Three fundamental pillars
◦ Andrew File System (information distribution over a Wide Area Network)
◦ Platform® LSF (computing resources management for job submission)
◦ Kerberos 5 realm (authentication domain)
CRESCO HPC System
◦ 17.1 Tflop (HPL)
◦ 2720 Cores
◦ Fully integrated with ENEAGRID
Alessio Rocchi – Catania 2009.02.12
Extended GRID infrastructures are complex to maintain, administer and use
Pre-packaged applications are difficult to adapt to such a complex context
◦ Often they do not even exist!
Challenge: software tailored to the needs of the whole GRID system
◦ Integrated
◦ Usable
◦ Effective
Administrator-aware services
◦ AMACA
◦ ARCO
◦ WARC
User-aware services
◦ JobRama
◦ Ticketing System, Password changer, Grid Account request manager
Security for sensitive data and applications is guaranteed by a Unified Access API (UAA), implemented both in web server systems and stand-alone www-deployed software.
Unified Access API (UAA)
Administrator-aware services
◦ AMACA (AFS Memorize and Check Application)
◦ ARCO (AFS Remote Command Operator)
◦ WARC
User-aware services
◦ JobRama
◦ Ticketing System, Password changer, Grid Account request manager
Unified Access API (UAA) provides a tool to build www-services fully integrated with ENEA-GRID
K5: strong user authentication over the entire GRID realm ENEA.IT.
OpenAFS: provides meta-resources for authorization
◦ Access to every service (or feature) is granted on a user/group basis
◦ When required, services have root or AFS admin privileges
How?
◦ Inter Process Communication over HTTP with PAG shell
We need to be sure that every race condition on token acquisition is avoided
◦ Requests for login and PTS membership are sent, and results are compared with user-defined entries.
◦ If access is granted, an encrypted cookie is generated in order to store information
◦ PAG shell and PTS are AFS-specific features
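The access decision and cookie step described above, as an added example that is not UAA's own code: it parses constructed `pts membership` output, compares it with a hypothetical per-service ACL, and seals the result in an encrypted cookie. The function names, ACL layout, 15-minute expiry and the choice of libsodium's secretbox are assumptions; the Kerberos login and the PAG shell invocation are left out.

```php
<?php
// Added example, not UAA's code. All names, the ACL layout and the sample data are hypothetical.

// Extract group names from `pts membership <user>` output (one indented name per line).
function parse_pts_membership(string $out): array {
    $groups = [];
    foreach (preg_split('/\R/', $out) as $line) {
        // The "Groups <user> (id: N) is a member of:" header is not indented, so it is skipped.
        if (preg_match('/^\s+(\S+)\s*$/', $line, $m)) {
            $groups[] = $m[1];
        }
    }
    return $groups;
}

// Grant access when the user or any of the user's PTS groups is listed for the service.
function is_authorized(string $user, array $groups, array $acl): bool {
    return in_array($user, $acl['users'], true)
        || count(array_intersect($groups, $acl['groups'])) > 0;
}

// Encrypt and authenticate the session state (libsodium secretbox) for use as a cookie value.
function seal_cookie(array $session, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox(json_encode($session), $nonce, $key));
}

// Return the session, or null when the cookie is malformed, tampered with or expired.
function open_cookie(string $cookie, string $key, int $now): ?array {
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    $session = ($plain === false) ? null : json_decode($plain, true);
    return (is_array($session) && ($session['exp'] ?? 0) > $now) ? $session : null;
}

// Constructed sample: PTS output for a made-up user, and a per-service ACL.
$ptsOut = "Groups jdoe (id: 2041) is a member of:\n  gridadm:arco-operators\n  gridadm:users\n";
$acl = ['users' => ['opsadmin'], 'groups' => ['gridadm:arco-operators']];
$key = sodium_crypto_secretbox_keygen();
$groups = parse_pts_membership($ptsOut);
if (is_authorized('jdoe', $groups, $acl)) {
    $cookie = seal_cookie(['user' => 'jdoe', 'groups' => $groups, 'exp' => time() + 900], $key);
    var_dump(open_cookie($cookie, $key, time()));        // valid cookie
    var_dump(open_cookie($cookie, $key, time() + 3600)); // same cookie after expiry
}
```

Because secretbox authenticates as well as encrypts, a cookie whose group list has been altered on the client fails to open instead of granting wider access.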
Advantages
Security: No need to maintain and share many databases for accounting information. Let Kerberos do all the dirty work.
Maintainability: A single piece of software distributed over a wide application set is easy to maintain.
Granularity: Access validation over groups, not only users.
Limitations
◦ Available only on *nix systems (needs PAG shell)
◦ Needs PHP IPC (proc_open()) to be enabled for the site to protect
AFS administration effort is higher than the one needed to manage a standard POSIX filesystem
◦ Metadata/data are deployed over a WAN. It is important to keep track of what (and when!) is happening everywhere to everything
◦ No features like a historical database
◦ Consistency checks are important
AMACA: two-module application for batch and on-demand discovery of AFS core components status
Crawler stores unstructured data in a MySQL backend
◦ fine-grained data mining operations
Differentiation among subsequent crawler invocations is done by identifying every result set with a unique ID (snapshot)
Explorer implements business logic about data aggregation, visualization and alarm generation
◦ Historical analysis on file system variations
◦ Parameterized searching
AFS Remote Command Operator
Why?
◦ Visual execution of remote commands over large and sparse machine clusters
◦ Initially bound to Platform® LSF™ client and server management (daemon handling). Currently able to perform any operation on any machine.
How?
◦ Administrators register target machines and services, and establish associations among them (many-to-many relationship)
◦ History is maintained about who executes what
◦ Extended UAA for access validation and operation control
[Diagram labels: Machines registration, Services definition, Command execution, UAA, PTS Verification, MySQL; User I/O, DB transfers, Net transactions]
Web management of ENEA-GRID users and project areas for a WAN distributed AFS cell.
Integrated with K5 and OpenAFS
Can delegate administration privileges (both AFS and K5) to selected users
◦ Privileges can be restricted to a single site
◦ Limited administration rights can be granted to basic users when needed for project area administration.
◦ Utility developed in collaboration with ENEA by R. Nepi (CASPUR).
Unified Access API (UAA)
Administrator-aware
◦ AMACA
◦ ARCO
◦ WARC
User-aware
◦ JobRama
◦ Ticketing System, Password changer, Grid Account request manager
Web application providing visual and auto-updating monitoring of user jobs (only command line tools are available at the moment)
Currently fully interfaced with Platform® LSF™
◦ Engineered to be easily ported to other queue systems
Information about status, timing, output and system load is shown on a single web page
Increased flexibility and usability
◦ Plain and aggregate information can be selected on the basis of a user choice
Ticketing
◦ Based on Xoops/Xhelp CMS, conveniently patched in order to support UAA
Password changer
◦ Change user passwords in a visual way, without using the command line
◦ Implements expect-and-go mechanism over the web (libexpect)
◦ Users who get their password changed receive a confirmation by email (kpasswd can’t do it).
Account request manager
◦ Centralized account request form for ENEAGRID. Every account request forces a ticket submission in the helpdesk system
One GRID, One Service Pool: unification of services and service access!
Easier for administrators
◦ Tracking issues and deploying solutions over a geographically sparse grid system is less difficult
Easier for users
◦ They can benefit from visual tools to keep track of their work