The IRISGrid Infrastructure Seamless Support for VOs JRES2005, - - PowerPoint PPT Presentation

the irisgrid infrastructure
SMART_READER_LITE
LIVE PREVIEW

The IRISGrid Infrastructure Seamless Support for VOs JRES2005, - - PowerPoint PPT Presentation

Mar 09, 2023 360 likes •660 views

The IRISGrid Infrastructure Seamless Support for VOs JRES2005, Marseille Virtual Organisations Why a support infrastructure Users own and require resources Shared Collective User User Resource User Resource Resource User

slide-1
SLIDE 1

JRES2005, Marseille

The IRISGrid Infrastructure

Seamless Support for VOs

slide-2
SLIDE 2

JRES2005, Marseille

Virtual Organisations

Why a support infrastructure

  • Users own and require resources
  • Shared
  • Collective

Resource Resource User User Resource User Resource Resource User User User Resource User User User User User Resource Resource

A infrastructure to support this activities

slide-3
SLIDE 3

JRES2005, Marseille

Virtual Organisations

  • A set of users
  • Working in a certain common area
  • Sharing similar needs
  • Data processing
  • Access to data sources
  • Interaction among them
  • Pursuing similar goals
  • Plug-and-play
  • A set of resources
  • Operated by specialized teams
  • Operated by users
  • Plug-and-be-played

Resource User Resource Resource User User User User Resource User Resource

slide-4
SLIDE 4

JRES2005, Marseille

The goals

  • Provide users with simple, ubiquitous and integrated access

to all kind of resources

  • What resources are we talking about
  • Network access
  • Computational resources
  • Distributed computations, supercomputers, specific libraries,...
  • Storage resources
  • Temporary/permanent, centralised/distributed,...
  • Information resources
  • E-libraries, searchers and metasearchers, subject gateways,...
  • Interactive resources
  • Video- and multi-conference, virtual desktops,...
slide-5
SLIDE 5

JRES2005, Marseille

A common support infrastructure

The IRISGrid case

  • The eduroam infrastructure
  • Seamless and ubiquitous network access
  • The IRISGrid Directory
  • VO management: Users, centers, resources, research areas
  • pkIRISGrid
  • Trust fabric connecting all components
  • aaIRISGrid
  • Facilitate identity management
  • Grid middleware and portal toolkits
  • The foundations for computational and storage sharing
  • Collaborative tools
  • From mailing lists to real-time systems
  • Holistic resource location
  • Based on a federated approach
slide-6
SLIDE 6

JRES2005, Marseille

eduroam

  • The inter-national roaming network access service
  • Based on a hierarchy of RADIUS servers
  • Institutional servers connect to root NREN servers
  • NREN servers are aggregated at the eduroam central server
  • Exploring new authentication possibilities through VOs

RADIUS server Institution B RADIUS server Institution A

Internet

Central RADIUS Proxy server Authenticator (AP or switch) User DB User DB Supplicant Guest

Student VLAN Guest VLAN Employee VLAN

slide-7
SLIDE 7

JRES2005, Marseille

eduroam: Reaching further

slide-8
SLIDE 8

JRES2005, Marseille

The IRISGrid Directory

Center Center Center

User User User User User User User User User User

VO VO

MDS MDS MDS

The IRISGrid Directory Area classification Monitoring and Discovery Service in the IRISGrid Globus Directory

slide-9
SLIDE 9

JRES2005, Marseille

The IRISGrid Directory

Schemas

  • Support for VOs: irisgridVo
  • Support for Centers and/or departments: irisgridOu
  • Support for users: irisgridUser
  • Support for the PKI objects: pkirisAuthority,

pkirisEndEntity, pkirisCertificate

  • Other iris-* schemas
  • irisPerson, irisInetEntity, copaObject,

papiUser,...

