Presentation on theme: "Access Grid Update Robert Olson Argonne National Laboratory"— Presentation transcript:
1Access Grid Update Robert Olson Argonne National Laboratory SURA/ViDe 5th Annual Digital Video Workshop
2AbstractIn the years since we released the first Access Grid specifications and software, we have learned a great deal about how one might use this technology to enhance collaboration. With the 2.0 release of the AG software, we apply this knowledge to produce a system that is much more capable of enhancing collaboration between groups of people and the tools they use. In this talk I discuss what is new with the AG 2.0 software release and how its capabilities may be applied.
3The Access GridThe Access Grid project’s focus is to enable groups of people to interact with Grid resources and to use the Grid technology to support group to group collaboration at a distanceSupporting distributed research collaborationsDistributed Lectures and seminarsRemote participation in design and developmentVirtual site visits and team meetingsComplex distributed grid based applicationsLong term collaborative workflows
4Access Grid – The Novel Ideas Peer-to-peer Virtual Venues servers to enable worldwide, secure virtual communities through the use of high-end collaboration environmentsCollaborative work sharing beyond simple application sharingIntegration of high-end visualization environments into collaborative spacesMethods of asynchronous collaboration: capture, synchronization, record, playback and annotation of collaborative experiences.
5HW Components of an AG Node RGB VideoDigital VideoDisplayComputerNetworkShared App,ControlNTSC VideoVideo CaptureComputerDigital VideoAnalog AudioDigital AudioAudio CaptureComputerMixerControlComputerRS232 SerialEchoCanceller
6Access Grid Project Goals Enable Group-to-Group Interaction and CollaborationConnecting People and Teams via the GridImprove the User Experience: Go Beyond TeleconferencingProvide a Sense of PresenceSupport Natural Interaction ModalitiesUse Quality but Affordable Digital IP Based Audio/videoLeverage IP Open Source ToolsEnable Complex Multisite Visual and Collaborative ExperiencesIntegrate With High-end Visualization EnvironmentsActiveMural, Powerwall, CAVE Family, WorkbenchesBuild on Integrated Grid Services ArchitectureDevelop New Tools Specifically Support Group Collaboration
7Our ApproachAttack Research Questions in the context of real world experienceBuild up a critical mass of groups using the AG PlatformInvolve multiple groups in trying new ideas and evaluationBuild Working Infrastructure as well as Prototype SoftwareArgonne has five working AG nodes under developmentNew Software is used weekly/Daily as part of standard nanocruisesInvolve multiple groups in deployment, use and researchActive collaborations with over a dozen groups working on AG technologyRelease software early and often (use open source model)Contribute to the Community Code base
8Group-to-Group Interaction is Different Large-scale scientific and technical collaborations often involve multiple teams working togetherGroup-to-group interactions are more complex than than individual-to-individual interactionsThe Access Grid project is aimed at exploring and supporting this more complex set of requirements and functionsThe Access Grid will integrate and leverage desktop tools as needed
9Some Access Grid Active Research Issues Scalable wide area communicationEvolution of multicast related techniques, and time shifting issuesScoping of resources and persistenceValue of spatial metaphors, security modelsVirtual Venues, synchronous and asynchronous modelsImproving sense of presence and point of viewWide Field Video, Tiled Video, High-resolution video codecsNetwork monitoring and bandwidth managementBeacons and network flow engineRole of Back-channel communicationsText channels and private audioRecording and playback of multistream media
10What is the Access Grid? Virtual Venues Network Services Places where users collaborateNetwork ServicesAdvanced MiddlewareVirtual Venues ClientUser SoftwareNodesShared NodesAdministratively scoped set of resourcesResourcesProvide capabilitiesPersonal NodesUser scoped set of ResourcesUsers collaborate by sharing:DataApplicationsResources
