Presentation is loading. Please wait.

Presentation is loading. Please wait.

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

Published byEmerald Haynes Modified over 8 years ago

Similar presentations

Presentation on theme: "TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,"— Presentation transcript:

1 http://www.teragrid.org/programs/sci_gateways/ TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch², Tom Scavo², Terry Fleury², and Nancy Wilkins-Diehr³ ¹Pittsburgh Supercomputing Center, ²National Center for Supercomputing Applications, and ³San Diego Supercomputer Center

2 http://www.teragrid.org/programs/sci_gateways/ Outline  TeraGrid Science Gateways Provide a community interface to the TeraGrid  Community Shell Provides control over actions in community accounts  Community User Attributes Provide information for accounting and incident response

3 http://www.teragrid.org/programs/sci_gateways/ TeraGrid Science Gateways

4 TeraGrid  NSF-funded facility to offer high end compute, data and visualization resources to the nation’s academic researchers http://www.teragrid.org/programs/sci_gateways/

5 TeraGrid Science Gateways  Enable communities with a common scientific goal to use national resources through a common interface  Enable TeraGrid to scale to larger numbers of users than its current accounting mechanisms can handle http://www.teragrid.org/programs/sci_gateways/

6 Typical Science Gateway Web Authn Resource Provider WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account A science gateway is a convenient intermediary between a browser user and a grid resource provider. Science Gateway

7 http://www.teragrid.org/programs/sci_gateways/ Typical Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account Each gateway is issued a community credential that uniquely identifies the gateway.

8 http://www.teragrid.org/programs/sci_gateways/ Typical Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account Resource providers associate the community credential with a local community account.

9 http://www.teragrid.org/programs/sci_gateways/ Typical Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.

10 http://www.teragrid.org/programs/sci_gateways/ Typical Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service Java WS Container Webapp Web Interface Web Browser community credential Key community account The gateway then issues a short-lived proxy credential signed by its community credential. proxy credential Key

11 http://www.teragrid.org/programs/sci_gateways/ Typical Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Interface Web Browser community credential Key community account The gateway submits the job on the user’s behalf, authenticating as itself to the resource.

12 http://www.teragrid.org/programs/sci_gateways/ Typical Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Interface Web Browser community credential Key community account The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.

13 http://www.teragrid.org/programs/sci_gateways/ Typical Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Browser community credential Key community account After the job is executed, the result is returned to the browser user via the gateway web interface. Web Interface

14 http://www.teragrid.org/programs/sci_gateways/ Community Shell

15 Community Shell: Motivation  Many TeraGrid Science Gateways use community accounts, a form of shared account  Shared accounts are a potential weak point in resource security  Increased risk of attack  Greater degree of anonymity  Science Gateways typically use community accounts in predictable ways  Small set of applications http://www.teragrid.org/programs/sci_gateways/

16 Community Shell: Implementation  Community Shell software is configured as the system shell and enabled in Globus GRAM  System administrator sets community shell policy  Can allow applications from a trusted directory  Can limit to specific commands (regular expression)  Gateway developer provides applications that run in the community account http://www.teragrid.org/programs/sci_gateways/

17 Community Shell Configuration at PSC  Community Account uses “scratch” space for input/output  $HOME/.commshrc determines access  Community Account no longer owns the home directory, but can write to it  Job Scripts are in home directory, but are owned by the group developers, only readable and executable by gateway account. http://www.teragrid.org/programs/sci_gateways/

18 Science Gateway Process Science Gateway Developers Account Science Gateway Community Account Gateway Application WS GRAM Service Scratch File Space Science Gateway Development team creates application and tests it in the “normal” environment Resource Provider’s Infrastructure http://www.teragrid.org/programs/sci_gateways/

19 Science Gateway Process Science Gateway Developers Account Science Gateway Community Account The application is placed into the Community Shell Restricted Account Gateway Application WS GRAM Service Scratch File Space Resource Provider’s Infrastructure http://www.teragrid.org/programs/sci_gateways/

20 Science Gatways at PSC  Nanohub - Lemieux and BigBen  GridChem - Pople http://www.teragrid.org/programs/sci_gateways/

21 Community User Attributes

22 http://www.teragrid.org/programs/sci_gateways/ Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Interface Web Browser community credential Key community account So what’s wrong with this science gateway scenario ?