  • Extensions to the eduPerson schema
  • Standardization in process through SCHAC
  • At least in the inter-institutional aspects
  • Heavy use of the COPA coding schema to support navigation

and searching

slide-10
SLIDE 10

JRES2005, Marseille

The IRISGrid Directory

COPA coding schema

  • A coding schema to support (virtual) hierarchical access
  • Based in creating strings identifiers (URNs, for example) that

resemble the hierarchy of a given classification (or ontology)

  • Identifiers are added to data available for a certain element
  • Mappings between COPA identifiers and their semantics are kept

in a separate repository (directory branch, for example)

  • Simplifies searches and navigation
  • Decouples representation from the view offered at each moment
  • Several views can be offered in parallel
  • And hot-swap them
  • More on this at

http://www.rediris.es/ldap/copa/copa-intro.en.pdf

slide-11
SLIDE 11

JRES2005, Marseille

The IRISGrid Directory

A sample VO entry

COPA coding of the VO areas of research

slide-12
SLIDE 12

JRES2005, Marseille

The IRISGrid Directory

A sample center entry

VOs this center is participating in

slide-13
SLIDE 13

JRES2005, Marseille

The IRISGrid Directory

A sample user entry

VOs the user is member of Center the user belongs to

slide-14
SLIDE 14

JRES2005, Marseille

The pkIRISGrid

  • Highly distributed infrastructure
  • A central CA
  • As many RAs as required by participant organizations
  • In the process of EUGridPMA accreditation
  • Expected by next meeting (Vienna, January 2006)
  • Own-developed software
  • OpenSSL
  • LDAP as main data store
  • COPA to identify entities, authorities and requests
  • URNs to store all the states in the life of a certificate
  • urn:mace:rediris.es:irisgrid:pki:csr:state:20050304142236:signed:10e190a0c7608...2d425e6af7
  • XML/LDIF to exchange data between CA and RAs/Aux
  • PHP and Perl to implement the RAs and CA
  • PAPI for identity management
slide-15
SLIDE 15

JRES2005, Marseille

The pkIRISGRid

Functional structure

  • Request certs (CSR)

Select an unique IRISGrid identifer (igID)

  • Revocation request (CRR)

RAs, Entities, CSRs, Certs, CRRs, CRLs, ...

  • Approved CSRs
  • Revocation request
  • Notify certificate/revoked

cert availability

  • Validate entity CSRs
  • Verify identity
  • Validate attributes
  • Validate unique igID (auto)
  • Export approved CSRs
  • Revocation request
  • Issue certs
  • Revoke certs
  • Generate CRLs
  • Publish certificates
  • Publish CRLs
  • Certificate
  • CRLs
  • Download certs
  • Download CRLs

Aux RA RA RA USR

  • No network

adapter

  • Stored in vault

XML LDIF

slide-16
SLIDE 16

JRES2005, Marseille

pkIRISGrid

COPA- and LDAP-based storage

RA 1 E 1 E 2 E N Cert 1 Cert 2 Cert N RA 3 E 1 E 105 E 2 Cert 1 Cert 2 pkIRISGrid LDAP tree

Entities data Cert/CSR data RAs data a b c

a3 identifies RA 3 a3b105 identifies RA 3, entity 105 a3b105c1 identifies RA 3, entity 105, and certificate/CSR 1

... ... ... ... a3b105c1 a3 a3b105

slide-17
SLIDE 17

JRES2005, Marseille

aaIRISGrid

  • The authentication and authorization infrastructure supporting
  • Access to resources
  • Certificate management
  • Single sign-on across applications and services
  • Not a substitute for the PKI
  • Based upon it
  • Enhances usability
  • Simplifies administration
  • Based on the PAPI technology (http://papi.rediris.es/)
  • Evolving in the framework of the eduGAIN infrastructure
  • Including full SSO
  • And the results of GridShib
slide-18
SLIDE 18

JRES2005, Marseille

eduGAIN Architecture

slide-19
SLIDE 19

JRES2005, Marseille

Computational and storage sharing

  • 35 participant organizations
  • And a NoE for coordinating middleware activities
  • Core middleware is Globus Toolkit 2.4
  • Plus specific add-ons for network monitoring and ranking
  • Front-end based on GridWay (http://www.gridway.org/)
  • Support for the submit-and-forget paradigm
  • In the process of migrating to GT 4
  • Already supported by GridWay
  • Better support for integration with other services
  • Exploring federation of infrastructures
slide-20
SLIDE 20

