Research and NeSC Applications
1 / 31

Research and NeSC Applications Prof Richard Sinnott Technical Director National e-Science Centre - PowerPoint PPT Presentation

  • Uploaded on

Research and NeSC Applications Prof Richard Sinnott Technical Director National e-Science Centre [email protected] 26 th October 2006. The Context. There are many Grids There are many ways to build Grids There are many different middleware competing in this space

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Research and NeSC Applications Prof Richard Sinnott Technical Director National e-Science Centre' - gratia

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Research and NeSC Applications

Prof Richard Sinnott

Technical Director National e-Science Centre

[email protected]

26th October 2006

The context
The Context

  • There are many Grids

  • There are many ways to build Grids

  • There are many different middleware competing in this space

  • People say Grid in grants and then build web services because Grid middleware is too hard

  • There are many agendas

    • big business, academic, …

  • There are many moving targets

    • changing middleware, changing standards, changing sciences resources/questions/funding streams…

  • There is a lot of hype

  • There is a lot of money available

  • There are lots of projects and big scientific challenges

  • There is an urgent need to build user communities

  • There needs to have much more research pull than middleware push

    • … there are many more things that could go here!

Data grids for high energy physics

Online System

Tier2 Centre ~1 TIPS

Caltech ~1 TIPS

Tier2 Centre ~1 TIPS

Tier2 Centre ~1 TIPS

Tier2 Centre ~1 TIPS






1 TIPS is approximately 25,000

SpecInt95 equivalents

Physicists work on analysis “channels”.

Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server

Pentium II 300 MHz

Pentium II 300 MHz

Pentium II 300 MHz

Pentium II 300 MHz

Data Grids for High Energy Physics


~100 MBytes/sec

Offline Processor Farm

~20 TIPS

There is a “bunch crossing” every 25 nsecs.

There are 100 “triggers” per second

Each triggered event is ~1 MByte in size

LCG/gLite middleware

(Large scale data

management, large

scale compute resource

management, resource


~100 MBytes/sec

Tier 0

CERN Computer Centre

~622 Mbits/sec

Tier 1

France Regional Centre

Germany Regional Centre

Italy Regional Centre

FermiLab ~4 TIPS

~622 Mbits/sec

Tier 2

~622 Mbits/sec

Institute ~0.25TIPS




Physics data cache

~1 MBytes/sec

Tier 4

Physicist workstations

Challenges of nanocmos design
Challenges of NanoCMOS Design

OMII-UK middleware

(workflows, security,

data management,

resource management,





The e health future
The e-Health Future…

Globus/WS- middleware

(fine grained security,

data access/integration,

exponential data growth,

keep it simple!)




Protein functions

Protein Structures



Gene expressions


Nucleotide structures

Cell signalling

Nucleotide sequences

Protein-protein interaction (pathways)

Nesc research
NeSC Research…

  • Most NeSC Glasgow research is on security and ease of use across various application domains

  • NeSC Edinburgh focus is on middleware development especially Grid data access/integration (OGSA-DAI, DAIT, OMII-UK, eDIKT), high performance networking, data curation ….

Ease of use
Ease of Use

  • (…and setting the scene for some of the later demonstrations)

  • For Grids/e-Research to be truly successful

    • have to be made as seamless to access and use as the internet

      • Forget training, education for some (most?) users!

    • have to be based on research pull and not middleware push

    • experiences in various projects have shown that users don’t like digital certificates

      • The majority most certainly won’t jump through hoops to get on the Grid

Single sign on
Single Sign-On

  • X.509 certificate based PKI common to many Grid efforts (including UK)

    • Step 1.

      • Get a certificate

    • Step 2.

      • Get your DN registered at places you expect to use

    • Step 3.

      • Read the manuals (Globus, gLite, …) for how to submit/run a job

Step 1
Step 1

  • In UK e-Science community X.509 PKI based on centralised CA with direct single hierarchy to users

    • Typical scenario for getting Grid certificate


2. Check detailsof request

  • Request certificate

  • (

4. Download and install certificate in browser

5. Download and install CRL


3. Ok?



6. Export certificate to various formats e.g. as Grid certificate

$> openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem!!!!

This is off-putting for end users!!!

Typically not available on Windows!!!

Root access? Local sys-admin?


  • Identity management issues

    • Certificate Revocation Lists

    • When revoked? By whom? How timely?