23 http://www.teragrid.org/programs/sci_gateways/ Science Gateway Web Authn Resource ProviderScience Gateway WS GRAM Client WS GRAM Service proxy credential proxy certificate Key Java WS Container Webapp Web Interface Web Browser community credential Key community account All requests look exactly the same to the resource provider ! jsmith commacct mjones

24 http://www.teragrid.org/programs/sci_gateways/ Resource Providers need gateway user information for accounting and incident response.

25 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Resource ProviderScience Gateway community credential Key Java WS Container (with GridShib for GT) Web Browser An enhancement to the community account model increases the information flow between the gateway and the resource provider. Web Authn WS GRAM Service Webapp WS GRAM Client Web Interface GridShib SAML Tools attributes username GridShib for GT

26 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username Two new GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.

27 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Browser username Again the browser user authenticates to the gateway by presenting a username and password. Web Interface

28 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential Key This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token. SAML

29 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT GridShib SAML Tools community credential Key WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential SAML Key X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: 1.3.6.1.4.1.3536.1.1.1.12: trscavo Key The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail).

30 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT GridShib SAML Tools community credential Key proxy certificate SAML WS GRAM Service Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential SAML Key The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.

31 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Webapp attributes Web Interface Web Browser username proxy credential SAML Key GridShib for GT extracts the SAML token from the proxy certificate and writes the information to a log file. Security Context

32 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes Web Interface Web Browser username proxy credential SAML Key Blacklist Policy GridShib for GT compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.

33 http://www.teragrid.org/programs/sci_gateways/ Grid Authorization Model for Gateways Web Authn Resource ProviderScience Gateway WS GRAM Client GridShib for GT proxy certificate GridShib SAML Tools community credential Key SAML WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Webapp attributes Web Browser username proxy credential SAML Key Blacklist Policy As before, after the service executes the job, the result is returned to the browser user via the gateway web interface. Web Interface

34 http://www.teragrid.org/programs/sci_gateways/ GridShib for GT WS GRAM Service Logs Java WS Container (with GridShib for GT) Security Context Blacklist Policy Integration with TeraGrid Central Database Resource Provider The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource. Security table GRAM audit table TGCDB AMIE upload Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.

35 http://www.teragrid.org/programs/sci_gateways/ Conclusion  Science Gateways provide a community interface to the TeraGrid  Community shell provides control over actions in community accounts used by Science Gateways  Community user attributes provide information for accounting and incident response

36 For More Information  Science Gateways http://www.teragrid.org/programs/sci_gateways/  Community Shell http://www.teragridforum.org/mediawiki/index.php?title= Community_Shell  Science Gateway User Attributes http://www.teragridforum.org/mediawiki/index.php?title= Science_Gateway_User_Attributes http://www.teragrid.org/programs/sci_gateways/

37 Acknowledgments  This material is based upon work supported by the United States National Science Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. Thank You!

Download ppt "TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (http://lead.ou.edu)

LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
MTA SZTAKI Hungarian Academy of Sciences Grid Computing Course Porto, 22-24 January 2007. Introduction to Grid portals Gergely Sipos

MTA SZTAKI Hungarian Academy of Sciences Grid Computing Course Porto, January Introduction to Grid portals Gergely Sipos
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Slides for Grid Computing: Techniques and Applications by Barry Wilkinson, Chapman & Hall/CRC press, © 2009. Chapter 1, pp 19-28. For educational use only.

Slides for Grid Computing: Techniques and Applications by Barry Wilkinson, Chapman & Hall/CRC press, © Chapter 1, pp For educational use only.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Similar presentations

Ads by Google