Enabling Grids for Computing Introduction to High Performance and Grid E-scienc. E Faculty of Sciences, University of Novi Sad Architecture and Services of g. Lite Middleware Dusan Vudragovic <dusan@scl. rs> Scientific Computing Laboratory Institute of Physics Belgrade Serbia Feb. 06, 2009 www. eu-egee. org EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing
Set of basic Grid services Enabling Grids for E-scienc. E • • • Job submission/management File transfer (individual, queued) Database access Data management (replication, metadata) Monitoring/Indexing system information EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 2
Grid services Enabling Grids for E-scienc. E • • Authentication (CA) Authorization (VOMS) Information System User Interface (UI) Computing Element (CE) Storage Element (SE) Workload Management System (WMS) EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 3
Authentication (1/10) Enabling Grids for E-scienc. E • Cryptography – To implement the security infrastructure, cryptography uses mathematical algorithms that provide important building blocks – Corresponding definitions for the above symbols: § § Plaintext: M Cyphertext: C Encryption with key K 1 : EK 1(M) = C Decryption with key K 2 : DK 2(C) = M – Algorithms § Symmetric: K 1 = K 2 § Asymmetric: K 1 ≠ K 2 K 1 M EGEE-III INFSO-RI-222667 Encryption K 2 C Decryption M Introduction to High Performance and Grid Computing 4
Authentication (2/10) Enabling Grids for E-scienc. E • Cryptography : : Symmetric Algorithms – The same key is used for encryption and decryption (no public key, only secret keys available. ) – Advantages § Fast – Disadvantages § Exchange of secret keys needed: – how to A distribute the keys? Hi! § the number of keys is O(n 2) B 3$r Hi! – Examples: § DES § 3 DES § AES EGEE-III INFSO-RI-222667 A Hi! B 3$r Introduction to High Performance and Grid Computing Hi! 5
Authentication (3/10) Enabling Grids for E-scienc. E • Cryptography : : Public Key Algorithms (Asymmetric) – Every user has two keys: one private (secret) and one public: § it is impossible to derive the private key from the public one § a message encrypted by one key can be decrypted only by the other one. – No exchange of private key is possible. § the sender cyphers using the public key of the receiver § the receiver decrypts using his own private key; § the number of keys is O(n). – Examples: RSA (1978) EGEE-III INFSO-RI-222667 A Hi! B 3$r A Hi! 3$r Hi! B cy 7 A keys public private cy 7 Hi! B keys public private Introduction to High Performance and Grid Computing 6
Authentication (4/10) Enabling Grids for E-scienc. E • Cryptography : : Digital Signature A – A calculates the hash of the message (with a one-way hash function) This is some – A encrypts the hash using message his private key: the encrypted hash is the digital signature – A sends the signed message to B – B calculates the hash of the B message and verifies it with A, decyphered with A’s public key – If two hashes equal: message wasn’t modified; A cannot A keys repudiate it. public EGEE-III INFSO-RI-222667 Hash(A) Digital Signature Hash(B) =? Hash(A) This is some message Digital Signature private Introduction to High Performance and Grid Computing 7
Authentication (5/10) Enabling Grids for E-scienc. E • Digital Certificates – A’s digital signature is safe if: § A’s private key is not compromised § B knows A’s public key – How can B be sure that A’s public key is really A’s public key and not someone else’s? § A third party guarantees the correspondence between public key and owner’s identity. § Both A and B must trust this third party – Two models proposed to build trust: § X. 509: hierarchical organization (used in Grid) § PGP: “web of trust” (person to person) EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 8
Authentication (6/10) Enabling Grids for E-scienc. E • Certification Authorities – The “third party” is called Certification Authority (CA). – Responsibilities of CA: § Issue Digital Certificates (containing public key and owner’s identity) for users, programs and machines § Check identity and the personal data of the requestor § Registration Authorities (RAs) do the actual validation § Revoke certificates in case of a compromise § Renew certificates in case of expiration § Periodically publish a list of revoked certificates through web repository § Certificate Revocation Lists (CRL): contain all the revoked certificates – CA certificates are self-signed EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 9
Authentication (7/10) Enabling Grids for E-scienc. E • X. 509 Certificates – An X. 509 Certificate contains: § § § owner’s public key; identity of the owner (DN); info on the CA; time of validity; Serial number; digital signature of the CA Structure of a X. 509 certificate Public key Subject: C=RS, O=AEGIS, OU=Institute of Physics Belgrade, CN=Dusan Vudragovic Issuer: C=RS, O=AEGIS, CN=AEGIS-CA Not before: Apr 6 14: 08: 33 2008 GMT Not after: Apr 6 14: 08: 33 2009 GMT Serial number: 95 (0 x 5 F) CA Digital signature EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 10
