Transcript 20070424-grids-robinson
Constructing Campus Grids
Experiences adapting myVocs to UABgrid
John-Paul Robinson
High Performance Computing Services
Office of the Vice President for Information Technology
University of Alabama at Birmingham
Internet2 Spring Member Meeting
April 2007
Overview
UAB CyberInfrastructure
UABgrid
myVocs
myVocs box
myVocs box on UABgrid
Setting Up a VO
Future Directions
UAB CyberInfrastructure
UAB HPC Resources
Shared HPC Facility has 4 clusters
Computer Science HPC Facility has 2 clusters
UAB overall HPC computing power has been tripling approximately on a 2-year cycle during the past 4 years
Optical Networks – campus & regional
UABgrid – a campus computing and collaboration environment
UAB HPC Resources
IBM BlueGene/L System (most recent)
2 Dell Xeon 64-bit Linux Clusters
128 nodes
4 TB disk storage
Gigabit and Infiniband interconnect
2 Verari Opteron 64-bit Linux Clusters
64 and 32 nodes
2 GB RAM per node
Gigabit interconnect
IBM Xeon 32-bit Linux Cluster
64 Nodes, Gigabit interconnect
UAB 10GigE Research Network
Build high bandwidth network linking UAB compute clusters
Leverage network for staging and managing grid-based compute jobs
Connect directly to high-bandwidth regional networks
UABgrid
Common interface for access to HPC infrastructure
Leverage UAB identity management system for consistent identity across resources
Provide access to regional, national, and international collaborators using Shibboleth identity framework
Support research collaboration through autonomous virtual organizations
UABgrid Architecture
Leverages IdM investments via InCommon
Provides collaboration environment for autonomous virtual organizations
Supports integration of local, shared, and regional resources
UAB Office of the VP of IT
CyberInfrastructure Vision
10 Gigabit Ethernet optical network links major research areas in state
High performance computation resources distributed across state
Campus grids like UABgrid provide uniform access to computational resources
Regional grids like SURAgrid provide access to aggregate computational power and unique resources
Alabama Regional Optical Network
Alabama RON is a very high bandwidth lambda network, operated by SLR.
Connects major research institutions across state
Connects Alabama to National Lambda Rail and Internet2 – projected completion for 2007
Aggregating Resources
UABgrid 2.0, powered by myVocs, to begin pilot operation Summer 2007
Exploring grid interconnection with Alabama Supercomputer Authority and UA System to aggregate resources in state
Continuing participation with SURAgrid to aggregate resources in region
UABgrid Background
Project grew out of NMI Testbed participation, complemented by participation in developing SURAgrid
Initially an integration of campus identity with grid credentials using Pubcookie to issue certificates from UABgrid CA
Initial tool integration based exclusively on identity
UABgrid CA: credentials used by grid computing courses; part of SURAgrid Bridge CA
Limitations of Initial Version
No virtual organization support or other authorization attributes
UABgrid CA key escrow limits trust
Support for non-UAB users limited
Inter-domain trust via web user interface doesn't scale well
Complementary Activities
“NMI Enabled Open Source Collaboration Tools for Virtual Organization” grant explores middleware integration (2003)
Mailing list system integration discussions in Internet2 Mlist working group leads to “Shibboleth Systems” insights (2004)
myVocs.org developed as demonstration of Shibboleth system (2005)
GridShib collaboration expands system reach to Globus-based grid resources (2006)
myVocs box built to ease deployment (2006)
“Shibboleth System”
Simplified, strict “federation” of one identity provider (IdP) with many resource providers reflects trust model of traditional system environments
Using Shibboleth for intra-system attribute transfer supports applications distributed across domain boundaries
The system can receive outside attributes from standard Shibboleth IdP federations
Essentially a proxy identity provider
myVocs
Demonstration virtual organization collaboration environment at myVocs.org
Use Shibboleth for identity management and attribute distribution
Leverage wealth of open source web applications for VO collaboration tools
Globus provides distributed computation foundation
GridShib binds Shibboleth and Globus for common attribute foundation
myVocs Solves the Attribute Puzzle
[Diagram, built up over several slides: Identity Providers (IdP1, IdP2, ... IdPn) supply Univ Attributes; myVocs adds VO Attributes; Applications (App1, App2, ... Appn) receive both]
A Look Inside myVocs
[Diagram: UAB IdP, UIUC IdP, Open IdP and Other IdPs feed a Shibboleth SP; attributes flow into the VO Attribute Store and out through a VO IdP with GridShib to VO SPs (Mail List, Wiki, CMS) and, via Globus, to Grid Apps]
myVocs is a “modern application environment” (in spirit of RL Bob's Middleware picture from this morning)
Collaboration application scalability
Many users, many organizations, many tools, many kinds of existing infrastructure
Deployment manages application access
myVocs box
A virtual machine instance of myvocs.org
Instantiates working federated platform
Allows stand-alone exploration of federation middleware
Simplify construction of federated system environments
Support development of federated applications
Conceptualize complex federations as simple federations in layers
myVocs box Contents
Debian GNU/Linux minimal system install
Shibboleth IdM infrastructure
Simplified group management with Sympa
Dynamically allocated collaboration tools
GridShib CA and IdP interfaces
Short-circuit identity provider
Basic tools to support stand-alone operation
Running myVocs box
Download virtual machine image from http://myvocs-box.myvocs.org
Run it with VMware Player or Server
Put myvocs-box IP in /etc/hosts
Point browser at http://myvocs-box
Explore VO management & sample web tools
UABgrid 2.0
Use of myVocs collaboration environment architecture resolves limitations of initial version
Leverage myVocs box instance as the VO management platform
UABgrid CA aligned with PKI-lite
GridShib CA supports grid credential assignment without key escrow
InCommon federation supplies identities and other useful attributes
UABgrid and myVocs
[Diagram: UAB IdP and Other IdPs feed a Shibboleth SP; attributes flow into the VO Attribute Store and out through a VO IdP with GridShib to VO SPs serving Web Apps and, via Globus, Grid Apps]
UABgrid running myVocs box
Know the network profile configuration
Import myVocs box into local namespace
Integrate with local trust environment
Hook in identity providers
Establish virtual organizations
Migrate existing resources
Integrate new resources
Network Profile
Default ports HTTP, HTTPS, SSH. OK
No firewall rules. OK
Public default root password. Not OK
Import into Namespace
“Import” into namespace means assign appropriate local host name
Host name change affects system, web server, Shibboleth, and messaging
System name is standard host name change process
Web server has static rule with default host name
Shibboleth has host name in config and metadata
Messaging requires Sendmail to masquerade as new host name and to listen on external interface
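An added audit script (my example, not the myVocs box's own tooling) that walks the four stores the slide lists and flags any that still carry the default host name, lack the new one, or leave Sendmail bound to loopback; the Debian-style paths under the box's filesystem root, the `Addr=127.0.0.1` loopback indicator and the sample host name uabgrid.example.edu are assumptions.

```shell
#!/bin/sh
# Post-import audit for a renamed myVocs box (added example, not project code).
# The slides name four places the host name lives: system name, web server's
# static rule, Shibboleth config/metadata, Sendmail masquerade. File paths and
# the loopback check are ASSUMED Debian-style defaults, not from the box itself.
OLD_HOST="myvocs-box"   # default name shipped in the VM image

# leftover_refs ROOT NEW_HOST: report (on stderr) each config file under ROOT
# that still carries the default name, lacks the new one, or keeps Sendmail
# on loopback only; prints the number of problem files on stdout (0 = done).
leftover_refs() {
    root="$1"; new="$2"; count=0
    for f in "$root/etc/hostname" \
             "$root/etc/apache2/sites-available/default" \
             "$root/etc/shibboleth/shibboleth.xml" \
             "$root/etc/shibboleth/metadata.xml" \
             "$root/etc/mail/sendmail.mc"; do
        if [ ! -f "$f" ]; then
            echo "MISSING       $f" >&2; count=$((count + 1))
        elif grep -qF "$OLD_HOST" "$f"; then
            echo "LEFTOVER      $f" >&2; count=$((count + 1))
        elif ! grep -qF "$new" "$f"; then
            echo "NO-NEWNAME    $f" >&2; count=$((count + 1))
        elif grep -qF "Addr=127.0.0.1" "$f"; then
            # Sendmail must listen on the external interface, not just loopback.
            echo "LOOPBACK-ONLY $f" >&2; count=$((count + 1))
        fi
    done
    echo "$count"
}

# make_sample_box DIR NEW_HOST: constructed fixture of a box half-way through
# the rename (Apache rule and Shibboleth metadata stale, Sendmail on loopback).
make_sample_box() {
    d="$1"; new="$2"
    mkdir -p "$d/etc/apache2/sites-available" "$d/etc/shibboleth" "$d/etc/mail"
    echo "$new" > "$d/etc/hostname"
    echo "ServerName $OLD_HOST" > "$d/etc/apache2/sites-available/default"
    echo "<SPConfig providerId=\"https://$new/shibboleth\"/>" > "$d/etc/shibboleth/shibboleth.xml"
    echo "<EntityDescriptor entityID=\"https://$OLD_HOST/shibboleth\"/>" > "$d/etc/shibboleth/metadata.xml"
    { echo "MASQUERADE_AS(\`$new')dnl"
      echo "DAEMON_OPTIONS(\`Addr=127.0.0.1, Name=MTA')dnl"; } > "$d/etc/mail/sendmail.mc"
}

# Stand-alone demo on the constructed fixture: reports 3 files needing attention.
DEMO=$(mktemp -d)
make_sample_box "$DEMO" "uabgrid.example.edu"
echo "files still needing attention: $(leftover_refs "$DEMO" "uabgrid.example.edu")"
rm -rf "$DEMO"
```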
Integrate with Local Trust Environment
UABgrid CA defines PKI trust environment for hosts and users on UABgrid
UABgrid CA will define trust foundation for myVocs box and UABgrid metadata
Migration from default myVocs box trust configuration delayed temporarily to speed exploration of other parts of implementation
Default myVocs config “works” with a false sense of self
Hook in Identity Providers
The goal is to make UABgrid an InCommon application
InCommon will be primary identity federation for UABgrid
UABgrid operating policy for InCommon is being developed
Initial draft awaiting review
Two levels of access with different attribute requirements: collab tools & compute resources
OpenIdP.org in use for initial testing
Establish Virtual Organization
VOs are easy to create by way of the Sympa interface
HPC Services group has existing virtual organization called the Advanced Technology Lab (@lab)
@lab selected for migration to UABgrid VO (Drupal, mailing list, Connotea, Trac, etc.)
6 core members with additional affiliates
@lab will be used to manage UABgrid using UABgrid (eat own dog food)
UABgrid Management Project
cfengine for configuration management
All nodes will need Globus + GridShib stack to accept “management” jobs
Authorization to execute jobs comes from @lab VO role
Taking system perspective provides a simplistic model to support construction of infrastructure
Still early on, but grid management using the grid infrastructure is the goal
Experience: Authentication
Shibboleth clearly sufficient for web applications
User certs via GridShib CA interface good for non-web applications
Flexible yet consistent session lifetime management needed – can be achieved for now via published practices
Essentially, authentication needs can be pretty well satisfied with existing technology
Experience: Authorization
Default myVocs authz roles OK for smaller groups (only 3 roles)
No central PDP (each app decides meaning of roles) good for enabling integration rather than enforcing it (applications just receive consistent attributes)
Managing multiple apps independently can be time consuming; use a small number
Experience: Applications
Sample applications in myVocs box are OK for working groups due to scale
Sample web applications dated – the current sample apps need to be updated to latest releases and modernized
Management of some application features requires file system access – need owner/admin file UI for web applications
Need registration UI for additional apps
GridShib for Globus is for WS (i.e. not SSH)
Experience: Final Thought
Don't get lost in the technology.
Shibboleth and Globus are just the means to building user-driven, federated system environments
Remaining Tasks
Integrate myVocs box with UABgrid trust fabric
Migrate existing applications used by @lab – requires some development work to address Shibboleth support
Integrate additional resources – on-going evaluation of application needs for this and other VOs
Migrate other existing working groups to UABgrid 2.0 (a.k.a. buy-in)
The Future
UABgrid 2.0
Pilot begins summer 2007
Explore grid-based integration with UA System and Alabama Supercomputer Authority
Recruiting additional manpower
myVocs box
Will continue to be leveraged on UABgrid for development efforts and improved as VO management platform
Performance of VM analyzed
Ease of administration improved
Shibboleth trust management, additional attributes
Acknowledgments
NSF ANI-0330543 “NMI Enabled Open Source Collaboration Tools for Virtual Organization”
Office of the Vice President for Information Technology, University of Alabama at Birmingham
Projects: SURAgrid, GridShib, Internet2
People: Jill Gemmill, Tom Scavo, Von Welch,
Jim Phelps, Michael Schiffers, David Shealy
References
UAB CyberInfrastructure Planning
UABgrid
http://uabgrid.uab.edu
myVocs & myVocs box
http://www.uab.edu/it/CyberInfrastructure
http://myvocs.org
OpenIdP.org
http://openidp.org