Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks R-GMA Now With Added Authorization Steve.

Published byIrene McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks R-GMA Now With Added Authorization Steve."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks R-GMA Now With Added Authorization Steve Fisher on behalf of the R-GMA team 3 rd EGEE Users Forum Le Polydôme, Clermont-Ferrand, France

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 2 What it is New Design –Engineered for robustness and scalability New Features –Orthogonality of producer type and of storage mechanism –Fine grained authorization –Multiple virtual databases Status Summary Overview

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 3 R-GMA – what it is R-GMA is a distributed system for information and monitoring (following OGF’s GMA) Users define their own data structures along with the fine grained authorization rules specifying who can write and read the data Users publish data via a producer API without knowledge of potential consumers A consumer API is used to retrieve the permitted view of information published by the producers Producer Registry & Schema Consumer Register/ Locate Register/ Locate Query Data

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 4 New Design New design was motivated by: –Problems seen in production –Need to add new features

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 5 New Design: Real SPs Primary – source of data Secondary – republish data –Co-locate information to speed up queries –Reduce network traffic SP is no longer constructed from a PP and multiple consumers but is a self-contained service – so now much more efficient Local calls on a MON box do not go through https returning XML then parsing it PP SP PP – Primary Producer SP – Secondary Producer

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 6 New Design: Managing Memory Usage May share servlet container (Tomcat) with other servlets JVM may be badly configured Use JDK 5’s MXBeans to detect the low memory condition –Solution should be portable across JVMs When memory is low an RGMABusyException is returned for user calls that may take extra memory –Inserting data into the system –Creating new producer or consumer resources

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 7 New Design: Control Messages For a producer a register message returns the consumers of interest and vice versa. Registration messages are re- sent periodically Reliance on the delivery of individual control messages has been removed Messages to other servers are wrapped in a task handled by our new Task Manager New messages supersede old ones –No build-up of queues Autonomy of services

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 8 New Design: Schema and Registry Replication Schema –Each server has full schema information –There is a master schema and all updates are first done on the master –Failure of the master would prevent schema updates but would have no impact upon producers or consumers Registry –We anticipate 2 or 3 registry instances –Server chooses registry instance to use based on response time –Server makes a new choice if existing instance does not respond

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 9 New Features Orthogonality of producer type and of storage mechanism Fine grained authorization Multiple virtual databases

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 10 New Features: Orthogonality of producer type and of storage mechanism Previously: –Memory  Continuous –Database  Latest or History Now: –Memory  Any combination of Continuous Latest and History –Database  Any combination of Continuous Latest and History

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 11 New Features: Fine Grained Authorization Users can define their own fine grained authorization rules specifying who can write and read the data in each table element Rules stored in the schema – and can only be modified by the person creating and therefore owning the table Authorization is done using SQL views of tables constructed dynamically from: –User defined rules –VOMS attributes

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 12 New Features: Fine Grained Authorization Rules are added to grant access only (not to deny it) and they are cumulative - default is no access Rules have the form “predicate : credentials : action” –The predicate defines the subset of rows of the table or view to which this rule grants access –The credentials define the set of credentials required for a user to be granted access to the subset of rows defined by this rule –The action defines what any matching user is allowed to do to the subset of rows defined by this rule (R, W or RW) –For example:  ::RW grants full access to any authenticated user, to all rows in the specified table

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 13 Authorization Rules - Predicate Predicate is an SQL WHERE clause comparing the values in specified columns with constants, other columns or credential parameters (credential name in square brackets, such as [DN]) that are replaced by the corresponding credentials from the user’s certificate This clause may be empty, in which case the rule applies to all rows in the table For example: –WHERE Owner = [DN] Selects rows where the “Owner” column matches the DN on the certificate

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 14 Authorization Rules - Credentials Credentials is a boolean combination of equality constraints of the form [credential] = constant May be empty, in which case the rule applies to all authenticated users For example: –[GROUP] = ’Marketing’ OR [GROUP] = ’Management’ states to which VOMS groups the rule applies

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 15 Authorization Examples WHERE Section = ’Marketing’:[GROUP] = ’Marketing’ OR [GROUP] = ’Management’:RW Grants read-write access to any authenticated user with a GROUP credential of ’Marketing’ or ’Management’, to those rows that contain the value ’Marketing’ in the ’Section’ column WHERE Owner = [DN]::R Grants read-only access to any authenticated user, to those rows that contain the value of their DN credential in the ’Owner’ column WHERE Group = [GROUP] OR Public = ’true’::R Grants read-only access to any authenticated user, to those rows that contains one of their GROUP credential values in the ’Group’ column, or have a value of ’true’ in the ’Public’ column ::R Grants read-only access to any authenticated user, to all rows in the table

