gratia: sends accounting information on jobs run to a central server
• RSV: provides probes to monitor the health of the CE
• User authorization: needed to connect certificates to user accounts
BASIC CE
(Diagram: GRAM, GridFTP, Authorization, RSV, CEMon/GIP and Gratia on the CE; arrows labelled "Submit jobs", "Query" and "Test".)
SOFTWARE OVERVIEW
GRAM
• Two different flavors; OSG provides and supports both; very different implementations
• GT2: what most users and VOs use; very stable and well understood; on the other hand, fairly old
• GT4 (aka WS-GRAM): web-services-enabled job submission; currently in transition; used primarily by LIGO
GRATIA
• Collects information about what jobs have run on your site and by whom
• Hooks into GRAM and/or the job manager
• Sends information to a central server
• Can connect to and query the central service to get reports and graphs
CEMON / GIP
• These work together; essential for accurate information about your site; end-users see this information
• Generic Information Provider (GIP): scripts to scrape information about your site; some information is dynamic (queue length), some is static (site name)
• CEMon: reports information to the OSG GOC's BDII; reports to the OSG Resource Selector (ReSS)
RSV
• System to run tests on various components of your site
• Presents a web page with a red/green overview and links to more specific information on test results
• Optional interface to Nagios
• Can be run on a server other than the CE
GRID SECURITY
• Introduction to OSG terms
• The OSG compute element
• Grid Middleware
• Web Resources
• Security
• Q&A time
CERTIFICATES USED
• OSG uses X.509 certificates for authentication and authorization
• Most certificates are from the DOEGrids certificate chain; obtained from the GOC / need someone to "vouch" for you
• All tools use certificates and verify using certificates
• User submissions (job submission, gsiftp) use proxies signed by the user's X.509 certificate
• Sites and services have certificates which are verified by user tools
CA CERTIFICATES
• What are they? Public certificates for certificate authorities; used to verify the authenticity of user certificates
• Recommended: OSG CA distribution (IGTF + TeraGrid-only)
CERTIFICATE REVOCATION LISTS (CRLs)
• It's not enough to have the CAs
• CAs publish CRLs: lists of certificates that have been revoked; sometimes revoked for administrative reasons, sometimes for security reasons
• On OSG, the default settings update these lists once a day
CERTIFICATE CHECKING
(Diagram: the server checks the presented certificate against the CA list – valid? – then against the CRL list – revoked? – and only if the answer is "No" is the certificate accepted.)
AUTHORIZATION
• Done by gridmap files or GUMS
• Gridmap files are fairly simple: a text file with a DN followed by the local account
• GUMS is the preferred solution for larger sites: a central location for authorization decisions; allows for VO roles and multiple VO membership
GRIDMAP AUTHORIZATION PROCEDURE
(Diagram: Server 1 and Server 2 each hold their own gridmap text file; the user DN taken from the certificate is looked up in each server's file and mapped to a local account, e.g. engage on one server and osg on the other.)
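The gridmap lookup from the two slides above, written out as an added example that is not part of the original slides: it parses grid-mapfile lines (a quoted DN followed by one or more local accounts) and maps a DN to a local account, with each server consulting its own file. The DNs, accounts and file contents are constructed for this example; the DN match is an exact string comparison, as in a plain gridmap file.

```python
"""Gridmap-file lookup: map a certificate DN to a local account (constructed example)."""
import shlex
from typing import Dict, List, Optional

# Constructed grid-mapfile contents. Each non-comment line is a quoted DN
# followed by one or more comma-separated local accounts; the first account
# is the default mapping. DNs and accounts below are made up for this example.
SERVER1_GRIDMAP = """
# grid-mapfile on server 1 (constructed)
"/DC=org/DC=doegrids/OU=People/CN=Example User 12345" engage
"/DC=org/DC=doegrids/OU=Services/CN=pilot/ce.example.org" osg,engage
"""

SERVER2_GRIDMAP = """
# grid-mapfile on server 2 (constructed): same user DN, different local account
"/DC=org/DC=doegrids/OU=People/CN=Example User 12345" osg
"""

USER_DN = "/DC=org/DC=doegrids/OU=People/CN=Example User 12345"
PILOT_DN = "/DC=org/DC=doegrids/OU=Services/CN=pilot/ce.example.org"


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {DN: [accounts...]}; raise on malformed lines."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # the quoted DN may contain spaces
        if len(fields) != 2:
            raise ValueError(f"malformed gridmap line: {raw!r}")
        dn, accounts = fields
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def authorize(gridmap: Dict[str, List[str]], dn: str,
              requested: Optional[str] = None) -> Optional[str]:
    """Return the local account for dn, or None if the DN is not authorized.

    The DN is compared as an exact string, as in a plain gridmap file: a DN
    that is not listed (or that differs by a single character) is rejected.
    """
    accounts = gridmap.get(dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]            # default: the first listed account
    return requested if requested in accounts else None
```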
GUMS AUTHORIZATION PROCEDURE
(Diagram: Server 1 and Server 2 each send the user DN from the certificate together with their own server DN to the central GUMS server, which returns the local account mapping, e.g. engage and osg.)
QUESTIONS? THOUGHTS? COMMENTS?
• Introduction to OSG terms and operations
• Installing an OSG site
• Maintaining a site
• Q&A time
ACKNOWLEDGEMENTS
Alain Roy, Terrence Martin