Authentication (8/10) Enabling Grids for E-scienc. E • The Grid Security Infrastructure (GSI) – Based on X. 509 PKI: § every user/host/service has an X. 509 certificate; § certificates are signed by trusted (by the local sites) CA’s; § every Grid transaction is mutually authenticated: § Ali sends his certificate; A B A’s certificate Verify CA signature Random phrase • B verifies signature in A’s Encrypt with A. ’ s private key certificate; • B sends A a challenge string; Encrypted phrase • A encrypts the challenge string with his private key; • A sends encrypted challenge to B Decrypt with A’s public key • B uses A’s public key to decrypt the challenge. • B compares the decrypted string Compare with original phrase with the original challenge • If they match, B verifies A’s identity and A can not repudiate it. EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 11
Authentication (9/10) Enabling Grids for E-scienc. E • X. 509 Proxy Certificate – Proxy: GSI extension to X. 509 Identity Certificates § signed by the normal end entity cert (or by another proxy). – It enables single sign-on. – It supports some important features: § Delegation § Mutual authentication – It has a limited lifetime (minimized risk of “compromised credentials”) – User enters pass phrase, which is used to decrypt private key – Private key is used to sign a proxy certificate with its own, new public/private key pair. Pass Phrase EGEE-III INFSO-RI-222667 User certificate file Private Key (Encrypted) User Proxy certificate file Introduction to High Performance and Grid Computing 12
Authentication (10/10) Enabling Grids for E-scienc. E • Delegation – Delegation = remote creation of a (second level) proxy credential § New key pair generated remotely on server § Client signs proxy cert and returns it – Allows remote process to authenticate on behalf of the user EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 13
Authorization (1/7) Enabling Grids for E-scienc. E • Multi-institution issues No Cross. Domain Trust Certification Authority Domain B Domain A Policy Authority Task Server X Sub-Domain A 1 EGEE-III INFSO-RI-222667 Policy Authority Trust Mismatch Server Y Mechanism Mismatch Sub-Domain B 1 Introduction to High Performance and Grid Computing 14
Authorization (2/7) Enabling Grids for E-scienc. E • Grid solution: use of VOs No Cross. Domain Trust Certification Authority Policy Authority Sub-Domain B 1 Sub-Domain A 1 Domain A Domain B Task Federation Service GSI Server X EGEE-III INFSO-RI-222667 Virtual Organization Domain Server Y Introduction to High Performance and Grid Computing 15
Authorization (3/7) Enabling Grids for E-scienc. E • Use delegation to establish dynamic distributed system Computing Center Service Rights VO EGEE-III INFSO-RI-222667 Computing Center Introduction to High Performance and Grid Computing 16
Authorization (4/7) Enabling Grids for E-scienc. E • VOMS server – Virtual organizations (VOs) are groups of Grid users (authenticated through digital certificates) – VO Management Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc. – VO Manager, according to VO policies and rules, authorizes authenticated users to become VO members – Resource centers (RCs) may support one or more VOs, and this is how users are authorized to use computing, storage and other Grid resources – VOMS allows flexible approach to A&A on the Grid EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 17
Authorization (5/7) Enabling Grids for E-scienc. E • VOMS Ingredients – Attribute Certificates: AC is a PKI container, defined in RFC 3281, capable of containing a set of attributes tied to a specific identity. It is the system used by VOMS to issue its attributes. – VOMS groups: /aegis/scl – VOMS roles: /Role=VO-Admin § Roles can be defined for groups as well – FQAN (Fully Qualified Attribute Name) is a compact way to represent user’s membership in a group, along with its role holdership, if any § Syntax: <groupname>/Role=<rolename>/Capability=NULL where the /Capability=NULL may be omitted, since it refers to a deprecated feature of VOMS § /aegis/scl/Role=NULL/Capability=NULL EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 18
Authorization (6/7) Enabling Grids for E-scienc. E • Attribute Certificate – FQAN are included in an Attribute Certificate – Attribute Certificates are used to bind a set of attributes (like membership, roles, authorization info etc) with an identity – ACs are digitally signed – VOMS uses AC to include the attributes of a user in a proxy certificat EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 19
Authorization (7/7) Enabling Grids for E-scienc. E • VOMS Architecture VOMS Server voms-proxy-init voms-admin CLI GSI SOAP + SSL HTTPS Web browser EGEE-III INFSO-RI-222667 VOMS Core Service (vomsd) VOMS Admin Service SOAP Authorization Database Web User Interface Introduction to High Performance and Grid Computing 20
