GEON meeting - May 22, 2006 GAMA 2.0 Features and Status Kurt Mueller SDSC.

Page 1: GAMA 2.0 Features and Status

GEON meeting - May 22, 2006

Kurt Mueller, SDSC

Page 2: GAMA 1 in a nutshell

• A system for creating and managing Grid accounts for portal and application users

• Provides dedicated server installation consisting of Grid software (CACL, MyProxy, CAS) wrapped in web services

• Provides management portlets for easy integration into GridSphere portal framework
  – User account request form
  – Administrative account management console
  – User login through GAMA - retrieves GSI credential

Page 3: GAMA 1 architecture

[Architecture diagram. GAMA server: CACL, MyProxy and CAS behind an AXIS Web Services wrapper, running in a servlet container with a gama DB. Portal server 1 and Portal server 2: GridSphere with gridportlets, a DB and a Java keystore each, also in a servlet container. Flows shown: the portals "create user" and "import user" on the GAMA server; the portals and stand-alone applications "retrieve credential" from it.]

Page 4: GAMA 1 ideal environment

• New portal/Grid project
• No existing users/credentials
• Single administrator
• Globus Grid
• GridSphere portal
• Authorization through grid-mapfile

Page 5: GAMA 1 weaknesses

• Hard to incorporate existing user accounts and Grid credentials

• Hard to use existing infrastructure
  – MyProxy server
  – Other CA packages

• Hard to expand core GAMA functions
  – SRB account creation
  – Authorization - CAS not so useful?
  – Unix accounts
  – grid-mapfile updates

Page 6: Back to the drawing board…

Page 7: GAMA 2 features

• Implementation agnostic
• Extensible through a plug-in architecture
• Workflow system for multi-step operations
• Supports VOs with many sites and independent site administrators
• Provides cluster account management

Page 8: Implementation agnostic

• No explicit reliance on MyProxy, CACL, CAS. Accomplished through a plug-in architecture on GAMA server: use whatever CA you want, whatever credential storage, whatever authorization service, etc.

• GAMA 2 includes CACL, Naregi and MyProxy plugins out of the box

• May also include SRB account management, and other plugins

Page 9: Extensible

• GAMA admin can write task plugins to accomplish novel tasks:
  – Interface with existing infrastructure (authentication/authorization mechanisms, databases, CA packages, etc.)
  – Manage Unix / Windows / physical accounts
  – etc.

Page 10: Extensible

All GAMA tasks extend GAMATask class:

    abstract public class GAMATask {

        // Every task must implement the work it performs.
        abstract public void doTask() throws GAMATaskException;

        // Undo that work when a sequence rolls back. The default does nothing,
        // so a task that changes state should override it.
        public void rollbackTask() throws GAMATaskRollbackException {}

    }

Page 11: Extensible - MyProxyAuthNTask.xml

    <task-def>
      <task-param>
        <param-name>username</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
      </task-param>
      <task-param>
        <param-name>password</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
        <param-nopersist>true</param-nopersist>
      </task-param>
      …
      <task-output>
        <output-name>credentialobject</output-name>
        <output-class>org.globus.gsi.GlobusCredential</output-class>
      </task-output>
      <task-output>
        <output-name>credentialstring</output-name>
        <output-class>java.lang.String</output-class>
      </task-output>
    </task-def>

Page 12: Extensible - MyProxyAuthNTask.java

    import org.globus.myproxy.MyProxy;
    import org.globus.myproxy.MyProxyException;
    import org.ietf.jgss.GSSCredential;

    public class MyProxyAuthNTask extends GAMATask {

        // Not shown on the slide: assumed to be set from the task's item-class-config.
        private MyProxy myproxy;
        private Integer myProxyLifetime;

        public void doTask() throws GAMATaskException {
            String username = (String) getParamObjectByName("username");
            String passwd = (String) getParamObjectByName("password");   // declared param-nopersist in the task-def
            GSSCredential cred;
            try {
                cred = (GSSCredential) myproxy.get(username, passwd, myProxyLifetime.intValue());
            } catch (MyProxyException e) {
                // MyProxy.get throws a checked exception; the GAMATaskException constructor is assumed.
                throw new GAMATaskException("MyProxy retrieval failed: " + e.getMessage());
            }
            getOutputByName("credentialobject").setOutputObject(cred);
            getOutputByName("credentialstring").setOutputObject(cred.toString());
        }
    }

Page 13: Workflow system

• Server operations are customizable and expandable. Uses a workflow system that can execute arbitrary sequences of tasks for any operation, such as “login.”

– GAMA 1 login does one thing: tries to retrieve a credential from MyProxy.

– GAMA 2 login could do a sequence of things: retrieve credential from MyProxy, open an SRB socket connection, write a message to a logfile, etc.

Page 14: Workflow system - MyProxyAuthNSequence.xml

    <sequence-def>
      <sequence-description>GAMA's default MyProxy authentication sequence</sequence-description>
      <sequence-type>authenticate</sequence-type>
      <sequence-type-default>true</sequence-type-default>
      <sequence-rollbackallonfailure>false</sequence-rollbackallonfailure>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.auth.authn.MyProxyAuthNTask</item-class>
        <item-class-config-id>0</item-class-config-id>
        <item-description>simple MyProxy authentication with username and password</item-description>
        <item-rollbackonfailure>false</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>

Page 15: Workflow system - NewUserSetupSequence.xml

    <sequence-def>
      <sequence-description>GAMA's default CACL and MyProxy new user sequence</sequence-description>
      …
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.ca.newuser.CACLNewUserTask</item-class>
        <item-description>Create a new user in CACL</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.myproxy.newuser.MyProxyLoadCredentialsFromCATask</item-class>
        <item-description>Load a user's credentials from CA into MyProxy</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>
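The workflow slides above (pages 13 to 15) show a new-user sequence whose second step depends on the first; the operational risk is a CA identity left behind when the MyProxy step fails. The Java sketch below is an added example, not GAMA's own code: it reimplements the sequence-def flags with constructed in-memory stand-ins for CACL and MyProxy, and interprets item-rollbackonfailure as undoing the failed item and sequence-rollbackallonfailure as undoing every completed item in reverse order, which is this example's reading of the flags since the deck does not define them.

```java
import java.util.*;
// Stand-in for GAMA's task base; the sequence-item flags live on the task here for brevity (assumption).
abstract class GAMATask {
    final String description; final boolean rollbackOnFailure, stopSequenceOnFailure;
    GAMATask(String d, boolean rb, boolean stop) { description = d; rollbackOnFailure = rb; stopSequenceOnFailure = stop; }
    abstract void doTask() throws Exception;
    void rollbackTask() throws Exception {}   // default: nothing to undo
}
// Constructed in-memory stand-ins for the CA user list and the MyProxy repository.
class Backends { static final Set<String> ca = new HashSet<>(), myproxy = new HashSet<>(); static boolean myproxyDown; }
class CACLNewUserTask extends GAMATask {
    final String user;
    CACLNewUserTask(String u) { super("Create a new user in CACL", true, true); user = u; }
    void doTask() { Backends.ca.add(user); }
    void rollbackTask() { Backends.ca.remove(user); }   // undo the identity this task created
}
class MyProxyLoadCredentialsFromCATask extends GAMATask {
    final String user;
    MyProxyLoadCredentialsFromCATask(String u) { super("Load a user's credentials from CA into MyProxy", true, true); user = u; }
    void doTask() throws Exception {
        if (Backends.myproxyDown) throw new Exception("MyProxy unreachable");
        Backends.myproxy.add(user);
    }
    void rollbackTask() { Backends.myproxy.remove(user); }
}

public class Gama2SequenceDemo {
    // Runs a sequence-def's items in order; the failed item is undone if item-rollbackonfailure is set,
    // and every completed item is undone (newest first) if sequence-rollbackallonfailure is set.
    static boolean runSequence(List<GAMATask> items, boolean rollbackAllOnFailure) {
        Deque<GAMATask> completed = new ArrayDeque<>();   // LIFO so rollback runs in reverse order
        for (GAMATask t : items) {
            try { t.doTask(); completed.push(t); continue; }
            catch (Exception e) { System.out.println("FAILED: " + t.description + " (" + e.getMessage() + ")"); }
            if (t.rollbackOnFailure) undo(t);
            if (rollbackAllOnFailure) while (!completed.isEmpty()) undo(completed.pop());
            if (t.stopSequenceOnFailure) return false;
        }
        return true;
    }
    static void undo(GAMATask t) {
        try { t.rollbackTask(); System.out.println("rolled back: " + t.description); }
        catch (Exception e) { System.out.println("ROLLBACK FAILED, needs admin attention: " + t.description); }
    }
    public static void main(String[] args) {
        Backends.myproxyDown = true;   // simulate step 2 failing after step 1 succeeded
        List<GAMATask> newUser = List.of(new CACLNewUserTask("alice"), new MyProxyLoadCredentialsFromCATask("alice"));
        System.out.println("sequence ok: " + runSequence(newUser, true));
        System.out.println("orphaned CA identity left behind: " + Backends.ca.contains("alice"));
    }
}
```

Running the same sequence with rollbackAllOnFailure set to false leaves the CACL entry in place after the failure, which is the half-created identity an administrator would otherwise have to find and clean up by hand.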

Page 16: GAMA 1 server vs. GAMA 2 server

[Architecture diagram comparing the two servers. GAMA 1: a GridSphere portal with an account request portlet, an account admin portlet and a login portlet talking directly to a server holding Naregi, MyProxy and CAS. GAMA 2: the same portlets, an account admin GUI (GridSphere portal), GEMSTONE and Kepler login web service clients all call the GAMA 2 server; its task engine runs the NewUserSequence for "create user" and the AuthNSequence for "login user" against the backends shown (Naregi, MyProxy, CAS, SRB).]

Page 17: Multi-site support

• GAMA 2 server supports multiple sites, each with its own local site administrator

• Site admin logs in to GAMA server and manages accounts for just their site; other sites’ users are not visible. Primary GAMA admin can manage all users.

• GAMA can be configured to perform different sequences of actions for different sites:
  – Site A -> login sequence A
  – Site B -> login sequence B

Page 18: Cluster account management

• GAMA knows about resources such as clusters
  – A resource belongs to a site

• Site admin can specify access permissions for each user on each resource in their site

• Resources can poll GAMA server for list of valid users, and manage individual user accounts and/or grid-mapfile entries accordingly.

• Provides a critical step in cluster management: Rocks for OS/software install, GAMA for users

Page 19: GAMA 2 web services

• Provide a simple API that duplicates GAMA 1 API:
  – authenticateUser()
  – authorizeUser()
  – requestNewUser()
  – …

• Plus new methods for site/resource management:
  – createSite()
  – addNewResource()
  – getResourceUsers()
  – addUserToResource()
  – …

Page 20: GAMA 2 web services

• All web services take as inputs a set of key-value pairs, and produce as outputs another set of key-value pairs

• Allows flexibility for task/sequence writers, at the expense of explicitness:

    String authenticateUser(String username, String password, String lifetime) {…}

  vs.

    HashMap authenticateUser(HashMap inputs) {…}
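Because a HashMap signature no longer states which inputs are required, of what type, or which must not be stored, the task-def (page 11) is where those checks have to come from. The Java example below is added here and is not GAMA's code: it parses a constructed task-def in the shape of MyProxyAuthNTask.xml (the "lifetime" parameter is this example's addition, standing in for the elided part of the file), validates a key-value input map against it, and returns only the values that may be written to a persistent record, so a param-nopersist password never reaches storage or logs.

```java
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class TaskDefCheck {
    // Constructed task-def in the shape of MyProxyAuthNTask.xml; "lifetime" is this example's addition.
    static final String TASK_DEF = "<task-def>"
      + "<task-param><param-name>username</param-name><param-class>java.lang.String</param-class>"
      + "<param-required>true</param-required></task-param>"
      + "<task-param><param-name>password</param-name><param-class>java.lang.String</param-class>"
      + "<param-required>true</param-required><param-nopersist>true</param-nopersist></task-param>"
      + "<task-param><param-name>lifetime</param-name><param-class>java.lang.Integer</param-class>"
      + "<param-required>false</param-required></task-param></task-def>";
    record Param(String name, String cls, boolean required, boolean nopersist) {}
    static List<Param> parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);   // task-defs need no DTD; blocks XXE
        Document d = f.newDocumentBuilder().parse(new java.io.ByteArrayInputStream(xml.getBytes("UTF-8")));
        List<Param> out = new ArrayList<>();
        NodeList ps = d.getElementsByTagName("task-param");
        for (int i = 0; i < ps.getLength(); i++) {
            Element p = (Element) ps.item(i);
            out.add(new Param(text(p, "param-name"), text(p, "param-class"),
                    "true".equals(text(p, "param-required")), "true".equals(text(p, "param-nopersist"))));
        }
        return out;
    }
    static String text(Element p, String tag) {
        NodeList n = p.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }
    // Checks the untyped key-value inputs of a web service call against the task-def and returns
    // only the values that may go into the task's persistent record (nopersist params are dropped).
    static Map<String, Object> validateAndScrub(List<Param> def, Map<String, Object> in) throws Exception {
        Map<String, Object> persistable = new HashMap<>();
        for (Param p : def) {
            Object v = in.get(p.name());
            if (v == null) { if (p.required()) throw new Exception("missing required param: " + p.name()); continue; }
            if (!Class.forName(p.cls()).isInstance(v)) throw new Exception("wrong type for param: " + p.name());
            if (!p.nopersist()) persistable.put(p.name(), v);
        }
        for (String k : in.keySet())
            if (def.stream().noneMatch(p -> p.name().equals(k))) throw new Exception("unexpected param: " + k);
        return persistable;
    }
    public static void main(String[] args) throws Exception {
        Map<String, Object> in = Map.of("username", "alice", "password", "s3cret", "lifetime", 43200);
        System.out.println("safe to persist: " + validateAndScrub(parse(TASK_DEF), in));
    }
}
```

Rejecting keys the task-def does not declare is the part a typed signature gave for free; with a HashMap it has to be done explicitly, otherwise a caller can smuggle extra parameters into whatever task reads the map next.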

Page 21: GAMA server admin GUI demo

Page 22: GAMA 2.0: Steps to completion

• Finish tying in web service interface to task engine

• Complete the administrative GUI
  – Group management
  – Task and sequence management

• Refactor account request and login portlets

• Provide client tools for cluster user management

• Construct server Rocks roll with Naregi, MyProxy and GAMA

Page 23: GAMA: the future

• Explore authentication technologies
  – CAS still useful?
  – Shibboleth / GridShib
  – etc.

• More complete end-to-end user management:
  – grid-mapfile updates on end resources, for instance

• Synchronization / cooperation between multiple GAMA servers across VOs

Page 24: References

• GAMA: http://grid-devel.sdsc.edu/gama
• GridSphere: http://www.gridsphere.org
• CACL: http://www.sdsc.edu/CA
• Naregi CA: https://www.naregi.org/ca
• MyProxy: http://grid.ncsa.uiuc.edu/myproxy
• CAS: http://www.globus.org/security/CAS
• GEON project: http://www.geongrid.org
• Telescience project: http://telescience.ucsd.edu
• NBCR: http://nbcr.sdsc.edu

Page 25: Credits

SDSC/GEON: Kurt Mueller, Sandeep Chandra, Karan Bhatia

UCSD/NCMIR: Abel Lin, Khim Ung, Lu Dai

UCSD/BIRN: Jason Novotny, Ramil Manansala, Jana Nguyen