MGRID Architecture Andy Adamson Center for Information Technology Integration University of Michigan, USA

MGRID Globus software provides secure PKI based cross realm scheduling of resources Historically used extensively in large scientific research projects – mainly to schedule CPU cycles and associated data Complicated software to install and manage Now being used to schedule and manage the network, scientific instruments, etc

MGRID Integrate existing University Grid efforts Add fine-grained authorization Use existing University security, group, and directory services Ease of use Create a generalized Grid service Provide production Grid services

Existing U of M Services Uniqname – Unique campus wide user name to UID Kerberos V5 (multiple cells) KX509 LDAP Directory and Group Services

MGRID Architecture Browser MGRID Portal Grid Resource Compute Cluster Grid Resource Network Reservation or Testing Data Movement

MGRID Architecture Secure access to resources The ease of user requirement => the Web Use existing University security service; Kerberos kx509 translates Kerberos credentials into X509 credentials understood by browsers and web servers

MGRID Architecture On workstation – kinit to obtain Kerberos credentials – kx509 to obtain user X509 credentials – libpkcs11 makes kx509 credentials available to the browser – SSL with required mutual authentication; both user and portal have X509 credentials

MGRID Portal Ease of use for U of M faculty, staff, and students – Kerberos + kx509 + browser = Grid access Hides complexity from user Creates user proxy kx509 credentials OR runs MyProxy to access X509 credentials issued by other institutions Single entry point for Grid resources

MGRID Portal Single point for PKI management – CA self-signed keys – CA policy files User presented with CHEF (soon to be SAKAI) portal environment – Gathers inputs, and runs the Globus client – Individual or Organizational presentation – Easily extensible

Fine Grained Authorization Policy based software Policy engine makes authorization decision – Input are matched against resource specific policy rules – Input attribute names are matched to policy attribute names by a string compare

Fine Grained Authorization Attributes include – User identity – Group membership – Resource request parameters: network bandwidth, number of CPU's, amount of file system space, etc – Environment parameters: time of day, CPU load, network utilization, etc

Authorization Implementation XACML – LDAP stores policy – Can utilize existing users & groups – Enables cross realm authorization by allowing injection of remote group names into policy rules WALDEN – Built on top of XACML – Replaces flat file access control at gatekeeper

MGRID Architecture mod ssl mod kx509 mod kct Apache Tomcat KCT GateKeeper Resource Grid Resource KCA kx509 kinit User Workstation KDC Kerberos V5 SSL – Client Certificate required GSI Kerberos SASL MGRID Portal Authorization Resource Mng SASL 8 WALDEN Authorization WALDEN libpkcs11 Browser mod php mod jk CHEF

SeRIF Secure Remote Invocation Framework – Packaging of an MGRID service We have extended a Globus service (GARA) to enable the scheduling of arbitrary programs via the Grid – local scheduler can initialize;run and stop;cleanup – job status and output redirection – fine grained authorization at resource

SeRIF Very easy to run an new executable via SeRIF – Add a new MGRID portal page to collect parameters – Add runtime and cleanup executable locations to configuration file on SeRIF Resource manager Currently used by NTAP – Can easily add network testing capabilities

MGRID Futures New SeRIF services – Configuration of Network QoS, Lamda paths – Scheduling of video conferences Meta Scheduling (MARS) – Choosing between available similar services – Scheduling multiple services such as CPU and Network QoS

MGRID Architecture Browser MGRID Portal Grid Resource Meta Scheduler (MARS) Compute Cluster Network Reservation or Testing Data Movement

MGRID Portal MGR ID Securi ty Sched uling Data & Resource s Questions?