
CNGrid Middleware GOSv2

Yongjian Wang, BUAA – Beijing, China. Interoperability workshop of euchinagrid, Beijing, 12-14 June 2006.


Presentation Transcript


  1. CNGrid Middleware GOSv2
  Yongjian Wang, BUAA – Beijing, China
  Interoperability workshop of euchinagrid, Beijing, 12-14 June 2006

  2. Outline
  • Brief introduction to GOSv2
  • Overall architecture of GOSv2
  • Core Level Services
  • System/Application Level Services

  3. Brief introduction to GOSv2

  4. Outline: Brief introduction of GOSv2
  • Background
  • Goals
  • Research

  5. Background of GOSv2
  • Grid-related research in China began in 1999
  • Part of the Grid Software program supported by the 863 program of the China Ministry of Science and Technology between 2002 and 2005

  6. Goals of GOSv2
  • Support multiple geographically distributed grid nodes, such as supercomputing centers across China
  • Provide a sharing mechanism and framework for computing, data, software and combined resources
  • Provide secure, uniform and friendly interfaces for accessing scientific computing and information services

  7. Research
  • Focus on 4 key issues to satisfy common requirements:
    • Naming mechanism
    • Process or state maintenance
    • Virtual organization
    • Programming model
  • Focus on implementing architecture, not protocols or services
  • Use a computer system approach, not a middleware or network approach
  • Use the Service Oriented Architecture concept

  8. Overall Architecture of GOSv2

  9. Outline: Overall architecture of GOSv2
  • GOSv2 architecture
  • EVP address spaces
    • Effective address space
    • Physical address space
    • Virtual address space
  • Security mechanism

  10. GOSv2 Overall Architecture

  11. GOSv2 Architecture

  12. EVP address space

  13. EVP address spaces
  EVP provides three separate naming spaces:
  • Effective address space
    • The effective address space is used to logically categorize services
    • Example of an effective address: eres://agora1:metaservice
    • All addresses in this space carry the prefix eres, which is short for effective address
  • Physical address space
    • The physical address space is used to actually identify physical services
    • The format of a physical address is a normal URL, for example: http://159.226.49.53:8080/axis/services/MonitorService
  • Virtual address space
    • The virtual address space is used to map effective addresses to physical addresses
    • Virtual addresses are used inside the GOSv2 environment and start with the prefix vres://
  • Physical resources can enter or exit dynamically because the effective and virtual addresses hide the differences.

  14. EVP address spaces

  15. Security Mechanism in GOSv2

  16. Terms in use
  • User certificate
    • X.509 certificate signed by the CNGrid CA
  • User proxy certificate
    • A user proxy certificate is usually a session certificate with a short lifetime.
    • X.509 proxy certificate signed by the user, delegating all or part of its owner's authority
    • The motivation for the user proxy certificate is single login
  • SAML authorization token
    • The SAML token contains attribute entries as a description of the authorization
  • GOSContext
    • Java object containing the user proxy certificate and the assertion token

  17. Features of security mechanism
  • Transport layer: SSL/TLS specification
  • Message layer: WS-Security specification

  18. Axis handler chains mechanism
  • Axis handler chains adopt the chain of responsibility design pattern.
    • Divide a whole function such as security into a chain of small portions
    • Every portion implements a different sub-function
    • Portions have no relationships among one another
  • Based on the Axis handler chains mechanism:
    • Adding a new function or removing an old one is very easy
    • The security mechanism does not intrude into the concrete application
    • A Grip application can use or not use the security mechanism just by modifying the configuration file.

  19. Security handlers in GOSv2
  • SignHandler: signs the body of the SOAP message and adds the WS-Security SOAP header
  • AddHandler: adds the GOSContext object as a SOAP attachment
  • WSSecurityHandler: verifies the WS-Security SOAP header
  • GetAttachmentsHandler: gets the GOSContext object from the attachment of the SOAP message
  • VerifyCertsHandler: verifies the user certificate contained in the GOSContext
  • VerifyTokenHandler: verifies the token contained in the GOSContext
  • ACHandler: access control operation based on different policies

  20. Security Handler Chain

  21. Authentication & Authorization
  • Authentication
    • Agora service
      • Provides resource management, user management and so on
      • Converts username and password to the corresponding proxy and token
  • Authorization
    • SAML authorization token
      • Subject
        • Requester Agora information
        • Requester role information on the Agora server
        • DN of the requester
      • Action
        • Operations of the requested service
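As an added illustration of slides 18 to 21 (this is not GOSv2 code, which is Java on Axis), the handler chain below is modelled in Python. Each handler is a callable that receives the message, either passes it on or raises a fault, and knows nothing about the others, which is the chain-of-responsibility property the slides rely on. Assumptions that are mine rather than the slides': a SOAP message is a dict, the X.509/WS-Security XML signature is stood in for by an HMAC over the body, the proxy certificate and SAML token are dicts holding only the fields checked, and the clock is injected so the short-lifetime check on the proxy certificate can be exercised.

```python
import hashlib
import hmac

# Assumptions, not taken from the slides: a SOAP message is a dict, the
# X.509/WS-Security XML signature is stood in for by an HMAC over the body, and
# the proxy certificate and SAML token are dicts with only the fields checked here.

class SecurityFault(Exception):
    """Raised by a handler to stop the chain (a SOAP fault in Axis)."""

def run_chain(handlers, msg):
    """Chain of responsibility: each handler gets the message in turn and either
    returns it (possibly modified) or raises SecurityFault, which ends the chain."""
    for handler in handlers:
        msg = handler(msg)
    return msg

def _signature(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

# ---- client-side handlers (request chain) ----
def sign_handler(key):
    def handler(msg):  # sign the SOAP body, add the ws-security header
        msg.setdefault("header", {})["wsse:Signature"] = _signature(key, msg["body"])
        return msg
    return handler

def add_handler(context):
    def handler(msg):  # attach the GOSContext as a SOAP attachment
        msg.setdefault("attachments", {})["GOSContext"] = context
        return msg
    return handler

# ---- server-side handlers, in chain order ----
def ws_security_handler(key):
    def handler(msg):  # verify the ws-security header against the body received
        given = msg.get("header", {}).get("wsse:Signature", "")
        if not hmac.compare_digest(_signature(key, msg["body"]), given):
            raise SecurityFault("ws-security signature does not match body")
        return msg
    return handler

def get_attachments_handler(msg):  # pull the GOSContext out for the later handlers
    context = msg.get("attachments", {}).get("GOSContext")
    if context is None:
        raise SecurityFault("GOSContext attachment missing")
    msg["context"] = context
    return msg

def verify_certs_handler(trusted_ca, now):
    def handler(msg):  # proxy certificate: trusted issuer and still within its lifetime
        cert = msg["context"]["proxy_cert"]
        if cert["ca"] != trusted_ca:
            raise SecurityFault("proxy certificate not issued under the trusted CA")
        if now() >= cert["not_after"]:
            raise SecurityFault("proxy certificate expired")
        return msg
    return handler

def verify_token_handler(msg):  # bind the SAML token to the certificate holder
    ctx = msg["context"]
    if ctx["token"]["subject"]["dn"] != ctx["proxy_cert"]["subject_dn"]:
        raise SecurityFault("token subject does not match certificate DN")
    return msg

def ac_handler(policy):
    def handler(msg):  # access control: token actions and role policy must both allow it
        token, action = msg["context"]["token"], msg["action"]
        role = token["subject"]["role"]
        if action not in token["actions"] or action not in policy.get(role, set()):
            raise SecurityFault(f"role {role!r} may not perform {action!r}")
        return msg
    return handler

def sample_context(not_after, role="user", actions=("submitJob",)):
    """Constructed GOSContext: proxy certificate plus SAML-style token."""
    dn = "CN=alice,O=CNGrid"
    return {"proxy_cert": {"subject_dn": dn, "ca": "CNGrid CA", "not_after": not_after},
            "token": {"subject": {"dn": dn, "agora": "agora1", "role": role},
                      "actions": set(actions)}}

def process(msg, context, key, policy, now, tamper=None):
    """Send a request through the client chain, optionally alter it in transit,
    then run the server chain; returns 'accepted' or the rejecting fault."""
    client = [sign_handler(key), add_handler(context)]
    server = [ws_security_handler(key), get_attachments_handler,
              verify_certs_handler("CNGrid CA", now), verify_token_handler, ac_handler(policy)]
    msg = run_chain(client, dict(msg))
    if tamper:
        tamper(msg)
    try:
        run_chain(server, msg)
        return "accepted"
    except SecurityFault as fault:
        return f"rejected: {fault}"
```

The server-side order is the one the slides list and it matters: the signature is checked before anything in the attachment is trusted, the certificate before the token that names it, and access control last, when identity and role are already established. A `tamper` callback that rewrites the body or strips the attachment shows which handler in the chain rejects the message.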

  22. Security mechanism

  23. Core Level Services of GOSv2

  24. Outline: Core Level Services
  • Agora Service
    • User Management Service
    • Resource Management Service
    • Security authentication and authorization
  • Grip Service
    • Grip Container
    • Grip Struct
  • Router Service
    • Overlay network approach for resource management and locating
  • Resource discovery in GOSv2

  25. Agora Service

  26. GOSv2 Architecture

  27. Functions of Agora Service
  • Role-based grid user management
    • Both external and internal user names
    • Proxy certificate management
  • Service-oriented resource management
    • Mapping effective resources to virtual resources
    • Currently using a random resource selection algorithm
  • Token-based authorization and access control management
    • Multi-granularity
    • SAML-based and decoupled

  28. Architecture of Agora Service

  29. Grip Service

  30. GOSv2 Architecture

  31. Grip Service
  Grip Service maintains state information for the end user.
  • Grip Container: exposed as a Web Service
  • Grip Struct: used to invoke different physical services on behalf of the end user; used to access the underlying physical service

  32. Grip Service

  33. Router Service

  34. GOSv2 Architecture

  35. Router Service
  Router Service is used to convert virtual addresses to physical addresses.
  • Maintains the local virtual-resource-to-physical-resource mapping relationships
  • Communicates with neighbor routers to form a global view of all the deployed router services; service locating is achieved in this way.

  36. Router Service
  Different routers form an application-level virtual network to exchange V-P mapping information

  37. Router Scenario- Link

  38. Router Scenario- Neighbor Update

  39. Router Scenario- search

  40. How to discover resources in GOSv2
  Resource discovery in GOSv2 consists of the following steps:
  • Find the effective address of the resource
  • Convert the effective address into a virtual address
  • Convert the virtual address into a physical address
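The following added example (my code, not part of the GOSv2 project) walks the three-step resolution of slide 40 over the address spaces of slide 13: the Agora maps an effective address to one of its registered virtual resources by random selection (slide 27), and the Router resolves the virtual address from its local V-P table or, failing that, by asking neighbour routers in the overlay (slides 35 and 36). Assumptions that are mine: the effective address form eres://<agora>:<service>, the virtual address form vres://<agora>/<service>/<n>, the breadth-first bounded-hop search among routers, and every hostname in the constructed deployment.

```python
import random
from collections import deque

# Assumptions, not taken from the slides: an effective address has the form
# eres://<agora>:<service>, a virtual address the form vres://<agora>/<service>/<n>,
# and a physical address is an ordinary URL. All hostnames below are constructed.

def parse_address(addr):
    """Classify an address into its EVP space; returns (space, body)."""
    for prefix, space in (("eres://", "effective"), ("vres://", "virtual")):
        if addr.startswith(prefix):
            return space, addr[len(prefix):]
    if addr.startswith(("http://", "https://")):
        return "physical", addr
    raise ValueError(f"address is in no EVP space: {addr}")

class Agora:
    """Agora service: maps an effective address to one of the virtual resources
    registered under it, using random selection as slide 27 describes."""
    def __init__(self, name, rng=None):
        self.name, self.rng, self.e2v = name, rng or random.Random(), {}

    def register(self, effective, virtual):
        if parse_address(effective)[0] != "effective" or parse_address(virtual)[0] != "virtual":
            raise ValueError("register takes an eres:// and a vres:// address")
        self.e2v.setdefault(effective, []).append(virtual)

    def to_virtual(self, effective):
        _, body = parse_address(effective)
        if body.split(":", 1)[0] != self.name:
            raise LookupError(f"{effective} belongs to another agora")
        candidates = self.e2v.get(effective)
        if not candidates:
            raise LookupError(f"no virtual resource registered for {effective}")
        return self.rng.choice(candidates)

class Router:
    """Router service: a local V-P table plus neighbour routers, which are asked
    (breadth-first, bounded by hop count) when the address is not known locally."""
    def __init__(self, name):
        self.name, self.v2p, self.neighbors = name, {}, []

    def link(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def to_physical(self, virtual, max_hops=3):
        """Returns (physical address, hops); the visited set stops cycles in the overlay."""
        if parse_address(virtual)[0] != "virtual":
            raise ValueError(f"not a virtual address: {virtual}")
        queue, seen = deque([(self, 0)]), {self.name}
        while queue:
            router, hops = queue.popleft()
            if virtual in router.v2p:
                return router.v2p[virtual], hops
            if hops < max_hops:
                for neighbor in router.neighbors:
                    if neighbor.name not in seen:
                        seen.add(neighbor.name)
                        queue.append((neighbor, hops + 1))
        raise LookupError(f"{virtual} not reachable within {max_hops} hops")

def discover(effective, agora, router):
    """The three steps of slide 40: effective -> virtual -> physical."""
    virtual = agora.to_virtual(effective)
    physical, hops = router.to_physical(virtual)
    return virtual, physical, hops

def build_demo(seed=7):
    """Constructed deployment: one agora and three routers linked r1 - r2 - r3."""
    agora = Agora("agora1", random.Random(seed))
    r1, r2, r3 = Router("r1"), Router("r2"), Router("r3")
    r1.link(r2)
    r2.link(r3)
    agora.register("eres://agora1:metaservice", "vres://agora1/metaservice/1")
    agora.register("eres://agora1:metaservice", "vres://agora1/metaservice/2")
    agora.register("eres://agora1:monitor", "vres://agora1/monitor/1")
    r1.v2p["vres://agora1/metaservice/1"] = "http://node-a.example:8080/axis/services/MetaService"
    r3.v2p["vres://agora1/metaservice/2"] = "http://node-c.example:8080/axis/services/MetaService"
    r2.v2p["vres://agora1/monitor/1"] = "http://node-b.example:8080/axis/services/MonitorService"
    return agora, r1
```

Because two virtual resources are registered for the metaservice, repeated calls to `discover("eres://agora1:metaservice", ...)` can land on either physical endpoint, which is what lets a physical resource be taken out of the V-P table without the effective address changing; the hop bound keeps an unresolvable virtual address from flooding the whole overlay.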

  41. System/Application Level Services

  42. Outline: System/Application Level Services
  • GFI (Grid File Infrastructure)
    • Meta service: provides a logically global user file space
    • Data service: distributed file storage; files transferred using SOAP messages
  • Grid Batch System
    • Uses Grip and GFI to support global file stage-in/out
    • Uses a simple batch driver to connect to local batch systems such as OpenPBS, LSF etc.
  • Grid Batch Accounting System

  43. Meta Service

  44. GOSv2 Architecture

  45. Functions of meta service
  • Name mapping on grid files: effective name, virtual name, physical name

  46. Functions of Meta Service (cont.)
  • Maintain global file information
  • Maintain file access permission information
  • Cooperate with the Authorization Authority in the Agora service for file access authorization
  • User quota management

  47. Meta Service - Operations

  48. Data Service

  49. GOSv2 Architecture

  50. Functions of Data Service
  • Map user identification to a local file directory
    • Different users correspond to different local file directories
  • Store user files in the local file system
  • Transfer files (download/upload) by servlet
  • Form a distributed, uniform user file storage space
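An added example of the per-user directory mapping on slide 50 (my code, not the GOSv2 data service): each user identification gets its own directory under one local root, and the upload and download paths a servlet would receive are resolved inside that directory. Assumptions that are mine: the user identification is the certificate DN, the directory name is a hash of the DN so that no DN character becomes a path component, and the check that a resolved path stays inside the user's directory is an addition the slides do not mention.

```python
import hashlib
import os
import tempfile

# Assumptions, not taken from the slides: the user identification is the
# certificate DN, and the per-user directory name is derived from a hash of
# the DN so that no DN character reaches the file system as a path component.

class DataService:
    """Per-user file storage under one local root directory."""
    def __init__(self, root):
        self.root = os.path.realpath(root)

    def user_dir(self, dn):
        """Map a user identification to its own local directory, created on first use."""
        name = hashlib.sha256(dn.encode()).hexdigest()[:32]
        path = os.path.join(self.root, name)
        os.makedirs(path, exist_ok=True)
        return path

    def _resolve(self, dn, relpath):
        """Resolve a user-supplied relative path and refuse one that leaves the user's
        directory (this containment check is an addition, not from the slides)."""
        base = self.user_dir(dn)
        target = os.path.realpath(os.path.join(base, relpath))
        if os.path.commonpath([base, target]) != base:
            raise PermissionError(f"{relpath!r} is outside the user's directory")
        return target

    def upload(self, dn, relpath, data):
        """Servlet-side upload: write the bytes into the user's directory."""
        target = self._resolve(dn, relpath)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(data)
        return os.path.relpath(target, self.root)

    def download(self, dn, relpath):
        """Servlet-side download: read the bytes back from the user's directory."""
        with open(self._resolve(dn, relpath), "rb") as f:
            return f.read()

def demo():
    """Constructed run in a temporary root: two users, same relative file name."""
    with tempfile.TemporaryDirectory() as root:
        ds = DataService(root)
        alice, bob = "CN=alice,O=CNGrid", "CN=bob,O=CNGrid"
        ds.upload(alice, "results/run1.out", b"alice's output")
        ds.upload(bob, "results/run1.out", b"bob's output")
        isolated = ds.download(alice, "results/run1.out") != ds.download(bob, "results/run1.out")
        try:  # a relative path that points into bob's directory is refused for alice
            ds.download(alice, os.path.join("..", os.path.basename(ds.user_dir(bob)), "results", "run1.out"))
            escape_refused = False
        except PermissionError:
            escape_refused = True
        return isolated, escape_refused
```

Two users uploading the same relative name get two different files, which is the "different users correspond to different local file directories" property; resolving with `realpath` before the containment comparison is what makes the check hold for `..` segments and symbolic links alike.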
