

Number of slides: 43

Constructing Campus Grids: Experiences adapting myVocs to UABgrid
John-Paul Robinson, High Performance Computing Services, Office of the Vice President for Information Technology, University of Alabama at Birmingham
Internet2 Spring Member Meeting, April 2007

Overview
- UAB CyberInfrastructure
- UABgrid
- myVocs box on UABgrid
- Setting Up a VO
- Future Directions

UAB CyberInfrastructure: UAB HPC Resources
- Shared HPC Facility has 4 clusters
- Computer Science HPC Facility has 2 clusters
- UAB overall HPC computing power has been tripling on roughly a 2 year cycle during the past 4 years
- Optical networks, campus and regional
- UABgrid, a campus computing and collaboration environment

UAB HPC Resources
- IBM BlueGene/L system (most recent)
- 2 Dell Xeon 64-bit Linux clusters: 4 TB disk storage, 128 nodes, Gigabit and Infiniband interconnect
- 2 Verari Opteron 64-bit Linux clusters: 2 GB RAM per node, 64 and 32 nodes, Gigabit interconnect
- IBM Xeon 32-bit Linux cluster: 64 nodes, Gigabit interconnect

UAB 10 GigE Research Network
- Build a high bandwidth network linking UAB compute clusters
- Leverage the network for staging and managing grid-based compute jobs
- Connect directly to high-bandwidth regional networks

UABgrid
- Common interface for access to HPC infrastructure
- Leverage the UAB identity management system for consistent identity across resources
- Provide access to regional, national, and international collaborators using the Shibboleth identity framework
- Support research collaboration through autonomous virtual organizations

UABgrid Architecture
- Leverages IdM investments via InCommon
- Provides a collaboration environment for autonomous virtual organizations
- Supports integration of local, shared, and regional resources

UAB Office of the VP of IT CyberInfrastructure Vision
- 10 Gigabit Ethernet optical network links major research areas in the state
- High performance computation resources distributed across the state
- Campus grids like UABgrid provide uniform access to computational resources
- Regional grids like SURAgrid provide access to aggregate computational power and unique resources

Alabama Regional Optical Network
- Alabama RON is a very high bandwidth lambda network, operated by SLR
- Connects major research institutions across the state
- Connects Alabama to National Lambda Rail and Internet2; projected completion in 2007

Aggregating Resources
- UABgrid 2.0, powered by myVocs, to begin pilot operation Summer 2007
- Exploring grid interconnection with the Alabama Supercomputer Authority and the UA System to aggregate resources in the state
- Continuing participation in SURAgrid to aggregate resources in the region

UABgrid Background
- Project grew out of NMI Testbed participation, complemented by participation in developing SURAgrid
- Initially an integration of campus identity with grid credentials, using Pubcookie to issue certificates from the UABgrid CA
- Initial tool integration based exclusively on identity
- UABgrid CA: credentials used by grid computing courses; part of the SURAgrid Bridge CA

Limitations of the Initial Version
- No virtual organization support or other authorization attributes
- UABgrid CA key escrow limits trust
- Support for non-UAB users limited
- Inter-domain trust via a web user interface doesn't scale well

Complementary Activities
- "NMI Enabled Open Source Collaboration Tools for Virtual Organization" grant explores middleware integration (2003)
- Mailing list system integration discussions in the Internet2 Mlist working group lead to "Shibboleth Systems" insights (2004)
- myVocs.org developed as a demonstration of a Shibboleth system (2005)
- GridShib collaboration expands the system's reach to Globus-based grid resources (2006)
- myVocs box built to ease deployment (2006)

"Shibboleth System"
- A simplified, strict "federation" of one identity provider (IdP) with many resource providers reflects the trust model of traditional system environments
- Using Shibboleth for intra-system attribute transfer supports applications distributed across domain boundaries
- The system can receive outside attributes from standard Shibboleth IdP federations
- Essentially a proxy identity provider

myVocs
- Demonstration virtual organization collaboration environment at myVocs.org
- Uses Shibboleth for identity management and attribute distribution
- Leverages the wealth of open source web applications for VO collaboration tools
- Globus provides the distributed computation foundation
- GridShib binds Shibboleth and Globus for a common attribute foundation

myVocs Solves the Attribute Puzzle (diagram, built up over six slides)
- Identity Providers: IdP1, IdP2, ..., IdPn
- Univ Attributes: supplied by the identity providers
- VO Attributes: added by myVocs
- Applications: App1, App2, ..., Appn receive both sets of attributes

A Look Inside myVocs (diagram)
- Identity providers: UAB IdP, UIUC IdP, OpenIdP, other IdPs
- Shibboleth SP in front of myVocs
- myVocs VO Attribute Store
- VO IdP with GridShib
- VO SPs: Globus SP and VO SP
- Applications: Mail List, Wiki, CMS, Grid Apps

myVocs is a "modern application environment" (in the spirit of RL Bob's Middleware picture from this morning)
- Collaboration application scalability
- Many users, many organizations, many tools, many kinds of existing infrastructure
- Deployment manages application access

myVocs box
- A virtual machine instance of myvocs.org
- Instantiates a working federated platform
- Allows stand-alone exploration of federation middleware
- Simplifies construction of federated system environments
- Supports development of federated applications
- Conceptualizes complex federations as simple federations in layers

myVocs box Contents
- Debian GNU/Linux minimal system install
- Shibboleth IdM infrastructure
- Simplified group management with Sympa
- Dynamically allocated collaboration tools
- GridShib CA and IdP interfaces
- Short-circuit identity provider
- Basic tools to support stand-alone operation

Running myVocs box
- Download the virtual machine image from http://myvocs-box.myvocs.org
- Run it with VMware Player or Server
- Put the myvocs-box IP in /etc/hosts
- Point a browser at http://myvocs-box
- Explore VO management and the sample web tools

UABgrid 2.0
- Use of the myVocs collaboration environment architecture resolves the limitations of the initial version
- Leverage a myVocs box instance as the VO management platform
- UABgrid CA aligned with PKI-lite
- GridShib CA supports grid credential assignment without key escrow
- InCommon federation supplies identities and other useful attributes

UABgrid and myVocs (diagram)
- Identity providers: UAB IdP, other IdPs
- Shibboleth SP
- VO Attribute Store
- VO IdP with GridShib
- VO SPs: Globus SP and VO SP
- Applications: Web Apps, Grid Apps

UABgrid running myVocs box
- Know the network profile configuration
- Import myVocs box into the local namespace
- Integrate with the local trust environment
- Hook in identity providers
- Establish virtual organizations
- Migrate existing resources
- Integrate new resources

Network Profile
- Default ports HTTP, HTTPS, SSH: OK
- No firewall rules: OK
- Public default root password: Not OK (it is in the published image, so change it before the box is reachable from the network)
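The three checks on this slide, written out as an added shell example (not code from the myVocs box or UABgrid): it reports listening TCP ports outside the expected SSH/HTTP/HTTPS set while ignoring loopback-only services, emits a minimal default-deny host firewall for those three ports, and flags a root password whose last-change day in /etc/shadow is not newer than the day the image was built, which means it is still the published default. The netstat text, the shadow line and the build day are constructed inputs.

```shell
#!/bin/sh
# Added example, not code from the myVocs box or UABgrid: audit the appliance's
# network profile before it is reachable. The sample inputs below are
# constructed stand-ins for `netstat -tln` output and root's /etc/shadow line.

ALLOWED_PORTS="22 80 443"   # SSH, HTTP, HTTPS: the three the slide expects

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# Constructed root entry; field 3 is the day (since 1970-01-01) of the last
# password change. 13500 is late 2006, plausible for a 2006 image build.
SAMPLE_SHADOW='root:$1$constructed$notarealhash:13500:0:99999:7:::'

# Print, space-separated and sorted, every TCP port in $1 that listens on a
# non-loopback address and is not in ALLOWED_PORTS. Empty output = profile OK.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            if ($4 ~ /^127\./) next            # loopback only: not exposed
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Emit iptables commands for a default-deny INPUT policy that admits only
# ALLOWED_PORTS, loopback, and replies to connections the box opened itself.
firewall_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ALLOWED_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# Exit 0 if the root password in shadow line $1 was last changed on or before
# day $2 (the day the downloaded image was built): it is still the public
# default and must be changed before the box goes on the network.
root_password_unchanged() {
    last_change=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "${last_change:-0}" -le "$2" ]
}

IMAGE_BUILD_DAY=13500   # assumed build day of the downloaded image

echo "unexpected listeners: $(unexpected_listeners "$SAMPLE_NETSTAT")"
if root_password_unchanged "$SAMPLE_SHADOW" "$IMAGE_BUILD_DAY"; then
    echo "root password unchanged since image build: change it now"
fi
firewall_rules
```

On a real appliance the inputs come from `netstat -tln` and `grep '^root:' /etc/shadow`; with the constructed sample the only flagged listener is port 25 (Sendmail bound to all interfaces), and the MySQL listener on 127.0.0.1 is ignored because nothing off-box can reach it. The build day for a downloaded image is best read from the image's own timestamps; any value on or after the real build is safe to use, since the check only errs on the side of demanding a password change.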

Import into Namespace
- "Import" into the namespace means assigning an appropriate local host name
- A host name change affects the system, the web server, Shibboleth, and messaging
- System name: the standard host name change process
- Web server: has a static rule with the default host name
- Shibboleth: has the host name in its config and in its metadata
- Messaging: Sendmail must masquerade as the new host name and listen on the external interface
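The four-part rename on this slide rehearsed as one script, an added shell example that is not from the myVocs project: it builds constructed stand-ins for the affected files under a scratch root, rewrites the host name in each, drops Sendmail's loopback-only bind so it listens externally, and then greps for any leftover mention of the old name. The file paths, directives and the new host name follow a Debian/Apache/Shibboleth 1.3/Sendmail layout but are assumptions about the appliance, not taken from it.

```shell
#!/bin/sh
# Added example, not from the myVocs project: rehearse the "import into
# namespace" rename on a constructed copy of the affected files. Paths and
# directives follow a Debian/Apache/Shibboleth 1.3/Sendmail layout but are
# assumptions about the appliance, not taken from it; the new name is made up.

OLD_NAME=myvocs-box
NEW_NAME=uabgrid.example.edu

# Lay out constructed stand-ins for the six files the rename touches under $1.
make_fixture() {
    root=$1
    mkdir -p "$root/etc/apache2" "$root/etc/shibboleth" "$root/etc/mail"
    printf '%s\n' "$OLD_NAME" > "$root/etc/hostname"
    printf '127.0.1.1\t%s\n' "$OLD_NAME" > "$root/etc/hosts"
    printf 'ServerName %s\n' "$OLD_NAME" > "$root/etc/apache2/httpd.conf"
    cat > "$root/etc/shibboleth/shibboleth.xml" <<EOF
<Host name="$OLD_NAME">
  <Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
<Application providerId="https://$OLD_NAME/shibboleth"/>
EOF
    cat > "$root/etc/shibboleth/sp-metadata.xml" <<EOF
<EntityDescriptor entityID="https://$OLD_NAME/shibboleth">
  <AssertionConsumerService Location="https://$OLD_NAME/Shibboleth.sso/SAML/POST"/>
</EntityDescriptor>
EOF
    cat > "$root/etc/mail/sendmail.mc" <<EOF
MASQUERADE_AS(\`$OLD_NAME')dnl
DAEMON_OPTIONS(\`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
EOF
}

# Portable in-place edit (no GNU-only sed -i): $1 file, $2 sed script.
rewrite() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Replace host name $2 with $3 in every affected file under $1, and drop the
# loopback-only Addr= so Sendmail listens on the external interface. $2 is
# used as a literal sed pattern, so it must not contain regex metacharacters.
import_into_namespace() {
    root=$1; old=$2; new=$3
    for f in etc/hostname etc/hosts etc/apache2/httpd.conf \
             etc/shibboleth/shibboleth.xml etc/shibboleth/sp-metadata.xml \
             etc/mail/sendmail.mc; do
        rewrite "$root/$f" "s/$old/$new/g"
    done
    rewrite "$root/etc/mail/sendmail.mc" 's/, Addr=127\.0\.0\.1//'
}

# Number of lines under $1 that still mention $2; 0 means nothing was missed.
residue_count() {
    grep -r -- "$2" "$1" | wc -l | tr -d ' '
}

ROOT=$(mktemp -d)
make_fixture "$ROOT"
import_into_namespace "$ROOT" "$OLD_NAME" "$NEW_NAME"
echo "lines still naming $OLD_NAME: $(residue_count "$ROOT" "$OLD_NAME")"
```

Two things the rewrite cannot do for you: the entityID and endpoint URLs in the SP metadata change, so every IdP or federation that holds a copy of that metadata needs the regenerated file, and the TLS certificate Apache and Shibboleth present still names the old host until it is reissued (the subject of the next slide). Run `hostname "$NEW_NAME"` and restart Apache, shibd and Sendmail after the files are in place.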

Integrate with the Local Trust Environment
- The UABgrid CA defines the PKI trust environment for hosts and users on UABgrid
- The CA will define the trust foundation for the myVocs box and for UABgrid metadata
- Migration from the default myVocs box trust configuration was delayed temporarily to speed exploration of other parts of the implementation
- The default myVocs config "works" with a false sense of self: its shipped certificates and metadata are self-asserted rather than rooted in the local CA
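What "rooting the box in the local CA" means at the certificate level, as an added shell example that is not code from the myVocs box or UABgrid: a scratch CA standing in for the UABgrid CA issues the host certificate the appliance presents under its new name, and a verifier that trusts only that CA accepts it while rejecting the factory self-signed certificate, which is the "false sense of self" on the slide. The CA and host names are assumptions; everything is generated with openssl in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the myVocs box or UABgrid: a local CA (stand-in
# for the UABgrid CA; all names are assumptions) issues the appliance's host
# certificate, and a verifier that trusts only that CA rejects the appliance's
# default self-signed certificate. Everything lives in a scratch directory.

DAYS=365

# Create the CA key and self-signed CA certificate under $1.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=UABgrid example/CN=UABgrid example CA" 2>/dev/null
}

# Issue a CA-signed host certificate for host name $2 under $1 (host.crt).
# The SAN is what current clients match; the CN is kept for older
# Shibboleth/Globus tooling that still reads the subject.
issue_host_cert() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/host.key" -out "$dir/host.csr" \
        -subj "/O=UABgrid example/CN=$name" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" > "$dir/host.ext"
    openssl x509 -req -days "$DAYS" -in "$dir/host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/host.ext" -out "$dir/host.crt" 2>/dev/null
}

# The appliance's factory certificate: self-signed for name $2, under $1.
make_default_self_signed() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -keyout "$dir/default.key" -out "$dir/default.crt" \
        -subj "/CN=$name" 2>/dev/null
}

# Exit 0 only if certificate $2 chains to the CA certificate $1/ca.crt.
trusted_by_local_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Print the subject CN of certificate $1 (works with old and new subject formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

WORK=$(mktemp -d)
make_ca "$WORK"
issue_host_cert "$WORK" uabgrid.example.edu   # assumed new host name
make_default_self_signed "$WORK" myvocs-box     # the shipped default

if trusted_by_local_ca "$WORK" "$WORK/host.crt"; then
    echo "host.crt ($(cert_cn "$WORK/host.crt")): trusted by local CA"
fi
if ! trusted_by_local_ca "$WORK" "$WORK/default.crt"; then
    echo "default.crt ($(cert_cn "$WORK/default.crt")): rejected, self-asserted"
fi
```

host.crt and host.key are what go into Apache's SSL configuration and into the KeyDescriptor of the regenerated Shibboleth metadata; partners and the Globus container add the CA certificate, not the host certificate, to their trust stores (for Globus, under /etc/grid-security/certificates with the hashed file name and a signing policy). The CA key should never live on the appliance itself.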

Hook in Identity Providers
- The goal is to make UABgrid an InCommon application
- InCommon will be the primary identity federation for UABgrid
- An operating policy for InCommon is being developed; the initial draft is awaiting review
- Two levels of access with different attribute requirements: collaboration tools and compute resources
- OpenIdP.org in use for initial testing

Establish a Virtual Organization
- VOs are easy to create by way of the Sympa interface
- The HPC Services group has an existing virtual organization called the Advanced Technology Lab (@lab)
- @lab selected for migration to a UABgrid VO (Drupal, mailing list, Connotea, Trac, etc.)
- 6 core members with additional affiliates
- @lab will be used to manage UABgrid using UABgrid (eat our own dog food)

UABgrid Management Project
- cfengine for configuration management
- All nodes will need the Globus + GridShib stack to accept "management" jobs
- Authorization to execute jobs comes from the @lab VO role
- Taking a system perspective provides a simple model to support construction of infrastructure
- Still early on, but grid management using the grid infrastructure is the goal

Experience: Authentication
- Shibboleth is clearly sufficient for web applications
- User certs via the GridShib CA interface are good for non-web applications
- Flexible yet consistent session lifetime management is needed; for now it can be achieved via published practices
- Essentially, authentication needs can be pretty well satisfied with existing technology

Experience: Authorization
- Default myVocs authz roles are OK for smaller groups (only 3 roles)
- No central PDP (each app decides the meaning of roles): good for enabling integration rather than enforcing it, since applications just receive consistent attributes
- Managing multiple apps independently can be time consuming, so use a small number

Experience: Applications
- Sample applications in the myVocs box are OK for working groups, given their scale
- Sample web applications are dated; they need to be updated to the latest releases and modernized
- Management of some application features requires file system access; an owner/admin file UI for web applications is needed
- A registration UI for additional apps is needed
- GridShib for Globus is for WS (i.e. not SSH)

Experience: Final Thought
Don't get lost in the technology. Shibboleth and Globus are just the means to building user-driven, federated system environments.

Remaining Tasks
- Integrate the myVocs box with the UABgrid trust fabric
- Migrate existing applications used by @lab; requires some development work to address Shibboleth support
- Integrate additional resources; on-going evaluation of application needs for this and other VOs
- Migrate other existing working groups to UABgrid 2.0 (a.k.a. buy-in)

The Future
- UABgrid 2.0 pilot begins summer 2007
- Explore grid-based integration with the UA System and the Alabama Supercomputer Authority
- Recruiting additional manpower
- myVocs box will continue to be leveraged on UABgrid for development efforts and improved as a VO management platform: VM performance analyzed, ease of administration improved, Shibboleth trust management, additional attributes

Acknowledgments
- NSF ANI-0330543 "NMI Enabled Open Source Collaboration Tools for Virtual Organization"
- Office of the Vice President for Information Technology, University of Alabama at Birmingham
- Projects: SURAgrid, GridShib, Internet2
- People: Jill Gemmill, Tom Scavo, Von Welch, Jim Phelps, Michael Schiffers, David Shealy

References
- UAB CyberInfrastructure Planning: http://www.uab.edu/it/CyberInfrastructure
- UABgrid: http://uabgrid.uab.edu
- myVocs and myVocs box: http://myvocs.org
- OpenIdP.org: http://openidp.org