12Virtual Venues What is a Virtual Venue? A Virtual Venue is a virtual space for people to collaborateWhat do Virtual Venues provide?Entry/Exit Authorization InformationConnections to other VenuesCoherence among UsersVenue Environment, Users, DataClient Capabilities NegotiationList of Available Network ServicesKeep track of resulting Stream ConfigurationsApplicationsVirtual Venues have two interfacesAdministrative – Venue Management SoftwareClient – Virtual Venue Client Software
13Virtual Venues Client Enable face-to-face meeting activities What can be done:Sharing DataShared ApplicationsApplications:Distributed PowerPointShared Web browserWhiteboardVoting ToolQuestion & Answer ToolShared Desktop ToolIntegrate legacy single-user apps
14Network Services Network Services Provide a middleware layer for enabling the richest collaborationsAre invisible to Venues Clients, used by Virtual VenuesPrimarily Transform streaming dataCan be anywhere on the networkCan be composed to build complex solutions:Venue Audio Stream Audio Transcoder Audio to Text Two-Way PagerTwo-Way Pager Text to Audio Audio Transcoder Venue Audio StreamNetwork Services provide opportunities for third party developersANL is working on Network Services forAudio Transcoding (16KHz ↔ 8KHz)Video Stream Selection
15Access Grid Nodes Access Grid Nodes Basic Node Services include: Comprise a set of collaboration resourcesExpose those resources through Node ServicesBasic Node Services include:Audio & Video ServicesNetwork Performance Monitoring ServiceNetwork Reliability/Fallback ServiceLeashing Service – Registering presence with a shared nodeExtended Node Services could be:Display Service with enhanced layout controlVideo Service supporting new CODECsAutomatic performance adaptationApplication Hosting Service
16Access Grid 2.0 Design Requirements Secure Communication ThroughoutReliable, Robust Data TransportExample: Network Failover TechnologyMore Diverse Reference PlatformsHandhelds High End SolutionsPersonal and Shared NodesMore Usable SoftwareWell Documented InterfacesFederated OperationIntegrate Grid Computing TechnologyAG 2.0 is Web Services basedAG 2.0 uses GT2.XAG 2.0 can enhance an OGSI by providing collaboration services
17Access Grid Nodes Access Grid 2.0 reference platforms: What Hardware? Advanced Node – Tiled Display, Multiple Video Streams, Localized AudioRoom Node – Shared Display, Multiple Video Streams, Single Audio Stream (AG 1.x Node)Desktop Node – Desktop Monitor, Multiple Video Streams, Single Audio Stream (AG 1.X PIG)Laptop Node – Laptop Display, Single Video Stream, Single Audio StreamMinimal Node – Compact Display, Single Video Stream, Single Audio StreamWhat Hardware?Cameras, Microphones, Speakers, Display, Input DevicesGet Audio Correct!Software Requirements?Python 2.2, wxPython, GT2.0, pyGlobusCould show the UI here, pointing out that hosts can be added and removed.
18Summary of Changes from 1.0 to 2.0 Virtual VenuesStatic Media ConfigurationsAssumed Multicast TechnologySingle Server assumptionVirtual Venues ClientWeb BrowserNodesNon-extensible single reference platformAG 1.1 1.2 PIGs introducedApplications layered outside of AG software2.0Virtual VenuesDynamic Media ConfigurationsCapability Brokering FunctionalityIntegrated Data StorageSupport for highly scalable deploymentsMulticast AddressingTopological Simplicity (connections as URLs)Virtual Venues ClientStreamlined ClientIntegrated Grid SecurityWorkspace DockingApplication Development Interfaces ExposedNodesNodes defined in terms of resourcesManagement UIInterfaces exposed for building new ServicesBroader set of Reference PlatformsApplicationsVenue Hosted Collaborative AppsNetwork Services
20Access Grid 2.0 Timeline Code Available now from: co AccessGrid2.0 Beta 1 Available now (March 15, 2003)Virtual Venues ServerTransitional Venue Server for AG1.X AG2.0 Migrationhttps://vv2.mcs.anl.gov:9000/Venues/default (The Access Grid Lobby)Basic Node ServicesVirtual Venues Client SoftwareVenues Management UIFinal 2.0 Toolkit April 15th, 2003
22Technological Goals Enable comprehensive security Leverage existing technologyGlobus ToolkitSOAP + WSDLProvide a low barrier of entry for …New developersRapid development of new functionalityAdding third-party extensions
23Security: General goals Identification of users and servicesAuthentication of the identity of these users and servicesAuthorization for access to resourcesPrivacy of data (files, streams, control, etc.)Public Key Infrastructure provides standards and mechanisms to fulfill these needs