Information System (1/10) Enabling Grids for E-scienc. E • Collect information of grid resources – Discovering new added resources – Monitoring load and health status • Publish these information – Periodically updated – Well know data model • Used by – Users searching a concrete resource – WMS allocating and managing jobs – Other monitoring services • Basic data model – Grid Laboratory Uniform Environment (GLUE) Schema. • Two architectures in glite 3 – g. Lite Information System (BDII) § BDII over Globus MDS (Monitoring and Discovery System). § Open. LDAP interface. – Relational Grid Monitoring Architecture (R-GMA) § Based on the GMA (Grid Monitoring Architecture) standard from the Grid Global Forum § Information in SQL relational databases § Web Services. EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 21
Information System (2/10) Enabling Grids for E-scienc. E • GLUE Schema : : Overview – A schema of objects and attributes describing Grid resources and its relationships. § Originally a EU-Data. TAG and US-i. VDGL coordinated effort. § Current participants: EGEE, OSG, Globus and Nordu. Grid. § A way to describe Grid info • Statically and dynamically supplied • Hierarchically represented • Independently of the framework (LDAP, XML, SQL…) EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 22
Information System (3/10) Enabling Grids for E-scienc. E • GLUE Schema : : Site Element EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 23
Information System (4/10) Enabling Grids for E-scienc. E • GLUE Schema : : Cluster Element EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 24
Information System (5/10) Enabling Grids for E-scienc. E • GLUE Schema : : Computing Element EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 25
Information System (6/10) Enabling Grids for E-scienc. E • g. Lite Information System Levels – Resource level: Grid Resource Information Server (GRIS) § One GRIS on top of each CE, SE, WMS, My. Proxy (no WNs). § Sensors and scripts get status of concrete resources statically (e. g. Glue. CEUnique. ID) or dynamically (e. g. Glue. CEState. Waiting. Jobs) – Site level: Grid Index Information Server (GIIS) § Compiles all the information of the different GRISes in a site. § g. Lite recommends using a BDII instead of a GIIS • Improves robustness and stability. • Called the site BDII. – Top level: Berkeley DB Information Index (BDII) § Keeps all Grid information about the VOs (generally one). § Stores information from local BDIIs or GIISes in its database. § Only queries sites that are included in a configuration file. EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 26
Information System (7/10) Enabling Grids for E-scienc. E EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 27
Information System (8/10) Enabling Grids for E-scienc. E • LDAP Model – Way of collecting info § Pull model (higher level servers periodically query lower level servers) § All servers are based on LDAP • Inherit hierarchical structure (tree-like) • LDAP Data Information Format (LDIF) – Users get info with § Generic applications • ldapsearch (BDII: 2170 ports) • Graphical UIs (BDII web; LDAP GUIs) • Always can get information about specific resources (maybe more up-todate) by querying directly the site BDIIs, GIISes or GRISes. § Querying VO info with lcg-infosites or lcg-info tools EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 28
Information System (9/10) Enabling Grids for E-scienc. E • R-GMA Overview – – – – – Added from EDG Project Based on the GMA standard from the GGF Information in SQL relational databases (a DB per VO) Query syntax is a SQL subset Simple consumer-producer model Web Services oriented CLI and Web user interface Allows self-logging applications R-GMA offers a global view of the VO information § In one large relational DB: virtual database. § Registry stores localization tuples (database rows) published by producers: • Standard Tables: CE state in GLUE Schema (by R-GMA-GIN) • Applications specific tables (e. g. self-logging with Log 4 j) • Access by SQL queries through a WS interface. EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 29
Information System (10/10) Enabling Grids for E-scienc. E EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 30
User Interface (UI) Enabling Grids for E-scienc. E • UI is the user’s interface to the Grid - Command-line interface to – Attribute/Proxy certificate – Job operations § To submit a job § Monitor its status § Retrieve output – Data operations § Upload file to SE § Create replica § Discover replicas – Other grid services • To run a job user creates a JDL (Job Description Language) file EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 31
Computing Element (CE) Enabling Grids for E-scienc. E A CE is a grid batch queue with a “grid gate” front-end: L&B Logging Job request Gatekeeper Information system Loc. Info system A&A Grid gate node Local resource management system: Condor / PBS / LSF master Homogeneous set of worker nodes (WNs) EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 32
