Accessing Cloud Systems from WS-PGRADE/gUSE

SCI-BUS is supported by the FP7 Capacities Programme under contract nr RI-283481

Accessing Cloud Systems from WS-PGRADE/gUSE

Zoltán FarkasMTA SZTAKI LPDS

zoltan.farkas@sztaki.mta.hu

Outline• Aim of this presentation• Generic portal administrator tasks• Generic initial user tasks• SaaS execution mode:

– Portal administrator tasks– Workflow node configuration

• IaaS execution mode:– Portal administrator tasks– Workflow node configuration

• Generic user tasks (workflow cost estimate, submission, cost display)• Security aspects, using robot certificates

Aim

• To show what are the necessary setup tasks on the portal side to cloud-enable a portal

• To show how the extension can be used• To introduce the security aspects of using

clouds in the portal

Covered portal user roles

• Portal administrator– The one who is able to configure the portal

services• Workflow developer

– The one who is able to create and run workflows• End user

– The one who is able to use existing workflows

Generic portal admin tasks I.

• Through the DCI Bridge Admin interface: http://foo.bar:8080/dci_bridge_service/conf

Generic portal admin tasks II.

• Settings:– Enable plugin: set to „Enabled”– Number of threads: the plugin will manage at

most so many jobs in parallel– Number of resubmissions: the plugin will resubmit

a failed job at most so many times• Leave other settings unchanged

Generic portal admin tasks III.

• Add access to CloudBroker Platform service– Name: users will see the resource using this name– URL: URL of the CBP service– Own executable: see IaaS execution mode later

Status

• The portal administrator has enabled the CloudBroker plugin in the DCI Bridge, and all the CloudBroker services that users would like to use have been added

• These are set by default: CB plugin is enabled, Public and SCI-BUS CB services are added

Generic initial user tasks

• If one would like to configure CBP jobs, proper CBP user credentials have to be set

• Make use of the Security / CloudBroker portlet

Saas and IaaS execution modes

IaaS model SaaS model

Enables users to run their own executables Yes No

What has to be pre-deployed in the virtual machine image

A single wrapper application Every application that users would like to use

What has to be configured in the CloudBroker Platform

Only the wrapper application Applications for the different application

Level of security Low: user can run anything High: users can run only pre-registered, tested apps

Ease of use (user’s perspective) Easy: very similar to existing WS-PGRADE/gUSE interface

Easy: user simply selects from the pre-defined Software

Ease of use (portal administrator’s perspective)

Easy: only two additional properties have to be set

Very easy: no need to set additional properties

Ease of use (CloudBroker administrator’s perspective)

Easy: only one application has to be configured for each cloud resource

Hard: a number of applications have to be configured

Easy of use (cloud administrator’s perspective)

Easy: only one VM image has to be deployed Hard: either a number of VM images have to be deployed or one VM image must be updated a number of times.

SaaS execution – Overview

• Enables portal users to run applications registered in the selected CBP service (for example AutoDock 1.0 Software and ad_worker.sh Executable)

• Thus, no executable, only input files have to be provided by the portal user

SaaS execution „architecutre”

SaaS – Portal admin tasks

• Nothing special• Only the generic portal admin tasks have to be

performed (configure CBP service access in DCI Bridge)

SaaS – Workflow node configuration

• Set „Type” to „cloudbroker”, and „Name” to the CBP service to be used

• Afterwards, select Software, Executable, Resource, Region and Instance type for your job

• A cost estimate is displayed as well

SaaS – Data cost estimate

• Depending on the selected resource, the data fee is displayed as well

IaaS execution - Overview

• Enables to run executables uploaded by the user• A specially prepared wrapper application has to be

registered in the target CBP service (see Wrapper 1.0)

• This wrapper application must be configured the DCI Bridge plugin instance

• The portal will upload the user-provided executable as an input called „execute.bin” to the CloudBroker job, which will be started by the wrapper application

IaaS execution „architecture”

IaaS – Portal admin tasks

• The Software and Executable in the CBP enabling IaaS execution should be defined in the DCI Bridge

• Following Day 2’s hands-on these are:– Software: „Wrapper XY 1.0”– Executable: „Wrapper XY 1.0 guse_wrapper.sh”

IaaS – Workflow node configuration

• Set „Type” to „cloudbroker”, and „Name” to the CBP service to be used

• Click „Enable own executable”• Afterwards, select Software, Executable, Resource, Region and

Instance type for your job• A cost estimate is displayed as well (note: no cost is assigned

to using the Resource below)

IaaS – Data cost estimate

• Depending on the selected resource, the data fee is displayed as well (note: no cost is assigned to using the Storage below)

Generic user tasks – Workflow cost estimate

• Once the workflow is fully configured, estimated cost can be calculated on-demand

• Simply click „Refresh” below the WF graph

Generic user tasks – Workflow submission

• Once the workflow is ready, click „Submit” to submit a workflow instance

• After the workflow has been submitted, you can check its progress as usual

Generic user tasks – Workflow cost display

• Cost of individual jobs can be checked

• Overall workflow cost can be checked as well

Security aspects• CloudBroker entity (Resource, Software) visibility:

– Private: only the user who defined the entity + admins can use it

– Protected: users of the organization where the defining user belongs to + admins can use it

– Public: every user of the CloudBroker Platform service can use it

• Robot certificates:– Can be assigned to CloudBroker jobs– Take care (EGI VO Portal Policy):

• Enable only for the SaaS model, or• Enable for IaaS model, but do not allow the users to upload their

executables