MGRID Architecture - Citi - University of Michigan

MGRID ArchitectureAndy AdamsonCenter for Information Technology IntegrationUniversity of Michigan, USA

MGRID• Globus software provides secure PKI basedcross realm scheduling of resources• Historically used extensively in largescientific research projects – mainly toschedule CPU cycles and associated data• Complicated software to install and manage• Now being used to schedule and manage thenetwork, scientific instruments, etc

MGRID• Integrate existing University Grid efforts• Add fine-grained authorization• Use existing University security, group, anddirectory services• Ease of use• Create a generalized Grid service• Provide production Grid services

Existing U of M Services• Uniqname– Unique campus wide user name to UID• Kerberos V5 (multiple cells)• KX509• LDAP Directory and Group Services

MGRID ArchitectureBrowserMGRIDPortalGridResourceComputeClusterGridResourceNetwork Reservationor TestingGridResourceData Movement

MGRID Architecture• Secure access to resources• The ease of user requirement => the Web• Use existing University security service;Kerberos• kx509 translates Kerberos credentials intoX509 credentials understood by browsersand web servers

MGRID Architecture• On workstation– kinit to obtain Kerberos credentials– kx509 to obtain user X509 credentials– libpkcs11 makes kx509 credentials available tothe browser• https://www.mgrid.umich.edu/– SSL with required mutual authentication; bothuser and portal have X509 credentials

MGRID Portal• Ease of use for U of M faculty, staff, andstudents– Kerberos + kx509 + browser = Grid access• Hides complexity from user• Creates user proxy kx509 credentials ORruns MyProxy to access X509 credentialsissued by other institutions• Single entry point for Grid resources

MGRID Portal• Single point for PKI management– CA self-signed keys– CA policy files• User presented with CHEF (soon to beSAKAI) portal environment– Gathers inputs, and runs the Globus client– Individual or Organizational presentation– Easily extensible

Fine Grained Authorization• Policy based software• Policy engine makes authorization decision– Input are matchedagainst resource specific policy rules– Input attribute names are matched to policyattribute names by a string compare

Fine Grained Authorization• Attributes include– User identity– Group membership– Resource request parameters: network bandwidth,number of CPU's, amount of file system space,etc– Environment parameters: time of day, CPU load,network utilization, etc

Authorization Implementation• XACML– LDAP stores policy– Can utilize existing users & groups– Enables cross realm authorization by allowinginjection of remote group names into policy rules• WALDEN– Built on top of XACML– Replaces flat file access control at gatekeeper

MGRID ArchitectureMGRID PortalApachemod sslmod kctmod kx509mod phpmod jkTomcat CHEFWALDENAuthorization4Kerberos5GSI6SASL8SSL – Client Certificate required3Kerberos V5KCTKCAKDCGrid ResourceGateKeeperResource MngResource2Kerberos1SASL7User WorkstationBrowserlibpkcs11kx509kinitWALDENAuthorization

SeRIF• Secure Remote Invocation Framework– Packaging of an MGRID service• We have extended a Globus service (GARA)to enable the scheduling of arbitraryprograms via the Grid– local scheduler can initialize;run and stop;cleanup– job status and output redirection– fine grained authorization at resource

SeRIF• Very easy to run an new executable viaSeRIF– Add a new MGRID portal page to collectparameters– Add runtime and cleanup executable locations toconfiguration file on SeRIF Resource manager• Currently used by NTAP– Can easily add network testing capabilities

MGRID Futures• New SeRIF services– Configuration of Network QoS, Lamda paths– Scheduling of video conferences• Meta Scheduling (MARS)– Choosing between available similar services– Scheduling multiple services such as CPU andNetwork QoS

MGRID ArchitectureBrowserMGRIDPortalMeta Scheduler (MARS)GridResourceComputeClusterGridResourceNetwork Reservationor TestingGridResourceData Movement

MGRIDQuestions?PortalSecurityMGRIDSchedulingData &Resources