GAMA: Grid Account Management Architecture

1
GAMA Grid Account Management Architecture

• Kurt Mueller
• Grid Middleware Development Group
• San Diego Supercomputer Center
• University of California, San Diego

2
GAMA 1 in a nutshell

• A system for creating and managing Grid accounts
  for portal and application users
• Provides dedicated server installation consisting
  of Grid software (CACL, MyProxy, CAS) wrapped in
  web services
• Provides management portlets for easy integration
  into GridSphere portal framework
• User account request form
• Administrative account management console
• User login through GAMA - retrieves GSI credential

3
GAMA 1 architecture
gama
create user
DB
gridportlets
GridSphere
import user
AXIS Web Services wrapper
retrieve credential
Servlet container
Java keystore
Portal server 1
retrieve credential
Portal server 2
Servlet container
Java keystore
GAMA server
Stand-alone applications
4
GAMA 1 ideal environment

• New portal/Grid project
• No existing users/credentials
• Single administrator
• Globus Grid
• GridSphere portal
• Authorization through grid-mapfile

5
GAMA 1 weaknesses

• Hard to incorporate existing user accounts and
  Grid credentials
• Hard to use existing infrastructure
• MyProxy server
• Other CA packages
• Hard to expand core GAMA functions
• SRB account creation
• Authorization - CAS not so useful?
• Unix accounts
• grid-mapfile updates

6
Back to the drawing board
7
GAMA 2 features

• Implementation agnostic
• Extensible through a plug-in architecture
• Workflow system for multi-step operations
• Supports VOs with many sites and independent site
  administrators
• Provides cluster account management

8
Implementation agnostic

• No explicit reliance on MyProxy, CACL, CAS.
  Accomplished through a plug-in architecture on
  GAMA server use whatever CA you want, whatever
  credential storage, whatever authorization
  service, etc.
• GAMA 2 includes CACL, Naregi and MyProxy plugins
  out of the box
• May also include SRB account management, and
  other plugins

9
Extensible

• GAMA admin can write task plugins to accomplish
  novel tasks
• Interface with existing infrastructure
  (authentication/authorization mechanisms,
  databases, CA packages, etc.)
• Manage Unix / Windows / physical accounts
• etc.

10
Extensible

• All GAMA tasks extend GAMATask class
• abstract public class GAMATask
• abstract public void doTask() throws
  GAMATaskException
• abstract public void rollbackTask() throws
  GAMATaskRollbackException

11
Extensible - MyProxyAuthNTask.xml

• lttask-defgt
• lttask-paramgt
• ltparam-namegtusernamelt/param-namegt
• ltparam-classgtjava.lang.Stringlt/param-class
  gt
• ltparam-requiredgttruelt/param-requiredgt
• lt/task-paramgt
• lttask-paramgt
• ltparam-namegtpasswordlt/param-namegt
• ltparam-classgtjava.lang.Stringlt/param-class
  gt
• ltparam-requiredgttruelt/param-requiredgt
• ltparam-nopersistgttruelt/param-nopersistgt
• lt/task-paramgt
• lttask-outputgt
• ltoutput-namegtcredentialobjectlt/output-name
  gt
• ltoutput-classgtorg.globus.gsi.GlobusCredent
  iallt/output-classgt
• lt/task-outputgt
• lttask-outputgt
• ltoutput-namegtcredentialstringlt/output-name
  gt

12
Extensible - MyProxyAuthNTask.java

• public class MyProxyAuthNTask extends GAMATask
• public void doTask() throws GAMATaskException
• String username (String)
• getParamObjectByName("username")
• String passwd (String)
• getParamObjectByName("password")
• cred (GSSCredential) myproxy.get(username,
  passwd, myProxyLifetime.intValue())
• getOutputByName("credentialobject").setOutputObj
  ect(cred)
• getOutputByName("credentialstring").
• setOutputObject(cred.toString())

13
Workflow system

• Server operations are customizable and
  expandable. Uses a workflow system that can
  execute arbitrary sequences of tasks for any
  operation, such as login.
• GAMA 1 login does one thing tries to retrieve a
  credential from MyProxy.
• GAMA 2 login could do a sequence of things
  retrieve credential from MyProxy, open an SRB
  socket connection, write a message to a logfile,
  etc.

