Thailand National Grid Project

Putchong Uthayopas1 and Vara Varavithya2

1 DirectorHigh Performance Computing and Networking Center

Kasetsart University, Bangkok, Thailandpu@ku.ac.th

2 Department of Electrical Engineering

Faculty of EngineeringKing Mongkut’s Institute of Technology North Bangkok

vara@kmitnb.ac.th

TNGP, APAN2005@BKK 2

Thai Grid Current Status

Currently in OperationDelivered Grid Monitoring and

Management Tools to CommunitiesGovernment Approve approx. 6M US$

funding the project for 3 yearsSupports

CertificationTechnical

Grid Technology Promotions

TNGP, APAN2005@BKK 3

AgendaThailand National Grid ProjectThaiGrid Status UpdateCurrent Development in ThaiGrid

TNGP, APAN2005@BKK 4

TNGP ObjectivesPromote the use of Grid TechnologiesExcellence in Grid TechnologyHuman Resource DevelopmentProvide Grid Infrastructure

Computing InfrastructureCommunication Structure

Help Establishing Standard and PracticesHouse the ThaiGrid Office

TNGP, APAN2005@BKK 5

National Grid Committee

Business

StructureMinistry of ICT

Grid TechnologyExcellence Center

SIPA

ResearchInstitutions

Grid Users

Gov.Agencies

Com Sci. Eng. People

AcademicInstitutions

Researchers

TNGP, APAN2005@BKK 6

Computing InfrastructureTera Flops

Machine

SatelliteClusters

32-proc.Machine

SatelliteClusters

32-proc.Machine

SatelliteClusters

32-proc.Machine

SatelliteClusters

32-proc.Machine

16 Satellite Sites

High Speed Network

TNGP, APAN2005@BKK 7

Participated Organizations

KU, CU, KMITNB, KMUTT, KMITL, Mahidol, KKU, SUT, WU, AIT

Weather Forecast ServicesNECTEC

TNGP, APAN2005@BKK 8

Human ResourceHousing Dozen of Grid Engineers

and Scientists at the excellence center

Systematically trains Grid Admins via series of tutorials and workshopsTarget 2,000 in three years

TNGP, APAN2005@BKK 9

ApplicationsHealth Care Data Grid High Performance Computing

ApplicationsDrug DesignCFDFEMEvolutionary Computing

Financial Application

Based on Participated Inst.

Expertise

TNGP, APAN2005@BKK 10

Targeted OutcomesRobust Grid Enable High Performance

Computing InfrastructureA set, 3-4, of Grid Applications Show

CasesSocial impact to Thai’s well beingSupports sciences and technology

2,000 HR DevelopmentGrid Technology Promotion

TNGP, APAN2005@BKK 11

ThaiGrid Project Found Jan 2002

Build up a long term research partnership to explore The construction of Grid testbed and production

environment The building of Grid tools and middleware. The deployment of grid technology to support the mission

of scientific discovery The development of Grid application

TNGP, APAN2005@BKK 12

ThaiGrid Overall Status

10 Clusters total AMATA – KU GASS – KU MAEKA – KU WARINE – KU CAMETA – SUT OPTIMA - AIT ENQUEUE – KMITNB PALM – KMITNB SPIRIT – CU INCA - KMUTT

110 Hosts (From SCMS)

158 CPUs (From SCMS)

TNGP, APAN2005@BKK 13

ThaiGrid Status Map

TNGP, APAN2005@BKK 14

SoftwareROCKS-3.2.0 (Shasta) with

HPC RollGrid RollSCE RollScheduler Roll

Globus Toolkits 2.4SCMSWeb Monitoring ToolShared Certificate Authority

TNGP, APAN2005@BKK 15

ThaiGrid ToolsTGCheckPort – Checking the

firewall between sites

TGregister – Grid user management and automatically updated grid-mapfile system

TNGP, APAN2005@BKK 16

TGregister

TNGP, APAN2005@BKK 17

ApplicationDrug Design

ThaiGrid Drug Design PortalHIV Drug DesignAvian Flu Drug Design

TNGP, APAN2005@BKK 18

Drug Design

TNGP, APAN2005@BKK 19

Proxy Certificate

Delegation

X.509SSL

Multi-Level User Implementation on X.509

ThaiGrid User Services

Two core concepts:

• X.509 digital certificates used as identity credentials

• Proxy Certificate used to delegate identity temporarily to other credentials

Grid Security : Security VO manage• Management of VO - Discover VO by Grid participants - Authentication and authorization of participants to join VO - Access control: Participants access shared resources in VO