  • Strong passwords for private keys

    • Users write them down, share them, forget them

  • Privilege Management

    • Numerous domains where never get access to local account to “do stuff”

  • User classification

    • Tinkerers vs much larger e-Research Community

      • they want services to point their browser at and point click to run things on the Grid

        • I don’t want an account on a cluster to compile/run code, I’m a biologist who wants to run BLAST on a free National Grid resource

As a result
As a result…

  • ~3500 UK e-Science certs

    • 1000 for Manchester cluster

  • But over 3 Million Athens

    accounts in UK HE/FE

  • Iceberg is not to scale!!!!

How can we improve things
How Can we Improve Things?

  • We don’t want each domain reinventing their own security solutions

  • Best to exploit local authentication

    • Sites know best if users still at institution and are best placed to state what their privileges are/should be

Introducing shibboleth
Introducing Shibboleth

  • Shibboleth (


    Shibboleth [Hebrew for an ear of corn, or a stream or flood]

    1. A word which was made the criterion by which to

    distinguish the Ephraimites from the Gileadites. The

    Ephraimites, not being able to pronounce sh, called the

    word sibboleth. See --Judges xii.

    2. Hence, the criterion, test, or watchword of a party; a

    party cry or pet phrase. ]

    • Shibboleth will replace Athens as access mgt system across UK academia

  • Federations based on trust

    • or more accurately trust but verify

    • numerous international federations exist MAMS, SWITCH, HAKA, SDSS…

Typical shibboleth scenario

4. Home site authenticates user

3.User selects their

home institution

2. Shibboleth redirects

userto W.A.Y.F. service


  • User points browser at Grid resource/portal (or non-Grid resource)

Typical Shibboleth Scenario

Identity Provider


Home Institution


Service provider

5. User accesses resource



Grid resource

/ portal

It s a start but
It’s a start, but…

  • Benefit from local authentication but really want finer grained control…

    • I know you have authenticated, but I need to know that you have sufficient/correct privileges to access my VO resources

    • can also return various other information needed to support authorisation decisions

Authorization technologies
Authorization Technologies

  • Various technologies for authorization including

    • PERMIS

      • PrivilEge and Role Management Infrastructure Standards Validation


    • Community Authorisation Service


    • AKENTI

      • http://www-itg.lbl.giv/security/akenti

    • CARDEA


    • VOMS


  • At NeSC we have been working extensively with PERMIS

Role based access controls
Role Based Access Controls

  • Basic idea is to define:

    • roles applicable to specific VO

      • roles often hierarchical

        • Role X ≥ Role Y ≥ Role Z

        • Manager can do everything (and more) than an employee can do who can do everything (and more) than a trainee can do

    • actions allowed/not allowed for VO members

    • resources comprising VO infrastructure (computers, data resources etc)

  • A policy then consists of sets of these rules

    • { Role x Action x Target }

      • Can user with VO role X invoke service Y on resource Z?

    • Policy itself can be represented in many ways, e.g. XML, XACML, …

  • Tools available for policy editing, associating users with roles, signing policies etc

    • Policies stored as attribute certificates in LDAP server

      • (New tools/wizards presented at OGF18 Washington)

  • Finer grained shibboleth scenario

    4. Home site authenticates user and

    pushes attributes totheservice provider

    3.User selects their

    home institution

    2. Shibboleth redirects

    userto W.A.Y.F. service


    1. User points browser at Grid resource/portal

    Finer Grained Shibboleth Scenario

    Identity Provider

    Service provider




    Home Institution

    6. Make final AuthZ decision


    Grid Application

    5. Pass authentication info and

    attributestoauthZ function



    Grid Portal

    Ok but
    Ok, but…

    • I can do authorisation but I want single-sign on to lots of distributed resources across different organisations (aka Virtual Organisations in Grid speak)

      • Browser allows to keep session information so can access other resources without signing in again

        • Provided authorisation information valid for different service providers

          • Each service provider completely autonomous

        • Can configure attribute release/attribute acceptance policies per identity provider/service provider

    Bridges project
    BRIDGES Project

    • More later

    GEMEPS Project

    • More later

    VOTES Project

    • More later

    Dyvose project
    DyVOSE Project

    • Dynamic Virtual Organisations for e-Science Education (DyVOSE) project

      • Two year project (£289k) started 1st May 2004 funded by JISC

      • Exploring advanced authorisation infrastructures for security

        • … in Grid Computing Module as part of advanced MSc at Glasgow

          • providing insight into rolling Grid out to the masses!

