Service-Oriented Science: Scaling eScience Impact
Ian Foster
Computation Institute, Argonne National Laboratory & University of Chicago
Acknowledgements
• Carl Kesselman, with whom I developed many ideas (& slides)
• Bill Allcock, Charlie Catlett, Kate Keahey, Jennifer Schopf, Frank Siebenlist, Mike Wilde @ ANL/UC
• Ann Chervenak, Ewa Deelman, Laura Pearlman @ USC/ISI
• Karl Czajkowski, Steve Tuecke @ Univa
• Numerous other fine colleagues in NESC, EGEE, OSG, TeraGrid, etc.
• NSF & DOE for research support
Context: System-Level Science
Problems too large and/or complex to tackle alone …
Two Perspectives on System-Level Science
• System-level problems require integration
  • Of expertise
  • Of data sources ("data deluge")
  • Of component models
  • Of experimental modalities
  • Of computing systems
• Internet enables decomposition
  • "When the network is as fast as the computer's internal links, the machine disintegrates across the net into a set of special purpose appliances" (George Gilder)
Integration & Decomposition: A Two-Dimensional Problem
• Decompose across network
  • Clients integrate dynamically
  • Select & compose services
  • Select "best of breed" providers
  • Publish result as new services
• Decouple resource & service providers
[Figure: function and resource axes; users, discovery tools, analysis tools and data archives composed across the network. Fig: S. G. Djorgovski]
A Unifying Concept: The Grid
"Resource sharing & coordinated problem solving in dynamic, multi-institutional virtual organizations"
1. Enable integration of distributed resources
2. Using general-purpose protocols & infrastructure
3. To deliver required quality of service
"The Anatomy of the Grid", Foster, Kesselman, Tuecke, 2001
System-Level Decomposition
[Figure: a problem is decomposed into an implementation (experimental models, a computational model, coordination services, software, people) that runs on facilities at U. Colorado, UIUC and NCSA: computers, storage and networks tied together by Grid technology]
Service-Oriented Systems: Applications vs. Infrastructure
• Service-oriented applications
  • Wrap applications as services
  • Compose applications into workflows
• Service-oriented Grid infrastructure
  • Provision physical resources to support application workloads
[Figure: users compose workflows that invoke application services; provisioning supplies the resources underneath]
"The Many Faces of IT as Service", ACM Queue, Foster, Tuecke, 2005
Scaling eScience: Forming & Operating Communities
• Define membership & roles; enforce laws & community standards
  • I.e., policy for service-oriented architecture
  • Addressing dynamic membership & policy
• Build, buy, operate, & share infrastructure
  • Decouple consumer & provider
  • For data, programs, services, computing, storage, instruments
  • Address dynamics of community demand
Defining Community: Membership and Laws
• Identify VO participants and roles
  • For people and services
• Specify and control actions of members
  • Empower members: delegation
  • Enforce restrictions: federate policy
[Figure: a user's effective access at a site combines two policies: the access the site grants to the community (site admission-control policies at sites 1 and 2) and the policy the community sets for the user (users A and B)]
Evolution of Grid Security & Policy
1) Grid security infrastructure
  • Public key authentication & delegation
  • Access control lists ("gridmap" files)
  • Limited set of policies can be expressed: a gridmap only maps a certificate subject to a local account, so access is by identity alone
2) Utilities to simplify operational use, e.g.
  • MyProxy: online credential repository
  • VOMS, ACL/gridmap management
  • Broader set of policies, but still ad hoc
3) General, standards-based framework for authorization & attribute management
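As an added example of what stage 1 can and cannot express (this is illustrative code, not Globus code), the following parses a gridmap file and resolves a certificate subject to a local account. It assumes the classic layout of one quoted distinguished name followed by comma-separated local account names, and it assumes that a proxy-certificate chain appends "/CN=proxy", "/CN=limited proxy" or "/CN=<integer>" components that must be stripped before the lookup. Every DN and account name in the sample is constructed.

```python
"""Resolve a Grid certificate subject to a local account with a gridmap file.

Added example, not Globus code. Assumes the classic gridmap layout: one entry
per line, a quoted distinguished name (DN), then one or more comma-separated
local account names, the first being the default account.
"""
import re
from typing import Dict, List, Optional

# Constructed sample gridmap; every DN and account name is made up.
SAMPLE_GRIDMAP = """
# Lines starting with '#' and blank lines are ignored.
"/C=US/O=Example Grid/OU=People/CN=Alice Example" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Example" bob,vo_pool01
"/C=US/O=Example Grid/OU=Services/CN=host/gw.example.org" gridservice
"""

# Quoted DN (with \" escapes allowed), whitespace, then the account list.
_ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"\s+([A-Za-z0-9_.,-]+)\s*$')

# Trailing components a proxy-certificate chain appends to the end-entity
# subject: legacy Globus proxies add "/CN=proxy" or "/CN=limited proxy",
# RFC 3820 proxies add "/CN=<integer>". Stripping exactly these is this
# example's assumption; a legitimate DN ending in a numeric CN would be
# mis-stripped, which is one reason the legacy form was replaced.
_PROXY_RDN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {DN: [local accounts]}; the first entry for a DN wins."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"gridmap line {lineno}: malformed entry {raw!r}")
        dn = m.group(1).replace('\\"', '"')
        accounts = [a for a in m.group(2).split(",") if a]
        mapping.setdefault(dn, accounts)
    return mapping


def identity_of(subject: str) -> str:
    """Strip proxy RDNs so the lookup uses the end-entity identity."""
    while True:
        stripped = _PROXY_RDN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def local_account(mapping: Dict[str, List[str]], subject: str) -> Optional[str]:
    """The only question a gridmap can answer: is this identity known here,
    and as which local account? Roles, VO membership and delegated rights
    have no place in the file, which is the limitation the slide refers to."""
    accounts = mapping.get(identity_of(subject))
    return accounts[0] if accounts else None
```

The lookup is a pure identity test: a site that wants "members of VO X may run jobs" has to enumerate every member DN in the file and redo that whenever membership changes, which is exactly the operational load that stage 2 tooling (VOMS, gridmap management) and stage 3 attribute-based authorization set out to remove.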
Core Security Mechanisms
• Attribute assertions
  • C asserts that S has attribute A with value V
• Authentication and digital signature
  • Allows signer to assert attributes
• Delegation
  • C asserts that S can perform O on behalf of C
• Attribute mapping
  • {A1, A2, … An}vo1 → {A'1, A'2, … A'm}vo2
• Policy
  • Entity with attributes A asserted by C may perform operation O on resource R
Security Services for VO Policy
• Attribute Authority (ATA)
  • Issues signed attribute assertions (incl. identity, delegation & mapping)
• Authorization Authority (AZA)
  • Decisions based on assertions & policy
[Figure, built up over four slides: the VO ATA issues "VO member" attributes to User A and User B; the VO resource admin issues a delegation assertion "User B can use Service A"; a mapping translates VO-B attributes into VO-A attributes so a member of VO B can be authorized at a VO A service; the AZA consumes the assertions and policy and decides]
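The mechanisms on the previous two slides (signed attribute assertions, delegation, attribute mapping and an authorization authority evaluating policy) are shown together below as an added example. It is illustrative code, not Globus, CAS or VOMS code: HMAC-SHA256 with a per-issuer secret stands in for the X.509 or SAML signature a real attribute authority would produce, and every name (vo-a, vo-b, service-a, user-a, admin-a, the attribute names) is made up.

```python
"""Attribute assertions, delegation, attribute mapping and policy decisions.
Added example (not Globus, CAS or VOMS code); HMAC-SHA256 with a per-issuer
secret stands in for X.509/SAML signatures, and all names are made up."""
import hashlib
import hmac
import json
import time

# Per-issuer signing keys (private keys behind certificates in a real VO).
ISSUER_KEYS = {"vo-a:ata": b"vo-a attribute authority key",
               "vo-b:ata": b"vo-b attribute authority key",
               "admin-a": b"service-a resource administrator key",
               "user-a": b"user-a key"}
TRUSTED_ATAS = {"vo-a:ata"}  # ATAs whose assertions this AZA trusts directly
# Attribute mapping {A}vo-b -> {A'}vo-a: VO-B membership becomes the less
# privileged "affiliate" attribute, so mapping never promotes outsiders.
ATTRIBUTE_MAP = {("vo-b:ata", "vo-member"): ("vo-a:ata", "affiliate")}
# Policy: an entity with attribute A asserted by C may perform O on R.
POLICY = [
    {"attr": ("vo-a:ata", "vo-member"), "op": "use", "resource": "service-a"},
    {"attr": ("vo-a:ata", "resource-admin"), "op": "use", "resource": "service-a"},
    {"attr": ("vo-a:ata", "affiliate"), "op": "read", "resource": "service-a"},
]
MAX_DELEGATION_DEPTH = 3

def _sign(issuer, body):
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEYS[issuer], msg, hashlib.sha256).hexdigest()

def issue(issuer, subject, attribute, value, ttl=3600, now=None):
    """C asserts that S has attribute A with value V, signed by C."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "subject": subject, "attribute": attribute,
            "value": value, "exp": now + ttl}
    return {**body, "sig": _sign(issuer, body)}

def delegate(delegator, delegatee, op, resource, ttl=3600, now=None):
    """C asserts that S may perform O on R on behalf of C."""
    return issue(delegator, delegatee, "delegated",
                 {"op": op, "resource": resource}, ttl, now)

def verify(assertion, now=None):
    """True if signed by a known issuer and not expired."""
    now = time.time() if now is None else now
    body = {k: v for k, v in assertion.items() if k != "sig"}
    if body.get("issuer") not in ISSUER_KEYS:
        return False
    return (hmac.compare_digest(_sign(body["issuer"], body), assertion["sig"])
            and body["exp"] > now)

def effective_attributes(subject, assertions):
    """Attributes from trusted ATAs plus those reachable via ATTRIBUTE_MAP."""
    attrs = set()
    for a in assertions:
        if a["subject"] != subject or a["attribute"] == "delegated":
            continue
        key = (a["issuer"], a["attribute"])
        if a["issuer"] in TRUSTED_ATAS:
            attrs.add(key)
        elif key in ATTRIBUTE_MAP:
            attrs.add(ATTRIBUTE_MAP[key])
    return attrs

def decide(subject, op, resource, assertions, now=None, _depth=0):
    """AZA decision -> (granted, reason). A delegation counts only if the
    delegator is itself authorized for the same operation, so nobody can hand
    out rights it lacks; the depth bound stops circular delegation chains."""
    valid = [a for a in assertions if verify(a, now)]
    attrs = effective_attributes(subject, valid)
    for rule in POLICY:
        if rule["attr"] in attrs and (rule["op"], rule["resource"]) == (op, resource):
            return True, f"{subject} holds {rule['attr'][1]} from {rule['attr'][0]}"
    if _depth >= MAX_DELEGATION_DEPTH:
        return False, "delegation chain too long"
    for a in valid:
        if (a["subject"] == subject and a["attribute"] == "delegated"
                and a["value"] == {"op": op, "resource": resource}):
            ok, why = decide(a["issuer"], op, resource, valid, now, _depth + 1)
            if ok:
                return True, f"{subject} acts on behalf of {a['issuer']} ({why})"
    return False, f"nothing grants {subject} {op} on {resource}"

def demo(now=1_700_000_000.0):
    """Constructed scenario: user-a is a VO-A member; user-b's VO-B membership is
    mapped to VO-A affiliate and the resource admin delegates 'use' of service-a
    to user-b; user-c holds a delegation from user-a that has already expired."""
    assertions = [
        issue("vo-a:ata", "user-a", "vo-member", True, now=now),
        issue("vo-a:ata", "admin-a", "resource-admin", True, now=now),
        issue("vo-b:ata", "user-b", "vo-member", True, now=now),
        delegate("admin-a", "user-b", "use", "service-a", now=now),
        delegate("user-a", "user-c", "use", "service-a", ttl=-1, now=now),
    ]
    checks = [("user-a", "use"), ("user-b", "read"), ("user-b", "use"),
              ("user-c", "use"), ("user-b", "admin")]
    return {f"{who}:{op}": decide(who, op, "service-a", assertions, now)[0]
            for who, op in checks}
```

Two checks in `decide` carry the security weight. Attributes from an untrusted ATA are accepted only through the explicit mapping table, so a foreign VO cannot mint "resource-admin" for its users; and a delegation is honoured only if the delegator would itself pass the same decision, so the chain is bounded by the rights of whoever started it rather than by whatever the delegator chose to write into the assertion.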
Closing the Loop: GT4 Security Toolkit
[Figure: users authenticate with proxy certificates over SSL/WS-Security to services running on the user's behalf; an authorization callout (SAML, XACML) evaluates access rights; CAS or VOMS issue SAML assertions or X.509 attribute certificates carrying the user's VO rights, drawn from the VO rights authority; MyProxy, KCA and Shibboleth supply credentials; the compute center applies local policy on VO identity or attributes]
Security Needn't Be Hard: Earth System Grid
• Purpose
  • Access to large data
• Policies
  • Per-collection control
  • Different user classes
• Implementation (Globus Toolkit)
  • Portal-based User Registration Service (PURSE), with optional user review of registrations
  • PKI, SAML assertions
• Experience
  • > 2000 users
  • > 100 TB downloaded
See also: GAMA (SDSC), Dorian (OSU)
www.earthsystemgrid.org
Bootstrapping a VO by Assembling Services
1) Integrate services from other sources
  • Virtualize external services as VO services
2) Coordinate & compose
  • Create new services from existing ones
[Figure: community services assembled from content services, service providers and capacity providers]
"Service-Oriented Science", Science, 2005
Providing VO Services: (1) Integration from Other Sources
• Negotiate service level agreements
• Delegate and deploy capabilities/services
• Provision to deliver defined capability
• Configure environment
• Host layered functions
[Figure: communities A … Z draw on shared providers]
Virtualizing Existing Services into a VO
• Establish service agreement with service
  • E.g., WS-Agreement
• Delegate use to VO user
[Figure: the VO admin establishes the agreement with existing services and delegates their use to VO users A and B]
Deploying New Services
[Figure: a client initiates, monitors and controls an activity at a resource provider; policy governs the allocate/provision and configure steps that set up the activity's environment and interface]
WSRF (or WS-Transfer/WS-Man, etc.), Globus GRAM, Virtual Workspaces
Available in High-Quality Open Source Software … Globus Toolkit v4
www.globus.org
• Data Mgmt: Data Replication, Replica Location, Data Access & Integration, Reliable File Transfer, GridFTP
• Execution Mgmt: Telecontrol Protocol, Community Scheduling Framework, Workspace Management, Grid Resource Allocation & Management
• Info Services: WebMDS, Trigger, Index
• Security: Credential Mgmt, Delegation, Community Authorization, Authentication & Authorization
• Common Runtime: Python Runtime, C Runtime, Java Runtime
"Globus Toolkit Version 4: Software for Service-Oriented Systems", LNCS 3779, 2-13, 2005
http://dev.globus.org
• Guidelines (Apache)
• Infrastructure (CVS, email, bugzilla, Wiki)
• Projects include …
Virtual Workspaces (Kate Keahey et al.)
• GT4 service for the creation, monitoring, & management of virtual workspaces
  • High-level workspace description
  • Web Services interfaces for monitoring & managing
• Multiple implementations
  • Dynamic accounts
  • Xen virtual machines
  • (VMware virtual machines)
• Virtual clusters as a higher-level construct
How do Grids and VMs Play Together?
[Figure: the client requests a workspace from the VM Factory, which creates a new VM image or uses an existing one from the VM Repository and returns a VM EPR; the client then inspects and manages the VM through the VM Manager, which deploys, suspends and starts programs on the resource]
Virtual OSG Clusters
[Figure: an OSG cluster of Xen hypervisors hosted on a TeraGrid cluster]
"Virtual Clusters for Grid Communities", Zhang et al., CCGrid 2006