Storage Element (SE) Enabling Grids for E-scienc. E • • • Storage elements hold files: write once, read many Replica files can be held on different SE: – “close” to CE; share load on SE File Catalogue - what replicas exist for a file and where are they? File transfer Requests L&B Info system Event Logging Loc. Info System Grid. FTP Gatekeeper A&A Disk arrays or tapes EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 33
Workload Management System Enabling Grids for E-scienc. E EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 34
Enabling Grids for E-scienc. E Job management requests (submission, cancellation) expressed via a Job Description Language (JDL) EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 35
Enabling Grids for E-scienc. E Keeps submission Requests are kept for a while, waiting for being dispatched If there is no matching resource available EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 36
Enabling Grids for E-scienc. E Repository of resource information Updated via notifications and/or active polling on sources Provide matchmaker With information to decide best resources for request. EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 37
Enabling Grids for E-scienc. E Finds an appropriate CE or resource for job request according to the information from ISM. Taking into account job preferences, resource status, policies on resources EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 38
Enabling Grids for E-scienc. E Performs the actual job submission and monitoring Normally it is Condor. EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 39
Enabling Grids for E-scienc. E Computing Element is the place where you jobs run EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 40
Enabling Grids for E-scienc. E • Workload Manager Proxy WMProxy – Provides access to WMS functionality through a Web Services based interface – Each job submitted to a WMProxy Service is given the delegated credentials of the user who submitted it. – These credentials can then be used to perform operations requiring interactions with other services – WMProxy advantages: § web service, SOAP § job collections, DAG jobs, shared and compressed § sandboxes – WMProxy caveats: § needs delegated credentials § Delegate once, submit many EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 41
Enabling Grids for E-scienc. E • Workload Manager (WM) – Is responsible for § Calls Matchmaker to find the resource which best matches the job requirements. § Interacting with Information System and File catalog. § Calculates the ranking of all the matchmaked resource • Information Supermarket (ISM) – is responsible for § basically consists of a repository of resource information that is available in read only mode to the matchmaking engine • Job Adapter – is responsible for § making the final touches to the JDL expression for a job, before it is passed to Condor. C for the actual submission § creating the job wrapper script that creates the appropriate execution environment in the CE worker node • transfer of the input and of the output sandboxes EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 42
Enabling Grids for E-scienc. E • Job Controller (JC) – Is responsible for § Converts the condor submit file into Class. Ad § hands over the job to Condor. C • Condor – responsible for § performing the actual job management operations: job submission, removal • Log Monitor – is responsible for § watching the Condor log file § intercepting interesting events concerning active jobs • events affecting the job state machine § triggering appropriate actions. EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 43
Enabling Grids for E-scienc. E • Task Queue – Gives the possibility to keep track of the requests if no resources are immediatelly avalaible – Non-matching requests will be retried periodically (eager scheduling) – Or wait for notification of avalaible resources (lazy scheduling) EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 44
Enabling Grids for E-scienc. E Computing Element is built on a homogeneous farm of computing nodes (called Worker Nodes) Also there are many components inside CE such as gatekeeper, globus-jobmanager, . . EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 45
Enabling Grids for E-scienc. E EGEE-III INFSO-RI-222667 Gatekeeper Grants access to the CE and map grid user Introduction to High Performance and Grid Computing to a local user id. 46
Enabling Grids for E-scienc. E Batch System A cluster of compute nodes controlled by a head node. handles the job execution Example: Torque (Open PBS), PBS EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 47
Location of files Enabling Grids for E-scienc. E Network Daemon UI LFC Characteristics of resources Workload Manager Inform. Service Job Contr. Condor. G WMS Computing Element EGEE-III INFSO-RI-222667 CE characts & status Storage Element Introduction to High Performance and Grid Computing 48