    Putting the dy in dyvose

    Glasgow SoA

    using Glasgow DIS

    to issue Edin. roles

    Edinburgh SoA

    using Glasgow DIS

    to issue Edin. roles

    ACs created

    for Edin.


    Putting the “Dy” in DyVOSE

    • Dynamic PMI Case Study







    VO policies



    VO policies

    PERMIS based Authorisation checks/decisions


    + Protein






    Grid BLAST



    data input


    by Students


    data returned based

    on student team role

    Grid-data Client

    Security related projects
    Security Related Projects

    • GLASS

      • JISC funded started March 2006

        • Exploring early adoption of Shibboleth

          • Working with Computer Services directly

        • Scenarios based upon teaching and access to NHS resources/data

          • Includes brain trauma (interest to neuro-folk/CARMEN?)

        • Builds upon university wide unified account management system being rolled out (based on Novell nSure technology)

    • ESP-Grid

      • JISC/Oxford University funded

        • Developed demonstrator to show how Grid resources can be accessed and used via Shibboleth technology

    • Grid Security Report

      • JISC/JCSR funded

        • Focus on Grid security practices, middleware and outlook

    • Grid meets Geographical Information Systems

      • JISC funded with focus on Shibboleth access to GIS data resources

    Grid enabled occupational data environment geode
    Grid Enabled Occupational Data Environment (GEODE)

    • GEODE

      • Funded by ESRC lead by University of Stirling

        • Two year project aiming to develop Grid enabled portal for occupational data

          • includes integration of various existing classification schemes

      • More later!

    Grid enabling biomedical pathway simulator
    Grid Enabling Biomedical Pathway Simulator

    • To extend software from DTI funding BPS project to benefit from the Grid

      • Biochemical differential equation solver

      • Parameter searches

      • Security aspects important

    Scottish bioinformatics research network
    Scottish Bioinformatics Research Network

    • Four year proposal (£2.4M) started February 2006

      • Funded by Scottish Enterprise, Scottish Higher Education Funding Council, Scottish Executive Environment and Rural Affairs Department

        • Involves Glasgow, Dundee, Edinburgh, Scottish Bioinformatics Forum

      • Aim to provide bioinformatics infrastructure for Scottish health, agriculture and industry

        • Infrastructure support at Dundee, Edinburgh and Glasgow to support first-rate research in bioinformatics at each academic institute

        • Infrastructure support at three institutes, to support inter-institutional sharing of compute and data resources through application of Grid computing

        • Outreach and training activities mediated by the Scottish Bioinformatics Forum

    Scottish family health study
    Scottish Family Health Study

    • Five (2+3) year proposal (£4.6M) started January 2006

      • Funded by Health Department and Department for Enterprise and Lifelong Learning

        • Involves Glasgow, Dundee, Edinburgh, Aberdeen

          • focus of genetics as applied to healthcare

          • first two years emphasis on providing a platform for research into the genetic basis of common complex diseases in Scotland

            • Mental health, cardiovascular, …

            • Plan to establish 15,000 family-based intensively-phenotyped cohort recruited from the East and West of Scotland

          • basis for neutralising heritable (genetic) risk factors in disease surveillance, treatment optimisation, avoidance of adverse drug events and prediction of response to therapy, health care planning and drug discovery, …

    Meeting the Design Challenge of nanoCMOS Electronics

    £5.3M EPSRC Pilot – kicks off next week

    Toshiba 04

    Device diversification

    90nm: HP, LOP, LSTP

    45nm: UTB SOI

    32nm: Double gate

    4-year project with lots of international visibility

    Current efforts
    Current Efforts

    • AHRC Grant proposals

      • Performance Arts

      • Scottish Language and Literature

    • OMII proposals

      • Visualisation service

    • Scottish Enterprise

      • Production level clinical e-Infrastructure for Scotland

    • Wellcome Trust

      • Grid based biomedical visualisation infrastructure

    • EPSRC

      • Grid based brain trauma co-ordination with China

        • Links to CARMEN

      • Construction Industry and Grids

    • JISC

      • MANY bids on-going in e-Infrastructure, e-Repositories, … areas

    • And of course the Scottish Grid Service…


    • There are more opportunities than can be followed up

    • All funding councils, DTI, JISC, Europe FW7, international calls

      • How long for…?

      • Often difficult to get the first grant…?

      • More than happy to work with folk…?