
1 MGRID Architecture Andy Adamson Center for Information Technology Integration University of Michigan, USA

2 MGRID
Globus software provides secure, PKI-based, cross-realm scheduling of resources
Historically used extensively in large scientific research projects, mainly to schedule CPU cycles and the associated data
Complicated software to install and manage
Now being used to schedule and manage the network, scientific instruments, etc.

3 MGRID
Integrate existing University Grid efforts
Add fine-grained authorization
Use existing University security, group, and directory services
Ease of use
Create a generalized Grid service
Provide production Grid services

4 Existing U of M Services
Uniqname – unique campus-wide user name mapped to a UID
Kerberos V5 (multiple cells)
KX509
LDAP Directory and Group Services

5 MGRID Architecture
[Diagram: Browser -> MGRID Portal -> Grid Resources: Compute Cluster; Network Reservation or Testing; Data Movement]

6 MGRID Architecture
Secure access to resources
The ease-of-use requirement => the Web
Use the existing University security service, Kerberos; kx509 translates Kerberos credentials into X.509 credentials understood by browsers and web servers

7 MGRID Architecture
On the workstation
– kinit to obtain Kerberos credentials
– kx509 to obtain user X.509 credentials
– libpkcs11 makes the kx509 credentials available to the browser
https://www.mgrid.umich.edu/
– SSL with required mutual authentication; both user and portal present X.509 credentials

8 MGRID Portal
Ease of use for U of M faculty, staff, and students
– Kerberos + kx509 + browser = Grid access
Hides complexity from the user
Creates user proxy kx509 credentials, OR runs MyProxy to access X.509 credentials issued by other institutions
Single entry point for Grid resources

9 MGRID Portal
Single point for PKI management
– CA self-signed keys
– CA policy files
User presented with the CHEF (soon to be SAKAI) portal environment
– Gathers inputs, and runs the Globus client
– Individual or organizational presentation
– Easily extensible

10 Fine Grained Authorization
Policy-based software
Policy engine makes the authorization decision
– Inputs are matched against resource-specific policy rules
– Input attribute names are matched to policy attribute names by a string compare

11 Fine Grained Authorization
Attributes include
– User identity
– Group membership
– Resource request parameters: network bandwidth, number of CPUs, amount of file system space, etc.
– Environment parameters: time of day, CPU load, network utilization, etc.

12 Authorization Implementation
XACML
– LDAP stores the policy
– Can utilize existing users and groups
– Enables cross-realm authorization by allowing injection of remote group names into policy rules
WALDEN
– Built on top of XACML
– Replaces flat-file access control at the gatekeeper
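The policy engine described on slides 10 to 12, as an added worked example; this is not MGRID, XACML or WALDEN code. It shows resource-specific rules over the four attribute classes listed above (identity, group membership, request parameters, environment parameters), attribute names matched by an exact string compare, first-applicable rule with a default Deny, and remote groups injected into the policy as realm-qualified names. The attribute names, group names, realm names and thresholds are assumptions chosen for illustration.

```python
"""Attribute-based authorization in the style of the MGRID policy engine.
Added example, not MGRID, XACML or WALDEN code. Attribute and group names
are assumed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attr: str      # policy attribute name, looked up in the request by exact string compare
    op: str        # "eq", "member" (multi-valued attribute contains value), "le", "ge"
    value: object


@dataclass(frozen=True)
class Rule:
    resource: str
    conditions: tuple   # every condition must hold for the rule to apply
    effect: str = "Permit"


def condition_holds(cond, request):
    # A name that does not match exactly (e.g. "Group" vs "group") is simply
    # absent, so the condition fails and the rule never applies: fail closed.
    if cond.attr not in request:
        return False
    actual = request[cond.attr]
    if cond.op == "eq":
        return actual == cond.value
    if cond.op == "member":
        return cond.value in actual
    if cond.op == "le":
        return actual <= cond.value
    if cond.op == "ge":
        return actual >= cond.value
    raise ValueError(f"unknown operator {cond.op!r}")


def evaluate(policy, request):
    """Effect of the first applicable rule for the requested resource; Deny if none."""
    for rule in policy:
        if rule.resource == request.get("resource") and \
                all(condition_holds(c, request) for c in rule.conditions):
            return rule.effect
    return "Deny"


# Constructed policy for one compute cluster. Group names are qualified by the
# issuing realm, so a remote "physics" group injected into the policy cannot
# collide with a local group that happens to have the same short name.
COMPUTE_POLICY = (
    # Hard CPU cap: refused before any Permit rule is consulted.
    Rule("compute-cluster", (Condition("cpus", "ge", 65),), effect="Deny"),
    # Local campus users: up to 64 CPUs, working hours, cluster not saturated.
    Rule("compute-cluster", (
        Condition("group", "member", "umich.edu:mgrid-users"),
        Condition("cpus", "le", 64),
        Condition("hour", "ge", 8),
        Condition("hour", "le", 18),
        Condition("cpu_load", "le", 0.8),
    )),
    # Collaborators from a partner realm: a small slice, any time of day.
    Rule("compute-cluster", (
        Condition("group", "member", "partner.edu:physics"),
        Condition("cpus", "le", 8),
    )),
)


def decide(user, groups, resource, cpus, hour, cpu_load):
    """Assemble the request as a gatekeeper would and run it through the policy."""
    request = {
        "user": user,                  # identity from the user's X.509 / Kerberos principal
        "group": frozenset(groups),    # group memberships from LDAP, realm-qualified
        "resource": resource,
        "cpus": cpus,                  # resource request parameter
        "hour": hour,                  # environment parameters
        "cpu_load": cpu_load,
    }
    return evaluate(COMPUTE_POLICY, request)


if __name__ == "__main__":
    print(decide("alice", ["umich.edu:mgrid-users"], "compute-cluster", 32, 10, 0.5))  # Permit
    print(decide("bob", ["partner.edu:physics"], "compute-cluster", 16, 10, 0.1))      # Deny
    print(decide("mallory", ["physics"], "compute-cluster", 4, 10, 0.1))               # Deny
```

The practical consequence of the string-compare matching is that a mismatch between the attribute names a gatekeeper emits and the names a policy author wrote (case, prefix, namespace) does not grant anything by accident; it denies everything that depends on that attribute, which is the safe failure but also the first thing to check when a legitimate request is unexpectedly refused.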

13 MGRID Architecture
[Diagram, numbered flow 1–8]
User Workstation: kinit, kx509, libpkcs11, Browser
KDC: Kerberos V5
KCA (kx509 certificate authority)
MGRID Portal: Apache (mod_ssl, mod_kx509, mod_kct, mod_php, mod_jk), Tomcat, CHEF, WALDEN Authorization
KCT
GateKeeper: WALDEN Authorization, Resource Mng; Grid Resource
Links: Browser to Portal over SSL with client certificate required; Portal to GateKeeper over GSI; Kerberos; SASL

14 SeRIF
Secure Remote Invocation Framework
– Packaging of an MGRID service
We have extended a Globus service (GARA) to enable the scheduling of arbitrary programs via the Grid
– local scheduler can initialize; run and stop; cleanup
– job status and output redirection
– fine-grained authorization at the resource

15 SeRIF
Very easy to run a new executable via SeRIF
– Add a new MGRID portal page to collect parameters
– Add the runtime and cleanup executable locations to the configuration file on the SeRIF resource manager
Currently used by NTAP
– Can easily add network testing capabilities
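The SeRIF lifecycle from slides 14 and 15, as an added example; this is not SeRIF, GARA or Globus code. A small resource manager reads a configuration file that names the runtime and cleanup executables for each service, carries a job through initialize, run (with stop), and cleanup, tracks job status, and redirects the job's output to a log the portal could display. The point a practitioner wants to see is the trust boundary: the executable paths come only from the configuration, and the parameters collected on the portal page are passed as an argv list with no shell, so a hostile-looking parameter is a literal argument and nothing more. The service name, config format, script contents and parameter values are constructed for the example; the runtime and cleanup "executables" are Python scripts run through the interpreter so the example is portable, where a deployment would exec the configured binaries directly.

```python
"""SeRIF-style resource manager: initialize; run and stop; cleanup, with job
status and output redirection. Added example, not SeRIF/GARA/Globus code.
Service name, config format and the job scripts are constructed."""
import configparser
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass

# Constructed stand-ins for a service's runtime and cleanup executables.
RUNTIME_SRC = """import sys
print("network test started with", sys.argv[1:])
with open("scratch.dat", "w") as f:
    f.write("probe results")
print("done")
"""
CLEANUP_SRC = """import os
if os.path.exists("scratch.dat"):
    os.remove("scratch.dat")
"""


@dataclass
class Job:
    service: str
    params: list
    log_path: str
    status: str = "initialized"
    proc: subprocess.Popen = None
    log: object = None


class ResourceManager:
    def __init__(self, config_text, workdir):
        self.cfg = configparser.ConfigParser(interpolation=None)
        self.cfg.read_string(config_text)
        self.workdir = workdir
        self.jobs = {}

    def initialize(self, job_id, service, params):
        # Unknown service name: nothing is configured to run, so refuse early.
        if not self.cfg.has_section(service):
            raise KeyError(f"no configured service {service!r}")
        job = Job(service, [str(p) for p in params],
                  os.path.join(self.workdir, f"{job_id}.out"))
        self.jobs[job_id] = job
        return job.status

    def run(self, job_id):
        job = self.jobs[job_id]
        runtime = self.cfg[job.service]["runtime"]   # path from config, never from the request
        job.log = open(job.log_path, "wb")           # output redirection for the portal to show
        # argv list, no shell: a parameter such as "; rm -rf /" is one literal argument.
        job.proc = subprocess.Popen([sys.executable, runtime, *job.params],
                                    stdout=job.log, stderr=subprocess.STDOUT, cwd=self.workdir)
        job.status = "running"
        return job.status

    def wait(self, job_id, final=None):
        job = self.jobs[job_id]
        rc = job.proc.wait()
        job.log.close()
        job.status = final or ("finished" if rc == 0 else "failed")
        return job.status

    def stop(self, job_id):
        job = self.jobs[job_id]
        if job.proc.poll() is None:
            job.proc.terminate()
        return self.wait(job_id, "stopped")

    def status(self, job_id):
        job = self.jobs[job_id]
        if job.status == "running" and job.proc.poll() is not None:
            self.wait(job_id)
        return job.status

    def output(self, job_id):
        with open(self.jobs[job_id].log_path, "rb") as f:
            return f.read().decode()

    def cleanup(self, job_id):
        job = self.jobs[job_id]
        cleanup = self.cfg[job.service]["cleanup"]
        subprocess.run([sys.executable, cleanup, *job.params], check=True, cwd=self.workdir)
        job.status = "cleaned"
        return job.status


def demo():
    workdir = tempfile.mkdtemp(prefix="serif-")
    runtime = os.path.join(workdir, "nettest_run.py")
    cleanup = os.path.join(workdir, "nettest_cleanup.py")
    for path, src in ((runtime, RUNTIME_SRC), (cleanup, CLEANUP_SRC)):
        with open(path, "w") as f:
            f.write(src)
    # Constructed config: one section per SeRIF-scheduled program.
    config = f"[nettest]\nruntime = {runtime}\ncleanup = {cleanup}\n"
    rm = ResourceManager(config, workdir)
    rm.initialize("job1", "nettest", ["target=example.org", "; rm -rf /"])
    rm.run("job1")
    status = rm.wait("job1")
    scratch = os.path.join(workdir, "scratch.dat")
    result = {"status": status, "output": rm.output("job1"),
              "scratch_before_cleanup": os.path.exists(scratch)}
    result["cleanup_status"] = rm.cleanup("job1")
    result["scratch_after_cleanup"] = os.path.exists(scratch)
    return result


if __name__ == "__main__":
    print(demo())
```

Note that the fine-grained authorization slide 14 places at the resource is the step that would sit between initialize and run here, with the request's parameters (the CPU count, the bandwidth, the target) fed to the policy engine before anything is launched.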

16 MGRID Futures
New SeRIF services
– Configuration of network QoS, lambda paths
– Scheduling of video conferences
Meta Scheduling (MARS)
– Choosing between available similar services
– Scheduling multiple services such as CPU and network QoS

17 MGRID Architecture
[Diagram: Browser -> MGRID Portal -> Meta Scheduler (MARS) -> Grid Resources: Compute Cluster; Network Reservation or Testing; Data Movement]

18 MGRID Portal: Security, Scheduling, Data & Resources
Questions?