Speaker
Dr
David Groep
(NIKHEF)
Description
The majority of compute resources in today’s scientific grids are based on Unix and
Unix-like operating systems. In this world, user and user-group management is based
around the well-known and trusted concepts of ‘user IDs’ and ‘group IDs’ that are
local to the resource; in contrast, the grid concepts of user and group management
are centered around globally assigned user identities and VO membership and
structures that are entirely independently of the resource where the actual work is
done.
To this end gatekeepers have been deployed traditionally at the fabric boundary to
translate grid identities to Unix user IDs – usually in the form of ‘map files’ that
translate (many) grid identity names to (many or a few) Unix user IDs. New job
submission frameworks, such as the (java-based) execution web services and the
introduction of late binding of the user jobs in a grid-wide overlay network of
‘pilot’ jobs, push the fabric boundary ever further into the resource. This
necessitates the introduction glExec, a secure and light-weight (and thereby
auditable) credential mapping system, that can be run both on fabric boundary, as
part of an execution web service, and on the worker node in a late-binding scenario.
In this contribution we describe the rationale for glExec, how it interacts with the
site authorization and credential mapping frameworks such as LCAS, LCMAPS and GUMS,
and how it can be used to improve site control and traceability in a pilot-job system.
Primary author
Dr
David Groep
(NIKHEF)
Co-authors
Mr
Gerben Venekamp
(NIKHEF)
Mr
Oscar Koeroo
(NIKHEF)