24Security: Identification Users and services identified with a public key identity certificate issued by a trusted certificate authorityAn identity certificate contains:Information about the subject of the certificateA public key representing the subjectThe digital signature of the CA issuing the cert
25Identity Certificates For example, a Globus identity certificate:% openssl x509 -noout -text -in ~/.globus/usercert.pemCertificate:Data:Version: 3 (0x2)Serial Number: 6060 (0x17ac)Signature Algorithm: md5WithRSAEncryptionIssuer: C=US, O=Globus, CN=Globus Certification AuthorityValidityNot Before: Jan 7 20:22: GMTNot After : Jan 7 20:22: GMTSubject: O=Grid, O=Globus, OU=mcs.anl.gov, CN=Bob OlsonSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public Key: (1024 bit)Modulus (1024 bit):00:cd:7d:bb:ae:30:bb:c1:74:2d:e4:6e:d4:30:6e: [etc]Exponent: (0x10001)X509v3 extensions:Netscape Cert Type:SSL Client, SSL Server23:14:96:05:0d:db:ce:aa:70:17:03:5a:07:31:a0:81:e3:10:…Subject informationSubject Public KeyCA Signature
26Security: Authentication Assumptions:Authentication takes place on a transaction between a client and a serverClient and server each hold an identity certAuthentication is mutual: After completion, client and server have verified identity of the other partySecured communications in AG2 use Globus……which uses SSL/TLSSSL/TLS defines protocol for a secure handshake with mutual authentication.
27Security: Authorization Authorization is the process of gating access to a resource based on some criteria.Many different approaches, few standards.Access control listsRole-based authorizationAttribute certificatesAG2 approach: provide building blocks for applications to define authorization.Reference implementation uses a basic role-based authorization scheme.
28Security: Privacy Usually what people think when they think security Straightforward, once authentication and authorization issues overcomeGlobus Security Infrastructure uses SSL/TLS mechanisms for privacyTypically, symmetric encryption with session keys negotiated at session startup.Media data uses AES encryption with session keys distributed by secure channels.
29Practical security issues In AG2.0 Alpha, each user must have an identity certificateIdentity certs issued by Certificate AuthoritiesAG Development CAGlobus test CADOE Science Grid CACommercial CA (Verisign, Thawte, …)Certificate SafetyIf the private key for a cert is compromised, the cert cannot be trustedHence, users have responsibility for maintaining safety of their keysThe use of identity certificates is often cumbersome
30Identity Maintenance Alternatives NCSA MyProxyOnline proxy storage for standard identity certificatesMedium-term expiration proxies kept at central serverProxies created via username/password authenticationOnline CA with username/password supportIdentity certificates held at an online CANo requirement for user storage of certsIntegration with Shibboleth or other single sign-on infrastructure
31Trust issuesIf a CA is not trusted by a service, then no certificates issued by that CA are trustedCA trust is a minimum requirement for access
33Building on Access Grid 2.0 The Access Grid Toolkit is extensible by the addition of Node Services, Network Services and Applications.This tutorial covers the building of a Node Service and the building of two Applications:A Shared Web BrowserA Distributed Presentation Viewer
34Building a Node Service Node Services for Streaming MediaResponsibilitiesAdhere to Node Service interfacePacketize and send media streams to networkRespond to stream description updates
35Building Applications Applications rely the Venue for discovery, coherence, coordination and synchronization.In order to support Applications, we have added a new piece an Application Factory to the Venue.Application Factory Application Objects + Application Clients Distributed Applications integrated with AG
36Application Architecture: Venue Side An Application Factory creates Venue-resident applications.Each application is represented in the venue by an Application ObjectAn application object can store local data and can have one event channelEvent channels utilize a Venue-based Event ServiceVenueEvent ServiceApplicationFactoryApplication Object name type webServiceUri channelEvent ChannelLocal Data
