Gridification components


WP4 Gridification
Subsystem overlap
Globus & existing systems
LCAS and AAA in WP4
for Gridification Task: David Groep
WP4 Gridification components
External



issues relating to the three core Grid protocols (GRAM, GSIFTP, GRIP)
network issues (firewall admin, NAT)
fabric authorization interoperability (multi-domain, AAA, co-allocation)
Internal


(“Grid”) components
components
authenticated installation services
secure bootstrapping services
David Groep – WP4 gridification subsystem overlaps – 2001.11.27 - 2
WP4 Subsystems and relationships (D4.2)
Job submission protocol & interface

Current Globus design





Gatekeeper does authentication, authorization and user mapping
RSL passed to JobManager
authorization and user mapping done quite early in the process
Identical components



GRAM (attributes over HTTPS)
Identified design differences


Client tools connect to gatekeeper
Protocol must stay the same (GRAM)
Separation of JobManager (closer to RMS) and GateKeeper will remain
Issues: scalability problems with many jobs within one centre (N jobmanagers)
authorization cannot take into account RMS state (budget, etc.)
Authorization and AAA

Current Globus design:



No dynamic per-site authorization decisions
Identified design points



Authorization and user mapping are combined in one
new design, taking concepts from generic AAA architectures
coordinate with AuthZ group and GGF
Identical components



towards generic AAA architectures/servers
distributed AAA decisions/brokering
concepts from new SciDAC/SecureGRID/AAAARCH
Accounting framework yet to be considered…
Local Centre AuthZ Service (LCAS) future

Integrate in generic AAA ARCH

being developed in IRTF (experimental)

co-allocation of resources

incorporates site-local policies

use existing policy languages


Ponder, AAAARCH language, …?
complementary to CAS
Credential Mapping

Current Globus design:





Kerberos by external service (sslk5)
Extend for multiple credential types
move to later in the process (after AAA decision)
Identical components



Currently by GateKeeper/GridMapDir (on connection establishment)
Identified design points


Authorization and user mapping are combined
gridmapdir patch by Andrew McNab
sslk5/k5cert service
Issues in current design

mapping may be expensive (updating password files, NIS, LDAP, etc.)
Information Services (GriFIS)

Current design:





NO fundamental changes
More information providers (CDB)
Correlators between RMS, Monitoring and CDB (internal WP4 components)
Identical components



Modular information providers
Identified design points


MDS2.1 (or compatible): LDAP with back-ends
MDS2.1, F-tree and/or GMA/R-GMA
Some of the information providers
Issues in current design


Evaluation of WP3 framework still in progress
Wide variety of frameworks in general, but all seem currently interchangeable
Network access to large fabrics

Current Globus design


Identified design differences




Is not in scope of Globus toolkit
Needed component for large farms
Needed for bandwidth provisioning/brokerage
Farm nodes not visible from outside!
Identical components




0th order: no functionality
1st order: IP Masquerading routers
2nd order: IP Masq & protocol translation (IPv6 → IPv4 and v.v.)
later: use of intelligent edge devices, managed bandwidth (and connections) per job, AAA interaction (with LCAS)
Key overlaps & differences
Globus provides adequate components for much of the functionality
Lacking





Generic and distributed AAA
too-early relinquishing of credential mapping capabilities in gatekeeper
does not address intra-fabric security concerns (FLIdS)
information providers for whatever the framework will be
managed network access
Key



components
components to stay compatible
GRAM protocol & RSL forwarding [Globus,GGF]
Information framework (GIS, GMA, R-GMA, …) [Globus,GGF and EDG WP3]
Security methods and protocols (X.509, SSL, …)