
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services. Authorizing Grid Resource Access and Consumption. Erik Elmroth, Michał Jankowski, Norbert Meyer. WP 5.4. 3rd CoreGRID Workshop on Grid Middleware, Barcelona, June 5-6, 2008. Outline. Introduction


Presentation Transcript


  1. CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services
     Authorizing Grid Resource Access and Consumption
     Erik Elmroth, Michał Jankowski, Norbert Meyer
     WP 5.4
     3rd CoreGRID Workshop on Grid Middleware, Barcelona, June 5-6, 2008

  2. Outline
     • Introduction
     • Authorizing resource access
     • Authorizing resource consumption
     • Existing technologies
     • VUS – SGAS integration
     • Limitations and future extensions
     • Conclusions

  3. Introduction
     • Authorization of grid resource usage includes authorization of:
        • resource access
        • resource consumption
     • Due to the distributed nature of grids (at both the physical and the administrative level), authorization is complex
     • These issues are well addressed at the local cluster level
     • In most modern grids at least one of the above tasks is neglected
     • Security (access control) and economy (limiting resource usage) are receiving more and more attention

  4. Authorizing resource access - problems
     • Authentication
     • Fine-grained authorization (maximum security for resources with minimum limitations to the users)
     • Effective and scalable user management (delegation of some administrative privileges and work from node administrator to VO)
     • Combined security policies of VO and resource owner
     • Privilege enforcement (mapping a global user, identified by certificate, to a local virtual environment)
     • Isolation of user tasks
     • Possibility of logging user activities for accounting and audit

  5. Authorizing resource consumption - problems
     • Authorization based on the user's ability to pay for the usage:
        • pre-allocation (quota) – academic environment
        • real ability to pay – commercial solutions
     • Types of grid economy:
        • real or virtual money
        • static or dynamic pricing
        • price negotiation before running a job, or analysis of the fraction of resource utilization during the computation
     • Limiting the size of the job (number of processors, memory, time), possibly depending on user privileges

  6. Combining the two types of authorization
     • There is a need for both types of authorization, often to be used in parallel
     • The authorization patterns may vary significantly depending on the use scenario
     • Combinations of small, separate components, designed for use in concert, are solutions for different scenarios
     • The components should be implemented in accordance with the fundamentals of Service Oriented Architectures (SOA) in general and the grid eco-system approach in particular

  7. Virtual User System - Motivation
     • Ease management of user accounts in grids
        • Many virtual organizations with hundreds or even thousands of users
        • Maintaining personal user accounts is impossible
        • Grid-mapfile requires too much administration time
        • Static accounts are not appropriate for dynamic VOs
     • Enable fine-grained and flexible authorization
        • Need for combining security policies of VO and resource owners
        • Reusing already implemented authorization services and mechanisms
     • Enable accounting and tracking user activities
        • This is crucial for production grids shared between many institutions
        • Guest or anonymous accounts are insufficient

  8. Virtual User System - Architecture
     [Architecture diagram; labels: VO, Job Submit Service, Computing Site, Resource Broker, session, resource usage, Accounts Pool, security logs, login:]
     • Extension of a Job Submit Service
     • The user is authenticated, authorized and then logged on to a 'virtual' account
     • The history of user-account mapping is stored, so that accounting and tracking user activities is possible

  9. SweGrid Accounting System Motivation
     • Soft real-time allocation enforcement based on resource usage collected from existing site schedulers (easy integration with existing software, no intrusion into local accounting systems)
     • Coordinated quota management across all clusters
     • Uniform usage retrieval (GGF Usage Records)
     • Policy negotiation and customization between user, resource manager and allocation authority
     • Use of state-of-the-art Web and Grid technologies
     • Fine-grained resource control based on the cost of used resources

  10. SweGrid Accounting System Architecture
     [Architecture diagram; labels: Computing Site, Resource Broker, Job Submit Service, VO, Job Manager, JARM, SGAS Bank, LRMS, LUTS]
     • Set of tools (services) for capacity allocation between user groups
     • Coordinates the enforcement of grid-wide usage limits
     • The usage limits are expressed by the Bank account balance

  11. Architecture of the Approach
     [Architecture diagram; labels: Computing Site, Job Submit Service, VO, Access authorization, VUS, VOMS, plugin 1, plugin 2, …, plugin n, Resource Broker, jobs, VUS database, SGAS Bank, Job Manager, JARM, LRMS, LUTS]

  12. Limitations and future extensions
     • Distributed SGAS LUTS for large Grids
     • Hierarchical Virtual Organizations
     • Hierarchical bank accounts
     • Synchronization of the authorization between the broker and the computing site

  13. Conclusions
     • Novel approach to Grid job authorization, combining established technologies:
        • dynamically assigning virtual user accounts to grid users (VUS)
        • grid-wide accounting and resource allocation enforcement (SGAS)
     • Concerted authorization for resource access and resource consumption
     • The proposed solution leaves the resource owner with ultimate control over the resource
     • The solution is highly flexible and allows for policy customization

  14. Thank You!
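
The two-stage decision described on slides 8 to 11 and 13, as an added conceptual sketch in Python; it is not VUS or SGAS code and uses none of their interfaces. All names (`Site`, `submit`, `finish`, the two plugins, the sample DNs and account names) are hypothetical, and holding the estimated cost at submission and charging measured usage afterwards is an assumption of this sketch.

```python
from dataclasses import dataclass, field

class Denied(Exception):
    """Either authorization stage rejected the job."""

def vo_member(user):        # VO policy plugin (constructed)
    return "physics" in user["vos"]

def site_not_banned(user):  # resource-owner policy plugin (constructed)
    return user["dn"] != "/O=Example/CN=Banned User"

@dataclass
class Site:
    plugins: list   # access-authorization plugins; all must agree
    pool: list      # free local accounts from the accounts pool
    balance: dict   # bank account balance per VO, in credits
    holds: dict = field(default_factory=dict)    # job_id -> (vo, credits)
    history: list = field(default_factory=list)  # (job_id, dn, account)

    def submit(self, job_id, user, vo, est_cost):
        # Stage 1: resource access.
        for plugin in self.plugins:
            if not plugin(user):
                raise Denied(f"access: {plugin.__name__}")
        # Stage 2: resource consumption, against balance minus open holds.
        held = sum(c for v, c in self.holds.values() if v == vo)
        if self.balance.get(vo, 0) - held < est_cost:
            raise Denied("consumption: insufficient balance")
        if not self.pool:
            raise Denied("access: accounts pool exhausted")
        account = self.pool.pop(0)
        self.holds[job_id] = (vo, est_cost)
        self.history.append((job_id, user["dn"], account))
        return account

    def finish(self, job_id, account, used):
        # Charge measured usage, release the hold, recycle the account.
        vo, _ = self.holds.pop(job_id)
        self.balance[vo] -= used
        self.pool.append(account)  # the mapping stays in history for audit

def demo():
    site = Site([vo_member, site_not_banned], ["grid001", "grid002"], {"physics": 100})
    alice = {"dn": "/O=Example/CN=Alice", "vos": ["physics"]}  # constructed user
    results = [site.submit("j1", alice, "physics", 60)]
    try:
        site.submit("j2", alice, "physics", 60)  # 100 - 60 held < 60
    except Denied as exc:
        results.append(str(exc))
    site.finish("j1", results[0], used=45)
    results.append(site.submit("j3", alice, "physics", 55))
    return results, site.balance["physics"], site.history
```

Because the resource-owner plugin runs in the same chain as the VO plugin, a site-level denial overrides VO membership, and the `history` list keeps the user-to-account mapping after the pool account has been recycled.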