16 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 16 New Features: Virtual Databases One R-GMA schema for the whole world is not scalable Introduce VDB as a namespace mechanism We expect that a VO will define one or more VDBs –Will phase out the “default” VDB Each VDB will have: –Several registry replicas –A schema replica at each site supporting that VDB –One schema defined as the master schema for each VDB

17 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 17 Publishing to Multiple VDBs When data are inserted into a producer, the data are published into a specific VDB It is possible for a producer service to publish to more than one VDB Virtual Database 1 declare VDB2.T1 Producer Registry Schema declare VDB1.T2 Producer declare VDB1.T1 declare VDB2.T1 declare VDB2.T3 Virtual Database 2 Registry Schema

18 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 18 Querying Multiple VDBs Queries may be evaluated over several VDBs Normal SQL syntax of a database prefix before the table name is used to specify the VDB SQL joins across tables in multiple VDBs are supported A special union syntax has been defined: "SELECT * FROM {VDB1,VDB2}.T" to indicate that the query should be evaluated over the union of the tuples from table T in VDB1 and VDB2 –It requires that the tables T from the two VDBs are identical from {VDB1,VDB2}.T1 Virtual Database 1 Registry Schema Virtual Database 2 Registry Schema find producers for T1 Consumer find producers for T1

19 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 19 Status All components written and a lot of testing has already been done More testing being done Expected to be offered to certification around end of the month This will give us a highly reliable, functional and scalable R-GMA

20 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 R-GMA: Now with added authorization 20 Summary From the existing deployment we learned: –Firewalls do get reconfigured –Users do the most unexpected things New design: –We have tried to think of everything that can go wrong –Made the system self correcting and avoided critical messages –Have introduced the task manager –Have provided schema and registry replication New Features: –Multiple virtual databases (VDBs) to partition the data –Users can define their own fine grained authorization With thanks to:

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks R-GMA Now With Added Authorization Steve."

Similar presentations

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org Information and Monitoring Status and Plans GridPP18, Glasgow, 20-21 Mar 2007.

INFSO-RI Enabling Grids for E-sciencE Information and Monitoring Status and Plans GridPP18, Glasgow, Mar 2007.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org Building a robust distributed system: some lessons from R-GMA CHEP-07, Victoria,

INFSO-RI Enabling Grids for E-sciencE Building a robust distributed system: some lessons from R-GMA CHEP-07, Victoria,
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org Information and Monitoring Status and Plans GridPP16, QMUL, 29 Jun 2006 Steve.

INFSO-RI Enabling Grids for E-sciencE Information and Monitoring Status and Plans GridPP16, QMUL, 29 Jun 2006 Steve.
Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification.

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification.
ISOM Distributed Databases Arijit Sengupta. ISOM Learning Objectives Understand the concept and necessity of distributed databases Understand the types.

ISOM Distributed Databases Arijit Sengupta. ISOM Learning Objectives Understand the concept and necessity of distributed databases Understand the types.
Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification.

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification.
Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.

Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.
Database Systems More SQL Database Design -- More SQL1.

Database Systems More SQL Database Design -- More SQL1.
Distributed Databases

Distributed Databases
Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.

Service Broker Lesson 11. Skills Matrix Service Broker Service Broker, provides a solution to common problems with message delivery and consistency that.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org Introduction to R-GMA: Relational Grid Monitoring Architecture.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Introduction to R-GMA: Relational Grid Monitoring Architecture.
CSE314 Database Systems More SQL: Complex Queries, Triggers, Views, and Schema Modification Doç. Dr. Mehmet Göktürk src: Elmasri & Navanthe 6E Pearson.

CSE314 Database Systems More SQL: Complex Queries, Triggers, Views, and Schema Modification Doç. Dr. Mehmet Göktürk src: Elmasri & Navanthe 6E Pearson.
Introduction on R-GMA Shi Jingyan Computing Center IHEP.

Introduction on R-GMA Shi Jingyan Computing Center IHEP.
DBSQL 14-1 Copyright © Genetic Computer School 2009 Chapter 14 Microsoft SQL Server.

DBSQL 14-1 Copyright © Genetic Computer School 2009 Chapter 14 Microsoft SQL Server.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America Information System (IS) Valeria Ardizzone.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Information System (IS) Valeria Ardizzone.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Information System on gLite middleware Vincent.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Information System on gLite middleware Vincent.
Application code Registry 1 Alignment of R-GMA with developments in the Open Grid Services Architecture (OGSA) is advancing. The existing Servlets and.

Application code Registry 1 Alignment of R-GMA with developments in the Open Grid Services Architecture (OGSA) is advancing. The existing Servlets and.
EGEE is a project funded by the European Union under contract IST-2003-508833 Outstanding design issues Stephen Hicks 23/06/04 www.eu-egee.org.

EGEE is a project funded by the European Union under contract IST Outstanding design issues Stephen Hicks 23/06/04

Similar presentations

Ads by Google