• The problem of VO security - Large number of distributed resources - Dynamic and complex relationships among organizations across trust domains - Resource utilization scenarios are complex and changing dynamically

•Large and dynamic population•Different accounts at different sites •Personal and confidential data•Heterogeneous privileges (roles)•Desire Single Sign-On

UsersUsers

SitesSites• Heterogeneous Resources• Access Patterns • Local policies• Membership

• Group data • Access Patterns • Membership

GroupsGroups

Grid Security: VO’s Role

GridGrid

Grid Security : Authorization management• Community Authorization Service

user

CA

CAS Server

Mutual authentication and access resource

Request proxyto CAS server

Reply restriced proxy to user

Delegation restriced proxy from CAS

CAS concept:• Reduce trust relationship by - Group user to community - Resource authorized community - Community authorized user - Constrain in proxy certificate

• But CAS cannot support authorization in small communities in VO and support only GridFTP

Grid Security: Small Communities in VO

Component of small communities in VO Static users for assign authoritative Temporarily users accept authoritative from static users Users operation same jobs in small communities in VO Multi-level authoritative from user to user

Requirement of small communities in VOMechanism for direct assign authoritative

multi-level user management

Authoritativecredentials

High-leveluser

Low-leveluser

Proxy generatorwith privilege authoritative

Authoritative privilege

generator

Gatekeeper

Check permitfor authorization

Grid mapfile

Run jobsCannot run jobs

GRID RESOURCEGRID RESOURCE

Multi-Level assign authoritative architecture

Generate assign authoritative

Request proxy with privilege authoritative

allow deny

Authentication & authorization with proxy privilege authoritative

Multi-Level assign authoritative Concept

• Use Attribute Certificate concept for assign privilege authoritative

• Embed Attribute Certificate into X.509 Certificate

Subject:Subject:O=Grid, O=ThaiGrid, O=Grid, O=ThaiGrid, OU=ee.kmitnb.ac.th, CN=suriyaOU=ee.kmitnb.ac.th, CN=suriyaIssuer: C=TH, O=Grid, O=ThaiGrid, Issuer: C=TH, O=Grid, O=ThaiGrid, CN=ThaiGrid CACN=ThaiGrid CAExpiration date: AugExpiration date: Aug 22 08:08:14 2005 22 08:08:14 2005 GMTSerial number: 625 (0x271)GMTSerial number: 625 (0x271)

CA Digital signatureCA Digital signature

Attribute CertificateAttribute Certificate::Issuer : Issuer : O=Grid, O=ThaiGrid, O=Grid, O=ThaiGrid, OU=ee.kmitnb.ac.th, CN=suriyaOU=ee.kmitnb.ac.th, CN=suriyaHolder : O=Grid, O=ThaiGrid, Holder : O=Grid, O=ThaiGrid, OU=ee.kmitnb.ac.th, CN=gridstaffOU=ee.kmitnb.ac.th, CN=gridstaffValidity date : JanValidity date : Jan 22 08:08:14 2005 GMTSerial 22 08:08:14 2005 GMTSerialextension : sun.ee.kmitnb.ac.th/allowextension : sun.ee.kmitnb.ac.th/allowIssuer Signature : MD5RSAEncryptionIssuer Signature : MD5RSAEncryption

Public KeyPublic Key

Concept :

Transfer multi-level assign authoritative

Attribute Certificate:Attribute Certificate:Issuer : user AIssuer : user AHolder : user B,C,..XHolder : user B,C,..XPrivilege :host/allow/denyPrivilege :host/allow/denyValidity : 20050128:18:45Validity : 20050128:18:45Signature: user ASignature: user A

Proxy Certificate with ACProxy Certificate with ACIdentity : user BIdentity : user B

Public Key : user BPublic Key : user BValidity : 20050128:18:45Validity : 20050128:18:45Signature: CASignature: CA

Assign authoritative from user AAssign authoritative from user A

User B proxy-init with AC

User B

CA

User X

Resource

User A

User A is authoritative

privilege

User B can access

Step access same user B

Assign authoritative Assign authoritative to user B to user Xto user B to user X

•

•

Current Development

Build tool support multi-level assign authoritative user management for small communities in VO

Modify Proxy Certificate by embedded

Attribute Certificate for access rights

TNGP, APAN2005@BKK 29

ConclusionThe Start of Thailand National Grid

ProjectThaiGrid Operation has been in

operation and strong.Several applications, middleware

developmentLots more to come in human resource

development to foster grid efforts