14
Workflow system - MyProxyAuthNSequence.xml

• ltsequence-defgt
• ltsequence-descriptiongtGAMA's default MyProxy
  authentication sequencelt/sequence-descriptiongt
• ltsequence-typegtauthenticatelt/sequence-typegt
• ltsequence-type-defaultgttruelt/sequence-type-def
  aultgt
• ltsequence-rollbackallonfailuregtfalselt/sequence
  -rollbackallonfailuregt
• ltsequence-itemgt
• ltitem-classgtedu.sdsc.gama.server.services.
  task.auth.
• authn.MyProxyAuthNTasklt/item-classgt
• ltitem-class-config-idgt0lt/item-class-config
  -idgt
• ltitem-descriptiongtsimple MyProxy
  authentication with username and
  passwordlt/item-descriptiongt
• ltitem-rollbackonfailuregtfalselt/item-rollba
  ckonfailuregt
• ltitem-stopsequenceonsuccessgtfalselt/item-st
  opsequenceonsuccessgt
• ltitem-stopsequenceonfailuregttruelt/item-sto
  psequenceonfailuregt
• lt/sequence-itemgt
• lt/sequence-defgt

15
Workflow system - NewUserSetupSequence.xml

• ltsequence-defgt
• ltsequence-descriptiongtGAMA's default CACL and
  MyProxy new user sequencelt/sequence-descriptiongt
• ltsequence-itemgt
• ltitem-classgtedu.sdsc.gama.server.services.
  task.ca.newuser.
• CACLNewUserTasklt/item-classgt
• ltitem-descriptiongtCreate a new user in
  CACLlt/item-descriptiongt
• ltitem-rollbackonfailuregttruelt/item-rollbac
  konfailuregt
• ltitem-stopsequenceonsuccessgtfalselt/item-st
  opsequenceonsuccessgt
• ltitem-stopsequenceonfailuregttruelt/item-sto
  psequenceonfailuregt
• lt/sequence-itemgt
• ltsequence-itemgt
• ltitem-classgtedu.sdsc.gama.server.services.
  task.myproxy.newuser.
• MyProxyLoadCredentialsFromCATasklt/item-classgt
• ltitem-descriptiongtLoad a user's
  credentials from CA into MyProxylt/item- descripti
  ongt
• ltitem-rollbackonfailuregttruelt/item-rollbac
  konfailuregt
• ltitem-stopsequenceonsuccessgtfalselt/item-st
  opsequenceonsuccessgt
• ltitem-stopsequenceonfailuregttruelt/item-sto
  psequenceonfailuregt
• lt/sequence-itemgt

16
GridSphere Portal
GAMA 1 Server
GAMA 2 Server
Login user
Login portlet (GridSphere)
Task engine
Account request portlet (GridSphere)
CACL
MyProxy
Account admin portlet (GridSphere)
Create user
NewUserSequence
AuthNSequence
CAS
Login web service client
SRB

Login web service client
Account admin GUI (GridSphere portal)
17
Multi-site support

• GAMA 2 server supports multiple sites, each with
  its own local site administrator
• Site admin logs in to GAMA server and manages
  accounts for just their site other sites users
  are not visible. Primary GAMA admin can manage
  all users.
• GAMA can be configured to perform different
  sequences of actions for different sites
• Site A -gt login sequence A
• Site B -gt login sequence B

18
Cluster account management

• GAMA knows about resources such as clusters
• A resource belongs to a site
• Site admin can specify access permissions for
  each user on each resource in their site
• Resources can poll GAMA server for list of valid
  users, and manage individual user accounts and/or
  grid-mapfile entries accordingly.
• Provides a critical step in cluster management
• Rocks for OS/software install, GAMA for users

19
GAMA 2 web services

• Provide a simple API that duplicates GAMA 1 API
• authenticateUser()
• authorizeUser()
• requestNewUser()
• Plus new methods for site/resource management
• createSite()
• addNewResource()
• getResourceUsers()
• addUserToResource()

20
GAMA 2 web services

• All web services take as inputs a set of
  key-value pairs, and produce as outputs another
  set of key-value pairs
• Allows flexibility for task/sequence writers, at
  the expense of explicitness
• String authenticateUser(String username, String
  password, String lifetime)
• vs.
• HashMap authenticateUser(HashMap inputs)

21
GAMA server admin GUI demo
22
GAMA 2.0 Steps to completion

• Finish tying in web service interface to task
  engine
• Complete the administrative GUI
• Group management
• Task and sequence management
• Refactor account request and login portlets
• Provide client tools for cluster user management
• Construct server Rocks roll with Naregi, MyProxy
  and GAMA

23
GAMA the future

• Explore authentication technologies
• CAS still useful?
• Shibboleth / GridShib
• etc.
• More complete end-to-end user management
• grid-mapfile updates on end resources, for
  instance
• Synchronization / cooperation between multiple
  GAMA servers across VOs

24
References

• GAMA http//grid-devel.sdsc.edu/gama
• GridSphere http//www.gridsphere.org
• CACL http//www.sdsc.edu/CA
• Naregi CA https//www.naregi.org/ca
• MyProxy http//grid.ncsa.uiuc.edu/myproxy
• CAS http//www.globus.org/security/CAS
• GEON project http//www.geongrid.org
• Telescience project http//telescience.ucsd.edu
• NBCR http//nbcr.sdsc.edu

25
Credits

• SDSC/GEON
• Kurt Mueller, Sandeep Chandra, Karan Bhatia
• UCSD/NCMIR
• Abel Lin, Khim Ung, Lu Dai
• UCSD/BIRN
• Jason Novotny, Ramil Manansala, Jana Nguyen