37Application Architecture: User Side On the user side the Venue Client is the key.The user can install applications, which are then available to the Venue Client.When a user enters a Venue if there are application objects, the Venue Client looks for applications that are of the same type.The Venue Client also enables the user to start a local application, and create the Application Object in the Venue.VenueVenue State(Including Application Objects)Venue ClientApplication ClientType: XApplication ClientType: YApplication ClientType: Z
38Example Applications Shared Web Browser Shared Presentation Viewer Stateless – Current page not stored anywhere but in the clientsShared Presentation ViewerStateful –Master PresenterCurrent SlideSlides
39A Shared Web Browser Application task: Web browsing All users see the same pageThe Venue serves as a rendezvous mechanismApplication state: webpage URLState is distributed; that is, there is no central server maintaining the stateWith each state change, an event is distributed to all interested clients
40Distributed Presentation Application task: coordinated display of presentation materialPowerPoint is the prevalent client, but the application can be built in a platform independent way.Application stateA presentation (set of slides / images / pages)Current location within the presentationA presenter who has control of progress through the presentation
41Access Grid 2.0 - Overview of Core Venue Server ManagementNodes and Node ManagementNetwork ServicesPlans for the next year
44Venue Server Management AdministratorsMulticast address allocationStandard rangeCustom rangeStorage Location
45Venue Server Management Support for static addressingTransitional venue serverNetwork address requirements, like SCGlobalAdd/Remove Exits
46Nodes and Node Management An AG Node often consists of multiple machinesThe central NodeService communicates with a ServiceManager on each machine
47Nodes and Node Management Users install available services to establish the capabilities of the NodeAdding services extends the collaborative capabilities of the NodeServices are simple to develop and integrate, facilitating third-party development
48Nodes and Node Management The structure of an AG2 Node is more flexible than AG1 Nodes. On a personal Node, all the services would run on a single machine.
49Nodes and Node Management Node ServicesExpose resources on the machines in the nodeImplement a specific network interfaceProvide capabilities to the nodeVideo, h261, 25fpsAudio, 16kHz
50Nodes and Node Management Node Management UIAdd Service ManagersAdd ServicesConfigure ServicesStore/Load Configuration
51Nodes and Node Management Where AG1 Nodes consist of a collection of hardware in a single, static configuration, AG2 enables multiple configurations:One stream for a presentation (e.g. an instructor)Multiple streams for a group attending a presentation (e.g. a classroom)High-bandwidth/Low-bandwidth configurations
52Node/VenueClient/Venue interaction A users enter the Venue with the collected capabilities of his nodeIf the user has the capability of producing a media stream not present in the Venue, the Venue allocates a new streamStreams are present in the Venue as long as participants are providing that stream to the Venue; the addresses assigned for media transmission are allocated and freed dynamically
53Network ServicesUsers with incompatible capability sets could be in a venue together, but would be unable to interactThe Venue could resolve these incompatibilities with appropriate adapters, through Capabilities NegotiationVideo, h261 => Video, jpegAudio, 16kHz => Audio, 8kHzWe call these adapters “Network Services”
54Plans for the next Year OGSI and GT3 Multiple certificates / Graduated security / Authorization?? Graduated security == Roles??? AuthorizationBuilding communities with the AGTk (~VO)?? Community authorization server
55Plans for the next Year Venue Client Client-side datastore/Docking Subgroup communicationsAutomatic bridging
56Plans for the next Year Nodes Node Services Operator Panel Node advertisementNode Services? High-res Video? Stereo AudioDisplay Service supporting advanced layoutCamera Control ServiceOperator PanelConsolidate as much of the hands-on operational functionality of existing media tools in a single, compact interface
57Plans for the next year Venues and Venue Server Capabilities NegotiationVenue Server RegistryStream Selection