Daemon responsible for accepting incoming requests Enabling Grids for E-scienc. E Network Daemon JDL LFC waiting UI Input Sandbox files RB storage submitted Workload Manager Inform. Service glite-wms-job-submit myjob. jdl Contr. Job Condor. G WMS Computing Element EGEE-III INFSO-RI-222667 CE characts & status Storage Element Introduction to High Performance and Grid Computing 49
Job Status Enabling Grids for E-scienc. E submitted Network Daemon UI waiting Job RB storage Workload Manager WM: responsible to take the appropriate actions to satisfy the request Computing Element Inform. Service Job Contr. Condor. G WMS EGEE-III INFSO-RI-222667 LFC CE characts & status Storage Element Introduction to High Performance and Grid Computing 50
Enabling Grids for E-scienc. E submitted Network Daemon UI RB storage Workload Manager LFC waiting Match. Maker/ Broker Inform. Service Where this job can be executed ? Job Contr. Condor. G WMS Computing Element EGEE-III INFSO-RI-222667 CE characts & status Storage Element Introduction to High Performance and Grid Computing 51
Enabling Grids for E-scienc. E submitted Network Matchmaker: responsible Daemon UI to find the “best” CE where to submit a job RB storage LFC waiting Match. Maker/ Broker Workload Manager Inform. Service Job Contr. Condor. G WMS Computing Element EGEE-III INFSO-RI-222667 CE characts & status Storage Element Introduction to High Performance and Grid Computing 52
Where is the needed Input. Data ? Enabling Grids for E-scienc. E submitted Network Daemon UI RB storage WMS Computing Element waiting Match. Maker/ Broker Workload Manager Job Contr. Condor. G EGEE-III INFSO-RI-222667 LFC Inform. Service What is the status of the Grid ? CE characts & status Storage Element Introduction to High Performance and Grid Computing 53
Enabling Grids for E-scienc. E submitted Network Daemon UI RB storage Workload Manager LFC waiting Match. Maker/ Broker Inform. Service CE choice Job Contr. Condor. G WMS Computing Element EGEE-III INFSO-RI-222667 CE characts & status Storage Element Introduction to High Performance and Grid Computing 54
Enabling Grids for E-scienc. E submitted Network Daemon LFC waiting UI RB storage Workload Manager Job Contr. Condor. G Inform. Service Job Adapter CE characts JA: responsible WMS final “touches” for the & status to the job before performing submission (e. g. creation of wrapper script, etc. ) Computing Element EGEE-III INFSO-RI-222667 SE characts & status Storage Element Introduction to High Performance and Grid Computing 55
submitted Enabling Grids for E-scienc. E Network Daemon LFC waiting UI RB storage ready Workload Manager Inform. Service Job Contr. Condor. G JC: responsible for the actual job management operations (done via Condor. G) Computing Element EGEE-III INFSO-RI-222667 WMS CE characts & status Storage Element Introduction to High Performance and Grid Computing 56
Enabling Grids for E-scienc. E submitted Network Daemon LFC waiting UI RB storage Workload Manager ready Inform. Service scheduled Job Contr. Condor. G Input Sandbox files Computing Element EGEE-III INFSO-RI-222667 WMS CE characts & status SE characts & status Job Storage Element Introduction to High Performance and Grid Computing 57
Enabling Grids for E-scienc. E submitted Network Daemon LFC waiting UI RB storage Workload Manager Inform. Service scheduled Job Contr. Condor. G Input Sandbox ready running WMS “Grid enabled” data transfers/ accesses Computing Element Storage Element Job EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 58
Enabling Grids for E-scienc. E submitted Network Daemon LFC waiting UI RB storage Workload Manager ready Inform. Service Job Contr. Condor. G Output Sandbox files Computing Element EGEE-III INFSO-RI-222667 scheduled running WMS done Storage Element Introduction to High Performance and Grid Computing 59
Enabling Grids for E-scienc. E submitted Network Daemon LFC waiting UI RB storage Workload Manager glite-wms-get-output <job. ID> Output Sandbox Computing Element EGEE-III INFSO-RI-222667 ready Inform. Service Job Contr. Condor. G scheduled running WMS done Storage Element Introduction to High Performance and Grid Computing 60
submitted Enabling Grids for E-scienc. E Network Daemon LFC waiting UI Output Sandbox files RB storage Workload Manager ready Inform. Service Job Contr. Condor. G scheduled running done WMS cleared Computing Element EGEE-III INFSO-RI-222667 Storage Element Introduction to High Performance and Grid Computing 61
glite-wms-job-status <job. ID> Enabling Grids for E-scienc. E glite-wms-job-logging-info <job. ID> UI Network Daemon LB: receives and stores job events; processes corresponding job status Job status LB proxy Logging & Bookkeeping Workload Manager Job Contr. Condor. G WMS Log of job events Computing Element EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 62
Other Grid services Enabling Grids for E-scienc. E • • PX (My. Proxy) FTS (File Transfer Service) LFC (Logical File Catalog) AMGA (ARDA Metadata Grid Application) EGEE-III INFSO-RI-222667 Introduction to High Performance and Grid Computing 63
Скачать презентацию Enabling Grids for Computing Introduction to High Performance
9451667f0a7950f40ea5ebdb817e55dd.ppt