JRES2005, Marseille

Geographical distribution

  • USC
  • UDC
  • CESGA
  • UniCan
  • IFCA
  • PIC
  • IFAE
  • UAB
  • CEPBA
  • UPC

ESCA

  • UV
  • IFIC
  • UPV
  • RedIRIS
  • UAM
  • UCM
  • CIEMAT
  • CNB
  • CAB
  • INTA
  • UCIIIM
  • URJES

A

  • UM
  • IAA
  • UIB
  • IMEDEA
  • IAC
  • CIC
  • USAL
  • UniOvi
  • UGR
  • UAL
  • UMA
  • EHU
slide-21
SLIDE 21

JRES2005, Marseille

Collaborative tools

The good old mailing lists

  • Essential for basic interactions
  • General coordination lists
  • Participants, support staff, middleware staff,...
  • General areas: HEP, biotech, astro-sciences,...
  • Owned by the IRISGrid admins
  • A specific list per VO
  • Connected to the general areas the VO is classified in
  • Owned by the VO managers
  • Based on listserv
  • The current mailing list software at RedIRIS
  • Migration to Sympa has been started
  • Better integration with the supporting infrastructure
slide-22
SLIDE 22

JRES2005, Marseille

Collaborative tools

Presence and instant messaging

  • Informal and direct interaction
  • Both P2P and collective
  • Automatic roster initialization
  • People in the VO(s) a user is included
  • Loose control
  • Direct management of contacts
  • Free creation and management of chat rooms
  • Based on Jabber
  • Hosted at the RedIRIS server
  • Experiments with a server mesh
  • Experimenting with the integration of real-time
  • aaIRISGrid-enabled Wiki
slide-23
SLIDE 23

JRES2005, Marseille

Collaborative tools

Real-time interactions

  • Few Access Grid rooms
  • ROI perception by institutional responsibles
  • Well-established network of H.323 conference rooms
  • Public directory available for users
  • GDS in operation and expanding
  • Specific RedIRIS community in VRVS
  • Four reflectors in Spain (2 at the RedIRIS premises)
  • ~1500 registered users, ~800 reserved hours per month
  • Training activities
  • Good contact with the VRVS developers
  • Exploring incorporation of AAI technologies
  • Evaluating SIP.edu
slide-24
SLIDE 24

JRES2005, Marseille

The RedIRIS VRVS community

slide-25
SLIDE 25

JRES2005, Marseille

Resource location

  • In the broad sense we have been using so far
  • From a cluster to a set of related papers
  • Common directories are the usual answer to this
  • But they face data partition
  • Formats, protocols, security (and privacy) considerations
  • The result is the continuous re-building of central repositories
  • f data
  • Almost automatically outdated with respect to their once local

sources

  • The federated model comes into play once again
  • Accessing or collecting data from them using a trusted link
  • Maintaining total autonomy for the federated repository
  • Policies, methods, interfaces
  • Offering a common (possibly particular) view of information
slide-26
SLIDE 26

JRES2005, Marseille

The Searchy architecture

  • Each source incorporates an agent, available through a

SOAP interface

  • Uses RDF as internal representation
  • Agents for LDAP, SQL, Harvest, the Google API, and

Searchy itself

slide-27
SLIDE 27

JRES2005, Marseille

Web interfaces

  • Navigation and management of the IRISGrid Directory
  • Navigation and searching by research areas
  • UNESCO Thesaurus, CATRE, e-Ciencia
  • VOs related to a certain area
  • Users participating in an VO
  • Collaborative resources available to a VO
  • mapfile generation
  • Centres related to VOs
  • Navigation through the computational resources (MDS)
  • pkIRISGrid
  • Users
  • RA operators
slide-28
SLIDE 28

JRES2005, Marseille

As conclusion

  • The IRISGrid infrastructure tries to combine classical Grid and

classical NREN services

  • Leverage network services with the VO concept
  • Expand VO services beyond computation and storage
  • The main goal is double
  • Simplify resource access: plug-and-play
  • Simplify resource offering: plug-and-be-played
  • A long process
  • In its initial steps
  • Promising results
  • And a lot of work ahead