Virtual User System for Globus based grids. Norbert Meyer, Paweł Wolniewicz, Michał Jankowski - Poznan Supercomputing and Networking Center. Motivation. Ease management of user accounts in a Globus based grids We expect many virtual organizations with hundreds or even thousands of users
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Virtual User System for Globus based grids Norbert Meyer, Paweł Wolniewicz, Michał Jankowski - Poznan Supercomputing and Networking Center
Motivation • Ease management of user accounts in a Globus based grids • We expect many virtual organizations with hundreds or even thousands of users • Maintaining personal user accounts on dozens of nodes becomes impossible • Grid-mapfile requires too much administration time • static accounts are not appropriate for dynamic VOs • Enable fine-grain and flexible authorization • Need for combining security policies of VO and resource owners • Reusing already implemented authorization services and mechanisms • Enable accounting and tracking user activities • This is crucial for production grids shared between many institutions • Guest or anonymous accounts are insufficient • No mechanism for gathering accounting data from multiple nodes
Virtual User System • VUS is an extension of the system that runs users' jobs that allows running jobs without having an user account on a node. The user is authenticated, authorized and then logged on a 'virtual' account (one user per one account at the time). The history of user-account mapping is stored, so that accounting and tracking user activities is possible. • The first implementation was an extension to queuing systems and it was successfully exploited 3 years ago in the Polish national cluster • The current VUS adopts the above idea for grid environment and allows VO-based authorization. Technically it is a Globus 'gridmap callout' and it has been implemented from scratch.
gridmap file banned file vo-prefix-map file Virtual Organization Information System (VOIS) Resource Access Decision (RAD) Grid Authorization Service (GAS) Authorization plugins
Clusterix Clusterix TUC Cyfronet PSNC TUC Cyfronet PSNC scientists operators programmers staff Lab_users Scientists operators programmers staff Lab_users Grid Node guests common power login: login: login: login: login: login: login: login: login: login: login: VOIS Authorization - Example VO hierarchy VO admins security policy Account groups Node admin security policy
VOIS Authorization -Advantages • Fine-grain: • combined security policies of VO and resource owner (grid node administrator) • VO may express differences by groups of its users by defining hierarchy of sub-VOs • the above differentiation may be reflected by the resource owner by mapping sub-VOs to different account groups with different rights • additional, resource-specific policies may be implemented as Globus GRAM callout that uses VUS database and mechanisms. • Effective: • distributed - scalable • caching mechanisms implemented • Little administrative support: • grid node administrator configures the access on VO level rather than on single user level • VO administrator manages his own users • in case of big VOs the user management may be delegated down the hierarchy
Accounting -Functionality • Possibility of storing standard and non-standard resource usage information (resource types are user defined) • Standard resource usage stored automatically • Cost computing based on price list • Access to the accounting data in different roles: user, resource owner, organization manager • Information on single user available despite lack of (personal) user accounts on Grid Nodes • Cyclic summarizing atomic accounting data on the Grid Node
References • K.Keahey, V.Welch, S.Lang, B.Liu, S.Meder Fine-Grain Authorization Policies in the GRID: Design and Implementation 1st International Workshop on Middleware for Grid Computing, 2003. • L.Pearlman, V.Welch, I.Foster, C.Kesselman, S.TueckeA Community Authorization Service for Group Collaboration, Proceedings of the IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, 2002. • K.Keahey, M.Ripeanu, K.Doering Dynamic Creation and Management of Runtime Environments in the Grid, Workshop on Designing and Building Grid Services, GGF-9, October 8, 2003. • W.Dymaczewski, N.Meyer, M.Stroiński, P.Wolniewicz Virtual User Account System for distributed batch processing • M.Lawenda, N.Meyer, M.Stroiński, P.Wolniewicz Managing User Accounts in an Open Network Environment
Thank you! http://vus.psnc.pl firstname.lastname@example.org email@example.com firstname.lastname@example.org