GEON meeting - May 22, 2006
GAMA 2.0 Features and Status
Kurt Mueller, SDSC
GAMA 1 in a nutshell
• A system for creating and managing Grid accounts for portal and application users
• Provides dedicated server installation consisting of Grid software (CACL, MyProxy, CAS) wrapped in web services
• Provides management portlets for easy integration into the GridSphere portal framework
  – User account request form
  – Administrative account management console
  – User login through GAMA, which retrieves a GSI credential
GAMA 1 architecture
(Diagram.) Portal servers (GridSphere with grid portlets, each with its own Java keystore and database) and stand-alone applications talk to a single GAMA server. The GAMA server runs CACL, MyProxy and CAS behind an AXIS web services wrapper in a servlet container, with a gama database. Operations shown: the portal creates and imports users; portlets and stand-alone applications retrieve credentials.
GAMA 1 ideal environment
• New portal/Grid project
• No existing users/credentials
• Single administrator
• Globus Grid
• GridSphere portal
• Authorization through grid-mapfile
GAMA 1 weaknesses
• Hard to incorporate existing user accounts and Grid credentials
• Hard to use existing infrastructure
  – MyProxy server
  – Other CA packages
• Hard to expand core GAMA functions
  – SRB account creation
  – Authorization (CAS not so useful?)
  – Unix accounts
  – grid-mapfile updates
Back to the drawing board…
GAMA 2 features
• Implementation agnostic
• Extensible through a plug-in architecture
• Workflow system for multi-step operations
• Supports VOs with many sites and independent site administrators
• Provides cluster account management
Implementation agnostic
• No explicit reliance on MyProxy, CACL, CAS. Accomplished through a plug-in architecture on GAMA server: use whatever CA you want, whatever credential storage, whatever authorization service, etc.
• GAMA 2 includes CACL, Naregi and MyProxy plugins out of the box
• May also include SRB account management, and other plugins
Extensible
• GAMA admin can write task plugins to accomplish novel tasks:
  – Interface with existing infrastructure (authentication/authorization mechanisms, databases, CA packages, etc.)
  – Manage Unix / Windows / physical accounts
  – etc.
Extensible
All GAMA tasks extend the GAMATask class. doTask() is abstract and must be implemented; rollbackTask() is given an empty default body here, so a task that has nothing to undo need not override it:

    abstract public class GAMATask {
        …
        abstract public void doTask() throws GAMATaskException;
        public void rollbackTask() throws GAMATaskRollbackException {}
        …
    }
Extensible - MyProxyAuthNTask.xml

    <task-def>
      <task-param>
        <param-name>username</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
      </task-param>
      <task-param>
        <param-name>password</param-name>
        <param-class>java.lang.String</param-class>
        <param-required>true</param-required>
        <param-nopersist>true</param-nopersist>
      </task-param>
      …
      <task-output>
        <output-name>credentialobject</output-name>
        <output-class>org.globus.gsi.GlobusCredential</output-class>
      </task-output>
      <task-output>
        <output-name>credentialstring</output-name>
        <output-class>java.lang.String</output-class>
      </task-output>
    </task-def>

The password parameter is flagged param-nopersist: the passphrase is used for the MyProxy retrieval but is not kept in persisted task state.
Extensible - MyProxyAuthNTask.java

    import org.globus.myproxy.MyProxy;
    import org.ietf.jgss.GSSCredential;

    public class MyProxyAuthNTask extends GAMATask {
        // myproxy (an org.globus.myproxy.MyProxy client) and myProxyLifetime (Integer, seconds)
        // are set up in the part of the class elided on the slide.
        …
        public void doTask() throws GAMATaskException {
            String username = (String) getParamObjectByName("username");
            String passwd = (String) getParamObjectByName("password");
            …
            // Retrieve a delegated proxy from MyProxy with the user's username and passphrase.
            // MyProxy.get() throws the checked MyProxyException, which the elided code must
            // catch and rethrow as GAMATaskException.
            GSSCredential cred = (GSSCredential) myproxy.get(username, passwd, myProxyLifetime.intValue());
            …
            // Note: the task-def declares credentialobject as org.globus.gsi.GlobusCredential,
            // while the object retrieved here is a GSSCredential; any conversion is in the elided code.
            getOutputByName("credentialobject").setOutputObject(cred);
            getOutputByName("credentialstring").setOutputObject(cred.toString());
        }
    }
Workflow system
• Server operations are customizable and expandable. Uses a workflow system that can execute arbitrary sequences of tasks for any operation, such as “login.”
– GAMA 1 login does one thing: tries to retrieve a credential from MyProxy.
– GAMA 2 login could do a sequence of things: retrieve credential from MyProxy, open an SRB socket connection, write a message to a logfile, etc.
Workflow system - MyProxyAuthNSequence.xml

    <sequence-def>
      <sequence-description>GAMA's default MyProxy authentication sequence</sequence-description>
      <sequence-type>authenticate</sequence-type>
      <sequence-type-default>true</sequence-type-default>
      <sequence-rollbackallonfailure>false</sequence-rollbackallonfailure>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.auth.authn.MyProxyAuthNTask</item-class>
        <item-class-config-id>0</item-class-config-id>
        <item-description>simple MyProxy authentication with username and password</item-description>
        <item-rollbackonfailure>false</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>
Workflow system - NewUserSetupSequence.xml

    <sequence-def>
      <sequence-description>GAMA's default CACL and MyProxy new user sequence</sequence-description>
      …
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.ca.newuser.CACLNewUserTask</item-class>
        <item-description>Create a new user in CACL</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
      <sequence-item>
        <item-class>edu.sdsc.gama.server.services.task.myproxy.newuser.MyProxyLoadCredentialsFromCATask</item-class>
        <item-description>Load a user's credentials from CA into MyProxy</item-description>
        <item-rollbackonfailure>true</item-rollbackonfailure>
        <item-stopsequenceonsuccess>false</item-stopsequenceonsuccess>
        <item-stopsequenceonfailure>true</item-stopsequenceonfailure>
      </sequence-item>
    </sequence-def>
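Added example, not GAMA code: a small stand-alone engine that runs a sequence such as NewUserSetupSequence.xml under the per-item and per-sequence flags shown in the two XML files above, together with two constructed tasks that stand in for CACLNewUserTask and MyProxyLoadCredentialsFromCATask. The GAMATask stub mirrors the abstract class on the earlier slide; the exception classes, SequenceItem and SequenceRunner are this example's own, and its reading of the flags (item-rollbackonfailure marks a completed item as eligible for rollback when a later item fails; sequence-rollbackallonfailure overrides that for every completed item) is an assumption, since the slides do not define them. What it shows is why the rollback hook matters for account provisioning: when the MyProxy step fails, the CA user created one step earlier is undone instead of being left behind as a certificate with no retrievable proxy.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Stand-ins for the GAMA classes named on the slides (assumed shape; not edu.sdsc.gama code).
class GAMATaskException extends Exception {
    GAMATaskException(String msg) { super(msg); }
}
class GAMATaskRollbackException extends Exception {
    GAMATaskRollbackException(String msg) { super(msg); }
}
abstract class GAMATask {
    abstract public void doTask() throws GAMATaskException;
    public void rollbackTask() throws GAMATaskRollbackException {}   // default: nothing to undo
}

/** One <sequence-item>: the task plus its three flags from the sequence XML. */
class SequenceItem {
    final GAMATask task;
    final boolean rollbackOnFailure, stopOnSuccess, stopOnFailure;
    SequenceItem(GAMATask task, boolean rollbackOnFailure, boolean stopOnSuccess, boolean stopOnFailure) {
        this.task = task; this.rollbackOnFailure = rollbackOnFailure;
        this.stopOnSuccess = stopOnSuccess; this.stopOnFailure = stopOnFailure;
    }
    String name() { return task.getClass().getSimpleName(); }
}

/** Executes a <sequence-def>; the flag semantics are this example's assumption (see lead-in). */
class SequenceRunner {
    /** Returns true if the sequence ran to completion, false if it stopped on a failure. */
    static boolean run(List<SequenceItem> items, boolean rollbackAllOnFailure, List<String> log) {
        List<SequenceItem> completed = new ArrayList<>();
        for (SequenceItem item : items) {
            try {
                item.task.doTask();
                completed.add(item);
                log.add("ok: " + item.name());
                if (item.stopOnSuccess) return true;
            } catch (GAMATaskException e) {
                log.add("failed: " + item.name() + " (" + e.getMessage() + ")");
                // Undo completed items in reverse order, so the most recent side effects go first.
                for (int i = completed.size() - 1; i >= 0; i--) {
                    SequenceItem prev = completed.get(i);
                    if (rollbackAllOnFailure || prev.rollbackOnFailure) {
                        rollback(prev, log);
                        completed.remove(i);
                    }
                }
                if (item.stopOnFailure) return false;
            }
        }
        return true;
    }

    private static void rollback(SequenceItem item, List<String> log) {
        try {
            item.task.rollbackTask();
            log.add("rolled back: " + item.name());
        } catch (GAMATaskRollbackException e) {
            // A failed rollback is exactly the state an admin must hear about; never swallow it.
            log.add("ROLLBACK FAILED: " + item.name() + " (" + e.getMessage() + ")");
        }
    }
}

/** Constructed stand-in for CACLNewUserTask: "issues" a certificate by recording the DN. */
class FakeCaNewUserTask extends GAMATask {
    static final Set<String> issued = new HashSet<>();
    private final String dn;
    FakeCaNewUserTask(String dn) { this.dn = dn; }
    public void doTask() { issued.add(dn); }
    public void rollbackTask() { issued.remove(dn); }   // undo exactly what doTask did
}

/** Constructed stand-in for MyProxyLoadCredentialsFromCATask whose server is unreachable. */
class FailingMyProxyLoadTask extends GAMATask {
    public void doTask() throws GAMATaskException {
        throw new GAMATaskException("myproxy server unreachable");
    }
}

public class SequenceDemo {
    public static void main(String[] args) {
        // The two items of NewUserSetupSequence.xml: rollbackonfailure=true, stopsequenceonfailure=true.
        List<SequenceItem> newUser = new ArrayList<>();
        newUser.add(new SequenceItem(new FakeCaNewUserTask("/O=GEON/OU=SDSC/CN=alice"), true, false, true));
        newUser.add(new SequenceItem(new FailingMyProxyLoadTask(), true, false, true));

        List<String> log = new ArrayList<>();
        boolean ok = SequenceRunner.run(newUser, false, log);
        for (String line : log) System.out.println(line);
        System.out.println("sequence completed: " + ok
                + "; CA users left without a MyProxy entry: " + FakeCaNewUserTask.issued);
    }
}
```

Because the CA stand-in's rollbackTask() removes the DN it recorded, the set of issued users is empty after the failed run: the sequence stops, but it stops in a clean state. Swap the second item's flag to rollbackonfailure=false and the DN stays behind, which is the orphaned-credential case a provisioning sequence should never produce.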
(Diagram: GAMA 2 architecture.) Clients are a GridSphere portal with account request, account admin and login portlets, an account admin GUI (GridSphere portal), and login web service clients in GEMSTONE and Kepler. They call the GAMA 2 server, whose task engine runs sequences (NewUserSequence for "create user", AuthNSequence for "login user") against plugins for Naregi, MyProxy, CAS, SRB, …
Multi-site support
• GAMA 2 server supports multiple sites, each with its own local site administrator
• A site admin logs in to the GAMA server and manages accounts for just their site; other sites' users are not visible. The primary GAMA admin can manage all users.
• GAMA can be configured to perform different sequences of actions for different sites:
  – Site A -> login sequence A
  – Site B -> login sequence B
Cluster account management
• GAMA knows about resources such as clusters
  – A resource belongs to a site
• Site admin can specify access permissions for each user on each resource in their site
• Resources can poll the GAMA server for the list of valid users, and manage individual user accounts and/or grid-mapfile entries accordingly
• Provides a critical step in cluster management: Rocks for OS/software install, GAMA for users
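Added example, not GAMA code, for the polling bullet above: a resource-side reconciler that takes the list of valid users a cluster would fetch from the GAMA server (the getResourceUsers() call named on the web services slide) and brings its grid-mapfile into line with it. The file handling, the Result type and the sample data are this example's own: the user list is a constructed Map of DN to local account, and the current grid-mapfile is a constructed string in the usual `"<DN>" <account>` layout. The point it makes is the revocation direction: an entry GAMA no longer lists is removed, so revoking a user in GAMA actually closes the door on the cluster at the next poll, rather than only opening doors for new users.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Resource-side grid-mapfile reconciliation against GAMA's list of valid users. */
public class GridMapSync {
    /** Result of one reconciliation: the new file text plus what changed, for the resource's log. */
    static final class Result {
        final String newText;
        final Set<String> added = new TreeSet<>(), removed = new TreeSet<>(), remapped = new TreeSet<>();
        Result(String newText) { this.newText = newText; }
    }

    /** Parses grid-mapfile text into DN -> local account; comments, blank and malformed lines are skipped. */
    static Map<String, String> parse(String text) {
        Map<String, String> map = new LinkedHashMap<>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int close = line.lastIndexOf('"');
            if (!line.startsWith("\"") || close == 0) continue;   // the DN must be a quoted string
            String dn = line.substring(1, close);
            String account = line.substring(close + 1).trim();
            if (!account.isEmpty()) map.put(dn, account);
        }
        return map;
    }

    /** Builds the new file from the authoritative GAMA list and records the differences. */
    static Result reconcile(String currentText, Map<String, String> validUsers) {
        Map<String, String> current = parse(currentText);
        StringBuilder out = new StringBuilder("# managed by GAMA sync; local edits are overwritten\n");
        for (Map.Entry<String, String> e : validUsers.entrySet())
            out.append('"').append(e.getKey()).append("\" ").append(e.getValue()).append('\n');
        Result r = new Result(out.toString());
        for (String dn : validUsers.keySet()) {
            if (!current.containsKey(dn)) r.added.add(dn);
            else if (!current.get(dn).equals(validUsers.get(dn))) r.remapped.add(dn);
        }
        for (String dn : current.keySet()) if (!validUsers.containsKey(dn)) r.removed.add(dn);
        return r;
    }

    public static void main(String[] args) {
        // Constructed current grid-mapfile on the cluster.
        String current = "# grid-mapfile\n"
            + "\"/O=GEON/OU=SDSC/CN=alice\" alice\n"
            + "\"/O=GEON/OU=SDSC/CN=bob\" bob\n"        // bob has since been revoked in GAMA
            + "\"/O=GEON/OU=SDSC/CN=carol\" guest\n";   // carol is now mapped to her own account
        // Constructed answer to the getResourceUsers() poll: DN -> local account.
        Map<String, String> valid = new LinkedHashMap<>();
        valid.put("/O=GEON/OU=SDSC/CN=alice", "alice");
        valid.put("/O=GEON/OU=SDSC/CN=carol", "carol");
        valid.put("/O=GEON/OU=SDSC/CN=dave", "dave");

        Result r = reconcile(current, valid);
        System.out.println("added=" + r.added + " removed=" + r.removed + " remapped=" + r.remapped);
        System.out.print(r.newText);
    }
}
```

In a real poller the new text should be written to a temporary file in the same directory and renamed over the grid-mapfile, so the gatekeeper never reads a half-written file, and the removed and remapped sets should be logged: a DN silently losing or changing its local mapping is the kind of event a site admin wants to be able to audit.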
GAMA 2 web services
• Provide a simple API that duplicates the GAMA 1 API:
  authenticateUser()
  authorizeUser()
  requestNewUser()
  …
• Plus new methods for site/resource management:
  createSite()
  addNewResource()
  getResourceUsers()
  addUserToResource()
  …
GAMA 2 web services
• All web services take as input a set of key-value pairs, and produce as output another set of key-value pairs
• Allows flexibility for task/sequence writers, at the expense of explicitness:

    String authenticateUser(String username, String password, String lifetime) {…}

  vs.

    HashMap authenticateUser(HashMap inputs) {…}
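Added example, not GAMA code, for this slide and for the MyProxyAuthNTask.xml task-def earlier: with the HashMap form of the API, the compiler no longer checks that a caller supplied a username and password of type String, so the server has to do it from the task-def. The validator below parses the two <task-param> elements shown on the task-def slide (embedded here as a constructed string, without the elided part) with the JDK's own DOM parser, then checks a key-value request for missing required parameters, wrong parameter classes and unexpected keys, and produces a copy of the inputs with param-nopersist values dropped so the password never reaches a log or database. The class and method names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class TaskInputValidator {
    /** One <task-param> from a task-def. */
    static final class ParamSpec {
        final String name; final Class<?> type; final boolean required, nopersist;
        ParamSpec(String name, Class<?> type, boolean required, boolean nopersist) {
            this.name = name; this.type = type; this.required = required; this.nopersist = nopersist;
        }
    }

    /** Parses the <task-param> elements of a task-def document. */
    static List<ParamSpec> parseTaskDef(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Task-defs come from the admin, but harden the parser anyway: no DTDs, so no external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<ParamSpec> specs = new ArrayList<>();
        NodeList params = doc.getElementsByTagName("task-param");
        for (int i = 0; i < params.getLength(); i++) {
            Element p = (Element) params.item(i);
            specs.add(new ParamSpec(text(p, "param-name"),
                                    Class.forName(text(p, "param-class")),
                                    Boolean.parseBoolean(text(p, "param-required")),
                                    Boolean.parseBoolean(text(p, "param-nopersist"))));
        }
        return specs;
    }

    private static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    /**
     * Checks a key-value request against the spec; returns the problems found (empty = accepted).
     * Unknown keys are rejected too: with HashMap inputs nothing else stops a caller from passing
     * extra parameters to a task that happens to read them.
     */
    static List<String> validate(Map<String, Object> inputs, List<ParamSpec> specs) {
        List<String> problems = new ArrayList<>();
        Set<String> known = new HashSet<>();
        for (ParamSpec s : specs) {
            known.add(s.name);
            Object v = inputs.get(s.name);
            if (v == null) {
                if (s.required) problems.add("missing required parameter: " + s.name);
            } else if (!s.type.isInstance(v)) {
                problems.add(s.name + " must be " + s.type.getName() + ", got " + v.getClass().getName());
            }
        }
        for (String k : inputs.keySet()) if (!known.contains(k)) problems.add("unexpected parameter: " + k);
        return problems;
    }

    /** Copy of the inputs that is safe to log or persist: param-nopersist values (the password) are dropped. */
    static Map<String, Object> persistable(Map<String, Object> inputs, List<ParamSpec> specs) {
        Map<String, Object> out = new LinkedHashMap<>(inputs);
        for (ParamSpec s : specs) if (s.nopersist) out.remove(s.name);
        return out;
    }

    // Constructed task-def: the two <task-param> elements of MyProxyAuthNTask.xml as shown on the slide.
    static final String MYPROXY_AUTHN_DEF = "<task-def>"
        + "<task-param><param-name>username</param-name><param-class>java.lang.String</param-class>"
        + "<param-required>true</param-required></task-param>"
        + "<task-param><param-name>password</param-name><param-class>java.lang.String</param-class>"
        + "<param-required>true</param-required><param-nopersist>true</param-nopersist></task-param>"
        + "</task-def>";

    public static void main(String[] args) throws Exception {
        List<ParamSpec> specs = parseTaskDef(MYPROXY_AUTHN_DEF);
        Map<String, Object> good = new LinkedHashMap<>();
        good.put("username", "alice"); good.put("password", "s3cret");
        Map<String, Object> bad = new LinkedHashMap<>();
        bad.put("username", 42); bad.put("lifetime", "3600");   // wrong type, password missing, unknown key
        System.out.println("good: " + validate(good, specs) + ", persist as " + persistable(good, specs));
        System.out.println("bad:  " + validate(bad, specs));
    }
}
```

Run the validation before the task engine is handed the map and log only the persistable() view; the explicit String-typed signature gave both of those for free, and the key-value form only keeps them if the server reinstates them from the task-def.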
GAMA server admin GUI demo
GAMA 2.0: Steps to completion
• Finish tying in the web service interface to the task engine
• Complete the administrative GUI
  – Group management
  – Task and sequence management
• Refactor account request and login portlets
• Provide client tools for cluster user management
• Construct a server Rocks roll with Naregi, MyProxy and GAMA
GAMA: the future
• Explore authentication technologies
  – CAS still useful?
  – Shibboleth / GridShib
  – etc.
• More complete end-to-end user management: grid-mapfile updates on end resources, for instance
• Synchronization / cooperation between multiple GAMA servers across VOs
References
• GAMA: http://grid-devel.sdsc.edu/gama
• GridSphere: http://www.gridsphere.org
• CACL: http://www.sdsc.edu/CA
• Naregi CA: https://www.naregi.org/ca
• MyProxy: http://grid.ncsa.uiuc.edu/myproxy
• CAS: http://www.globus.org/security/CAS
• GEON project: http://www.geongrid.org
• Telescience project: http://telescience.ucsd.edu
• NBCR: http://nbcr.sdsc.edu
Credits
SDSC/GEON: Kurt Mueller, Sandeep Chandra, Karan Bhatia
UCSD/NCMIR: Abel Lin, Khim Ung, Lu Dai
UCSD/BIRN: Jason Novotny, Ramil Manansala, Jana Nguyen